Privacy and Cybersecurity

Privacy and cybersecurity issues have become mission critical for public and private companies of all sizes across industries. The constantly evolving landscape of new laws and threats creates increasingly complex compliance burdens and demands constant vigilance. Our multidisciplinary Privacy and Cybersecurity team advises global companies facing heightened regulatory, contractual and consumer obligations and risks surrounding the processing, disclosure and security of data, including personal data.

Privacy
Our team of lawyers in New York, Los Angeles, Palo Alto, Washington, D.C. and London routinely counsels clients across industries on U.S. federal, state, foreign and multinational laws and regulations, industry standards and best practices relating to the collection, processing and sharing of personal data, on a standalone basis and in the context of corporate transactions and litigation.

Cybersecurity
Our cross-disciplinary team is available 24/7 for incident response matters, and includes members of our Crisis Management Group, our National Security Regulatory Practice and our Securities Litigation Practice. We also advise clients (including lawyers, CISOs and boards) across industries with respect to U.S. federal and state laws, SEC and other regulatory requirements relating to cybersecurity, and reporting considerations after an incident.

Select Representations

Privacy
  • Publicly traded consumer-facing company in FTC investigation relating to sales practices, identity theft mitigation and credit compliance matters
  • Credit reporting agency in an investigation by the New York Department of Financial Services in connection with the agency’s marketing and sale of credit monitoring and ID theft protection products
  • Insurance companies in high-stakes disputes involving alleged violations of Illinois’ Biometric Information Privacy Act
  • Public and private companies in advising on compliance with laws and regulations, including the EU and U.K. GDPR, CCPA (and upcoming CPRA), HIPAA and HITECH, GLBA and FCRA, CAN-SPAM, COPPA, TCPA, BIPA and other current and pending U.S. federal and state privacy laws
  • Private equity and strategic buyers in complex privacy due diligence, negotiation of agreements and post-closing integration activities in connection with acquisitions, divestitures and other transactions
Cybersecurity
  • Financial institution in connection with data breach class action lawsuits in the SDNY and N.D. Cal.
  • Credit reporting agency in an internal investigation arising from a phishing/business email compromise incident
  • Certain underwriters in connection with ransomware attack claims
  • International nonprofit in a breach of its computer network
  • Insurance carrier concerning a computer data access incident that resulted in investigations by various state and federal government and regulatory entities, including the Department of Health and Human Services and the DOJ
  • Investment fund in an internal investigation following an email scam involving impersonation of an executive and fraudulent wire transfers
  • Board of a major U.S. company in connection with a cybersecurity incident
  • Multiple financial services firms and other firms in responses to data breaches
  • Public technology company in SEC investigation relating to large-scale business email compromise
  • Private equity firm in investigation of a business email compromise
  • Health care company in FBI investigation following data breach
  • Southern American family office in investigation of a business email compromise
  • Public technology company in connection with data incident and related civil and criminal matters
  • Private equity and strategic clients in complex cybersecurity due diligence, negotiation of agreements and remediation activities in connection with acquisitions, divestitures and other transactions
Deep Bench
We have a deep bench of talent, including former U.S. federal prosecutors (including a former cybercrimes prosecutor), former SEC lawyers, the former Acting Comptroller of the Currency, and recognized litigators in the related fields of class actions, securities litigation, shareholder derivative actions, insurance and breach of contract cases. We have significant experience in sector-specific and general privacy legislation, regulatory and enforcement trends and routinely interface with government agencies and regulators on these issues.

Clients seek our advice on:

  • legal and regulatory compliance and best practices
  • data breach prevention and incident response
  • SEC and other public disclosures
  • internal investigations and audits on privacy/cybersecurity
  • civil class actions and related litigation
  • responses to criminal and regulatory inquiries
  • corporate governance and board liability issues
  • due diligence and negotiation of privacy/cybersecurity agreements and prospectus disclosures, and post-transaction integration activities
  • cross-border data sharing and transfers
  • cyber insurance issues
  • marketing and advertising practices
  • use of AI and derivative data products
Multijurisdictional
Our cross-border team helps clients navigate complicated privacy and cybersecurity regulatory regimes in jurisdictions across and outside the U.S., including in the United Kingdom and the European Union.

Our lawyers regularly liaise with U.S. and foreign government agencies and regulators, and closely monitor privacy and cybersecurity legal and regulatory developments in the U.S. and abroad. We have experience counseling companies on laws and regulations including:

Data Privacy:

  • U.K. and EU General Data Protection Regulation
  • California Consumer Privacy Act and incoming California Privacy Rights Act
  • New York SHIELD Act and other recent state-specific privacy laws
  • Illinois Biometric Information Privacy Act
  • Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act
  • Gramm-Leach-Bliley Act and Fair Credit Reporting Act
  • CLOUD Act
  • CAN-SPAM Act
  • Telemarketing Sales Rule
  • Telephone Consumer Protection Act
  • Children’s Online Privacy Protection Act

Cybersecurity:

  • Computer Fraud and Abuse Act
  • Electronic Communications Privacy Act
  • Stored Communications Act
  • Foreign Intelligence Surveillance Act
  • USA PATRIOT Act
  • Anti-money laundering and related laws
  • U.S. and state cyber incident disclosure laws (current and pending)
  • Payment Card Industry Data Security Standard

Spotlight

  • Simpson Thacher Attorneys Author Article on SEC’s Proposed Cybersecurity Rules
  • Privacy Law Update: New EU/U.S. Data Agreement and Utah Law
  • Newly Enacted Federal Cybersecurity Disclosure Statute Will Significantly Expand Data Breach and Ransomware Reporting Obligations
  • SEC Proposes Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules
  • Virginia Passes Comprehensive New Privacy Law
  • Key Takeaways From Recent SEC Cybersecurity Charges Against Advisers and Broker-Dealers
  • App Annie and Its Founder to Pay $10 Million to Settle First SEC Enforcement Action Against Alternative Data Provider
  • SEC Settles Charges With Pearson plc Relating to Disclosures Concerning Cyber Breach