Matters

Our privacy team prides itself on providing practical, pragmatic advice using a risk-based approach that considers our clients’ businesses and legal needs. Representative examples of our work include:

  • Developed and implemented enterprise-wide privacy compliance programs to include GDPR, CCPA/CPRA and other U.S. and international laws.
  • Oversaw privacy and security risk assessments and gap analysis.
  • Provided outside privacy counsel services, including dedicated privacy hotline.
  • Undertook data mapping assignments in order to assist clients with EU Records of Processing Activities and general data inventories as necessary under CCPA and other privacy laws.
  • Formulated and implemented organization-specific policies and procedures.
  • Advised on domestic and international cookie and web tracking regulations.
  • Provided privacy and data security counseling and training.
  • Developed data subject response policies and procedures.
  • Conducted privacy due diligence in M&A-related transactions.
  • Counseled on complex areas of privacy compliance in industries such as ad tech, clinical trials, machine learning, and AI.
  • Served as breach response and litigation counsel for financial institution that lost backup tapes containing account information of approximately two million customers.
  • Served as breach counsel for academic health system in connection with an incident arising from a threat actor’s deletion and attempted extortion for the return of the ePHI of approximately 80,000 patients residing across the U.S. and in multiple foreign jurisdictions.
  • Served as breach counsel for financial institution that was the target of ransomware and extortion attack involving the acquisition, and posting on various social media sites, of the sensitive member information and personal information of more than 46,000 of the institution’s members and other affected individuals.
  • Served as breach response counsel for an international financial institution whose Office 365 e-mail accounts of users in the United States and the United Kingdom were compromised, potentially triggering the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies and the United Kingdom’s Data Protection Act of 2018.
  • Served as breach response counsel for more than one hundred incidents involving credit unions across the United States, including ransomware, extortion, fraudulent wire transfers, Office 365 e-mail account compromises, network intrusions and employee misconduct.
  • Served as counsel for manufacturer whose production line system was compromised, resulting in intentional alteration of product specifications and demand by threat actor for payment to cease further product alterations and information on past product alterations.
  • Served as breach response counsel for health care system that experienced a malware attack potentially impacting approximately four million customers and 40,000 employees.
  • Served as breach counsel to a university following a brute-force password attack, compromising personally identifiable information (PII) of over 60,000 students, alumni and employees residing in more than 40 states and several foreign countries.
  • Served as breach response counsel for website/e-commerce hosting services provider that sustained a malware attack impacting hundreds of third-party companies that used client’s hosting services as well as thousands of those companies’ customers.
  • Served as breach response counsel for health care system in connection with potential exposure of radiological records of approximately 400,000 patients.
  • Served as breach response counsel and law enforcement liaison for a national restaurant chain in connection with possible insider theft of payroll records.
  • Served as breach response counsel for community bank that sustained malware attack on an online banking portal, impacting customers across numerous states.
  • Served as breach response counsel for health care provider investigating whether patient information was stolen as part of an identity theft ring focused on illegally acquiring prescription medications.
  • Served as breach response counsel for law firm following theft of the firm’s servers containing PII and protected health information (PHI) of approximately 20,000 clients, adversaries and witnesses in multiple states.
  • Assisted major financial institutions to update and improve information security and data privacy practices, including data breach response procedures and conducting data privacy audits to identify potential privacy and data security issues.
  • Conducted tabletop exercises for members of a New York-based hedge fund community.
  • Counseled numerous entities in situations involving ransomware and other types of cyber-extortion.
  • Counseled numerous entities in situations involving wire fraud and other types of cyber fraud.
  • Conducted review of multinational food and beverage company information policies to ensure compliance with data privacy and security best practices.
  • Conducted privacy and risk management audits for multistate retailers and life science companies.
  • Developed employee training programs on information security and data privacy compliance for several investment advisers, broker-dealers and other financial service institutions.
  • Performed comprehensive regulatory compliance and privacy audit of a Fortune 500 company with internal and external data flows spanning dozens of countries worldwide.
  • Drafted and revised approximately 15 enterprise-wide internal privacy, security, access, and technology use policies for a well-known large-cap technology company.
  • Advised client regarding response obligations, agency and public notice, and best practices to quickly and effectively identify, contain, and remedy a data breach involving PII and PHI.
  • Counseled a Fortune 500 company on breach analysis and potential obligations related to encrypted laptops and mobile device theft.