The Legal 500

There are a variety of areas in which data protection and privacy laws create work for law firms with the requisite expertise. Outside counsel is most commonly called in to advise or represent companies on issues that fall into one of a few categories, and this section recognises those firms that are able to provide substantial support on most or all of these.

Firstly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) continues to be of particular relevance and firms with strong healthcare practices often find value in understanding clients’ obligations under this legislation. The financial services sector also has its own regulations. Companies’ concerns with compliance with these provisions results in significant work for lawyers.

Probably the largest recent area of legal work is counselling clients with respect to data-security breaches. Many states across the US continue to ramp up their data-security legislation, particularly with respect to notification of breaches. Firms also are engaged to represent their clients in investigations or regulatory actions brought by the Federal Trade Commission (FTC).

Another area that has increased in significance is the regulation of privacy on the internet, which is of concern to any company that wishes to sell products or services or even advertise through this medium. Here, in particular, a strong presence in Washington DC is of great importance to US clients, who wish their privacy lawyers to advise them on future trends so that they can stay ahead of the curve and maintain best practice standards. Firms with insight into the regulators and the FTC are especially valued advisors.

The last major issue is in respect of globalized companies wishing to move data about their employees and customers between various offices in various jurisdictions. Many companies are setting up centralized information-storage databases, but the privacy implications of this are complex and law firms increasingly need international expertise to advise their clients effectively.

Covington & Burling LLP

PRACTICE: Given the clout of the Covington & Burling LLP’s regulatory and legislative practices, it’s little surprise that the firm’s data protection and privacy group has staked a claim to FTC work for an impressive span of clients. However, this perception doesn’t do justice to the scope of what clients refer to as ‘an inspirational group of individuals, completely at the top of the game’.

Microsoft retained the group to advise on a range of issues associated with the collection of data about computer users to serve advertisements online, including drafting self-regulatory principles for online advertising for submission to the Federal Trade Commission. This high-profile work plays to the cadre of Washington DC-oriented government relations that lie at the heart of the team’s reputation. However, the practice itself is a development of the firm’s deep entrenchment in data security affairs in Europe, highlighting the very pertinent international aspect which has, in turn, been key to the domestic team’s success.

Recent mandates, such as work with Proctor & Gamble in updating its global online privacy policy, continue to be at the core of the group’s activity, where it has harnessed the capability to handle complex privacy issues for global clients by combining a wide reaching domestic team and an international pedigree.

The extent of the team’s ‘outstanding access to expertise at every level’ and its comprehensive engagement with the communications and media industry coincide with a store of clients from both the supplier and customer side of the IT equation. The ability to draw on work from the firm’s key areas of strength such as sport and media is a boon for the team, but this serves to bolster the wealth of engagements the team acts on in other areas such as healthcare and finance, rather than act as a fallback.

Pinpointing ‘the exceptional understanding of the compliance side of the coin’ and ‘quality running through the team from top to bottom’ as important qualities, clients report they have ‘known the firm to be great value and never out-muscled on issues of federal law or best practice on data security’.

CLIENTS: Clients of the team include Expedia, InterActiveCorp, The Walt Disney Company, Kindsight, Kaplan, Yahoo!, Regions Financial Company, Schering-Plough, and NHL.

INDIVIDUALS: Clients say of practice co-chair Erin Egan: ‘she has been a truly valuable asset to what we do - reliable and precise’. Leading the group with ‘a great overall understanding of privacy matters’ and a leading record of helping multinational clients meet their regulatory and information security needs, Egan is known as ‘a beacon of knowledge’.

The balance brought to the team by partner Mark Plotkin’s expertise in financial services regulation has provided a valuable adjunct, particularly in picking up work from large clients with respect to the data security aspects of their billing arrangements. ‘A smart lawyer, able to hone in on the exact parts of the process that need attention and manage a precise response’, Plotkin has built a reputation among his clients as ‘a great guy and the first person to call to look for advice’.

Recent arrival from Hogan & Hartson LLP, Of Counsel Yaron Dori also wins mention for his work at the juncture of IT and communications, as well as his ‘amazing speed but with attention to detail’.

The recommended attorneys are based in the firm’s Washington DC offices.

Morrison & Foerster LLP

PRACTICE: As well as being one of the oldest and largest practices in this particular space, the Morrison & Foerster LLP group has kept itself in contention at the top of the pile by virtue of the range and diversity of the issues it regularly advises on.

The advantage the group has by virtue of wedding the benefits of the international full service model with a strong technology focus has made it ‘incredibly well-respected’ and ‘an example of a balanced and well thought out legal service’.

That said, to pick the group out as a spin off of a strong technology group betrays its unsurpassed record of leading standalone representations and the cross-disciplinary nature of the 60 attorneys that specialise to varying degrees in facets of privacy law. As such, the Washington DC component of the group continues to prove its value in the face of competition from firms with deliberate weighting towards the handling of issues with a federal element to them. In 2008/2009, the team has represented several clients in response to investigations relating to data security and privacy practices before the FTC; a crucial string in its bow.

Elsewhere, the breach response element of the team is recognized as ‘a complete service from the moment the call is made right through to the resolution’. Here the importance of the depth of the team’s armoury is underlined. For example, the practice defended Gap in two class actions arising from a lost laptop, whilst it also handled hundreds of breach procedures from remedial actions to regulatory audits.

Clients particularly rate the team’s ‘good availability of experts to deal with any questions or tasks, whether long term or urgent’. The combination of these qualities with the resources the firm is able to call on has won it repeat mandates in the financial sector, where clients include Bank of America, Wells Fargo and Citibank.

CLIENTS: Clients of the team include Johnson & Johnson, Bank of America, Avon Products, eBay, Hilton Hotels, Clorox, Visa, and Dow Jones.

INDIVIDUALS: Miriam Wugmeister, based in New York, is ‘extremely well-regarded’ and ‘probably the most impressive lawyer I’ve worked with’. As practice chair, ‘her level of experience is unlike any other’ and her particular focus on international handling of data and related issues therein has put her at the forefront of the market.

Clients also note that she has a ‘real grip on consumer privacy issues and handling international concerns’

In the Washington DC office Andrew Smith has noted expertise in financial privacy issues, which he combines with experience in the FTC’s Bureau of Consumer Protection. Clients say he is ‘a complete professional and a very astute advisor’. Also in that office, Rick Fischer is recognized in the market as a ‘brilliant strategist’ and ‘one of the foremost thinkers on the commercial aspects of privacy for financial institutions’.

Baker & McKenzie

PRACTICE: ‘A well-oiled machine’, the Baker & McKenzie data protection and privacy practice may be largely based out of the US, and Chicago in particular, but it’s the tremendous international service it offers that puts it among the market’s elite.

The 13 partners in this ‘high quality’ line-up advise on a spread of issues in the domestic context, though perhaps don’t have the same profile in certain specialist areas of privacy law, having only one partner in Washington DC, for example.

Instead, the capacity of the group to take advantage of the firm’s platform and handle complex multi-jurisdictional mandates has been key to its growth. Recently the practice advised a major client on the build of a global anti-money laundering database and the navigation of the plethora of compliance work encompassed therein. As this kind of work becomes more prominent, the position of the practice and the reach of its resources have made it one to watch.

‘Excellent at taking huge projects, breaking them down and bringing in the appropriate resources’, according to clients, the team’s forte has been acting for Fortune 100 clients on compliance and policy issues. As such, the group has earned a growing share of the market among clients from industries requiring specialist knowledge, such as the financial sector, and in helping these develop and implement global policies it has won its share of plaudits. One client names the team as ‘probably the only firm in the world who could give a huge task such attention and specified knowledge’.

Furthermore, the take-up of privacy work from the team’s outsourcing practice has seen the group win roles to advise on compliance issues whilst handling the ITO and BPO components as well.

CLIENTS: Clients include Arvin Meritor, Bank of America, Best Buy, Mattel, and Priceline.

INDIVIDUALS: Clients are full of praise for partner Ruth Hill Bro. She is ‘a remarkable individual’, who has been, for one client ‘effective and helpful on many notable occasions’. Her ‘immensely practical’ advice cements her reputation as one of the leading lawyers in the practice area.

In the Chicago office co-head of the global privacy steering committee, Brian Hengesbaugh is, say clients, ‘a really good person to work with in a tight situation’. One client also notes that they are ‘very grateful for the dedication with which he’s served us over the years - he’s been a superb team player’.

Another partner out of Chicago who wins praise is Michael Mensik. His practice ‘implements a plan with a minimum off fuss and sees it through to the conclusion’, say clients, and in particular his balance of experience in privacy and outsourcing marks him out as a key figure in the group.

DLA Piper

PRACTICE: ‘Supremely organized and bright’, the DLA Piper data protection and privacy group has outposts in several offices nationally, with a significant Washington DC presence at its heart.

The spread of clients from Fortune 500 to small technology companies provides some testament to the breadth of the work the team avails itself to. However, this isn’t to say the team doesn’t have specialist areas. Financial services frequently engage the group and expertise in financial privacy laws have been brought to the fore, culminating in mandates, such as providing privacy counsel to a leading financial services coalition of leading investors and corporations.

The data breach arm of the group’s service is recognized as being on the list of select teams able to handle virtually any scale of breach. In such a manner, the team has represented a handful of large IT and corporate clients on everything from the limiting the impact of the initial breach to the ensuing litigation and ongoing data security management.

The balance of supplier and customer clients is of particular note, and very few practices maintain the same level of engagement with both sides. Looking at roles such as acting as counsel to the state privacy and security coalition, whose members include some of the most well-known names in the industry, gives an idea of the team’s calibre. ‘Steeped in detailed understanding of the tech world and proficient in both the theoretical and the practical aspects of managing information’, according to clients, who prize the group’s expertise across areas such as state and federal legislative and regulatory matters, policy implementation.

CLIENTS: Clients of the practice include Alcatel-Lucent, AOL, Charles Schwab, Choicepoint, eBay, Experian, Fiserv, Investment Company Institute, Principal Financial Group, Vanguard Group and Verizon.

INDIVIDUALS: Washington DC partner Jim Halpert is highly thought of by clients and receives a barrage of praise including one enthusiastic client’s comment that he’s ‘the only man I’d dream of asking about data privacy’. Renowned for his ‘excellent judgment and awareness of the pressures a modern business faces’ for being ‘pro-active and impressively hands-on for such a well-respected lawyer’, Halpert leads on many of the firm’s most high profile global data security counsel mandates.

The same office also boasts the talents of regulatory and government affairs practice co-chair Thomas Boyd. He has a significant privacy component to his practice, leads on several financial services and is ‘always there when needed’ and ‘consistently gives a very, very high level of service’, say clients.

Hogan & Hartson LLP

PRACTICE: The Washington DC stronghold at the heart of the Hogan & Hartson LLP privacy practice has ensured that for FTC enforcement work, it remains among the frontrunners. Thus, as ‘one of the few practices truly centred on and built for FTC enforcement and privacy review work’, the team applies its 19 partners to an area of the market where it is largely unmatched.

However, Christine Varney’s appointment as assistant attorney general designate for antitrust, while highlighting the prominence of her practice, also represents a big loss for the team. Equally, Mary Ellen Callahan’s nomination as DHS chief privacy officer speaks volumes for her credibility, but again dents the practice in a big way. Whether it will recover from these losses, or simply lose ground in the areas it was dominant in before, remains to be seen.

Still, the heavy weighting towards privacy work has lent the team the reputation of being ‘probably the most sophisticated clutch of privacy advisors in the country’. This has previously been a big ticket to handling US companies in structuring international privacy compliance schemes, although it’s fair to say that this work has continued to be overshadowed by the group’s activities in the domestic setting.

Furthermore, HIPAA-related privacy work has been a mainstay of the group, especially important since the work requires a degree of dedication and specific industry knowledge, a specification the group is able to meet to a level that its competitors cannot.

CLIENTS: Clients of the group include MySpace, NewsCorp, XM Radio, Zango, and Textron.

INDIVIDUALS: Washington DC partner Marcy Wilder’s HIPAA practice has been valuable to the team’s reputation. She is ‘a great attorney and one of the best healthcare privacy advisors in the country’ and has recently been involved in assisting WebMD with data privacy issues and public policy counseling.

Hunton & Williams

PRACTICE: The waterfront of expertise that the Hunton & Williams group is able to offer clients has impressed, and continues to see the practice go from strength to strength. The team has had continued impact has had both on domestic and international fronts, as it persistently picks up major clients and acts on industry-leading cases of all descriptions.

Home to the Center for Information Policy Leadership, a highly regarded privacy think tank and consulting practice, the firm has been clients’ ‘destination of choice for some years thanks to its incredibly deep understanding of public policy and commercial privacy issues’.

The healthy mix of compliance and breach expertise that it has been able to assemble has been crucial to the team’s stature in the market. This capability is a marked feature of much of the group’s best work, as in the case of a recent engagement with a Fortune 150 retailer with respect to a data breach of unprecedented scale.

On the other side of the coin, clients say that the lawyers have ‘proved themselves invaluable in constructing substantial data management policies - their advice has been crucial to our continued success’. In this vein, the team continues to serve as global privacy counsel to a major multinational retailer. Advising on the various structures and facets of its privacy policy, and applying its expertise in the more esoteric areas of the field, such as assessing the company’s three HIPAA-covered entities advising on its ongoing remediation initiative.

‘All-round supreme service’, say clients of a group that continues to garner a reputation in the market for being ‘the most accessible, responsive and effective unit available’.

CLIENTS: Clients of the practice include consumer goods companies, electronic publishers, reference services, consumer and business credit-reporting agencies, risk management specialists, health care providers, direct marketers, telecoms and internet service providers, banks, insurers and government agencies.

INDIVIDUALS: Lisa Sotto ‘a fabulous attorney with a great approach to the trickier cases’, as clients put it, heads the practice and is also vice chair for the Department of Homeland Security’s data privacy and integrity advisory committee. ‘Wise’ and ‘impressive at getting the most out of information management’, Sotto is based in New York and is recognised by clients as ‘the best in the field’ and is ‘recommended without any reservation’.

WilmerHale

PRACTICE: At the juncture of e-commerce and privacy, the WilmerHale practice continues to be the best at what it does. The group fits into the communications department, and benefits from a crossover of expertise and regulatory acumen, consistently proving itself to have an exceptional presence in Washington DC. ‘The top attorneys in the business; they are completely amazing’, say enthusiastic clients.

Recently this ‘incredibly talented team’ worked with two major financial institutions on major data breaches. This involved analyzing the potential applicability of dozens of states’ data security breach laws, and acting on the clients’ behalf in front of state officials and regulatory bodies.

However, the profile the group has achieved for its breach-related representations is equalled by its depth of work in the regulatory field. Leveraging off the team’s strength in the communications industry, one recent representation saw the team act for two major internet portals and one major telecoms provider in connection with the FTC’s development of self-regulatory guidelines for behavioral advertisers. This kind of role, which included in-depth awareness of state and federal electronic surveillance and FCC privacy laws, distinguishes the team from those competitors with less regulatory experience. As one client puts it: ‘the team is unique, in the advice it gives, in the relations it has in the capital and in its service standards, which are second to none’.

CLIENTS: Clients are drawn from across industry sectors, with particular concentrations in the technology and financial services industries.

INDIVIDUALS: Partner J Beckwith Burr has a valuable FTC background and is, say clients, ‘one of the true champions of the field’. Burr’s practice entails working on sophisticated compliance programs and she is rated as ‘great to work with’ and noted for being ‘level-headed and exceptionally smart’.

David Medine ‘has done some outstanding work’ and is a partner who ‘performs very well under pressure’. Medine’s practice has a focus on working with financial services and major online companies, putting into effect experience developing e-commerce policy at the FTC.

Chair of the communications group Lynn Charytan is ‘really good at marshalling the firm’s resources’ and wins recognition as ‘a superb contact’, according to clients.

All three are based in the Washington DC offices.

Foley & Lardner

PRACTICE: With a practice featuring 22 attorneys spread across the country, Foley & Lardner has continued to make an impact in the privacy space without falling into any particular sub-category of specialization. The team has had success in acting on a wide range of representations, earning a reputation for ‘excellent service’.

Clients acknowledge the group as ‘dependable and quick to respond with a succinct answer’, and certainly the breach component of the group has earned itself a name as one of the most competent available. The firm’s recently launched privacy litigation SWAT team is a notable adjunct to the team’s general activities, and that few others have dedicated the same focus to such an endeavour, reflects on the firm’s drive to put itself among the major players in the data privacy league.

That the team has continued to be used by Facebook for privacy and internet marketing advice speaks to both its reach and its ability to compete with other technology-orientated firms when it comes to winning big mandates from technology clients.

CLIENTS: Clients of the practice include Provide Commerce, Tyco, Epsilon Data Management, Exelon, 24 Hour Fitness, Sempra Energy, Truste, Monster Worldwide, and Walmart.

INDIVIDUALS: Andrew Serwin is the founding chair of the practice and co-chair of the privacy litigation team. Based in the San Diego offices, Serwin draws praise from clients for being ‘a trustworthy and approachable lawyer’ and ‘intelligent and capable’.

Jones Day

PRACTICE: Comprising the services of a multi-disciplinary cross-section of attorneys within a huge platform, the Jones Day practice is a recognized leader in the international field, although perhaps less so domestically. While this doesn’t detract from the capabilities of the 20 partners clients call upon for privacy issues, the result of a relatively wide focus means other firms gain ground by virtue of having more dedicated domestic privacy and security operatives.

The team itself is ‘adaptable, quick to act and helpful at all times’, and has staked a claim as one of the elite data breach counsel in the world, on the back of a string of representations of leading banks and corporations in data breach matters.

‘Ideal for the kind of exercise we’re regularly involved in, they’ve provided exemplary service throughout our engagements’, says one impressed client. Given the size and international outlook of these companies, the build of the practice is well-suited to take on these wide-ranging, complex mandates.

CLIENTS: Clients of the group include Dell, Intuit, Educational Testing Services, Experian, Mentor, Sterling Commerce, Dow Corning, IBM, CenterPoint Energy, Marathon Oil, Ascension Health and United States Golf Association.

INDIVIDUALS: ‘The one lawyer in whom I have complete trust’, according to one enthusiastic client, practice head Kevin Lyles operates out of the Columbus offices and is ‘a very calm counsel, but also a very thorough one’.

Kelley Drye & Warren LLP

PRACTICE: The Washington DC-based privacy practice of Kelley Drye & Warren LLP has continued to quietly progress and develop an enviable reputation among several global brands.

Though numbering only seven partners, the degree of industry knowledge the group wields puts it ahead of many local competitors. Indeed, this ‘well-defined and exceptionally experienced’ team has won many plaudits for compliance work and housing of several FTC-oriented experts.

The breach element to the practice is increasingly substantive and the team acted on the defence to Jackson Hewitt Tax Services in a federal class action arising from an alleged privacy breach, winning dismissal of all but one of seven claims. The ‘technical superiority’ of the practice has frequently seen it take companies through breach procedures with success, as well as handling further data security matters.

Meanwhile, on compliance issues the firm’s presence in Washington DC and the wealth of regulatory acumen on offer has positioned this ‘highly recommended’ group well. While the team continues to handle a wide array of issues, its strength of expertise at the intersection of marketing and emerging privacy standards has set it apart.

CLIENTS: Clients of the firm include leading retail brands, internet companies, financial service providers and technology groups.

INDIVIDUALS: ‘Responsive and industrious’ say clients of practice head D Reed Freeman. A former staff attorney at the FTC Bureau of Consumer Protection, Freeman has been immensely active in privacy and breach matters and has proven himself ‘able to provide value at every step of an engagement’. He is based out of the Washington DC office, as is ‘excellent counsel’ John Villafranco, who has excelled in applying a focus on advertising law and consumer protection.

Paul, Hastings,
Janofsky & Walker LLP

PRACTICE: One practice making pronounced progress and picking up complex mandates, without the same reputation behind it as the leading firms, is Paul, Hastings, Janofsky & Walker LLP. The overall disposition of the firm to provide, as clients put it, ‘sharp, fast and effective service’ on complex representations, often with an international flavor, has been instrumental in the flourishing of this seven-partner group.

The team has accumulated a strong showing in data breach matters to complement a significant privacy element that originates from continuing work with the Direct Marketing Association. Advising on numerous breaches, as well as unauthorized access to government anti-crime/anti-terror database and the ensuing legal implications, the response unit the team has in place has proved particularly valuable to its clients.

Further, the practice plays ‘a vital role in making sure our strategies are both realistic and covered against mishandling of data’, say clients. The success of this approach has seen the team win roles as privacy counsel for clients beyond its core base on roles connected with marketing and HR.

CLIENTS: Clients of the team include Capital Access Network, the Walt Disney Company, and CSX Transportation.

INDIVIDUALS: Washington DC partner Behnam Dayanim is a member of the firm’s litigation department, known to clients for being ‘forward thinking, pragmatic and honest’. His practice covers advice on a range of IP and technology matters as well as a significant weight of public policy and government advocacy on technology issues. Clients say he ‘handles tricky situations well’ and ‘covers every eventuality’.

Venable LLP

PRACTICE: The rise of Venable LLP is indicative of the value clients put on its regulatory and legislative insight, which is, according to clients ‘second-to-none’.

The strict focus on the capital, with over 20 attorneys lending their expertise from offices in Washington DC and Tyson’s Corner, has dictated the team’s approach into a particular specialisation on privacy issues. Its work on issues arising from privacy statutes and regulatory engagements for clients from across healthcare, telecoms, technology and financial services, has put the team among the elite for its particular brand of representation.

In combination with a highly regarded ‘leading FTC practice’, the firm has a strong name in defending companies and associations in investigations, as well as litigating privacy issues, occasionally involving challenging agency regulations. The extent to which the group has been able to pick up work in specialist areas, such as advising on privacy statutes involving HIPAA or COPAA, is largely owed to the depth of specific expertise it draws from among its experienced advisors.

CLIENTS: Clients of the team include the Direct Marketing Association, the Interactive Advertising Bureau, the Electronic Retailing Association, and LexisNexis.

INDIVIDUALS: Partner Stuart Ingis is ‘among the best privacy lawyers in the capital’ and has ‘a great reputation on legislative issues’.