Firms To Watch: Cyber law (including data privacy and data protection)

Frankfurt Kurnit Klein & Selz PC advises tech-centric clients, such as digital marketing, advertising, gaming, social media, and blockchain-based gold purchasing platform clients on the interpretation and implementation of US State privacy laws in California, Virginia, Colorado, Connecticut and Utah. Daniel Goldberg leads the Los Angeles-based privacy and data security practice.
Washington DC-based James Pizzirusso, head of Hausfeld LLP ’s consumer protection practice group, represents plaintiffs, who have suffered from mass data breaches at well-known and leading companies, in nationwide class actions. Megan Jones in San Francisco, Swathi Bojedla in Washington DC, and Jeanine Kenney in Philadelphia are key practitioners in this space.
Based in Seattle, Mike Hintze and Susan Hintze lead Hintze Law’s privacy and data security practice. The team is a key advisor to companies in the healthcare and life sciences sector for data sharing and usage compliance strategies.
Advising clients on FTC cybersecurity investigations, data due diligences for commercial transactions and uses of data form a key part of Paul, Weiss, Rifkind, Wharton & Garrison LLP's practice. Key litigators and regulatory advisors include Jeh Johnson, Jeannie Rhee and Steven Herzog. Global risk and crisis management expert John Carlin, formerly at Morrison Foerster joined the practice in October 2022.
Nicholas Goldin and Lori Lesser co-chair Simpson Thacher & Bartlett LLP’s New York-based privacy and cybersecurity team. Lesser works on the data privacy side of tech-driven transactions while Goldin is a key contact for clients requiring assistance on compliance programs, regulatory investigations and data breaches.
Skadden, Arps, Slate, Meagher & Flom LLP’s cybersecurity, privacy and sensitive tech practice is known for its lead counsel role in major acquisitions involving big tech companies. The practice is co-led by New York based Stuart Levi and Michael Leiter in Washington DC, who are key contacts for incident response and government investigations.

Cyber law (including data privacy and data protection) in United States

Baker McKenzie LLP

Global data compliance strategies, security assessments and incident responses for international clients in a range of sectors are key drivers of work Baker McKenzie LLP‘s data privacy and security team, which leverages its global platform to handle a wide range of cross-border cyber incident mandates, including ransomware attacks. Chicago-based chair of the firm’s global data privacy and security business unit Brian Hengesbaugh focuses on advising clients on new privacy and security laws as well as cyber attack-related issues. The arrival in New York of Cyrus Vance and Elizabeth Roper from the Manhattan District Attorney’s Office in early 2022 brought experience in dealing with contentious intersecting financial fraud and cybercrime investigations. San Francisco's Lothar Determann is a key name to note for companies seeking assistance on creating and updating global privacy law compliance programs. Chicago-based Stephen Reynolds advises clients on their responses to cyber incidents, such as ransomware attacks and email compromise matters. Having joined from Baker Botts L.L.P. in July 2022, Cynthia Cole, in Palo Alto, adds a dimension to the practice, becoming a key contact for intersecting intellectual property, data privacy and security matters in connection with commercial transactions.

Practice head(s):

Brian Hengesbaugh; Lothar Determann; Brian Hengesbaugh

Other key lawyers:

Cyrus Vance; Elizabeth Roper; Stephen Reynolds; Cynthia Cole


‘The Incredible diversity of experience and backgrounds makes it so easy to get a great range of opinions and insights all from the same team.’

‘They take the time to dig into details to understand your business goals, but don’t get mired in them or waste time on unnecessary minutiae.’

‘Depth in cybersecurity, both technology, relationships and the practice is a serious national security asset.’

Cooley LLP

Cooley LLP is known for representing social media and technology companies, such as Zoom, Google and Meta on large and high-profile privacy class actions. The firm also defends various tech companies operating in a range of sectors from healthcare to education, insurance and finance in data security regulatory enforcement investigations brought by state attorney’s general, federal agencies and DPAs from around the world. The practice is led by San Fransisco-stationed Michael Rhodes, who is also global chair. Vice chair based in San Francisco Matthew Brown is a key name to note. Data-related dispute resolution specialist in San Francisco Travis LeBlanc is a lead outside counsel for several high-profile clients requiring assistance on lawsuits, investigations, regulatory inquiries following cyber incidents and mass arbitrations. Colorado-based vice chair David Navetta continues to be a leader in the privacy compliance and risk advisory space, while Tiana Demas is the key name in the Chicago office, focusing recently on defending clients against VPPA and cyber-attack class action lawsuits. Washington-based Randy Sabett works for clients to develop strategies to protect their information. With the May 2022 arrival of Michael Egan in Washington DC from Baker McKenzie LLP, the practice has added a data compliance and privacy program specialist to its global practice. Likewise, Lei Shen in Chicago is a key contact for clients with respect to advice concerning CCPA and upcoming state consumer data protection laws.

Practice head(s):

Michael Rhodes

Other key lawyers:

Matthew Brown; Travis LeBlanc; David Navetta; Tiana Demas; Michael Egan; Rany Sabett; Lei Shen

Key clients

Zoom Video Communications Inc.

Intuit Inc.

Dotdash Meredith

Foot Locker Retail

Willkie Farr & Gallagher LLP



Google LLC

Etsy Inc.


American Family Insurance

Marsh & McLennan Companies Inc.

NVIDIA Corporation

Plaid Inc.

Chegg Inc.

Berbix Inc.

Twitter Inc.

National Association of Realtors

Grindr LLC

The State Bar of California

Work highlights

  • Represented Chegg Inc. in a large mass arbitration regarding a mass data breach brought by 16,000 consumers.
  • Assisted Intuit, Inc. with all aspects of compliance with the California Consumer Privacy Act (CCPA) – and California Privacy Rights Act (CPRA) amendments. Also advised on State comprehensive privacy laws in Virginia, Colorado, Connecticut, and Utah that take effect in 2023.

DLA Piper LLP (US)

Providing high-level data protection advice in relation to acquisitions in the fintech space and assisting major energy sector clients on cyber-attacks on critical infrastructure are key features of the full spectrum cyber law practice at DLA Piper LLP (US). Team head in San Diego Andrew B Serwin works alongside Philadelphia-based Ron Plesco on managing multiple cybersecurity work streams following a global data breach. Miami-stationed Carol Umhoefer focuses on setting up and implementing global compliance programs, assessing data flows, usages, collections and storages. The practice has continued to develop, following the arrival of cross-border data flows and finance expert James Sullivan, in April 2022, in Washington DC, and global privacy programs specialist counsel, and in August 2022, New York’s John Gevertz, both of whom worked at the International Trade Administration (ITA) at the US Department of Commerce.

Practice head(s):

Andrew Serwin

Other key lawyers:

Ron Plesco; Carol Umhoefer; James Sullivan; John Gevertz


‘DLA’s Cyber and Privacy Practice is truly world class and are able to support their clients with their fantastic global footprint.’

‘Andy Serwin and Ron Plesco are the best partners I have worked with! They go out of their way to put themselves in the shoes of their client to find a legal solution based on a smart legal risks lens. They are responsive at all hours of the day, including public holidays to provide responsive outside counsel support.’

Key clients





ZeniMax Media, Inc.


Southern California Edison


Broadridge Financial Solutions, Inc.


Work highlights

  • Advising Visa on cyber and privacy due diligence in its acquisition of Tink, a cutting-edge emerging tech company.
  • Advising SCE on emerging issues concerning attacks on critical infrastructure and cybersecurity.
  • Represented Aetna in the negotiation of a Resolution Agreement and Corrective Action Plan with OCR over alleged HIPAA violations and represented CVS in a number of privacy and security matters.

Hogan Lovells US LLP

Hogan Lovells US LLP fields a multi-disciplinary cybersecurity practice, encompassing incident response and preparedness, program development and compliance counselling. Co-leader of the global privacy practice and leader of the US group Scott Loughlin leverages his experience as a transactional life sciences and privacy practitioner to structure transactions to achieve compliance and manage third-party data risks. Loughlin is the name to note for clients in the sports sector, such as MLB and NFL, for advice on navigating the cybersecurity threat landscape. Marcy Wilder is a key contact for health sector clients requiring assistance on high-profile data breaches and privacy enforcement investigations. Paul Otto and senior counsel Harriet Pearson work on litigation and settlements involving large-scale consumer data breaches. Head of the global technology and telecoms industry sector group Mark W. Brennan and specialist privacy practitioner Bret Cohen support clients using cutting-edge technologies on the impact of privacy laws, namely GDPR, CCPA, FERPA. New York-based Peter Marta combines his background in financial services and government, advising clients on the full range of regulatory issues. All named lawyers are based in Washington DC unless otherwise stated.

Practice head(s):

Scott Loughlin

Other key lawyers:

Mark Brennan; Bret Cohen; Marcy Wilder; Harriet Pearson; Paul Otto; Peter Marta


‘Hogan’s privacy and cybersecurity team has global expertise combined with business savviness that makes them uniquely positioned to help client manage legal risks while meeting business goals.’

‘Scott Loughlin has been my go-to partner for privacy and security compliance matters. His knowledge of the laws in this expanding space, combined with his ability to balance compliance requirements with business needs to provide practical, actionable advice to clients is invaluable. His calm demeanor brings structure and order to tense situations, and he is able to quickly assess complex matters and drive analysis and solutions that add value to any matter.’

‘I have found Hogan Lovells to be extremely cost-effective when compared to peer firms. They have specialists within the privacy space for nearly every area of expertise – student privacy, health privacy, etc. I have found each to be excellent.  Hogan Lovells provides strategies to achieve business objectives with each option risk assessed.’

‘Bret Cohen and Roshni Patel are excellent.’

‘The data privacy and data protection team at Hogan Lovells is outstanding. Their subject matter expertise is unmatched and the individuals like Paul Otto and Scott Loughlin who lead the group are extremely knowledgeable and present very well. They are some of the top practitioners in the country in this area and are trusted advisors.’

‘Scott Loughlin and Paul Otto are great. Their level of knowledge in this area makes them stand out. They provide practical advice and understand business issues but present the risks in a professional and thorough manner.’

‘Bret Cohen is one of the smartest and most practical lawyers I have ever worked with. He deeply understands complex technology, business needed, and how global data protection and technology laws intersect, and as a result his advice is realistic and scalable — never just a recitation of what the law says that leaves clients still uncertain about how to proceed.’

‘Peter Marta has a unique ability to synthesize difficult issues and provide practical advice. He is calm in the face of crisis.’

Key clients


McGraw Hill

Fox Corporation

Major League Baseball

National Football League



Advance Publications

Apollo Global Management




Pinnacle West Capital – Arizona Public Service

Anthem, Inc.

Cancer Treatment Centers of America

Change Healthcare, LLC

Foundation Medicine, Inc.

Exact Sciences Corporation

Globe Life, Inc.


Lucira Health

Work highlights

  • Advising Equifax on a large-scale consumer data breach, including negotiating the global settlement and security commitments
  • Advising Lucira on managing privacy and cybersecurity issues, addressing health privacy laws, including HIPAA, HITECH, sensitive condition laws and the GDPR’s obligations relating to sensitive data.
  • Advising the National Football League (NFL) on a range of data protection matters both in the United States and around the world.

Hunton Andrews Kurth LLP

Building global privacy compliance programs for private equity firms and advising on the data security implications of investment strategies forms an important part of Hunton Andrews Kurth LLP‘s privacy and cybersecurity practice. Global head Lisa Sotto assists clients on compliance with the CCPA and CPRA as well as other US state privacy laws. Sotto also leads the New York team on aiding clients in their response to data security incidents and subsequent investigations commenced by the FTC. Aaron Simpson is the go-to advisor for private equity and finance firms for regulatory compliance. The firm also leverages the experience of Washington DC-based Phyllis Marcus when advising gaming and tech companies on data security matters. Brittany Bacon is another name to note, working alongside Sotto on several matters. The firm has expanded its portfolio of security work for numerous energy, utility and critical infrastructure clients. Associate Danielle Dobrusin and counsels Michael La Marca, Adam Solomon and Jenna Rode are all key supports on matters, demonstrating the depth of expertise in the practice. All named lawyers are based in New York unless otherwise stated.

Practice head(s):

Lisa Sotto

Other key lawyers:

Aaron Simpson; Phyllis Marcus; Brittany Bacon; Danielle Dobrusin; Michael La Marca; Adam Solomon; Jenna Rode


‘The Hunton Andrews Kurth team takes the time to understand our business and goals, and then tailor their advice to help us achieve those goals. They are truly a strategic partner in a way that other firms simply don’t emulate.’

‘Many firms can advise about legal requirements, but Hunton excels in providing pragmatic guidance and options that take into account the spectrum of legal risks, costs, etc.’

‘The practice is exceptional. I have been working with Hunton in the privacy and data protection fields for almost a decade now and they have always maintained very high-quality standards and outstanding client service.’

‘Lisa Sotto’s expertise and prominence is second to none. Lisa is a national and global cyber and privacy attorney luminary whose insight is sought out by multiple sophisticated stakeholders.’

‘Aaron Simpson is the quintessential commercially minded attorney. He intuitively and promptly provides advice that is practical, reasoned and executable. Simpson easily manages multiple matters and simplifies them into digestible guidance.’

‘Danielle Dobrusin is an outstanding professional; US’ No. 1 expert in CCPA and CPRA. She is pragmatic, business focused and very responsive. She translates complex matters and concepts into clear and concise guidance. She will continue to make an impact and definitely help the industry practitioners in the years ahead.’ 

‘Aaron Simpson is a unique contributor and advisor. His knowledge of privacy law is extensive, and he understands the global issues and challenges associated with running a global privacy program.’

Key clients

Silver Lake Technology Management

TPG Global, LLC

TJX Companies, Inc.

Cybereason Inc.

MUFG Union Bank

Kering Americas

Google Inc.

Herbalife International of America Inc.


Tiffany & Co.

Work highlights

  • Advising Silver Lake Technology Management on global privacy and data protection issues.
  • Advising TPC Global on global privacy compliance issues.
  • Assisting TJX Companies Inc. in global data protection and privacy advice.

Latham & Watkins LLP

Following the April 2022 arrival of global data protection and consumer privacy specialist Clayton Northouse from Sidley Austin LLP, Latham & Watkins LLP has strengthened its robust data breach, mission critical incident and investigations driven cyber practice. Global Co-Chair of the Privacy and Cyber practice, based in San Francisco, Michael Rubin defends clients facing data breach litigations and regulatory investigations before the FTC. Likewise, Jennifer Archie, is also experienced in defending clients against investigations commenced by the FTC, Department of Health and Human Services and consumer protection authorities. Archie is also a key contact for cyber-attack responses and leads cross-border data privacy projects. Antony Kim contributes further regulatory and investigatory advice to clients.  San Francisco-based Robert Blamires adds a dimension to the practice, focusing on cross-border data privacy matters and advising clients on undertaking technology-related transactions. New York-based Serrin Turner is a key defense lawyer for companies dealing with class action litigations following data breaches. Marissa Boynton also navigates clients through privacy and cybersecurity-related issues in corporate transactions as well as the full-spectrum of data mandates. All named lawyers are stationed in Washington DC unless stated otherwise.

Practice head(s):

Jennifer Archie; Antony Kim; Michael Rubin; Serrin Turner

Other key lawyers:

Robert Blamires; Serrin Turner; Marissa Boynton; Clay Northouse

Key clients

Zynga, Inc.


AppsFlyer, Inc.

Accellion, Inc.

e.l.f Cosmetics, Mary Kay, Fiverr


Rent the Runway

Varsity Brands


Propel Holdings

Okta, Inc.

Slack Technologies, Inc. No

Airbnb, Inc

Morrison Foerster

Morrison Foerster specializes in global privacy compliance advice, involving cross-border transfers of data, localizations of data and security issues concerning large-scale outsourcing transactions, as well as data breach class actions. Team head and New York-based Miriam Wugmeister assists international companies with multinational compliance and data security incidents, often co-leading breach preparedness and incident responses to cyber-attacks with San Francisco-stationed Alex Iftimie. Regulatory and compliance matters for a range of clients in the media, retail and entertainment industries forms part of Kristen Mathews practice in New York, while Boston-based Julie O’Neill is the name for intersecting privacy and consumer protection law issues as well as privacy matters concerning cutting edge technology. Likewise, New York-based Marian Waldmann Agarwal advises clients on the impacts of existing and upcoming AI regulation and the Schrems II decision. Privacy litigator Tiffany Cheung, who works in the San Francisco office, defends various media and entertainment companies against BIPA and VPPA putative class actions. From the Los Angeles office Purvi Patel adds a dimension to the practice, defending clients against collection, use and disclosure of personal information claims. Washington DC-stationed Melissa Crespo offers a niche practice, routinely advising healthcare sector clients on privacy and cyber incident responses.

Practice head(s):

Miriam Wugmeister

Other key lawyers:

Alex Iftimie; Julie O’Neill; Purvi Patel; Kristen Mathews; Marian Waldmann Agarwal; Tiffany Cheung; Melissa Crespo;


‘Julie O’Neill is fantastic. She is detailed and thorough and her guidance has always been exceptional. She provided very practicable and executable guidance. I would recommend her to others in need of privacy advice.’

‘Alex Iftimie was great. Very personable, accessible and knowledgeable.’

‘Kristen Mathews stands out as one of the most skilled and competent lawyers we have ever worked with. She is unmatched among any cyber law lawyer and collaborates deftly across teams.’

‘Kristen Mathews is a tremendous support. She spends a great deal of effort investing in successful solutions for my business.’

‘Alex Iftimie has a unique understanding of how to navigate difficult external contact points in a cyber incident.’

‘This team offers an excellent diversity in skill sets, knowledge base, and the associates are extremely capable. This allows a one-stop solution. ‘

‘The firm truly work to understand the business and its needs and feel much more like colleagues than outside counsel.’

‘Excellent cyber team! Very informed and a good grasp of global matters.’

Key clients


American Bankers Association

Ally Bridge Group (HK) Limited


Carlos Lopez & Associates, LLC

Nexstar Media Group, Inc.

Line Corporation





Snap-on, Inc.


Unity Technologies

Warner Music Group

Work highlights

  • Representing Bumble Inc. and certain of its affiliates in five high-profile privacy class actions related to two popular dating apps, Bumble and Badoo.
  • Representing Warner Music Group in 10 data breach class actions filed in California and New York.
  • Advising American Bankers Association on privacy issues.

Orrick, Herrington & Sutcliffe LLP

Shannon Yavorsky, in San Francisco, and Boston-based Heather Egan Sussman co-head Orrick, Herrington & Sutcliffe LLP’s cyber, privacy and data innovation practice. Leader of the strategic advisory and government enforcement team, Sussman, focuses on mitigating the risks of security incidents and complying with government investigations and response procedures. Yavorsky is the key contact for global regulatory advice, such as the CPRA, GDPR and e-privacy directive. With Boston-stationed seasoned litigators and regulatory enforcement defense attorneys Douglas Meal and Michelle Visser on the team, the full scope of cyber law mandates is handled by the practice. Emily Tabatabai in Washington DC is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations. Co-chair of the life sciences group Thora Johnson, also based in Washington DC, works with clients in the biotechnology, healthcare and pharmaceuticals industries in order to structure HIPAA compliance and incident response programs. Stationed in the Seattle office, Aravind Swaminathan covers the full spectrum of contentious cyber law mandates, namely incident response strategies and litigation defenses for clients in the technology and financial services sectors. Boston-posted Seth Harrington remains a key cyber law dispute resolution practitioner. The group completed a merger with Buckley LLP in February 2023, adding a number of partners including former department co-heads Elizabeth McGinn and Amanda Lawrence, both of whom are based in Washington DC.

Practice head(s):

Shannon Yavorsky; Heather Egan Sussman

Other key lawyers:

Douglas Meal; Michelle Visser; Emily Tabatabai; Thora Johnson; Aravind Swaminathan; Seth Harrington; Amanda Lawrence; Elizabeth McGinn

Key clients

Block, Inc.

Carnival Corp.

Dermalogica, LLC

FanDuel, Inc.

Interactive Advertising Bureau

Microsoft Corporation

Shopify Inc.

Wells Fargo Bank N.A.

Zillow Inc.

ZoomInfo Technologies Inc.

Work highlights

  • Representing Microsoft in a biometric privacy class action pending in the Northern District of Illinois alleging that Microsoft violated the Illinois BIPA by failing to get informed consent from Uber drivers in Illinois when Uber used Microsoft’s Face API to verify the drivers’ identities.
  • Represented Shopify in a CCPA class actions.

Venable LLP

The Washington DC-based team at Venable LLP frequently works for clients at the epicenter of the advertising space. Stuart Ingis co-chairs the tech and innovation group with Michael Signorelli, both of whom are key contacts for clients in the ad-tech industry. Ingis and Signorelli are known for counselling leading industry trade associations and coalitions that establish and enforce self-regulation for online advertising, including the ANA, IAB, and NAI. The experienced Emilio Cividanes participates in drafting federal privacy regulation and is skilled in representing companies under FTC investigations, resulting in favorable consent decrees. Cividanes also lobbies Congress and federal agencies on behalf of his clients. Recently appointed co-chair of the privacy and data security group Julia Kernochan Tama assists clients across a range of industries, not limited to financial services, IT and retail, on compliance strategies with privacy and data security laws, and also represents clients facing enforcement action by the FTC. Now a co-chair, Kelly DeMarchis Bastide counsels clients on compliance with federal and state marketing, e-commerce, privacy, security, and advertising laws and regulations. Tara Sugiyama Potashnik represents clients before the FTC, FCC, CFPB and state attorney general on privacy, cybersecurity, communications, marketing and autonomous mobility matters. Reed Freeman departed for ArentFox Schiff in September 2022.

Practice head(s):

Stuart Ingis; Michael Signorelli; Emilio Cividanes; Julia Tama; Kelly DeMarchis Bastide

Other key lawyers:

Tara Sugiyama Potashnik


‘The firm has deep relationships with regulators and legislators in various countries, which we are able to call upon when needed. This includes regulators in the UK, Ireland and Argentina among other countries.’

‘The firm and each one of the partners and associates with whom we work are incredibly well versed in our areas and focused on practical solutions.’

‘With Venable, you start off with great advice on day 1This is a testament to a terrific vetting and hiring process as well as a focus on cintinuing industry education by all the partners for incoming professionals.’ 

‘Mike Signorelli really does a great job.’ 

Key clients

Privacy for America

Lidar Coalition

National Business Coalition on E-Commerce and Privacy

Autonomous Vehicle Industry Association

Work highlights

  • Advising Privacy for America in dialogue with Senate and House staff as well as other regulators to drive developments advancing comprehensive data privacy legislation in the US.
  • Acting as general counsel for the Lidar Coalition on the advocacy for and drafting of landmark infrastructure legislation as well as other regulatory matters.
  • Advising the National Business Coalition on compliance and privacy issues.


San Francisco-based Natasha Kohne and Dallas-stationed Michelle Reed, co-heads of Akin’s data privacy team, advise clients from a range of industries, including retailers, data brokers, healthcare services, energy companies and private equity firms, on the full range of cyber law and data privacy mandates.  The pair have expertise in dealing with class action litigations, regulatory actions, law enforcement enquiries and incident response preparations. Kohne is also a key contact for global mandates, working on high profile cybersecurity projects in the Middle East. Jo-Ellyn Sakowitz Klein, in Washington DC, is the firm’s specialist on healthcare and life sciences data-related matters involving HIPAA and HITECH regulations. The team frequently provides federal policy advice to large defense contracts and global companies for the development of privacy issues. A cross-disciplinary approach with the litigation, white-collar, international trade and public law and policy teams is a key feature of the team.

Practice head(s):

Natasha Kohne; Michelle Reed

Other key lawyers:

Jo-Ellyn Sakowitz Klein

Key clients


Apollo Global Management

Arthur Hayes


CenterPoint Energy


Eastman Kodak Company

Endava plc

FireEye Inc.

Franciscan Health

Helen of Troy Limited

Hydro Flask

Metro New York

NTT Global Data Centers


Starboard Value Acquisition Corp.

The Vanguard Group

USA Waste-Management Resources, LLC



Work highlights

  • Represented Altice USA, Inc. in a putative class action in the Southern District of New York arising from a data security incident.
  • Representing ClearBalance in multiple consumer class actions in California state and district courts related to a data breach that occurred in March 2021, involving alleged violations of the California Consumer Privacy Act (CCPA), California Confidentiality of Medical Information Act, California Consumer Records Act, California’s Unfair Competition Law, as well as other statutory and common law claims.


BakerHostetler routinely undertakes privacy compliance and incident response advisory work pertaining to ransomware attacks and attempted cyber-attacks, as part of a broad practice that also encompasses regulatory guidance, review and design of data privacy and data protection policies, and defense against cyber incident claims. The firm also takes on niche work for Native American Tribes and Alaska Native Organizations on matters concerning the exercise of tribal sovereignty and privacy law compliance. New York-based Theodore J. Kobus III counsels high-profile clients on compliance matters, development of response strategies and defense of class actions, and is also a key name for clients in the healthcare space, defending clients in a plethora of OCR investigations. In Cincinnati, Craig Hoffman focuses on FTC regulatory enforcement investigations, while at the Houston office, head of the healthcare privacy and compliance practice Lynn Sessions works on breach responses and privacy strategies, such as advising health system clients on potential legal obligations regarding Facebook pixel technology. Likewise, Denver-stationed Casie Collignon is a key contact for healthcare companies, representing in putative class actions and advising on response to cyber incidents. New York’s Nichole Sterling is noted for her expertise in cross-border data transfer mandates.

Practice head(s):

Theodore Kobus III

Other key lawyers:

Lynn Sessions; Craig Hoffman; Casie Collignon; Sara Goldstein; Andreas Kaltsounis; Taylor Bloom; Nichole Sterling


‘This firm works with an array of retail and hospitality clients, which gives them direct experience with a variety of different programs. The firm’s advisory in privacy compliance and cybersecurity has been consistently strong.’

‘Nichole Sterling has been standout for her practical expertise in working with cross-border regulatory matters.’

‘Ted Kobus has been excellent in advising on cost-effective solutions.’

Diverse group of attorneys providing guidance and experience across the entire data lifecycle.

Key clients

The Coca-Cola Company


Qurate Retail Group

Compass USA

Focus Brands LLC

State of Maryland


La-Z-Boy Incorporated

Forty Niners Football Company LLC

Abbott Laboratories

Duke University Health System

Cardinal Health

Tandem Diabetes Care, Inc.

Nebraska Medicine

University of Florida Health


Volkswagen Group of America

The Regents of the University of California

Canon, U.S.A., Inc.

Ulta Beauty

Work highlights

  • Defending healthcare entities against claims alleging the sharing of patient information with Facebook, Google Analytics and other AdTech companies.
  • Defending Marriott from regulatory enforcement investigations by the US multistate attorneys general group and FTC.

Debevoise & Plimpton LLP

With the addition of Erez Liebermann in New York at partner level from Linklaters LLP in June 2022, Debevoise & Plimpton LLP has furthered the depth of its cyber incident response advisory team. Luke Dembosky and Avi Gesser, respectively based in Washington DC and New York, co-chair the global data strategy and security practice. High profile companies, including Meta Platforms, call on Gesser’s advice for global AI regulatory readiness strategies, while Dembosky is the go-to for cyber-related investigations. New York-stationed litigator Jim Pastore responds to and investigates data breaches, while white collar defense specialist Lisa Zornberg, who also works from the New York office, takes on cyber investigations for corporate and financial institutions. Counsels Johanna Skrzypczyk and Christopher Ford, based in New York and San Francisco respectively, as well as New York-based associate Anna Gressel are key members of the team.

Practice head(s):

Luke Dembosky; Avi Gesser

Other key lawyers:

Erez Liebermann; Jim Pastore; Lisa Zornberg; Johanna Skrzypczyk; Christopher Ford; Anna Gressel


‘Debevoise has some of the finest legal minds I know working in this area.’

‘The attorneys at Debevoise have fantastic experience and backgrounds. There are several lawyers there who I can trust will understand the most complex issues I can throw at them with little or no lead time; they just get it. This saves time, money, and complexity.’

‘The attorneys are always willing to work with us and provide help even at low cost.’

‘Excellent team.’

‘In cyber response, they are unprecedented.’

‘Clever, commercial, pragmatic and a pleasure to work with.’

‘Luke Dembosky is brilliant, clever, and a leader in this field.’

Key clients

American Express

Bloomberg L.P.

Capital One



National Basketball Association

Prudential Financial

Take-Two Interactive Software, Inc./Rockstar Games

Warner Music Group

WPP Group

Ultimate Kronos Group

Work highlights

  • Representing SolarWinds in connection with the high-profile nation state cyberattack that impacted the company’s Orion products and internal systems.
  • Advising Meta Platforms Inc. on the company’s global AI regulatory readiness strategy.
  • Assisting UKG, a leading provider of HR, payroll, and workforce management solutions, following a ransomware incident carried out by a well-known threat group affecting UKG’s Kronos Private Cloud (“KPC”) product.

Dechert LLP

The experienced Brenda Sharton, co-chair of Dechert LLP‘s global privacy and cybersecurity practice from the Boston office, handles high profile data breaches, not limited to ransomware attacks and business email interruptions brought about by a range of threat actors, including nation states, organized crime groups and insiders. Sharton also defends clients against government investigations and enforcement actions brought by global and US regulators, namely the FTC, SEC and OCR for HIPAA breaches. Also working from Boston, trial litigator Timothy Blank advises technology, biotechnology and investment firms on privacy risks in relation to US state and global regulations, drafting security programs, class action defenses, responding to data breaches and FTC investigations. Los Angeles-based Kevin Cahill advises on complex and nuanced issues related to the scope of the CCPA’s GLBA carve-out and its impact on personal information collected from investors across various channels. Charlotte-stationed associate Hilary Bonaccorsi is a key contact for financial institutions and registered investment advisors on the SEC’s privacy regulations. Bonaccorsi also focuses on developing compliance programs related to the development and purchase of alternative data sets and web scrapping risks. Former co-chair Karen Neuman has retired.

Practice head(s):

Brenda Sharton

Other key lawyers:

Timothy Blank; Kevin Cahill; Hilary Bonaccorsi


‘Brenda Sharton is a brilliant lawyer and a great client advocate. She is the lawyer you want in your corner. As a seasoned litigator and an experienced data security lawyer, she manages crises with confidence, finesse and strategy. Brenda will get into the weeds with the technical team and in the same breath turn to the legal team to interpret the significance and how it aligns with the bigger picture.’

‘Brenda Sharton is knowledgeable, sharp, insightful and responsive. She is very good at negotiating. She knows when to push hard and when to play soft tunes to foster good relationships with different government agencies.’

‘Dechert team is the top-tier attorney team on privacy policy and cyber security with a lot of experiences and knowledge. They solve the problems. They are super good at communication and always get to the key point. While they are knowledgeable with a lot of experiences, they are also receptive to different opinions.’ 

‘The team have a broad spectrum of knowledge and work very closely with clients. They provide expert advice along with pragmatic solutions.’ 

‘Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation.’

‘The practice is led by Brenda Sharton. She brings a wealth of experience to the firm.’ 

The privacy and security team collaborates seamlessly across the globe when advising clients.’

‘The outstanding lawyers I deal with are Hilary Bonaccorsi, Madeleine White, Olaf Fasshauer and Tim Blank. They all have an incredible work ethic and are able to distill the legal issues in a very simple and business-friendly way. They understand that legal solutions must work not just for the lawyers but for the businesses.’ 

Key clients

Flo Health, Inc.

Moderna, Inc.

Pearson, plc

Cano Health, Inc.

GIC Special Investments Pte. Ltd.

Easy Healthcare Corp

Rockstar Games

Chase Bank USA, N.A.

Work highlights

  • Advised Flo Health, on its regulatory and litigation matters around the globe—including a dozen class actions alleging privacy policy violations, and for advice on a new product feature designed to further protect user privacy in the face of the overturning of Roe v. Wade.
  • Advised Moderna as lead counsel, on privacy and cybersecurity matters related to safeguarding the vaccine and compliance with global privacy laws, as well as in connection with the publicized European Medicines Agency (EMA) data breach of Covid-19 vaccine information.
  • Advising Pearson on a cyberattack and the subsequent SEC investigation as well as other aspects related to privacy and cybersecurity counseling matters more generally.

Gibson, Dunn & Crutcher LLP

The team at Gibson, Dunn & Crutcher LLP handles the full range of mandates, including global privacy compliance program developments, FTC and regulatory investigations, class action litigation and cyber due diligence for corporate transactions. The privacy, cybersecurity team also assists major tech companies in strategic product counselling. New York-based Alexander Southwell, a specialist practitioner in advising clients on data breaches and cyber fraud crises, and Palo Alto-stationed Ashlie Beringer, experienced in representing media and tech companies in various non-contentious and contentious matters, head the team. Ryan Bergsieker, in Denver, focuses on cyber-related white-collar defenses and government investigations. Co-chair of the AI and automated systems team, based in Palo Alto, Cassandra Gaedt-Sheckter works on legal and regulatory compliance with the CPRA, GDPR and COPPA as well as other federal state regulations. Former Director of the DOJ’s Consumer Protection Branch, Gustav Eyler in Washington DC, adds depth to the practice group, having re-joined the Washington DDC office in November 2022. Other key advisors for big tech clients include Lauren Goldman and Vivek Mohan, who both arrived from Mayer Brown in the summer of 2022- the former is based in New York, while the latter is in Palo Alto. Rosemarie Ring, in San Francisco, Ashley Rogers, in Dallas, and Eric Vandevelde, in Los Angeles, are also names to note. Joining in April 2022 from an in-house position, former FTC official Svetlana S. Gans is noted for her expertise in digital platform matters.

Practice head(s):

Alexander Southwell; Ashlie Beringer

Other key lawyers:

Ryan Bergsieker; Cassandra Gaedt-Sheckter; Gustav Eyler; Lauren Goldman; Vivek Mohan; Rosemarie Ring; Ashley Rogers; Eric Vandevelde; Svetlana S. Gans

Key clients

Meta Platforms Inc







Mayer Brown

Mayer Brown has a niche specialism in the innovative industries, such as electrical, healthcare and automotive, in particular working on autonomous vehicle security issues. As a reputable voice in the cybersecurity arena and head of the global cybersecurity and data privacy practice Rajesh De, in Washington DC, focuses on cutting-edge legal and policy issues at the intersections of tech, national security, law enforcement and privacy. De is a go-to name for internet service providers and automotive manufacturers for transnational privacy compliance advice. Los Angeles-based John Nadolenco is a key litigator for clients in the automotive sector. Having joined in April 2022 from Perkins Coie LLP, Los Angeles-stationed Domique Shelton Leipzig leads the global innovation, ad tech privacy and data management teams, advising big tech companies. Another new arrival from Perkins Coie LLP in Los Angeles, Arsen Kourinian, specializes in data flows, cross-border data transfers and privacy due diligence assessments for M&A. An additional dimension to the practice is brought by cyber expert Washington DC-based David Simon, who is experienced in advising victims of state-sponsored cyber activity, ransomware activity and various forms of cyber extortion attacks. Also in Washington DC, Stephen Lilley is another key name to note, co-leading compliance and cyber risk advisory mandates alongside De. Vivek Mohan and Lauren Goldman departed in July 2022.

Practice head(s):

Rajesh De

Other key lawyers:

Dominique Shelton Leipzig; Arsen Kourinian; David Simon; Stephen Lilley; John Nadolenco


The Mayer Brown team is incredibly responsive and provides very thorough and creative guidance.’

The practitioners understand the political environment and are calm as well as authoritative when they need to be; they will defer to me when I need them to.’

The firm understands the interplay between privacy, cybersecurity and data law and helps me identify other issues.’

Mayer Brown has a powerhouse team that supports my needs.’

Stephen Lilley is my primary contact. We have a very strong and relaxed relationship and I know that I can depend on him. He has a  very strong skillset in the areas of cybersecurity and information security; he keeps me well appraised on what’s going on in this rapidly evolving space.

Rajesh De is a great leader for this team; always available with a deep understanding of my business and what else is happening around the world.

Key clients

Automotive Alliance for Innovation

General Motors



Waymo LLC

The Carlyle Group

Palo Alto Networks

Gryphon Investors

US Cyberspace Solarium Commission

21st Century Privacy Coalition

Work highlights

  • Represented Automotive Alliance for Innovation, the entire auto industry, in challenging the constitutionality of a Massachusetts ballot initiative that requires car companies to share data generated by their vehicles.
  • Advising BECU on a class action lawsuits alleging that the credit union failed to protect the personal information of its members in the wake of a ransomware attack on a third-party vendor that printed monthly account statements.
  • Advised Waymo LLC, Alphabet Inc.’s autonomous vehicle subsidiary, on how to prevent the California Department of Motor Vehicles (DMV) from publicizing “sensitive trade secret information and records” about its autonomous vehicle program.

Reed Smith LLP

Reed Smith LLP’s nationwide US privacy law team provides high profile clients in various industries, not limited to life sciences, big tech and financial services, the full range of legal services, including compliance strategies, defenses against data-related class actions and assistance in connection with FTC investigations as well as incident responses. Working from Washington DC, experienced litigator Gerard Stegmaier focuses on privacy-centered corporate governance, IP and IoT issues. Stegmaier continues to represent companies in connection with big tech issues concerning global antitrust and competition laws and authorities. Data governance specialist Sarah Bruno, based in San Francisco, counsels companies on collections, uses and transfers of data in harmony with CCPA, COPPA, GDPR and Shield Act regulations. Monique Bhargava and Robert Newman, both stationed in Chicago, handle converging advertising and emerging technology matters as well as deals involving data assets. Bart Huffman and Wendell Bartnick left the firm in August 2022. Catherine Castaldo, in New York, was promoted to partner in January 2023.

Practice head(s):

Herb Kozlov

Other key lawyers:

Gerard Stegmaier; Sarah Bruno; Monique Bhargava; Robert Newman; Catherine Castaldo

Ropes & Gray LLP

Leveraging its global network of offices across the world, with particular advantages held in the cross-Atlantic collaboration between the data privacy team in Washington DC led by Edward McNicholas and the firm's UK presence enables Ropes & Gray LLP to provide solutions to multinational clients operating in a plethora of jurisdictions. The firm works on the full range of issues in the cyber and data privacy space: litigation involving the use and collection of consumer data and cybersecurity incidents, compliance counselling on the topic of the commercialization of data and emerging technologies, and the identification of privacy and cyber risks part of corporate transactions. McNicholas is the key name for companies requiring contentious assistance following data breaches and cyber-attacks. Washington DC-based Fran Faircloth is also a key practitioner for clients requiring assistance following a data breach.

Practice head(s):

Edward McNicholas

Other key lawyers:

Fran Faircloth


‘Practical client-focused advice’

Key clients

Kevin Thompson

America’s Test Kitchen, Inc.

Advocate Aurora Health






WilmerHale’s Washington DC-based cross-disciplinary practice converges privacy, corporate governance, national security and litigation in order to navigate clients through cyber incidents, provide compliance strategies and data-related risk evaluations part of transactions. Co-chair of the privacy practice Benjamin Powell advises clients from a range of sectors, including banking, software, retail, life sciences and media on cyber incidents and data breach investigations. Co-chair Kirk Nahra is the key contact for clients requiring implementation of privacy and data security laws on a domestic and global scale. Jason Chipman focuses on data due diligence part of corporate transactions, while special counsel Arianna Evers works with clients on cybersecurity risk and privacy impact assessments.

Practice head(s):

Benjamin Powell; Kirk Nahra

Other key lawyers:

Jason Chipman; Arianna Evers; Ali Jessani


‘Kirk J. Nahra is an excellent lawyer who is extremely well-versed in HIPAA and data privacy matters – particularly in the healthcare sector. He is active in voluntary bar associations and is always willing to collaborate and teach his fellow lawyers.’

‘The practice is unique in that it is both well-versed in healthcare privacy issues, but also cybersecurity matters.The practice has built, support, and promoted a diverse team of attorneys.’

‘The team always makes themselves available and is ready to answer questions from the very mundane to the very complex.’

‘Kirk Nahra has consistently proven himself to be a valuable asset in my outside counsel arsenal.

‘I work closely Arianna Evers and Ali Jessani. Both are incredibly thoughtful and insightful. The firm’s team in general makes me feel welcome.’

‘Thorough knowledge of the issues at hand, dedication to get it done right, ability to understand what needs to be addressed in order to successfully navigate a regulator’s request.’

‘Complete expertise over the subject matter and willingness to dig into to learn even more when necessary.’

Alston & Bird LLP

Alston & Bird LLP assists Fortune 500 and blue-chip companies in global compliance strategies and litigation matters. Following the retirement of former head Jim Harvey, the privacy and cybersecurity team is now led by Atlanta-based duo David Keating and Kristine Brown alongside Kimberly Peretti, in Washington DC. Brown focuses on defending clients against putative class actions arising from data breaches, while Keating is the key name for clients in the fast-food restaurant space on AdTech privacy compliance matters and cybersecurity program developments. Peretti is noted for her expertise in cyber crisis and data breach readiness mandates. Other key practitioners include Atlanta-stationed Donald Houser, Kellen Dwyer and Amy Mushahwar, who are both based in Washington DC.

Practice head(s):

David Keating; Kim Peretti; Kristy Brown

Other key lawyers:

Donald Houser; Kellen Dwyer; Amy Mushahwar

Key clients


Cross-Border Data Forum

McDonald’s Corporation


Parexel International

Work highlights

  • Advised UPS on its California / Virginia / Colorado privacy compliance initiative and continuing to represent the organization as outside privacy counsel on U.S. and E.U. data protection matters, including digital privacy, data transfer, and cybersecurity.
  • Advising Cross Border Data Forum on broad data issues.

Cleary Gottlieb Steen & Hamilton LLP

With the May 2022 arrival of San Francisco-based intellectual property and data privacy specialist Marcela Robledo from Baker McKenzie LLP, Cleary Gottlieb Steen & Hamilton has deepened its expertise in advising clients on the data and tech aspects of corporate and commercial transactions. Daniel Ilan represents leading multinational corporations and private equity firms in privacy, cybersecurity and technology issues arising in transactional contexts, with a special focus on transactions involving acquisition of investments in cutting-edge technologies. Jonathan Kolodner focuses on white-collar criminal enforcement and regulatory matters, particularly advising client on data breaches and crisis management. Likewise, Rahul Mukhi is a key contact for data-related criminal, securities and enforcement matters. The team also assists clients with privacy compliance matters and responding to cyber-attacks. Named lawyers are in New York unless otherwise stated.

Other key lawyers:

Daniel Ilan; Jonathan Kolodner; Rahul Mukhi; Marcela Robledo

Key clients

Sony Interactive Entertainment

Sony Corporation

American Express

Goldman Sachs

Wag Labs, Inc.

Giorgio Armani Corporation


Warburg Pincus LLC



American Express

Innocap Investment Management

Work highlights

  • Represented Sony Interactive Entertainment LLC in its $3.6 billion acquisition of Bungie Inc.

Davis+Gilbert LLP

Based in New York, Davis+Gilbert LLP is known for its niche specialism in the advertising, marketing and promotions as well as ad fraud and brand safety spaces. Gary A Kibel is a key contact for clients operating in digital media, focusing on implementing compliance programs and assisting clients incorporate new concepts into existing infrastructures. Richard Eisert, a specialist on intersecting IP and data privacy matters, advises start-ups and high-profile companies on complex advertising and promotional issues in regulated and cutting-edge areas. Counsel Oriyan Gitig is a key contact for creative agencies and technology companies seeking advice on privacy and data security obligations. Associate Zach Klein is the main contact for data security incident, breach response, false advertising and unfair trade issues. Associate Emily Catron leverages her experience of working in AdTech to navigate agencies and advertisers through evolving privacy laws.

Practice head(s):

Richard Eisert; Gary A Kibel

Other key lawyers:

Oriyan Gitig; Zach Klein; Emily Catron

Key clients

Vistar Media


Arcspan Media

GPS Trackit

Magellan AI




Actable Data

Ardsley Media


Giant Spoon

Eversheds Sutherland

Eversheds Sutherland leverages its global presence and experienced US bench of privacy and data security specialists to assist leading big-tech companies with data privacy matters pertaining to innovative product advances and breach response programs. The firm also clients on state, federal and international levels. US and multinational corporations call on global practice co-head, based in Washington DC, Michael Bahar, for advice on all areas of cyber and privacy law ranging from responding to global critical infrastructure data breaches to global compliance program harmonization mandates. Brandi Taylor, in San Diego, is the firm’s West Coast data lead, and focuses on preparing companies for regulatory changes, routinely working on multi-jurisdiction privacy compliance programs, with a niche specialism on AR and VR product development. Washington DC-stationed Mary Jane Wilson-Bilik is a key name for advice on privacy policies concerning the use of cookies and website advertising, and also assists clients, such as global insurance companies with privacy aspects of its digital transformations.

Practice head(s):

Michael Bahar

Other key lawyers:

Brandi Taylor; Mary Jane Wilson-Bilik

Work highlights

  • Assisted a global retailer with privacy and cybersecurity matters in the US and internationally, including advising the client on the investigation and analysis of being a victim of data theft.

Fenwick & West LLP

Data privacy specialist and head of Fenwick & West LLP‘s cybersecurity and privacy team, Tyler Newby in San Francisco, is sought out by big technology, advertising and retail companies on the full range of mandates, including data mapping issues, privacy compliance programs, state level consumer class action defense, and cyber due diligence. Newby also advises clients in the healthcare, gaming and robotics industries. New York-based counsel David Feder assists Newby with the full scope of matters but also leads cyber-attack responses for clients in the advanced technology space. Counsel Ana Razmazma, in the Silicon Valley office, is the key contact for US and global privacy risks pertaining to M&A. 'All star' associate in San Francisco Brent Tuttle is also a key name to note for privacy compliance strategies.

Practice head(s):

Tyler Newby

Other key lawyers:

David Feder; Ana Razmazda; Brent Tuttle


‘We found the Fenwick privacy team to be the leader in providing our In-House Legal Team with guidance on International Data Privacy, Cybersecurity and related legislation.’

‘We utilize this firm for our most complex issues, as well as updating forms and providing critical day-to-day advice on myriad customer and supplier facing matters.’

‘The Fenwick team generally, and individuals like Brent Tuttle specifically, have simply earned our trust.’

Key clients








Hill International

Transatlantic Reinsurance

CLS Behring

Work highlights

  • Advised InMobi on implementing privacy and cybersecurity programs its forthcoming U.S. launch of its Glance content platform.


The data privacy and cybersecurity team at Goodwin frequently advises a range of clients not limited to tech companies and financial institutions on the implementation of privacy compliance strategies of existing and new services and cyber due diligences as well as requirements as part of transactions. The team also has a strong record on metaverse-related products, ensuring data processing activities are compliant also forms part of the firm’s non-contentious focused practice. New York-based Boris Segalis co-heads the practice alongside tech-related transactions and licensing specialist Stephen Charkoudian, stationed in Boston. Omer Tene, also in Boston, works with Segalis on the full scope of compliance issues, including aspects of data sharing and data processing matters. The early 2022 arrival of New York-based Judson Welle from Nardello & Co furthers the firm’s specialism in the regulatory assistance space. New York-stationed Jacqueline Klosek and Washington-stationed Kaylee Bankston remain key contacts for clients. David Kantrowitz  has departed the firm.

Practice head(s):

Steve Charkoudian; Boris Segalis

Other key lawyers:

Omer Tene; Judson Welle; Jacqueline Klosek; Kaylee Bankston


‘Very responsive and excellent, practical advice.’

Boris Segalis has the depth of knowledge you need from a partner but what makes him stand out is that his advice is always practical.

Key clients

Best Buy

BJ’s Wholesale Club

Collibra NV





Metropolitan Transportation Authority

National Public Radio

New Balance Athletics, Inc.

PriceWaterhouseCoopers LLP


Work highlights

  • Advising DailyPay on all aspects of privacy and cybersecurity in connection with the company’s existing services, the development and implementation of additional financial services, and engagement with the company’s business customers.
  • Advised iRobot on privacy and cybersecurity aspects of the company’s sale to Amazon and continues to advise the company on compliance with privacy and cybersecurity requirements in Europe.

Jones Day

Jones Day leverages its global presence on mass cyber incident responses perpetrated by nation-state threat actors. Mandates include directing forensic investigations, ransom payment strategies, law enforcement engagements, and defending victim companies against FTC, SEC investigations and litigation, including class actions and commercial disputes. Boston-based practice head Lisa Ropple is the key contact for high-profile clients requiring assistance following cyberattacks. Mauricio Paez , in the New York office, is an expert on emerging tech issues, such as consumer IoT protections, big data analytics, AI, terrestrial and space-based commercial data services. Supported by New York-stationed Kerianne Tobitsch, Paez advises on safeguarding data assets, cross-border data transfers and cybersecurity risk management as part of commercial and corporate transactions. Seasoned litigator in Irvine John Vogt represents clients facing class actions under the FCRA, TCPA and EFTA. The team frequently represent clients in class action defenses following malware attacks and uses of data. Edward Chang, also based in Irvine, is a key name to note.

Practice head(s):

Lisa Ropple

Other key lawyers:

Mauricio Paez; John Vogt; Kerianne Tobitsch; Edward Chang


‘Jones Day has a strong team and is second to none in the area of cyber law. They can handle the most complex matters and guide them to a successful conclusion.’

‘Lisa Ropple is a superstar in cyber law and a national leader within the bar. She has an incredible ability to develop winning strategies and then to make them a reality. She commands respect with company executives, government officials, and opposing counsel.’

‘The Jones Day team is incredibly client focused. Superior client service is their mission and they deliver through all aspects of an engagement.’

Jones Day primarily represents large global firm clients and if you want dedicated attention, this is the team to hire for a cyber-related issue.’

‘One area to highlight is the diversity of the practice. Lisa Ropple is leading the practice group and in the last six years she has transformed the practice. When she took the helm, there were no women partners and now there is a great bench of diverse women leading client engagements and data breach investigations.’

‘I appreciate their dedication to customer outreach and education. They have instituted mechanisms to inform in-house counsel of relevant changes in the law in real time in addition to a quarterly briefing on the major headlines.’

‘The lawyers we work most often with are Lisa Ropple and Mauricio Paez. Lisa Ropple is the lawyer you want in your corner. She works tirelessly and aggressively to advocate for her clients and will ask the tough questions of vendors and stakeholders to get to the answers needed to form her recommendations.

Mauricio Paez is at the forefront of guiding clients through complicated, cross-border and novel new data transfer and transaction related issues. You can feel his energy and passion on calls and feel comfortable knowing he is leading you through new territory.’

Key clients

Applus Technologies, Inc.

Internet Corporation of Assigned Names and Numbers (ICANN)

Experian Information Solutions, Inc.

HDR, Inc.

Work highlights

  • Advising ICANN on its negotiations with domain name registries, registrars, data protection authorities, and internet stakeholder groups regarding the global data privacy implications of gTLD data and public access through WHOIS, as well as data protection compliance challenges for data sharing.
  • Defended HDR on class action asserted claims under the ECPA claiming the firm has deployed social listening tools to monitor communications within private Facebook groups.
  • Defended Applus Technologies against a class action regarding a malware attack, which the plaintiffs allege resulted in the compromise of personal identifying information.

Kelley Drye & Warren LLP

Kelley Drye & Warren LLP is routinely sought out by clients for its specialism in intersecting advertising and privacy law matters. The team leads numerous industry-driven policy initiatives with the IAB, NAI and ABA, who are all key players in the digital advertising space. Head of the cyber law and data privacy practice Alysa Hutnik represents a range of companies in FTC and state attorneys general Investigations, and is also known for her work in the adtech compliance space, having led policy initiatives within key self-regulatory groups, addressing new state privacy laws. Experienced commercial litigator in New Jersey Lauri Mazzuchetti focuses on class action defense, involving TCPA disputes. Aaron Burstein is the key contact for clients seeking advice on legislative and regulatory developments affecting cutting-edge technologies. Laura Riposo VanDruff and Jessica Rich, who both have a background of working for the FTC, with the latter a former director at the FTC’s BCP, provide clients with both compliance and investigatory advice concerning federal and state laws. Iona Gorecki arrived as a special counsel from the FTC in August 2022. All named lawyers are based in Washington DC unless otherwise stated.

Practice head(s):

Alysa Hutnik

Other key lawyers:

Lauri Mazzuchetti; Aaron Burstein; . Laura Riposo VanDruff; Jessica Rich; Iona Gorecki


‘Kelley Drye has an exceptional bench of partners and associates focused on data privacy with tremendous value added from attorneys having practiced in high level government positions’

‘Kelley Drye is a large firm but has a small firm, personal touch to how it works with clients.’

‘Alysa Hutnik is a Tier 1 data privacy attorney. She is exceptional when it comes to providing practical and succinct advice.’

Key clients


Dollar Shave Club

H&R Block


Interactive Advertising Bureau (IAB)


DISH Network

Keurig Dr Pepper

Kohl’s Department Stores

The Walt Disney Company

Work highlights

  • Assisted Walgreens with interpreting existing state laws applicable to hearing aids, tracking and navigating FDA’s proposed and final rules.
  • Assisting Unilever with regulatory and transactional matters.
  • Supporting the Interactive Advertising Bureau’s efforts to educate its members on CCPA and state privacy law requirements.

King & Spalding LLP

Internal investigations following cyber incidents and data governance assistance are frequent mandates for King & Spalding LLP‘s government matters, trial and global disputes department. Chief privacy officer based in Atlanta Phyllis Sumner represents US banks, insurance, pharma, hotel chain and consulting companies in comprehensive responses to high-profile data breaches. Also in Atlanta, David Balser is regularly the first port of call for companies facing data breach litigation claims, brought by a class of consumers and state Attorneys General. Head of the government matters team, in Chicago, Zachary Fardon leverages his white-collar defense and investigations experience to advise financial services firms on government investigations concerning data breaches. Based in Washington DC, Robert Hudock prepares clients for cyber-attacks by implementing information security programs and complying with federal and state specific requirements. Elizabeth Adler, in Atlanta, focuses on multi-district class action defenses arising out of prominent data security incidents. Sean Royall, a consumer protection and antitrust litigator, joined the New York office from Sidley Austin LLP in August 2023.

Practice head(s):

Phyllis Sumner; David Balser; Zachary Fardon

Other key lawyers:

Robert Hudock; Elizabeth Adler; Sean Royall


‘The K&S team takes a holistic view of privacy and cyber when providing advice. They are well versed with the regulations and laws related to cyber. They can provide pointed, relevant and well-thought support.’

‘Responsive, always available, willing to understand your business to provide the most relevant guidance. Phyllis Sumner, Elizabeth Adler and Misty Peterson have all taken this approach to provide excellent client support.’

‘Phyllis Sumner is an absolute star. She is one of the most gifted and calm practitioners that I have ever worked with. She has been instrumental in turning around a case that was quite challenging and headed in a difficult direction and has worked very well under difficult circumstances with other counsel, regulators, and internal senior leaders.’

Key clients

Align Technology

Arthur J. Gallagher & Co.

Capital One

Coca-Cola Company

Deloitte Consulting

Equifax, Inc.

General Motors

Integrity Marketing Group

Little Caesar Enterprises, Inc.

National Western Life Insurance

Novant Health

Nuance Communications


Red Beacon, Inc.

ReproSource Fertility Diagnostics, Inc.

Shutterfly, LLC


Subaru of America Inc.

The Home Depot, Inc.

The Gap, Inc.

Google, Inc.

Work highlights

  • Defended Capital One as lead counsel in over 60 consumer class actions filed in federal courts arising from a data breach incident announcement in July 2019 involving the compromise of personal information of a significant number of customers.
  • Assisted Google in its investigation and disruption of the novel Glupteba botnet, which used malware to infect and hijack victim computers and then surreptitiously instruct those victim computers to execute commands issued by cybercriminals.
  • Represented The Gap and The Home Depot in a privacy class action brought against some of the country’s largest retailers and a third-party fraud protection vendor, under the CCPA.

Manatt, Phelps & Phillips, LLP

Serving at the cross-roads of corporate data and operational risk and spanning the range of proactive and responsive cybersecurity and data protection matters is at the core of Manatt, Phelps & Phillips, LLP’s data security and privacy practice. The nationwide team is co-led by Scott Lashway in Boston and Donna Wilson in Los Angeles- Lashway frequently advises a range of companies, including private equity and technology players, on privacy program implementations, data due diligences, incident responses and government investigations, while Wilson is a key contact for clients in the financial services space requiring strategic data security advice. The litigation expertise of Christopher Lisy, in Boston, adds a layer to the practice, while Orange County-stationed Brandon Reilly specializes in matters concerning incident response and strategic uses of data. Kaylee Cox Bankston departed in September 2022.

Practice head(s):

Donna Wilson; Scott Lashway

Other key lawyers:

Christopher Lisy; Brandon Reilly


‘Brandon Reilly has deep privacy law knowledge and has advised significant software providers giving him a unique perspective on compliance strategies.’

‘The Manatt team offers a variety of subject matter experts in various disciplines to assist us with complex legal matters. Their deep understanding of relevant and current legal and business challenges is unmatched.’

‘The Manatt team is able to help us find creative solutions to key legal issues as we innovate. They differentiate themselves from others in the ability to synthesize information and help transform it into a legal strategy. 

‘Scott Lashway is a stand out in many ways. His client service skills are best in the business. He’s always responsive and meets our timelines, even when we have last minute requests and escalated deadlines. He is incredibly knowledgeable and is able to see the big picture legal risks that might other require multiple attorneys in a variety of disciplines.’

‘The team is highly efficient and responsive. Even though we are a small client, we always feel prioritized and important, for which we are very grateful.

‘We find that the team is able to handle all of our requests, no matter how big or small, and that even larger and more complex requests are always handled carefully, professionally, and efficiently.’

‘We feel that we can always rely on the advice we receive from the team and that we are in good hands when making risk-based assessments.’

‘Brandon Reilly is absolutely unparalleled in his knowledge not only of the latest privacy laws and regulations across various jurisdictions but of the underlying technological infrastructure impacted by these laws and regulations. He is exceptional in his ability to understand how businesses leverage data and to offer advice that is appropriate to each business’s resources, risk profile, and industry.’ 

Key clients

Francisco Partners Management LP

Meyer Corp.

MassMutual Financial Group

New York eHealth Collaborative

Ann & Robert H. Lurie Children’s Hospital

Work highlights

  • Represented Francisco Partners Management LP, in connection with its acquisition of a controlling interest in Kobalt, on the privacy and cybersecurity posture and risks at Kobalt as part of an overall business-oriented diligence process.

McDermott Will & Emery LLP

With the arrival of Washington DC-based duo Elliot Golding and senior counsel Robin Campbell  from Squire Patton Boggs in April 2022 as well as Kathryn Linsky, in New York, from an in-house position in August 2022, McDermott Will & Emery LLP has deepened its broad global privacy and cybersecurity group. Linsky focuses on privacy by design when advising clients on product and feature developments frequently involving AI and machine learning. The arrival of Campbell adds a dimension to the team with her specialism on undertaking global data compliance and breach response strategies in the autonomous vehicles and connected cars space. Likewise, Golding’s experience in working on innovative data compliance issues involving health-tech, biometrics, ad-tech and data monetization deepens the team’s expertise. Head of the US team Michael Morgan, based in Silicon Valley, works on both complex breach responses and global compliance strategies, involving US state privacy laws, GDPR and China’s Network Security Law. Boston-stationed Edward Zacharias and Daniel Gottlieb, in Chicago, are the key names for healthcare providers, insurers, pharmacies and medical device manufacturers on HIPAA compliance and investigation matters. Also in Chicago, Ryan Higgins is a further name to note for healthcare companies for data arrangements concerning transactions, while Jiayan Chen in Washington DC, covers big data issues pertaining to clinical laboratories, bioassets and big data transactions. Todd McClelland, in Atlanta, not only advises technology driven companies on responses to cyber incidents and also assists on pre-breach activities, namely incident response plan designs, vendor penetration testing and cyber tabletops. David Saunders in Chicago, is a key contact for state and federal level compliance advice.


‘Jiayan Chen is a subject matter expert with an extremely high degree of professionalism. She adroitly communicates with counter-parties and she is willing to think out of the box.

‘The firm’s advice and work is not generic and is tailored to the business model. They team provides this advice and guidance with excellent customer service at a reasonable cost.’

‘Daniel Gottlieb is practical and smart, creative, easy to understand, and prompt.

David Saunders is very quick to provide precise answers to questions.’

‘Elliot Golding is what makes this practice unique.’

‘Elliot Golding is responsive, and he also has a wealth of knowledge that is unmatched in this industry. He takes the time to work with this clients and I have come to trust his judgment on matters that require sensitivity and discretion. It feels good to know that you can rely on and trust a legal advisor.’

Key clients

Vistar Media


Arcspan Media

GPS Trackit

Magellan AI




Actable Data

Ardsley Media


Giant Spoon


Volkswagen Group of America

Work highlights

  • Assisted Volkswagen Group of America with investigating, mitigating and responding to a vendor security incident impacting information regarding approximately 3.3 million people in the US and Canada.

Morgan, Lewis & Bockius LLP

Morgan, Lewis & Bockius LLP is known for its contentious work in the cybersecurity and data privacy space, routinely defending companies in class actions arising from alleged compromises of payment card data and alleged improper use of online recording on ecommerce websites. Reece Hirsch in San Francisco is a go-to advisor for clients in the healthcare sector on matters pertaining to compliance with HIPAA and the Gramm-Leach-Bliley Act. Philadelphia-based Gregory Parks focuses on class action defense and assists clients with responses to data breaches. Co-head Mark Krotoski, stationed in Silicon Valley, co-heads the practice with Hirsch and Parks. Krotoski is the key name for criminal and civil cybersecurity matters, using his experience of working in the criminal division of the DOJ to assist clients on computer intrusions and criminal IP violations. Also based in the Philadelphia office, Ezra Church is a key name for consumer-facing firms dealing with contentious matters, while the strategic placement of litigation practice leader Beth Herrington in Illinois enables her to defend clients against BIPA class actions. With the acquisition of Calfo Eakes, a specialist white-collar crime and litigation firm, into the Seattle office, the firm has deepened its bench of trial lawyers.

Practice head(s):

Reece Hirsch; Gregory Parks; Mark Krotoski

Other key lawyers:

Ezra Church; Beth Herrington


Reece Hirsch is responsive and engaged. He provides high quality work and solid industry knowledge.’

Key clients

Hudson’s Bay Co.

Miklos Daniel Brody



Cracker Barrel Old Country Store


Rue Gilt Group

Snap Inc.

Work highlights

  • Representing Hudson’s Bay Co. against class actions arising from a data security incident involving Saks Fifth Avenue and Lord & Taylor.
  • Represented Snap Inc against a putative class action in the southern district of Illinois arising from alleged violations of BIPA.

Norton Rose Fulbright US LLP

Strengthening cybersecurity programs, working on cyber insurance coverage and privacy impact assessments for blue-chip clients from a range of industries, including pharmaceuticals, financial services, retail, energy and telecoms are frequent mandates for Norton Rose Fulbright US LLP’s information governance, privacy and cybersecurity team. Global co-head Chris Cwalina, based in Washington DC, is experienced in handling FTC and SEC investigations as well as congressional inquiries regarding data breaches, particularly related to critical infrastructure and personal data attacks. Head of the US cybersecurity team Will Daugherty in Texas is a key contact for incident specific regulatory enquires, implementing robust cybersecurity strategies and compliance with maturing state privacy laws. Global head of the e-discovery and information governance group David Kessler, stationed in New York, focuses on cross-border data transfers, while Steven Roosa head of the digital analytics team, also in New York, is a key name for data privacy strategies. Working from New York, Andrea D’Ambra, head of the US technology, e-discovery and information governance team advises clients on novel privacy and cyber issues in connection with new products. New York's Anna Rudawski is a key contact for advice on international, federal and state privacy regulations.

Practice head(s):

Chris Cwalina; Andrea D’Ambra; David Kessler; Steven Roosa; Will Daugherty

Other key lawyers:

Anna Rudawski


‘Norton Rose consistently delivers on high-profile global engagements.’

‘Norton Rose supports firm clients but it also sought out to lead complex data breach investigations.’

‘Norton Rose is the “fixer of law firms” and should be considered as primary counsel at the outset so investigations do not get started off in the wrong direction.’

‘Chris Cwalina leads a great diverse team of lawyers and is one of the most-hands on lawyers in the industry. It is not uncommon for Chris to be leading multiple global investigations. He leads a team of 85 lawyers across the world.’

‘I have seen Chris Cwalina lead early morning phone calls with the forensic teams in the US and on the same day update the leadership team overseas at 11pm. Chris is always available and his team is right there with him.’

Proskauer Rose LLP

Proskauer Rose LLP’s privacy and data security practice takes on nationwide compliance and data breach response mandates as well as data due diligences as part of M&A, primarily advising clients in the commercial and sports sectors. Washington DC-based global head Ryan Blaney advises clients in the healthcare and emerging technologies industries on cybersecurity incidents and government investigations, namely acting as lead defense counsel in HHS-OCR, DOJ, FTC and State Attorney Generals investigations. New York-based litigation specialist Margaret Dale assists companies across a range of sectors from consumer products to TMT and financial services on disputes involving data security issues and breaches. Dale co-heads the privacy litigation group alongside New York-based senior counsel Nolan Goldberg often represents clients against FCC and FTC investigations.

Practice head(s):

Ryan Blaney

Other key lawyers:

Margaret Dale; Nolan Goldberg

Quinn Emanuel Urquhart & Sullivan, LLP

Quinn Emanuel Urquhart & Sullivan, LLP frequently defends clients against putative class actions concerning the misappropriation of data for digital advertising, right of publicity law infringement claims and consumer class actions under BIPA, also handling responses and claims concerning ransomware attacks. The data privacy and security practice is co-chaired by Stephen Broome, Viola Trebicka, based in Los Angeles, and Jennifer Barrett. Broome focuses on disputes involving technology, finance, competition and bankruptcy issues. Broome is experienced in not only trial work but also appellate mandates for various technology clients in the digital advertising, web-browsing and mobile applications spaces. Trebicka is experienced in representing both plaintiffs and defendants in a variety of state and federal jurisdictions. Barett is the key contact for breach response advice, while Jomaire Crawford defends big tech companies in class action claims concerning data collection practices in the states of New York and California. All named lawyers are based in New York unless otherwise stated.

Practice head(s):

Stephen Broome; Viola Trebicka; Jennifer Barrett

Other key lawyers:

Jomaire Crawford

Key clients

Google LLC

International Business Machines Corporation

TWC Product and Technology LLC

KIK Custom Products, Inc.

Kaseya US LLC

Match Group Inc

ZoomInfo Technologies

Work highlights

  • Represented IBM and TWC, owner of The Weather Channel Mobile App, in a high-profile data privacy lawsuit brought by the Los Angeles City Attorney on behalf of the People of California in the California state court alleging that TWC’s purported failure to disclose its use and sharing of users’ geolocation data for advertising and other commercial purposes.
  • Represented Google in two class actions, Calhoun et al. v. Google LLC, and Brown v. Google LLC,  where the plaintiffs allege misappropriation of browser users’ personal data through its third-party web services such as Ad Manager, Analytics, Embedded Maps, Fonts, and other services that are ubiquitous on the web.
  • Representing in six putative class actions premised on electronic yearbook excerpts hosted on Ancestry’s website.

Seyfarth Shaw LLP

Cybersecurity maturing program advice, data monetization strategies, class action defense and state law compliance strategies are key areas of work for Seyfarth Shaw LLP’s global privacy and security team. Scott Carlson is the founder and chair of the e-discovery and information governance practice, focusing on both contentious and non-contentious mandates. Carlson co-leads the global privacy and security team alongside John Tomaszewski in Houston, a specialist in cross-border data privacy matters. Bart Lazar is experienced in defending clients against FTC investigations involving database security breaches, while Jason Priebe is a key name for the implementation of information governance programs and privacy compliance advice. Named lawyers are based in Chicago unless otherwise stated.

Practice head(s):

Scott Carlson; John Tomaszewski

Other key lawyers:

Jason Priebe; Bart Lazar

Sheppard, Mullin, Richter & Hampton LLP

Sheppard, Mullin, Richter & Hampton LLP’s privacy and cybersecurity team frequently advises high-profile clients in the retail sector on privacy counseling, breach response and high-stakes litigation. Craig Cardon and Liisa Thomas co-lead the practice- the former, based in Century City, focuses on representing retail brands, ad agencies and technology platforms in intersecting advertising and data matters, such as false advertising and consumer privacy class actions. The latter, in Chicago, leverages her global experiences to assist clients on worldwide security programs and navigate data breach notification mandates. Del Mar-based Wynter Deagle designs and implements global privacy and cybersecurity programs, while Moorari Shah in Los Angeles assists clients on complying with state and federal consumer protection laws and regulations. Retail, fashion and beauty brands contact San Francisco-based Rachel Hudson for advice on compliance with domestic and international privacy laws. New York-based seasoned litigator Kari Rollins works on data breach internal investigations and data privacy counselling matters.

Practice head(s):

Craig Cardon; Liisa Thomas

Other key lawyers:

Wynter Deagle; Moorari Shah; Rachel Hudson; Kari Rollins


‘Liisa Thomas and her team have provided expert guidance to our privacy team. They have helped us meet compliance requirements while keeping the program simple and easy to manage.’

‘Liisa Thomas has an expertise in privacy, but she can present it at a level that is easy to understand and implement. She sorts through the information to present what is relevant and needed for our situation.’

‘Moorari Shah is a clear industry expert and leader in his field.’

Key clients

County of Los Angeles

Insight Global LLC

Rockley Photonics, Inc.

Sports Warehouse

Nestle Purina PetCare

Deckers Outdoor Corporation

Levi Strauss & Co.

Digital Realty Trust

Williams-Sonoma, Inc.

Forge Global, Inc.

Kontoor Brands, Inc.




Shook, Hardy & Bacon LLP

Shook, Hardy & Bacon LLP’s privacy and data security practice chaired by Al Saikali is known for its ransomware incident response, compliance strategies regarding uses of data, and privacy litigation often concerning BIPA class actions. Saikali, based in Miami, is a key advisor for clients when it comes to mitigating cybersecurity risks and is experienced in dismissing state wiretap lawsuits against companies that use session replay technologies on their websites. Kansas City-based Colman McCarthy assists clients with state data breach notification laws, while Camila Tobón in Denver assists clients with data protection compliance, cyber risk preparedness and information governance. Associate Josh Hansen, based in Denver, focuses on privacy and data security risks as part of technology transactions.

Practice head(s):

Al Saikali

Other key lawyers:

Colman McCarthy; Camila Tobón; Josh Hansen


‘Practical, experts, easy to work with, confidence-inspiring plus cost-effective and great value for the money.’

‘Recommended by our cyber insurance carrier after an incident, Shook Hardy was quick to come up to speed, provide guidance throughout the process of forensics, threat actor negotiations, data reconciliation, notifications to patients and regulators, representation in class action law suit and eventual settlement.’

‘The lawyers are available, responsive, professional, knowledgeable and connected in the cyber security space.’

‘Alfred Saikali is very knowledgeable in the cyber security and incident response space. He provides clear guidance on issues that is understandable and actionable. His connections in this space makes for a strong team when working through the response to an IT incident.’

‘The Shook, Hardy & Bacon data privacy team builds and maintains trust through highly responsive and pragmatic handling of its client relationships. They of course offer “by the book” guidance, but they also provide practical suggestions to help in-house counsel work productively with internal clients.’ 

‘Camila Tobón is a proven and reliable partner. We regularly ask her to engage directly with internal business partners, and the feedback we receive is overwhelmingly positive. She provides clear and logical guidance in ways the business teams can understand, and that approach is greatly appreciated by the business teams.’ 

Key clients

Crate & Barrel

Sudler Property Management

UKG, Inc.

Kerry Inc.

Sidley Austin LLP

With the May 2022 arrival of David Lashway, John Woods, Jennifer Seale and Jonathan Wilan from Baker McKenzie LLP, Sidley Austin LLP’s Washington DC-centered practice has deepened its expertise in the data privacy and cybersecurity space. The team is called upon to advise leading technology companies and public companies on global and critical malware and ransomware matters that require international regulatory engagement, law enforcement coordination, breach notifications and SEC disclosures. Practice co-heads Alan Charles Raul and Lashway advise clients on global regulatory compliance, data breaches and crisis management with the former focusing on issues concerning national security, constitutional and administrative law. Lashway is also known for his expertise in advising on incident responses to critical infrastructure attacks, national-level misinformation-related issues and data due diligence assistance as part of corporate transactions. Colleen Theresa Brown is the key contact for emerging technology issues, working on the full range of mandates. Clients in the financial sector rely on Woods’ advice concerning global responses to data integrity attacks. Seale brings experience in handling complex cybersecurity investigations. Clayton Northouse departed the firm in April 2022.

Practice head(s):

Alan Charles Raul; David Lashway

Other key lawyers:

John Woods; Jennifer Seale; Jonathan Wilan; Colleen Theresa Brown


‘The team has deep expertise in privacy and cybersecurity and provides great guidance across the board. They have a long history on working with these issues and provide expert guidance on short notice.’

‘Alan Raul has long time deep expertise on cybersecurity and privacy laws stemming from a background in administrative law.

‘Colleen Brown is an excellent privacy attorney working closely with the financial services industry and providing expert advice.’

Key clients

WatchGuard Technologies, Inc.



Securities Industry and Financial Markets Association


Clearlake Capital Group L.P.

nCino, Inc

Work highlights

  • Represented a technology company in a highly sensitive cybersecurity matter regarding the Cyclops Blink malware by a Russian threat actor.
  • Advising AT&T on a broad range of privacy and cybersecurity issues, including advising on communications, satellite and cable privacy, location data privacy, and general privacy under the FTC and Telecom Acts, as well as under state (such as CCPA and CPRA) and international laws.
  • Advising SIFMA on financial privacy, cross-border, cybersecurity, and emerging technology issues.

Arnold & Porter

New York-based Jami Vibbert leads Arnold & Porter’s privacy, cybersecurity & data strategy practice, advising a range of clients, including leading pharma, telecoms, technology and media companies on compliance programs, incident response strategies and cybersecurity due diligence pertaining to M&A. Kenneth Chernof in Washington DC defends clients in class action claims, while also in DC, Ronald Lee and counsel Nancy Perkins are key cyber and data privacy practitioners respectively.

Practice head(s):

Jami Vibbert

Other key lawyers:

Ronald Lee; Kenneth Chernof; Nancy Perkins;

Key clients


Warner Bros. Discovery

Thermo Fisher Scientific

Laboratory Corporation of America

Zimmer Biomet

Gilead Sciences


Agilent Technologies


Merck & Co

Work highlights

  • Represented Thermo Fisher Scientific in performing privacy and cybersecurity diligence and review of privacy and cybersecurity practices as part of its acquisition of PPD, Inc.
  • Represented AT&T with cybersecurity diligence and post-acquisition cybersecurity incident response preparedness for the spin-off of WarnerMedia to Discovery, Inc, forming Warner Bros. Discovery.
  • Representing HBO Max in a Video Privacy Protection Act class action litigation in the Southern District of New York.

Davis Polk & Wardwell

Davis Polk & Wardwell LLP frequently advises investment advisors and private equity companies on the preparation of internal and external privacy policies. New York-stationed Matthew Bacal leads such matters and also assists capital market clients with public disclosure of privacy and data security risks and incidents. Further New York-based privacy specialists in the white-collar defense and investigations team, James Haldin and Angela Burgess, advise big tech companies on FTC inquiries. The experienced Robert Cohen, stationed in Washington DC, former chief of the SEC’s cyber unit, advises clients on responses to cyber incidents.

Practice head(s):

Matthew Bacal; Robert Cohen; James Haldin

Other key lawyers:

Angela Burgess


Dentons‘ cyber and privacy practice is the first port of call for sporting complexes, including NHL and NFL stadiums, and surrounding areas. Washington DC-based head of the privacy practice Todd Daubert advises such clients on data collection, processing, mapping, governance and managing risks associated with implementing new, cutting-edge technology. Supported by Washington DC-stationed associate William Krouse, Daubert also advises companies operating in the car rental space, financial services, insurance and big tech companies on implementing strategies for and adapting to regulatory changes. John McCauley, in Indianapolis, and associate Kyle Miller, in Louisville, are the key names for data breach responses.

Practice head(s):

Todd Daubert

Other key lawyers:

John McCauley; William Krouse; Kyle Miller

Key clients

SoFi Stadium and Hollywood Park

Anaheim Real Estate Partners, LLC


Avis Budget Group, Inc.

Digital Content Next

Wendy’s Restaurant Franchisees

First American Financial Corporation


North American Portability Management LLC


Work highlights

  • Advising Hollywood Park and SoFi Stadium on privacy and data issues.
  • Advising ocV!BE entertain district and Honda Center, home to the Anaheim Ducks of the National Hockey League (NHL), on data privacy and security matters.
  • Assisting Avis Budget Group on all data and cybersecurity issues.

Freshfields Bruckhaus Deringer LLP

With the April 2022 addition of cyber breach and cryptocurrency fraud expert Timothy Howard, based in New York, and the consolidation Christine Lyon, stationed in Silicon Valley, and former NSA official Brock Dahl, posted in Washington DC, Freshfields Bruckhaus Deringer LLP is a name for major clients who suffer large-scale and global data breaches. The US data privacy and security team, led by Lyon, leverages its global network to assist clients on breach responses and assessments of data risks as part of data-driven corporate deals.

Practice head(s):

Christine Lyon

Other key lawyers:

Timothy Howard; Brock Dahl


‘What truly sets Freshfields apart is that they are able to provide such a consistent service across the world through 1-2 single points of contact.’

‘Chris Lyon is one of the best privacy lawyers in the field, offering a unique combination of responsiveness, legal acumen, technology expertise, collegiality, and business savviness. She is a go-to counselor for us on some of the most difficult challenges facing our company.’

‘Deep subject matter expertise for privacy and cyber related issues. Able to bring experience from across client sectors.’

‘Very client-focused on their delivery of advice and guidance. Highly responsive with advice that can be implemented and acted upon.’

‘Christine Lyon is a fantastic resource for privacy-related matters in the technology sector.’

‘Exceptional attention from partners, keen insight into regulators’ aims and priorities.’

‘We have worked primarily with Christine Lyon, who provided clever, incisive, practical advice to us.’  

‘Christine’s advice was so impactful and effective that we followed her to Freshfields. Since the transition, she has continued to counsel us on data protection matters with the same practical and insightful approach.’

Key clients

Marriott International



Axel Springer

Sitel Group

América Móvil

Universal Music Group


London Stock Exchange Group plc


Stanley Black & Decker


Holland & Knight LLP

Led by New York-based Mark MelodiaHolland & Knight LLP’s data strategy, security and privacy practice group continues to strengthen with the August 2022 arrival from Reed Smith LLP  Bart Huffman and Wendell Bartnick, both in the Houston office. Melodia advises clients on responding to investigations initiated by the DOJ, OCR, FTC and AGs, and is also a seasoned defense attorney, dealing with class actions and multidistrict litigations arising from ransomware, wiretapping and data use allegations. Paul Bond identifies and manages data risks involving AI, emerging technologies and is another key contact for data-related class action defenses. New York-stationed Mark Francis focuses on data and IP agreements, including transfers, licenses and SaaS matters. Global data governance matters are led by Atlanta-stationed Elizabeth Hinson, while Rachel Marmor, in Boston, advises clients on evolving federal, state and self-regulatory privacy requirements, with a particular specialism on COPPA, CCPA, VCDPA and BIPA regulations.

Practice head(s):

Mark Melodia

Other key lawyers:

Paul Bond; Bart Huffman; Wendell Bartnick; Mark Francis; Elizabeth Hinson; Rachel Marmor


‘Elizabeth Hinson’s experience and legal knowledge is top notch.’

‘Elizabeth Hinson does everything right. She is responsive, creative and diligent.’

Key clients

Leidos Holdings, Inc.

News Corporation

The Paradies Shops, LLC

20/20 Eye Care Network, Inc.

Women’s Care Florida

Viceroy Hotel Management, LLC


Kids2, Inc.


Toyota Insurance Management Services and Connected Analytic Services

Work highlights

  • Defending several broadcasters against VPPA class actions in NY, IL and MA.
  • Defended half a dozen clients (in the financial services, retail, entertainment and health care fields) against class actions alleging violations of the Florida wiretap statute arising from the use of “session replay” software on their websites.
  • Advising a wide range of clients on the mitigation of risk associated with sharing consumer data internally across borders and externally with critical business partners.

Linklaters LLP

The practice at Linklaters LLP is led by New York-based Ieuan Jolly. With the support of senior associates Kris Ekdahl, in Chicago, and Caitlin Potratz Metcalf, in Washington DC, the team works on global compliance programs and digitalization, optimization and e-commerce expansion strategies for a client roster that includes leading technology, asset management and energy producing companies. The team also regularly collaborates with the London team for matters involving data breaches. Erez Liebermann departed in June 2022.

Practice head(s):

Ieuan Jolly

Other key lawyers:

Kris Ekdahl; Caitlin Potratz Metcalf


‘The Privacy Group’s innovative, cross-national practice allows for global clients to get access to consistently high quality advice on a global scale from a single contact point.’

‘Deep bench of world class privacy advocates with outstanding business judgment.’

Ieuan Jolly was particularly helpful from a US perspective, synthesizing regulatory matters from different US states and collaborating with subject matter experts in other jurisdictions.

Key clients



Clear Channel Outdoor

Viking River Cruises

iHeartMedia Inc.



Assa Abloy


Work highlights

  • Advising the largest mobile payment platform, which serves over 1.3 billion users and 80 million merchants, on its global privacy compliance program and digitization strategy.
  • Advising the fastest growing fashion retailer, valued at $100 Billion, on its data optimization strategy and global e-commerce expansion.
  • Advising on multiple high-profile cyber security attacks from ransomware, logic bombs, social engineering, business email compromise to a plethora of nation state attacks.

Loeb & Loeb LLP

Loeb & Loeb LLP assists well-known brands in the media and entertainment space on uses of innovative new technologies through data-driven business models and transactions. New York-based chair of the practice Jessica Lee advises organizations on designing privacy programs in line with GDPR, HIPAA, VPPA, NIST and CPRA regulations. Lee is an expert in the ad-tech, e-commerce, and entertainment space as well as the healthcare and financial services industries. Chair of the media, entertainment and tech department James Taylor, in New Yok, advises clients on issues around data and new information channels in order to reach consumers and market products. Chair of the luxury brands and intellectual property practice Melanie Howard, based in Los Angeles, and advertising and marketing expert Nathan Hole, in Chicago, are key contacts for data-driven transactions. Also in Chicago, Nerissa Coyle McGinn is the key name for handling children’s online privacy issues, while Susan Israel, based in Los Angels, works closely with senior counsel Robyn Mohr, in Washington DC, on federal law matters. Tanya Forsheit departed in May 2022.

Practice head(s):

James Taylor; Jessica Lee

Other key lawyers:

Melanie Howard; Nerissa Coyle McGinn; Nathan Hole; Susan Israel; Robyn Mohr

Key clients



The New York Times

National Collegiate Athletic Association



McGuireWoods LLP

Data protection policies and governance programs for nationwide clients are frequent mandates for McGuireWoods LLP. Virginia-based Andrew Konia regularly assists clients on data breach remediation and security issues pertaining to vendor contracts and private equity transactions. Janet Peyton, also in Virginia, is the go-to for intersecting intellectual property and data matters as well as EU and US cross-border data transfers. Pittsburgh-stationed counsel Anne Peterson handles data breach responses across a plethora of industries. Alicia Baiardo in San Francisco routinely advises clients on compliance strategies in line with the CCPA and CPRA. Rodger Heaton has departed the practice.

Practice head(s):

Andrew Konia

Other key lawyers:

Janet Peyton; Alicia Baiardo; Anne Peterson


‘The team is exceptional in every regard. The lawyers are client-centric, hyper-responsive, able to scale up and down quickly and efficiently, have deep experience in every kind of data issue – most notably issues involving PCI, HIPAA, and financial institution specific matters – have worked with (I believe) virtually every state AG, and are just wonderful colleagues.

‘McGuireWoods also has very accessible rates given the caliber of their professionals. I have seen them do innovative work with large data, and solve problems creatively.’

‘Andrew Konia, the practice leader, is a lawyer’s lawyer. He is always thinking about his clients’ interests, but finds time to be a gentleman to his colleagues and subordinates. He is forward-thinking, and available 24/7.’

‘Janet Peyton is an absolute joy. Brilliant and hard-working, she rivals Andrew in her ability to think strategically and forecast issues several moves ahead. She is also hyper-responsive.’

‘I also appreciate how aggressively the firm promotes and provides opportunities for their rising professionals – especially rising women.’

Paul Hastings LLP

Paul Hastings LLP’s cybersecurity and privacy practice is headed by the trio of Sherrese Smith, Aaron Charfoos and Jacqueline Cooney. Washington DC-based Smith routinely leads teams of US and EU practitioners on regulatory investigations following data breaches and privacy compliance strategies for global software providers, big tech companies and clients in the media and entertainment space. Chicago-stationed Charfos is a key contact for retail fashion brands and tech companies for representations in class action defenses. Cooney, in Washington DC is a name to note for data privacy and governance issues. Behnam Dayanim  departed in November 2022.

Practice head(s):

Sherrese Smith; Aaron Charfoos; Jacqueline Cooney

Key clients


Samsung Electronics America

GoTo Group, Inc. and its subsidiary LastPass

L’Oreal USA Inc

Modiface, Inc

Cadent Inc.

Biofire Diagnostics, Inc.

Citadel Enterprise Americas LLC

Spectrum Pharmaceuticals

Caesars Entertainment Inc.


Work highlights

  • Representing ModiFace in connection with its response to a forthcoming subpoena and requests for documents and testimony relating to litigation brought under Illinois’ Biometric Information Privacy Act (“BIPA”).
  • Advising GoTo Group, Inc. and its subsidiary LastPass, in its response to a cybersecurity incident.
  • Represented ModiFace, Inc., against a consumer class action asserting violations of the Illinois Biometric Privacy Act (“BIPA”).

Willkie Farr & Gallagher LLP

Willkie Farr & Gallagher LLP undertakes the full range of mandates, including due diligence on tech-driven transactions, crisis management planning and compliance strategies. Co-chairs Daniel Alvarez and Laura Jehl, both based in Washington DC, are key contacts for big tech, emerging tech and leading IT solutions providers. San Francisco-based litigation experts Ben Hur and Simona Agnolucci defend clients against state-level class actions. Washington-based A. Kristina Littman, former chief of the crypto assets and cyber unit in the division of enforcement of the SEC, joined the practice in September 2022.

Practice head(s):

Daniel Alvarez; Laura Jehl

Other key lawyers:

Ben Hur; Simona Agnolucci; A. Kristina Littman

Key clients

Kaseya, Inc.

Take-Two Interactive Software

Ukrainian Refugee Legal Aid



Ulta Beauty, Inc.

Choice Hotels International

Google LLC

Work highlights

  • Advised Kaseya on the privacy and cybersecurity implications of its $6.2 billion acquisition of Datto, a leading global provider of security and cloud-based software solutions purpose-built for MSPs.
  • Advised Ukrainian Legal Aid (ULA) on the unique privacy and cybersecurity challenges raised by compliance with the EU General Data Protection Regulation (GDPR) in the context of the Ukrainian refugee crisis.
  • Advising Nuro on all of its privacy and cybersecurity issues, as well as on crisis management planning and strategy, in preparation for the company’s successful launch of a multi-city pilot program and rollout of a new model vehicle.

Winston & Strawn LLP

Winston & Strawn LLP specializes in data security by design litigation involving emerging technologies such as AI and IoT devices. The firm also works on overlapping trade secret and cyber theft matters. Specialist in computer forensic investigations Sheryl Falk, based in Houston, leads high profile cybersecurity breach and ransomware cases as well as trade secret investigations, also working on compliance mandates, data due diligence, and is a go-to advisor for data security considerations concerning new technologies. Sean Wieber, in Chicago, is an experienced litigator, who defends clients in class action cases. The depth of the practice is showcased by Chicago-based Alessandra Swanson’s experience in counselling a range of clients, including healthcare, retail and media companies on compliance programs, breach responses and regulatory defenses.

Practice head(s):

Sheryl Falk; Alessandra Swanson; Sean Wieber


‘The depth of Winston & Strawn’s experience and ability to utilize skilled associates and other resources provides strong capabilities to clients.’

‘The lawyers are well versed in legal requirements and think outside the box to develop practical and actionable solutions’

Key clients

Fenix International Limited

Work highlights

  • Representing Fenix Internet LLC in connection with a Biometric Information Privacy Act (BIPA) class action in the N.D. Ill.