Cyber law (including data privacy and data protection) in United States

Baker McKenzie LLP

Demonstrating 'deep expertise in data protection law', the team at Baker McKenzie LLP is considered by clients to be 'a leader among firms' in this space. Jointly led by Lothar Determann, Brian Hengesbaugh, David Lashway and John Woods, the firm has a deep understanding of the global compliance landscape, and maintains close relationships with law enforcement, intelligence and national security agencies. In particular, it provides clients with privacy advice in relation to employee rights, cloud computing, security breaches and incident prevention. In addition, its strong track record in regulatory investigations (at both FTC and state level) further strengthens the offering for parties seeking sophisticated crisis management. Also recommended for privacy matters are Michael Egan and Jennifer Seale in Washington DC, Harry Valetk in New York and Chicago-based associate Gary Hunt. Brandon Moseberry and Amy de La Lama left the firm in October and November 2020, respectively.

Practice head(s):

Lothar Determann; Brian Hengesbaugh; David Lashway; John Woods

Other key lawyers:

Michael Egan; Jennifer Seale; Harry Valetk; Gary Hunt


‘The partners and associates within Baker McKenzie’s Cyber law practice consistently provide pragmatic legal advice to help drive successful business outcomes for their clients.’

‘No matter how complex the issue, Brian Hengesbaugh and Gary Hunt consistently provide pragmatic legal advice to help drive successful business outcomes for their clients.’

‘The Baker McKenzie privacy and security team has deep expertise in data protection laws and regulations. What makes Baker so unique is its ability to synthesize the complexity of the laws in this space but also understand the real world implications of the advice that is provided. Baker is a leader among firms in terms of its provision of practical advice that mitigates risk while meeting business needs.’

‘Expertise and scope, focus, and collaboration. They have significant expertise and experience in cyber law, and offer a truly global service to assist across the world. Our experience with the practice is that they are proactive and excellent business partners understanding what is important for the client.’

‘David Lashway is the stand-out partner, he is accessible when he is needed, ready to support, and proactive in understanding where the value lies for the customer. He is an expert in his field, and goes the extra mile in his support.’

DLA Piper LLP (US)

Led by Andrew Serwin, the data protection group at DLA Piper LLP (US) acts for household name clients such as Dropbox, Target and Visa. Fielding an expert team of security and technology consultants, the broader practice handles breach response, privacy litigation, multi-jurisdictional compliance and enforcement matters. Key figures in the team include Carol Umhoefer in the Miami office, Edward McAndrew in Wilmington, Washington DC-based Jennifer Kashatus and Anna Spencer in Atlanta. Highly regarded for its crisis management work, the team recently represented telecoms operator MyLife in an FTC investigation for alleged violations of FCRA/ROSCA, and also represented the client in related litigation. In addition, it acted for Visa in relation to its proposed blockbuster merger with financial services company Plaid. Jim Halpert is another leading name in the practice group and Kate Lucente is also recommended. Tracy Shapiro departed for Wilson Sonsini Goodrich & Rosati in March 2020, while Ron Plesco joined from KPMG in July of the same year.

Practice head(s):

Andrew Serwin

Other key lawyers:

Carol Umhoefer; Edward McAndrew; Jennifer Kashatus; Anna Spencer; Ron Plesco; Jim Halpert; Kate Lucente

Key clients


Irish Data Protection Commissioner

Business Roundtable

CVS Health

Global Tel Link (GTL)

Prudential Insurance


Southern California Edison

The Nielsen company

ZeniMax Media, Inc.

Work highlights

  • Advised Visa on the privacy and security diligence for a transaction involving Plaid, one of the largest fintech solutions companies, a $5bn transaction.
  • Served as the lead expert on US law, including privacy, national security, and privacy litigation, for Irish Data Protection Commissioner Helen Dixon in the landmark case Schrems II.
  • Advising ZeniMax Media on privacy, cyber security, data retention and data protection compliance matters, including compliance with GDPR, CCPA, LGPD and ePrivacy, as well as response to Schrems II and other legal developments.

Hogan Lovells US LLP

The data protection practice at Hogan Lovells US LLP is able to draw on 'worldwide resources to provide comprehensive privacy advice'. Jointly led by Marcy Wilder, Eduardo Ustaran and Harriet Pearson, the practice group is often advising on cutting-edge issues relating to biometrics and AI. Of note over the review period, the team has also been involved in responding to the Schrems II/Privacy Shield ruling as well as CCPA harmonization with legislation such as HIPAA, the Gramm-Leach-Bliley Act and GDPR. In terms of clients, the firm represents Equifax, Salesforce and Uber Technologies, three key names in a client roster that also includes companies in the areas of connected cars, drones and digital health. Also recommended in the team are Paul Otto, who made partner in 2019, compliance expert Mark Brennan, computer scientist Bret Cohen and cybersecurity specialist Peter Marta.

Practice head(s):

Marcy Wilder; Eduardo Ustaran; Harriet Pearson

Other key lawyers:

Paul Otto; Mark Brennan; Bret Cohen; Peter Marta


‘The HL team provides comprehensive, timely and, perhaps most importantly, practical advice. There is an excellent mix of experienced senior advisors and smart and thorough associates covering a wide-range of national and international privacy and security areas, both established and emerging. The breadth of coverage compares favorably to others.’

‘I have worked extensively, in a number of contexts, with partners Harriet Pearson, Mark Brennan, Scott Loughlin, Michelle Kisloff & Bret Cohen. All are excellent providing practical trusted and timely advice in a variety of contexts. Among non-partner, more junior lawyers, James Denville is excellent on cyber matters, and I have been particularly impressed with Filippo Rasso in the Washington office on CCPA issues. Ryan Woo as well.’

‘The team provides expert advice on cybersecurity matters. Their approach is holistic and takes into account business and reputational concerns. From a client service perspective, they are responsive and invested in a relationship with you. They will maintain this relationship and offer ways to help your organization build a better cyber program over time.’

‘Pete Marta is a highly knowledgeable partner whose expertise has been invaluable to our firm. Pete stands out not only because he has specific, deep experience in the financial services space, but also for his strong connections in the cybersecurity field, his ability to communicate with management, and his devotion to client service. You can rely on Pete to handle a matter ably, efficiently, and responsive to your needs. Pete is an advisor who understands the bigger picture, taking commercial and other concerns into account when providing his advice.’

‘The breadth of the Hogan Lovells practice is its key. They are able to leverage their worldwide resources to provide comprehensive privacy advice on a wide range of issues.’

Key clients

Zimmer Biomet


Cancer Treatment Centers of America

Dozens of confidential household names

Uber Technologies

Apollo Global Management

Pinnacle West Capital – Arizona Public Service


Work highlights

  • Advise Salesforce on emerging issues and act on various compliance and commercial issues relating to privacy and cybersecurity.
  • Advise extensively on Apollo Global Management’s (and its portfolio companies’) compliance with privacy and data security laws and privacy and data security provisions in commercial agreements.
  • Advise Otsuka’s numerous affiliates on the impact of Covid-19, including remote work, return-to-workplace, health data, employee and contractor notices, and more.

Hunton Andrews Kurth LLP

The data protection offering at Hunton Andrews Kurth LLP is led by Lisa Sotto, ‘by far the country’s gold standard for privacy and cyber-security matters’ in the eyes of her clients. Other key figures in the team include seasoned transatlantic counsel Aaron Simpson, COPPA expert Phyllis Marcus, risk management specialist Paul Tiao, Brittany Bacon, ‘the best at what she does’, and Danielle Dobrusin, ‘one of the country’s leading CCPA experts’. In broader terms, the practice is increasingly active in the areas of AI and facial recognition, where it advises on myriad cybersecurity issues, as well as on breach response. Indicative of the group’s work is its advice to Cybereason Inc., a new client for the team. In this regard, the team has assisted with numerous privacy issues relating to the client’s business growth, which included multi-jurisdictional questions pertaining to the EU, the Middle East and Asia.

Practice head(s):

Lisa Sotto

Other key lawyers:

Aaron Simpson; Phyllis Marcus; Paul Tiao; Brittany Bacon; Danielle Dobrusin


‘No weaknesses. Has done it all before. Wicked, smart but not arrogant. HAK has become our go-to firm for privacy and data breach issues.’

‘Phyllis Marcus in particular is incredibly valuable as one of the few real children’s privacy experts around. Her long tenure at the FTC, and her involvement in drafting the COPPA rule, give her unique perspective and insight that are hard to find among private practitioners.’

‘Brittany Bacon is simply the best at what she does. Every single issue or problem that has come up on cyber security, she has detailed experience and thoughtful solutions to bring to bear.’

‘This practice is unique because they provide legal advice in the field of data privacy and protection that are practical and customized for our business operations. They are very thorough in their analysis and take time to understand our business and how the regulatory issues will impact our organization. They are also very knowledgeable about IT matters which helps in the analysis of complex regulatory matters. They are a tremendous asset to our ongoing privacy compliance efforts.’

‘Lisa Sotto is by far the country’s gold standard for privacy and cyber-security matters. Her vast and sophisticated expertise streamlines complex issues with a practical approach. Lisa is a sharp problem solver who understands her clients’ business and delivers her work product accordingly. High quality, responsiveness and availability define her client obsessed practice.’

‘Brittany Bacon is a brilliant and sophisticated data professional. She is a keenly detailed, resourceful and an on-the-spot problem solver who clearly articulates actionable advice. Brittany is always available and ready to help.’

‘Aaron Simpson is an industry leader uniquely positioned to advise clients with first-hand knowledge of Europe’s GDPR and U.S. privacy laws including the CCPA and the CPRA. Aaron provides creative and business oriented solutions.’

‘Danielle Dobrusin is a stand-out performer on the rise. She is without a doubt one of the country’s leading CCPA experts (and soon CPRA). Danielle, who ensures nothing is overseen or forgotten, is meticulously careful in providing accurate delivery estimates, maintaining her clients aware of progress and always delivering high quality work product on time.’

Key clients

Cybereason Inc.

Kering Americas

TPG Global

Silver Lake Technology Management, L.L.C.

Tiffany & Co.

MUFG Union Bank

The TJX Companies, Inc.


Verisk Analytics, Inc.

Procter & Gamble Company

Work highlights

  • Provide a significant amount of global privacy and data security advice to Silver Lake Technology Management, L.L.C.
  • Handle a substantial amount of complex privacy and data protection work for MUFG Union Bank.
  • Provide global privacy and cybersecurity advice to Kering Americas.

Morrison & Foerster LLP

Led in the US by New York-based Miriam Wugmeister, the data protection team at Morrison & Foerster LLP provides expert advice in relation to FTC investigations, breach response and litigation. In particular, the practice group has noted experience of matters linked to HIPAA, TCPA, and COPPA, areas in which it regularly interacts with federal regulators and state AGs in class action defense. Moreover, its broad capabilities are evidenced by a portfolio featuring key players in the areas of pharmaceuticals (Pfizer), sportswear (Adidas) and social media (Facebook) as well as in recent work dealing with the complexities of Chinese Cyber Security Law and Privacy Shield/Schrems II. Also recommended in the practice group are Kristen Mathews (New York), Julie O’Neill (Boston/Washington DC), Purvi Patel (Los Angeles), Christine Lyon (Palo Alto) and associate Melissa Crespo (Washington DC). John Carlin departed for the Department of Justice in January 2020.

Practice head(s):

Miriam Wugmeister; Alex van der Wolk

Other key lawyers:

Julie O’Neill; Purvi Patel; Christine Lyon; Melissa Crespo; Mary Race; Tiffany Quach

Orrick, Herrington & Sutcliffe LLP

The team at Orrick, Herrington & Sutcliffe LLP recently welcomed the arrivals of Shannon Yavorsky from Venable LLP, Keily Blair and James Lloyd from PricewaterhouseCoopers LLP. Strengthening an already impressive offering, these hires add to the group's expertise in CCPA, GDPR and the domestic/global parameters of regulatory enforcement. Regular work flows for the team include advising clients on optimal responses to cyberattacks and increasingly on developing areas such as biometrics. In this regard, the team secured a motion to dismiss a class action regarding Acuant's purported violations of BIPA. Led by Douglas Meal and Heather Egan Sussman, the practice also includes Aravind Swaminathan, Michelle Visser, Seth Harrington, Antony Kim and Emily Tabatabai. Also of note, the firm recently introduced a proprietary cloud-based utility customized to meet global privacy needs as well as assist with the monetization and exploitation of data sets.

Practice head(s):

Doug Meal; Heather Egan Sussman

Other key lawyers:

Shannon Yavorsky; Keily Blair; James Lloyd; Aravind Swaminathan; Michelle Visser; Seth Harrington; Antony Kim; Emily Tabatabai

Key clients

Arby’s Restaurant Group


Hilton Worldwide

Microsoft Corporation

NerdWallet, Inc.

Robinhood Markets, Inc.


The TJX Companies

Work highlights

  • Represented leading identity verification provider Acuant in a precedent-setting proposed biometric data privacy class action.
  • Counseled Zynga Inc., a leading digital entertainment company famous for its “Farmville” game, on a complex, challenging response that spanned the globe following its highly publicized criminal cyberattack.
  • Advise W. W. Grainger Inc. on a wide array of sophisticated privacy and cybersecurity matters including compliance counseling, incident preparedness and response, and litigation.

Venable LLP

Jointly led by Emilio Cividanes and Stuart Ingis, the 'world-class' team at Venable LLP is particularly notable for its work on FTC enforcement matters relating to the security of personal information. Having recently established an office in Chicago, the firm continues to help clients with policymaking discussions on data privacy legislation, cybersecurity risk management and state AG investigations focused on privacy concerns. In particular, it is known for representing the Self-Driving Coalition for Safer Streets in relation to the significant data questions raised by autonomous vehicles. Notably, the practice also handles work for numerous advertising trade associations, an area in which it has secured clarifications on the CCPA's right-to-know and advised clients on their opposition to Washington State's proposed private right of action. Reed Freeman Jr joined the team from WilmerHale in August 2020. Also recommended in the team are Ariel Wolf, Kelly DeMarchis Bastide, Julia Kernochan Tama and Michael Signorelli.

Practice head(s):

Emilio Cividanes; Stuart Ingis

Other key lawyers:

Ariel Wolf; Kelly DeMarchis Bastide; Julia Kernochan Tama; Michael Signorelli; Reed Freeman Jr


‘The team is made up of both legal and non-legal professionals who are tops in their respective fields. Whether the issue is security, privacy, email, lobbying, advertising, breaches, or even new and emerging areas such as genomics or automated vehicles, Venable has invested in talent that is world-class and yet accessible to their clients.’

‘I’ve worked extensively with Michael Signorelli, partner, who excels at making sure that his clients receive practical and business-impacting advice in all manners of areas which are important to my organization. These range from regulatory guidance, legal compliance, lobbying strategy, technical advice and even business advice. In my experience, Mike’s clients have ready access to him – making them that much better prepared to succeed.’

‘I know it sounds cliched, but Venable’s Cyber law practice acts as a true partner in dealing with me and my company. Most firms give lip service to this notion, but Venable genuinely puts it into practice. They not only strive to provide cost-effective and practical guidance to my client, but they also try to make me look good in the process!’

‘Aside from the fact that Milo Cividanes is an extremely smart, talented, practical, organized and cost-effective attorney who knows his subject-matter like no one else, the three attributes that stand out to me are: (1) He is a genuine person who I have a personal connection with and trust and who breathes the same values that I and my company try to follow; (2) Milo has such a breadth and wealth of experience (especially in the policy-making arena) that I can rely on Milo not only for the black letter legal advice but also for a deep understanding of how to tackle legal questions for which there is no clear answer or precedent, which is often the case in this field; and (3) Milo really understands how to communicate with in-house counsel and senior management – he is the master of taking a complex legal issue that could go in a thousand different directions and summarizing it into a one page memo.’

‘Venable has served as our outside counsel for privacy and data security matters for at least 7 years. They have deep experience and knowledge in the advertising space as well as active involvement in privacy legislative discussions/activities at the federal and state level. They also have significant experience in helping companies navigate exchanges with government regulators and investigators. These capabilities and strengths have made them invaluable both in the context of addressing risks to the Company as well as for long term planning as it relates to our privacy practices.’

‘Mike Signorelli acts as our primary outside counsel for privacy matters. He has provided invaluable advice and support for all our privacy processes and strategy. He also does an excellent job of being involved in and keeping us up to speed on the rapidly developing/changing regulatory landscape so that we are not in a position of reacting to developments but instead we are prepared for them. He also gives thoughtful business focused advice taking into account the competing needs of our business and is excellent at helping us navigate the legal and PR risks associated with the business.’

‘Julia Kernochan Tama was our lead counsel in addressing and responding to a government investigation. Julia is extremely knowledgeable and thoughtful in her advice and representation. She displays a level headedness, confidence and experience level that provided a lot of comfort to us during what was a very significant legal matter facing our Company. We felt that we were certainly benefiting from her experience in similar matters. She deftly handles surprises and is thoughtful and creative in addressing problems. She was also appropriately communicative and willing to marshal firm resources to support us throughout our responses, even when many of our internal resources were needed for other activities.’

‘The team is incredibly responsive and knowledgeable in their respective areas of expertise. They have provided invaluable guidance when navigating particularly complicated areas of law. Specifically, Kelly DeMarchis Bastide has been a great partner for our organization.’

Key clients

Privacy for America

Association of National Advertisers (ANA)

Center for Cybersecurity Policy and Law


Network Advertising Initiative (NAI)

Digital Advertising Alliance (DAA)

Partnership for Responsible Addressable Media (PRAM)

Self-Driving Coalition for Safer Streets

American Association of Advertising Agencies (4A’s)

Interactive Advertising Bureau (IAB)

Work highlights

  • Supported Comscore in standing up a program for California Consumer Privacy Act (CCPA) compliance that is adapted to the company’s unique business model and global operations.
  • Conducted legal and policy research and helped to draft and inform the new paradigm principles for P4A that support the development of federal privacy legislation.
  • Spearheaded advocacy efforts directed at California state legislators and the California Attorney General on behalf of national trade associations.

Baker & Hostetler LLP

Led by Theodore Kobus III, the data protection team at Baker & Hostetler LLP falls within the firm's new digital assets and data management practice group. This multidisciplinary team stands as a core pillar of the wider service group and assists clients with matters such as risk management, disputes, compliance, monetization and marketing strategy. Highly regarded for its work in breach response, key contacts in the group include compliance specialist Craig Hoffman, cybersecurity adviser Melinda McLellan and healthcare expert Lynn Sessions. Notably, it continues to provide strategic counsel to Marriott International following its global database security incident. In addition, the practice handles a substantive amount of CCPA regulatory research and compliance, an area in which it counsels some of the largest players in media, retail and transportation industries. Jeewon Kim Serrato joined from Norton Rose Fulbright US LLP in April 2020, but Will Daugherty left for Norton Rose Fulbright US LLP in June.

Practice head(s):

Theodore Kobus III

Other key lawyers:

Craig Hoffman; Melinda McLellan; Lynn Sessions; Jeewon Kim Serrato

Key clients

Marriott International

State of Vermont


Cyrus One

Silver Car


BJC Healthcare

The Cleveland Clinic

Health Transformation Alliance (HTA)

MedStar Health

Banner Health

Premera Blue Cross

Duke University Health System

Memorial Sloan Kettering Cancer Center

Texas Children’s Hospital

University of Texas MD Anderson Cancer Center

Work highlights

  • Provide strategic counsel to Marriott International, two full years after its initial global database security incident.

Cooley LLP

Cooley LLP has longstanding client relationships with key names such as Google and Zoom Video Communications, though the group handles a substantial amount of work for both established and emerging companies. The multidisciplinary service group is jointly led by Michael Rhodes and Matthew Brown in San Francisco, Travis LeBlanc in Washington DC and David Navetta in the Denver office, and has expertise across private lawsuits, privacy investigations and regulatory inquiries. In particular, it recently secured a multimillion-dollar settlement for Facebook in a class action suit filed under Illinois’ Biometric Information Privacy Act. Recent highlights also cover the data issues raised by webscraping, the violation of non-disclosure agreements, caller ID spoofing and ransomware attacks. Former vice chair Boris Segalis joined Goodwin in February 2021.

Practice head(s):

Michael Rhodes; Matthew Brown; Travis LeBlanc; David Navetta

Other key lawyers:

Kristopher Kleiner


‘Our experience with the Cooley team has been very positive. They are very sharp, knowledgeable and have a good grasp of the technical issues, so they can have a meaningful conversation with your in-house technical team.’

‘They are thoughtful, good writers, and extremely diligent. We have had nothing but positive experiences with them. Travis LeBlanc and Kris Kleiner in particular have stood out as being extremely knowledgeable and capable.’

‘They are always available. There was never a time when they were not able to be contacted for advice. The advice was always well thought out and valuable.’

‘I found this firm better prepared to handle our issues than the team of lawyers of our parent company.’

Key clients

King Kylie

Zoom Video Communications, Inc.


Chan Zuckerberg Initiative

Work highlights

  • Obtained a successful settlement for Facebook in the largest privacy class action in US history and the first-ever class action filed under Illinois’ Biometric Information Privacy Act.
  • Selected by Google to defend the company in a major privacy class action alleging the company, in partnership with the University of Chicago, violated patient privacy through the mishandling of electronic patient records.
  • Represented WhatsApp and Facebook in their high-profile suit against Israeli cybersurveillance company NSO Group (and its parent company Q Cyber), alleging that NSO developed spyware to infiltrate and surveil the mobile devices of more than 1,400 WhatsApp users worldwide.

Covington & Burling LLP

Covington & Burling LLP advises clients on matters such as security audits, the handling of sensitive information for both customers and employees, and regulatory compliance. The team's client roster includes leading players in banking, healthcare, pharmaceuticals and telecoms. Elizabeth Canter is a contact in Washington DC.

Debevoise & Plimpton LLP

Recognized by clients for its ‘breadth of knowledge’, the team at Debevoise & Plimpton LLP was further strengthened in 2020 by the hire of Avi Gesser from Davis Polk & Wardwell LLP. This effectively broadens an already strong offering led by the ‘top-notch’ Luke Dembosky and privacy specialist Jeremy Feigelson. The group regularly handles complex work in breach response, and also covers classified matters affecting law enforcement, emerging data technologies such as artificial intelligence, and cyber investigations with a focus on the national security space. The group is also noted for its proprietary data portal that enables clients to quickly assess their breach notification obligations and generates relevant templates. Risk assessor Jim Pastore and GDPR expert Jane Shvets are other important contacts. Named lawyers are based in New York, aside from Shvets, who divides time between New York and London.

Practice head(s):

Luke Dembosky; Jeremy Feigelson

Other key lawyers:

Jim Pastore; Jane Shvets


‘The team’s breadth of knowledge stands out; I would consider them not just practitioners, but experts in the field. The availability and responsiveness of the team should also be commended.’

‘Luke Dembosky and Jim Pastore are top-notch experts in their field. Luke has the extensive experience as a prosecutor and understands the intersection of technology and law. Luke is very practical and understands his role as a trusted advisor. Jim knows the state and regulator rules/thresholds like none other and knows how to meaningfully counsel on potential risk.’

Key clients

Bloomberg L.P.

Capital One

Edward Jones


Kohlberg Kravis Roberts & Co.

Major League Baseball

PayPal Inc.

Prudential Financial Services

The American Express Company

The National Basketball Association

Dechert LLP

Dechert LLP's 'truly global' practice group welcomed former Goodwin partners Brenda Sharton and Karen Neuman in October 2020; the duo joined the team in joint leadership alongside Timothy Blank. The team is known for handling major breach responses arising both domestically and internationally, where it has particular overseas strength in EEA matters. Its impressive client portfolio includes financial services institutions, asset managers and investment funds, and life science, pharmaceuticals and senior care companies. Recent workflows have included advice on data management, analysis of vendor relationships, investment disclosures and gauging the risk landscape with respect to enforcement actions by the FTC, SEC, state attorneys general, and others. Hilary Bonaccorsi is a standout associate in the team.

Practice head(s):

Brenda Sharton; Karen Neuman; Timothy Blank

Other key lawyers:

Hilary Bonaccorsi


‘Dechert has assembled a truly global team of privacy and data security lawyers. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of clients’ legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe when advising clients. The firm is dedicated to hiring experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.’

‘Brenda Sharton is an amazing senior lawyer who combines deep experience and knowledge with a calm and collected approach.’

‘Brenda Sharton was my primary contact and she is an industry leader in this area. She was not only knowledgeable on the legal issues in our case, but gave practical advice as well on avoiding issues in the future. We have a unique business model where our litigation team will draft some of the memorandums and briefing. Many firms do not like to work this way. Brenda was a great partner and was respectful of what my team brought to the table. She was able to work with our team in a way that lent value to the process and kept our costs to a reasonable level.’

‘Brenda Sharton is a brilliant lawyer and a great client advocate. She is the lawyer you want in your corner. As a seasoned litigator and an experienced data security lawyer, she manages crises with confidence, finesse and strategy. Brenda will get into the weeds with the technical team and in the same breath turn to the legal team to interpret the significance and how it aligns with the bigger picture. Few lawyers have her depth, acumen and empathy but none have the same level of sincerity.’

‘Brenda was able to work with my team on an alternative fee arrangement. As noted above, my team does hands on litigation work so we were able to take the budget proposed by Brenda and decide if we could do part of the work to bring costs to what we felt was manageable. Brenda was great at working with us on this and made us feel like we were part of a team. It was a very enjoyable experience and we got a fantastic result due in large part to Brenda’s leadership and partnership.’

‘Brenda Sharton is one of the most experienced privacy lawyers in the market today, with deep experience and the ability to translate complexity in a way that is actionable and understandable. She cuts through the noise and focuses everyone on what is critical.’

‘Karen Neuman is very responsive and provides very pragmatic advice.’

Key clients

Box, Inc.

Cano Health, LLC.

Macy’s, Inc.

Work highlights

  • Won a motion to dismiss for Macy’s in a purported class action litigation filed in federal court in Massachusetts, in the aftermath of a data breach in October of 2019, involving malware that captured credit card information for retail customers.
  • Represented Cano Health, Inc. in two purported class actions filed in Miami-Dade county, state court in Florida. The litigation matters were filed in the aftermath of a data breach that occurred in April, 2020, involving purported electronic health information and some PII.
  • Assist Box, Inc. with advice and counseling on cybersecurity matters as well as on their global privacy program and policies.

Kelley Drye & Warren LLP

Acting for clients such as Disney, Expedia and Burger King, Kelley Drye & Warren LLP has a very strong reputation in litigation as it pertains to both government regulation and private consumer lawsuits. Headed up by the 'incredibly knowledgeable and experienced' Alysa Hutnik in Washington DC, the data protection team is also particularly well known for its work at the intersection of privacy and advertising law, often carrying out compliance reviews of marketing policies and performing security-by-design gap analyses. Also recommended in the team are Lauri Mazzuchetti and Paul Rosenthal in New Jersey.

Practice head(s):

Alysa Hutnik

Other key lawyers:

Lauri Mazzuchetti; Lauren Myers; Paul Rosenthal


‘The team is dedicated and hard-working, and they bring a depth of knowledge and familiarity with the regulatory process that competes with the largest firms in the country.’

‘Alysa Hutnik is one of the best regulatory advisors I have encountered. She brings a familiarity with the regulatory process and staff that is highly useful. She also brings a well-balanced perspective to engagements, avoiding fruitless and petty disagreements with regulators but still knowing when to draw the line and push back. That pragmatic approach leads to excellent communications and yields positive results.’

‘Alysa manages our relationship. Not only is she an expert in data security- and privacy-law, but she offers realistic and practical advice — not something you always receive from a legal expert. Alysa is also fantastic about providing realistic budgets for projects and managing to those budgets. Finally, Alysa does an outstanding job bringing in other experts from her firm. As a result, a relationship that began with the scope limited to data breach preparation has expanded to include privacy counselling, insurance review, government contact counselling, and litigation support.’

‘Paul Rosenthal is one of our favorite attorneys at Kelley Drye. He is extremely responsive and efficient. Given his prior experience as in-house counsel, he provides guidance tailored to our overall business goals.’

‘The team has a deep knowledge and history in the space that is unique in the field. The team is also responsive, easy to work with, meets deadlines, and provides thoughtful, practical advice taking into account our business and the legal realities. They are a great partner as well, providing value-adds wherever possible like updates and peer connection opportunities.’

‘Alysa Hutnik is incredibly knowledgeable and experienced, which enables her to give practical and thoughtful advice. She is easy to run “quick” issues by and a true partner, looking to provide value add where she can. She also has many connections in our industry and has enabled peer connections, which is always helpful. She truly embodies the term “trusted advisor” in all regards.’

‘Lauren Myers – while Lauren is an associate, she works on several matters for us and I think she is excellent. She provides thoughtful, sound advice and her written work is excellent. She is also incredibly responsive.’

‘My primary contact point has been Alysa Hutnik and she is great. Fantastic client service, but not sycophantic or meek. She’ll give you real advice. She doesn’t respond with lots of initial or follow-up questions–I love that. I’m not coming to you to have to answer more questions–I’m coming to you for answers!’

Key clients

Bank of America Merchant Services



DISH Network/Sling

Dollar Shave Club

Keurig Dr. Pepper




Burger King (Restaurant Brands International)

Latham & Watkins LLP

Latham & Watkins LLP's data protection team has strength in this area that is reflected in its enviable client roster, which includes Facebook and VIZIO. Led by Jennifer Archie in Washington DC, San Francisco-based Michael Rubin and Serrin Turner in New York, the practice group is especially notable for its work in regulatory enforcement, litigation, M&A and transactions relating to both privacy and security. In particular, it has represented clients in a substantial number of investigations brought by the FTC, state attorneys general and various global authorities, as well as in class action suits raised both domestically and overseas. The firm is also increasingly active in data matters pertaining to the Internet-of-things, home security and online dating, and has a strong track record in legal questions surrounding the Children’s Online Privacy Protection Act. The 'exceptional' Robert Blamires and cybercrime expert Marissa Boynton are other key contacts.

Practice head(s):

Jennifer Archie; Michael Rubin; Serrin Turner

Other key lawyers:

Rob Blamires; Marissa Boynton


‘The Latham practice in data privacy and protection really stands out to us as being able to provide highest-quality service to us as a global business — we operate in 152 countries — seamlessly and fully.’

‘Rob Blamires is our lead contact at Latham and he really is exceptional: completely across the existing and emerging legal issues and very sensitive to the business needs we have as a client — which means he makes a really important contribution to the development, implementation, and monitoring, of our risk management strategies.’

Key clients


Miniclip SA



Zynga Inc.


Omni Agent Solutions


Postmates Inc.

Square, Inc.

Mayer Brown

Mayer Brown is well placed to advise on incident response and strategic counseling matters spanning multiple jurisdictions, leveraging the strength of its US and international teams in Europe and Asia. The practice group is led by Washington DC managing partner Rajesh De, who has held senior positions with a number of relevant government agencies, and also worked as general counsel at the NSA. Clients have also singled out David Simon, who has extensive experience of cyber incidents and investigations. In addition to breach response, the team is also able to advise on the data privacy aspects of cross-border corporate transactions and commercial agreements covering supply chain management and data transfers, among others. Also recommended are Lei Shen in the Chicago office; Marcus Christian, a litigator with expertise in the cybersecurity space; and Lauren Goldman, who is highly regarded for class actions and appellate litigation involving data privacy.

Practice head(s):

Rajesh De

Other key lawyers:

David Simon; Lei Shen; Marcus Christian; Lauren Goldman


‘Stellar expertise, experience, practical orientation. The team has practiced in a variety of government roles, giving them experience that’s highly relevant.’

‘Raj De and David Simon stand out for their ability to advise based on deep experience and continued engagement in cutting edge cyber- and national security law.’

Key clients


The Blackstone Group


Hyundai Motor America, Inc.

Kia Motors America, Inc.



St. Jude/Abbott Lab



Work highlights

  • Advise the United Nations regarding international legal issues related to the prevention of cyber warfare, addressing cyber threats to critical infrastructure, preventing terrorists from exploiting the Internet and related information-communication technologies, and data privacy laws applicable to cross-border data sharing for law enforcement.
  • Obtained a significant victory for Goya Foods, Inc. in an in rem cybersquatting lawsuit in the Eastern District of Virginia.
  • Secured a significant victory on behalf of Shutterfly that could potentially benefit hundreds of other companies defending themselves against alleged violations of BIPA.

Reed Smith LLP

The data protection team at Reed Smith LLP is notably strong in breach response, compliance, risk management and litigation, areas in which New York-based lead partner Anthony Diana is particularly well known. Other key figures in the team include FTC specialist Gerry Stegmaier in Washington DC, risk management counsel Samuel Cullari in Philadelphia, New York-based Catherine Castaldo, class-action defense attorney Michael O’Neil in Chicago, and Houston-based cybersecurity expert Bart Huffman. The group has been particularly active in CCPA work, and is also very active in matters concerning the safety of cryptocurrency wallets and the data requirements of health sector clients. Kim Gold left the team in August 2020, but Robert Newman joined from Loeb & Loeb LLP in July 2021.

Practice head(s):

Anthony Diana

Other key lawyers:

Samuel Cullari; Michael O’Neil; Gerry Stegmaier; Catherine Castaldo; Bart Huffman; Sarah Bruno; Robert Newman

Steptoe & Johnson LLP

Steptoe & Johnson LLP runs an 'extremely knowledgeable and capable' data protection team led by New York-based partner Michael Vatis. The firm is particularly noted in the national security space, where it handles data breach pre-emption and response in addition to defense work in class action lawsuits and regulatory investigations. Recent highlights have covered preparatory measures for the California Consumer Privacy Act, counseling US companies on EU data law (GDPR) and representing cybersecurity clients in their opposition to proposed export controls. Increasingly active in biometrics, blockchain and cryptocurrency, the offering also maintains an in-house global guide to encryption regulations.

Practice head(s):

Michael Vatis

Other key lawyers:

Charles-Albert Helleputte


‘Steptoe’s data privacy/protection team is extremely knowledgeable and capable. We use them to update our data security policies and procedures and to assist in responding to potential breach situations. They look for ways to handle issues simply.’

‘Michael Vatis is a true pro in this area. Knows what he is talking about and can explain it in simple terms.’

Key clients

V-Tech Communications


Coalition for Responsible Cybersecurity

Work highlights

  • Act as go-to legal counsel for many of the nation’s largest retailers in preparing for compliance with the California Consumer Privacy Act (CCPA) and related privacy and data security matters.
  • Obtained the dismissal of two proposed nationwide class actions for Pearson. These arose from an alleged data breach that purportedly resulted in unauthorized access to student and administrator data from 13,000 school and university accounts.
  • Represented The Coalition for Responsible Cybersecurity in its opposition to the adoption of a rule proposed by the Commerce Department for certain exports related to intrusion software and IP surveillance systems.


WilmerHale

Based in Washington DC, the team at WilmerHale is jointly headed by Kirk Nahra and Ben Powell, two highly regarded specialists for cybersecurity matters. In broader terms, the 'outstanding' practice group handles sensitive data breaches and is known for providing high-profile clients with advice on technical forensics, incident response, and crisis management. In addition, it has a strong track record in representing clients in regulatory matters before the FTC and state attorneys general, areas in which it has been successful in closing investigations prior to action. Moreover, the firm provides comprehensive advice in relation to privacy laws such as CCPA, GDPR and the impact of Schrems II. Senior associate Arielle Dobkin is recommended on the more junior end of the practice. Reed Freeman departed for Venable LLP in 2020.

Practice head(s):

Kirk Nahra; Ben Powell

Other key lawyers:

Arielle Dobkin


‘The WilmerHale Cyber team is outstanding — top of their game. They handle data breaches with skill and calmness, they are incredibly responsive, and are nuanced in their approach. This team also helped us update our Incident Response Plan this year, modernizing it with practical advice.’

‘Ben Powell has a unique set of skills given his national security background. Calm, thorough, responsive. Arielle Dobkin is an associate to watch.’

‘The breadth and depth of their knowledge of the law and its application to various scenarios.’

‘They come at problems and concerns with a balanced approach. They are reasonable in their assessment of the issue, and provide advice that targets the issue without going overboard with concerns or solutions that should be applied.’

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP has particular strength in advisory matters relating to the CCPA, data breaches, FTC investigations, data issues linked to M&A and cybersecurity compliance frameworks. Of note, the team recently defended Vizio in a class action suit relating to the Video Privacy Protection Act, the Electronic Communications Privacy Act and various other consumer-based statutes. The team is also experienced in legal matters relating to smart cities, the Internet-of-things and sharing platforms. Contacts include joint practice heads Natasha Kohne and Michelle Reed, and Jo-Ellyn Sakowitz Klein, the name to note for issues affecting the health sector.

Practice head(s):

Natasha Kohne; Michelle Reed

Other key lawyers:

Jo-Ellyn Sakowitz Klein

Key clients


Apollo Global Management

Arthur Hayes, Principal and co-founder of BitMEX, the world’s largest bitcoin derivatives exchange

Centerpoint Energy

Eastman Kodak Company

Franciscan Health

Helen of Troy Limited

Hydro Flask

Metro New York



Pizza Hut

RagingWire (part of NTT, a global technology services company)

The Vanguard Group


Work highlights

  • Advised Altice USA, Inc. on its investigation and response to a data breach, including regulatory notices, press releases, establishing a call center, implementation of increased data security protocol, and subsequent putative data breach class action litigation in the Southern District of New York.
  • Assisting a foreign government with drafting enabling laws for NEOM, a smart city, including addressing autonomous vehicle testing and integration and licensing of ride sharing, and crafting cybersecurity and data protection laws, regulations, policies, and practices for the new zone, as well as advice on privacy and cyber security matters relating to operational aspects of building a smart city.
  • Defended VIZIO in a high-stakes privacy class action involving a multitude of privacy issues relating to the Video Privacy Protection Act, the Electronic Communications Privacy Act and other privacy and consumer protection statutes.

Arnold & Porter

Arnold & Porter is recognized in this space for its presence in the healthcare sector, where it represents a number of large healthcare systems and service providers, and regularly handles class actions pertaining to HIPAA, CCPA and CMIA. The practice group is jointly led by New York-based Jami Mills Vibbert (a recent hire from Venable LLP) and Washington DC partners Ronald Lee, Kenneth Chernof and Nancy Perkins. The practice is also well versed in national security matters.

Practice head(s):

Jami Mills Vibbert; Ronald Lee

Other key lawyers:

Kenneth Chernof; Nancy Perkins

Key clients

Canon Business Process Services Inc.

Dunkin’ Brands, Inc.

Georgetown Hospital System

Gilead Sciences Inc.

Johns Hopkins University

Mylan Inc.

Presbyterian Healthcare Services

Prisma Health

Tandem Diabetes Inc.

Western Digital

Zimmer Biomet

Work highlights

  • Provide privacy due diligence in company M&A and create global privacy policies and procedures for Mylan Inc’s global data protection department.
  • Representing Gilead Sciences, Inc., Georgetown Hospital System, Presbyterian Healthcare Services and Prisma Health across the US in data breach and privacy class actions.
  • Guide clients through the national security and criminal law authorities and restrictions related to electronic surveillance, trap and trace devices, pen registers, and related mechanisms.

Cleary Gottlieb Steen & Hamilton LLP

Cleary Gottlieb Steen & Hamilton LLP provides privacy law advice to a roster of impressive corporates such as Google, Unicredit and Hugo Boss. Recent work has seen the team advising on cybersecurity matters as they relate to data breaches, incident response, enforcement, legal compliance at state, federal and international levels, and corporate governance. The key figures in the team are privacy law expert Daniel Ilan and seasoned commercial litigator Rahul Mukhi. A representative highlight for the team is its representation of Morgan Stanley in matters relating to two data security incidents.

Other key lawyers:

Daniel Ilan; Rahul Mukhi; Katherine Mooney Carroll; Jonathan Kolodner; Alexis Collins


‘Cleary has a highly sophisticated team of privacy/data protection professionals – in-depth knowledge and very good problem solving in complex situations’

‘Very approachable – eye-level communication and exchange of ideas highly professional – outstanding people skills.’

Key clients


Morgan Stanley

ESL Investments

Sony Corporation

Guess?, Inc.

Hugo Boss

Giorgio Armani SpA


Global Healthcare Exchange

Fullbeauty Brands


Bear Carlyle

Work highlights

  • Advised Morgan Stanley in connection with its response to two data security incidents, including provision of notices to customers and to state attorneys general, as well as with responding to the Office of the Comptroller of the Currency’s actions relating to the data incidents.
  • Advised ESL Investments on the completion of the sale of Sears, including significant data transfers which required months-long negotiation of privacy-related conditions with the bankruptcy court-appointed Consumer Privacy Ombudsman.
  • Advised Google on privacy matters in connection with the acquisition of FitBit.

Davis+Gilbert LLP

Led by New York-based Gary Kibel and Richard Eisert, Davis+Gilbert LLP provides comprehensive data protection advice to a range of media companies and other data-driven businesses. Its service provision in this regard is the result of a cross-practice effort drawing on expertise from its benefits and compensation, digital media, technology and privacy, labor and employment and litigation teams. The team assists clients with a range of breach-related issues, from consumer notification and public relations through to forensic investigations and regulatory responses. Oriyan Gitig is another contact in the team.

Practice head(s):

Richard Eisert; Gary Kibel

Other key lawyers:

Oriyan Gitig

Key clients

Vistar Media


Arcspan Media


Actable Data

Ardsley Media




Giant Spoon

Gibson, Dunn & Crutcher LLP

The data protection team at Gibson, Dunn & Crutcher LLP is headed up by seasoned technology litigator Alexander Southwell and Ashlie Beringer, and has acted for high-profile names such as Facebook, Salesforce and Yahoo. Other key figures in the team include white-collar specialist Michael Li-Ming Wong, cybersecurity expert Kristin Linsley, Eric Vandevelde, a name to note for cryptocurrency matters, and Zainab Ahmad, who focuses on national security issues. A recent highlight for the team was its successful defense of Facebook in a matter against South Korean analytics company, Rankwave, concerning the client's ability to enforce data security protections against overseas developers. Ashley Rogers made partner in January 2021.

Practice head(s):

Alexander Southwell; Ashlie Beringer

Other key lawyers:

Michael Li-Ming Wong; Kristin Linsley; Eric Vandevelde; Zainab Ahmad; Ashley Rogers

Key clients





Pro Labs and Add-On Networks


Goodwin

The team at Goodwin provides comprehensive support on data breaches and regulatory enforcement actions stemming from the FTC, HHS, OCR, FCC, state attorneys general, and financial regulators. The firm advises clients in the areas of technology and fintech, life sciences, real estate, and private equity. In addition to breach response, the team also has experience of transactional diligence, security assessments and the development of comprehensive privacy programs. Key contacts in the practice group include Steve Charkoudian and David Kantrowitz in Boston, and Jacqueline Klosek in the New York office. Boris Segalis joined the New York office from Cooley LLP in February 2021 and now co-chairs the data, privacy and cyber group.

Practice head(s):

Steve Charkoudian; Gretchen Scott; David Kantrowitz; Jacqueline Klosek


‘The relationship partner at Goodwin very much understands what we do as a business and what our risk tolerance is. As a result, when different practice groups assist (such as the Cyber Law Group) on specific issues, they are able to provide guidance that addresses our issues efficiently. In addition, when the Cyber Law Group has been brought in to assist, they have listened to what the issues were and provided appropriate guidance.’

‘David Kantrowitz is very customer focused, legally brilliant, and a quick learner of a complex business (mine) who remembers the important details even 2.5 years after our big engagement. He’s not just an “outside” counsel.’

‘Brian Mukherjee did an expert job advising and negotiating with our broker, insurance firms and our clients. He, along with David, saved us millions of dollars by effectively building our case such that the insurance firms covered our customers’ entire losses and the maximum allowable portion of our legal, communication and cybersecurity consulting expenses. He also left us armed with good settlement agreements with those clients including releases of future claims in many cases.’

‘David Kantrowitz has advised hundreds of clients through data breaches. He will confidently manage the day to day cadence of an investigation, oversee the forensic firm and consultants, interface with regulators and act as a sounding board when the lines between providing legal guidance and business decisions blur together.’

‘Data privacy and data protection are a very important topic not only for private clients, but for pro bono clients too. Goodwin has gone above and beyond in helping pro bono clients during 2020, with their data privacy questions. They are mindful of the clients’ needs and take time to answer all their questions.’

‘Jacqueline Klosek, has gone above and beyond in helping more than six pro bono clients this year with different questions around data privacy, digital rights and cybersecurity, she is patient and dedicated. She is an amazing lawyer.’

Key clients

Phreesia, Inc.


Slack Technologies


King & Spalding LLP

Atlanta-based Phyllis Sumner leads the data protection offering at King & Spalding LLP, which is rated by clients for its 'superior technical knowledge' in handling major security incidents that lead to litigation and regulatory action. Equally adept in litigation and advisory matters, the practice advises companies on state, federal and international issues covered by HIPAA, FERPA, CCPA and GDPR. Ransomware experts Livia Kiser and Robert Hudock, seasoned technology litigator Natasha Moffitt, and Scott Ferber are other key contacts. The practice group also welcomed the hires of Alvin Lee from Orrick, Herrington & Sutcliffe LLP and Albert Giang from Boies Schiller Flexner LLP. Lee joined the team in New York in February 2020, and Giang joined in California in May 2020.

Practice head(s):

Phyllis Sumner

Other key lawyers:

Alvin Lee; Albert Giang; Livia Kiser; Robert Hudock; Adam Solander; Natasha Moffitt; John Horn; Scott Ferber


‘The King & Spalding team is the law firm to engage when you have a significant data breach. The firm has a deep bench of lawyers with superior technical knowledge that can communicate with your legal team, CISO, and other business stakeholders. The lawyers also direct the forensic investigation and collaborate with your PR teams. Whether you retain the firm to assist with a breach response or assist with a legal defense in a class action relating to a breach, the team is thinking big picture and focused on the best interests of the client.’

‘Phyllis Sumner – Phyllis is responsible for leading the practice group, and I imagine quite busy, but she always seems to be available when you need her. Her advice is practical, based on experience and she will earn your trust quickly.

Natasha Moffitt – Natasha is a very bright lawyer. She will be your biggest advocate and fights for her clients. She understands the business objectives of her clients and provides legal advice that enables the business to best work through crisis.’

‘They are very knowledgeable and, perhaps just as importantly, absolutely committed to providing 24/7 assistance.’

‘Phyllis Sumner has great experience and judgment.

Scott Ferber works 150% at all times. He also has a great grasp of technical complexities.’

Key clients

Capital One

Delta Air Lines, Inc.

Multiple Clients (Blackbaud Incident)

Deloitte LLP

Home Depot, U.S.A., Inc.

Equifax, Inc.

Multiple Clients (Schrems II)

Integrity Marketing Group

T&D Holdings

Krystal Company

Work highlights

  • Represented Capital One in its response to the cybersecurity incident announced in July 2019 involving criminal unauthorized access to personal information.
  • Represented Deloitte in several putative nationwide class actions that were filed relating to a May 2020 data incident involving various states’ Pandemic Unemployment Assistance programs.
  • Act as data privacy and security counsel for Integrity Marketing Group, a fast-growing independent distributor of life and health insurance products focused on serving the senior market.

Loeb & Loeb LLP

Loeb & Loeb LLP has a strong standing in the media space and counts Comcast Cable Communications among its key clients in this space. Led by Jessica Lee, the practice group has broad experience of data harvesting matters for autonomous driving interests and banks, the interactions between GDPR and US law, the monetization of data and cybersecurity breaches. Moreover, clients can benefit from its expertise in cross-border transfers, HIPAA compliance and myriad marketing regulations. Fintech and cyber specialist Mercedes Tunstall joined from Pillsbury Winthrop Shaw Pittman, LLP in February 2020. Ieuan Jolly left for Linklaters LLP in June 2021 and Robert Newman joined Reed Smith LLP in July.

Practice head(s):

Jessica Lee

Other key lawyers:

Mercedes Tunstall; Caroline Hudson


‘Loeb is our global privacy counsel and advises regularly on all aspects of privacy, cyber security and data protection. They are a premier privacy practice led by experts in their field. I appreciate their ability to provide meaningful advice to novel situations while taking into account unique commercial constraints and other client-specific considerations. Additionally, they have a knack for drafting cross-border documents working closely with foreign local counsel.’

‘Extremely knowledgeable and experts in their field. I appreciate the creativity and thoughtfulness when it comes to developing solutions and providing advice.’

Key clients

Comcast Cable Communications

Toyota Motor North America

Tyler “Ninja” Blevins

iHeart Media

Preferred Hotel Group

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP is particularly strong in the areas of financial services and healthcare, where it regularly advises on matters pertaining to key regulation such as the Gramm-Leach-Bliley Act and HIPAA. Described by clients as 'one of the strongest in the legal arena', the team is jointly led by Los Angeles-based Donna Wilson and Scott Lashway in Boston, and counts Shopify and the Ann & Robert H. Lurie Children’s Hospital of Chicago among its diverse client roster. The practice has also had notable success in dealing with cyberattacks. Brandon Reilly in Costa Mesa and Washington DC-based counsel Kaylee Cox Bankston are also recommended.

Practice head(s):

Donna Wilson; Scott Lashway

Other key lawyers:

Brandon Reilly; Kaylee Cox Bankston


‘Manatt, Phelps & Phillips Privacy and Data Security team is one of the strongest in the legal arena. As a data breach incident response and forensics firm we handle up to 100 cases a month and consistently work with over 50 law firms. I would put Manatt in the top five of the fifty firms based on their expertise and demonstrated performance as breach coaches. Donna L Wilson provides superb leadership to this practice, and Scott T Lashway is one of their superstars. You won’t find anyone with stronger cyber skills!’

‘Donna L Wilson provides superb leadership to this practice, and Scott T Lashway is one of their super stars. You won’t find anyone with stronger cyber skills!’

‘The Manatt Team, led by Scott Lashway and Kaylee Cox Bankston were brought in to help our group better understand the applicability to certain privacy and data protection laws. They demonstrated a deep understanding of our specialty insurance industry along with a technical expertise in helping us navigate through some technology questions while interacting with IT staff and executives.’

‘The technical experience combined with the executive presence was truly helpful, we delivered the correct message and tempered expectations from those working on contracts, to identifying and prioritizing the processes that collected data that was in scope for legal risk. Scott Lashway in particular made himself available to address our executive team and reinforce the necessary activities in preparation for laws and regulations that were going into effect.’

‘Very knowledgeable about cybersecurity and data privacy. Able to give good, well rounded counsel with consideration to the specific situation and business.’

‘I value their frankness, knowledge, and thinking about tangential aspects, not just the direct situation at hand.’

‘Outstanding expertise in this area. Both knowledge of the different legal regimes as well as real understanding of challenges in-house legal departments face in this area.’

‘Donna Wilson is an excellent partner. Excellent legal counsel and sage business advice being provided.’

Key clients

Ann & Robert H. Lurie Children’s Hospital of Chicago

CPK Media, LLC d/b/a Christopher Kimball’s Milk Street

Luna Grill Restaurants LLC

National Multifamily Housing Council

Robert Wood Johnson Foundation (RWJF)


Thomson Reuters Holdings d/b/a Westlaw


West Publishing Corporation

Work highlights

  • Represented West Publishing Corporation as plaintiff in a commercial dispute against LegalEase Solutions, a legal support services provider that provided legal research services to its clients by using Westlaw, West Publishing’s proprietary legal research platform, for breach of contract, data harvesting and subsequent data sale to a competitor.
  • Defended Ann & Robert H. Lurie Children’s Hospital of Chicago against a purported class action asserting claims related to a reported security incident involving employees’ purported access to patient data.
  • Defended Aetna in litigation involving the alleged disclosure of HIV-related information.

McDermott Will & Emery LLP

McDermott Will & Emery LLP is well placed to advise on data matters arising from regulatory and enforcement regimes in the US, Europe, Latin America and Asia. Jointly led by Ed Zacharias in Boston and Daniel Gottlieb in Chicago, the team regularly advises on the establishment of compliance programs and is able to leverage its outstanding reputation in the healthcare sector to address the privacy issues raised by digital health platforms. The group also has a strong track record navigating investigations brought by federal and state authorities and has accumulated substantive experience in security breach work. Todd McClelland joined from Jones Day in April 2020 while Sarah Hogan departed for WilmerHale later that year, in September.

Practice head(s):

Ed Zacharias; Daniel Gottlieb

Other key lawyers:

Todd McClelland


‘McDermott has a large team of experts in health care law, with experience specific to IT technology, privacy and data protection. While some other firms may have some attorneys with expertise, I have found McDermott has experts in a variety of different segments of the health care industry, and is eager and able to provide legal support in these areas through more than one of its specialist attorneys. The attorneys recognize additional issues in the various fact patterns that I have presented, and use their internal resources efficiently to make sure that the client is not excessively charged for time.’

‘Great bench depth – there is always someone who is right in the thick of an issue and has excellent market knowledge. Practical and responsive with the ability to respond to issues in a proportionate manner.’

‘Cyber team has excellent knowledge of pre breach legal recommendations as well as post breach or incident response help and expertise.’

Key clients

Vistar Media


Arcspan Media


Actable Data

Ardsley Media




Giant Spoon

Work highlights

  • Advising various clients on the use of location data from mobile devices. This includes advertisers, advertising agencies, mobile location data companies and data brokers.
  • Advising various clients on the potential risk exposure of addressable TV, an emerging method of delivering targeted advertising on digital TVs and/or streaming devices.
  • Advise on CCPA legislation, which includes helping clients develop outlines and action plans based on the various consumer rights, and business and service provider obligations set forth in the regulations.

McGuireWoods LLP

McGuireWoods LLP is recognized for its work on breach response, but is equally adept at compiling management policies and handling advisory matters for clients in the financial services industry. In addition, the practice has extensive experience of the cybersecurity aspects of M&A, compliance with CCPA and the privacy aspects of vendor contract management. The data protection group is headed by information governance expert Andrew Konia, and also includes Janet Peyton, Anne Peterson, Rodger Heaton and associate Emily Voorheis.

Practice head(s):

Andrew Konia

Other key lawyers:

Emily Voorheis; Janet Peyton; Anne Peterson; Rodger Heaton; Ashley Matthews


‘I work closely with Andrew Konia, Emily Voorheis, and others on a diversity of matters. The McGW team is exceptionally responsive, capable of performing extremely sophisticated legal work on a short timeframe, and always professional and easy to work with. I have found this combination to be quite rare.’

‘Andrew Konia is a lawyer’s lawyer, always calm and considerate in a crisis, and he works (and is available) 24/7. I have found the same of his associate Emily Voorheis. Overall, the firm is unusually easy to work with – all are professionals who remind me of the best parts of what the profession must have been like years ago. It seems to me that the firm works as a true partnership. They also care deeply about the well-being of their rising professionals, and go out of their way to expose rising professionals to new experiences.’

‘My relationship partner puts in ungodly hours to deliver advice and turn contracts on time.’

‘Andrew Konia is a fantastic lawyer to in-house counsel. He provides the moral support we need to deliver bad news and helps us offer our business partners a range of solutions. Andrew literally works day and night to hit critical deadlines.’

Norton Rose Fulbright US LLP

Norton Rose Fulbright US LLP regularly advises large pharmaceutical companies and aviation sector clients on data and privacy matters covering the collection, use, storage, transfer and destruction of information. Specifically, the team counsels clients on legal compliance as it relates to cybersecurity and handles risk management, incident response and the stress testing of contingency plans. The group is jointly led by Washington DC-based Chris Cwalina, and Andrea D’Ambra and David Kessler in the New York office. Of note in 2020, the team welcomed Houston-based Will Daugherty from Baker & Hostetler LLP in June, but lost Spencer Persson and Jeewon Kim Serrato to Davis Wright Tremaine LLP and Baker & Hostetler LLP, respectively.

Practice head(s):

Chris Cwalina; Andrea D’Ambra; David Kessler

Other key lawyers:

Tristan Coughlin


‘As a General Counsel in a cyber crisis response situation, this is the team you need by your side. Highly experienced and knowledgeable, the NRF team is able to immediately swing into action and co-ordinate multiple work threads across multi-jurisdictions from dealing with customers, suppliers, regulators, law enforcement, insurers, public relations and more. As well as putting in place the appropriate legal safeguards, the NRF team has the experience, knowledge and technical understanding to provide invaluable insights and guidance on the broader strategic moves.’

‘Highly collaborative working team, quickly able to navigate the customer corporate landscape and immediately add value in key areas.’

‘Always available to provide highly insightful thoughts and guidance and to step in to lift the load off the internal team.’

‘Chris Cwalina’s deep experience in cybersecurity practice is a pair of trusted hands in helping clients with complex issues and risk management.’

‘Tristan Coughlin has demonstrated a good understanding of data privacy laws in many jurisdictions and is dedicated in advising clients.’

Key clients

Gilead Sciences

Boehringer Ingelheim

Abbott Laboratories

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP is particularly active in the energy, financial services, government, healthcare and technology sectors, advising clients ranging from start-ups to publicly traded companies. Jointly headed in the US by Los Angeles-based Deborah Thoren-Peden and Brian Finch in Washington DC, the team has recently advised on matters concerning the legal implications of CCPA as well as the Bank Secrecy Act, requests for information under the Financial Privacy Act, and large-scale risk assessments.

Practice head(s):

Deborah Thoren-Peden; Brian Finch; Rafi Azim-Khan

Proskauer Rose LLP

Proskauer Rose LLP's data protection group is perhaps best known for advising leading sports interests such as the NBA and MLB, but also acts for key players in the telecoms, healthcare and media sectors. Jointly led by Ryan Blaney and Jeffrey Neuburger, the practice group recently advised the NFL on matters relating to Covid-19 testing of players, coaches and staff, a matter which featured a negotiated agreement with Bio Reference Laboratories. The group advises corporate clients on a range of regulatory compliance issues, including those pertaining to information sharing and online advertising, and also represents clients in the defense against class action suits.

Practice head(s):

Ryan Blaney; Jeffrey Neuburger

Key clients

National Football League

National Basketball Association



United Health Group

Church & Dwight Co., Inc.

Discovery Communications

Spectrum Equity Investors, LP

Work highlights

  • Represented Ascension in responding to an ongoing public investigation by numerous state attorneys general and HHS OCR related to Ascension’s collaboration with Google.
  • Represented T-Mobile in ongoing privacy and cybersecurity related counseling, investigations and cyber security responses.
  • Advised the NFL on privacy and data security related issues concerning the NFL’s enterprise-wide Covid-19 testing of players, coaches, staff and on field third parties and negotiated an agreement with Bio Reference Laboratories.

Ropes & Gray LLP

The team at Ropes & Gray LLP has extensive experience in helping clients develop cybersecurity compliance programs, and also handles enforcement and litigation as they relate to the collection, storage and processing of company and personal information. Headed up by Edward McNicholas, Rohan Massey and Edward Black, the group also assists with data commercialization and the use of both AI and synthetic data. Moreover, it has a strong track record responding to federal and state investigations into data breaches. David Peloquin was promoted to the partnership in November 2020.

Practice head(s):

Edward McNicholas; Rohan Massey; Edward Black

Other key lawyers:

David Peloquin

Key clients

Bombas LLC


Advent International

Invesco Ltd

Sumitovant Biopharma Inc.

Civis Analytic Inc.


SIFMA Asset Management Group

CareCentrix Inc.

Allscripts Healthcare Solutions Inc.

Aurora Health Care Inc.

Work highlights

  • Advised Bombas on a potential data security incident that occurred on the company’s online checkout portal in 2017, but was only discovered in 2020.
  • Advise Chicago-based P33, a technology nonprofit, on various privacy, healthcare and Constitutional implications involved in rolling out its breakthrough healthcare analytics platform that draws on hospital data for use in tracking Covid-19 cases.
  • Advising Invesco on several ongoing matters, including the restructuring of Invesco’s North American internal data governance and privacy data structure for policy and procedures.

Seyfarth Shaw LLP

Fielding experts in security and encryption, the team at Seyfarth Shaw LLP is segmented into five particular areas: privacy compliance, incident management, privacy litigation and vendor and technology transactions. Jointly led by the Chicago-based Scott Carlson and John Tomaszewski in Houston, the team advises on breach analysis, the development of compliance systems and legal matters connected to automotive telematics, the Internet-of-things and relevant insurance issues. Information governance specialist Richard Lutkus in San Francisco and 'exceptional resource' Jason Priebe in Chicago are other key contacts.

Practice head(s):

Scott Carlson; John Tomaszewski

Other key lawyers:

Richard Lutkus; Jason Priebe


‘As deep technically as they are in the law, this group has a practical understanding of how to protect client’s “crown jewel” data where it resides and in transit. They have particular strengths with regard to the regulatory, compliance, and technological issues faced by media tech and telecom entities. While they are highly successful in litigation, they are even more successful in preventing litigation losses from inuring to their clients. This group compares favorably to other top law firms.’

‘Richard Lutkus is as good of an ethical hacker and digital forensic expert as any external expert that I know. These skills combine uniquely with his litigation, compliance and regulatory schema knowledge and experience to make him exceptionally potent in mitigating against the damages, costs and follow on litigation associated with breaches and other cybersecurity incidents.’

‘Jason Priebe provides an encyclopaedic knowledge and understanding of data privacy and information governance issues as well as a long storied history of successfully litigating such issues for Fortune 100 clients as well as middle market ones. His blend of practical experience and extensive theoretical knowledge makes him an exceptional resource.’

‘Scott Carlson is the preeminent lawyer in information governance, data security and eDiscovery. That’s why he serves as eDiscovery and information governance counsel for many Fortune 500 firms. His insight and consultative approach has saved and won clients billions of dollars as well as protecting their brand and enterprise value. He is a true thought leader in the information governance and cybersecurity space. A former Navy officer, Mr. Carlson’s leadership skills are formidable. He has very effectively shaped Seyfarth’s eDiscovery and Information Governance practice into an extremely valuable tool for his clients and internal peers.’

Sheppard, Mullin, Richter & Hampton LLP

The data protection team at Sheppard, Mullin, Richter & Hampton LLP assists clients with compliance programs, class action suits and other contentious matters. The team acts for a diverse client roster including Burberry, Toyota Motor Credit and NEO Technologies, and is particularly well versed in defending alleged violations of the Illinois Biometric Privacy Act within its diverse portfolio. Craig Cardon in Century City and Chicago-based Liisa Thomas jointly lead the practice group, which also includes seasoned litigators Kari Rollins and Shannon Petersen in New York and San Diego, respectively; and cybersecurity specialist Jonathan Meyer in Washington DC.

Practice head(s):

Craig Cardon; Liisa Thomas

Other key lawyers:

Kari Rollins; Shannon Petersen; Jonathan Meyer; Brian Anderson; Rachel Tarko Hudson

Key clients


StockX LLC and Stock, Inc.

Inspire Brands (fka Sonic Drive-In)

NEO Technologies

Toyota Motor Credit Corp.

Rite Aid

Hanson Aggregates Pacific Southwest

Jimmy John’s Restaurants



Kontoor Brands (Lee and Wrangler)



Kate Spade

Alston & Bird LLP

The data protection practice at Alston & Bird LLP handles a significant amount of work in the healthcare sector and has been kept busy with CCPA class actions, and advisory matters relating to ransomware and Schrems II. In addition to healthcare work, its client portfolio includes a number of leading payments processors, retailers, information services providers and manufacturers of hi-tech consumer goods. The practice group is led by David Keating and Jim Harvey in Atlanta, and Washington DC-based Kimberly Peretti. Maki DePalo has also been singled out by clients. Also of note, the team recently expanded its global incident response offering with a new team in Brussels.

Practice head(s):

David Keating; Kimberly Peretti; Jim Harvey

Other key lawyers:

Maki DePalo


The team has a really deep bench, good experience, and is very responsive. They can look at a problem from all angles. I appreciate that they have members with government experience, consulting experience, and experience from other large businesses. I feel like I can call them with any problem I have in this area. They also have the ability to think creatively, as we bring them questions from our innovation team that they haven’t encountered before. They can do everything from getting tricky agreements to close to draft nuanced policies.

Alston’s cyber and privacy team is top-notch. They are experts in the field, provide practical advice from a business mindset, are adaptable and responsive, and collaborate exquisitely across their various teams and practice groups — even across multiple office locations — to provide comprehensive legal advice that never forgets the big picture.

This team is very well rounded and experienced. Kim Peretti has excellent cyber experience, and the other team members have good technology, litigation, and HIPAA experience. They don’t just say they’ve handled breaches, they actually have handled breaches under multiple regulatory schemes.

The team maintains a really good privacy blog with helpful articles and insights. They also have good networking groups, such as Women in Cybersecurity & Law. They provide good weekly billing summaries, which help me stay within our budget.

Kim Peretti — Kim provides incredible support, even when your client is in a season of crisis. She is calm, patient, has good advice, and high integrity. I trust her. Maki DePalo — She has really great technical experience, she is always flexible, she gives good, practical business advice and does not over-lawyer. She always takes my calls. We can find good, creative solutions together. David Keating — He is super smart and stays on top of the trends and newest developments. He, too, gives good practical advice and doesn’t over lawyer.

Kim Peretti, David Keating, and Maki DePalo are amazing to work with. They are flexible, accommodating, innovative, and apply a business mindset with their advice, which can be hard to find. They don’t “over lawyer”, but instead provide meaningful, practical advice in record time. They are my right hand and I am grateful for them!

Kim Peretti — great cyber lawyer. Good experience in handling breaches, PCI, and cyber.

Key clients

Cross-Border Data Forum

Four Seasons



Work highlights

  • Serve as counsel to the Cross Border Data Forum, a publisher of information on how law enforcement’s access to evidence should change due to cloud computing and the globalization of criminal evidence.
  • Engaged as lead defense counsel in a consumer class action in California against Four Seasons Hotels Limited following a data breach of a third-party vendor.
  • Advised UPS as lead outside counsel for California Consumer Privacy Act compliance and continue to represent the organization as outside privacy counsel on US and EU data protection matters, including digital privacy, data transfer, and cybersecurity.

Buckley LLP

Buckley LLP has deep experience in advising financial services companies—most notably fintech players—on privacy and cybersecurity matters. Headed up by Elizabeth McGinn and Amanda Lawrence, the data protection team has been especially active advising on information sharing requirements and service provider oversight as it pertains to mobile devices. The group also has capabilities in emerging regulatory requirements, particularly those that fall within the parameters of CCPA, GDPR and various other state regimes. John Redding departed for Alston & Bird LLP in June 2020, though the firm recently welcomed Daniel Alonso from Exiger and James McGuire from Morrison & Foerster LLP.

Practice head(s):

Elizabeth McGinn; Amanda Lawrence

Other key lawyers:

Daniel Alonso; James McGuire; Michelle Rogers


‘The Buckley team, including Amanda Lawrence and Michelle Rogers, bring a practical, business-friendly approach to the practice of law. While I very much appreciate their knowledge of the law (which is substantial), it is their practical guidance regarding how best to implement best practices that we find to be most valuable.’

‘Buckley’s team knows how to quickly provide legal advice that is both practical and concise, which is very valuable to our in-house team. While some firms will provide lengthy and expensive legal analysis, Buckley’s team relies on their depth and breadth of expertise to provide useful guidance from various team members quickly and efficiently. The team approaches challenging issues with empathy, and takes the time to listen to goals or concerns around a specific legal matter. They proactively send helpful articles or guidance when they learn of a new legal issue that is of concern to our organization.’

‘Elizabeth McGinn is not only a wealth of legal knowledge, she is a sincere and caring person. When I think of the term “trusted advisor”, Elizabeth comes first to mind. She has exceeded expectations over the past year in helping our organization navigate complex data privacy matters, a data certification audit, and updated internal policies and procedures. Our team values her comprehensive legal advice.’

‘The Buckley team is top-notch on issues at the intersection of privacy and financial services. They are excellent on counselling in practical ways and in applying existing standards to new and innovative products and services.’

‘Beth McGinn is excellent at addressing both the regulatory and litigation/enforcement sides of issues.’

Key clients

Various clients re: General California Consumer Privacy Act (CCPA) advice

National Football League franchise

General data security incident responses

General GDPR advice to various financial services clients

Various financial services clients

Trade organization

Financial services company

Financial Services Data Protection Working Group

Work highlights

  • Advised a National Football League franchise on privacy and data security issues that may arise when handling sensitive consumer payments information.
  • Advised numerous companies on the scope and impact of the CCPA. This work also covered cyber forensics investigations, vulnerability remediation, cyber insurance, incident response, data breach notifications, ransomware incidents and enhancing information security postures to better prevent and mitigate future attacks.
  • Represented financial institutions covered by the New York Department of Financial Services in investigations into compliance with DFS’s cybersecurity regulations.

Fenwick & West LLP

Jointly led by cybersecurity expert James Koenig and seasoned litigator Tyler Newby, the team at Fenwick & West LLP acts for well-known companies including Uber and Credit Karma. The firm is highly regarded in the technology, life sciences and fintech sectors, where it handles data protection matters as they relate to AI and machine learning, geolocation, health analytics, cryptocurrency and blockchain, and global compliance across these areas. It represents leading players in the fields of e-sports and augmented reality.

Practice head(s):

James Koenig; Tyler Newby

Key clients


InMobi Technologies

Credit Karma


Otsuka America Pharmaceutical

Align Technologies

Hill International




Work highlights

  • Worked with Uber to develop, enhance and/or assess its privacy and security controls in support of its second FTC independent audit required by its FTC consent decree and settlement with all 50 states.
  • Helped InMobi, based in India, enhance and further develop its privacy program controls and ad-tech compliance under the CCPA, the Interactive Advertising Bureau standards and other industry guidelines.
  • Conducted the third biennial independent assessment required by Credit Karma’s FTC consent decree, and worked with the company to contour the FTC Assessment to cover areas of Intuit that will integrate with Credit Karma.

Frankfurt Kurnit Klein & Selz PC

Notably strong in CCPA matters, the team at boutique practice Frankfurt Kurnit Klein & Selz PC counts Domino’s Pizza and TikTok/ByteDance within its notable client portfolio. In broader terms, the firm represents publishers, brokers and analytics firms in data security matters relating to technology deals, and often counsels gaming clients on privacy concerns linked to COPPA. Clients can also benefit from the offering’s detailed knowledge of CCPA requirements as well as its experience in generating privacy programs that comply with international law. The group is led by Tanya Forsheit, and also includes Daniel Goldberg, a GDPR specialist who made partner in January 2021.

Practice head(s):

Tanya Forsheit

Other key lawyers:

Daniel Goldberg


‘This boutique practice provides bespoke legal services specifically tailored to our needs and the lawyers are true experts in their areas.’

‘Tanya Forsheit – a precise expert that provides practical and actionable advice and insight.’

‘The FKKS data privacy team is exceedingly capable and highly responsive to our requests. Where needed in a potential breach analysis situation they are able to schedule same-day calls. The team does a good job of understanding our company’s products and risk-tolerance.’

‘Daniel Goldberg has done a great job of assisting us with negotiating contracts with our customers as well as assisting us with internal compliance issues. He is extremely responsive to our requests.’

‘Tanya Forsheit is a pro and I think one of the most knowledgeable privacy lawyers I’ve met. Also very practical. She thinks like a General Counsel but has the in depth knowledge of a partner who is really at the top of her game.’

‘Tanya is very practical, efficient and knowledgeable. She is always available when we need her.’

Key clients

Dunkin’ Brands

News Media Alliance

Domino’s Pizza




Wieden & Kennedy



Work highlights

  • Act as outside privacy counsel for ByteDance, the parent company of the popular social media platform TikTok; advise ByteDance on product launches and privacy compliance, and help the company negotiate complex vendor agreements.
  • Act as outside privacy counsel for Zynga, a leading global video game publisher; advising on ad tech agreements and addressing privacy compliance.
  • Advise the News Media Alliance on its industry and legislative discussions in Washington DC, and Sacramento, pertaining to CCPA, the CPRA, draft federal legislation including the SAFE DATA Act, and their respective impact on the free press.

Morgan, Lewis & Bockius LLP

The team at Morgan, Lewis & Bockius LLP handles a significant volume of HIPAA work for healthcare clients and also has a strong track record in data issues raised by GDPR and CCPA, as well as the Fair Credit Reporting Act, FACTA and the improper use of flash cookies. The team is jointly led by Reece Hirsch in San Francisco, Silicon Valley-based Mark Krotoski, and Gregory Parks in the Philadelphia office.

Practice head(s):

Reece Hirsch; Gregory Parks; Mark Krotoski

Key clients

Hudson’s Bay Co. (HBC)

Merck KGaA

WaWa, Inc.

Bed Bath & Beyond

Work highlights

  • Retained by Hudson’s Bay Co. to handle all class actions arising from its recent data incident involving Saks Fifth Avenue and Lord & Taylor, two of the brand banners that HBC owns.
  • Represented EMD Digital Inc., a US affiliate of client Merck KGaA, with regard to the formation of Syntropy, a unique joint venture with Palantir Technologies Inc.

Paul Hastings LLP

Based in Washington DC, the data protection team at Paul Hastings LLP is recognized by clients as 'incredibly responsive'. It handles both regulatory matters and litigation and has substantive experience in cross-border matters as they relate to privacy and cybersecurity legislation. Particular areas of focus for the firm are entertainment, social media and banking, areas in which it represents leading corporates including Caesars Entertainment, Facebook and Barclays. Key contacts in the team include Behnam Dayanim, Sherrese Smith, Robert Silvers and Jacqueline Cooney, the last of whom leads the privacy and cyber group.

Practice head(s):

Behnam Dayanim; Sherrese Smith; Robert Silvers; Jacqueline Cooney


‘I have had the privilege of working with Sherrese Smith and Jacqueline Cooney of Paul Hastings on data privacy and data protection related matters, and have valued the depth and breadth of their expertise, which has been tailored to our particular circumstances and which has been practical and pragmatic. Paul Hastings has a privacy blog with helpful resources, and a team with deep experience, with past government roles and involving lawyers and non-lawyers, to help us remain current in this evolving area of law.’

‘Excellent written communications, with a well-organized plan of action for evaluation.’

‘Sundeep Kapur of the Paul Hastings team has a deep understanding of the technology that undergirds the digital advertising industry. In fact, he knows the technology better than any lawyer at a law firm that I know. This makes him an indispensable partner in providing on point legal counsel.’

‘The Paul Hastings Privacy and Cyber team are extraordinary. Incredibly responsive, practical, able to handle many diverse issues. For example, due to a staffing gap, PH started editing our contracts for privacy issues. After only one time, they now identify and ameliorate our unique contracting issues; they are an extension of our privacy team.’

‘Sherrese Smith is responsive, practical and creative. Top in her field. Drew Erber (associate) is responsive and thoughtful.’

‘Extremely responsive, knowledgeable and provide practical advice regarding complex privacy and cybersecurity matters.’

‘PH’s attorneys have provided a steady hand in uncertain seas, offering their expertise, knowledge and experience at all hours.’

Key clients


Samsung Electronics America


Caesars Entertainment

L’Oreal USA Inc.

Align Technology

Interactive Advertising Bureau


Cadent Inc.


Modiface, Inc.

Biofire Diagnostics, Inc.

Citadel Enterprise Americas LLC

Lusha Systems Inc.

Work highlights

  • Represented Modiface in connection with a putative class-action complaint alleging that its “Virtual Artist” kiosk software as provided to retailer Sephora violates Illinois’ Biometric Information Privacy Act.
  • Retained by BioFire in a substantial matter filed in The United States District Court for the Northern District of Texas related to trade secret theft and breach of contract.
  • Advise the IAB and IAB Tech Lab on a range of adtech privacy issues, including by helping the group try to develop an industry consensus on approaches to the impending California Consumer Privacy Act.

Shook, Hardy & Bacon LLP

Although the data protection team at Shook, Hardy & Bacon LLP stands out in particular for its work in biometrics, the team is also very experienced in compliance and incident response matters more generally. The practice group is led by the Miami-based cybersecurity expert Al Saikali, and also includes Melissa Siebert in Chicago, a class action specialist with noted experience in litigation brought under BIPA.

Practice head(s):

Al Saikali

Other key lawyers:

Melissa Siebert

Winston & Strawn LLP

The data security team at Winston & Strawn LLP recently introduced its regulated personal information practice, which specializes in compliance with legislation such as the TCPA, BIPA, and CCPA. Led by Sheryl Falk, Steven Grimes and Alessandra Swanson, the group is especially strong in CCPA litigation and regularly assists clients in matters pertaining to domestic and international regulations that protect employee and consumer information. It also has experience in matters presented by emerging technologies such as AI, facial recognition, biometrics, and IoT. Eric Shinabarger is another key contact.

Practice head(s):

Sheryl Falk; Steve Grimes; Alessandra Swanson

Other key lawyers:

Eric Shinabarger


‘Winston has in-depth experience with multiple companies in our space. This provides multiple viewpoints to assist us. Winston has heavy experience with IoT. They take the extra time to customize recommendations and position papers to our specific issues.’

‘Eric Shinabarger – his insights into the technical aspects of compliance and security are outstanding.’

‘Sheryl Falk is internationally known and a premier resource in the field of privacy and technology. Her experience and talent in our area is unparalleled. She is great to work with and responsive to requests.’

Key clients

Major Insurance Company

Global Oil and gas services and technology company

Major Manufacturer of Internet of Things Devices

International Food Manufacturer

International Medical Device Company