The Legal 500 > United States > United States > Cyber law (including data privacy and data protection)

Baker McKenzie LLP assists clients with a full spectrum of cybersecurity and data protection matters, including advisory work, transactions and crisis management, data breaches and incident prevention and response, regulatory and internal investigations, disputes and litigation. The practice is headed by Chicago-based Brian Hengesbaugh. Other names to note are Washington DC-based David Lashway, who is well versed in cybersecurity, crisis management, internal investigations, and complex criminal, civil and administrative litigation; John Woods (DC), Michael Egan (Boston) and Jennifer Seale (DC); Palo Alto-based Lothar Determann, who specializes in CCPA; Chicago-based Amy de La Lama; and associate Brandon Moseberry in Chicago. The client portfolio includes Booking, Geotab and Pizza Hut.

DLA Piper LLP (US) assists clients with compliance in relation to transnational, federal and state privacy and security regulations, industry best practices and self-regulatory initiatives. Based in Washington DC, practice head Jim Halpert has been advising the State Privacy and Security Coalition on stopping a number of bills which reintroduced at the state level asymmetrical ISP-only privacy rules from the FCC, repealed by Congress in March 2018.  Miami-based Carol Umhoefer has been assisting Pfizer with all aspects of its GDPR compliance program, while Atlanta-based Saxby Chambliss has been working with the US Chamber of Commerce on a report on the importance of reducing barriers to transnational sharing of cybersecurity threat information. San Francisco’s Rena Mears, who is well versed in privacy and cybersecurity assessments, program and control design, data mapping and program and vendor-risk management, is another key contact. Margo Tank joined the Washington DC office from Buckley LLP in January 2018, and Andrew Serwin, ‘a person of rare skills', joined the San Diego office from Morrison & Foerster LLP in 2019.

Hogan Lovells US LLP provides ‘tremendous help’ to global businesses on cybersecurity governance, compliance and risk management – particularly with reference to the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) - as well as breach response and litigation resulting from high-profile data breaches. The practice is headed by the ‘key author of privacy regulations’, Marcy Wilder, who specializes in complex cyber-attacks, privacy investigations and data protection work in digital health, and Harriet Pearson. Pearsonhas been assisting consumer credit reporting agency Equifax before the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) with regard to the client’s 2017 data breach, which affected 145m consumers. Uber and Salesforce are other notable clients. Key contacts also include litigator Michelle Kisloff, the ‘highly skilled’ Bret Cohen, senior counsel Christopher Wolf and senior associate Paul Otto, who is ‘very well versed in technical matters’. Named individuals are based in Washington DC.

The 'excellent’ Hunton Andrews Kurth LLP specializes in large-scale cybersecurity attacks, implementation of GDPR requirements for US-based multinational companies, board advisory work on privacy and data protection, international data transfer mechanisms, compliance with CCPA and the Health Insurance Portability and Accountability Act (HIPAA), and preparation and prevention of cyber events. Practice head Lisa Sotto has been assisting Yahoo! with two huge cyber-attacks and related class action lawsuits and, together with Brittany Bacon, who was made partner in April 2018, has been advising companies such as Western Union and Tiffany on global data protection and privacy. The ‘incredible’ Aaron Simpson and Washington DC-based Phyllis Marcus and Paul Tiao are other key contacts. Named individuals are based in New York unless otherwise indicated.

‘At the top of its game’, Morrison & Foerster LLP focuses on high-profile data breaches, enforcement actions and privacy compliance matters. Clients span the consumer products, manufacturing, retail, healthcare, pharmaceutical, transportation, food and beverage, hospitality, insurance and financial sectors. New-York based co-head Miriam Wugmeister’s ‘guidance and experience is invaluable’. She has been assisting a number of global industry leaders with their compliance with GDPR and CCPA. Julie O’Neill and Purvi Patel, who are based in Washington DC/Boston and Los Angeles respectively, have been acting for Unity Technologies in two putative class actions alleging the violation of the Children’s Online Privacy Protection Act (COPPA) by Disney and Viacom mobile gaming apps, which use the client’s software. The ‘master’ Nathan Taylor and John Carlin (both based in Washington DC) and New York-based associate Melissa Crespo are other key team members. Kristen Mathews joined the New York office from Proskauer Rose LLP in March 2019.

In January 2019, the ‘unusually skilled litigator’ Douglas Meal, Heather Sussman, Michelle Visser and Seth Harrington joined Orrick, Herrington & Sutcliffe LLP from Ropes & Gray LLP. Sussman leads the newly launched Boston office, which also includes Meal and Harrington; Visser is based in San Francisco. Aravind Swaminathan, who is based in Seattle and co-heads the practice with Washington DC’s Antony Kim, has been advising the City of Seattle on data privacy and security matters, including data sharing restrictions, protection of law enforcement and sensitive information, public records management requiring technical cyber intelligence as well as the privacy ramifications of new technologies. The team has also acted successfully for Microsoft in a dispute against the US Government, in which the latter’s ability to obtain emails stored on servers in Ireland was challenged.

Baker & Hostetler LLP specializes in regulatory and litigation issues, focusing on security and risk assessments, proactive training for incident response and compliance counseling, as well as on legal matters related to blockchain, digital currency and artificial intelligence. Practice head Theodore Kobus III from the New York office and Cincinnati-based Craig Hoffman have been advising cable, satellite and broadcast television network QVC on general privacy compliance, including compliance with CCPA, and data incident response plans. The team has also been defending hotel chain Marriott in a number of class actions generated from the massive data breach reported by the client in September 2018. Forever 21 and Hawaii Electric are other notable clients. Washington DC’s Laura Jehl, Houston’s Will Daugherty and New York’s Melinda McLellan are also recommended.

Cooley LLP bases its activities on compliance and strategy, transactional support to clients, breach preparedness and response, as well as privacy and data security litigation and investigation. The practice is headed by San Francisco-based Michael Rhodes and Matthew Brown, who successfully defended Facebook in a number of class actions filed across the country and following the client’s alleged use of 'browser cookies'. The team has also acted in class action litigation for Google, whose product Gmail had allegedly violated the California Invasion of Privacy Act and the Electronic Communications Privacy Act, and for Here Media, dismissing the claim that the client had failed to keep subscribers’ sensitive information secure. Colorado-based David Navetta and New York’s Boris Segalis, who have been advising life science companies, insurance brokers, financial institutions, media organization and retailers on GDPR compliance, are other key members of the team. In January 2019, litigator Travis LeBlanc joined the Washington DC and San Francisco offices from Boies Schiller Flexner LLP.

Debevoise & Plimpton LLP has ‘very deep expertise’ in a wide range of cybersecurity matters, including incident preparation, response and investigation, related civil litigation and regulatory defense, and national security issues. The practice is headed by Washington DC’s Luke Dembosky, who is ‘a trusted adviser in very high-stress, high-risk situations’, and New York’s Jeremy Feigelson. New York’s Jim Pastore is ‘incredibly knowledgeable, precise and detailed’. The team has been advising PayPal, the NBA and other clients on privacy and data security issues, including compliance with GDPR and CCPA. Other highlights include assisting Royal Bank of Canada with the response to a data breach at the client's vendor Expedia.

As ‘one of the most responsive and attentive data security law firms’, Goodwin is experienced in data breaches and incident response, regulatory investigations, litigation, transactions and M&A, and advice on GDPR. Practice head Brenda Sharton ‘has been advising clients since the early days of data security and privacy’. Highlights include assisting cloud-based identity and access management provider OneLogin with a data breach in which an unauthorized user gained access to the client’s US database, and acting for several businesses in consumer class actions, government investigations and enforcement actions alleging violations of the Telephone Consumer Protection Act (TCPA). Washington-DC based Karen Neuman and the ‘very notable’ David Kantrowitz, who was made counsel in January 2019, are other key contacts. Named individuals are based in Boston unless otherwise indicated.

Latham & Watkins LLP's data privacy and security team is headed by Washington DC’s Jennifer Archie, San Francisco’s Michael Rubin and New York’s Serrin Turner. Archie has been advising consumer electronics company Vizio on global data privacy and security matters, including the client’s potential expansion of smart television sales outside the US and into markets with different data protection laws. Rubin and Serrin have been assisting Facebook as leading global counsel with the investigation, preparation and handling of regulatory submissions and litigation in relation to the client’s September 2018 data breach. The client portfolio also includes Apple, Lyft and LG Electronics.

Brian Finch and Deborah Thoren-Peden head Pillsbury Winthrop Shaw Pittman LLP’s practice from Washington DC and Los Angeles respectively. Finch specializes in cybersecurity, national defense and intelligence policies, while Thoren-Pedersen has advised US-based fintech and bank holding company Green Dot on regulatory and privacy aspects of its acquisition of online distribution channel AccountNow. Mercedes Tunstall, who is also based in Washington DC, assists clients from a wide range of industries with mobile and other e-commerce initiatives, as well as with the use of social networking sites for marketing, customer service and crowdsourcing purposes. Los Angeles-based senior counsel Catherine Meyer, who works with financial institutions, is another name to note.

‘On the leading edge’ of cyber law, Proskauer Rose LLP has longstanding experience in privacy and data security compliance, corporate transactions, litigation, labor and employment and healthcare. Litigator Margaret Dale, who is ‘calm and confident in the stressful cyber law environment’, advised men's clothing retailer Charles Tyrwhitt on a putative class action brought against the client under the Wiretap Act, obtaining a complete dismissal. Other clients include companies from the telecoms, financial services, insurance, utilities, arts and sport sectors. Associate Tiffany Quach is ‘fantastic to work with’. Kristen Mathews joined Morrison & Foerster LLP in March 2019. All named individuals are based in New York

The ‘up-to-date and comprehensive’ Washington DC-based e-commerce, privacy and cybersecurity team at Venable LLP is headed by ‘top privacy lawyer’ Stuart Ingis and Emilio Cividanes, who specialize in crisis management and class action litigation, representing clients before Congress, the FTC and other institutions and agencies. Michael Signorelli advises marketers, advertisers, trade associations, e-commerce firms, retailers, social platforms and technology providers on privacy and consumer protection matters. Highlights included acting as general and policy counsel for the Digital Advertising Alliance (DAA) and assisting the American Association of Advertising Agencies (4A) with GDPR compliance. Thomas Boyd joined from DLA Piper LLP (US) in May 2018.

Akin Gump Strauss Hauer & Feld LLP assists clients with a wide range of cybersecurity matters, including advocacy and counseling on the CCPA and other regulatory frameworks, compliance work, M&A diligence, data sharing agreements, board advisory work, innovation-related services as well as investigation and litigation. The practice is co-headed by Natasha Kohne and Michelle Reed, who are based in San Francisco and Dallas respectively. Kohne has been advising clothing manufacturer Alpha Industries on the management of an intrusion suffered by the provider of a digital commerce platform used by the client on its website. Reed assisted Texas-based tax and accounting firm Honza with a data breach involving stolen client information. Washington DC’s senior counsel Jo-Ellyn Sakowitz Klein is another name to note. Consumer class action litigators Meredith Slawe, Kathryn Deal and Michael Stortz joined from Drinker Biddle & Reath LLP in 2018.

At Arnold & Porter, Ronald Lee specializes in national security, cybersecurity, and government contracts matters. He and counsel Nancy Perkins have been advising clients on legal and policy aspects of internet, computer networks and cyber operations, including criminal and civil provisions, privacy, intellectual property and encryption. Litigator Kenneth Chernof acted for travel technology company Sabre in obtaining dismissal of a putative class action following a data security incident that affected the client’s reservation technology. New York-based Marcus Asner, who focuses on data breaches, cyber  crime, identity theft and credit card bust-out schemes, is another key contact. Named individuals are based in Washington DC unless otherwise specified.

The ‘very accomplished and expert’ Richard Eisert and Gary Kibel head Davis & Gilbert LLP’s New York-based practice. The team is well known for advising clients with ‘intelligence, confidence and clarity’, particularly on data privacy and security issues related to advertising, marketing and sales promotion law. Highlights included assisting a number of advertising agencies and brands with reviewing their ad tracking activities and promotions in compliance with the Children’s Online Privacy Protection Rule (COPPA). Counsel Oriyan Gitig, who assists clients with new media, technology and software development, licensing, advertising and intellectual property, ‘exemplifies what an attorney and a professional should be’.

Loeb & Loeb LLP’s practice is jointly led by New York-based Ieuan Jolly and Jessica Lee as well as Chicago’s Robert Newman, who joined the team with Monique Bhargava from Winston & Strawn LLP in May 2018. Jolly and Lee have been advising advertising and public relations companies as well as Regeneron Pharmaceuticals on their respective GDPR compliance projects, while Newman has been assisting clients with consumer data collection use and technological innovations. The chair of the New York-based advanced media and technology practice James Taylor is also well versed in data privacy and data protection work.

Mayer Brown handles work in incident preparation and breach response, litigation and government investigations, strategic counseling and corporate governance, vendor and supply-chain management, contracting and data transfers, regulatory and compliance, as well as policy and advocacy. Practice head Rajesh De is based in Washington DC and specializes in legal and policy issues related to technology, national security, law enforcement and privacy. New York’s Lauren Goldman, who works in a ‘well-reasoned, concise, well-organized, and business-focused’ way, acted successfully for Facebook in the purported Smith v Facebook class action, defending the client from the allegation of having used cookies to communicate with various healthcare websites and then used that information for marketing purposes. Shutterfly and Twitter are other notable clients. Washington DC’s Marcus Christian and Los-Angeles-based litigator John Nadolenco are also recommended.

The McGuireWoods LLP team has ‘critical legal and technical expertise’. Tysons-based practice head Andrew Konia ‘provides excellent customer service and attention to detail’, advising clients on information governance, data protection programs and data breach response, as well as on privacy and security issues in vendor contracts and M&A and private equity transactions. Senior counsel Nathan Kottkamp, who is based in Richmond, has been assisting KPMG with its HIPAA work. Other key clients come from the telecoms, healthcare and transportation sectors. Charlottesville-based associate Ashley Matthews  is ‘a terrific lawyer’. In October 2018, Michael Adams left the practice and joined Palantir Technologies as senior executive in a non-legal position.

Ropes & Gray LLP’s areas of strength include privacy and security compliance, data breaches and intrusions, investigation defense and settlement negotiations as well as the development and implementation of corrective action plans. The practice is headed by Boston’s Marc Szpak, whose team has been assisting fast-food restaurant chain Arby’s against all third-party claims arising from a security breach which targeted customers’ payment card data. Other highlights included advising Nationwide Mutual Insurance Group on a 2012 cyber attack which has generated a number of class actions against the client. Marc Barnes and Deborah Gersh (from Boston and Chicago respectively) are recommended for healthcare work, while Boston’s Richard Batchelder is the name to note for litigation. In January 2019, Heather Sussman, Douglas Meal, Michelle Visser and Seth Harrington joined Orrick, Herrington & Sutcliffe LLP.

Along with compliance work, breach management and litigation, the ‘incredibly client-focused’ Seyfarth Shaw LLP specializes in automotive telematics, blockchain, IoT, big data and usage-based insurance. The practice is jointly headed by Houston’s ‘true expert’ John Tomaszewski  and security expert Scott Carlson from the Chicago office. Tomaszewski and San Francisco’s Richard Lutkus, who is well versed in data security and encryption, assisted human resources services and technology company Morneau Shepell with due diligence for its acquisition of LifeWorks. Chicago-based Bart Lazar has been advising a leading strategic communication firm and a well-known apparel manufacturer on GDPR compliance.

Sheppard, Mullin, Richter & Hampton LLP is ‘very knowledgeable’ in data breach, class action and litigation, technology transactions and privacy counseling as well as cybersecurity matters. The practice is headed by ‘standout’ Liisa Thomas and Craig Cardon, who are based in Chicago and Century City respectively. Thomas, Cardon and New York’s Kari Rollins acted for fast-food brand Sonic as breach response and litigation counsel in connection with a data breach suffered by the client’s drive-in restaurants in 2017 and following class actions. San Diego’s Dr Shannon Petersen assisted weight loss company Jenny Craig with a putative class action alleging the client’s violation of TCPA. Christine Clements, who specializes in HIPAA, joined the Washington DC office from Crowell & Moring LLP in April 2018.

Cleary Gottlieb Steen & Hamilton assists clients with data protection regulation compliance in multiple jurisdictions, incident notification and response, privacy and cybersecurity provisions in vendor contracts, data usage and litigation. Litigator Jonathan Kolodner and IP transaction expert Daniel Ilan jointly head the practice. Highlights included advising Canada-based software company OpenText on data breaches, cybersecurity and privacy related to M&A and SEC disclosures, and assisting multinational conglomerate Honeywell with data transfer issues and global compliance with privacy and data protection laws. Washington DC-based Katherine Mooney Carroll  specializes in advice to financial institutions. Rahul Mukhi and Washington DC’s Alexis Collins were made partners in January 2019. Named individuals are based in New York unless otherwise specified.

Clifford Chance has a cross-disciplinary practice which handles privacy and cybersecurity matters in relation to IP, antitrust, corporate transactions and litigation. The practice is headed by Megan Gordon, who is based in Washington DC and specializes in risk management, transactional due diligence, compliance and internal investigations, and the ‘wonderful’ Daniel Silver from the New York office, whose expertise as a litigator includes regulatory enforcement and white-collar criminal defense. Key clients are from the financial, technology, media and telecoms, consumer goods and retail and automotive sectors. Washington DC’s Steven Gatti, who is well versed in regulatory matters across the financial services sector, is another name to note.

The ‘amazing’ Frankfurt Kurnit Klein & Selz PC is well known for its expertise in cybersecurity and privacy matters in the field of digital advertising and publishing. The ‘incredibly responsive’ practice head Tanya Forsheit is ‘everything you could ask for in an outside counsel’. She and counsel Daniel Goldberg, who is also recommended, have been advising media conglomerate Meredith Corporation on compliance with GDPR. The client base also includes Dunkin’ and TaskRabbit. The ‘outstanding’ Gregory Boyd and Sean Kane from the New York office are other names to note. Named individuals are based in Los Angeles unless otherwise indicated.

Jenner & Block LLP’s areas of strength include privacy and data security issues, policy audits related to relevant legislation, customized compliance programs as well as investigations, enforcement and litigation. Key clients are companies from the media and entertainment, advertising, gaming and financial sectors. The names to note are Washington DC’s David Bitkower, who specializes in investigations, compliance and defense; litigators David Saunders and David Layden, who are based in Chicago; and Washington DC’s Keisha Stanford, who assists clients with compliance, white-collar criminal defense, government enforcement and internal investigations. Former practice head Nancy Libin moved to Davis Wright Tremaine LLP in September 2018.

The ‘top-notch’ Jones Day team is headed by Los Angeles’ Daniel McLoon. He and litigators John Vogt and Adam Wiers (based in Irvine and Chicago respectively) have acted for Experian in class actions related to the client’s alleged violation of the Fair Credit Reporting Act (FCRA) and to an identity thief accessing consumer records from databases allegedly owned by the client and two other companies. New York’s Mauricio Paez has been advising Cardinal Health on data protection matters concerning the acquisition of new businesses and the implementation of a local data protection compliance program in various countries. Boston-based Lisa Ropple, who specializes in breach investigation and response, is ‘a joy to work with’.

The ‘excellent, practical and efficient’ McDermott Will & Emery LLP’s practice is jointly headed from Boston, Los Angeles and Chicago by the ‘extremely well-versed’ Mark Schreiber, Michael Morgan, who ‘has a phenomenal understanding of his clients’ business needs’, and Daniel Gottlieb, who ‘is not only creative and smart, but also incredibly pleasant’. Highlights included assisting software publisher Block.one with data protection compliance matters related to the development of a mobile application designed to connect users to decentralized mobile applications that run on blockchain; and advising global provider of equipment and services for electric power systems S&C Electric on its obligations under GDPR.

At Morgan, Lewis & Bockius LLP, practice leaders Gregory Parks, W. Reece Hirsch  and Mark Krotoski (based in Philadelphia, San Francisco and between Silicon Valley and Washington DC respectively) have been advising a number of companies from the energy, financial, health, hospitality and retail sectors on compliance with CCPA. Parks and Philadelphia’s Ezra Church have been acting for department stores chain Hudson’s Bay in all class actions following a payment cards data incident involving client-owned brand banners Saks Fifth Avenue and Lord & Taylor. Start-up Blink Health, which offers a mobile app for consumers to access discounted medications outside of their health insurance plans, is a key client.

The ‘very responsive and practical’ team at Paul Hastings LLP is headed by Behnam Dayanim, who specializes in cybersecurity and privacy, fintech and payments as well as advertising and gaming. Dayanim and Robert Silvers acted for international money remittance company MoneyGram before the Committee on Foreign Investment in the United States (CFIUS) in relation to national security concerns linked to the bid by Ant Financial, a $150bn fintech company backed by Alibaba, to acquire the client. The practice has also been advising Barclays on a number of data security matters. Sherrese Smith, who has in-depth expertise on GDPR legislation, is a ‘great leader’. Named individuals are based in Washington DC.

Winston & Strawn LLP is jointly headed by Sheryl Falk in Houston and Steven Grimes, who splits between Chicago and Hong Kong. The practice specializes in privacy assessment, audits and compliance programs, IoT, cloud computing and outsourced technologies, internal forensic investigations, incident response and breach notification, theft of confidential information and trade secrets, data security class action litigation, cross-border data protection and transfer and GDPR compliance. The client portfolio includes companies from healthcare, financial services and telecoms. Robert Newman and Monique Bhargava moved to Loeb & Loeb LLP in May 2018.