Cyber law (including data privacy and data protection) in United States

Based in San Francisco and Dallas, Akin Gump Strauss Hauer & Feld LLP‘s cybersecurity, privacy and data protection practice particularly stands out for its breadth, and is regularly sought out by companies needing to update their privacy policies in connection to the California Consumer Privacy Act, seeking representation in privacy and cybersecurity disputes, including data breach class actions as well as assistance in government and internal investigations. Regulatory advice and compliance are also strong areas, alongside transactional work. Natasha Kohne in San Francisco is an expert in the retail, health, financial services and energy sectors and co-heads the department together with Michelle Reed in Dallas, who specializes in privacy and security risk assessments and procedures to mitigate privacy and cybersecurity threats. Jo-Ellyn S. Klein is a key contact in Washington DC.

Baker & Hostetler LLP is well known in the market for having a specialized digital assets and data management group, which particularly stands out in the litigation and class action disputes space, as well as providing a full service around data. The firm particularly stands out in the insurance sector, but the team’s experience also spans to e-commerce platforms, payment service providers, social media players and fintech entities. Incident response, global cybersecurity compliance and tech transactions complete the offering. The practice is led by Theodore Kobus III in New York, whose main clients include Marriott, Abbott and Garmin. Also in New York, associate Nichole Sterling focuses on privacy and data protection, information governance, and emerging technology. In Cincinnati, Craig A. Hoffman is the main contact for security incidents, response preparedness and digital risk advisory work. In May and October 2021, Dallas's Craig Carpenter and Washington DC-based Daniel Kaufman joined the firm from Holland & Knight LLP and the FTC, respectively.

Cooley LLP is a solid name in the market for cybersecurity, data and privacy law and its name is linked to the assistance of large companies in the healthtech, education, insurtech, fintech, social media and life sciences sectors. The team’s workload notably includes data protection work on IPOs and privacy class actions in the context of social media. Cross-practice expertise in venture capital and emerging companies is also highly appreciated by clients. In San Francisco, Michael Rhodes acts as global chair and Matthew Brown as vice chair. Vice chairs in other offices are Travis LeBlanc in Washington DC, who has ‘broad experience provides business-focused counsel’ and Denver's David Navetta. In Washington DC, associate Charlie Wood stands out for his privacy and data security litigation practice. In June 2021, Lei Shen joined the Chicago-based team from Mayer Brown LLP.

Privacy and data security in relation to digital media and interactive advertising is at the center of Davis+Gilbert LLP‘s department focus. The New York-based team is managed by Gary Kibel and Richard Eisert  and provides state-wide regulatory advice, including in California on the California Consumer Privacy Act, the Children’s Online Privacy Protection Act (COPPA) and the California Privacy Rights Act (CPRA), among others. Additionally, Kibel leads the team for all breach response matters, while Eisert offers counsel on all aspects of marketing, promoting and selling goods and services. Counsel Oriyan Gitig is also highlighted.

Debevoise & Plimpton LLP‘s expertise in data strategy and data security is ‘unmatched’. The team stands out for handling complex investigations and privacy incidents, including ransomware attacks. Luke Dembosky in Washington DC focuses on DOJ cyber cases and leads the team alongside New York’s Avi Gesser, ‘an amazing counselor’ and best known for representing international financial services firms, private equity firms, hedge funds and media organizations throughout cybersecurity incidents and civil lawsuits. Risk assessor Jim Pastore is also noted. Counsel Johanna Skrzypczyk joined the team in April 2021 from the New York Attorney General’s office and focuses on data privacy and consumer fairness. The newly opened San Francisco office, established in late 2021 also has cybersecurity capabilities.

Dechert LLP is able to attract high-profile clients dealing with significant data breaches and cyber-attacks as well as those seeking strategic advice especially in connection to M&A, financings and commercial transactions due diligence. Brenda Sharton and Karen Neuman head up the practice from Boston and Washington DC; respectively. Sharton is praised as ‘a fantastic partner to any business’ and an expert litigator, arbitrator and often acts on civil government, regulatory and enforcement matters. Neuman specializes, among other matters, in the collection, use, processing and protection of consumer and employee data. Associate Hilary Bonaccorsi in Boston is highlighted for her knowledge of global privacy and cybersecurity laws and frameworks.

DLA Piper LLP (US) provides global advice across the whole spectrum of breaches, due diligence, privacy litigation, multi-jurisdictional compliance and enforcement matters. San Diego-based Andrew B Serwin leads the team and recently stood out for acting as lead incident response counsel to SolarWinds in their global cybersecurity incident. In Miami, Carol Umhoefer is known for her knowledge of music compliance. Kate Lucente in Seattle advises client on privacy, cybersecurity, data retention and is a specialist of several data protection compliance regimes. The team’s data breaches capability was recently expanded with the arrival in San Diego of partner Justine Phillips, who joined in October 2021 from Sheppard, Mullin, Richter & Hampton LLP. Jim Halpert departed for a position at the Office of the National Cyber Director.

Fenwick & West LLP is known for representing technology and life sciences companies. Its privacy and cybersecurity team, led by San Francisco-based Tyler Newby, is particularly sought out by leading pharma, biotech and clinical research companies seeking help with digital health and pharma matters, including health analytics, global compliance and data breaches. Finance, gaming and consumer products are also key sectors. Class action litigation and M&A advice complete the offering.

Gibson, Dunn & Crutcher LLP‘s privacy, cybersecurity and data innovation department receives praise from the market for the breadth of matters it handles, spanning from regulatory scrutiny, litigation, and law enforcement, and for its remarkable client portfolio, which includes names of the caliber of Facebook, Tencent, Cartoon Network and the New York Times, among others. Technology, advertising and privacy litigation are particular strengths of the team, which is also highlighted for its internal investigation expertise, derived from the presence of lawyers in the team who are former cyber-crime prosecutors. In New York, Alexander Southwell co-chairs the group and is a member, among others, of the white collar defense and investigation practice. His counterpart is Ashlie Beringer in Palo Alto,  who focuses on defending technology companies in global regulatory and litigation matters. Eric Vandevelde   and Ashley Rogers are also key members of the team.

Goodwin‘s data, privacy and cybersecurity team is known for assisting clients in the design and implementation of data-driven products and the protection of privacy rights, and during transactions and related agreements. Incident preparedness and response are also at the center of the offering, as are litigation and investigation matters. In October 2021, former vice president and chief knowledge officer at the IAPP Omer Tene joined the firm as partner and is now the firm’s Boston-based practice head alongside his New York counterpart Boris Segalis. In the same locations are, respectively, David Kantrowitz and Jacqueline Klosek, former counsels both promoted to partner in October 2021. Kantowitz received praise for being ‘patient and effective at delivering both good and bad news’ and was described as ‘a top-notch strategic thinker.’ 

Hogan Lovells US LLP‘s privacy and cybersecurity practices stretches across the Atlantic and is led in the US by Washington DC-based Scott Loughlin. Such global integration, involving Hong Kong and Beijing, is an asset for the team, especially when advising on global privacy and cybersecurity matters and regulations. Compliance with the CCPA, HIPAA and GDPR are a significant part of the firm’s offering, as is the advice in connection to M&A and joint ventures in the healthcare sector. Mark Brennan and Brett Cohen are involved in a matter for Google and are providing advice in connection to cybersecurity and law enforcement surveillance and social media regulation, among other areas, and representing it in class actions. Marcy Wilder, Harriet Pearson and Paul Otto are other key names.

Hunton Andrews Kurth LLP is widely recognized as a cybersecurity law leader, specializing in complex cybersecurity and data breach events. Recently, the New York-based department has been particularly active advising clients in data breach preparedness, data transfer strategies post-Schrems II and defending major businesses against claims with respect to the CCPA. The practice is led by Lisa J. Sotto, who is also known for her role as chair of the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. The team includes Aaron Simpson, who has an established EU data protection practice and provides ‘exceptional commercial perspective and insight.’ Brittany Bacon advises large, multinational companies on large cybersecurity incidents. Associate Danielle Dobrusin has a name as CCPA and CPRA expert.

Jones Day‘s ‘cutting-edge’ cybersecurity, privacy and data protection practice ‘can’t be recommended highly enough.’ The globally integrated team is particularly known for its international cyber incident response and forensic investigations capabilities and its ‘exceptionally skilled attorneys.’ Daniel McLoon and Lisa Ropple in Boston jointly lead the group, specializing in consumer class action defense and global cyber incidents, respectively. In Irvine, Edward Chang, who focuses on privacy litigation and regulatory compliance, and cybersecurity expert John Vogt are described as ‘the best in the business’.

King & Spalding LLP has global data protection, crisis management and response, and litigation capacities. Particularly outstanding is the firm’s data breach class action litigation practice and its knowledge of the finance sector. Phyllis Sumner in Atlanta co-heads the team and has notably acted as lead counsel for Equifax during 2021 in its response to its high-profile data breach. His counterparts are David Balser, also in Atlanta, and Zachary Fardon in Chicago. Washington DC-based Robert Hudock is appreciated for his experience in the technical aspects of data breaches. Scott Ferber left the firm in July 2021. Natasha Moffitt is now retired.

Latham & Watkins LLP receives high praise for its media, technology and telecoms practice. The team is known for assisting high profile tech companies including Facebook in non-US regulatory investigations and related disputes, Accellion in several class action lawsuits, and Zynga, Inc. in a significant data breach. Based in Washington DC, Jennifer Archie leads up the team and is an expert defending clients in Federal Trade Commission, Department of Health and Human Services, and state attorney general investigations. Michael Rubin stands out for his assistance of global technology companies in data crises matters. Serrin Turner in New York is an experienced trial lawyer. Antony Kim in Washington DC is ‘very knowledgeable in the area of cyber law, and is able to apply that knowledge to get clients to quick decision points.’ EU and US-qualified Robert Blamires in San Francisco has significant cross-border experience. Also in DC, Marissa Boynton was promoted to partner in mid-2022.

At Loeb & Loeb LLP in New York, James Taylor acts as head of the advanced media and technology practice, which comprises the privacy, security and data innovations group. The team is co-led by Jessica Lee and recent addition Tanya Forsheit, who joined in September 2021 from Frankfurt Kurnit Klein & Selz PC and is based in Los Angeles. Lee oversees clients launching, marketing and monetizing their digital products and content.  Forsheit is a privacy and data security lawyer with longstanding experience in interest-based advertising, privacy policies, mobile apps, cloud computing, smart devices, and data analytics.

Mayer Brown is highlighted for its international capability to act on matters involving cybersecurity threats and global data privacy regulation and developments, including the European Union’s GDPR and the CCPA. Transnational cyber incidents, global data breaches, class actions against technology companies, and autonomous vehicle security issues all belong to the team’s areas of expertise. The department is jointly headed up by Washington DC-based Rajesh De, who ‘has significant high-level government experience’  and provides ‘direct, clear and practical’ advice. Cyber-extortion expert David Simon, also in DC, is further noted. Lei Shen left the firm in June 2021, while the March 2022 arrival of co-head Dominique Shelton Leipzig to the Los Angeles office from Perkins Coie LLP was a significant boost to the firm’s global data and adtech capabilities.

McDermott Will & Emery LLP works with clients on cybersecurity compliance matters and in the planning of incident response plans. The firm’s worldwide network guarantees competent advice in connection to global regulation frameworks, including CCPA, CPRA, GDPR and regarding international data transfers post-Schrems II. Health data privacy lawyers Ed Zacharias in Boston and Daniel Gottlieb in Chicago, Los Angeles-based cybersecurity and video game technology expert Michael Morgan , and Todd McClelland in Atlanta, who specializes in tech transactions and breach response, jointly lead the team. Jiayan Chen in Washington DC ‘is a rock-star lawyer', while Chicago's Ryan Higgins ‘provides practical, concise constructive and extremely helpful advice.’

Based in Tysons, Andrew Konia manages the data privacy and security offering at McGuireWoods LLP, and is an expert in supporting clients during investigations, data breaches and tech sector M&A, with a particular emphasis on the telecoms sector. Janet Peyton in Richmond, Pittsburgh's Anne Peterson and Rodger Heaton in Chicago are further key names in the team. Emily Voorheis left for an in-house role in early 2021.

Among Morgan, Lewis & Bockius LLP‘s sector specialisms, data security incident consumer class actions stand out. Notably, a team led by practice co-head Gregory Parks in Philadelphia assisted the Hudson’s Bay Company in a series of class actions arising from a data incident involving payment card information. Class actions relating to the improper use of cookies, CCPA and GDPR matters are also at the heart of the practice, which includes San Francisco-based Reece Hirsch and Mark Krotoski in Silicon Valley as key names.

Morrison Foerster is particularly well-known for guiding high-profile clients in their response to disruptive data breaches, disputes and compliance. Among the firm’s notable work includes acting as breach counsel to FireEye/Mandiant in the SolarWinds supply-chain compromise, alongside representing other major clients before federal regulators and in other inquiries, class actions and investigations. Highly recognized Miriam Wugmeister acts as global co-chair in New York. Julie O’Neill, who divides their time between Boston and Washington DC, is a privacy and consumer protection law expert. Purvi Patel in Los Angeles has a niche expertise in businesses’ collection of personal information. Christine Lyon  left the firm in August 2021. New York’s Kristen Mathews is ‘by far the most knowledgeable data privacy and data protection lawyer one can work with’, demonstrating ‘leading expertise’ in the full spectrum of privacy, data protection, and cybersecurity law. DC-based counsel Melissa Crespo is also highlighted.

Norton Rose Fulbright US LLP stands out in the information governance, privacy, and cybersecurity space with a nationwide team and broad experience in key sectors such as life sciences, retail, telecoms and technology. The practice is focused on cybersecurity incidents response, an area in which the team developed an in house solution involving automated intervention schemes based on pre-defined severity levels and real-time connectivity to Security Operations Centers. Compliance and privacy complete the department’s offering. Will Daugherty in Houston acts as co-practice head together with Chris Cwalina in Washington DC, who focuses on complex cybersecurity attacks and data breach investigations, New York-based duo Andrea D’Ambra and David Kessler, who specialize in addressing litigation readiness and cross border discovery matters, and Steven Roosa , who is also based in New York and oversees the development of the firm’s privacy compliance tool suite, NT Analyzer.

The highly developed and recognized cyber, privacy and data innovation practice at Orrick, Herrington & Sutcliffe LLP attracts high-profile clients, including, among others, Microsoft, which hired the team for a biometric privacy litigation, and Twitter, which the team represented in a privacy class action. The matters were led by Boston-based practice head Douglas Meal, and by Michelle Visser in San Francisco and Seattle's Aravind Swaminathan, respectively. In the Boston office, cybersecurity compliance and advisory lawyer Heather Egan Sussman co-heads the group. San Francisco's Shannon Yavorsky is dual-qualified in California and the UK and considered a US and European data security and privacy expert. Litigator Seth Harrington in Boston and CCPA and COPPA specialist Emily Tabatabai in Washington DC are also noted. Antony Kim left the firm in June 2021.

Ryan Blaney heads up Proskauer Rose LLP‘s privacy and cybersecurity group in Washington DC, which is known for its cross-practice expertise, including corporate, transactional, counseling and litigation skills in relation to matters of data collection, use, and sharing, marketing and customer outreach, and online advertising and data security. Blaney focuses on regulatory compliance, enforcement, litigation and transactions and is also a member of the health care practice, creating further synergies.

Ropes & Gray LLP stands out for its comprehensive data, privacy and cybersecurity offering in the US, paired with cross-Atlantic collaboration with the firm’s London-based team, which is particularly appreciated by clients seeking compliance, advisory, enforcement and litigation aspects pertaining to the collection, storage and processing of company and personal data abroad. Standout mandates for the team include work for Wyndham and LabMD relating to regulatory investigations of cybersecurity incidents. Corporate and data transactions complete the group’s offering. Key contacts include practice heads Edward McNicholas and Fran Faircloth, both in Washington DC.

Seyfarth Shaw LLP‘s global privacy and security practice stands out for its expertise in data security and encryption and is highly appreciated for its commercially-savvy advice, deriving from experience in in-house capacities. The team’s ‘strong understanding’ of the needs of security leaders, risk leaders, senior management and directors gains them particular praise. Scott Carlson  ‘is skillful and ensures that messaging is effective, yet balanced for key parties involved.’ Carlson is based in Chicago and co-heads the group together with John Tomaszewski in Houston. Jason Priebe and Bart Lazar  in Chicago are noted. Richard Lutkus left the firm.

Sheppard, Mullin, Richter & Hampton LLP is ‘excellent’ at handling privacy regulatory compliance and houses ‘some of the top privacy experts in the field’, including practice co-heads Craig Cardon in Century City and Liisa Thomas in Chicago. The team focuses on advising large retailers, among other clients, in relation to data breaches, where New York's Kari Rollins excels, class action and litigation cases, and technology transactions and privacy counseling. Jonathan Meyer is now a general counsel at the Department of Homeland Security.

Shook, Hardy & Bacon LLP is well known for its incident response, compliance and risk minimization practice, combines with strong capabilities in privacy litigation, whereby an emphasis is put on biometric privacy cases. Based in Miami, practice head Al Saikali is ‘particularly good with helping business, technology, and legal executives prepared to deal with cybersecurity incidents.’ Further team members in Chicago include Melissa Siebert and Matthew Wolfe, who is an expert on BIPA and ‘gives good, direct guidance in that space.’

Based in Washington DC, Venable LLP distinguishes itself through its engagement in government and regulatory issues, and in particular policy and investigations. Stuart P Ingis co-heads the department and as privacy counsel is especially appreciated by trade associations and coalitions. He is also singled out for being ‘extremely knowledgeable of different industries and the regulatory landscape’. The team is also led by Emilio Cividanes, who has longstanding experience as a privacy lawyer. Reed Freeman Jr is an authority in privacy matters in relation to mobile devices, social media, and connected devices. Julia Kernochan Tama 'is very knowledgeable and always able to provide accurate advice', while Michael Signorelli is ‘fantastic on a whole host of privacy, security, and incident response matters.’ Kelly DeMarchis Bastide is also noted.

Winston & Strawn LLP‘s global privacy and data security practice offers counseling in privacy, data protection, data security by design, litigation, trade secret audits, and investigation matters. The team is led by former federal prosecutors Sheryl Falk and Steven Grimes, who sit in Houston and Chicago, respectively, and former federal privacy regulator Alessandra Swanson, also in Chicago. Other key contacts in Chicago include Sean Wieber, who recently stood out for acting in a class action filed under the CCPA’s new private right of action, and associate Eric Shinabarger, who focuses on privacy counseling, data breach response, and regulatory compliance.