The Legal 500 > United States > United States > Cyber law (including data privacy and data protection)

Hogan Lovells US LLP provides ‘tremendous help’ to global businesses on cybersecurity governance, compliance and risk management – particularly with reference to the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) - as well as breach response and litigation resulting from high-profile data breaches. The practice is headed by the ‘key author of privacy regulations’, Marcy Wilder, who specializes in complex cyber-attacks, privacy investigations and data protection work in digital health, and Harriet Pearson. Pearsonhas been assisting consumer credit reporting agency Equifax before the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) with regard to the client’s 2017 data breach, which affected 145m consumers. Uber and Salesforce are other notable clients. Key contacts also include litigator Michelle Kisloff, the ‘highly skilled’ Bret Cohen, senior counsel Christopher Wolf and senior associate Paul Otto, who is ‘very well versed in technical matters’. Named individuals are based in Washington DC.

The 'excellent’ Hunton Andrews Kurth LLP specializes in large-scale cybersecurity attacks, implementation of GDPR requirements for US-based multinational companies, board advisory work on privacy and data protection, international data transfer mechanisms, compliance with CCPA and the Health Insurance Portability and Accountability Act (HIPAA), and preparation and prevention of cyber events. Practice head Lisa Sotto has been assisting Yahoo! with two huge cyber-attacks and related class action lawsuits and, together with Brittany Bacon, who was made partner in April 2018, has been advising companies such as Western Union and Tiffany on global data protection and privacy. The ‘incredible’ Aaron Simpson and Washington DC-based Phyllis Marcus and Paul Tiao are other key contacts. Named individuals are based in New York unless otherwise indicated.

‘At the top of its game’, Morrison & Foerster LLP focuses on high-profile data breaches, enforcement actions and privacy compliance matters. Clients span the consumer products, manufacturing, retail, healthcare, pharmaceutical, transportation, food and beverage, hospitality, insurance and financial sectors. New-York based co-head Miriam Wugmeister’s ‘guidance and experience is invaluable’. She has been assisting a number of global industry leaders with their compliance with GDPR and CCPA. Julie O’Neill and Purvi Patel, who are based in Washington DC/Boston and Los Angeles respectively, have been acting for Unity Technologies in two putative class actions alleging the violation of the Children’s Online Privacy Protection Act (COPPA) by Disney and Viacom mobile gaming apps, which use the client’s software. The ‘master’ Nathan Taylor and John Carlin (both based in Washington DC) and New York-based associate Melissa Crespo are other key team members. Kristen Mathews joined the New York office from Proskauer Rose LLP in March 2019.

In January 2019, the ‘unusually skilled litigator’ Douglas Meal, Heather Sussman, Michelle Visser and Seth Harrington joined Orrick, Herrington & Sutcliffe LLP from Ropes & Gray LLP. Sussman leads the newly launched Boston office, which also includes Meal and Harrington; Visser is based in San Francisco. Aravind Swaminathan, who is based in Seattle and co-heads the practice with Washington DC’s Antony Kim, has been advising the City of Seattle on data privacy and security matters, including data sharing restrictions, protection of law enforcement and sensitive information, public records management requiring technical cyber intelligence as well as the privacy ramifications of new technologies. The team has also acted successfully for Microsoft in a dispute against the US Government, in which the latter’s ability to obtain emails stored on servers in Ireland was challenged.

Cooley LLP bases its activities on compliance and strategy, transactional support to clients, breach preparedness and response, as well as privacy and data security litigation and investigation. The practice is headed by San Francisco-based Michael Rhodes and Matthew Brown, who successfully defended Facebook in a number of class actions filed across the country and following the client’s alleged use of 'browser cookies'. The team has also acted in class action litigation for Google, whose product Gmail had allegedly violated the California Invasion of Privacy Act and the Electronic Communications Privacy Act, and for Here Media, dismissing the claim that the client had failed to keep subscribers’ sensitive information secure. Colorado-based David Navetta and New York’s Boris Segalis, who have been advising life science companies, insurance brokers, financial institutions, media organization and retailers on GDPR compliance, are other key members of the team. In January 2019, litigator Travis LeBlanc joined the Washington DC and San Francisco offices from Boies Schiller Flexner LLP.

Debevoise & Plimpton LLP has ‘very deep expertise’ in a wide range of cybersecurity matters, including incident preparation, response and investigation, related civil litigation and regulatory defense, and national security issues. The practice is headed by Washington DC’s Luke Dembosky, who is ‘a trusted adviser in very high-stress, high-risk situations’, and New York’s Jeremy Feigelson. New York’s Jim Pastore is ‘incredibly knowledgeable, precise and detailed’. The team has been advising PayPal, the NBA and other clients on privacy and data security issues, including compliance with GDPR and CCPA. Other highlights include assisting Royal Bank of Canada with the response to a data breach at the client's vendor Expedia.

As ‘one of the most responsive and attentive data security law firms’, Goodwin is experienced in data breaches and incident response, regulatory investigations, litigation, transactions and M&A, and advice on GDPR. Practice head Brenda Sharton ‘has been advising clients since the early days of data security and privacy’. Highlights include assisting cloud-based identity and access management provider OneLogin with a data breach in which an unauthorized user gained access to the client’s US database, and acting for several businesses in consumer class actions, government investigations and enforcement actions alleging violations of the Telephone Consumer Protection Act (TCPA). Washington-DC based Karen Neuman and the ‘very notable’ David Kantrowitz, who was made counsel in January 2019, are other key contacts. Named individuals are based in Boston unless otherwise indicated.

Latham & Watkins LLP's data privacy and security team is headed by Washington DC’s Jennifer Archie, San Francisco’s Michael Rubin and New York’s Serrin Turner. Archie has been advising consumer electronics company Vizio on global data privacy and security matters, including the client’s potential expansion of smart television sales outside the US and into markets with different data protection laws. Rubin and Serrin have been assisting Facebook as leading global counsel with the investigation, preparation and handling of regulatory submissions and litigation in relation to the client’s September 2018 data breach. The client portfolio also includes Apple, Lyft and LG Electronics.

Brian Finch and Deborah Thoren-Peden head Pillsbury Winthrop Shaw Pittman LLP’s practice from Washington DC and Los Angeles respectively. Finch specializes in cybersecurity, national defense and intelligence policies, while Thoren-Pedersen has advised US-based fintech and bank holding company Green Dot on regulatory and privacy aspects of its acquisition of online distribution channel AccountNow. Mercedes Tunstall, who is also based in Washington DC, assists clients from a wide range of industries with mobile and other e-commerce initiatives, as well as with the use of social networking sites for marketing, customer service and crowdsourcing purposes. Los Angeles-based senior counsel Catherine Meyer, who works with financial institutions, is another name to note.

‘On the leading edge’ of cyber law, Proskauer Rose LLP has longstanding experience in privacy and data security compliance, corporate transactions, litigation, labor and employment and healthcare. Litigator Margaret Dale, who is ‘calm and confident in the stressful cyber law environment’, advised men's clothing retailer Charles Tyrwhitt on a putative class action brought against the client under the Wiretap Act, obtaining a complete dismissal. Other clients include companies from the telecoms, financial services, insurance, utilities, arts and sport sectors. Associate Tiffany Quach is ‘fantastic to work with’. Kristen Mathews joined Morrison & Foerster LLP in March 2019. All named individuals are based in New York

Steptoe & Johnson LLP advises clients on global privacy and data security issues, including data breach prevention and response, compliance, regulatory investigations and class action lawsuits following data breaches. New York-based practice head Michael Vatis has been assisting the global supplier of electronic learning products for children, VTech, with the response to a hack of customer information and the resulting US and international regulatory enforcement investigations. Other key team members of the Washington DC office include Alan Cohn, who specializes in cybersecurity, blockchain and distributed ledger technology issues, Stewart Baker and cryptocurrency expert Jason Weinstein.

The ‘up-to-date and comprehensive’ Washington DC-based e-commerce, privacy and cybersecurity team at Venable LLP is headed by ‘top privacy lawyer’ Stuart Ingis and Emilio Cividanes, who specialize in crisis management and class action litigation, representing clients before Congress, the FTC and other institutions and agencies. Michael Signorelli advises marketers, advertisers, trade associations, e-commerce firms, retailers, social platforms and technology providers on privacy and consumer protection matters. Highlights included acting as general and policy counsel for the Digital Advertising Alliance (DAA) and assisting the American Association of Advertising Agencies (4A) with GDPR compliance. Thomas Boyd joined from DLA Piper LLP (US) in May 2018.

Akin Gump Strauss Hauer & Feld LLP assists clients with a wide range of cybersecurity matters, including advocacy and counseling on the CCPA and other regulatory frameworks, compliance work, M&A diligence, data sharing agreements, board advisory work, innovation-related services as well as investigation and litigation. The practice is co-headed by Natasha Kohne and Michelle Reed, who are based in San Francisco and Dallas respectively. Kohne has been advising clothing manufacturer Alpha Industries on the management of an intrusion suffered by the provider of a digital commerce platform used by the client on its website. Reed assisted Texas-based tax and accounting firm Honza with a data breach involving stolen client information. Washington DC’s senior counsel Jo-Ellyn Sakowitz Klein is another name to note. Consumer class action litigators Meredith Slawe, Kathryn Deal and Michael Stortz joined from Drinker Biddle & Reath LLP in 2018.

At Arnold & Porter, Ronald Lee specializes in national security, cybersecurity, and government contracts matters. He and counsel Nancy Perkins have been advising clients on legal and policy aspects of internet, computer networks and cyber operations, including criminal and civil provisions, privacy, intellectual property and encryption. Litigator Kenneth Chernof acted for travel technology company Sabre in obtaining dismissal of a putative class action following a data security incident that affected the client’s reservation technology. New York-based Marcus Asner, who focuses on data breaches, cyber  crime, identity theft and credit card bust-out schemes, is another key contact. Named individuals are based in Washington DC unless otherwise specified.

The ‘very accomplished and expert’ Richard Eisert and Gary Kibel head Davis & Gilbert LLP’s New York-based practice. The team is well known for advising clients with ‘intelligence, confidence and clarity’, particularly on data privacy and security issues related to advertising, marketing and sales promotion law. Highlights included assisting a number of advertising agencies and brands with reviewing their ad tracking activities and promotions in compliance with the Children’s Online Privacy Protection Rule (COPPA). Counsel Oriyan Gitig, who assists clients with new media, technology and software development, licensing, advertising and intellectual property, ‘exemplifies what an attorney and a professional should be’.

Loeb & Loeb LLP’s practice is jointly led by New York-based Ieuan Jolly and Jessica Lee as well as Chicago’s Robert Newman, who joined the team with Monique Bhargava from Winston & Strawn LLP in May 2018. Jolly and Lee have been advising advertising and public relations companies as well as Regeneron Pharmaceuticals on their respective GDPR compliance projects, while Newman has been assisting clients with consumer data collection use and technological innovations. The chair of the New York-based advanced media and technology practice James Taylor is also well versed in data privacy and data protection work.

Manatt, Phelps & Phillips, LLP assists clients with litigation and enforcement, data breach response and preparedness, and privacy and data security counseling, with a specific focus on the healthcare industry. The practice, headed by Los Angeles-based litigator Donna Wilson, has been advising the California Health Care Foundation (CHCF) on compliance programs with various regulatory contexts, including HIPAA and TCPA, as well as on the production of a white paper discussing the challenges of data sharing in the fight against the opioid epidemic. New York eHealth Collaborative, Kia Motors and fashion retailer New York & Company are other key clients. Healthcare specialist Robert Belfort from the New York office and Orange County-based associate Brandon Reilly are also recommended.

Mayer Brown handles work in incident preparation and breach response, litigation and government investigations, strategic counseling and corporate governance, vendor and supply-chain management, contracting and data transfers, regulatory and compliance, as well as policy and advocacy. Practice head Rajesh De is based in Washington DC and specializes in legal and policy issues related to technology, national security, law enforcement and privacy. New York’s Lauren Goldman, who works in a ‘well-reasoned, concise, well-organized, and business-focused’ way, acted successfully for Facebook in the purported Smith v Facebook class action, defending the client from the allegation of having used cookies to communicate with various healthcare websites and then used that information for marketing purposes. Shutterfly and Twitter are other notable clients. Washington DC’s Marcus Christian and Los-Angeles-based litigator John Nadolenco are also recommended.

Ropes & Gray LLP’s areas of strength include privacy and security compliance, data breaches and intrusions, investigation defense and settlement negotiations as well as the development and implementation of corrective action plans. The practice is headed by Boston’s Marc Szpak, whose team has been assisting fast-food restaurant chain Arby’s against all third-party claims arising from a security breach which targeted customers’ payment card data. Other highlights included advising Nationwide Mutual Insurance Group on a 2012 cyber attack which has generated a number of class actions against the client. Marc Barnes and Deborah Gersh (from Boston and Chicago respectively) are recommended for healthcare work, while Boston’s Richard Batchelder is the name to note for litigation. In January 2019, Heather Sussman, Douglas Meal, Michelle Visser and Seth Harrington joined Orrick, Herrington & Sutcliffe LLP.

Along with compliance work, breach management and litigation, the ‘incredibly client-focused’ Seyfarth Shaw LLP specializes in automotive telematics, blockchain, IoT, big data and usage-based insurance. The practice is jointly headed by Houston’s ‘true expert’ John Tomaszewski  and security expert Scott Carlson from the Chicago office. Tomaszewski and San Francisco’s Richard Lutkus, who is well versed in data security and encryption, assisted human resources services and technology company Morneau Shepell with due diligence for its acquisition of LifeWorks. Chicago-based Bart Lazar has been advising a leading strategic communication firm and a well-known apparel manufacturer on GDPR compliance.

Sheppard, Mullin, Richter & Hampton LLP is ‘very knowledgeable’ in data breach, class action and litigation, technology transactions and privacy counseling as well as cybersecurity matters. The practice is headed by ‘standout’ Liisa Thomas and Craig Cardon, who are based in Chicago and Century City respectively. Thomas, Cardon and New York’s Kari Rollins acted for fast-food brand Sonic as breach response and litigation counsel in connection with a data breach suffered by the client’s drive-in restaurants in 2017 and following class actions. San Diego’s Dr Shannon Petersen assisted weight loss company Jenny Craig with a putative class action alleging the client’s violation of TCPA. Christine Clements, who specializes in HIPAA, joined the Washington DC office from Crowell & Moring LLP in April 2018.

Cleary Gottlieb Steen & Hamilton assists clients with data protection regulation compliance in multiple jurisdictions, incident notification and response, privacy and cybersecurity provisions in vendor contracts, data usage and litigation. Litigator Jonathan Kolodner and IP transaction expert Daniel Ilan jointly head the practice. Highlights included advising Canada-based software company OpenText on data breaches, cybersecurity and privacy related to M&A and SEC disclosures, and assisting multinational conglomerate Honeywell with data transfer issues and global compliance with privacy and data protection laws. Washington DC-based Katherine Mooney Carroll  specializes in advice to financial institutions. Rahul Mukhi and Washington DC’s Alexis Collins were made partners in January 2019. Named individuals are based in New York unless otherwise specified.

The ‘super pragmatic’ team at Fenwick & West LLP has strong expertise in technology, focusing on matters related to digital health, biotech and life sciences, financial services and fintech, cryptocurrency and blockchain, gaming, consumer products as well as regulatory investigation, enforcement and class action litigation. The ‘excellent’ Jim Koenig and Tyler Newby lead the practice from New York and San Francisco respectively. Highlights included assisting Uber with an FTC case in which the client has agreed to comply with an FTC consent decree concerning the creation of a system which allows Uber’s CEO and employees to access riders' and drivers’ location and personal information; the decree was revised after it was revealed that the client had failed to disclose information on security incidents in 2014 and 2016, in which millions of Uber riders' and drivers' data was accessed. Facebook, Vizio and Otsuka Pharmaceutical are other notable clients. San Francisco’s Barbara Sondag and Mountain View’s James Gregoire are also recommended.

The ‘amazing’ Frankfurt Kurnit Klein & Selz PC is well known for its expertise in cybersecurity and privacy matters in the field of digital advertising and publishing. The ‘incredibly responsive’ practice head Tanya Forsheit is ‘everything you could ask for in an outside counsel’. She and counsel Daniel Goldberg, who is also recommended, have been advising media conglomerate Meredith Corporation on compliance with GDPR. The client base also includes Dunkin’ and TaskRabbit. The ‘outstanding’ Gregory Boyd and Sean Kane from the New York office are other names to note. Named individuals are based in Los Angeles unless otherwise indicated.

Jenner & Block LLP’s areas of strength include privacy and data security issues, policy audits related to relevant legislation, customized compliance programs as well as investigations, enforcement and litigation. Key clients are companies from the media and entertainment, advertising, gaming and financial sectors. The names to note are Washington DC’s David Bitkower, who specializes in investigations, compliance and defense; litigators David Saunders and David Layden, who are based in Chicago; and Washington DC’s Keisha Stanford, who assists clients with compliance, white-collar criminal defense, government enforcement and internal investigations. Former practice head Nancy Libin moved to Davis Wright Tremaine LLP in September 2018.

The ‘excellent, practical and efficient’ McDermott Will & Emery LLP’s practice is jointly headed from Boston, Los Angeles and Chicago by the ‘extremely well-versed’ Mark Schreiber, Michael Morgan, who ‘has a phenomenal understanding of his clients’ business needs’, and Daniel Gottlieb, who ‘is not only creative and smart, but also incredibly pleasant’. Highlights included assisting software publisher Block.one with data protection compliance matters related to the development of a mobile application designed to connect users to decentralized mobile applications that run on blockchain; and advising global provider of equipment and services for electric power systems S&C Electric on its obligations under GDPR.

At Morgan, Lewis & Bockius LLP, practice leaders Gregory Parks, W. Reece Hirsch  and Mark Krotoski (based in Philadelphia, San Francisco and between Silicon Valley and Washington DC respectively) have been advising a number of companies from the energy, financial, health, hospitality and retail sectors on compliance with CCPA. Parks and Philadelphia’s Ezra Church have been acting for department stores chain Hudson’s Bay in all class actions following a payment cards data incident involving client-owned brand banners Saks Fifth Avenue and Lord & Taylor. Start-up Blink Health, which offers a mobile app for consumers to access discounted medications outside of their health insurance plans, is a key client.

Shook, Hardy & Bacon LLP’s areas of strength include biometric privacy, incident preparation and response, GDPR compliance, vendor management, international data transfer as well as litigation and dispute resolution. Practice head Al Saikali , from the Miami office, has been acting for a number of companies in several class action lawsuits based on alleged violations of the Illinois Biometric Information Privacy Act (BIPA). The practice also assisted the village of Wellington in Florida with its response to a 2018 data breach that affected residents who used the Click2Gov application to make payments, such as utility bill, parking ticket and license fee payments. Automotive company JM and Apollo Bank are also clients. Of counsel Camila Tobón, based in Denver, in-depth knowledge of data protection regulations worldwide.

Winston & Strawn LLP is jointly headed by Sheryl Falk in Houston and Steven Grimes, who splits between Chicago and Hong Kong. The practice specializes in privacy assessment, audits and compliance programs, IoT, cloud computing and outsourced technologies, internal forensic investigations, incident response and breach notification, theft of confidential information and trade secrets, data security class action litigation, cross-border data protection and transfer and GDPR compliance. The client portfolio includes companies from healthcare, financial services and telecoms. Robert Newman and Monique Bhargava moved to Loeb & Loeb LLP in May 2018.