Cyber law (including data privacy and data protection) in United States

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP is particularly strong is cybersecurity matters, where it advises clients on a full range of issues from M&A due diligence to incident response. It is also very active in privacy class action litigation and regulatory compliance, especially in relation to internet-of-things and emerging technology. San Francisco-based Natasha Kohne and Michelle Reed in Dallas — both of whom frequently handle data breach investigations, regulatory actions and class action litigation — jointly head the team alongside Washington DC-based Jo-Ellyn Sakowitz Klein, who advises on data privacy matters with a focus on the health and life sciences sectors. The group also benefits from the ability to bring in experts from other of the firm's practice groups, including public law and policy, government contracts, investment funds, antitrust, and international trade.

Practice head(s):

Michelle Reed; Natasha Kohne

Other key lawyers:

Jo-Ellyn Sakowitz Klein

Key clients


Centerpoint Energy

Metro New York


Franciscan Health

Hydro Flask


Helen of Troy

Eastman Kodak Company

Work highlights

  • Defended VIZIO in a privacy class action involving first-of-its-kind privacy issues relating to the Video Privacy Protection Act (VPPA), the Electronic Communications Privacy Act and other privacy and consumer protection statutes.
  • Advised Revlon Hair Tools on a data incident involving customer information compromised by sophisticated criminal activity on Revlon’s website.
  • Assisted Apollo Global Management with cybersecurity due diligence efforts in the purchase of CareerBuilder and its $5.2bn acquisition of West Corp.
  • Advised OXO on containing and remediating a threat from the international criminal group, MageCart. This included notifying affected customers and regulatory agencies, resolving the matter with no adverse action against the client.
  • Acted for Apollo Global Management in a merger transaction that created a $2.8bn company.

Arnold & Porter

The privacy and data security team at Arnold & Porter has particular experience advising clients on data security breaches and defending against consumer class action litigation. Ronald Lee has expertise in national security-related matters, which he combines with experience in a range of traditional cybersecurity and privacy work; Lee jointly leads the team alongside commercial litigator Kenneth Chernof and New York-based white-collar crime partner Marcus Asner. Counsel Nancy Perkins is a name to note for regulatory compliance advice, including on issues relating to medical, financial and children's privacy. All attorneys referenced are based in Washington DC unless otherwise stated.

Other key lawyers:

Nancy Perkins

Key clients

Brooks Brothers


Barnes & Noble

Leidos (f/k/a Science Applications International Corporation or SAIC)


Work highlights

  • Successfully defended Brooks Brothers in a putative data breach class action in the Central District of California resulting from malware that was installed on Brooks Brothers point-of-sale systems.
  • Advising numerous companies, including major financial institutions, a leading automobile manufacturer, a metal production company, pharmaceutical companies, and others, on compliance with the California Consumer Privacy Act (CCPA).
  • Defended Barnes & Noble as lead litigation counsel against data breach class action lawsuits alleging that third parties skimmed payment card information from PIN pad devices in nine states across the country.
  • Advising numerous companies on non-US data protection laws and transfers of personal data from the EU to the US.
  • Advising an innovative biosciences company and its affiliates on permissible avenues for personal data collection and the limits on uses of such information for analytical and clinical trial recruitment purposes.

Baker & Hostetler LLP

Baker & Hostetler LLP has a breadth of experience in the privacy, data protection and cybersecurity space, where it is particularly active in advising clients in the retail, hospitality, financial services and technology sectors. The group is well known for handling high-profile incident response work, an area for which New York-based practice head Theodore Kobus III is a key name to note. In one recent highlight, the team acted for Marriott International in relation to a significant breach involving Starwood’s guest reservation database. In addition, the team is also recognized for its regulatory and compliance expertise. Craig Hoffman in Cincinnati is a name to note for privacy compliance, operational, and security matters relating to the use of technology. Melinda McLellan in New York frequently advises on emerging technologies, while Houston-based Lynn Sessions is highlighted for her healthcare sector expertise. Other names to note include Will Daugherty, also in Houston, for incident response work, and recent additions Eulonda Skyles in Washington DC and Daniel Pepper in Philadelphia, who joined from Capital One and Comcast, respectively. Laura Jehl left the Washington DC office for McDermott Will & Emery LLP.

Practice head(s):

Theodore Kobus III

Key clients

Marriott International


Chipotle Mexican Grill

The Cleveland Clinic Foundation


LPL Financial Holdings

Forever 21

Northwestern Energy

Piedmont Hospital

Inspire Brands

Work highlights

  • Advised Marriott International on its global incident response following its security incident involving approximately 338 million records from Starwood’s guest reservation database; also represented the same client in resulting class action litigation.
  • Successfully defended three data breach class action lawsuits filed against [24]
  • Representing Atlanta’s Northside Hospital in all aspects of its data breaches and general privacy matters, including advising on HIPAA compliance and business associate agreements.
  • Advising the State of West Virginia on privacy and data security compliance and risk advisory.
  • Representing Caribou Coffee and its affiliates in litigation brought by an issuing bank in Minnesota.

Baker McKenzie LLP

Baker McKenzie LLP's data privacy and security team is praised for its broad experience handling 'everything from data breaches to national security incidents to congressional investigations to foreign nations interfering in elections and stealing IP'. The group is jointly led by Chicago-based Brian Hengesbaugh, who has experience in advisory, compliance and regulatory issues, transactions and crisis management; Lothar Determann in Palo Alto, who focuses on advising technology sector clients; and cybersecurity experts David Lashway and John Woods in Washington DC. Michael Egan and Amy de La Lama —who are based in Washington DC and Chicago respectively — both have experience advising clients on global privacy matters including regulatory and transactional issues and breach notifications. Washington DC-based Jennifer Seale is another name to note for investigations and disputes, while recently promoted partner Brandon Moseberry in Chicago is rated for his experience of adtech matters. Also of note, the group further strengthened its litigation capabilities in Los Angeles with the additions of Perrie Weiner and Edward Totino from DLA Piper LLP (US).


The breadth of the team’s experience and knowledge is unparalleled. The team has handled everything from data breaches to national security incidents to congressional investigations to foreign nations interfering in elections and stealing IP. They also act with the upmost discretion.

David Lashway is exceptionally knowledgeable and conversant in cyber incident response, cyber threat intelligence, legislation and authorities issues, and national security matters.

John Woods is exceptionally knowledgeable in his understanding of cybersecurity resilience practices, and may be one of only a handful of individuals globally with direct experience assisting large complicated technical environments with deep legal complexity in the process of transition to hybrid and cloud architectures with identified function and service prioritizations.

I have never met cybersecurity counsel with deeper subject matter expertise and capability assisting a full range of practitioners (from cyber responders to executives) than David and John.

David Lashway is a lawyer’s lawyer. He is incredibly knowledgeable and detail oriented, but can convey complex legal advice to executives and boards in an understandable and actionable way.

John Woods is the most innovative and solution-oriented lawyer I have ever worked with.

Buckley LLP

Buckley LLP's Washington DC-based privacy, cyber risk and data security team handles a range of regulatory and enforcement work, including advising on general compliance, regulatory investigations and transactional matters. The group has particular expertise in the financial services and fintech sectors, and has been increasingly active in the sports sector. The 'outstanding' Elizabeth McGinn, who splits her time between New York and DC, jointly leads team alongside Amanda Lawrence. Financial services experts John Kromer and Jeffrey Naimon are other names to note. Antonio Reynolds and Douglas Gansler moved to Wiley Rein LLP and Cadwalader, Wickersham & Taft LLP, respectively.

Other key lawyers:

John Kromer; Jeffrey Naimon


The cyber practice at Buckley is strong in the convergence of cybersecurity and financial services.  The firm’s focus is primarily on advising financial services companies and their expertise in that field is well known.  The cyber practice is good at addressing unique issues in privacy and cybersecurity faced by financial companies.

Elizabeth McGinn is outstanding on privacy and e-discovery issues.  She is able to advise both on the regulatory and litigation sides of problems.’

Senior counsel Jonathan Jerison is a foremost authority on FCRA and advising about risks under that law.

Counsel Ryan Pollard is an excellent counselor on privacy and security topics in contracts.

Work highlights

  • Advised a National Football League franchise on privacy and data security issues that arise when handling sensitive consumer payments information.
  • Assisted a card tech company with assessing its information sharing practices in the context of its privacy notice.
  • Advised a national marketplace lender on a range of federal and state privacy and data security issues, and implemented robust information handling and sharing policies and practices as required by its bank partner and the bank partner’s prudential regulator.
  • Assisted more than 30 clients with CCPA compliance.
  • Advised a financial services industry trade group on existing privacy and data security laws, analyzing common themes among these laws, and suggesting the creation of nationwide statutes that would preempt conflicting state laws.

Cleary Gottlieb Steen & Hamilton

Cleary Gottlieb Steen & Hamilton's cybersecurity and data privacy team is 'very well versed in the current status of this fast and ever-changing area'. In particular, the team is active in the financial services, technology and fashion retail sectors. White-collar crime partner Joon Kim is a name to note for internal corporate investigations, regulatory enforcement and crisis management. Other contacts for enforcement work include Jonathan Kolodner and recently promoted partner Rahul Mukhi, who also have experience in complex commercial litigation. Daniel Ilan is highlighted for his expertise in advising on data privacy considerations in transactions, and Washington DC-based Katherine Mooney Carroll assists clients with a range of cybersecurity and privacy regulatory compliance. All lawyers mentioned are based in New York unless otherwise specified.


Not only do they have depth in this category, but their attorneys have both public and private experience. They are very well versed in the current status of this fast and ever changing area.

Key clients

ESL Investments




American Tower



Work highlights

  • Advised a financial institution on issues relating to a hack.
  • Advised a global fashion brand on potential cybersecurity issues related to a data specific incident.
  • Assisted ESL Investments with privacy law issues relating to its $5.2bn acquisition of Sears Holding Co.
  • Represented Alphabet/Google in the technology and data aspects of multiple data-rich acquisitions including its $2.6bn acquisition of Looker, a unified platform for business intelligence, data applications, and embedded analytics.
  • Represented a major US financial institution in a matter relating to a major data security incident.

Cooley LLP

Cooley LLP's cyber, data and privacy practice handles a range of disputes and non-contentious matters, combining expertise in litigation and investigations with experience of regulatory compliance, breach preparedness and transactional matters. The group has a particularly impressive roster of clients in the technology and big data space, as well as a strong reputation in the digital health and life sciences, telecoms, media, financial services and retail sectors. Global practice head Michael Rhodes and Matthew Brown, both in San Francisco, are names to note for litigation; they jointly lead the team alongside Travis LeBlanc, who splits his time between Washington DC and San Francisco; and David Navetta in Colorado. Randy Sabett in Washington DC is another name to note for cybersecurity, privacy, IT licensing and intellectual property issues. Andrew Roth joined Intuit as chief privacy officer in 2020, and Boris Segalis joined Goodwin in February 2021.

Other key lawyers:

Randy Sabett

Key clients






First Data




Google Sidewalk Labs


Marsh & McLennan Companies

Mobo Systems



Spark Neuro

Syneos Health


Work highlights

  • Reprenting Facebook in a privacy class action that alleges the company unlawfully collects biometric data through the tagging of photographs in violation of the Illinois Biometric Information Privacy Act.
  • Defending Google in a suit alleging the company, in partnership with the University of Chicago, violated patient privacy through the mishandling of electronic patient records.
  • Representing GitHub, a subsidiary of Microsoft, in the high-profile Capital One Data Breach MDL.
  • Defending Walmart in a class action that alleges the company violates the Video Privacy Protection Act by disclosing its website customers’ identities and video media purchases to Facebook.
  • Represented a company that was notified of a potential data breach, and found an active cyberattack through which the attacker was leveraging the company’s network to access networks of the B2B customers of the company.

Covington & Burling LLP

Covington & Burling LLP's data privacy and cybersecurity team has experience advising on compliance projects, breach notifications, FTC enforcement and class action litigation. The group has developed a track record in areas including aerospace, defense, consumer brands, financial services, life sciences, media and IT. Washington DC-based Kurt Wimmer, who acts for several social media clients, and Eric Bosset are names to note for regulatory advice and litigation, respectively.

Davis & Gilbert LLP

'Uniquely positioned with its knowledge of the complex ad-tech industry', Davis & Gilbert LLP 'feels like a boutique firm with top-level talent'. The New York-based digital media, technology and privacy practice acts for advertisers, brands and regulators in relation to data privacy considerations in the advertising and marketing sectors. 'Fantastic negotiator' Richard Eisert and Gary Kibel jointly lead the team. Allison Fitzpatrick is highlighted by one client as 'one of the preeminent attorneys working in the field of children's advertising', while counsel Oriyan Gitig, who has been particularly active in advising clients on CCPA and GDPR compliance in contracts, is rated for her 'extensive knowledge of, and experience in, advertising and marketing'.

Practice head(s):

Richard Eisert; Gary Kibel

Other key lawyers:

Allison Fitzpatrick; Oriyan Gitig


Davis & Gilbert (D&G), led by Gary Kibel, is one of the premier privacy law firms I’ve worked with over the past 8+ years.  The team is tight, collegial and does stellar work.  It is a testament that they have very low turnover.  The team is authentic and down to earth, not pretentious at all.  They have a quiet confidence about them.

D&G has deep expertise in commercial, privacy and technology related initiatives and often is able to jump in and provide support with little background.  I also find the practice to be quite integrated, meaning even if there are multiple lawyers working on a project, the communication and teamwork is seamless. The partners are thoughtful and measured and manage projects efficiently.  I invariably feel like I am receiving good value.

Great knowledge about the advertising and media industry and the issues faced by ad agencies.

Gary Kibel, who heads the privacy group at D&G, sets the tone for the rest of the team. His quiet confidence and easy manner belie a deep subject matter expertise in privacy, especially all things related to digital advertising. There is no one can think of with as deep an understanding of the nuances of this difficult but important area.

They have an understanding that, at the end of the day, the issues that we’re dealing with are business issues so when providing advice, the partners, specifically Richard Eisert, address not only the legalities of the issue but also the business impact.

What I appreciate about the D&G team is the strategic and solutions-oriented approach that they bring to handling legal issues. Gary and his group take time to grasp my business and devise strategic answers that help guide me to make good decisions for my company.

Davis & Gilbert has never failed to meet a deadline, no matter how short. There expertise in the ever emerging digital area meets all requirements. We always feel secure in the information provided.

D&G is unique in that they have a deep understanding of both the agency business, the ad-tech/mar-tech business and the intersection of those two.  I have worked with them as a small customer, a medium-sized customer, and a large customer, and the attention and service I get from them is unchanged in each instance – they offer exceptional expertise, are incredibly accommodating with their time and schedules, and take the time to understand the dynamics of my business to offer the most relevant advice.

Davis & Gilbert feels like a boutique firm with top-level talent. These are attorneys who could choose to work anywhere but they have found a home at D&G and are passionate about its mission and clientele. Despite being a small client, our needs are met swiftly and are handled with the utmost expertise. We don’t get the second-stringer attorneys because there are no second-stringers. Internal referrals have always provided us with invaluable advice and direction when our requests venture outside of our primary attorney’s areas of expertise.

The Davis and Gilbert Cyber Law group is uniquely positioned with its knowledge of the complex adtech industry. Issues of cyberlaw and privacy that emerge in this industry are not necessarily analogous to other industries as we serve a host of data collection. I have found D+G to be at the top of the ladder when it comes to being practitioners and knowledge leaders.

Gary Kibel is a superstar in this space. He has a business and technology background that in addition to his legal expertise make him a the perfect counselor in this space. His work is always top-notch and I feel comfortable with him advising my CTO, CFO and all other C-suite executives. Apart from his professional skill, Gary is a great person and human being. I completely trust his judgment.

My hero in legal-matters is Oriyan Gitig. Her extensive knowledge of, and experience in, advertising and marketing have had an immeasurable impact on how we do business. We’ve also had to rely on Ms. Gitig’s unmatched expertise in digital media and privacy issues. She provides professional advice as though she’s counseling a dear friend or family member – and is personally invested as such. I am so satisfied with my experience with Ms. Gitig (and the firm overall) that I haven’t ever considered bringing our business to a different firm.’

Richard Eisert is a fantastic negotiator who understands the complexities of data transfer in advertising between different players in the field and is always forward looking in his approach to contract drafting.

Gary Kibel is a great source of knowledge when it comes to data privacy and he has an ear to the ground and anticipates what a company should look out for.

Allison Fitzpatrick is one of the, if not the, preeminent attorneys working in the field of children’s advertising. She understands even the most esoteric of questions when they arise and is able to produce immediate answers.

Key clients

Neo Media World

Evoke Neuroscience




Engine USA

Giant Spoon

Christine Valmy

Digital Remedy


Actable Data

Ardsley Media

Board Packager




Work highlights

  • Advising well-known agencies, brands and content creators, as well as website and app operators and developers, on all aspects of the Children’s Online Privacy Protection Act (COPPA), including reviewing their privacy policies and practices and negotiating data privacy agreements to ensure COPPA compliance.
  • Advising many early-participants in the digital advertising ecosystem on the negotiation of appropriate contractual protections and privacy and security agreements in connection with blockchain projects, while simultaneously performing due diligence on various blockchain service providers.
  • Assisting several clients with significantly revising their privacy policies to comply with the new requirements of CCPA.
  • Advised leading advertisers, agencies and ad-tech companies that license or collect vast amounts of sensitive consumer location-based data from the mobile devices them on modifications to their consumer-facing privacy policy and with respect to whether their collection or use of this data complies with applicable laws and self-regulatory requirements.
  • Advised numerous clients on how to best conduct data onboarding (aka CRM retargeting) within the legal limitations and how best to allocate risks under agreements with CRM retargeting vendors and platforms, particularly in light of the impact of CCPA.

Debevoise & Plimpton LLP

Debevoise & Plimpton LLP has a strong cybersecurity and data privacy practice with complementary expertise in the technology sector and a widely recognized reputation in high-profile litigation. Cybersecurity expert Luke Dembosky is based in Washington DC and is a key name to note for incident preparation, response and investigation, civil litigation, regulatory defense and national security matters. Dembosky heads the team alongside New York-based Jeremy Feigelson, who is noted in particular for his experience in litigation and government investigations that involve the Internet and new technologies. Another name to note in New York is Jim Pastore, who specializes in data breach investigations and litigation.

Practice head(s):

Luke Dembosky; Jeremy Feigelson

Other key lawyers:

Jim Pastore; Jane Shvets

Key clients

American Express Company


Capital One

Financial Systemic Analysis & Resilience Center


Kohlberg Kravis Roberts

Major League Baseball

National Basketball Association


Work highlights

  • Advised Capital One on its response to a breach, which involved data of more than 100 million individuals.
  • Advised Prudential Financial on cybersecurity and data privacy due diligence in its $2.4bn acquisition of Assurance IQ, a direct-to-consumer platform that transforms the buying experience for individuals seeking personalized health and financial wellness solutions.

DLA Piper LLP (US)

DLA Piper LLP (US) fields a strong nationwide privacy and data security team, which brings together expertise in regulatory and compliance matters, transactional issues and cybersecurity response. It also benefits from the global reach of its international network. Washington DC-based Jim Halpert — who advises on compliance with transnational, federal and state privacy and security regulations, particularly in transactions — jointly leads the team alongside Andrew Serwin in the San Diego office, who joined the team from Morrison & Foerster LLP and brings with him a wealth of experience in data security incidents and privacy enforcement matters. Miami-based Carol Umhoefer is highlighted for her IT sector expertise, while Atlanta-based Anna Spencer is rated for her experience in the healthcare sector. The practice group has seen a number of recent personnel changes: cybercrime expert Edward McAndrew, who splits his time between the Wilmington and Washington DC offices, joined the team from Ballard Spahr LLP; and litigators Edward Totino and Perrie Weiner left for Baker McKenzie.

Practice head(s):

Jim Halpert; Andrew Serwin


DLA is a powerhouse. They have an expert on each issue.

Carol is well versed and well rounded. She is extremely knowledgeable in her field, attentive, responsive, and provides business minded legal advice that is practical in that she takes into account the relevant facts and circumstances.

Carol Umhoefer is an expert in her field and is a pleasure to work with. She is extremely responsive and attentive. Despite her robust work schedule, she always makes you feel like you are her top priority. She is careful, attentive to detail, excellent at issue spotting and problem solving, and provides commercial minded legal feedback that takes into account the risks and realities of the facts at hand.

‘DLA Piper and specifically Carol Umhoefer, are experts in this area of law. They help us interpret complex data privacy and security laws and how they apply to our business operations. They provide practical recommendations to ensure our compliance.’

Carol Umhoefer is thoughtful and practical in her legal advice. She is always available whether I need a quick answer or to engage her for a bigger matter or project. She is top notch.

Jayne Risk is our relationship partner. Whatever the issue, she will find us expertise within DLA to help. She is very responsive and creative with fee arrangements for unique matters.

Key clients

Reckitt Benckiser

State Privacy & Security Coalition

UK Mission to the United States


US Chamber of Commerce




T. Rowe Price


Work highlights

  • Advised Reckitt Benckiser on the roll out of its global data protection compliance program, initially focusing on GDPR compliance in the EU, but more recently expanding the program to cover the US and other overseas jurisdictions.
  • Assisted State Privacy & Security Coalition (Coalition of leading communications, Internet, retail, financial services, healthcare and cybersecurity companies which advocates for and helps draft privacy, data breach and cybersecurity laws and regulations across the US) with drafting, testifying at the California Assembly Privacy Committee hearing on, and negotiating with Alistair MacTaggart (the author of the California Privacy Initiative) on two critical amendments to the CCPA before it takes effect.
  • Assisting Pfizer with the design, implementation, and ongoing compliance maintenance aspects of its GDPR program.
  • Represented GlaxoSmithKline in internal investigations, a federal criminal investigation, and in grand jury and pre-trial proceedings, following the theft, by two GSK scientists who were working with external co-conspirators, of research and development, manufacturing and other confidential data relating to multiple products from GSK.
  • Advised Global Asset Management and Investment Advisors Group on its CCPA compliance program for the US holding company and its eight independent US businesses.

Fenwick & West LLP

Fenwick & West LLP has firm-wide expertise in the technology and life sciences sectors, two areas of in which cyber law and data protection are of prime importance. In particular, the team has niche specialization in emerging technology and digital health, but also acts for clients in the gaming, financial services and fintech sectors. Jointly headed by New York-based James Koenig and Tyler Newby in San Francisco, the team has established a track record in regulatory investigations and enforcement, class action litigation, breach response, standalone compliance matters and transactional support. Koenig is a key contact for emerging companies, while Newby has been increasingly active in advising on children's privacy issues in connection to digital gaming.

Practice head(s):

James Koenig; Tyler Newby

Key clients


InMobi Technologies

Credit Karma




Align Technologies

Electronic Arts

Avis Budget Group

Work highlights

  • Advised Uber Technologies on its agreement to enter a FTC consent decree for creating a system ‘god view’, which allowed the CEO and employees to access rider and driver location and personal information and led to a subsequent data breach that exposed thousands of drivers’ names and license numbers.
  • Advising Align on HIPAA compliance matters, privacy implications of select trademarks, and simulated breach exercises.
  • Advised EA on compliance with GDPR, ePrivacy, CCPA, COPPA, and other privacy laws affecting EA’s business; also drafted more than 20 privacy-related portions of EA’s Game Development Playbook, a comprehensive compilation of internal guidance documenting EA’s practice.
  • Assisting Peloton with compliance with GDPR and US laws.
  • Assisted Intuit, maker of the popular TurboTax software, with its strategic compliance projects relating to its privacy shield compliance program and GDPR compliance program.

Frankfurt Kurnit Klein & Selz PC

The privacy and data security group at Frankfurt Kurnit Klein & Selz PC acts for a range of clients, including brands, publishers, agencies, data brokers and analytics firms. In particular, the team has experience advising on issues such as regulatory compliance programs and ad-tech agreements. Los Angeles-based Tanya Forsheit, who has been particularly active in advising clients on compliance with the newly enacted CCPA, heads up the team, which also includes litigator Jeremy Goldman.

Practice head(s):

Tanya Forsheit

Other key lawyers:

Jeremy Goldman


The team has a consistent ability to develop pragmatic solutions that allow compliance and risk management to be a compliment, rather than an inhibitor, of the business.

Tanya Forsheit and Jeremy Goldman have been incredible partners to our company. We dealt with a significant cyber incident and the resources they were able to immediately bring to bear allowed us to deal with it very effectively and efficiently. Tanya is a leading expert in CCPA and has exceptionally good business judgment which makes her very practical and ultimately effective.

Tanya Forsheit and Daniel Goldberg have their finger on the pulse of the rapidly evolving data privacy and protection space. By being based in California, they are incredibly close to the changes taking place around the CCPA and have proven to be very capable and knowledgeable to provide advice and guidance to their clients. I always feel like I receive well-thought out advice and guidance to ensure my organization is meeting its compliance obligations.

Jeremy Goldman is exceptional in data Security, able to quickly and decisively focus everyone on the important issues, and uncover facts and trends otherwise missed. Daniel Goldberg was creative and thoughtful in helping to develop a CCPA program that was tailored specifically to our business.

Tanya Forsheit is one of the leading authorities in data privacy, and our source of answers for the thorniest questions.

FKKS is strong at handling data privacy questions, and they manage time and expectations well.

Tanya Forsheit is a leader in the privacy field and very active with legislation.  Hands-on and wonderful with clients.

FKKS excels at staying current on data protection legal developments.  I count on FKKS to know what has happened, what is in the works and how the industry is responding.  FKKS provides pragmatic advice that is based on the most current legal and industry developments.

Tanya Forsheit is the most knowledgeable attorney that I have ever worked with on data protection matters.  If she doesn’t know the answer, it’s because there is no answer yet.

Key clients

Dunkin’ Brands

News Media Alliance

Meredith Corporation

J.D. Power

Domino’s Pizza



Square Enix

Work highlights

  • Advising Dunkin’ Brands on numerous privacy and data security matters, including its global project to prepare for the California Consumer Protection Act, and ongoing compliance with those new legal requirements.
  • Assisted Meredith Corporation and its new chief privacy officer with its readiness project for the CCPA, ongoing GDPR compliance, and numerous transactions involving consumer data.
  • Advised Domino’s Pizza on CCPA compliance, as well as ongoing GDPR compliance projects.
  • Assisted MaxMind with its CCPA readiness and compliance efforts.
  • Advising News Media Alliance on its industry discussions relating to the impact of the newly enacted California Consumer Privacy Act, and potential amendments, on the free press.

Gibson, Dunn & Crutcher LLP

Gibson, Dunn & Crutcher LLP's privacy, cybersecurity and consumer protection team has recently handled a string of high-profile investigations and litigation. Of particular note, the team represented Facebook in its $5bn settlement with the FTC and is defending the client in nationwide consumer class actions and government enforcement actions arising out of the Cambridge Analytica events. Technology-focused investigations and crisis partner Alexander Southwell in New York heads up the team, which also includes California-based partners Michael Li-Ming WongKristin Linsley and Eric Vandevelde. The New York team was also strengthened by the recent addition of Zainab Ahmad, the former senior assistant special counsel in special counsel Robert Mueller’s office.

Practice head(s):

Alexander Southwell

Key clients





Berkshire Hathaway Homestate Insurance

Work highlights

  • Represented Facebook in a wide-ranging investigation focusing on whether the company complied with the privacy-related FTC consent decree entered in 2012 and advised on its $5bn settlement with the FTC.
  • Defending Facebook in nationwide consumer class actions and government enforcement actions arising out of the Cambridge Analytica events. This includes more than 30 federal actions consolidated in a multi-district litigation (MDL) in the Northern District of California, a California state-court action in San Mateo Superior Court, enforcement actions by the DC Attorney General and an action by the Cook County State Attorney’s office.
  • Represented AT&T in litigation brought by prominent cryptocurrency investor Michael Terpin, who alleged that AT&T’s lax cybersecurity and customer verification controls resulted in him becoming victim of an orchestrated attack by cyber-criminals who allegedly took over $20m in various cryptocurrencies Terpin claimed to own.
  • Advised Yahoo on dozens of proposed consumer class action lawsuits, in federal and state court, which related to two large data breaches.
  • Successfully defended Berkshire Hathaway Homestate Insurance Company and Cypress Insurance Company in a data privacy class action concerning alleged hacking.


Goodwin's privacy and cybersecurity team advises its impressive client roster on data breaches and incident response, regulatory investigations, litigation, data due diligence in transactions and strategic compliance. The group counts healthcare and life sciences among its particular sector specialities. Boston-based counsel David Kantrowitz is highlighted for his experience in a range of privacy and data security incidents. Brooks Brown, who splits his time between the DC and LA offices and has experience defending consumer class actions, government investigations and enforcement actions alleging violations of the TCPA. Brenda Sharton and Karen Neuman left for Dechert LLP in 2021, but Boris Segalis joined the team from Cooley LLP.

Practice head(s):

Boris Segalis

Other key lawyers:

Brooks Brown; David Kantrowitz


The team at Goodwin Procter is very hands on. From the moment you get on a call with them, its clear they deal with these issues on a very regular basis. They are not overly reactionary, putting things into perspective and providing insight into the seriousness of the issue.

Cyber incidents can be very scary for a company – some firms prefer to raise anxiety levels rather than calm them, which is Goodwin’s approach.

Goodwin brings to bear a truly powerful combination of best-in-class skill and experience and a passion for client care and advocacy that is truly unique in my experience. They have deep insights to offer their clients, insights informed and developed over years of on-point experience. In Cyber law, this group is second to none.

The Goodwin team has a great depth of experience and was able to quickly mobilize, within hours, and guide us through what could have been a significant business issue related to a data security incident. The team included tech savvy lawyers, litigators and privacy experts. I felt very comfortable knowing we had an experienced team advising my CEO.

The team was focused on the incident but also thinking through the potential lifecycle of the issue and started laying out a business focused and defensible plan. The lawyers were always available and leveraged a great team of outside consultants to help us through the incident. I hope I don’t need to engage them again but they would be my first call.

David Kantrowitz is a fantastic cyber lawyer, who provides outstanding counsel and advice to his clients. He is smart, well versed in technological issues and provides truly valuable advice and counsel to his clients.

Work highlights

  • Advised a leading cryptocurrency brokerage on massive data breach that exposed personal information belonging to over one million Coinmama users.
  • Advised dozens of clients on the rampant cyber attacks that have continued to affect corporate America in 2019, ranging in severity from nation-state sponsored cyberattacks to Microsoft Office 365 phishing attacks.
  • Advised global companies (including media, life sciences, tech hospitality, tech companies, and universities) on GDPR  compliance, which included helping clients in light of post-implementation enforcement activity and publication of interpretive guidance by privacy regulators.
  • Assisted various clients with California Consumer Privacy Act preparedness, this included auditing the collection, use, storage and sale of data that will fall into this regulation.
  • Advising more than 35 companies on TCPA compliance matters.

Hogan Lovells US LLP

Hogan Lovells US LLP's Washington DC-based privacy and cybersecurity team benefits from broad industry knowledge, 'a good mix of seniority levels and great international breadth'. The US team is jointly led by Harriet Pearson and healthcare sector specialist Marcy Wilder, both of whom have experience advising on privacy and cybersecurity regulations and breach preparedness and response. Beyond healthcare, the group is also active in the technology sector — with clients including Uber Technologies — and has a dedicated education privacy practice which is led by Bret Cohen. Other names to note include Mark Brennan and recently promoted partner Paul Otto, who specialize in regulatory compliance and cybersecurity risk management and incident response, respectively. Peter Marta recently joined the firm's New York office, having previously acted as head of cybersecurity law at JPMorgan Chase.

Practice head(s):

Marcy Wilder; Harriet Pearson


Hogan Lovell’s breadth of practice is incredibly useful, and a differentiator. We can use them for worldwide research, with good consistency. They also are one of the few firms with an education privacy practice.

Very responsive and thorough, but practical. Available on short notice if needed. Good mix of seniority levels and participation, and great international breadth.

Mark Brennan is incredibly responsive and aware of client needs.

Key clients



Uber Technologies

Apollo Global Management

Zimmer Biomet



Cancer Treatment Centers of America

Work highlights

  • Advising household names across a number of sectors including technology, retail, automotive and healthcare, on the CCPA since its passage and before the act was even introduced. Also acted for a number of key clients that were engaging with the earlier ballot initiative and provided strategic advice as the CCPA was being drafted and negotiated in the legislature.
  • Advising Salesforce on emerging issues and acting day-to-day on various compliance and commercial issues relating to privacy and cybersecurity.
  • Acting for Equifax in regulatory enforcement work, as well as legal strategy work, stemming from the consumer data breach announced by the company in September 2017.
  • Represented Uber Technologies in multi-district litigation comprising more than two dozen putative, nationwide class actions stemming from a 2016 data security incident in which personal information of millions of Uber users, riders, and drivers around the world was accessed by a hacker.
  • Acting for Apollo Global Management in business-critical privacy and cybersecurity risks, particularly those connected with its buying, managing and selling companies with high-value and highly sensitive data.

Hunton Andrews Kurth LLP

Hunton Andrews Kurth LLP's New York-based privacy and cybersecurity team is recognized by clients for its 'unparalleled expertise' and 'refreshing pragmatism to help navigate the labyrinth of the legal and regulatory landscape'. The group has experience across the full range of matters, including breaches, compliance projects and transactions, and boasts particular expertise in the financial services, private equity, technology, and retail sectors. In the past year, the team has been particularly busy advising clients on compliance with the CCPA, as well as on biometric data regulations. It is also assisting clients with data-monetization products and is increasingly acting for private equity clients in corporate transactions. Lisa Sotto, who according to one client is 'the gold standard for privacy and cybersecurity matters', leads the practice group, which also includes 'a world-class team of smart, hard-working, responsive associates'. Aaron Simpson takes the lead on privacy and cybersecurity work for private equity firms, while Phyllis Marcus has particular experience in advising consumer electronics, interactive gaming companies, and internet-connected device manufacturers on compliance with the US Children’s Online Privacy Protection Act (COPPA). For advice on cybersecurity preparedness, Paul Tiao, who also has experience advising clients on the Supporting Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, is a name to note. 'Shining star' Brittany Bacon is highlighted for her breadth of experience in assisting clients with both cybersecurity incidents and developing global privacy compliance programs.

Practice head(s):

Lisa Sotto


The breadth of the team’s capabilities by subject matter and jurisdiction make them thought-leaders I consult first on data privacy and protection matters.’

Very commercial approach, keen to take time to understand the risk profile of the client and its need. Great knowledge and understanding of global privacy laws.

Expert knowledge and ability to provide practical business solutions in an ever-evolving privacy landscape.

The Hunton team is second to none. It is local as well as international, and is particularly strong in maintaining a high quality of work irrespective of changes in resource or jurisdiction. I don’t have to explain to every attorney our business and structure because the team knows us. Clients’ institutional knowledge is acquired and maintained by the firm. This is both efficient and reassuring.

Hunton’s focus of work has been on CCPA applicability and compliance data breach preparation. They reflect a deep practice generally on federal law and specifically in CA and NY.

Unparalleled expertise, work product quality, responsiveness coupled with a refreshing pragmatism to help navigate the labyrinth of the legal and regulatory landscape.

Aaron Simpson is highly practical and can cut through the fog of ambiguous data privacy and protection rules and regulations and help you get your hands around the actual risk associated with the requirement and advise you efficiently on mitigation strategies.

Having good resources in the Hunton AK London and Brussels offices gives them a front row seat to everything unfolding in the UK and EU. The team includes subject matter experts in several areas.

Aaron Simpson is an outstanding lawyer and individual. Him and his team delivers very high value service to the client, in a prompt, commercial and reasonable way.

We have enjoyed working with all of the Hunton Andrews Kurth attorneys in the subject practice areas, Brittany Bacon in particular.  Brittany has been a valued contributor to our overall privacy program for many years and has taken the time to not only learn but prioritize our business needs.

Lisa Sotto is by far the country’s gold standard for privacy and cybersecurity matters. Her vast and sophisticated expertise streamlines complex issues with a practical approach. Lisa is a sharp problem solver who understands her clients’ business and delivers her work product accordingly. High quality, responsiveness and availability define her client obsessed practice.

Aaron Simpson is an industry leader uniquely positioned to advice clients with first-hand knowledge of Europe’s GDPR and U.S. privacy laws including the CCPA. Aaron provides creative and business oriented solutions.

Bacon Brittany was a rising star and is now a shining star. She is extremely detailed oriented, resourceful and an on-the-spot thinker who will clearly articulate the issue and provide a clear and viable path forward.

We chose the firm because Aaron Simpson appeared to possess what we needed. We couldn’t be more pleased. They have been completely responsive and extremely helpful. Turnaround is great and advice wise and based on extensive experience across many sectors.

Lisa Sotto’s skill and confidence as an expert and as a leader are evident and have allowed her to assemble a world class team of smart, hard-working, responsive associates who have taken up her professional example.

Key clients


Dunkin Brands


Tiffany & Co.

The Western Union Company

Hudson’s Bay Company

Verisk Analytics

Silver Lake


David Yurman

Best Buy

Procter & Gamble


Work highlights

  • Asssisted Dunkin Brands with its CCPA compliance program and in navigating its ad tech and media agency relationships.
  • Advising The Western Union Company on global privacy and cybersecurity matters including on the CCPA, GLBA, GDPR, cybersecurity regulations and other data security issues.
  • Advising numerous private equity firms, including Silver Lake, on a CCPA compliance, GDPR compliance and advice related to potential acquisitions of data driven targets.
  • Advising several energy and utility companies on cybersecurity matters, including those relating to the SAFETY Act.
  • Advising several gaming and technology companies on children’s privacy issues.

Kelley Drye & Warren LLP

Kelley Drye & Warren LLP's privacy and information security practice frequently assist its impressive client roster with privacy compliance mandates, with particular strengths in the advertising, marketing and communications sectors. Rated for her 'vast knowledge' of privacy issues, Washington DC-based practice head Alysa Hutnik has a focus on emerging technologies, IT and marketing. Dana Rosenfeld is a name to note for FTC investigations, while New Jersey-based Lauri Mazzuchetti is highlighted for her experience in commercial litigation and class action defense. Litigator Jeffrey Jacobson left for Drinker Biddle & Reath LLP. Attorneys referenced are based in Washington DC unless otherwise stated.

Practice head(s):

Alysa Hutnik

Other key lawyers:

Dana Rosenfeld; Lauri Mazzuchetti


Alysa Hutnik is heads and shoulders above the other outside attorneys with whom I have worked in this space. Beyond her vast knowledge of relevant laws, she always provides practical advice that is tailored to the facts and the client instead of just providing a recitation of the law that does not really help the client work out actual solutions. This is especially important in the privacy realm, where many applicable laws are new, changing, confusing/nonsensical, or non-existent, so we are working with a lot of grey area and require guidance that we can actually put into practice. Alysa is also always extremely responsive to our communications.

Key clients

Bank of America Merchant Services

The Children’s Place

Keurig Dr Pepper

DISH Network



Outfield Brew House (d/b/a Budweiser Brew House)




Work highlights

  • Advised Bank of America Merchant Services on compliance with the CCPA, including on implementing a plan that features plain-language, practical steps toward compliance.
  • Acted for Keurig Dr Pepper, a publicly traded American beverage and beverage-maker conglomerate, on implementing its compliance framework under the CCPA.
  • Assisted Terminix International Co, a pest control firm founded in Delaware, with an investigation into its business practices.
  • Advising TripAdvisor on privacy compliance matters from CCPA and privacy policy related support to strategic support in the ad-tech space.
  • Advising Disney on privacy and marketing issues, ranging from communications with awards voting, mobile app communication platforms, privacy related regulatory advice and comments, and telemarketing and related call and texting compliance within Disney’s hotel, theme park, vacation club and resort properties.

King & Spalding LLP

The 'exceptional' cybersecurity team at King & Spalding LLP includes professionals based across the firm's Atlanta, Chicago and Washington DC offices, who attract praise for their 'been-there-done-that attitude, which provides their clientele with tremendous comfort in times of tremendous stress'. The group is particularly strong in incident response work, where recent highlights include advising Equifax on a cybersecurity incident and acting for the client in relation to 450 putative class actions. Phyllis Sumner — who is also the firm's chief privacy officer — leads the data, privacy and security practice. Sumner is based in Atlanta alongside government and internal investigations partner John Horn and technology litigation specialist Natasha Moffitt. Chicago-based Livia Kiser is strong for litigation defense, and Robert Hudock, Scott Ferber and Adam Solander are names to note in Washington DC.

Practice head(s):

Phyllis Sumner


The cybersecurity team at King and Spalding is exceptional. Finding lawyers who truly understand the details of information technology is rare, and finding lawyers who can get hands-on with a compromised server and assist with forensic investigations is like meeting a unicorn. In addition to the unicorn-like technical knowledge, they are excellent partners when it comes to performing security assessments of both my organization and potential acquisitions.

This team is a remarkably cohesive group; they genuinely like and trust each other, which makes for incredibly strong relationships – which, in turn, they extend to their underlying clients.

Robert Hudock is a unicorn. He’s equally comfortable describing network packet flows and HIPAA. His work provides logical and defensible evidence of his legal opinions. Every time I work with him, I’m amazed. There is no one else like him.

Adam Solander perfectly understands the intersection of cybersecurity and contracting. He’s the lawyer I call when negotiating with a vendor who pushes back on security requirements. He’s equally adept at performing a technical risk assessment of the vendor and writing the contract language that will protect my company.

Michael Johnson is an amazing associate. His deep technical knowledge is used in both incident response and when performing risk assessments. I’m certain that giant technology companies would love to have his skills on their teams.

The team members are virtually unflappable, despite the incredible pressures and novel issues of fact and law with which they are presented. Their calm and their been-there-done-that attitude provides their clientele with tremendous comfort in times of tremendous stress.

Key clients


Delta Air Lines

SunTrust Banks/BB&T

Total System Services/Global Payments

Yale University

Capital One

Allscripts Healthcare Solutions

Integrity Marketing Group

One Call Care Management

The Home Depot

Work highlights

  • Represented Equifax in its response to a cybersecurity incident announced on September 7, 2017. The team advised on forensic investigation, the notification analysis and process support, the public relations and communications support and coordination; also acted in over 450 putative class actions.
  • Advised Delta on incident response and regulatory inquiries arising from a third-party vendor breach and defended Delta in multiple class actions.
  • Advised SunTrust on incident response and regulatory inquiries following a security incident involving data theft, and successfully defended SunTrust in a putative class action filed following the announcement of the data theft in early 2018.
  • Representing Total System Services, a large payment processor that recently merged with Global Payments, in a variety of data privacy and security matters.
  • Defended Yale University in a putative class action following a data security incident.

Latham & Watkins LLP

Rated for its 'exceptional knowledge' of data privacy and cybersecurity matters, the team at Latham & Watkins LLP handles a full range of disputes, transactional and standalone advisory matters for its impressive client roster. The group has a strong reputation for litigation and enforcement work and has recently been especially active in the fintech, technology and healthcare sectors. Washington DC-based Jennifer Archie is a name to note for cybersecurity issues and incident response; she has a breadth of experience defending clients in enforcement actions by regulators and also advises on cross-border data projects including for clients the digital health, technology, and financial services industries. Archie jointly leads the team alongside San Francisco-based Michael Rubin, who frequently assists clients with FTC investigations relating to the collection and use of data and class action litigation particularly in the technology sector, and Serrin Turner in New York who specializes in cybersecurity investigations and resulting litigation. The group was further strengthened by the addition of counsel Robert Blamires, who joined the San Francisco office from White & Case LLP and has expertise in data privacy.

Other key lawyers:

Robert Blamires


Exceptional knowledge in these areas of practice, aggressive representation and great people.

Individuals offer candor, high ethics, are easy to communicate with and are great strategist.’

Key clients




Fiscal Note


Alliance Data


Work highlights

  • Defending Facebook in a putative consumer class action regarding a criminal attack on Facebook’s web platform that resulted in the compromise of user data for approximately 29 million people.
  • Defending Facebook in five consolidated, nationwide class action lawsuits alleging that when plaintiffs installed Messenger and Facebook Lite apps on their Android devices, Facebook provided consent prompts that misleadingly asked for permission only to upload contacts, when Facebook allegedly uploaded their call and text logs too.
  • Assisting VIZIO/Inscape, a leading smart television company, with compliance and regulatory matters relating to the porduct and services offered.
  • RepresentedAlliance Data in its $4.4bn sale of Epsilon to Publicis Group.
  • Advising Foursquare, a global location data and intelligence company, on cross-border GDPR, CCPA and related data privacy compliance, including most recently in the context of its acquisition of Placed.

Loeb & Loeb LLP

Loeb & Loeb LLP's predominantly New York-based privacy, security and data innovations practice is a team to note for regulatory compliance and transactional advice, particularly in the media and entertainment sector. The key figures in the practice group are Ieuan Jolly, who handles privacy compliance, cybersecurity issues and data-driven transactions; Jessica Lee, a name to note for data monetization; media and advertising specialist James Taylor; and Chicago-based Robert Newman, who has broad-base expertise in privacy, marketing, e-commerce, and intellectual property.

Key clients

Comcast Cable Communications


Regeneron Pharmaceuticals

Toyota Motor North America

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP's privacy and data security practice is particularly strong in the financial services and healthcare industries, where it has experience advising on a full range of issues from implementation of compliance projects to incident response and litigation. The team is jointly led by Los Angeles-based Donna Wilson and 'tireless advocate' Scott Lashway, who joined in the Boston office from Holland & Knight LLP and specializes in cybersecurity issues, incident response, enforcement and litigation. Other names to note include Los Angeles-based head of consumer protection, advertising and competition Christine Reilly, who has been called 'a genius when it comes to TCPA advocacy', and recently promoted partner Brandon Reilly in the Costa Mesa office.

Practice head(s):

Donna Wilson; Scott Lashway

Other key lawyers:

Christine Reilly; Brandon Reilly


The Manatt Team has been working on health policy development with my organization for over 10 years.  They are extremely knowledgeable and professional. An important factor for our work is their availability and ability to turn around any legal policy framework documents we may need.  They get things done and are always available to consult with on specific policy issues.

They have an extremely broad cybersecurity and privacy practices that has experts in a range of verticals, from data breach counseling/litigation, to advertising, to TCPA, to product privacy.  Most other firms we have worked with tend to be more specialized or have a more limited bench.’

I work closely with two professionals at Manatt. What makes them stand out to me is their ability to communicate and to participate as if they were part of our team – not just an outside consultant. Both are always available for discussions on key issues and can be depended upon to produce quality policy documents. They are outstanding in what they do.

Scott Lashway is incredible. He’s a tireless advocate.

Christine Reilly is a genius when it comes to TCPA advocacy. She’s well connected, and very well respected by the plaintiffs’ bar.

Key clients

CVS Health


Thomson Reuters

West Publishing Company


Public Health Solutions

Babylon Healthcare Services

Work highlights

  • Assisting CVS Health with its CCPA compliance project, including data mapping, to identify all data collection, use and disclosure that is subject to the legislation.
  • Represented Aetna in numerous class actions alleging that the company improperly disclosed HIV-related information. The team successfully consolidated numerous class actions into a single venue and negotiated a $17m settlement of the class consolidation, avoiding protracted litigation.
  • Assisting Public Health Solutions, one of the largest public health service nonprofit organizations in New York City, with conducting an analysis of data sharing issues to serve residents of homeless shelters.
  • Representing West Publishing as plaintiff in a civil commercial dispute concerning the use of an automated bot used to harvest data.
  • Defended Thomson Reuters in appellate proceedings in connection to a purported class action lawsuit alleging violations of the Michigan Social Security Number Privacy Act (SSNPA), invasion of privacy and negligence by allegedly publishing the first five digits of their Social Security numbers on a webpage.

Mayer Brown

Acting for a variety of well-known clients including Twitter, Facebook, The Blackstone Group, Volkswagen and AT&T, Mayer Brown  is praised for its 'expertise, responsiveness, and practical guidance' across a huge range of issues. Practice head Rajesh De has unique experience of data security and privacy requirements, addressing cyber vulnerabilities and handling breaches and associated regulatory, litigation and reputational consequences. Based in the firm's DC office, De has previously held senior appointments at the White House, the Department of Justice, and the Department of Defense. Also recommended in DC is 'stellar' cybersecurity expert David SimonLauren Goldman is a contact in the New York office, specializing in high-stakes class action disputes, and Chicago-based Lei Shen is a name to note for regulatory compliance in the areas of e-commerce and emerging technology.

Practice head(s):

Rajesh De


Easy to get along with and connections to the government officials working on their issues enabling them to provide pointed advice. Raj De and David Simon are stellar.

The team stand out for their expertise, responsiveness, and practical guidance.

Key clients



The Blackstone Group

Business Roundtable


Equity Office


Hyundai Motor America

Kia Motors America

LivCor Holdings


Revantage Corporate Services




Work highlights

  • Represented Facebook in Smith v. Facebook, a putative class action brought in the Northern District of California, relating to Facebook’s alleged use of cookies to aggregate data about plaintiff’s medical-related browsing habits and the use of that data for marketing purposes.
  • Advising the United Nations on international legal issues related to the prevention of cyber warfare, addressing cyber threats to critical infrastructure, preventing terrorists from exploiting the Internet and related information communication technologies, and data privacy laws applicable to cross-border data sharing for law enforcement.
  • Represented Shutterfly in litigation whereby plaintiff alleged that it had violated BIPA by using facial-recognition technology to collect a biometric identifier from his photograph without his consent.
  • Advising a global manufacturing company on a wide variety of global privacy-related issues, including compliance with US state and federal privacy laws (including state data breach notification laws, COPPA, the California Consumer Privacy Act, call recording laws, and others) and with international privacy laws (including the EU GDPR, the Privacy and Electronic Communications Regulations, and others).
  • Advising a global gaming company on a wide variety of privacy-related issues, including compliance with GDPR, its use of new technologies (including facial recognition and geolocation tracking), call recording laws, and cybersecurity matters.

McDermott Will & Emery LLP

McDermott Will & Emery LLP's privacy and cybersecurity group has broad expertise across the US and benefits from the ability to leverage its global service group in multi-jurisdictional compliance, and international data transfers. The group was recently bolstered by the arrival in Washington DC of Laura Jehl from Baker & Hostetler LLP, who combines data, law and emerging technologies expertise and has experience advising on privacy compliance, data breaches and regulatory investigations. Jehl jointly leads the team alongside Boston-based Mark Schreiber, who has experience in areas including cybersecurity, data breach response and global privacy coordination; and Daniel Gottlieb in Chicago and Michael Morgan in Los Angeles, who focus on the areas of healthcare and emerging technology, respectively. The group is also active in the financial services, food and beverage, life sciences and defense sectors.

Key clients

Modernizing Medicine

National Electrical Manufacturers Association (NEMA)

Stanford University


S&C Electric Co.

Fresenius Medical Care North America


Sierra Nevada

Work highlights

  • Advising Modernizing Medicine on a range of matters including data protection, healthcare regulatory, and transactional matters, including day to day HIPPA compliance.
  • Prepared a report for the National Electrical Manufacturers Association (NEMA), which covered legal barriers to using Internet of Things (IoT) device-generated, or IoT device-collected data.

McGuireWoods LLP

The data privacy and security team at McGuireWoods LLP is particularly well known for its record in data breach incidents. The team also provides a range of compliance advice, relating both to developing regulations and in transactions. The 'innovative and responsiveAndrew Konia (who is based in Tysons, Virginia) heads the team which, includes Janet Peyton in the firm's Richmond office, and Pittsburgh-based Anne Peterson. Also recommended is associate Ashley Matthews in Charlottesville, who focuses on advising retailers and financial institutions. Changes to the team include the addition of former federal prosecutor Rodger Heaton in Chicago, and the departure of HIPAA expert Nathan Kottkamp to Waller Lansden Dortch & Davis.

Practice head(s):

Andrew Konia


They are knowledgeable and up to date on the law and deliver very thorough advice and counseling after listening carefully and asking clarifying questions.

The team, led by Andrew Konia, is innovative and responsive. Andrew is available 24-7, places client success first, and always keeps an eye on client bottom-line and cost. His team’s deep experience and rich competence in the space allows for effective and comprehensive legal advice to be delivered quickly. McGuireWoods places a serious premium on delivering outstanding results, but also works hard to make sure that its associates are given career development opportunities, have client contact, and (when possible) are not worked around the clock.

Andrew Konia and Ashley Mathews, in particular, have a terrific attitude and make great partners when providing advice and are capable project managers.

Andrew Konia is exceptionally available. He is exceptionally easy to work with, and always focused on client outcomes.

Key clients

US Chamber of Commerce

Work highlights

  • Advised the US Chamber of Commerce on crafting model legislation that would pre-empt a patchwork of inconsistent state laws.

Morgan, Lewis & Bockius LLP

Morgan, Lewis & Bockius LLP's privacy and cybersecurity team has experience advising clients on a full range of issues from compliance programs to breach and incident response matters and resulting litigation. The group is jointly led by Reece Hirsch in San Francisco, Gregory Parks in Philadelphia, and Mark Krotoski in Silicon Valley, who has nearly two decades of experience as a federal prosecutor. Hirsch specializes in healthcare privacy, Parks leads on retail and e-commerce related matters, and Krotosk focuses on litigation and investigations. Also recommended is Philadelphia-based Ezra Church, who handles class-action litigation.

Other key lawyers:

Ezra Church

Key clients

Hudson’s Bay Co. (HBC)

Blink Health

Women’s Health Care Group

Bed, Bath & Beyond

TDK USA Corporation


WNC Insurance Services

EMD Serono


Work highlights

  • Representing Hudson’s Bay Co (HBC) in all class action litigation arising from its recent data incident involving Saks Fifth Avenue and Lord & Taylor, two of the brand banners HBC owns.
  • Assisted over 100 companies with implementing programs and policies to comply with the CCPA.
  • Assisting Women’s Health Care with an investigation by the HIPAA Office of Civil Rights.
  • Assisted more than 100 companies with GDPR compliance.
  • Advising Blink Health on healthcare regulatory, privacy, and commercial contract matters.

Morrison & Foerster LLP

Fielding 'talented attorneys specializing in a diverse array of privacy sub-specialties across numerous jurisdictions', Morrison & Foerster LLP's privacy and data security practice is highlighted by clients as 'a top-tier one-stop shop'. New York-based Miriam Wugmeister ('an incredible command of the law') heads the practice group, which was recently strengthened by the addition of Kristen Mathews in New York. Mathews joined from Proskauer Rose LLP, alongside associate Tiffany Quach, and handles a range of complex privacy and cybersecurity issues, with particular expertise in the financial services and technology industries. Other names to note include Julie O’Neill, in Boston, who defends clients in enforcement actions brought by the FTC and non-US data protection authorities; 'exceptional' Washington-DC cybersecurity expert John Carlin, who boasts 'deep and diverse government experience'; and Christine Lyon in Palo Alto who is most active in the technology sector. Recently promoted of counsel Melissa Crespo, in Washington DC, and 'talented' associate Mary Race in Palo Alto have experience advising on issues relating to the HIPPA and CCPA, respectively. Andrew Serwin left for DLA Piper LLP (US).

Practice head(s):

Miriam Wugmeister


Practical advice given in a timely manner! They listen and provide guidance that can be applied to your actual situation.

Large number of talented attorneys specializing in a diverse array of privacy sub-specialties across numerous jurisdictions. For complex projects requiring multidisciplinary privacy expertise, they are a top-tier one-stop shop. Particularly strong on EU law, financial privacy, employment privacy, and M&A support.

We’ve worked with a few other firms on issues in this area, and Morrison & Foerster’s team has consistently been able to thoroughly understand our unique context, in order to provide expertly tailored and incredibly helpful advice. This has been an evolution over time – looking at the advice they give us now compared to that when our relationship started, it’s so much more bespoke and useful. I suppose that is to be expected, but I can say from experience that not all outside counsel are able to so thoroughly understand such context, and adjust their viewpoint and advice.

Christine Lyon provides clear, cool-headed advice even in stressful situations.

Mary Race is a talented and responsive senior associate.

Their advice has always been practical and practicable – easy to understand and to effect, because of their deep understanding of our organization and its goals.

This team is incredibly responsive and pragmatic. What sets them apart is their ability to provide business-minded advice.

Miriam Wugmeister has an incredible command of the law and can apply it in a business friendly manner. Miriam is also aware of budgetary constraints and does not try to add work just to increase the bill.

The Mofo team has deep experience in both privacy and cybersecurity, and their team covers all regions of the world. They are a true one-stop shop for global privacy and security advice. The team also has deep government experience, which in my view separates it from other firms, particularly in the cybersecurity space. That experience and those connections are invaluable when dealing with law enforcement, state actors, and other high profile incidents. The team also has expertise in our industry.

I’ve also found the team to be very deep and full of strong lawyers, from the senior partners to the junior associates. Unlike with some firms, I am comfortable interacting with MoFo’s junior and mid-level associates and have found them to be knowledgeable attorneys with good judgment.

John Carlin is an exceptional attorney with deep and diverse government experience. He has significant expertise in cybersecurity matters, and his government experience is critical in matters that require working with law enforcement and in high stress crisis management situations. His advice is highly strategic, and he is able to see all sides of an issue. He is also very down-to-earth and accessible, and his level of client service is the same regardless of whether he is speaking with a line in-house attorney, the general counsel, or the Board of Directors.

Alex Iftimie, an of counsel in the practice, has excellent judgment and strong experience, including in the government. He is the lead Mofo attorney on our day-to-day matters, and also takes a leading role in higher profile matters. He is a trusted advisor and counselor.

The team at Morrison and Foerster, at least in my opinion, is unique in that they have privacy experts globally. If we had a specific question for a specific country, they were able to identify an internal resource right away (or appoint an outside firm that was highly recommended). The guidance from all individuals at Morrison and Foerster was consistent and practical. They took the time to learn our business and provide practical guidance that we could easily use.

They were also quick to respond and provided responses in easy to understand format. They also appreciated you challenging their analysis, and they were able to provide legal advice from numerous points of view.

Chris Lyon (Partner) and Mary Race (Associate) were always responsive, and if they didn’t have an answer, they would find someone internally who could answer. Chris also took time to travel to our office to train our new General Counsel and Compliance Officer on GDPR which was very much appreciated.

Mary and Chris were always articulate and to the point with their responses, and never made me feel like their suggestions were the only way to conduct business. They took the time to learn about our business, and provide practical guidance to support our global manufacturing company.

The team has exceptional practitioner experience.

The team has exceptional relationships through out the legal, government and private sector and are able to create communities of professionals.

John Carlin and Miriam Wugmesiter have VERY unique real like experience that they’re able to translate into practical advice for large complicated multi-national companies. They are available and always engaged in matters.

Kristen Mathews is highly-competent, knowledgeable, dependable and accessible.

Key clients

Altaba (formerly Yahoo!)




Interpublic Group


Unity Technologies



Work highlights

  • Represented Altaba (formerly Yahoo!) in SEC and DOJ investigations following Yahoo’s announcement in 2016 that, two years earlier, it was the victim of a state-sponsored cyber-attack that resulted in the largest data breach in history.
  • Advising a global provider of computer software and cloud computing technologies on its significant data breach that involved more than 6 terabytes of data. The project included not only providing regulatory and individual notice, but also a deep internal investigation to understand the cause of the breach as well as an eDiscovery exercise to understand what data had been compromised.
  • Acting for Unity Software in two putative class actions filed in the Northern District of California which allege that various Disney and Viacom mobile gaming apps (that use Unity software) collect data that can be used to create profiles of children, allegedly violating the Children’s Online Privacy Protection Act.
  • Advising a major technology company on privacy issues in its development of virtual reality and augmented reality products for consumers.
  • Acting for a major international hospitality organization in response to multiple regulator inquiries relating to its privacy policy, its privacy practices, and its individual rights process.

Orrick, Herrington & Sutcliffe LLP

Orrick, Herrington & Sutcliffe LLP's cyber, privacy and data innovation team is praised for its understanding of 'the practical implications associated with data privacy practices and data protection' and its 'insights into regulators and reputational risks'. In addition to incident response work, the group also advises on a range of regulatory and compliance matters, including issues relating to emerging technology, fintech and the use of biometrics. Of particular note in 2019, the firm established a Boston office following the arrival of Douglas Meal and Heather Sussman from Ropes & Gray LLP in January 2019. Meal and Sussman jointly lead the practice alongside Seattle-based Aravind Swaminathan, who has experience advising on cyber attacks and data breaches, as well as on cybersecurity risk management and incident response planning. Other names to note include Washington DC-based Emily Tabatabai, a contact for regulatory issues associated with innovative uses of data, and San Francisco-based Michelle Visser, who was also formerly at Ropes & Gray LLP, and is well-regarded for handling complex and high-profile cybersecurity incidents.


In short, the understanding of the team about the practical implications associated with data privacy practices and data protection. The unparalleled experience working on some of the most sensitive data breach cases in the US, which has provided the team with real insights into regulators and reputational risks that are further applied by the team to general advice or real case involvement.

One individual that stands out from any other privacy lawyers we have worked with is Aravind Swaminathan, his assertiveness, pragmatism, intelligence, and ability to quickly decipher complex, multi-dimensional risk scenarios is outstanding. Aravind’s ability to understand the business context and speak the business language is also outstanding and not common among law firms yet, in particular in the data privacy and protection practice.

Emily Tabatabai: her thoroughness and deep level of expertise combined with her ability to provide pragmatic, solid advice is also outstanding. Great commitment to dive in and helping us getting things done.

Very focused on solutions, very practical advice tied to your specific facts and industry and risk tolerance. I love them and know I can trust them with essentially any legal issue in this area and get a workable solution.

Anthony Kim, Aravind Swaminathan, Emily Tabatabai and David Curtis (associate) are phenomenal. They can give precise solutions, ask incisive questions, and can work within your company’s specific set of challenges to provide really workable solutions.

Key clients


Hilton Worldwide



Arby’s Restaurant Group


Premera Blue Cross


Lending Club

The TJX Companies

Work highlights

  • Represented Arby’s Restaurant Group in litigation relating to a data security incident at the end of 2016. This included a consumer class action and a financial institution class action.
  • Represented Hilton in connection with litigation against BMO Harris Bank and Post Integrations arising out of data security incidents at certain US-based Hilton-branded hotels.
  • Advising W. W. Grainger on a range of privacy and cybersecurity matters including on the development of enterprise-wide data maps and counseling on global data transfers; the design and implementation of enterprise-wide global privacy compliance programs; strategic and legal counsel on cybersecurity preparedness and response, including incident response plans and simulations; and counsel linked to the management and deployment of e-commerce products and services.
  • Advised Chegg on the investigation of and response to an incident in which user data for approximately 40 million Chegg users may have been obtained.
  • Assisting City of Seattle with a range of privacy and data security matters including on data sharing restrictions, protection of law enforcement and sensitive information and public records requests seeking technical cyber intelligence.

Paul Hastings LLP

The Washington-based privacy and cybersecurity team at Paul Hastings LLP is recognized by clients for providing 'thoughtful, creative solutions to difficult privacy problems'. The group has a breadth of expertise ranging from regulatory compliance to incident response work, with particular experience in the financial services, technology, retail, leisure and health sectors. Behnam Dayanim (a contact for work in the gaming, advertising and marketing, and fintech sectors) jointly heads the team alongside cybersecurity expert Robert Silvers, and 'superstar' Sherrese Smith and Jacqueline Cooney, who are names to note for regulatory compliance advice. Clients also benefit from access to the firm's privacy consultancy service group, PH Privacy and Cybersecurity Solutions Group, which provides practical non-legal privacy advice.


Paul Hastings is incredibly responsive and creative. They always have thoughtful, creative solutions to difficult privacy problems. We work with them on payment card/financial privacy issues, international employee privacy, contract questions, and CCPA.  A good breadth of skills and knowledge.

The practice has deep practical knowledge and insight into the privacy, cybersecurity, and national security issues facing Fortune 100 Internet companies. The issues I face on a day-to-day basis constantly run up against antiquated laws and frameworks. And rather than offer me academic exercises in how the law may or may not be treated, Paul Hastings’ Cyber law practice offers me practical advice and insights that weight the various risks in taking a particular action.

Sherrese Smith is a superstar, and a ball of energy. She is a great leader of a strong team, and incredibly responsive.

The partners I work are highly-regarded who regularly counsels companies on complex transactional and regulatory issues involving privacy, cybersecurity and national security. They have the knowledge, insight, and expertise to regularly navigate clients through data breach and crisis response and associated regulatory investigations and enforcement proceedings, which is invaluable for a company that is always facing regulatory, enforcement, and media scrutiny.

There is no other attorney I would want to handle my most delicate and sensitive matters. Robert (Rob) Silvers combines experience from his time in the government and private practice to offer the most valuable advice. Because the issues I face often transcend the law where the answer becomes a policy decision, Rob’s insights are invaluable. He understands how to create a path forward that minimizes legal risk while ensuring the company achieves its objectives. I would be lost without his counsel.

Key clients


Samsung Electronics America


Caesars Entertainment

L’Oreal USA


Critical Path Institute (“C-PATH”)

Align Technology

Live Nation Entertainment

Work highlights

  • Acting for Live Nation in connection with the TicketMaster payment card breach, the first prominent post-GDPR European data breach and, as a result, one with extraordinary sensitivity both to the company and to data protection regulators.
  • Assisting the Interactive Advertising Bureau and IAB Tech Lab with a range of ad-tech privacy issues, including helping the group develop an industry consensus on approaches to the impending California Consumer Privacy Act (CCPA).
  • Representing Modiface in a putative class-action complaint alleging that its Virtual Artist kiosk software as provided to retailer Sephora violates Illinois’ Biometric Information Privacy Act (BIPA).

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP handles a variety of cyber law issues. Based in Washington DC and Los Angeles respectively, The practice group is jointly headed by Washington DC-based Brian Finch, who focuses on assisting clients with regulatory issues, cyberattacks, intelligence policies, and homeland security concerns, and Deborah Thoren-Peden in Los Angeles, who has experience in cyber issues affecting the financial services industry. Mercedes Tunstall joined Loeb & Loeb LLP.

Proskauer Rose LLP

Proskauer Rose LLP's New York-based team has experience in contentious and strategic data privacy matters. Margaret Dale represents clients in regulatory investigations and class action lawsuits, while Edward Kornreich and Jeffrey Neuburger have experience advising on regulatory issues in the healthcare and technology sectors, respectively. Kristen Mathews and associate Tiffany Quach moved to Morrison & Foerster LLP.

Reed Smith LLP

The data protection, privacy and cybersecurity practice at Reed Smith LLP is noted by clients for its 'technical knowledge combined with legal expertise'. The group is frequently involved in incident response matters, compliance and risk management and in litigation. Practice head Anthony Diana in New York has a broad practice covering regulatory investigations, litigation and compliance advice. DC-based Gerry Stegmaier and New York-based Catherine Castaldo are names to note for incident response work, while Michael O’Neil, in Chicago, is focused on class action defence. Also recommended is Houston-based Bart Huffman, who has been particularly active in advising clients on CCPA compliance.

Practice head(s):

Anthony Diana


Reed Smith’s attorney’s have far more practical experience than other firms.

I think what sets the Tech, Privacy and Security team apart at Reed Smith is that they have the technical knowledge combined with legal expertise. I am able to have meetings with my privacy, legal and security all in one saving us time and money and fostering a comprehensive, interdisciplinary team.

Bart Huffman and Wendell Bartnick have the deepest knowledge of, and experience in, data privacy and cybersecurity laws in Houston that I’ve come across. They are true experts in their field, and are able to address issues that involve multiple U.S. federal, state and international legal and regulatory regimes.

Bart Huffman is a go to attorney for cyber law. Not only does he understand the legal side of cyber law but he understands the technical side of the computing.

I work in a highly technical role and I am continually impressed with Gerard Stegmaier’s ability to navigate the complexities of the server room with the nuances of the board room. Gerry has not only an encyclopedic knowledge of the law but is also technically proficient. He is capable of engaging in highly technical conversations and distill out the key nuances of a security incident and often times does it quite quickly.

Bart Huffman and Wendell Bartnick have significant experience working for a diverse range of clients in a diverse range of situations, and they are able to harness that experience for applicability to my business. They also have the added benefit of having a deep bench to draw on, when the specific issue that we are addressing requires additional personnel.

Ropes & Gray LLP

Ropes & Gray LLP handles regulatory investigations, litigation, transactional support and compliance matters. In 2019 the firm significantly strengthened its data, privacy and cybersecurity practice following the departure of several partners to Orrick in 2018; recent additions include Washington-based co-head Edward McNicholas from Sidley Austin LLP, who has experience advising clients in investigations and class action litigation related to cybersecurity incidents and regulatory enforcement; and IP and technology sector specialist Violetta Kokolus, who joined in New York from Dechert LLPJennifer Romig in Chicago and Christine Moundas in New York were recently promoted to the partnership; both lawyers have particular expertise in the healthcare sector. Boston-based Edward Black jointly leads the team alongside McNicholas and focuses on transactional matters for clients in the technology, media and financial services sectors.

Practice head(s):

Edward McNicholas; Edward Black

Key clients

SIFMA Asset Management Group




Bain Capital


The Carlyle Group

Office of the Privacy Commissioner of Canada

Work highlights

  • Representing Bombas in international investigations into a data breach.
  • Advising CareCentrix on a breach of its vendor loss of patient records that are protected under HIPPA and state privacy laws.
  • Represented Bain Capital in the merger of Zelis and RedCard Systems, two healthcare payment optimization technology companies.
  • Advising SIFMA Asset Management on its regulatory comments on the CCPA.
  • Advised The Carlyle Group on their global privacy program and GDPR preparations; also helped develop its California Consumer Privacy Act (CCPA) compliance program.

Seyfarth Shaw LLP

The privacy and security practice at Seyfarth Shaw LLP acts for clients in a range of issues from compliance matters to incident response. Information governance expert Scott Carlson and John Tomaszewski, who focuses on the emerging technology sector, jointly head the team from the Houston and Chicago offices, respectively. Also recommended are Chicago-based Bart Lazar, who handles regulatory compliance and security breach work; Richard Lutkus in San Francisco, who has particular experience in the technology sector; and Washington DC-based Karla Grossenbacher, who is a name to note for workplace privacy issues. New York-based commercial litigator Tracee Davis joined from Zeichner Ellman & Krause LLP.

Practice head(s):

John Tomaszewski; Scott Carlson

Work highlights

  • Represented multiple employers in assessments of security incidents and in the related investigations.
  • Advised multiple employers on the deployment of workplace technology while protecting employee privacy rights.
  • Advised multiple clients on a variety of workplace privacy issues.
  • Acted for a national retail company in relation to several data breach and wire fraud matters.
  • Assisted a leading restaurant franchisor with its privacy certification.

Sheppard, Mullin, Richter & Hampton LLP

Sheppard, Mullin, Richter & Hampton LLP's privacy and cybersecurity team includes 'very practical and business-savvy lawyers' who cover a full range of disputes, transactional and advisory matters. The team is perhaps most active in the retail sector, though it boasts a varied client base including names such as Levi Strauss, NEO Technologies and Toyota Motor Credit Corp. The practice is jointly led from Chicago and Century City by Liisa Thomas and Craig Cardon, respectively; Thomas and New York-based Kari Rollins are names to note for data breach incidents, while Cardon along with Rollins and Shannon Petersen in San Diego handle privacy litigation and class action defense. Washington DC-based Jonathan Meyer specializes in cybersecurity matters, while, in San Francisco, Brian Anderson and recently promoted partner Rachel Tarko Hudson are highlighted for their experience advising on the privacy aspects of technology transactions.

Practice head(s):

Liisa Thomas; Craig Cardon


Very practical and business-savvy lawyers who understand moving at the speed of business. They understood that while responding to reporters might not be the best move from a legal perspective, our company nonetheless wanted to control the public message and worked to achieve our goals while protecting us legally. Also a great help with the practical realities of a data breach, such as helping navigating insurance coverage and working with identity theft monitoring.

Kari Rollins dug in deep and really understood the technical story as well as legal framework.

Liisa Thomas offers great advice and mastery of the space, while being super business friendly.

Key clients


Levi Strauss

Inspire Brands (fka Sonic Drive-In)

NEO Technologies

StockX and Stock

Toyota Motor Credit Corp.

Rite Aid

Hanson Aggregates Pacific Southwest

Jimmy John’s Restaurants


Work highlights

  • Advised Sonic Corp, Sonic Franchising, Sonic Industries, Sonic Industries Services and Sonic Restaurants, on breach response and litigation following a data breach that impacted Sonic Drive-In restaurants in 2017.
  • Representing NEO Technologies in a phishing-related data breach class action in the District of Massachusetts.
  • Defended Toyota Motor Credit Corp in a class action lawsuit filed by Lisa and Daniel Drayton for alleged violation of the Telephone Consumer Protection Act.
  • Representing StockX in connection with a global data incident that impacted 6.4 million StockX user accounts in 2019; this included five US federal consumer class action lawsuits.
  • Advising dozens of clients on California Consumer Privacy Act compliance.

Shook, Hardy & Bacon LLP

Shook, Hardy & Bacon LLP has a reputation for biometric privacy matters, having handled compliance and class action litigation relating to the Illinois Biometric Information Privacy Act (BIPA). Led by Al Saikali in Miami, the team also advises on incident preparation and response and transactional issues.

Sidley Austin LLP

Sidley Austin LLP fields a multi-disciplinary team to assist with a range of proactive regulatory advice and incident response mandates. Alan Charles Raul in Washington DC is a name to note for international privacy, cybersecurity and digital technology issues. Edward McNicholas joined Ropes & Gray LLP.

Steptoe & Johnson LLP

Steptoe & Johnson LLP has a range of experience in this space, but is particularly active in the retail sector where it has been advising on a range of privacy issues and litigation. The group has also increasingly been active in the biometric privacy space, and is routinely engaged by clients to assist with CCPA, GDPR, and data transfer compliance matters. 'Extremely knowledgeable' practice head Michael Vatis, in New York, specializes in data breach prevention and response, compliance with privacy and data security regulations, and issues relating to restrictions on the sale and use of encryption technology. Washington DC-based of counsel Stewart Baker is a name to note for cybersecurity matters.

Practice head(s):

Michael Vatis


Michael Vatis is extremely knowledgeable and is able to express that knowledge succinctly and clearly. His advice is also practical.

Key clients

VTech Electronics North America

The Coalition for Responsible Cybersecurity



Work highlights

  • Represented VTech Group of companies in managing the response to a hack of customer information, which has resulted in numerous US and international regulatory enforcement investigations.
  • Representing The Coalition for Responsible Cybersecurity, a group of companies founded by Ionic Security, in opposition to the adoption of a rule proposed by the Commerce Department for certain exports related to intrusion software and IP surveillance systems.
  • Advising many of the nation’s largest retailers on preparation for compliance with the California Consumer Privacy Act (CCPA) and related privacy and data security matters.
  • Advising a technology, communications and digital media client on GDPR compliance.

Venable LLP

Based in Washington DC, the team at Venable LLP handles matters ranging from advocating for and advising clients on regulatory matters to assisting with congressional response and governmental investigations. The group boasts particular expertise in acting for clients in the media, entertainment, advertising and e-commerce sectors, which are areas of focus for Stuart Ingis and Michael Signorelli. Inglis heads the team alongside Emilio Cividanes, who assists a range of clients on regulatory matters, government relations, and litigation strategies. Counsel Ariel Wolf, who recently rejoined the practice from the US Department of Transportation, is a name to note for mobility and transportation technology sector advice. Also recommended is Ari Schwartz, who leads the firm's cybersecurity risk management practice. David Strickland left the team for the Senate Commerce Committee.

Practice head(s):

Stuart Ingis; Emilio Cividanes

Key clients

Association of National Advertisers (ANA)

Center for Cybersecurity Policy and Law

Charles Schwab Corporation

Daimler Trucks North America

Digital Advertising Alliance (DAA)


National Business Coalition on E-Commerce and Privacy



Privacy for America

Work highlights

  • Acting as policy counsel and advocating on behalf of clients before the US Congress state attorneys general, and federal agencies on privacy, data security, and cybersecurity matters.
  • Managed and helped to form a coalition of advertising industry trade associations that convened to draft consumer-protection focused amendments to the California Consumer Protection Act.
  • Successfully represented companies across many industries in federal and state government investigations and inquiries by the US Congress, the FTC, the CFPB, and various state attorneys general.
  • Assisted clients across many industries with their risk management and in the creation of innovative, data-risk-managed programs.
  • Assisting an entertainment conglomerate based in the US with day-to-day data privacy and security matters; also advised on issues including an agency inquiry, a global security incident, contract agreement reviews, and on product development and marketing campaigns.


A team of 'true experts in their field', WilmerHale's Washington DC-based cybersecurity and privacy group is recognized by clients for its 'tremendous command of the subject matter'. The firm fields a multi-disciplinary team including specialists in privacy, corporate governance, national security, and litigation, and has a reputation for data breach and incident response matters, particularly in the retail sector. In addition, the team is popular choice for regulatory compliance advice in the advertising, technology and media industries. Reed Freeman is a key contact for big data issues in the media industry, and particularly in the field of social media. Benjamin Powell leads the 'exceptional' cybersecurity incident response practice. Also of note, Kirk Nahra's arrival from Wiley Rein LLP was a boost to the team's healthcare privacy practice, though Heather Zachary left the team and is now a privacy and data security consultant.


Wilmer’s cybersecurity team (led by Ben Powell) is exceptional. They handle all of the major incidents, while always making time for counseling and the necessary work in developing incident response plans. I wouldn’t call anyone else for cyber incident response.

These lawyers simply have a tremendous command of the subject matter; true experts in their field.  Their advice is always delivered quickly, and is always practical.  When needed to focus on a time-sensitive issue with little to no notice, this group is always available.

Reed Freeman is an amazingly calming influence.  He has great judgment, an ability to quickly understand complex issues, and a strength in dealing in grey areas.  He is, and makes sure his colleagues, are always available when needed.  He also has no ego, which is a rare find for someone who is so knowledgeable.

I recommend Ben Powell for cyber. Good pick up on health privacy with Kirk Nahra, joining the firm a little bit ago.

Winston & Strawn LLP

The team at Winston & Strawn LLP advises clients on a variety of issues including proactive regulatory compliance, cybersecurity, data loss investigations, trade secret litigation, and class actions. Houston-based Sheryl Falk and Steven Grimes, who splits his time between Chicago and Hong Kong, jointly lead the team; both have broad experience in assisting clients with data privacy and cybersecurity disputes, as well as with standalone compliance matters.

Practice head(s):

Sheryl Falk; Steve Grimes

Work highlights

  • Advised an international private equity fund on a nationwide assessment of any applicable privacy or data security laws, provided due diligence and gap analysis and have worked to develop policies and procedures.
  • Advised manufacturing sector client on amending its biometric privacy practices following receipt of a class action complaint brought by employees under Illinois’ Biometric Information Privacy Act; also acted as co-counsel in the litigation and subsequent mediation.
  • Defending a global financial services institution in a consumer class action pending in the Northern District of California filed against the client and another bank.
  • Assisted a global oil and gas sector client with domestic and international privacy law complinace, established privacy and best practices and developed policies and procedures to reduce privacy-related risks.
  • Assisted an insurance company with trade secret investigations and data security incidents, drafted information security guidelines for its outside retained counsel, and developed internal privacy policies and procedures.