Our Data Privacy & Security attorneys provide both domestic and international expertise to a wide range of U.S. and multinational clients. This multidisciplinary practice includes over 30 partners, counsel, and associates in our Washington, New York, and European offices with expertise in all aspects of privacy and data security law, as well as extensive experience in various complementary areas, including technology and communications law, financial institution and securities law, intellectual property, mergers and acquisitions, asset management, antitrust and competition law, food and drug law, and consumer protection regulations. Our Data Privacy & Security team includes transactional lawyers, litigators, and regulatory policy experts with many years of experience working with Congress and all major federal agencies. The close collaboration of the firm’s experts across offices and multiple disciplines of law permits us to provide our clients with comprehensive, practical advice that allows them to adopt global compliance plans while maintaining business flexibility and maximizing revenue.


Our Clients

Privacy and data security are essential elements of corporate risk management for companies in all industries. Our Data Privacy & Security Group has a long and successful history representing a diverse set of small, medium-sized, and large clients, including financial institutions, cable operators, telecommunications providers, mutual funds and hedge funds, information services providers, video programming networks and other media organizations, accounting firms, publishers, retailers, insurance companies, and industry trade associations.

Our Expertise

We offer our clients a wide array of privacy and data security counseling services, as well as transactional and litigation expertise. For example, we have:

• provided opinions on whether certain privacy and data security laws apply to a particular client given its business focus;
  
  
• developed comprehensive strategies and policies for ongoing compliance with various state, federal, and international privacy and data security requirements;
  
  
• counseled companies that have experienced data security breaches, and prepared appropriate notifications to customers and to the relevant regulators and law enforcement agencies, to ensure compliance with all applicable requirements and avoid litigation and enforcement actions;
  
  
• negotiated complex privacy and data security agreements between Fortune 100 companies;
  
  
• drafted website privacy policies, terms of service, and click-wrap agreements, and advised on related electronic commerce and marketing issues;
  
  
• designed appropriate client procedures for responding to government subpoenas and other requests for customer or employee data;
  
  
• guided clients through regulatory approval procedures in connection with M&A transactions, and advised these clients on the impact of privacy and data security issues that increasingly arise in complex deal negotiations;
  
  
• represented clients in investigations, enforcement actions, and litigation at the federal and state level, including before the Department of Justice (DOJ), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the Office of Foreign Assets Control (OFAC);
  
  
• developed user notices and consent forms regarding the use of biometric data and the monitoring of customer and employee communications and online activity (e.g., for purposes of network management or detecting unlawful activity); and
  
  
• assisted entities involved in transactions subject to the Exon-Florio law, including both foreign acquirers and domestic targets, that go through the Committee on Foreign Investment in the United States (CFIUS) national security clearance process. Notably, we have represented data-sensitive companies before CFIUS and in particular in the negotiation of mitigation agreements to address national security concerns, including significant provisions regarding government access to personal data and security incident reports.

We also offer expertise on numerous U.S. federal statutes covering privacy and data security issues, including the following:

• Children’s Online Privacy Protection Act (COPPA)
  
  
• Communications Act (including cable privacy and telecommunications privacy provisions in Sections 631 and 222)
  
  
• Communications Assistance for Law Enforcement Act (CALEA)
  
  
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
  
  
• Electronic Communications Privacy Act (ECPA) (including wiretapping and Stored Communications Act (SCA) issues)
  
  
• Fair and Accurate Credit Transactions (FACT) Act
  
  
• Fair Credit Reporting Act (FCRA)
  
  
• Foreign Corrupt Practices Act (FCPA)
  
  
• Foreign Intelligence Surveillance Act (FISA)
  
  
• Gramm-Leach-Bliley (GLB) Financial Services Modernization Act
  
  
• Sarbanes-Oxley (SOX) Act
  
  
• USA PATRIOT Act

Our Data Privacy & Security Group also has experience in analyzing and advising on state laws regarding data breach notification, information security, identity theft, and related issues. We closely monitor proposed and newly enacted state and federal privacy legislation to determine any potential impact on our clients.

Our attorneys have participated in, or advised on, federal and state proceedings regarding numerous issues related to privacy and data security, including:

• Identity theft
  
  
• Online behavioral advertising
  
  
• Product promotions via e-mail, direct mail, and/or telemarketing, including Do-Not-Call Registry issues
  
  
• Opt-in and opt-out mechanisms
  
  
• Record retention
  
  
• Spyware
  
  
• Caller ID
  
  
• Spoofing
  
  
• Phishing
  
  
• GPS user tracking and mobile marketing

Our International Data Privacy & Security Expertise

Our attorneys also have extensive international privacy and data security expertise through our work with data protection laws and authorities in over 50 countries. We have developed a network of privacy and data security lawyers around the world that allows us to (1) provide our multinational clients with comprehensive advice regarding the collection, storage, processing, and cross-border transfer of personal data and (2) create practical and effective multi-jurisdictional privacy and data security policies and compliance programs.

We have extensive experience analyzing and applying the EU Directives on Data Protection, Electronic Commerce, Privacy and Electronic Communications, and Data Retention, and have registered client databases with data protection authorities in the EU, Africa, Asia, and Central and South America.

We have assisted our clients in obtaining certifications pursuant to the U.S.-EU Safe Harbor privacy program, have drafted EU model data protection contracts, and have analyzed the benefits and drawbacks of binding corporate rules (BCRs) as an alternative way to permit the transfer of personal data from the EU to the United States and other countries.

We have provided contract drafting assistance in connection with outsourcing transactions involving entities in different countries, including key provisions on the protection of customer data. Our attorneys have represented clients in privacy and data security complaint actions brought by customers or employees, as well as investigations by EU data protection authorities.

In connection with Foreign Corrupt Practices Act (FCPA) and other internal and government-related investigations that we routinely handle, we are increasingly called upon to resolve various privacy and data security issues that arise, typically when the demands of the investigation or the requests and expectations of U.S. regulators conflict with non-U.S. laws, such as blocking statutes that restrict the transfer of personal data outside the EU.