We have a portfolio approach to mitigating risk and supporting a crisis in any jurisdiction or time zone. Our suite of forward-thinking cybersecurity and privacy solutions helps to manage global data compliance risks, protect employee and consumer data, conduct risk assessments, implement incident preparedness and response programs and defend against high-stakes litigation and regulatory enforcement actions.
Data is the engine of today’s digital economy. It unlocks opportunity – but also introduces risk. Without a strong data management and compliance plan, you will increase your business’ exposure to breaches, intrusions, regulatory investigations and civil litigation across the globe.
Ranked as a Leading Firm by Chambers USA, Chambers Global, and Legal 500
THE LATEST
The Digital Services Act Takes Full Effect: 5 Takeaways for Businesses
Managing Legal Risk in Marketing and Advertising: 5 Things Companies Should Know
The SEC’s Fraud Suit Against SolarWinds: 3 Cybersecurity Action Items for Companies to Consider
Beyond the Breach: The CISO’s Role as a Strategic Risk Manager
FAQs
How can we improve our cybersecurity and privacy best practices to mitigate ESG risk factors?
What are the cybersecurity and privacy threats for life sciences and healthcare companies?
How can we ramp up our U.S. state privacy compliance plan to reflect new consumer privacy laws?
What do we need to know about cybersecurity insurance and managing data breach risk?
What immediate steps should we take if we receive a Civil Investigative Demand (CID) from the FTC?
What are the risks our company needs to consider when contemplating the acquisition of or partnership with an artificial intelligence company?
What are some practical defense tips if we are facing a CCPA class action?
HOW WE CAN HELP
Managing Global Regulatory Compliance Risk
Cybersecurity Incident Response
Regulatory Investigations and Enforcement
Leveraging Your Data
Litigation Defense
Cyber, Privacy & Data Innovation
Managing Global Regulatory Compliance Risk
Whether you need to stay ahead of the rapidly evolving privacy and cybersecurity regulatory landscape or work with your boards, in-house teams and information technology departments to improve preparedness or compliance, we can help. We advise on the most impactful global privacy, cybersecurity and advertising and marketing regimes affecting your business, including U.S. state privacy laws, the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), and we horizon scan for new laws, regulations and data challenges.
We work with you to identify data risks most important to your operations, conduct comprehensive privacy and cybersecurity assessments, prepare for a cybersecurity incident, build global compliance programs, negotiate data and vendor relationship contracts, and assess and address the privacy and security risks in corporate transactions. We look to find the right balance to maximize data value but minimize risk in protecting your brand, your reputation and your customers.
Cybersecurity Incident Response
Understanding risks and being prepared is your first line of defense. But, having a comprehensive global strategy to manage each step of your incident response process, when necessary, will allow you to react quickly and limit the damage.
Sophisticated cybersecurity attacks are on the rise—bet-the-company events, phishing scams, ransomware attacks, international threat actor demands and everything in between—and key protection is a best-in-class preparedness program to mitigate and manage risk.
From counseling on domestic and international notification obligations and directing physical and information technology forensics investigations to advising on public relations strategies and liaising with law enforcement and regulatory agencies, we support clients, executive officers and boards on every facet of an incident. Having led the insurance recovery efforts for some of the most complex breaches in history, we evaluate, negotiate and procure the appropriate cybersecurity insurance coverage, considering emerging technologies and developments in the insurance marketplace.
Litigation Defense
When your reputation, or hundreds of millions of dollars, is at stake, you need privacy and cybersecurity litigators who can quickly master the facts and develop an effective defense strategy. We bring you premier defense and investigation counseling. In the decade and a half that cybersecurity incidents and consumer privacy litigation have impacted markets, our dedicated team of litigators has handled class actions stemming from some of the highest-profile privacy and cybersecurity incidents in history.
Whether connected to a regulatory investigation or a stand-alone matter, our litigators have seen precedent-setting data breach and consumer privacy cases in courts across the United States and abroad. We have the right experience to achieve a successful outcome, regardless of what type of action you are facing: civil class actions, arbitrations and data breach-related shareholder derivative litigation, alleged privacy violations related to employee and consumer data misuse, false advertising, telemarketing and biometric privacy or breach-related payment card litigation.
Leveraging Your Data
Having a compliance framework to manage and optimize your privacy risks in the fast-evolving legal landscape is critical before unlocking data. We can help to avoid privacy risks while leveraging data to increase business efficiency through effective data governance and management strategies.
Whether you are developing a new data management solution, implementing an AI tool or rolling out a consumer and employee data ethics program, we make sure you have the right strategy for using, protecting and owning new technologies. And if you are looking to monetize data, we can help with data acquisition strategies, devising protocols for data set due diligence and negotiating data supply contracts.
What immediate steps should we take if we receive a Civil Investigative Demand (CID) from the FTC?
The Federal Trade Commission (FTC) continues to ramp up its investigation and enforcement efforts to address unfair or deceptive acts or practices in the privacy, cybersecurity and consumer protection space. A CID, a type of administrative subpoena, allows the FTC to demand the production of documents. It is often the first formal step of an investigation into a company’s privacy, cybersecurity or consumer protection protocols. Our guide outlines the key details companies need to know about FTC CIDs.
How can we ramp up our U.S. state privacy compliance plan to reflect new consumer privacy laws?
To help you get your U.S. state privacy compliance program on the right track as new laws go into effect, we analyzed the key differences between the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Nevada Privacy Law, the Utah Consumer Privacy Act (UCPA), the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). With U.S. state laws constantly evolving and more developments expected this year, it is never too late to get started on your compliance planning.
What are the cybersecurity and privacy threats for life sciences and healthcare companies?
Attacks continue to increase in the life sciences and health care sectors (healthcare providers and health technology, medical device, pharmaceutical and biotechnology companies). With the ongoing rush to develop vaccines and drug therapies around the globe, the threats show no signs of decreasing. We have identified the top global cybersecurity and privacy risks faced by the life sciences and health care sectors.
How can we improve our cybersecurity and privacy best practices to mitigate ESG risk factors?
Shareholders and consumers must be able to evaluate the controls and processes a corporation maintains on privacy and cyber topics to evaluate a company’s Environmental, Social and Governance (ESG) risk. Our guide explains the five best practices that shareholders, customers and ESG rating agencies focus on when assessing a company’s ESG fitness as it relates to data privacy and security. We also explain the steps companies can take to improve their compliance posture in this important area.
What are some practical defense tips if we are facing a CCPA class action?
When the CCPA became operative, it ushered in a game-changing increase in liability exposure for companies that interact with personal information. In addition to permitting regulatory enforcement of its privacy requirements, the statute creates a private right of action for certain data breaches and lets California consumers pursue class actions for statutory damages between $100 and $750 per consumer per incident. We have assessed CCPA litigation to date and provided key practical takeaways for how businesses faced with such actions can seek early dismissal.
What are the risks our company needs to consider when contemplating the acquisition of or partnership with an artificial intelligence company?
Artificial intelligence (AI) has become a focus of (and the most valuable asset in) many technology transactions—and the competition for top AI companies has never been hotter. AI companies have their own set of specialized risks that may not be addressed if buyers approach the transaction with their standard process. AI’s reliance on data and the dynamic nature of its insights highlights the shortcomings of standard agreement language and the risks in not tailoring agreements to address AI-specific issues. We have identified the key risks for buyers to consider about AI companies during an acquisition or agreement negotiation.
ESG continues to evolve, with increasing regulation and scrutiny from the SEC, broad demand from investors and proxy advisors for more detailed, data-intensive disclosure, and a more complex set of stakeholder views about which ESG initiatives companies should adopt. Our resource center is intended to support legal and compliance leaders who are increasingly guiding the company’s response.
KEY CONTACTS
Beth McGinn
Thora Johnson
Jake Heath
Shannon Yavorsky
Are there restrictions on exports of software with encryption functionality to Russia or Belarus?
The U.S. government has tightened export controls in ways that restrict unlicensed supply to Russia or Belarus of many types of software with encryption functionality. The change means that previously authorized exports and other transfers to Russia and Belarus of software with encryption will generally require a license even if the recipients are private-sector companies with no ties to the military.
Learn more: Expanded Controls on Encryption Software Exports to Russia and Belarus
What do we need to know about cybersecurity and privacy regulatory enforcement actions and investigations?
Alleged consumer privacy violations and cybersecurity incidents remain under the microscope for regulators around the globe. To help companies understand the enforcement and investigation landscape, we have developed a guide that includes everything you need to know in key countries. We cover who the authorities are, what enforcement and investigative power they have, the penalty for violations and recent actions of note. From state attorneys general and the Federal Trade Commission (FTC) in the United States (U.S.) to the UK Information Commissioner’s Office (ICO) and other data protection authorities in the European Union (EU), the power of regulatory authorities continues to grow.
To help you get your U.S. state privacy compliance program on the right track in 2022, we analyzed the key differences between the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), the CPRA and the Virginia Consumer Data Protection Act (VCDPA). With U.S. state laws constantly evolving and more developments expected this year, it is never too late to get started on your compliance planning.
How can we ramp up our U.S. state privacy compliance plan this year to reflect new consumer privacy laws?
What do we need to know about cybersecurity insurance and managing data breach risk?
The number of cybersecurity incidents continues to increase, with the average cost of a data breach in 2022 reaching an all-time high of $4.35 million, up from $3.86 million in 2020. In addition to the increasing number of incidents, there have been several large-scale systemic vulnerabilities (e.g., Kaseya and Log4j) that had wide-ranging impacts across industries and geographies. Our guide outlines the 10 things you need to know about cybersecurity insurance and managing risk in the wake of these incidents.
What steps do we need to take in the first 24 to 48 hours after a cybersecurity incident to mitigate our financial, reputational and legal risks?
As cybersecurity incidents become increasingly complex, your initial response to a potential cybersecurity crisis matters. The decisions you make in the first 24 to 48 hours can have a lasting financial, reputational and legal impact on your company. Drawing on our experience from working on some of the largest and most complex incidents in history—including nation-state attacks with national security implications, enterprise-wide network intrusions, malicious and negligent insiders, business email compromises, ransomware attacks and everything in between—we prepared a high-level list of do’s and don’ts in the first 24 to 48 hours of a cybersecurity incident.
Generative AI Growth Demands New and Updated Company Policies. The Gen AI Policy Builder Can Help.
Caroline Simons
Christian Schröder
Heather Egan
Youth Online Safety: U.S. State Law Tracker
Emily Tabatabai
Aravind Swaminathan
Cyber, Privacy & Consumer Protection Investigations & Enforcement
Cybersecurity, privacy, and consumer protection issues are a top priority for regulators globally. Regulatory investigations present a unique area of risk for companies, particularly with ever-evolving federal, state, and international laws and shifting regulator priorities.
Our team assists companies across all sectors in responding to FTC, DOJ, SEC, NYDFS, and state attorneys general investigations across the United States and inquiries from the UK ICO and other international data protection authorities. Our team has a proven track record of aggressively defending companies and obtaining favorable resolutions in front of regulators. In addition, we have substantial experience in devising and implementing coordinated legislative and media responses to these high-stakes investigations and issues.
We have significant experience guiding clients through government enforcement actions alleging violations of the FTC Act, U.S. securities laws, the Children’s Online Privacy Protection Act (COPPA), the Restore Online Shoppers’ Confidence Act (ROSCA), and other state and federal privacy and consumer protection statutes and regulations, including the California Consumer Privacy Act (CCPA). We also assist clients in navigating government enforcement actions for alleged breaches of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and other global cybersecurity, privacy, and consumer protection laws and regulations. Our legal strategy and advocacy have often resulted in regulators declining to take further action. In those instances where the regulator has proposed a consent order, we have worked diligently to negotiate the most advantageous order for companies, knowing that such orders, if not drafted thoughtfully, can restrict companies’ growth and ability to take advantage of new technologies.
We have experience with the following regulators:
The Federal Trade Commission (FTC)
The Securities and Exchange Commission (SEC)
The Department of Justice (DOJ)
HHS Office for Civil Rights (HHS OCR)
State attorneys general
State insurance regulators
Congress
The UK Information Commissioner’s Office (ICO)
Other International Data Protection Authorities