Our Global Privacy & Security Group delivers sophisticated, business-minded and practical counsel that helps companies navigate complex legal regimes, develop data-driven strategies, and innovate confidently in a competitive digital economy.
We offer clients a rare combination of legal, regulatory, consulting and technical knowledge. Our team includes attorneys with deep technical backgrounds, including former software developers and engineers, who understand the mechanics of data systems, algorithms, and security architecture. This capability allows us to communicate fluently with in-house legal and technical teams alike—and to design strategies grounded in real-world data practices and infrastructure.
Our group is structured around three integrated practices: Global Privacy & Security, Cybersecurity & Data Breach Litigation, and Cybersecurity & Data Breach Response.
Our Global Privacy & Security team helps clients navigate the world’s data protection and data use regimes while building practical, scalable compliance programs that support innovation and business growth. We advise across all stages of the data management lifecycle—from data mapping and governance to cross-border transfers, use of AI, and incident response preparedness.
We work with companies to design privacy programs that are legally sound, technically feasible, and strategically aligned with the organization’s goals in various sectors including technology, security, healthcare, manufacturing, energy, finance, education, and retail.
We counsel clients on a broad range of U.S. federal and state, international, and sector-specific privacy, AI, and other data protection laws, including:
U.S. State Privacy Laws: California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act, and other evolving state frameworks; targeted state and local frameworks related to biometric data, consumer health data, children’s data, AI
Federal Laws: HIPAA and the Security Rule (for healthcare), GLBA (for financial institutions), COPPA and FERPA (for children and educational data), NIST Frameworks, FCRA, TCPA, CAN-SPAM, and other FTC enforcement frameworks, including Section 5 of the FTC Act
International Regulations: EU and UK GDPR, Brazil’s LGPD, Canada’s PIPEDA and provincial privacy laws, India’s Digital Personal Data Protection Act (DPDPA), and other APAC and LATAM privacy laws, supported by a strong and expansive network of international counsel
Cross-Border Data Transfers: Standard Contractual Clauses (SCCs) (EU/UK and global), Binding Corporate Rules (BCRs), Data Privacy Framework Certification and Schrems II-compliant transfer risk assessments
AI and Emerging Tech Regulation: EU AI Act, U.S. Executive Orders, FTC enforcement priorities, Colorado AI Act, Texas Responsible AI Governance Act, AI notice requirements for Connecticut and other states, and similar proposed frameworks across the U.S., sector- and data-specific AI laws, and trends in regulating automated decision-making and AI-driven data processing
National Security and Cybersecurity: Global cross-border issues, risk management, and other data protection frameworks including NIST (Privacy, Cybersecurity, AI Risk Management Frameworks, and others), national security frameworks including the DOJ Data Security Program (Rule on Bulk Transfers of U.S. Sensitive Data), related controls and regimes, and other risk management and data protection frameworks
Cookies and Online Tracking Tech: Regulatory compliance and implementation of global laws impacting online tracking, opt-outs and consent management (EU and UK GDPR, ePrivacy Directive, PECR, U.S. state privacy laws), Invasion of Privacy and Wiretapping regulations (CIPA, VPPA).
Sensitive Data Management/Practices: Regulatory enforcement prioritization of sensitive data like biometrics, health/quasi-health, children/teens, geolocation (including bodily autonomy), evolving issues in relation to protected classes under existing law and emerging privacy laws, sensitive data under national security frameworks
Surveillance and Monitoring: Public and private sector, including video, audio and commercial surveillance
We monitor legislative developments closely and offer clients strategic counsel on how to adapt to regulatory shifts—whether by updating policies, redesigning data flows, or modifying contractual frameworks.
Privacy obligations often arise in the context of business operations, partnerships, and third-party engagements. We support clients in:
When privacy issues intersect with M&A or strategic partnerships, we provide privacy diligence and risk analysis, helping clients structure deals that account for both short-term exposures and long-term regulatory obligations.
Unlike traditional legal teams, our group includes former engineers and software developers who understand how data moves through modern systems. We regularly work alongside privacy, product, engineering, and security teams to:
Conduct privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) on new technologies and business models
Design and review consent management platforms, cookie banners, and user-facing privacy controls
Develop and operationalize privacy-by-design frameworks, embedding compliance into product lifecycle and software development workflows
Advise on data minimization, retention schedules, and automated processing in the context of AI and machine learning systems
In a rapidly evolving digital landscape, our Global Privacy & Security team provides clients with guidance on the legal and regulatory challenges associated with artificial intelligence (AI). Our team brings deep experience advising global organizations on how to deploy AI responsibly—balancing innovation with compliance, transparency, and ethical risk management.
We work across industries to advise on:
Data privacy and AI governance frameworks
Regulatory compliance, including the EU AI Act, GDPR, CCPA, and other emerging AI-specific legislation
Algorithmic accountability, bias mitigation, and explainability requirements
Data minimization and consent strategies for AI training datasets
Vendor and technology contracting, including model licensing and AI-as-a-service agreements
AI risk assessments and impact analyses
Internal policies for responsible AI use and deployment
Responding to regulator inquiries or investigations related to AI systems
Our privacy lawyers collaborate closely with our technology, intellectual property, and litigation teams to offer holistic, business-oriented advice.
We are frequently called upon to represent companies in regulatory inquiries, audits, and investigations initiated by:
The Federal Trade Commission (FTC) – for deceptive practices, data misuse, AI-related risk, and children’s privacy violations
California Privacy Protection Agency (CPPA) – for alleged violations of CCPA/CPRA, including failures in consumer rights fulfillment, targeted advertising, children’s data, and security safeguards
State Attorneys General – in multi-state investigations of tracking technologies, mobile apps, children’s data, and sensitive data processing
The U.S. Department of Health and Human Services (HHS)/Office for Civil Rights (OCR) – in HIPAA audits, breach investigations, and enforcement
International Data Protection Authorities (DPAs) – including in the EU, UK, Brazil, and Canada
Automotive: Telematics, ADAS, V2X data, and connected vehicle privacy
Healthcare and Health Tech: HIPAA, 42 CFR Part 2, health AI and other health tech, Consumer Health Data privacy, and HHS/OCR investigations
Technology and AI: Algorithm design, AI governance, and privacy-by-design in product development, automated decision-making, and AI training data
AdTech and Marketing: Global consent frameworks, pixel and other online tracking, real-time bidding compliance
Education: COPPA, FERPA, and student data use in K-12 and higher education
Finance: GLBA, fintech integrations, open banking APIs
Public Sector: FedRAMP, FISMA, CMMC, and controlled unclassified information (CUI)
Cookie Litigation: Wiretap-based claims targeting tracking technologies—actively defending multiple companies
Regulatory Defense: Responding to FTC, CPPA, and multi-state AG inquiries
Employee Monitoring: Lawful tracking, surveillance, and emerging workplace privacy risks
Facial Recognition and Biometrics: BIPA defense, regulatory counseling, and policy design for biometric technologies
Children’s/Teens’ Data: Product counseling and overall compliance with overlapping federal, state and local requirements
M&A Privacy Diligence: Cyber due diligence, rep & warranty coverage, and risk quantification
Data Processing, Security, and Data Use Agreements: Commercial contracting for data licensing, transfer, and joint data ventures
In the aftermath of a data incident, experience matters. Our litigators are seasoned trial lawyers who have repeatedly defeated class certification and have tried as lead counsel data privacy class actions to favorable outcomes. When clients need help, our team of experienced litigators can:
Defend against class actions arising from federal and state privacy laws, including the Fair Credit Reporting Act (FCRA), Telephone Consumer Protection Act (TCPA), the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Electronic Communications Privacy Act (ECPA), and other statutory and common law causes of action for privacy breaches.
Collaborate to implement a litigation strategy that addresses our clients’ business needs and objectives.
Develop effective strategies to achieve client goals – whether seeking a motion to dismiss, obtaining summary judgment, defeating class certification, or winning at trial.
Anticipate potential landmines in an environment where data breach class action litigation is evolving.
Protect our clients’ reputations and manage public relations strategies in high-profile cases.
Your company’s data is one of its most important assets. In the event of a security incident or breach, our team responds immediately:
Coaching you through the incident
Advising on each step of the process
Mitigating the damage and operational disruptions
Navigating the numerous consumer protection and industry-specific notification laws
Following is a selected sampling of matters and is provided for informational purposes only. Past success does not indicate the likelihood of success in any future matter.