Privacy/Cybersecurity/Tech Counseling and Regulatory Defense

Sidley has a long-standing presence at the center of privacy and cybersecurity regulatory matters in Washington, D.C. Operating from offices across the world, our global practice engages with state, federal, and international data protection regulators. Our lawyers, many of whom have extensive government experience, help clients navigate high-stakes privacy matters, regulatory requirements and investigations, inquiries, and defense issues.

We have assisted numerous multinational companies in developing and implementing global data protection programs, including those addressing novel state privacy laws. This includes the California Consumer Privacy Act (CCPA), sector-specific privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), and international data protection laws, such as the General Data Protection Regulation (GDPR), the ePrivacy Directive, the UK Data Protection law, and the new Chinese privacy and cybersecurity requirements. We provide comprehensive cybersecurity overviews, identifying potential risks and developing information security incident response plans.

We also advise on governance protocols and privacy issues related to big data, artificial intelligence (AI), and virtual reality, including how data sets are collected, stored, analyzed, and used. Our counseling advice extends to social media policies, mobile application development, promotional activities, debt collection, telemarketing and sales practices, employee issues, privacy by design, cross-border matters, internal affiliate information sharing, and sharing of personal or otherwise regulated data with joint marketing partners, general third parties, and service providers or for due diligence purposes. We also advise on cybersecurity information sharing under the Cybersecurity Act of 2015, authorized defensive measures, and available liability protections.

Our team has represented clients before various investigative and administrative agencies. This includes the Federal Trade Commission (FTC), Department of Justice, Securities and Exchange Commission, Office for Civil Rights at the Department of Health and Human Services, Federal Communications Commission (FCC), state attorneys general, state insurance departments, and other regulators, as well as in inquiries by international data protection authorities. We also advocate on behalf of clients in legislative and policy issues before Congress and the Executive Branch of the U.S. government, the European Commission, and the European Parliament.

Representative matters

Regulatory

  • Represented a telecommunications company in connection with the now-rescinded FCC privacy regulations for Internet Service Providers.
  • Defending an FTC investigation of a major national bank involving data leakage of confidential information resulting from employee negligence.
  • Assisted a media and entertainment company with privacy compliance issues concerning the CCPA, GDPR, FTC, and other privacy regulatory and statutory compliance issues.
  • Advised the bank subsidiary of a major retailer in an FDIC examination following one of the largest reported data breaches.
  • Represented a number of clients in the major data security investigation of approximately 100 companies announced by the FTC in February 2010. The investigations were triggered as a result of alleged widespread exposure of sensitive information via peer-to-peer file sharing. The FTC’s investigations focused on the companies’ handling of specific data breach incidents, as well as the overall legal compliance of the companies’ privacy and information security programs.
  • Defended a major financial institution in regulatory inquiry by the New York Department of Financial Services (DFS) in connection with their review of compliance with the DFS Cybersecurity Regulations in the wake of a data security incident.
  • Defended a retailer in connection with an investigation of 42 states, led by the attorneys general of the states of Connecticut and Illinois, following a high-profile cybersecurity intrusion that resulted in the client testifying before Congress.
  • Advised a Fortune 500 retailer in response to an FTC civil investigative demand.
  • Advised a trade association regarding financial privacy, cross-border, cybersecurity, and emerging technology issues. Sidley has prepared public materials for the client regarding AI inquiries by federal regulators, cybersecurity authorities of federal and state agencies, Insider Threat cybersecurity programs, and numerous other issues.
  • Advised a financial services company on a broad range of general privacy and regulatory financial compliance issues, including the Gramm-Leach-Bliley Act, as well as cybersecurity matters.
  • Advised a financial services company on regulatory reporting requirements in relation to cyber incidents. We have also been advising on interaction with U.S. and international agencies.

Cybersecurity Governance and Incident Preparedness

  • Counseled a multinational automaker on identifying and prioritizing data analytics risks and helped the client implement strategies to manage risk and govern product innovation.
  • Facilitated a multi-stakeholder day-long tabletop incident response exercise for a national insurer, which entailed working with a large professional services firm to simulate a cyberattack and stress-test the IT department and broader incident response processes for responding to a crisis-level security incident, leading to the development of a new global incident response program and policy.
  • Counseling a major property and casualty insurer on cybersecurity incident response in preparation for the possibility of a cyberattack.
  • Providing significant cybersecurity governance and preparedness advice to a leading media holding company and presenting on these topics in continuing legal education for the company.
  • Working with a global tech company on a number of substantial cybersecurity and privacy assessments.
  • Helped a major retail pharmacy develop a robust incident response program, including reconciliation of competing incident response programs from legal, PR, IT, physical security, and business lines. Having developed a coordinated plan, we tested the plan through a series of tabletop exercises, starting with working levels and concluding in a phased tabletop that included the C-Suite and Board in the final sections of the tabletop.
  • Assisted a large accounting firm in developing a global data security incident response plan, as well as building out their global data protection programs.
  • Advising a leading global communications company on all aspects of domestic and international privacy compliance programs, including complex Big Data and consumer protection issues. Our work includes regulatory compliance; analysis, recommendations, and guidance regarding new products and services; responding to government investigations, inquiries, and requests; and litigating against private and governmental plaintiffs alleging privacy or data protection violations.

Data Breach Incident Response

  • Represented one of the country’s most significant financial services firms on a cybersecurity incident involving access to online accounts and fraudulent funds transfers. This matter involved considerable interaction with the FBI in connection with identifying and potentially apprehending the cybercriminals, and recovering funds.
  • Selected as counsel for the Special Cybersecurity Review Committee of a global media and tech company’s Board of Directors to advise on what has generally been regarded as the tech sector’s largest data breaches in history. We conducted an intense, independent investigation into the discovery and handling of the data breaches. The firm’s mandate involved responsibility to understand, evaluate, and report to the Special Committee and Board on all relevant circumstances of the incident, including internal cybersecurity knowledge, communication, reporting and incident response, data breach analysis, and public disclosure. The investigation involved interaction with various government agencies with different responsibilities and interests, an extensive array of internal and external lawyers and law firms, and numerous information security and forensic experts.
  • Advised a global cybersecurity company on U.S., EU, UK, and international privacy and cybersecurity issues, including cross-border data transfers and incident response. Sidley has assisted the client to substantially update its privacy and data protection compliance program. Sidley also advises on software lifecycle development legal issues.
  • Conducted internal investigations on privacy and cybersecurity incidents regarding potential unauthorized access to personal information and confidential business information for a multinational auto manufacturer, working with outside forensic firms and auditors on this matter.
  • Advising a media holding company on incident response related to a phishing attack.
  • Served as lead privacy counsel during a forensic investigation into one of the largest advanced persistent threat attacks ever against a major financial transaction processor, ultimately building a record that no breach occurred.
  • Represented a financial services company with the sophisticated hacking of its network affecting approximately 4.5 million customers. We worked with the company and the FBI to assess the origin, scope, severity, and length of compromise to the system and assisted the client to prepare and submit notifications to affected individuals and reports to state attorneys general and government agencies, and to develop appropriate responses to media requests and government investigators. Sidley also assisted the client in proceedings for victim restitution. This matter is considered to be one of the most high-profile cybercrimes in U.S. history, revealing a large criminal network of organized hackers in several foreign jurisdictions likely responsible for the incident.

Global Data Protection Key Matters

  • Advising a global healthcare company on cookie notices and online behavioral tracking.
  • Counseling a global software developer on the impact of the GDPR and, in particular, in relation to new requirements on profiling. This included the development of a white paper and meeting with key stakeholders in London, Brussels, and Washington, D.C.
  • Advising an operator of a global transaction platform for travel and tourism on specific aspects of the GDPR, including, for example, an analysis of the requirement to appoint a data protection officer.
  • Advising a global online direct sales company on data protection issues in the EU, including GDPR project implementation, and advising on global data transfer solutions, including self-certification to the EU-U.S. Privacy Shield.
  • Counseling a global consumer debt company on EU data protection requirements, international transfers, and adoption of GDPR requirements, such as one-stop-shop, consent, restrictions on profiling, and appointment of data protection officers.
  • Advised a global manufacturing company on a range of data protection and information security issues, including requirements under the GDPR, as well as substantial advice in relation to a cybersecurity incident affecting a number of jurisdictions and notifications to regulators.
  • Advising a global insurance and risk management company on data protection and privacy matters, including intra-group, cross-border transfers of personal and sales data, and data transfers from the EEA in the context of discovery and document production.
  • Counseling a global real estate investment adviser on compliance with the GDPR, including the review, development, and implementation of numerous policies and procedures on a multi-jurisdictional level.
  • Counseling an international insurance broker on EU data privacy issues relating to GDPR and employee and customer data, including cross-border data transfer issues for business operations in Asia, the EU, South America, and the United States.
  • Advising a telecommunications company on a global revision of its privacy policies to take into account the GDPR and the state-of-the-art privacy practices.
  • Working for a multinational consumer products company to assist in developing and implementing a new global data protection compliance program. In addition, we provide extensive advice regarding international data transfers and cross-border privacy issues. Our work concerns primarily U.S., EU, and Asian data privacy requirements and has involved one of the most significant Binding Corporate Rules applications to the UK Information Commissioner.
  • Provide strategic advice to a global tech company regarding a range of global tech policy issues, including data localization, encryption, privacy, and other international measures impacting technology and information flows. We also advise on privacy practices relating to advertising and health in the U.S.
  • Advising several leading tech and telecom companies on the impact of the GDPR and other EU regulatory developments relevant to data protection in the EU, including prospective regulation of technologies and encryption policy.
  • Advising on an ongoing basis one of the world’s largest mass-media companies on data privacy issues in Asia-Pacific, including Hong Kong, Malaysia, Australia, New Zealand, China, Thailand, Vietnam, Indonesia, Taiwan, the Philippines, and Singapore.
  • Represented a multinational consumer products company in developing and implementing a major new global data protection compliance program in the countries where the client operates, including the implementation of Binding Corporate Rules (BCRs). The project includes advising on international data transfers; counseling for the United States, EU, Asia, and Latin American privacy regimes (working with the group’s network of national counsel, where necessary); workplace privacy and employee monitoring issues; and migration of data to such locations as the Cloud and regional business centers. We also advised on issues involving data processing for group health plan analytics aimed at lowering plan costs and healthcare privacy and security issues raised by mobile apps. We have provided extensive advice on UK, EU, and global data protection requirements, as well as drafting policies and other agreements. Due to the size and international nature of our client, this was one of the largest BCR projects in 2017 and demonstrates our experience with BCRs.
  • Advised a global life sciences company on EU data privacy and the GDPR, including international transfers and, in particular, the EU/Swiss-U.S. Privacy Shield. We also have advised the company on numerous questions related to the application of the GDPR to life sciences activities. This work demonstrates our ability to deal with privacy issues in highly regulated industries.
  • Advised a life sciences company on numerous privacy, HIPAA, CCPA, and cybersecurity matters, including incident response, and on GDPR and Schrems II data transfer issues.
  • Provided strategic advice to a technology company regarding a range of global tech policy issues, including data localization, encryption, privacy, and other international measures impacting technology and information flows. We also advise on privacy practices relating to advertising and health in the U.S.
  • Advised an international game developer on a range of data privacy and GDPR issues relating to electronic games, adtech, and use of analytics and artificial intelligence.

Other Matters

  • Provided a telecommunications company a broad range of privacy and cybersecurity services. Sidley advises the company on communications, satellite and cable privacy, location data privacy, general privacy under the FTC and Telcom Acts, and under state (such as CCPA and CPRA) and international laws. Sidley advises the company regarding various business-use cases as well as government access requests and law enforcement issues. Sidley also advises the company on cybersecurity issues and preparedness, and incident response. Sidley has handled numerous significant regulatory investigations and litigation matters involving privacy, security, technology, law enforcement, national security, etc. In addition, Sidley handled the privacy and data law aspects of the corporate reorganization and potential disposition of the company’s video assets.
  • Provided privacy and cybersecurity counseling for a major national grocer for privacy compliance work for evolving state privacy laws, as well as incident response, management, and defense.
  • Provided a major health insurance company with privacy and data security counseling, including cybersecurity incident preparedness, investigation, and response support, as well as advising for a transformative data governance initiative that will incorporate considerations from a variety of laws including HIPAA, GLBA, and new and emerging state privacy and security laws and regulations.
  • Assisted a telecommunications company on a broad range of U.S. and international privacy and data protection matters, including litigation, government proceedings, CCPA and GDPR. Our work includes strategic and compliance counseling as well as contentious matters. We have also represented the client in connection with FCC inquiry (location privacy inquiry) and advised on response to FTC 6(b) inquiry on data privacy issues.
  • Advised a major financial institution on privacy and cybersecurity issues, including incident response and regulatory analysis, as well as counseling related to regulator inquiries and B2B dispute negotiation.