Andrew Epstein

Special Counsel

I solve problems

About Andrew

Andrew strategically advises a broad range of clients, from Fortune 500 companies to emerging and private companies, across industries including life sciences, healthcare, software as a service (SaaS), fintech, insurtech, edtech, ecommerce, automotive and more. For their data privacy and security needs, clients turn to Andrew to navigate issues ranging from high-level business model development and operation to granular product and service design. Andrew leverages his in-house background to provide practical and actionable advice to clients because he knows, understands and solves friction points. He takes a proactive approach to data privacy and security, helping clients protect their data through risk-based guidance.

Andrew brings significant practical and operational in-house and private practice experience to the increasingly complex and evolving international, US and local cyber/data/privacy landscape.

Andrew’s practice includes privacy and cybersecurity counseling, commercial transactional support, corporate transactional due diligence and negotiation support, proactive and reactive incident response guidance, and regulatory investigation guidance. He advises clients on data issues related to products and services, contract negotiations, cross-border data transfers, stakeholder notices, and service provider management. Additionally, Andrew guides clients through the information security incident life cycle, which includes identifying, investigating and responding to the incident.

Before joining Cooley, Andrew clerked for US District Court Judge Raymond P. Moore of the US District Court for the District of Colorado. Andrew has also earned the Certified Information Privacy Professional for the United States (CIPP/US) credential from the International Association of Privacy Professionals.

Privacy and cybersecurity strategic counseling

  • Developed and implemented strategies, programs, policies, and procedures to comply with domestic (federal and state) and non-US data protection laws and regulations, such as the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Washington My Health My Data (MHMD) Act, Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA), the European Union’s General Data Protection Regulation (GDPR), the UK GDPR, and others
  • Developed a data privacy compliance program for an insurtech company, including drafting and implementing privacy notices/terms of use; drafting and implementing customer experience changes to address regulatory, contractual, and industry compliance requirements; implementing and leading data-mapping exercises; driving privacy-by-design/default into product and service offerings; implementing and leading data privacy/security trainings for cross-functional teams; automating processes for responding to data subject requests; and advising senior leadership and executives on privacy and cybersecurity business risks*
  • Advised life science companies on the collection, cross-border transfer (including under the Data Privacy Frameworks) and other processing of clinical trial data; guided companies on engagement with vendors (such as clinical research organizations and clinical trial sites) and collaboration partners; and presented to companies on how to address data protection obligations
  • Advised digital health companies on the processing of sensitive health information, including through mobile applications
  • Advised various organizations on leveraging artificial intelligence tools
  • Advised public companies on privacy and cybersecurity public filing disclosures
  • Advised a nonprofit organization on the development and implementation of digital contact tracing solutions to address the spread of COVID-19
  • Advised a proptech company on establishing a consumer reporting agency subject to the FCRA
  • Advised fintech and insurtech businesses on compliance with state (including New York Department of Financial Services regulations) and federal (including GLBA) privacy and cybersecurity obligations
  • Counseled a global software provider on the development and implementation of a ransomware response strategy
  • Counseled an enterprise solutions provider on implementing biometric identification for call recordings and using data for machine learning purposes

*Matter handled before joining Cooley

Commercial transactions

  • Negotiated privacy, cybersecurity, and commercial terms in vendor and data provider agreements, and conducted relevant diligence
  • Negotiated cross-border collaboration agreements for life sciences companies
  • Negotiated a digital retailing automotive services agreement to create a new consumer online shopping experience

Corporate transactions

  • Led privacy/cybersecurity diligence in M&A, venture capital, private equity and initial public offering (IPO) transactions, and drafted and negotiated representations and disclosures

Incident response

  • Directed organizations’ legal response to, and forensic investigations of, data security incidents, including ransomware, supply chain and social engineering attacks
  • Advised an insurtech company on responding to a security incident that impacted more than 13,000 consumers and resulted in notifications to consumers, regulators and others
  • Advised a business software company on a data incident that affected more than 600,000 global users
  • Advised a food products manufacturer/distributor on a data breach that affected individuals in more than 20 countries
  • Advised a traditional financial institution on a data incident that affected more than 450,000 US consumers
  • Advised 10+ law firms on responding to data security incidents

Investigations

  • Responded to international, US and state regulators’ inquiries into privacy/cybersecurity practices
  • Represented a social media platform in its response to a multistate investigation into the company’s processing of minors’ data and product designs
  • Represented an insurtech company in a New York Department of Financial Services investigation into the company’s response to a data security incident and corresponding cybersecurity controls, resulting in the matter being closed without enforcement action
  • Represented a healthcare plan in response to a US Office of Civil Rights (OCR) investigation into the entity’s privacy and cybersecurity practices, resulting in the matter being closed without enforcement action
  • Represented, in coordination with local counsel, a food products manufacturer/distributor in a non-US data protection authority’s investigation into the company’s response to a data security incident and corresponding data protection practices, resulting in the matter being closed without enforcement action
  • Represented, in coordination with local counsel, a business software company in several non-US data protection authorities’ investigations into the company’s response to a data security incident and corresponding data protection practices, resulting in the matters being closed without enforcement action

Education

University of Chicago Law School
JD

Northwestern University
BA

Memberships & affiliations

International Association of Privacy Professionals

Washington Bar Association