Cyber/Data/Privacy

Why Cooley

Cooley’s cyber/data/privacy group offers the full spectrum of counseling and litigation capabilities in cybersecurity, data rights, and privacy to clients around the globe. We provide companies with a holistic approach to compliance, security and response that’s built to preserve and protect our clients through a growing number of crippling data breaches and vulnerabilities in digital assets, intellectual property, employees, outside vendor access, brand reputation, and trade secrets.

Whether responding to a data breach, developing a privacy policy, conducting due diligence on an M&A transaction, guiding a company through a Federal Trade Commission (FTC) inquiry or regulatory investigation, or defending a client against litigation, we assist our clients in navigating the increasingly complex landscape of international laws and regulatory requirements. Our enduring record of helping top companies with cyber/data/privacy matters and our unmatched industry leadership are regularly recognized by such respected publications as Law360, which repeatedly has named the Cooley team as Cybersecurity & Privacy Practice Group of the Year.

We represent industry leaders, executives and boards of directors whose innovative technologies and business models often raise novel legal issues in the area of privacy and data security. In some instances, these issues challenge the fundamental definition of data protection and privacy in the age of information, interconnectedness and social media – whether in traditional industries like healthcare, telecommunications and higher education that have evolved with the rapid increase of digitized information, or in emerging industries such as social media, drones, smart grid technology and the Internet of Things. Our lawyers understand the importance of not only knowing and applying the law but shaping it in a way that better enables our clients to develop and deploy value-maximizing business strategies.

Cooley’s cyber/data/privacy team is part of our CooleyREG offering, through which we combine an understanding of the impact of disruptive advancements – and the regulatory issues that impose risk and slow progress – to help our clients navigate an increasingly complex regulatory landscape. 

Areas of Practice

Counseling and compliance

  • Assessment, revision and development of privacy and cybersecurity policies
  • Compliance with regulatory and industry-specific issues, including the Biometric Information Privacy Act (BIPA), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and other state privacy laws, Children's Online Privacy Protection Rule (COPPA), the EU and UK General Data Protection Regulation (GDPR), the Chinese Personal Information Protection Law (PIPL) and Cyber Security Law (CSL), Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), Electronic Communications Privacy Act (ECPA), Family Educational Rights and Privacy Act (FERPA), Student Online Personal Information Protection Act (SOPIPA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Telephone Consumer Protection Act (TCPA), Video Privacy Protection Act (VPPA), and laws implementing the EU’s ePrivacy Directive
  • Cross-border transfer issues
  • Legislative monitoring, assessment and analysis
  • Cybersecurity audits and liability analysis, cyber insurance evaluation, and employee security training
  • Security process-hardening services to proactively mitigate the legal and business impact of security incidents
  • Strategic relationships with third-party service providers – such as forensic firms, crisis communication firms, mailing vendors, call centers, recovery firms and ransomware negotiators – to provide an enhanced range of services
  • Threat-intelligence monitoring and deep-look, long-term strategic data protection forecasting

Transactional

  • Tailored advice and guidance on addressing a key source of security and critical IP vulnerabilities – a company’s dealings with suppliers, customers and other business partners
  • Transactional review and analysis, including contractual privacy and data protection assessment
  • Due diligence and support during M&A and other transactions, including those with cyber and cross-border information components
  • Technology license agreements
  • Joint development agreements, supply chain security, critical technology transfers to internationally outsourced contractors and modernization of trade secret protection programs

Regulatory

  • Guidance on regulatory actions and the regulatory and sector-specific issues touching the security concerns of those in heavily regulated industries such as healthcare (e.g., HIPAA), financial services (e.g., GLBA, FCRA), telecommunications, national security and higher education (e.g., FERPA)
  • Compliance trends, including revisions to the Payment Card Industry (PCI) security standards, the latest draft of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and Securities and Exchange Commission reporting requirements
  • Client exposure related to the FTC, state attorneys general and consumer information issues
  • Investigations and inquiries by the FTC, the US Department of Health and Human Services, state attorneys general, EU data protection authorities, and UK financial regulators

Incident response and data breach counseling

  • Small and large incident response efforts and advice to companies – including those in the online, retail, technology, financial services and life sciences sectors – that have experienced data breaches or other data security incidents
  • Internal toolkit consisting of response roadmaps, notice templates for communicating with individuals and regulatory agencies in all 50 US states, the UK and the EU, and client-specific statements of work under existing Cooley agreements with forensic, remediation and crisis PR firms, to respond quickly and efficiently to data incidents on behalf of clients
  • Cross-firm resources of regulatory investigations and class action litigation teams available, when necessary, to ensure a streamlined approach to handling all aspects of a client’s issues

Privacy and data protection litigation

  • Experienced in evaluating potential claims, assessing liability risks, preparing and implementing subpoena response policies, providing contract dispute evaluation and counseling, and advising on appropriate responses to regulatory activities
  • Successfully resolved multiple high-profile cases in this area of the law
  • Work closely with our clients to obtain favorable resolutions as early and as efficiently as possible under the unique circumstances of each case, whether by obtaining dismissals, defeating class certification motions, negotiating favorable settlements, or litigating cases through trial and appeal

Representative matters

  • Defended Google in groundbreaking privacy class actions
  • Negotiated a class settlement for Zoom in consolidated class actions alleging collection and disclosure of users’ personal information without consent and failure to make truthful disclosures about the privacy of its services
  • Obtained a successful settlement for Facebook in the largest privacy class action in US history and the first-ever class action filed under Illinois’ BIPA
  • Represented Chegg and achieved a favorable settlement in one of the largest mass arbitrations in US history
  • Coordinated multiple incident responses involving a serious advanced persistent threat (APT) attack on a provider of online services
  • Successfully resolved an investigation brought against Chegg by the FTC concerning four data security breaches
  • Advised a management consulting services company on liability exposure related to internal network configuration issues and the consideration of various data protection alternatives, including tokenization, hashing, and encryption
  • Drafted and negotiated HIPAA authorizations and business associate agreements for covered entity and business associate clients in the context of clinical trials and commercial transactions