Privacy and Cybersecurity

Privacy Compliance and Governance

• Assisted organizations in developing and implementing privacy and cybersecurity programs, including policies and procedures addressing data governance, cybersecurity, and privacy compliance obligations.
• Advised clients on compliance with California privacy laws, including the CCPA and CPRA, as well as broader U.S. and international privacy frameworks.
• Counseled technology, digital marketing, healthcare, and eCommerce companies on website and mobile application privacy policies, online data practices, and operational privacy obligations.
• Advised companies on cross-border data transfer and privacy compliance issues involving international operations and digital platforms.

Cybersecurity and Incident Response

• Represented a healthcare client in the investigation, reporting, and resolution of a business associate’s theft of medical records involving approximately 150,000 patients, including coordination with law enforcement, regulatory reporting, and breach notification obligations.
• Served as incident response counsel for companies nationwide in matters involving cybersecurity incidents, unauthorized access, and data-related operational risk.
• Assisted clients in developing cybersecurity prevention and response plans designed to reduce operational and litigation risk associated with cyber incidents.
• Advised clients on risk management and remediation strategies following cybersecurity incidents and privacy-related investigations.

Investigations, Litigation, and Regulatory Matters

• Defended clients in consumer class actions and mass arbitrations involving privacy, data security, and digital tracking claims, including matters arising under CIPA and related California laws.
• Represented a telecommunications company in a government investigation involving management of customer records containing personally identifiable information (PII), negotiating a successful resolution before litigation.
• Represented regulators, financial institutions, and investment companies in investigations involving alleged regulatory violations, data breaches, and identity theft issues.
• Obtained judgment and costs defending a leading online publishing platform in litigation involving the Communications Decency Act, the US SPEECH Act, and First Amendment issues in one of the first privacy-related cases involving the US SPEECH Act.
• Defended a California regional medical services provider in a CIPA wiretapping class action opt-out claim, securing dismissal by demurrer.

Data Practices, Technology, and AI

• Counseled cutting-edge web-based technology and digital medicine companies on privacy obligations involving online platforms, websites, mobile applications, and digital tracking technologies.
• Advised cybersecurity and software companies on privacy, cybersecurity, intellectual property, and export control issues involving encryption technologies and digital products.
• Counseled clients on legal and operational risks associated with AI technologies, digital advertising, employee monitoring, and evolving California privacy regulations.
• Assisted companies in evaluating litigation and compliance risks associated with cookies, pixels, session replay technologies, and other online tracking tools.

Transactions, Employment, and Operational Risk

• Conducted privacy and cybersecurity diligence in corporate transactions, including mergers and acquisitions involving technology and data-driven businesses.
• Assisted a cybersecurity company in raising more than $2 million in convertible debt financing and negotiating strategic marketing partnerships with a global telecommunications company.
• Advised cybersecurity and technology companies on contractor and employee agreements, cybersecurity-related operational policies, and protection of confidential and proprietary information.
• Counseled employers on employee monitoring, cybersecurity governance, and protection of trade secret and confidential business information.

When should a company involve privacy or cybersecurity counsel?

Ideally before a problem arises. Privacy and cybersecurity issues often affect day-to-day operations, vendor relationships, marketing practices, employee management, and technology deployment. Early involvement helps companies identify risks, implement practical safeguards, and avoid more costly regulatory or litigation issues later.

Why are California privacy laws so significant for businesses?

California privacy laws, including the CCPA and CPRA, have become some of the most influential privacy regulations in the United States. Many companies operating nationally or online are affected by California requirements, particularly regarding consumer rights, data collection practices, disclosures, and vendor relationships.

What types of privacy litigation are companies currently facing in California?

California has seen a significant increase in privacy-related litigation, including claims involving website tracking technologies, session replay tools, cookies, pixels, wiretap allegations under CIPA, and consumer privacy class actions. These cases often focus on operational and technical practices that companies may not realize create litigation exposure.

What should a company do immediately after a data breach or cybersecurity incident?

Companies should act quickly to preserve evidence, assess the scope of the incident, secure systems, and evaluate notification and reporting obligations. Early coordination among legal, technical, operational, and communications teams is often critical to managing both legal and business risk effectively.

How do you help companies manage incident response and investigations?

We help clients coordinate investigations, regulatory notifications, internal response efforts, and litigation strategy following cybersecurity incidents and privacy-related events. Our approach focuses on practical execution, risk management, and helping clients restore operations while addressing legal obligations.

How do privacy and cybersecurity issues affect business operations beyond compliance?

Privacy and cybersecurity considerations now affect marketing practices, AI deployment, vendor management, employee monitoring, software implementation, corporate transactions, and customer relationships. Many operational decisions carry potential litigation and regulatory implications that require cross-functional coordination.

What role does AI play in privacy and cybersecurity risk?

AI technologies can create significant privacy, governance, and litigation risks, particularly where automated decision-making, data collection, tracking technologies, or sensitive information are involved. Companies increasingly need policies and operational controls addressing how AI systems collect, process, and use data.

How do privacy issues arise in mergers, acquisitions, and technology transactions?

Privacy and cybersecurity issues often arise in due diligence, vendor agreements, data-sharing arrangements, software licensing, and post-transaction integration. Identifying data-related risks early can significantly affect valuation, liability exposure, and operational integration following a transaction.

How do you help companies manage the cost and complexity of privacy compliance and litigation?

We focus on practical, business-oriented strategies that prioritize the most significant operational and legal risks. Our approach emphasizes efficient staffing, coordinated advice across disciplines, and helping clients implement solutions that are sustainable within their business operations.

How do privacy and cybersecurity issues intersect with employment and trade secret concerns?

Issues involving employee monitoring, remote work, confidential information, and access to company systems often overlap with privacy, cybersecurity, and trade secret considerations. Companies increasingly need coordinated policies addressing data access, employee activity, and protection of sensitive business information.

When should a company consider changing or expanding privacy and cybersecurity counsel?

Companies often reassess counsel as their data practices become more complex, litigation exposure increases, or new technologies and regulatory frameworks emerge. This is particularly relevant for businesses navigating California privacy laws, incident response matters, or operational data risks across multiple jurisdictions.