Cyber, Privacy and AI

Dechert’s deep bench of experienced partners and associates, global footprint and industry-specific experience are true differentiators. We provide seamless, holistic service to clients in any type of matter, including strategic counseling and advice, incident response enforcement defense and litigation.

Dechert’s global Cybersecurity, Privacy and AI practice is second to none. Our partners are top, sought-after, thought leaders, many of whom are pioneers in this space. The team has advised at the most senior levels of the government, testified before Congress, prosecuted cyber criminals, handled some of the largest, high-profile data breaches, litigation and enforcement actions in the space, negotiated data sharing terms with the EU on behalf of the U.S., and taught one of the first cyber law school classes in the country. Our team offers:

Award-winning, top-ranked team with an experienced senior bench. Our deep, global bench of partners have decades of experience, several of whom are pioneers in the space. The team includes partners who are top ranked in The Legal 500 for Cyber Law/Data Protection, including a “Leading Lawyer” (one of only 17 in the country), the founder of one of the first Cybersecurity and Privacy practices in the AmLaw50, a former United States Attorney and several former assistant U.S. attorneys, among others.

Experience in high-profile, cutting-edge matters. Our matters are featured in front-page headlines, but our best work is often on matters that no one ever hears about, such as the regulatory inquiry that quietly goes away, or the creative, sophisticated strategic counseling advice that solves a company’s thorniest cross-border data transfer issue.

Most recently, we are advising clients on privacy matters post-Roe v. Wade, handling the world’s most high-profile cyberattacks such as the MOVEit data breach and breaches involving Russian intelligence, Chinese sponsored state actors and the like. We have also counseled leading pharmaceutical companies on Covid-19 vaccine security during the pandemic. We have experience defending litigation or regulatory matters across the globe and providing critical strategic advice on thorny global data issues.

In addition, we have conducted privacy and cybersecurity due diligence on hundreds of transactions. Our innovative “reverse diligence” product helps clients prepare for a sale or IPO.

Industry-specific knowledge. No industry or company is immune to cyberattacks. We have a wealth of experience advising and representing clients in various sectors, including financial services, asset management and investment funds, advertising and media emerging technology, telecommunications, healthcare, life sciences, and real estate.

Global footprint. In the past year alone, we have advised on matters involving Australia, Belarus, Belgium, Brazil, Canada, China, European Economic Area (EEA), Germany, Hong Kong, Israel, Japan, Norway, Singapore, Switzerland, UK, and the U.S. We collaborate closely with some of the world’s largest multinational companies and European regulators on the complex and demanding legal, compliance and policy issues under the GDPR, UK Data Protection Act and the ePrivacy Directive.

Our ongoing work with clients on cross-border data transfer issues is risk based and solution oriented, particularly considering the evolving legal landscape following the Schrems II decision, related guidance by regulators and the proposed new Standard Contractual Clauses (SCCs). Our lawyers have designed and implemented sophisticated policies and practical procedures that comply with the strict requirements of EU laws, including consent management, cross-border data transfers, recordkeeping and analysis, and handling of DSARs.

Key Contacts

Brenda R. Sharton

Partner Boston
+1 617 728 7113 brenda.sharton@dechert.com
Timothy C. Blank

Senior Counsel Boston
+1 617 728 7154 timothy.blank@dechert.com
Kevin F. Cahill

Partner Los Angeles
+1 949 442 6051 kevin.cahill@dechert.com
Dr. Olaf Fasshauer

National Partner Munich
+49 89 21 21 63 13 olaf.fasshauer@dechert.com
Joshua H. Rawson

Partner New York
+1 212 698 3862 joshua.rawson@dechert.com

We provide business-focused advice and strategic counseling to the most sophisticated global companies—from Silicon Valley to the European Economic Area and beyond—on complex, cutting-edge matters that require an integrated approach to complying with global cybersecurity and privacy laws.

We advise clients on diverse laws, industry self-regulatory codes, official guidance and best practices, including:

Section 5 of the FTC Act	Illinois BIPA
GLBA	EU/UK GDPR
FCRA	State and Federal Privacy Laws
HIPAA	ePrivacy Directive
COPPA	Cross-Border Data Transfers and Localization Requirements
FERPA	UK Data Protection Act
CCPA	PCI DSS

We also provide pre-incident counseling and deal support and diligence for mergers and acquisitions, financings, corporate transactions and securities offerings.

Since the late 1990s, we have advised clients on data breach investigations. We have handled over 1,500 investigations, successfully resolving ransom negotiations with threat actors worldwide. We also provide pre-breach counseling and analyze cyber-insurance coverage for companies.

Our expertise covers a wide range of cyber threats, including ransomware, business email interruption, Office 365 compromises, corporate and nation-state espionage, DDoS attacks, insider threats, and theft of computer and electronic data.

We have advised clients in all aspects of incident response investigation, including:

engaging crisis management and public relations firms;
working with law enforcement and intelligence authorities;
engaging the right forensic firm for each breach;
advising on ransom negotiation;
advising on state, global and regulatory notice obligations, and SEC disclosure issues; and
communicating with senior management, board members, outside auditors, customers, vendors and investors.

Our experience with virtually all major regulatory bodies allowed us to successfully handled hundreds of regulatory actions brought by U.S. and global regulators.

We have defended enforcement actions brought under Section 5 of the FTC Act, those brought by the SEC Cybersecurity unit, as well as those brought by OCR/HHS and numerous state attorneys general. We have litigated landmark privacy cases, including one of the first online bank hacking cases, defended and prosecuted trade secret theft and CFAA claims related to stolen data, won motions to dismiss for companies in class action litigation in state and federal courts across the United States in the aftermath of data breaches, including a recent win for a global retail company, and defended a Fortune 15 company in the MOVEit Data Breach, one of the largest hacks in recent history.

A critical consideration as companies begin to adopt AI technologies involves the protection of company data. Companies need to implement robust security measures to protect valuable data from unauthorized access, disclosure or alteration. It is also important to monitor and address emerging threats to avoid liability.

Our lawyers are pioneers in this field, specializing in the intersection of privacy and artificial intelligence. We have litigated some of the earliest landmark AI-privacy cases, handled data breach investigations, defended hundreds of regulatory enforcement actions brought by U.S. and global regulators, negotiated directly with U.S. congressional committees over AI, and advised the world’s top companies on the most cutting-edge, sensitive matters.

In particular, the scraping of data to train AI models invites the scrutiny of plaintiff attorneys and the government. We have extensive experience defending those practices, as well as crafting policies and protocols to avoid litigation and regulators at the outset.

Additionally, the collection and manipulation of biometrics for AI image generation, if not done carefully, can easily run afoul the Illinois Biometric Information Privacy Act and other analogous state laws. Our best-in-class privacy team has unrivaled experience defending such lawsuits and has a deep understanding of the actual engineering at issue.

Click here to learn more about our Artificial Intelligence and Machine Learning practice.

Counseling/Privacy

Leading AI mobile app developer accused of misappropriating user biometrics, successfully having complaint seeking the largest ever Illinois Biometric Information Privacy Act (BIPA) class action dismissed.
Global technology/social media company in connection with counseling on compliance with an FTC order and privacy program.
Global FinTech company on using a biometric-driven AI solution for identity verification in customer service.
Global health app on AI driven dynamic pricing and compliance with U.S. consumer protection laws and GDPR.
Developer of the world’s most downloaded mobile health application with over 100 million users on a new product offering that changed substantially altered data storage and retention practices while navigating preservation requirements in eight federal class actions and five foreign class actions—all alleging violations of user privacy.
Global provider of financial digital products and services on AI for innovative consumer products and services, which included recommendations for identifying and mitigating the risk of algorithmic bias in data sets, AI/ML processes and recommendations to target audiences, as well as the preparation of appropriate user privacy disclosures formulating risk-based solutions and arguments in light of applicable U.S. and European law and “gray areas.”
Global healthcare provider relating to safeguarding vaccine and compliance with global privacy laws.
Global provider of financial services software providing all advice and counseling regarding global privacy laws, including HIPAA, GDPR, CCPA, etc.
Multinational tech company in a U.S. Federal Trade Commission investigation related to data privacy issues and theft of computer data.
Global video optimization company on strategic development of novel CCPA/CPRA and GDPR-compliant ad tech solution for omnichannel targeted advertising.
Global software provider on strategic guidance regarding compliance with U.S. federal and state education law, including FERPA.
Private equity firm regarding complex privacy/cyber issues arising from acquisition of a social media dating platform.
Countless global financial institutions, including investment advisers, mutual fund complexes and private funds in drafting information security programs and counseling involving state and federal data privacy and security rules.
Asset management firm in providing risk analysis and assessment in relation to the acquisition and use of large data sets in investment decision making. We provided guidance on proper data collection practices under relevant U.S. securities and anti-hacking laws.
Global asset manager in providing strategic CCPA and GDPR compliance advice. We assisted in navigating gray areas in the CCPA and leveraged extensive knowledge of the Gramm-Leach-Bliley Act and Regulation S-P to provide advice on complex and nuanced issues related to the scope of the CCPA’s GLBA carveout and its impact on personal information collected from investors/client and potential investors/clients across various channels.
Various major asset managers in providing advice and training on all cyber and privacy related requirements, including leading tabletop exercises for IT and business teams relating to ransomware attacks and other data breach incidents involving loss of personal and company data.
One of the largest accounting and consulting firms in the U.S. on privacy and cybersecurity compliance ahead of a proposed sale.
British biotechnology company on bringing its practices into compliance with the GDPR.
Managing a GDPR compliance project for a global retailer of gaming accessories.
An agent for Sandals, Beaches, The Royal Plantation Collection and Grand Pineapple Resorts in the Caribbean in assisting with strategic advice on GDPR compliance, including advice and counseling regarding data breaches and data subject requests.
Advising on the privacy aspects and implications of an independent investigation by the former Court of Appeal judge, the Rt. Hon. Dame Elizabeth Gloster DBE, into the Financial Conduct Authority’s regulation and oversight of London Capital & Finance Plc.

Data Breach Investigations

Global data broker with 7-8x the amount of data as eBay regarding data breach resulting in multi-million-dollar ransom.
A global backend providing for market-leading airlines and hotel providers with data incidents involving ethical security researchers and public vulnerability disclosures.
A global financial services company in connection with MOVEit breach at third-party vendor.
A French financial services company with global outlets in connection with MOVEit breach at third-party auditor.
A private investment company in connection with nation state theft of cryptocurrency assets.
A large packaging company based in Canada and the United States regarding a cyber event that idled tens of manufacturing facilities.
A global public distribution company regarding data breach involving theft of sensitive employee information.
Moderna in connection with the highly publicized EMA data breach of Covid-19 vaccine information.
Public education company in a settlement with the SEC that was groundbreaking with respect to cybersecurity disclosures and company settlements in the aftermath of a data breach.
Advised IT strategy and consulting company on handling large ransomware attack involving two different threat actors, affecting individuals in three countries. Directed regulatory notifications in and outside of the United States, handled communications with threat actors, and directed ransom negotiations with both threat actors. Represented client in litigation stemming from data breach, successfully obtaining an early settlement agreement.
Global financial services provider on a Microsoft Office365 email intrusion that led to the exposure of thousands of health insurance records, including information protected under HIPAA, as well as the defense of HHS/OCR and day-to-day counseling on privacy and cybersecurity issues.
A biotechnology company when their drug development research data was hacked from third-party research laboratory by foreign actors.
A software corporation on a systems intrusion and malware incident caused by an APT threat actor that resulted in notification being sent to individuals, regulators and business contacts.
A healthcare payment platform in connection with a highly sophisticated attack on its system that resulted in the theft of over US$10 million in customer funds.
A global public Silicon Valley customer management software company in connection with data security breach where millions of customer credentials had been exposed.
A developer of a push-to-talk app in a data breach that compromised data of its 140 million users.
A Chinese bitcoin mining company in connection with a global data breach in which US$500 million of bitcoin was stolen.
A public biotech company in connection with nation state attack and cybersecurity management around sensitive drug development matters.
A Silicon Valley-based healthcare company in a breach affecting millions of patient records and defense of OCR/HHS enforcement action in a case that had the highest ransom the FBI had seen to date.
Managing European and Asian law enforcement in negotiating and coordinating multi-million-dollar ransom.
A European health care app with over 100 million users in a data breach and defense of FTC action regarding its privacy practices.
People’s United Bank in a summary judgment victory in a landmark case, which involved an alleged breach of the bank’s online security system through keylogging malware. One of the first cases of its kind to be decided by an appellate court and named a “national case to watch” by the American Banker, the dispute was resolved after the First Circuit reversed in part and remanded the district court’s decision.
A global public bioscience company based in Hong Kong regarding a cyberattack that defrauded the company of millions of dollars.
A leading private equity firm focused on investing in Central and Eastern Europe in connection with a data breach suffered by a recently acquired portfolio company. The company operates the largest bakery retail network in Southeast Europe, serving food and beverages to more than 36 million customers per year through approximately 220 directly-owned stores in Croatia and Slovenia, and franchise stores across ten countries.
The Board of Directors of one of the world’s largest hedge funds in responding to a major data breach involving the personal and financial records of major investors and shareholders, including advice on required notifications to individuals and regulators located in 23 countries.
An international food services company on all issues arising from a substantial ransomware attack that encrypted all company systems, including advice on ransom negotiations, remediation and recovery of company operations, working with government investigators and addressing insurance issues.
A large national bank in class action litigation arising out of data breach involving theft of over 40 million credit card records.

Data Breach Litigation

A health management company in two purported class action lawsuits regarding disclosure of patient information following a 2020 data breach.
Easy Healthcare Corporation and its women’s mobile health fertility app in connection with a purported nationwide class action pending in federal court in Illinois.
A large retail store in federal court against purported class action claims arising out of a data breach involving malware that captured credit card information for retail customers.
Taconic Biosciences, Inc. in a putative class action in NY State court arising from theft of employee information following phishing scam.
Wellpoint Inc./Anthem in an HHS OCR investigation involving alleged violations of HIPAA. At the time, the settlement was one of only 12 OCR settlements nationwide.
Online video and media service providers in class action litigations filed nationwide challenging the alleged use of local shared objects, also known as “flash cookies.”
A large parcel service advising the client through a conciliation process with the Office of the Australian Information Commissioner (OAIC).
Cano Health, Inc. in connection with the successful settlement of two purported class actions pending in state court in Miami-Dade County in Florida following a Microsoft Office365 cyberattack.
Flo Health, Inc. the world’s leading women’s health app, in the defense of numerous class actions pending in federal court in California, Canada (British Columbia, Quebec and Ontario), as well as in Israel.
Flo Health, Inc. in connection with the successful settlement with the FTC in June 2021.
Represented IT strategy and consulting company in litigation stemming from ransomware attack that affected individuals in three countries. Obtained favorable settlement before fact discovery stage.

Privacy Matters

A multinational technology company conducting a PIA regarding the privacy impact and legal risk of implementing a company-wide data loss prevention technology; developed an enterprise-wide strategy for mitigating risk while achieving the company’s goals of preventing the loss of IP and other highly sensitive information.
A provider of B2B ad tech services regarding privacy legal risks associated with the development and deployment of cutting-edge products, tools and services to assist consumer brands with segment insights and targeting under the GDPR and CCPA.
A global tech company in the air travel sector creating and negotiating GDPR DPA terms with over 60 airline customers.
A global travel and leisure company on formulating and operationalizing a comprehensive CCPA compliance program.
A global cloud service provider on strategic planning for responding to government data requests, including under the U.S. CLOUD Act.
A provider of intelligence services for a video content delivery platform, a marketing management service provider, a global provider of voice recognition technology, a cybersecurity SaaS provider and others on comprehensive GDPR readiness advice.
A global provider of financial services software on formulating and implementing a CCPA program for current and contemplated products and services.
A global software provider on strategic guidance regarding compliance with U.S. federal and state education law.
A global retailer regarding the post-acquisition integration of the acquired company’s consumer data and how to leverage the data for marketing intelligence and other purposes.
A global financial services provider regarding privacy legal risks associated with implementing novel actions to protect company systems and customer data.
A global provider of education services in formulating a global privacy compliance strategy in connection with the rollout of a new product.
An institution of higher education on implementing a GDPR program and discrete advice on the EU e-Privacy Directive, including a comprehensive privacy policy update.
A global provider of services to the financial services sector board training on the evolving role of corporate boards in understanding and accountability for cyber and data security risk.
A global provider of cloud-based software-as-a-service to the life sciences and pharmaceutical sectors regarding compliance with EU privacy law frameworks.
An EU-based multinational luxury goods company in formulating its strategy for compliance with state and federal employee privacy laws for its global employee training program.
A UK-based operator of a child-directed educational website in performing a comprehensive privacy impact assessment concerning the development and implementation of a Children’s Online Privacy Protection Act (COPPA)-compliant privacy and data security program.
A Silicon Valley technology company concerning the development of its privacy compliance strategy during development and deployment of cutting-edge digital products and services, with a particular focus on COPPA.
A provider of fraud detection services regarding integration of an evolving international geolocation standard into its emerging line of products and services.
A global e-commerce trade association regarding the development of comprehensive, practical behavioral advertising and other online privacy guides.
A global industry trade group regarding the creation of electronic retail transaction contract templates with a focus on customer data management and security for call center, distribution and order fulfillment.
Various mutual funds, hedge funds and investment advisers in drafting information security programs and counseling with regard to state and federal data privacy and security rules.

Artificial Intelligence

Provided holistic, comprehensive advice to global provider of financial digital products and services on AI for innovative consumer products and services. The scope of work includes providing recommendations for identifying and mitigating the risk of algorithmic bias in data sets, AI/ML processes and recommendations to target audiences. Includes preparing appropriate user privacy disclosures formulating risk-based solutions and arguments in light of applicable U.S. and European law and “gray areas.”
Represented a global fintech company on implementing AI driven biometric AI for consumer service.
Represents the world’s leading health mobile application with over 240 million downloads, in eight federal class actions, an Israeli class action, a Portugal class action, three Canadian class actions, and an FTC investigation—all alleging that Flo’s AI product, which uses predict female fertility and ovulation, violates user privacy.
Represents a healthcare technology startup that uses AI for its core products, in a federal regulatory investigation, three State Attorney General actions, and an Illinois class action.
Represents the most downloaded artificial intelligence photo editing software in multiple class actions concerning their alleged collection and use of biometrics.
Represented a global health app on AI driven dynamic pricing.
Represented a global financial software company on ethical use of AI under U.S. and EU law and industry requirements.