Privacy & Cybersecurity

Our world class Privacy & Cybersecurity practice is second to none. It includes a deep, global bench of senior partners with decades of experience, several of whom are pioneers in the space. They include a former Chief Privacy Officer of the Department of Homeland Security in the Obama/Biden administration, top ranked in The Legal 500 Cyber Law/Data Protection partners, including a “Leading Lawyer” (one of only 20 in the country), the founder of one of the first Privacy and Cybersecurity practices in the AmLaw50, a former United States Attorney and several former assistant U.S. attorneys, among others. Our partners are top ranked, well-known thought leaders in the space with unparalleled expertise. They have advised at the most senior levels of the government, testified before Congress, prosecuted cyber criminals, negotiated data sharing terms with the EU on behalf of the U.S. and taught one of the first Cyber law school classes in the country.

Dechert is a market leader with a world class practice covering all aspects of privacy and cybersecurity, including litigation and breach response, strategic privacy counseling, transactional diligence and the defense of regulatory actions. We provide seamless, one-stop shopping across the globe, utilizing our 26 offices worldwide to provide holistic, pragmatic advice. We have litigated some of the earliest, landmark privacy cases, handled over 750 data breach investigations, defended hundreds of regulatory enforcement actions brought by U.S. and global regulators, and advised the world’s top companies (including marquee, global public companies and Silicon Valley household names) on the most cutting edge, sensitive matters of strategic importance to them. We provided privacy and cybersecurity deal diligence on over 800 transactions in 2020 alone and we help our clients get ready for a sale or an IPO through our innovative “reverse diligence” product. Our matters include many of the highest profile cases in the world, featured in front page headlines, but our best work often is on matters that no one ever hears about, such as the regulatory inquiry that quietly goes away or the creative, sophisticated strategic counseling advice that solves a company’s thorniest cross-border data transfer issue.

2020 was a transformative year for Dechert’s practice, with the onboarding of two internationally recognized, top ranked partners as well as the addition of top associate talent. The Dechert team is more than 70 lawyers strong internationally. In 2020, we advised on matters involving the U.S., the U.K., Germany, Belgium, Switzerland, Belarus, China, Hong Kong, Australia, Canada, Japan, Singapore, France, Brazil and the European Economic Area (EEA). Dechert’s global footprint, unparalleled deep senior bench of experienced partners, and its industry-specific experience are true differentiators. We provide seamless, one-stop shopping advice utilizing our global network to provide holistic service to clients in any type of matter, from strategic counseling and incident response to litigation and regulatory advice. Our lawyers are industry experts in financial services, technology, telecommunications, health care, life sciences and real estate, among others. They are adept in supporting the type of financial services institutions, asset managers and investment fund clients that have earned Dechert top rankings in leading publications such as Chambers and The Legal 500.

Global Strategic Counseling, Privacy Programs, Deal Diligence

Dechert’s Global Privacy & Cybersecurity team provides solution-oriented, business focused, forward thinking advice and strategic counseling to the world’s most sophisticated companies—from Silicon Valley to the European Economic Area and beyond—on the most complex, cutting-edge privacy and cybersecurity matters that require an integrated approach to complying with global privacy and cybersecurity laws. We advise clients on diverse laws, industry self-regulatory codes and official guidance and best practices, including Section 5 of the FTC Act, the CCPA, GDPR, ePrivacy Directive, cross-border data transfer and localization requirements, COPPA, FERPA and the UK Data Protection Act. Our team also provides pre-incident counseling and deal support and diligence for mergers and acquisitions, financings, corporate transactions and securities offerings. We serve as strategic architects to clients who offer cutting-edge, data-driven products and services while leveraging data assets for trend forecasting, product development and improvement and the delivery of personalized content and information to a broad range of global users. Tapping decades of experience to tailor our advice to your company’s needs, we partner with clients to add value to your business.

Litigation: Data Breach Investigations, Defense of Regulatory Actions, Class Action Litigation

Our team has handled over 750 breach investigations (over 150 in 2020), including some of the highest profile cyberattacks from front page headlines brought by nation state threat actors, organized crime and insiders, among others. These include the negotiation of ransom/ransomware, business email interruption/Office 365 compromises, corporate and nation state espionage, DDoS, insider threats and the theft of all types of computer and electronic data. Our experience is second to none and dates to our handling data breach investigations as far back as the late 1990s. We have successfully resolved and advised on ransom negotiation with threat actors across the globe. We provide companies with pre-breach counseling and analysis of cyber-insurance coverage. In addition, we handle all aspects of incident response investigation, including engaging crisis management/public relations firms, working with law enforcement and intelligence authorities, engaging the right forensic firm for the particular type of breach, advising on ransom negotiation and advising on state, global and regulatory notice obligations and SEC disclosure issues. In addition, we handle communications with senior management, board members, outside auditors, customers, vendors and investors. Since Covid-19 has forced a remote work environment, cyberattacks have increased exponentially as cyber criminals seek to take advantage of a disrupted work force. We have counseled numerous companies on enhanced cyber and physical security to meet this challenge, including for high-target companies engaged in Covid-19 research. In addition to data breach investigations, we have successfully handled hundreds of regulatory actions brought by U.S. and global regulators. We have defended enforcement actions brought under Section 5 of the FTC Act, those brought by the SEC Cybersecurity unit, as well as those brought by OCR/HHS and numerous state attorneys general.

Our lawyers have litigated landmark privacy cases, including one of the first online bank hacking cases, defended and prosecuted trade secret theft and CFAA claims related to stolen data and won motions to dismiss for companies in class-action litigation in state and federal courts across the United States in the aftermath of data breaches, including a recent win for a global retail company.

Global Expertise

Dechert’s EU team is uniquely comprised of EU- and U.S.-based experts in European data privacy law. The team has worked closely with some of the world’s largest multinational companies and European regulators on the complex and demanding legal, compliance and policy issues under the GDPR, UK Data Protection Act and the ePrivacy Directive. We have designed and helped clients operationalize sophisticated policies and practical procedures in accordance with the strict requirements of EU laws, including consent management, cross-border data transfers, record-keeping and analysis and handling of DSARs. We have managed significant data breach investigations and responses on behalf of our clients, and we have advised our clients on reporting such issues to the appropriate EU authorities. Our ongoing work with clients on cross-border data transfer issues is risk-based and solution-oriented in the currently evolving legal landscape following the recent Schrems II decision, related guidance by regulators and the proposed new Standard Contractual Clauses (SCCs). Our EU team also includes substantial depth in the UK and, with Brexit looming, we are well positioned to advise on all of the nuances that we anticipate following the final withdrawal agreement between the EU and the UK. Finally, our EU and U.S. teams work closely to ensure seamless and efficient legal advice.

Representative Data Breach Investigations
  • A global public Silicon Valley customer management software company in connection with a data security breach where millions of customer credentials had been exposed.
  • A global, public trucking/dedicated logistics company with respect to a nation-state cyberattack on their systems, as well as ongoing privacy and cybersecurity counseling advice.
  • A health management company in a data breach regarding disclosure of patient health and medical information and in an OCR/HHS investigation.
  • A developer of a push-to-talk app in a data breach that compromised data of its 140 million users.
  • A global technology/social media company in connection with counseling on compliance with a FTC order and privacy program.
  • A Chinese bitcoin mining company in connection with a global data breach in which US$500 million of bitcoin was stolen.
  • A public biotech company in connection with a nation state attack and cybersecurity management around sensitive drug development matters.
  • A subscription-based business information database company on data breach affecting over 100 million database records from around the globe.
  • A Silicon Valley-based healthcare company in a breach affecting millions of patient records and defense of OCR/HHS enforcement action in a case that had the highest ransom the FBI had seen to date.
  • A public technology company specializing in 3D printing in a sophisticated global ransomware attack.
  • European and Asian law enforcement in negotiating and coordinating multi-million dollar ransom.
  • A public software company in connection with a cyberattack by a nation state.
  • A public education software company regarding a cyberattack by a nation state that affected student data and state AG, FTC and SEC Cybersecurity Division actions.
  • A European health care app with over 100 million users in a data breach and defense of FTC action regarding its privacy practices.
  • A global public bioscience company based in Hong Kong regarding a cyberattack that defrauded the company of millions of dollars.
  • A cloud services and identity management company on a data breach in which an unauthorized user gained access to the company’s U.S. database, potentially accessing passwords and credentials for thousands of the company’s corporate customers. This matter remains one of the most significant recent data breaches in the tech and cloud services community. Also defended the company in an FTC enforcement action.
  • A healthcare payment platform in connection with a highly sophisticated attack on its system that resulted in the theft of over US$10 million in customer funds.
  • A global financial services provider on a Microsoft Office 365 email intrusion that led to the exposure of thousands of health insurance records, including information protected under HIPAA; as well as the defense of HHS/OCR and day-to-day counseling on privacy/cybersecurity issues.
  • A global biotech company on a breach involving the release of employee W-2 forms via a phishing scam. Also represented the company in a putative class action arising from the breach and defended the New York Attorney General’s action.
  • The One Fund Boston, a charity created to provide financial assistance to survivors and families of those killed in the Boston Marathon bombings, in creating a complete privacy program and policies for employees, volunteers and collaborating parties of the charity, on a pro bono basis.
  • A multinational internet company in a U.S. Federal Trade Commission investigation related to data privacy issues and theft of computer data.
  • An Internet company in a U.S. Federal Trade Commission investigation related to data privacy issues and theft of computer data.

Representative Data Breach Litigation
  • A health management company in two purported class action lawsuits regarding disclosure of patient information following a 2020 data breach.
  • Macy’s Inc. in federal court against purported class action claims arising out of a 2019 data breach.
  • Taconic Biosciences, Inc. in a putative class action in NY state court arising from the theft of employee information following a phishing scam.
  • People’s United Bank in a summary judgment victory in a landmark case, which involved an alleged breach of the bank’s online security system through keylogging malware. One of the first cases of its kind to be decided by an appellate court and named a “national case to watch” by the American Banker, the dispute was resolved after the First Circuit reversed in part and remanded the district court’s decision.
  • Wellpoint Inc./Anthem in an Office of Civil Rights (HHS Division) investigation involving alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). At the time, the settlement was one of only 12 OCR settlements nationwide.
  • Online video and media service providers in class action litigations filed nationwide challenging the alleged use of local shared objects, also known as “flash cookies.”
  • Numerous companies in privacy-related government investigations and enforcement actions brought by state attorneys general, the FTC, HHS and the Office of Civil Rights, among others.
  • Numerous public companies in hundreds of data security breaches, including global investigations and the handling of one of the first major data breaches for a public company in 2002.
  • A major bank in litigation arising out of computer data theft involving millions of credit card numbers.

Representative Privacy Matters
  • A multinational technology company conducting a PIA regarding the privacy impact and legal risk of implementing a company-wide data loss prevention technology; developed an enterprise-wide strategy for mitigating risk while achieving the company’s goals of preventing the loss of IP and other highly sensitive information.
  • A provider of B2B ad tech services regarding privacy legal risks associated with the development and deployment of cutting-edge products, tools and services to assist consumer brands with segment insights and targeting under the GDPR and CCPA.
  • A global tech company in the air travel sector creating and negotiating GDPR DPA terms with over 60 airline customers.
  • A global travel and leisure company on formulating and operationalizing a comprehensive CCPA compliance program.
  • A global cloud service provider on strategic planning for responding to government data requests, including under the U.S. CLOUD Act.
  • A provider of intelligence services for a video content delivery platform, a marketing management service provider, a global provider of voice recognition technology, a cybersecurity SaaS provider and others on comprehensive GDPR readiness advice.
  • A global provider of financial services software on formulating and implementing a CCPA program for current and contemplated products and services.
  • A global software provider on strategic guidance regarding compliance with U.S. federal and state education law.
  • A global retailer regarding the post-acquisition integration of the acquired company’s consumer data and how to leverage the data for marketing intelligence and other purposes.
  • A global financial services provider regarding privacy legal risks associated with implementing novel actions to protect company systems and customer data.
  • A global provider of education services in formulating a global privacy compliance strategy in connection with the rollout of a new product.
  • An institution of higher education on implementing a GDPR program and discrete advice on the EU ePrivacy Directive, including a comprehensive privacy policy update.
  • A global provider of services to the financial services sector on Board training on the evolving role of corporate boards in understanding and accountability for cyber and data security risk.
  • A global provider of cloud-based software-as-a-service to the life sciences and pharmaceutical sectors regarding compliance with EU privacy law frameworks.
  • An EU-based multinational luxury goods company in formulating its strategy for compliance with state and federal employee privacy laws for its global employee training program.
  • A UK-based operator of a child-directed educational website in performing a comprehensive privacy impact assessment concerning the development and implementation of a Children’s Online Privacy Protection Act (COPPA)-compliant privacy and data security program.
  • A Silicon Valley technology company concerning the development of its privacy compliance strategy during development and deployment of cutting-edge digital products and services, with a particular focus on COPPA.
  • A provider of fraud detection services regarding integration of an evolving international geolocation standard into its emerging line of products and services.
  • A global e-commerce trade association regarding the development of comprehensive, practical behavioral advertising and other online privacy guides.
  • A global industry trade group regarding the creation of electronic retail transaction contract templates with a focus on customer data management and security for call center, distribution and order fulfillment.
  • Various mutual funds, hedge funds and investment advisors in drafting information security programs and counseling with regard to state and federal data privacy and security rules.