Edward R. McNicholas


1501 K Street, N.W.
Washington, D.C. 20005
+1 202 736 8010

emcnicholas@sidley.com



ED MCNICHOLAS, a co-leader of Sidley’s Privacy, Data Security, and Information Law practice, represents technologically-sophisticated clients facing complex cybersecurity, information technology, privacy and related constitutional issues. Recognized by the National Law Journal as a “Cybersecurity & Data Privacy Trailblazer,” Ed spearheads Sidley’s cybercrime focus and has significant experience with litigation and counseling matters involving privacy and data protection, electronic surveillance, cloud computing, the Internet of Things, trade secrets, online advertising, social media, big data/data science and national security.

Ed is frequently recognized as a leader in his field. He has been commended by The Legal 500 US for his “deep knowledge of privacy and information security,” was named in a Computerworld survey of “Best Privacy Advisers” as one of the “Top 25 Privacy Experts” in the country, and has been included in The International Who’s Who of Internet, e-Commerce & Data Protection Lawyers since 2011. Chambers USA has included Ed in its rankings of the country’s Leading Lawyers since 2008 and notes that he “impresses sources with his outstanding knowledge and responsive service . . . handling complex privacy matters in his trial and appellate practice.” The 2015 edition of Chambers USA recognized Ed as a lawyer who “can help you to put any issue quickly into context” and who has substantial experience in investigations and contentious matters. Chambers Global has recognized the global reach of Ed’s data protection practice since 2011. Chambers also has commended Ed in its nationwide litigation rankings for e-discovery. Most recently, in 2016, the Washingtonian named Ed in its inaugural listing of best Cybersecurity lawyers, and the Cybersecurity Docket included Ed on its inaugural “Incident Response 30” list of the nation’s best cybersecurity and data breach response lawyers.

Reflecting the breadth of Ed’s practice, his recent experience includes:

  • Representing international Internet Cross Community Working Groups with respect to the historic and widely-followed transition of the Internet domain name system away from US Government control to private governance by a Multistakeholder community within ICANN.
  • Representing major retailers experiencing congressional, litigation, and investigative challenges after cybersecurity attacks including in Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D. Ill. 2014) and Frank v. The Neiman Marcus Group, No. 1:14-cv-233 (E.D.N.Y. 2014).
  • Assisting corporations with preparation for and responses to sophisticated cybersecurity incidents. 
  • Advising U.S. companies on EU cross-border data transfer and cloud computing issues.
  • Helping insurance, automotive, and Internet companies formulate big data governance programs for systems that generate actionable insights and enhance customer choice while mitigating legal risk.

Prior to joining Sidley, Ed served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Ed has developed unique experience representing clients in the midst of media-driven legal challenges. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents.


Litigation and Investigations

Ed leads internal investigation and litigation matters that frequently involve complex, multi-jurisdictional, and multi-national litigation issues, particularly federal court jurisdictional and constitutional concerns related to the First and Fourth Amendments. He also has extensive experience in the use of Internet and financial forensics, the investigation of sophisticated international frauds and complex electronic discovery issues. His internal investigation and regulatory investigations experience includes:  

  • Defense of a medical device manufacturer victim of an APT foreign national state attack aimed at R&D servers, including related defense of state attorney general inquiries.
  • Investigation of potential wiretapping allegations at a major consumer financial services company.
  • Investigation and assertion of claims regarding electronic communications surveillance among the owners of a major professional sports franchise.
  • Guidance to a U.S. critical infrastructure provider during a foreign national cybersecurity attack.
  • Response to an information security intrusion at a major e-commerce site involving tens of millions of consumer records and related global data protection authority inquiries.
  • FTC and State Attorney General investigations involving data breaches, consumer protection, and privacy issues, as well as other unfair or deceptive business practices.
  • Conducted investigations of CPNI compliance incidents.
  • Investigated extensive TCPA compliance issues and developed governance structures for Internet, pharmaceutical and healthcare companies.

He has litigated several matters before federal and state courts as well as regulatory agencies, and has considerable experience with regulatory proceedings involving the FTC, State Attorneys General, the Securities and Exchange Commission, and other government investigations. A sampling of his major litigation representations includes:

  • Trinity Lutheran Church v. Pauley, No. 15-577 (U.S. 2016) - Represent amicus U.S. Conference of Catholic Bishops and other religious institutions in amicus brief argument against religious discrimination absent compelling circumstances.
  • Adheris v. Sebelius (D.D.C. 2013) – Successful constitutional challenge to HIPAA/HITECH refill reminder regulations.
  • In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (2012) – Defended Internet advertising company, PointRoll, in litigation regarding cookies and browser settings.
  • MDL 1791: In re National Security Agency Telecommunications Records Litigation - (N.D.Cal. and 9th Cir. 2006-12) Defense of AT&T against constitutional and statutory claims in multiple purported class actions related to alleged national security programs, resulting in dismissal of all claims.
  • Hosanna-Tabor Evangelical Lutheran Church v. EEOC, No. 10-553 (U.S. 2012): Represent various religious institutions amici arguing for the freedom of religious organizations to define their own self-understanding of their ministers.
  • MeadWestvaco Corporation v. Rexam PLC (E.D.Va. 2010-11) – Represented party regarding effect of French blocking statute on U.S. discovery requirements.
  • Turner v. Rogers (U.S. 2011) – Represented amici Legal Aid Society of D.C. et al. in significant right to counsel appeal.
  • Accusearch v. Federal Trade Commission (10th Cir. 2008) – Representation of the Office of the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.
  • Menges v. Walgreen Co. v. Blagojevich (Illinois state and federal courts. 2005-09) - Defense of Walgreens in suits related to whether pharmacists must dispense Plan B emergency contraception.
  • Crawford v. Marion County Election Board (U.S. 2008): Represented the National Law Center on Homelessness and Poverty and a coalition of other national homelessness groups as amici curiae in this significant challenge to voter identification requirements.
  • City of New York v. Fifth Avenue Presbyterian Church (S.D.N.Y., 2d Cir., U.S., 2002-07) – Successfully represented the Fifth Avenue Presbyterian Church in a dispute over its homeless ministry.
  • Sylvia’s Haven, Inc. v. Massachusetts Development Finance Agency (D. Mass, 2005; 1st Cir. 2006) - Represented Sylvia’s Haven, Inc. in appeal of base closure issues.
  • AT&T Corp. v. 2PrePaid Inc. (M.D. Fla. 2006) - Obtained damages and permanent injunction against unlawful Internet sales of counterfeit AT&T prepaid calling cards.
  • Boothe v. Hanson (Texas District Court 2005) - Obtained a blanket injunction against an elusive Internet critic in a case involving extensive use of Internet forensics. See “As Angry Patients Vent Online, Doctors Sue to Silence Them,” Wall Street Journal, Sept. 14, 2005.
  • AT&T v. Sprint (S.D.N.Y. 2004): Represented AT&T in unfair competition and trademark litigation.
  • AT&T Corp. v. CyberTelecom, Inc. (S.D. Fla. 2004) - Obtained preliminary and permanent injunctions against Internet distribution of counterfeit prepaid calling cards in a case involving extensive Internet forensics.
  • In re Microsoft Corp. Antitrust Litigation, MDL No. 1332 (D. Md. 2000-03) - Represented Microsoft in competitor class actions including those brought by Netscape and Burst.
  • Physicians Interactive v. Lathian Systems, Inc. (E.D. Va. 2003) - Obtained preliminary injunction for plaintiffs alleging hacking of computer systems in order to obtain trade secrets.
  • Globalsantafe Corp. v. Globalsantafe.Com (E.D. Va. 2003) - Developed and prevailed on a novel theory of in rem jurisdiction that asserted U.S. jurisdiction to enforce its resolution of an Internet domain name dispute regardless of a directly contradictory order from a court in South Korea.
  • Al-Abood v. El-Shamari (E.D. Va.; 4th Cir. 2000) - Affirming jury verdict Sidley won on a variety of fraud theories related to complex international investments.

Counseling and Regulatory

  • Counseling major U.S. and global companies on the invalidation of the U.S.-EU Safe Harbor and the new EU General Data Protection Regulation.
  • Representing Internet companies on public policy issues regarding the benefits of consumer encryption.
  • For several telecommunication and Internet companies, providing analysis, advice and regulatory counseling regarding major U.S. and international privacy and data security laws and regulations, including ECPA, CFAA, COPPA, GLBA, the FCRA, and unfair or deceptive trade practice restrictions. 
  • Developed innovative data governance structures for several “big data” / data science projects.
  • Advising one of the largest participants in the payment card system regarding federal and state data security requirements. 
  • Advising several investment advisors and hedge funds with respect to rapidly evolving cybersecurity rules.
  • Represented several major Internet, retailer, pharmaceutical, financial services and telecommunications companies in connection with several hundred data security incidents that required analysis of breach reporting obligations under U.S. and international statutes.
  • Developing incident response plans for a wide range of companies including major retail pharmacies, insurance, telecommunications, hedge funds and critical infrastructure providers.
  • Counseling several branded pharmaceutical manufacturers on a range of privacy compliance issues. 
  • For major media companies, analyzing compliance with U.S. and international privacy and data security laws and regulations, including advertising restrictions and children’s privacy. 
  • Directing due diligence on the privacy aspects during acquisitions of companies providing gaming platforms, electronic payment systems and online training.

Transactional Experience

  • Advised PayPal Inc. with respect to privacy and data security issues in its acquisition of Xoom Corporation (NASDAQ:XOOM), a leading international digital money transfer provider for $890 million in cash, as well as its acquisitions of Paydiant, which helps retailers operate mobile wallets; Zong SA, which processes mobile payments; Modest, a Swiss mobile payments platform; and CyActive, an Israeli cybersecurity company. 
  • Advised the Lagunitas Brewing Company, a U.S. craft brewery, with respect to privacy and data security in its agreement to sell an equity interest to Heineken N.V., one of the world’s largest beer companies.
  • Advised SEGA Networks Inc., an interactive entertainment company, with respect to privacy and data security issues in its acquisition of Demiurge Studios, developer of mobile, console and PC games.

Ed is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He is an editorial advisor to Bloomberg BNA and served on its former Advisory Board for the BNA Privacy & Security Law Report. He was awarded a 2010 Burton Award for Legal Achievement for his writing. His books and recent contributions to treatises include:

  • “CFTC Issues Cybersecurity Rules on System Safeguards Testing Requirements,” Futures and Derivatives Law Report (with Michael Sackheim, Geeta Malhotra and Alison Looman) (2016).
  • “Cybersecurity: A Practical Guide to the Law of Cyber Risk,” PLI Treatise (lead general editor) (2015).
  • “Federal Trade Commission Enforcement of Privacy and Data Security,” 500 Privacy & Data Security Practice Series, Bloomberg BNA (with Andrew Strenio and Clayton Northouse) (2014).
  • “Privacy and Security Issues in Cloud Computing,” 520 Privacy & Data Security Practice Series, Bloomberg BNA (with William Long, Yuet Ming Tham, Mark Kaufmann and Colleen Brown) (2014).
  • “U.S. Efforts to Change Leak Laws,” Whistleblowers, Leaks and the Media (2014).
  • “Health Information Privacy and Security,” 505 Privacy & Data Security Practice Series, Bloomberg BNA (co-author with lead author Anna Spencer) (2014).
  • “Autonomy: The Key Theory for Understanding the Evolution of US Privacy Law,” Privacy and Surveillance Legal Issues (2014).
  • “Privacy And Security,” Successful Partnering Between Inside and Outside Counsel (co-author of a chapter on working together on privacy and security to achieve client objectives) (2013).
  • “Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists,” ABA Section of Science and Technology Law (contributor) (2011).
  • “Privacy and Security,” Business and Commercial Litigation in Federal Courts, 3d Ed. (co-author of chapter on implications of privacy and data security laws for commercial litigation) (2011).

Many of his articles are collected on the Privacy, Data Security and Information practice page, available at www.sidley.com/InfoLaw, including:

  • “Data Security & Cybercrime in the USA,” Lexology Navigator (with Alan Raul et al.) (July 2016).
  • “Considerations for Employers Collecting Health Information,” eHealth Law & Policy (with Anna Spencer) (June 6, 2016).
  • “Broker-dealers need to respond to recent focus on cybersecurity threats,” Journal of Investment Compliance (with David S. Petron and Michael D. Wolk) (2014).
  • “European Court of Justice Finds 'Right to be Forgotten' and Compels Google to Remove Links to Lawful Information,” NY Business Law Journal  (co-author with William Long et al.) (Summer 2014).
  • “White House Releases NIST Cybersecurity Framework,” Harvard Law School Forum on Corporate Governance and Financial Regulation (February 2014).
  • “Cybersecurity Insurance to Mitigate Cyber-Risks and SEC Disclosure Obligations,” BNA’s Privacy & Security Law Report (August 19, 2013).
  • “Standing to Challenge Statutory Violations of Privacy Laws After First American Finance Corporation v. Edwards,” BNA’s Privacy & Security Law Report  (with Jonathan Adams) (July 23, 2012).
  • “Regulated Social Media: Practical Advice for Addressing Evolving Technologies in Regulated Industries,” BNA’s Privacy & Security Law Report  (with Sabrina Ross) (June 14, 2010).
  • “End of the Notice Paradigm?: FTC’s Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements,” BNA’s Electronic Commerce & Law Report (with Alan Raul et al.) (July 15, 2009).
  • “National Security Letters: Practical Advice For Understanding and Handling Exceptional Requests,” BNA Privacy & Security Law Report (March 30, 2009).
  • “Competitive Privacy: Towards A New Area of Privacy Litigation?” IAPP Privacy Tracker (with Jennifer Tatel) (July/August 2008).
  • “A Path to Resolving European Data Protection Concerns With U.S. Discovery,” Privacy and Security Law (with Stan Crosley, Alan Raul and Julie Dwyer) (October 2007).

Memberships & Activities

Ed serves as the Chairman of the Board of Directors for the National Law Center on Homelessness and Poverty and was admitted to the Cosmos Club as “distinguished in Information Privacy law.” Previously, Ed has served on the board of the Washington, D.C. lawyer’s chapter of the American Constitution Society.

Pro Bono

Ed frequently advises organizations that combat homelessness regarding complex constitutional issues at both the trial and appellate levels and before legislative bodies. His work for such organizations contributed substantially to the firm being awarded the 2004 and 2014 Counsel Pro Bono Award by the National Law Center on Homelessness and Poverty.

Ed also regularly represents religious institutions on constitutional and other legal issues. He is a national co-chair of Sidley’s Religious Institutions practice, which the New York Times recognized as representing “some of the country’s largest religious organizations.” He was awarded the 2010 Thurgood Marshall pro bono counsel prize by Muslim Advocates for innovative litigation to protect civil liberties. 

News & Achievements

  • “Critical Issues in Cybersecurity,” IAA’s 2017 Investment Adviser Compliance Conference (March 2, 2017).
  • “Will the Surveillance State Doom Transatlantic Data Transfer? The Future of the U.S. – EU Privacy Shield Agreement,” New York City Bar Association presentation (February 28, 2017).
  • “Preparing for a Cybersecurity Event,” Association of Corporate Counsel In-house Counsel Conference (Universal City, CA, January 17, 2017).
  • “Insurance Industry Cybersecurity and Privacy Roundtable,” Sidley Austin LLP (New York, NY, September 15, 2016).
  • “Bay to Beltway: Why Regulatory Strategy Matters to Innovators,” Sidley Austin LLP Bay Area Life Sciences Roundtable: Crossing the Technology/Life Sciences Divide (San Francisco, CA, April 13, 2016).
  • “Cybersecurity: Considerations for Legal and Compliance,” SIFMA Compliance and Legal Society Annual Seminar (Orlando, FL, March 14, 2016).
  • “Cybersecurity Roundtable,” Credit Suisse Prime Services Leadership Conference (Orlando, FL, March 10, 2016).
  • “Cybersecurity and Data Privacy: Addressing Increasing Risks and Heightened Regulatory Requirements,” Sidley Austin LLP New York City Compliance Roundtable Anti-Money Laundering and Cybersecurity/Data Privacy (New York, February 24, 2016).
  • “Hot Topics in Data Privacy for Pharmaceutical Manufacturers,” DP Legal US Annual Meeting (Indianapolis, IL, November 18, 2015).
  • “Cybersecurity Policy: The Role of the Government,” Privacy + Security Forum (Washington D.C., Oct. 22–23, 2015).
  • Privacy, Data, and Information Security, The Conference Board (Washington, D.C., October 15, 2015).
  • Cybersecurity, Sidley Regulatory Roundtable (Washington, D.C., October 13, 2015).
  • “Cybersecurity,” 15th Annual LICONY Legislative & Regulatory Conference (Cooperstown, NY, October 7–9, 2015).
  • “How New Developments in Privacy Will Impact Litigation,” ACLegal (New Jersey, October 8, 2015).
  • “Cybersecurity & Data Privacy,” OFII (Washington, D.C., October 2, 2015).
  • “FTC Calling? How to Navigate a Data Security Investigation Before, During and After,” IAPP Privacy. Security. Risk. Conference /CSA Congress (Las Vegas, NV, September 30, 2015).
  • “Investment Fund Regulatory Hot Topics,” Sidley Funds Conference (New York, NY, September 17, 2015).
  • “Regulatory Hot Topics,” Sidley Austin LLP Private Funds 2015: Developments and Opportunities (New York, NY, September 2015).
  • “Data Breach Class Cases,” DRI Class Action Seminar (Washington, D.C., July 23–24, 2015).
  • “Cybersecurity Process & Practice for Asset Managers,” Regulatory Compliance Association (Webinar, July 23, 2015).
  • “Cybersecurity Concerns for Senior Managers and Boards of Directors,” Investment Company Institute  (London, UK, July 14, 2015).
  • “Cybersecurity: How Not to Make the Evening News,” Futures Industry Association Law & Compliance Conference (Washington, D.C., June 22, 2015).
  • “Cybersecurity Regulation and Preparedness: Focusing on the Insurance Sector,” Insurance Cybersecurity and Privacy Roundtable (New York, NY, June 1, 2015).
  • “Cybersecurity for Financial Services,” IA Watch Conference (Washington, D.C., May 20, 2015).
  • “Cybersecurity for the Insurance Industry,” ALIC Conference (Breakers, FL, May 18, 2015). 
  • “The Legal Pitfalls of Failing to Develop Secure Cloud Services,” RSA Conference (San Francisco, CA, April 23, 2015).
  • “Cyber-risk Oversight: Emerging Trends and Considerations for Directors,” NACD Advisory Councils (Washington, D.C., March 31, 2015).
  • “Cybersecurity: Practical Considerations for Legal and Compliance,” SIFMA Compliance & Legal Society 2015 Annual Seminar (Phoenix, AZ, March 16, 2015).
  • “The Stakes Are Going Up: Hacking and the New Paradigm of Data Breaches” (ACA Webcast, March 12, 2015).
  • “FTC and State AG Enforcement,” Sidley Privacy & Cybersecurity Roundtable (Washington, D.C., March 3, 2015).
  • “Commerce and Competition in the Internet Age,” Center for American Progress Panel for the German Industry and Trade Representation (Washington, D.C., January 27, 2015).
  • “Cyber Incident Investigations,” EEI Conference on Cybersecurity Law for Utilities (New York, NY,  October 24, 2014).
  • “Cybersecurity: New Privacy Laws and New Threats From Organized Crime and Nation States,” ABA 3rd International White Collar Crime Institute (London, UK, October 14, 2014).
  • “Cybersecurity: Trends, Incident Response, Remediation and Disclosures,” ACA Fall Compliance Conference (San Diego, CA, October 9, 2014).
  • “Cybersecurity, Data Protection and Privacy,” OFII General Counsel Conference (Washington, D.C., September 18, 2014).
  • “Cyber Security – What You Need to Know,” SIFMA Compliance and Legal Society Annual Seminar (Orlando, FL, April 2014).
  • “Cybersecurity: Managing Risk Around New Data Threats,” Ethisphere (Webinar, January 2014).
  • “An International Perspective on Health Care Privacy and Security,” Presentation at the American Conference Institute 3rd Annual Health Care Privacy and Security Forum (New York, NY, May 23, 2013).
  • “Privacy, Data Security and Cyber-Compliance,” St. Louis General Counsel Roundtable (May 6, 2013).
  • “The U.S. Approach to Liability Online,” IELE presentation at the University of California, Berkeley School of Law (Berkeley, CA, May 1, 2013).
  • “Cyber Regulation and Insurance,” Bloomberg BNA (Webinar, April 3, 2013).
  • “At the Ready: Preparing U.S. Organizations for the Proposed EU Regulation,” IAPP Global Privacy Summit (Washington, D.C., March 8, 2013).
  • “Privacy & Data Protection,” SIFMA Compliance & Legal Society (Phoenix, AZ, March 20, 2013).
  • “Cellular Phones and Mobile Privacy,” Information Society Project at Yale Law School, Location Tracking and Biometrics Conference (New Haven, CT, March 3, 2013).
  • “Cloud Computing: Understanding and Mitigating the Risks, Utilizing the Latest Security Controls and Ensuring Protection ‘In the Cloud’,” Conference on the Privacy and Security of Consumer and Employee Information (San Francisco, CA, July 2012).
  • “Navigating Global Privacy & Information Laws,” Sidley privacy workshops (Singapore, Hong Kong, and Tokyo, November 2012).
  • “Toward a Safe Harbor for the Cloud,” iTech Law European Conference (Rome, Italy, October 2012).
  • “Privacy in a Time of Change,” Twin Cities Privacy Retreat (St. Paul, MN, January 15, 2009).
  • “Minimizing the Weight of Regulation,” Security Standard Conference (Chicago, IL, September 2007).
  • “Why Privacy Matters — Protecting Your Reputation, Practice and Clients,” AICPA National Conference on Fraud and Litigation Services (Las Vegas, NV, September 2006).
  • “Privacy: The Importance of Getting It Right,” 2006 CSO Perspectives Conference (Orange County, CA, March 2006).