Edward R. McNicholas
ED MCNICHOLAS, a co-leader of Sidley’s Privacy, Data Security, and Information Law practice, has an extensive practice representing technologically-sophisticated clients facing complex cybersecurity, information technology, privacy and related constitutional issues. Commended by The Legal 500 US for his “deep knowledge of privacy and information security,” Ed spearheads Sidley’s cybercrime focus and has significant experience with litigation and counseling matters involving privacy and data protection, electronic surveillance, cloud computing, the Internet of Things, trade secrets, online advertising, social media, big data/data science, and national security.
Ed is frequently recognized as a leader in his field. In addition to his inclusion in The Legal 500 US, Ed has been named in a Computerworld survey of “Best Privacy Advisers” as one of the “Top 25 Privacy Experts” in the country and has been included in The International Who’s Who of Internet, e-Commerce & Data Protection Lawyers since 2011. Chambers USA has included Ed in its rankings of the country’s Leading Lawyers since 2008 and notes that he “impresses sources with his outstanding knowledge and responsive service . . . handling complex privacy matters in his trial and appellate practice.” Chambers Global has recognized the global reach of Ed’s data protection practice since 2011. Chambers also has commended Ed in its nationwide litigation rankings for e-discovery.
Reflecting the breadth of Ed’s practice, his recent experience includes:
Representing major retailers experiencing congressional, litigation, and investigative challenges after cybersecurity attacks including in Moyer v. Michaels Stores, Inc., 2014 WL 3511500 (N.D. Ill. 2014) and Frank v. The Neiman Marcus Group, No. 1:14-cv-233 (E.D.N.Y. 2014).
Assisting corporations with preparation for and responses to sophisticated cybersecurity incidents.
Advising U.S. companies on cross-border data transfer and cloud computing issues.
Prior to joining Sidley, Ed served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Ed has developed unique experience representing clients in the midst of media-driven legal challenges. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents.
Litigation and Investigations
Ed leads internal investigation and litigation matters that frequently involve complex, multi-jurisdictional, and multi-national litigation issues, particularly federal court jurisdictional and constitutional concerns related to the First and Fourth Amendments. He also has extensive experience in the use of Internet and financial forensics, the investigation of sophisticated international frauds and complex electronic discovery issues. His internal investigation and regulatory investigations experience includes:
- Defense of a medical device manufacturer victim of an APT foreign national state attack aimed at R&D servers, including related defense of state attorney general inquiries.
- Investigation of potential wiretapping allegations at major consumer financial services company.
- Investigation and assertion of claims regarding electronic communications surveillance among the owners of a major professional sports franchise.
- Guidance to a U.S. critical infrastructure provider during a foreign national cybersecurity attack.
- Response to an information security intrusion at a major e-commerce site involving tens of millions of consumer records and related global data protection authority inquiries.
- FTC and State Attorney General investigations involving data breaches, consumer protection, and privacy issues, as well as other unfair or deceptive business practices.
He has litigated several matters before federal and state courts as well as regulatory agencies, and has considerable experience with regulatory proceedings involving the FTC, State Attorneys General, the Securities and Exchange Commission, and other government investigations. A sampling of his major litigation representations includes:
- Adheris v. Sebelius (D.D.C. 2013) – Successful constitutional challenge to HIPAA/HITECH refill reminder regulations.
- Kelley v. Federal Bureau of Investigation (D.D.C. 2013) – Represent plaintiffs in privacy litigation.
- In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (2012) – Defended Internet advertising company, PointRoll, in litigation regarding cookies and browser settings.
- MDL 1791: In re National Security Agency Telecommunications Records Litigation - (N.D.Cal. and 9th Cir. 2006-12) Defense of AT&T against constitutional and statutory claims in multiple purported class actions related to alleged national security programs, resulting in dismissal of all claims.
- MeadWestvaco Corporation v. Rexam PLC (E.D.Va. 2010-11) – Represented party regarding effect of French blocking statute on U.S. discovery requirements.
- Turner v. Rogers (U.S. 2011) – Represented amici Legal Aid Society of D.C. et al. in significant right to counsel appeal.
- Accusearch v. Federal Trade Commission (10th Cir. 2008) – Representation of the Office of the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.
- Menges v. Walgreen Co. v. Blagojevich (Illinois state and federal courts. 2005-09) - Defense of Walgreens in suits related to whether pharmacists must dispense Plan B emergency contraception.
- Crawford v. Marion County Election Board (U.S. 2008): Represented the National Law Center on Homelessness and Poverty and a coalition of other national homelessness groups as amici curiae in this significant challenge to voter identification requirements.
- Disability Rights Council v. WMATA (D.D.C. 2005-08) - Defense of former paratransit provider in class action lawsuit alleging systematic ADA violations, where Sidley prevailed against a motion to implead our client into the class action.
- City of New York v. Fifth Avenue Presbyterian Church (S.D.N.Y., 2d Cir., U.S., 2002-07) – Successfully represented the Fifth Avenue Presbyterian Church in a dispute over its homeless ministry.
- Sylvia’s Haven, Inc. v. Massachusetts Development Finance Agency (D. Mass, 2005; 1st Cir. 2006) Represented Sylvia’s Haven, Inc. in appeal of base closure issues.
- AT&T Corp. v. 2PrePaid Inc. (M.D. Fla. 2006) - Obtained damages and permanent injunction against unlawful Internet sales of counterfeit AT&T prepaid calling cards.
- Boothe v. Hanson (Texas District Court 2005) - Obtained a blanket injunction against an elusive Internet critic in a case involving extensive use of Internet forensics. See “As Angry Patients Vent Online, Doctors Sue to Silence Them,” Wall Street Journal, Sept. 14, 2005.
- AT&T v. Sprint (S.D.N.Y. 2004): Represented AT&T in unfair competition and trademark litigation.
- AT&T Corp. v. CyberTelecom, Inc. (S.D. Fla. 2004) - Obtained preliminary and permanent injunctions against Internet distribution of counterfeit prepaid calling cards in a case involving extensive Internet forensic evidence.
- In re Microsoft Corp. Antitrust Litigation, MDL No. 1332 (D. Md. 2000-03) - Represented Microsoft in competitor class actions including those brought by Netscape and Burst.
- Physicians Interactive v. Lathian Systems, Inc. (E.D. Va. 2003) - Obtained preliminary injunction for plaintiffs alleging hacking of computer systems in order to obtain trade secrets.
- Globalsantafe Corp. v. Globalsantafe.Com (E.D. Va. 2003) - Developed and prevailed on a novel theory of in rem jurisdiction that asserted U.S. jurisdiction to enforce its resolution of an Internet domain name dispute regardless of a directly contradictory order from a court in South Korea.
- Al-Abood v. El-Shamari (E.D. Va.; 4th Cir. 2000) - Affirming jury verdict Sidley won on a variety of fraud theories related to complex international investments.
- For several telecommunication and Internet companies, providing analysis, advice and regulatory counseling regarding major U.S. and international privacy and data security laws and regulations, including ECPA, CFAA, COPPA, GLBA, the FCRA, and unfair or deceptive trade practice restrictions.
- Advising critical infrastructure providers on cybersecurity risks and the response to such attacks.
- Counseling several branded pharmaceutical manufacturers on a range of privacy compliance issues.
- Advising one of the largest participants in the payment card system regarding federal and state data security requirements.
- Representing a major Internet retailer in connection with data breach reporting obligations under U.S. and international statutes.
- For major media companies, analyzing compliance with U.S. and international privacy and data security laws and regulations, including advertising restrictions and children’s privacy.
- Directing due diligence on the privacy aspects during acquisitions of companies providing gaming platforms, electronic payment systems and online training.
Ed is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He currently serves on the Advisory Board for the BNA Privacy & Security Law Report and one of his articles received a 2010 Burton Award for Legal Achievement. His books and recent contributions to treatises include:
- Cybersecurity: A Practical Guide to the Law of Cyber Risk, PLI Treatise (forthcoming 2015) (general editor with Vivek Mohan)
- Federal Trade Commission Enforcement of Privacy and Data Security, 500 Privacy & Data Security Practice Series (Bloomberg BNA 2014) (with Andrew Strenio, and Clayton Northouse).
- Privacy and Security Issues in Cloud Computing, 520 Privacy & Data Security Practice Series (Bloomberg BNA 2014) (with William Long, Yuet Ming Tham, Mark Kaufmann, and Colleen Brown).
- "U.S. Efforts to Change Leak Laws," in Whistleblowers, Leaks and the Media (2014).
- "Health Information Privacy and Security," 505 Privacy & Data Security Practice Series (Bloomberg BNA 2014) (co-author with lead author Anna Spencer).
- “Autonomy: The Key Theory for Understanding the Evolution of US Privacy Law,” in Privacy and Surveillance Legal Issues (2014).
- “Privacy And Security,” in Successful Partnering Between Inside and Outside Counsel (2013) (co-author of a chapter on working together on privacy and security to achieve client objectives).
- Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (2011) (contributor) (ABA Section of Science and Technology Law publication).
- “Privacy and Security,” in Business and Commercial Litigation in Federal Courts (3d Ed. 2011) (co-author of chapter on implications of privacy and data security laws for commercial litigation).
Many of his articles are collected on the Privacy, Data Security and Information practice page, available at www.sidley.com/InfoLaw, including:
- “Broker-dealers need to respond to recent focus on cybersecurity threats,” in the Journal of Investment Compliance (2014) (with David S. Petron and Michael D. Wolk).
- "European Court of Justice Finds 'Right to be Forgotten' and Compels Google to Remove Links to Lawful Information," in the NY Business Law Journal (Summer 2014) (co-author with William Long et al.).
- "White House Releases NIST Cybersecurity Framework," Harvard Law School Forum on Corporate Governance and Financial Regulation (February 2014).
- “Cybersecurity Insurance to Mitigate Cyber-Risks and SEC Disclosure Obligations,” BNA’s Privacy & Security Law Report (August 19, 2013).
- “Standing to Challenge Statutory Violations of Privacy Laws After First American Finance Corporation v. Edwards,” BNA’s Privacy & Security Law Report (July 23, 2012) (with Jonathan Adams).
- “Rapid Data Breach Reporting Now Required By Vermont’s Attorney General,” BNA’s Privacy & Security Law Report (June 18, 2012) (with Ryan Sandrock).
- “Regulated Social Media: Practical Advice for Addressing Evolving Technologies in Regulated Industries,” BNA’s Privacy & Security Law Report (June 14, 2010) (with Sabrina Ross).
- “An Uneasy Peace: Maine’s Act to Prevent Marketing to Minors and the Continuing Problems of Privacy for Children and Teens,” BNA’s Privacy & Security Law Report (September 14, 2009) (with Colleen Rutledge).
- “End of the Notice Paradigm?: FTC’s Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements,” BNA’s Electronic Commerce & Law Report (July 15, 2009) (with Alan Raul et al.).
- “Reconciling European Data Privacy Concerns with US Discovery Rules: Conflict and Comity,” Global Competition Litigation Review (July 2009) (with Alan Raul et al.).
- “National Security Letters: Practical Advice For Understanding and Handling Exceptional Requests,” BNA Privacy & Security Law Report (March 30, 2009).
- “Competitive Privacy: Towards A New Area of Privacy Litigation?” IAPP Privacy Tracker (July/August 2008) (with Jennifer Tatel).
- “A Path to Resolving European Data Protection Concerns With U.S. Discovery,” Privacy and Security Law (October 2007) (with Stan Crosley, Alan Raul and Julie Dwyer).
Ed frequently advises organizations that combat homelessness regarding complex constitutional issues at both the trial and appellate levels and before legislative bodies. His work for such organizations contributed substantially to the firm being awarded the 2004 and 2014 Counsel Pro Bono Award by the National Law Center on Homelessness and Poverty.
Ed also regularly represents religious institutions on constitutional and other legal issues. He is a national co-chair of Sidley’s Religious Institutions practice, which the New York Times recognized as representing “some of the country’s largest religious organizations.” He was awarded the 2010 Thurgood Marshall pro bono counsel prize by Muslim Advocates for innovative litigation to protect civil liberties.
- “Cyber-risk Oversight: Emerging Trends and Considerations for Directors,” NACD Advisory Councils (Washington, D.C., March 31, 2015).
- “Cybersecurity: Practical Considerations for Legal and Compliance,” SIFMA Compliance & Legal Society 2015 Annual Seminar (Phoenix, Ariz., March 16, 2015).
- “The Stakes Are Going Up: Hacking and the New Paradigm of Data Breaches” (ACA Webcast, March 12, 2015).
- “FTC and State AG Enforcement,” Sidley Privacy & Cybersecurity Roundtable (Washington, D.C., March 3, 2015).
- “Commerce and Competition in the Internet Age,” Center for American Progress Panel for the German Industry and Trade Representation (Washington, D.C., January 27, 2015).
- "Cyber Incident Investigations," EEI Conference on Cybersecurity Law for Utilities (New York, N.Y., October 24, 2014).
- "Cybersecurity: New Privacy Laws and New Threats From Organized Crime and Nation States," ABA 3rd International White Collar Crime Institute (London, October 14, 2014).
- "Cybersecurity: Trends, Incident Response, Remediation and Disclosures," ACA Fall Compliance Conference (San Diego, Calif. October 9, 2014).
- "Cybersecurity, Data Protection and Privacy,” OFII General Counsel Conference (Washington, D.C., September 18, 2014).
- “Cyber Security – What You Need to Know,” SIFMA Compliance and Legal Society Annual Seminar (Orlando, Fla., April 2014).
- "Cybersecurity: Managing Risk Around New Data Threats," Ethisphere (Webinar, January 2014).
- “An International Perspective on Health Care Privacy and Security,” Presentation at the American Conference Institute 3rd Annual Health Care Privacy and Security Forum (New York, N.Y., May 23, 2013).
- “Privacy, Data Security and Cyber-Compliance,” St. Louis General Counsel Roundtable (May 6, 2013).
- “The U.S. Approach to Liability Online,” IELE presentation at the University of California, Berkeley School of Law (Berkeley, Calif., May 1, 2013).
- “Cyber Regulation and Insurance,” Bloomberg BNA (Webinar, April 3, 2013).
- “At the Ready: Preparing U.S. Organizations for the Proposed EU Regulation,” IAPP Global Privacy Summit (Washington, D.C., March 8, 2013).
- “Privacy & Data Protection,” SIFMA Compliance & Legal Society (Phoenix, Ariz., March 20, 2013).
- “Cellular Phones and Mobile Privacy,” Information Society Project at Yale Law School, Location Tracking and Biometrics Conference (New Haven, Conn., March 3, 2013).
- “Cloud Computing: Understanding and Mitigating the Risks, Utilizing the Latest Security Controls and Ensuring Protection ‘In the Cloud’,” Conference on the Privacy and Security of Consumer and Employee Information (San Francisco, Calif., July 2012).
- “Navigating Global Privacy & Information Laws,” Sidley privacy workshops (Singapore, Hong Kong, and Tokyo, November 2012).
- “Toward a Safe Harbor for the Cloud,” iTech Law European Conference (Rome, October 2012).
- “Best Practices for Social Media at Pharmaceutical Communications,” Sidley Life Sciences Data Privacy Day (Palo Alto, Calif., April 2012).
- “Ethical Privacy,” IAPP Privacy Academy (Dallas, Texas., September 2011).
- “Privacy Litigation: The Evolution in Theories,” IAPP Privacy Academy (Baltimore, MD., September 2009).
- “Privacy in a Time of Change,” Twin Cities Privacy Retreat (St. Paul, Minn., January 15, 2009).
- “Minimizing the Weight of Regulation,” Security Standard Conference (Chicago, September 2007).
- “U.S. and International Legal Standards for Information Security,” 2006 IAPP Privacy Academy (Toronto, October 2006).
- “Why Privacy Matters — Protecting Your Reputation, Practice and Clients,” AICPA National Conference on Fraud and Litigation Services (Las Vegas, Nev., September 2006).
- “Anatomy of a Data Breach,” Sidley Austin Global Privacy and Information Law Conference (San Francisco, Calif., September 2006).
- “Privacy: The Importance of Getting It Right,” 2006 CSO Perspectives Conference (Orange County, Calif., March 2006).