Partner

Colleen Theresa Brown

- Data Matters

Privacy and Cybersecurity
Commercial Litigation and Disputes
Crisis Management and Strategic Response
Insurance

ctbrown@sidley.com

Washington, D.C. +1 202 736 8465

- Data Matters
- Letter
- A4

COLLEEN THERESA BROWN focuses on privacy, cybersecurity, data protection, and emerging technology issues for a diverse group of companies, including those in the financial, life sciences, energy, telecommunications, media, retail, and manufacturing sectors. She has focused her practice on global data protection compliance, digital governance, litigation and regulatory enforcement actions relating to privacy, cybersecurity, consumer protection issues, data breach response, crisis management, and internal investigations. Colleen is ranked in Chambers Global (USA) (2023) and Chambers USA (2022–2023) as an “Up and Coming” privacy and data security lawyer who “approaches complex legal issues in a practical way.” Global Data Review named her to its “Women in Data” list in 2022, The Lawyer Network recognized her as “Cybersecurity Lawyer of the Year” in Washington, D.C. in 2021 and 2022, and Euromoney’s Women in Business Law listed her as one of the world’s leading female practitioners in Privacy and Data Protection in 2022. Washingtonian named her among its “Top Lawyers” for Cybersecurity in 2019. Colleen is also a recommended lawyer by Legal 500 USA for Cyber Law, which notes, “Colleen Brown demonstrates ‘confidence in making judgment calls on complex issues.’”

Colleen's counseling experience includes cyber risk and data breach management, corporate data protection and privacy compliance programs, international data protection and cross-border transfer, applied and generative Artificial Intelligence, Big Data, Internet of Things, electronic surveillance, trade secrets, social media, cloud computing, and online brand protection. She also has significant experience in counseling and strategy under CAN-SPAM, CCPA, CFAA, COPPA, ECPA, ESIGN, FCRA, FOIA, GDPR, GLBA, HIPAA, the Privacy Act, TCPA, Unfair and Deceptive Trade Practices, state privacy, and common law claims including defamation and privacy torts, privacy regulations and enforcement in federal agencies including the Federal Trade Commission (FTC) and the Federal Communications Commission, and industry self-regulation on privacy matters, including those related to online advertising and PCI DSS compliance. Colleen is a Certified Information Privacy Professional (CIPP)/United States through the International Association of Privacy Professionals (IAPP). She is on the Advisory Boards of the Electronic Privacy Information Center and the Future of Privacy Forum in her personal capacity.

In addition to counseling and litigation related to data protection, Colleen's work also includes counseling and negotiation of data-driven agreements, as well as privacy and cybersecurity diligence, and integration planning for mergers and acquisitions.

At Sidley, Colleen co-founded Women in Privacy^® (WIP), a networking group for women working as in-house counsel, compliance officers, and other professionals in the field of privacy. WIP holds regular meetings in the U.S. and the EU and is dedicated to thought leadership for women privacy professionals. She is also a frequent speaker, writer, and commenter on privacy and cybersecurity legal developments, and the chief editor of the Sidley Blog Data Matters.

Experience

The following representative types of matters are illustrative of the breadth of Colleen’s practice:

Assisting corporations with preparation for and responses to sophisticated cybersecurity incidents.
Privacy and cybersecurity litigation, regulatory investigations, and compliance counseling.
International data protection compliance programs and cross-border transfers.
FTC and State Attorney General investigations involving privacy, data security, and unfair or deceptive business practices.
Diligence counseling for mergers related to data and privacy risks, and post-merger integration.
Counseling for privacy and data protection compliance and risk mitigation in Big Data analytics and emerging technologies.

Regulatory

Counseled a tech company on evolving privacy and cybersecurity laws and regulation, including for compliance with new state privacy laws and changes to European data protection and international transfer obligations in the wake of the EJF Schrems II decision. Worked closely with client on its cybersecurity preparedness, including support for a new bug bounty program and evaluations of significant changes in the industry flowing from President Biden’s 2021 Cybersecurity Executive Order.
Advised a large international pharmaceutical company on the development and implementation of a global privacy program, including assisting the company with its data mapping activities; drafting all necessary privacy policies, notices, assessments and procedures; reviewing vendor contracts; developing template contractual provisions and minimum information security requirements for vendors; and advising on international transfers, including in the context of Schrems II.
Counseled a Northwestern University in developing its testing and tracing policies to open the university, which required balancing privacy interests while mitigating university health risks during the COVID-19 pandemic.
Advised a foundation in the development of a platform during the pandemic that assists in mitigating PPE supply chain issues at the local level.
Provided strategic counseling to U.S. Digital Response, a volunteer-powered, non-partisan effort to help governments respond to the COVID-19 pandemic crisis by leveraging technology, data, communications, and other digital initiatives. This led to the development of a model data protection addendum for government use in the development of exposure alerting applications and systems published by MIT’s Computational Law Report.
Defended a major financial institution in regulatory inquiry by the New York Department of Financial Services in connection with their review of compliance with the DFS Cybersecurity Regulations in the wake of a data security incident.
Defended a major department store in connection with an FTC civil investigation of allegations of FCRA noncompliance. The matter was closed without enforcement action.
Advised a major luxury retailer on new privacy law compliance, data security incident preparedness and response, and regulatory defense and litigation for privacy and cybersecurity matters, including in the wake of data security incidents.
Advised a large regional energy company on cybersecurity incident response, as well as on privacy law compliance in light of new state law requirements and crisis preparedness, considering new executive order cybersecurity requirements for the critical infrastructure sector.

Litigation

Represented Kroger Co. with regard to the Accellion data breach, which involved a complex supply chain data security incident and response, as well as class action claims attempting to press a novel theory of liability for downstream customers of a compromised vendor.
Represented a large retailer in class action litigation regarding electronic communications on websites owned by the client in violation of state wiretapping and privacy laws. The plaintiff sought to represent a class consisting of more than 5,000 unique visitors. After removing the case from state court to federal court and an unanswered motion to compel arbitration, plaintiffs voluntarily dismissed the case.
Represented a medical trade organization in a claim against a vendor for breach of contract and other claims related to a 2020 data security incident.
Represented a leading “rich-media” internet advertising company in multi-district litigation regarding alleged circumvention of Safari browser privacy settings to enable subsequent online tracking. Also handled related congressional inquiries, as well as non-public discussions with certain regulators. Successfully briefed dismissal and then negotiated a highly favorable class action and state attorney general settlement for this client.
Represented a meal kit delivery company in the wake of its 2020 data security incident, which has resulted in the dismissal of multiple arbitration cases.

Transactions

Represented Grove Collaborative, a leading sustainable consumer products company, in its business combination with Virgin Group Acquisition Corp. II (NASDAQ: VGII), a SPAC, with an implied pro forma enterprise value of US$1.5 billion.
Represented Walgreens Boots Alliance in its agreement to invest US$5.2 billion in VillageMD, which will make Walgreens the first national pharmacy chain to offer full-service primary care practices with primary care physicians and pharmacists co-located at its stores at a large scale.
Represented Prudential Financial, Inc. in the sale of a US$31 billion portion of its in-force legacy variable annuity block for US$2.2 billion to Fortitude Re, Bermuda’s largest multi-line reinsurer (pending).
Represented OMERS, the defined benefit pension plan for municipal employees in the Province of Ontario, Canada, in its partnership with Gastro Health, a national leading U.S. platform supporting medical groups specializing in the treatment of gastrointestinal disorders, nutrition, and digestive health.
Represented Home Partners of America, Inc. in its acquisition by Blackstone Real Estate Income Trust, Inc., an affiliate of The Blackstone Group Inc., in a transaction valued at US$6.0 billion.
Represented ServiceTitan in its acquisition of Aspire Software, a provider of management software solutions for customers in the landscaping business.
Represented Primerica, Inc. in its strategic acquisition of 80% of Etelequote Limited’s operating subsidiaries (collectively, e-TeleQuote), which were valued on a pre-debt enterprise basis at US$600 million.
Represented GIC in connection with its agreement to acquire an indirect 19.9% equity interest in Duke Energy Indiana, a subsidiary of Duke Energy, for a total purchase price of US$2.05 billion.
Represented Porch.com, Inc. in its business combination with PropTech Acquisition Corporation, a special purpose acquisition company (SPAC), to become a publicly listed company named “Porch Group, Inc.”
Represented Biodesix, Inc., a Boulder-based biotech company, in connection with its initial public offering of US$72 million.
Represented MetLife in its pending acquisition of Versant Health from an investor group led by Centerbridge Partners and including FFL Partners for a purchase price of approximately US$1.7 billion.
Represented affiliates of Siris Capital Group, LLC (sellers) and Pulse Secure, LLC (target company) in the sale of Pulse Secure, LLC to Ivanti, Inc.
Represented Provation, a provider of procedure documentation and clinical decision software solutions backed by Clearlake Capital Group., L.P. in its acquisition of ePreop, a provider of perioperative SaaS solutions designed to simplify the entire surgical encounter.
Represented Outset Medical Inc., a private equity-backed medical technology company focused on an innovative dialysis solution, in connection with its initial public offering, which was upsized to nearly US$278 million (including green shoe).
Represented Walgreens Boots Alliance, Inc. in its agreement to invest US$1 billion in equity and convertible debt in VillageMD, which will primarily be used to fund the opening of full-service doctor offices co-located at Walgreens stores on a large scale.
Represented Ryan Specialty Group, LLC (RSG) in its definitive agreement to merge with All Risks, Ltd.
Represented HMS in the acquisition of Accent, a payment accuracy and cost containment business, from Intrado Corporation for US$155 million.
Represented OMERS Private Equity, the defined benefit pension plan for Ontario’s municipal employees, in its sale of MatrixCare Holdings Inc. to ResMed Operations Inc. for US$750 million.

Colleen advises civil rights and equality organizations through pro bono representations regarding complex constitutional and other general privacy issues. Her work contributed substantially to the firm being awarded the 2010 Thurgood Marshall Award for Exceptional Pro Bono Service by the Muslim Advocates, a sister entity of the National Association of Muslim Lawyers, for Sidley’s efforts in litigation to protect civil liberties.

Future of Privacy Forum (FPF), Advisory Board
Women in Privacy^® (WIP), an international networking group for women data protection and privacy professionals
International Association of Privacy Professionals (IAPP)
American Bar Association (ABA), Antitrust Law Section and Privacy and Information Security Committee
ARMA International (International Association for Information Governance Professionals)
Electronic Privacy Information Center (EPIC), Advisory Board

Colleen Theresa Brown

Credentials

Admissions & Certifications

Education

Contact