Colleen Theresa Brown

COLLEEN BROWN is a nationally recognized lawyer with an increasing focus on AI. She provides strategic advice on digital risk management for a diverse range of companies, including those in the financial, insurance, life sciences, tech, energy, telecommunications, media, retail, and manufacturing sectors. Her clients turn to her for compliance advising, digital governance, investigations, litigation and regulatory enforcement defense, and crisis management related to AI, privacy, cybersecurity, and incident response.

“Her technical expertise is really great.”
Chambers Global 2025

Colleen is widely viewed as a thought leader and go-to counsel in privacy and cybersecurity law, having developed an exceptional track record for steering her clients through their most challenging matters and achieving excellent results. She is ranked by Chambers USA (Nationwide, 2022–2025) and Chambers Global (USA, 2023–2025) in the Privacy & Data Security: Privacy and Privacy & Data Security: Cybersecurity categories. In the 2025 edition of Chambers USA, clients praised Colleen as “superb counsel” and that she “bridges the gap between legal and IT.” Global Data Review named her to its 2022 “Women in Data” list, The Lawyer Network recognized her as “Cybersecurity Lawyer of the Year” in Washington, D.C. (2021–2022), and Euromoney’s Women in Business Law listed her as one of the world’s leading female practitioners in Privacy and Data Protection (2022). Washingtonian named Colleen among its “Top Lawyers” for cybersecurity in our nation’s capital (2018, 2024). She is also a recommended lawyer by Legal 500 United States. for Cyber Law (including Data Privacy and Data Protection) (2024–2025), which notes, “Colleen Brown demonstrates ‘confidence in making judgment calls on complex issues.’”

Colleen is a Certified Information Privacy Professional (CIPP)/United States and a certified Artificial Intelligence Governance Professional (AIGP) through the International Association of Privacy Professionals (IAPP). She is on the Advisory Boards of the Electronic Privacy Information Center and the Future of Privacy Forum in her personal capacity, and at Sidley she serves on the Steering Committee of the firm’s AI Working Group.

Colleen's counseling experience includes cyber risk and data breach management, corporate data protection and privacy compliance programs, international data protection and cross-border transfer, applied and generative AI, Big Data, Internet of Things, electronic surveillance, trade secrets, social media, cloud computing, and online brand protection. She also has significant experience in counseling and strategy under CAN-SPAM, CCPA, CFAA, COPPA, ECPA, ESIGN, FCRA, FOIA, GDPR, GLBA, HIPAA, the Privacy Act, TCPA, Unfair and Deceptive Trade Practices, state privacy laws, and common law claims including defamation and privacy torts. Additionally, Colleen addresses privacy regulations and enforcement in federal agencies including the Federal Trade Commission (FTC) and the Federal Communications Commission, and she advises on industry self-regulation on privacy matters, including those related to online advertising and PCI DSS compliance.

In addition to counseling and litigation related to data protection, Colleen's work also includes counseling and negotiation of data-driven agreements, privacy and cybersecurity diligence, and integration planning for mergers and acquisitions. She is sought after nationwide for her deep experience in assessing privacy and cybersecurity risk in acquisitions.

At Sidley, Colleen co-founded Women in Privacy® (WIP), a networking group for women working as in-house counsel, compliance officers, and other professionals in the field of privacy. WIP holds regular meetings in the U.S. and the EU and is dedicated to thought leadership for women privacy professionals. She is a frequent speaker, writer, and commenter on privacy and cybersecurity legal developments affecting all industries, and the chief editor of the Sidley Blog Data Matters.

The following representative types of matters are illustrative of the breadth of Colleen’s practice:

• Privacy, cybersecurity, and AI litigation, regulatory investigations, and compliance counseling.
• Assisting corporations with preparation for and responses to sophisticated cybersecurity incidents.
• International data protection compliance programs and cross-border transfers.
• FTC and State Attorneys General investigations involving privacy, data security, and unfair or deceptive business practices.
• Diligence counseling for mergers related to data and privacy risks, and post-merger integration.
• Counseling for privacy and data protection compliance and risk mitigation in Big Data analytics and emerging technologies.

Regulatory

• Providing strategic counseling on confidential generative AI initiatives for several Fortune 100 Companies, including those in the manufacturing, technology, life sciences, and financial sectors. Colleen has provided critical guidance on AI governance, data rights considerations, emerging AI regulation — including extraterritorial impact of the EU AI Act on U.S. companies — and privacy and cybersecurity risk management.
• Counseled a tech company on evolving privacy and cybersecurity laws and regulation, including for compliance with new state privacy laws and changes to European data protection and international transfer obligations in the wake of the EJF Schrems II decision. Worked closely with client on its cybersecurity preparedness, including support for a new bug bounty program and evaluations of significant changes in the industry flowing from President Biden’s 2021 Cybersecurity Executive Order.
• Advised a large international pharmaceutical company on the development and implementation of a global privacy program, including assisting the company with its data mapping activities, drafting all necessary privacy policies, notices, assessments and procedures, reviewing vendor contracts, developing template contractual provisions and minimum information security requirements for vendors, and advising on international transfers, including in the context of Schrems II.
• Counseled Northwestern University in developing its testing and tracing policies to open the university, which required balancing privacy interests while mitigating university health risks during the COVID-19 pandemic.
• Advised a foundation in the development of a platform during the pandemic that assists in mitigating PPE supply chain issues at the local level.
• Provided strategic counseling to U.S. Digital Response, a volunteer-powered, non-partisan effort to help governments respond to the COVID-19 pandemic crisis by leveraging technology, data, communications, and other digital initiatives. This led to the development of a model data protection addendum for government use in the development of exposure alerting applications and systems published by MIT’s Computational Law Report.
• Defended a major financial institution in regulatory inquiry by the New York Department of Financial Services in connection with their review of compliance with the DFS Cybersecurity Regulations in the wake of a data security incident.
• Defended a major department store in connection with an FTC civil investigation of allegations of FCRA noncompliance. The matter was closed without enforcement action.
• Advised a major luxury retailer on new privacy law compliance, data security incident preparedness and response, and regulatory defense and litigation for privacy and cybersecurity matters, including in the wake of data security incidents.
• Advised a large regional energy company on cybersecurity incident response, as well as on privacy law compliance in light of new state law requirements and crisis preparedness, considering new executive order cybersecurity requirements for the critical infrastructure sector.

Litigation

• Represented Kroger Co. with regard to the Accellion data breach, which involved a complex supply chain data security incident and response, as well as class action claims attempting to press a novel theory of liability for downstream customers of a compromised vendor.
• Represented a large retailer in class action litigation regarding electronic communications on websites owned by the client in violation of state wiretapping and privacy laws. The plaintiff sought to represent a class consisting of more than 5,000 unique visitors. After removing the case from state court to federal court and an unanswered motion to compel arbitration, plaintiffs voluntarily dismissed the case.
• Represented a medical trade organization in a claim against a vendor for breach of contract and other claims related to a 2020 data security incident.
• Represented a leading “rich-media” internet advertising company in multi-district litigation regarding alleged circumvention of Safari browser privacy settings to enable subsequent online tracking. Also handled related congressional inquiries, as well as non-public discussions with certain regulators. Successfully briefed dismissal and then negotiated a highly favorable class action and state attorney general settlement for this client.
• Represented a meal kit delivery company in the wake of its 2020 data security incident, which has resulted in the dismissal of multiple arbitration cases.

Transactions

• Represented International Game Technology PLC in its US$6.3 billion sale of its gaming & digital business to a newly formed holding company owned by funds managed by affiliates of Apollo Global Management, Inc.
• Represented IDEX Corporation (NYSE: IDEX) in its US$1 billion acquisition of Mott Corporation and its subsidiaries.
• Represented Grove Collaborative, a leading sustainable consumer products company, in its business combination with Virgin Group Acquisition Corp. II (NASDAQ: VGII), a SPAC, with an implied pro forma enterprise value of US$1.5 billion.
• Represented Walgreens Boots Alliance in its agreement to invest US$5.2 billion in VillageMD, which will make Walgreens the first national pharmacy chain to offer full-service primary care practices with primary care physicians and pharmacists co-located at its stores at a large scale.
• Represented Prudential Financial, Inc. in the sale of a US$31 billion portion of its in-force legacy variable annuity block for US$2.2 billion to Fortitude Re, Bermuda’s largest multi-line reinsurer (pending).
• Represented OMERS, the defined benefit pension plan for municipal employees in the Province of Ontario, Canada, in its partnership with Gastro Health, a national leading U.S. platform supporting medical groups specializing in the treatment of gastrointestinal disorders, nutrition, and digestive health.
• Represented Home Partners of America, Inc. in its acquisition by Blackstone Real Estate Income Trust, Inc., an affiliate of The Blackstone Group Inc., in a transaction valued at US$6.0 billion.
• Represented ServiceTitan in its acquisition of Aspire Software, a provider of management software solutions for customers in the landscaping business.
• Represented Primerica, Inc. in its strategic acquisition of 80% of Etelequote Limited’s operating subsidiaries (collectively, e-TeleQuote), which were valued on a pre-debt enterprise basis at US$600 million.
• Represented GIC in connection with its agreement to acquire an indirect 19.9% equity interest in Duke Energy Indiana, a subsidiary of Duke Energy, for a total purchase price of US$2.05 billion.
• Represented Porch.com, Inc. in its business combination with PropTech Acquisition Corporation, a special purpose acquisition company (SPAC), to become a publicly listed company named “Porch Group, Inc.”
• Represented Biodesix, Inc., a Boulder-based biotech company, in connection with its initial public offering of US$72 million.
• Represented MetLife in its pending acquisition of Versant Health from an investor group led by Centerbridge Partners and including FFL Partners for a purchase price of approximately US$1.7 billion.
• Represented affiliates of Siris Capital Group, LLC (sellers) and Pulse Secure, LLC (target company) in the sale of Pulse Secure, LLC to Ivanti, Inc.
• Represented Provation, a provider of procedure documentation and clinical decision software solutions backed by Clearlake Capital Group., L.P. in its acquisition of ePreop, a provider of perioperative SaaS solutions designed to simplify the entire surgical encounter.
• Represented Outset Medical Inc., a private equity-backed medical technology company focused on an innovative dialysis solution, in connection with its initial public offering, which was upsized to nearly US$278 million (including green shoe).
• Represented Walgreens Boots Alliance, Inc. in its agreement to invest US$1 billion in equity and convertible debt in VillageMD, which will primarily be used to fund the opening of full-service doctor offices co-located at Walgreens stores on a large scale.
• Represented Ryan Specialty Group, LLC (RSG) in its definitive agreement to merge with All Risks, Ltd.
• Represented HMS in the acquisition of Accent, a payment accuracy and cost containment business, from Intrado Corporation for US$155 million.
• Represented OMERS Private Equity, the defined benefit pension plan for Ontario’s municipal employees, in its sale of MatrixCare Holdings Inc. to ResMed Operations Inc. for US$750 million.

• Future of Privacy Forum (FPF), Advisory Board
• Women in Privacy^® (WIP), an international networking group for women data protection and privacy professionals
• International Association of Privacy Professionals (IAPP)
• American Bar Association (ABA), Antitrust Law Section and Privacy and Information Security Committee
• ARMA International (International Association for Information Governance Professionals)
• Electronic Privacy Information Center (EPIC), Advisory Board
• Sidley's Working AI group, Member

Colleen advises civil rights and equality organizations through pro bono representations regarding complex constitutional and other general privacy issues. Her work contributed substantially to the firm being awarded the 2010 Thurgood Marshall  Award for Exceptional Pro Bono Service by the Muslim Advocates, a sister entity of the National Association of Muslim Lawyers, for Sidley’s efforts in litigation to protect civil liberties.