Privacy and Cybersecurity

As a top-tier global privacy and cybersecurity law firm, we assist clients with cybersecurity compliance and governance programs, data security litigation and investigations, and multi-jurisdictional regulatory, law enforcement and policy issues. Our lawyers have deep experience in the rapidly developing areas of information security, cyber and technology, advising clients on cutting-edge issues related to the Internet of Things, big data analytics, artificial intelligence (AI), adtech, data governance, data ethics and other innovative business applications. We also work with C-suite executives and corporate boards to address their public disclosure obligations and fiduciary responsibilities to shareholders and other stakeholders.

Few other privacy and cybersecurity law firms can match the depth and breadth of Sidley’s global cyberlaw platform. We bring value to clients in the following ways:

• Integrated Services: We leverage the firm’s vast network of resources and cross-servicing opportunities for our clients, working across offices and disciplines to ensure they benefit from our collective experience. Our cyberlaw team works closely with colleagues from the firm’s Banking and Financial Services, Life Sciences, Litigation, International Trade, Technology and IP Transactions, Telecom and Internet Competition, and Government Strategies practices to provide seamless advice on complex privacy and cybersecurity law issues.
• Cyber Investigations and Litigation: We represent clients on the full scope of investigation, enforcement and litigation arising from cybersecurity incidents. We conduct confidential internal investigations for a diverse range of businesses, often advising on corporate governance issues and compliance programs. Our lawyers have achieved victory in several high-profile class action cases.
• International Regulatory Insight: Members of our team have been involved in the development of cyberlaw regulation and enforcement, having formerly served in senior government roles. We are active in Washington, D.C. with respect to investigations and guidance by the FTC, the expanding cybersecurity agenda of the SEC, state attorneys general and the new White House privacy framework. Our lawyers have in-depth knowledge of EU and UK regulations and have developed strong relationships with a number of European regulators. Lawyers in the group also advise clients regarding privacy law requirements and developments in the Asia Pacific region.
• Industry Advocate: Our privacy and cybersecurity lawyers remain on the leading edge of cyberlaw with innovative thought leadership. In addition to frequent speaking engagements, news alerts, webinars and publications, we keep clients abreast of emerging issues through our industry-leading blog: Data Matters and through organizing many industry privacy and cyber networks and roundtables including Women in Privacy and dplegal. We also provide frequent insights and developments on the California Consumer Privacy Act and the General Data Protection Regulation.

INCIDENT PREPAREDNESS AND RESPONSE PLANS

• Design incident response plans and “play books” in light of a variety of GDPR, CCPA, and other U.S. and international regulatory regimes
• Pre-secure statements of work from forensic providers, PR agencies and credit monitoring providers
• Partner with forensic firms to conduct technical reviews of IT systems and vulnerability mitigation
• Serve as “stand-by” cybersecurity counsel

DATA GOVERNANCE

• Conduct internal cybersecurity governance legal assessments and due diligence on behalf of boards
• Design and implement data governance systems (such as “ethical stewardship” of data) for operational and innovative data use, including risk mitigation for AI deployments
• Design data governance architecture that classifies information by sensitivity and significance
• Deliver operational and board-level training on cybersecurity matters

TABLETOP TESTING

• Develop custom tabletop scenarios based on client’s business needs
• Conduct on-site incident scenario exercise working with stakeholders to assess decision points
• Debrief the client and provide observation, gaps and recommendations
• Team up with forensic firms to provide an added layer of complexity by engaging the IT department

CRISIS MANAGEMENT AND DATA BREACH INCIDENT RESPONSE

• Respond to complex multi-jurisdictional data breaches worldwide, including advanced persistent threats
• Assess legal obligations under various EU, U.S. and international regulations and contractual commitments
• Engage and manage forensic service providers and other service providers
• Liaise with regulators and law enforcement agencies in the EU, U.S. and internationally

CYBERSECURITY INVESTIGATIONS AND LITIGATION

• Defend companies in class, representative or group litigation arising out of data breach incidents
• Respond to enforcement actions brought by EU data protection authorities, the FTC and state attorneys general
• Assist in responding to EU, U.S. and international law enforcement agencies
• Conduct internal investigations on behalf of board of directors with respect to the company’s breach response

CYBERSECURITY IN FINANCIAL SERVICES — CONFIDENTIALITY AND BANK SECRECY

• Advise on cybersecurity obligations under EU and UK financial services laws, including under EU’s Market Abuse Regulations and UK’s Financial Conduct Authority rules and Takeover Code
• Counsel on the U.S.’s Fair Credit Reporting Act and FATCA, the Gramm-Leach-Bliley Act and the Right to Financial Privacy Act, as well as numerous state privacy, data security and data breach statutes

PHARMACEUTICAL, HEALTHCARE AND DIGITAL HEALTH AND WELLNESS

• Provide counsel on cybersecurity obligations under EU laws, including those applicable to clinical trials and UK’s National Health Service
• Advise on cybersecurity requirements under the U.S. HIPAA and HITECH, state and EU data protection requirements for health information

PUBLIC POLICY AND GOVERNMENT STRATEGIES

• Engage with the FTC, Secret Service, Department of Homeland Security, elements of the intelligence community and state attorneys general
• Interact with the European Data Protection Board and data protection authorities in various EU Member States
• Communicate with the UK’s ICO, the National Cybersecurity Centre and the Serious Fraud Office