Companies of all sizes and focus are facing these types of privacy- and cyber-related challenges at a rapidly increasing clip. Our lawyers have extensive experience in addressing cutting-edge cybersecurity risks for companies engaged in critical operations:
- Complying with a complicated lattice of federal and state legislation and cyber and privacy regulations, including the U.S. Department of Justice’s Bulk Data Transfer Rule
- Responding to criminal ransomware attacks and espionage
- Preparing for and defending against class action and derivative actions related to cyber incidents
- Assisting clients with the integration of Artificial Intelligence (AI) with existing systems and personnel
- Working alongside clients on complex business transactions involving secure transfer of oceans of sensitive customer data and intellectual property
- Assisting clients with management of cyber risk consistent with the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Preparing the board of directors on cyber hygiene best practices and on preparation for and response to cyber incidents
Our engagements span the gamut of critical infrastructure sectors.
We provide proactive counseling and compliance assessments as well as reactive incident response, internal reviews and government investigations, administrative agency engagement, and litigation. Based on our extensive practice for companies that need to protect sensitive corporate and personal data, we have developed a depth of knowledge about the rapidly evolving legal standards for cybersecurity across the United States ― at the federal and state levels ― as well as in Europe, Asia Pacific, and across the globe. Sidley has advised a broad range of companies in numerous industry sectors on how to prepare for, prevent, and respond to major cyberattacks and data breaches, including engagement with federal law enforcement and the intelligence community in the United States and globally.
Investigations and Enforcement Actions
A company victimized by a data breach can quickly become the target of state or federal investigation. For instance, a retailer that maintains credit card information may suffer a data breach, and the Federal Trade Commission (FTC), state attorneys general, and congressional committees ― not to mention numerous European Data Protection Authorities and other international privacy and cybersecurity regulators ― may open investigations into the company’s response to the incident and its data security practices. At the same time, the Federal Bureau of Investigation (FBI), U.S. Secret Service, and self-regulatory entities, such as the Payment Card Industry, may become involved in the investigation ― which could lead to additional complications for the company. Companies must ensure they are prepared for such potential challenges, investigations, and consequences and understand the benefits and risks of engagement with various governmental entities. Sidley can help.
Data Breaches
Data breaches can be devastating ― clients’ sensitive personal data hijacked and exposed ― with potentially huge financial liability for the company, coupled with business disruption and debilitating reputational harm. Sidley helps clients to prepare for that zero-day vulnerability and its aftermath ― remediation, litigation (including defending class actions and derivative actions), ransomware response, internal investigations, congressional, state, and international investigations, as well as crisis management calibrated to the incident.
For example, Sidley represents two major retailers that have suffered significant, highly publicized data security incidents, including defense of litigation, managing forensic investigations, and congressional testimony. Whatever the industry ― retail, financial services, healthcare, communications, technology, consulting, transportation, or other critical infrastructure sectors ― companies face a myriad of breach notification and data security compliance requirements. Sidley’s practice is well known because our privacy counselors and regulatory lawyers are the litigators; there is no need for the regulatory lawyers to teach the litigators. And we litigate the initial actions with knowledge of the complicated potential for collateral litigation with various governmental and self-regulatory entities. Our lawyers can navigate and anticipate the relevant legal requirements in responding to complicated information security incidents and draw from a wealth of experience to rapidly deploy investigation, crisis management, and public communications strategies to discover the scope of the problem and respond to government inquiries in a consistent and coherent way.
Preparation: Identifying, Protecting, Detecting, Responding, and Recovering from Cyberattacks
Cybersecurity is a key corporate governance issue for all organizations, regardless of sector or size. Beyond federal law compliance issues, and although state law requirements relating to directors and cyber governance vary, a string of high-profile cyberattacks across the globe highlights the importance of boards ― irrespective of jurisdictional location ― understanding and managing their organization’s cyber exposures.
The best time to prepare for a cyberattack is before the incursion begins. Sidley assists with the assessment of cyber vulnerability using toolkits and methodologies to review the legal aspects of cyber risks in different business sectors, ranging from due diligence prior to a merger and acquisition transaction, through the creation of cyber risk and contract registers to advise on governance and board responsibilities. We advise on compliance with international, federal, and state privacy and data security laws and regulations, as well as industry standards and best practices. We are able to offer companies a comprehensive look at their information management and security practices, and recommend necessary steps to comply with the law and to ensure greater protections by implementing best practices. Sidley often provides this type of counsel in the context of legal/regulatory compliance and transactional counseling. This includes the design of protocols for data security, sharing and use of data, eDiscovery readiness, records retention, and defensible deletion practices. We work with companies to craft appropriate securities disclosures of data security practices and threats, in accordance with Securities and Exchange Commission (SEC) rules and compliance guidance. We have also worked with many companies to design incident response plans and coordinate the necessary steps in the event of a cyberattack.
In addition, Sidley advises clients on complex insurance issues and coverage, e.g., pre-incident risk controls, mitigation and damages related to data breaches, ransomware attacks, customer notifications, remediation, lawsuits, and liability. This ranges from reviewing the extent of coverage under a company’s existing traditional policies as well as under next-generation cyber insurance policies, to assisting companies with issues regarding notification of breaches or potential policy claims.
Crisis Management for Cyber Incidents
Warfare is no longer only kinetic ― cyber weapons abound and often manifest without any warning ― a zero-day assault. In the event of a cyberattack, Sidley assists companies with cyber crisis management immediately after the incident to help mitigate behind the scenes and also with public-facing response, as appropriate. A company that has been attacked must instantly identify the threat, determine its scope and severity, consider how to work with law enforcement and forensic analysis support, determine whether consumers, customers, business partners, or government agencies should or must be notified, and draft the appropriate response to media requests and government investigators ― all in a coordinated and consistent way. Sidley can help.
We work shoulder-to-shoulder with clients to identify priorities and maintain strategic focus through each of these steps. Through deep experience and continuing refinement, our firm has developed well-seasoned protocols to triage incidents and counsel clients on appropriate responses, not just default to a costly and reputation-damaging public disclosure. Frequently, we are able to resolve data security incidents for clients without public disclosure or litigation, utilizing our deep understanding of the applicable statutes or through appropriate, informal engagements with regulators, both domestically and internationally.
Department of Justice Data Security Program – Americans’ Bulk Sensitive Personal Data and United States Government-Related Data
Sidley lawyers have worked extensively with clients to comply with the 2025 Department of Justice (DOJ) Data Security Program (DSP) Rule ― the progeny of 2024 Presidential Executive Order 14117 ― Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. This complicated and comprehensive regulation impacts a wide swath of companies’ data transactions (including ‘omic, biometric, precise geolocation, personal health, personal financial, and covered personal identifiers data) with “countries of concern” and “covered persons.” Our experience and knowledge of the DSP Rule are the result of extensive review and application of the DSP to clients’ data transactions, coupled with our lawyers’ prior government experience. Compliance with this dense and sweeping regulation is imperative to avoid tripwires for criminal prosecution and civil liability for knowing or willful violations. Sidley can help organizations with their efforts to comply with the DSP Rule, including as the program evolves while DOJ refines its guidance and enforcement operations.
Government Strategies
Sidley’s representations have included interaction and advocacy with the White House and key federal agencies, such as the Federal Bureau of Investigation (FBI), U.S. Secret Service, U.S. Department of Justice (DOJ), Cybersecurity and Infrastructure Security Agency (CISA), Federal Trade Commission (FTC), the Intelligence Community in the United States and in Europe, state attorneys general, state regulatory agencies, e.g., New York Department of Financial Services (DFS), California Privacy Protection Agency (CPPA), as well as Data Protection Authorities in Europe and other key international jurisdictions. Particularly where sensitive consumer or national security information is at stake, companies may be subject to congressional inquiries, where our Government Strategies colleagues can provide comprehensive guidance on relevant legislative and oversight priorities. Sidley regularly represents clients before Congress, and we maintain strong relationships with various European and other non-U.S. data protection authorities. Altogether, our team can advise in real time as part of a consistent response to breaches of computer systems that span borders.
By way of example, in the UK, Sidley’s office in London works closely with the UK Cabinet Office, the Association of British Insurers (ABI), the Department for Business, Innovation and Skills (BIS), and the Cyber Security Information Sharing Partnership (CiSP) to identify cyber risk issues affecting stakeholders in businesses, as well as determining responses to mitigate the threats.
Litigation and Class Actions
If a cyber breach becomes public, Sidley is well-positioned to successfully defend against plaintiffs’ lawsuits. We have represented clients in some of the most complex cyber cases, helping clients contain the situation, control their liabilities, and manage notifications, media, and regulator relationships. Sidley lawyers have been at the intersection of cybersecurity and privacy law since its nascency, helping to shape the development of this niche practice over several decades. For example, we litigated a seminal case for the proposition that even intentional unauthorized data sharing by itself does not give rise to standing (a plaintiff’s right to bring a claim), see Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001) ― long before most law firms were following these issues. We have been successful on standing arguments in data breach cases, see, e.g., Randolph v. ING Life Insurance & Annuity Co., 486 F.Supp.2d 1 (D. D.C. 2007). And in the landmark Pharmatrak privacy litigation, we obtained summary judgment for our defendant client to short-circuit a class action case that sought damages related to alleged privacy violations on various pharmaceutical company websites.
Sidley’s Privacy team likewise has exceptional experience in the defense of complex multidistrict class actions, notably having represented Kroger Co. with regard to the Accellion data breach, which involved a complex supply chain data security incident and response, as well as class action claims filed across multiple jurisdictions.
Advanced Persistent Threats
Cybersecurity law has become even more fraught with the rise of state-sponsored cybersecurity threats, such as Advanced Persistent Threats (APTs) ― complex attacks on systems in which intruders burrow in and maintain unauthorized and undetected access to a company’s computer network for an extended period. APTs present novel and potentially catastrophic harm. Companies are faced with the potential for commercial espionage ― the loss of trade secrets, competitive and deal information, and other intellectual property, not to mention the potential for significant commercial and public harms from loss of critical infrastructure. We have successfully helped clients with incidents involving notorious hacking groups such as LockBit, Volt Typhoon, Salt Typhoon, and BianLian, including negotiating for the release of critical data and interfacing with law enforcement in the United States and globally.
We have also helped clients, including several critical infrastructure providers, to address the legal issues surrounding the investigation of and response to APT incidents. In this work, several members of our team have the requisite security clearances (above top secret) to work closely with agencies monitoring these threats.
United States Securities and Exchange Commission Disclosures, Financial, and Other Regulatory Issues
The potential that a corporate victim of cybercrime could suffer extensive brand damage, trigger U.S. Securities and Exchange Commission (SEC) disclosure obligations, and lose valuable customer information, trade secrets, and physical assets has caused many clients to work with us to craft and fortify their preparations for such attacks. This strategic practice is complemented by Sidley lawyers who focus on the financial services sector in connection with the unique privacy-related concerns the financial services industry faces, including data security incidents.
Healthcare Privacy and the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Sidley regularly provides health information privacy counsel to a broad range of clients, including assisting clients with respect to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and amendments made to HIPAA by the Health Information Technology for Economic and Clinical Health (HITECH) Act. We have assisted several clients in navigating complex breaches of health information before the U.S. Department of Health and Human Services Office for Civil Rights, the California Attorney General’s office, and European regulators.
United States and International Advocacy
Sidley’s deep experience in cyber and privacy law is complemented by extensive regulatory knowledge and a global white collar and litigation capacity that extends across all of our 21 worldwide offices. We have deployed talented lawyers ― many of whom have extensive governmental experience ― to assist with data breach issues. Their involvement has substantially contributed to our clients’ successful navigation of crises, as well as to proactively addressing particularly difficult privacy challenges. Sidley offers a blend of experience amongst our lawyers in the areas of privacy, compliance, internal investigations, and government criminal defense to aid in cybersecurity-, national security-, and privacy-related matters. We have represented and continue to represent numerous companies investigated by the FTC, including cases where our lawyers successfully persuaded the FTC to take no enforcement action. We also have worked extensively with clients on data breach matters involving various Canadian, European, and Asian data protection authorities.