Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. Our privacy and cybersecurity practice is a leader in its field and our firm has been ranked by Computerworld magazine as the top law firm globally for privacy and data security in all of its surveys. Chambers and Partners also ranked Hunton Andrews Kurth for privacy and data security practice in its Chambers Global, Chambers Europe, Chambers USA and Chambers UK guides.
Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm. CIPL provides strategic consulting services and helps clients develop global privacy and data security strategies for today’s digital economy. With over 90 members, CIPL also offers clients a forum for developing privacy solutions and brings together companies, consumer leaders and senior policymakers to develop next-generation privacy principles to facilitate global digital information flows.
The lawyers in our privacy and cybersecurity practice authored a 1,400-page treatise, titled Privacy and Cybersecurity Law Deskbook (Aspen Publishers, Wolters Kluwer). The deskbook provides a detailed overview of all US and international information privacy and data security laws relevant to US businesses operating in the global arena. The book also contains a collection of sample documents, charts, checklists and other compliance-enabling tools.
Who We Are
Our privacy and cybersecurity lawyers understand information-use business models and how information flows generate revenue for our clients. Our lawyers have extensive underlying subject matter experience in technology, banking and finance, consumer protection, international law, intellectual property, health care and litigation. In addition, our lawyers have hands-on business experience that enables us to provide strategic business consulting on all aspects of information policy, including privacy, cybersecurity, data breach and records management.
Our Clients
We represent a diverse group of clients, including retailers, consumer goods companies, energy companies, health care providers, direct marketers, telecommunications and internet service providers, banks, insurance providers, government agencies, electronic publishers, reference services, consumer and business credit reporting agencies and risk management specialists.
Areas of Experience
Our privacy and cybersecurity practice group focuses on providing legal services in the following areas:
- Compliance with all US federal and state privacy and information management requirements, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act), Colorado Privacy Act, Virginia Consumer Data Protection Act, the Gramm-Leach-Bliley Act, HIPAA, the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act of 2003, the Driver’s Privacy Protection Act, CAN-SPAM, Telephone Consumer Protection Act (TCPA), state and federal security breach notification laws, state Social Security laws, the Payment Card Industry Data Security Standard, and other federal and state requirements;
- Compliance with all international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive and member state implementations thereof (including the EU-US Data Privacy Framework, standard contractual clauses and binding corporate rules), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and China’s Personal Information Protection Law (PIPL);
- Comprehensive assistance with significant information security breaches, including network intrusion investigations, customer notification, state and federal regulatory negotiations, discussions with payment card issuers, as well as public relations, call center and investor relations communications and training;
- Preventing and managing cyber events, from security planning and developing proactive, breach-readiness solutions, including incident response and table top exercises, to handling of litigation and disputes arising from such events;
- Performance of comprehensive privacy and information management assessments, including preparation of data flow maps, and privacy policies and procedures;
- Development and implementation of privacy and data use policies and procedures that comply with applicable laws and generate consumer and business partner confidence, revenue and flexibility;
- Development and implementation of programs to protect global information assets, including legislative and regulatory advocacy;
- Assistance with information product life cycle issues, including product promotion, customer profiling, targeted marketing, channel definition and expansion, franchising, branding, advertising, warranties and pricing;
- Drafting and negotiation of vendor contracts and information use and distribution agreements; and,
- Assistance with dispute resolution, management of consumer concerns, response to allegations of misuse of data, state and federal investigations (including actions and requests for information from state attorneys general and the Federal Trade Commission) and litigation.
Relevant Experience
- Serve as global privacy counsel to a Fortune 50 retailer. We assisted the client in developing a global privacy framework, including privacy governance documents, a vendor management program, data transfer documents and an information security program for emerging business initiatives. In addition, we have drafted the company's global privacy policy.
- Advise a Fortune 10 company on various US and international privacy and data protection compliance initiatives, including assisting the company with cross-border data transfer strategy, employee monitoring, numerous records management compliance projects, and several significant information security issues that had global impact in nearly 80 countries.
- Assist a Fortune 500 financial services company with US and EU data protection compliance issues impacting the company, and also are working with the company on its cross-border data transfer strategy, binding corporate rules.
- Regularly advise a Fortune 150 retail company on significant privacy and data security issues. We assisted the company with its data security breach remediation, including the development and implementation of a global comprehensive, written privacy and information security program. In addition, we have assisted the company with Payment Card Industry Data Security Standard (PCI) compliance activities and issues related to new payment card and loyalty card programs. We also have worked with the company to develop numerous privacy statements and notices (online and offline) worldwide and to manage privacy risks where vendors process personal data on behalf of the company.
- Provide global privacy and data security advice to a leading technology company, including advising on numerous aspects of US and EU privacy law in connection with cutting-edge privacy issues and compliance with new and existing EU rulings (such as the GDPR), monitoring and mobile issues.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code