Cyber, Privacy & Data Security

Our Cyber, Privacy & Data Security Team offers a suite of proactive and responsive services aimed at addressing any and all client needs in the digital space.


The Cyber, Privacy & Data Security Team routinely advises clients in connection with regulatory compliance of state, federal and international laws, including but not limited to: 

  • Gramm-Leach-Bliley Act 
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Computer Fraud and Abuse Act (CFAA)
  • Fair Credit Reporting Act (FCRA)
  • Fair Debt Collection Practices Act (FDCPA)
  • Stored Communications Act (SCA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • California Consumer Privacy Act (CCPA)
  • New York State Department of Financial Services Cybersecurity Regulation
  • New York Stop Hacks and Improve Electronic Data Security Act (SHIELD)
  • Illinois Biometric Information Privacy Act (BIPA)
  • Texas Capture or Use of Biometric Identifier Act
  • Arkansas Personal Information Protection Act
  • Louisiana Database Security Breach Notification Law
  • Arizona Data Security Breaches Law
  • Oregon Consumer Information Protection Act
  • Washington State RCW 19.375.010 and Notice of Personal Information Data Breaches Law
  • Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth
  • The EU’s General Data Protection Regulation (GDPR)

The Cyber, Privacy & Data Security Team actively monitors the growing and overlapping legislation as it evolves. As the only law firm with offices in all 50 states, Gordon & Rees lawyers actively advise clients and help them navigate the regulatory waters with confidence and ease as the laws continue to develop.


The Cyber, Privacy & Data Security Team represents clients in complex transactions with a focus on the allocation of risk and liability of potential data-related issues and cyber incidents with third parties and clients’ vendors.  Gordon & Rees lawyers negotiate and draft the terms for vendor agreements involving the sharing of sensitive information and responsibility for data-related due diligence and compliance with applicable laws, rules and regulations.

The Cyber, Privacy & Data Security Team reviews, advises, drafts and revises clients’ current security policies and procedures in connection with their data collection and data review.  Gordon & Rees lawyers focus on data retention and destruction policies, while also assessing data flows and evaluating risk-ranking vulnerabilities and ensuring compliance with applicable laws, rules and regulations to help establish and implement coherent and relevant policies and procedures.   

The Cyber, Privacy & Data Security Team also assists clients in developing internal policies and procedures that are consistent with relevant workplace privacy laws and whistleblower laws to navigate the best methods in the collection and storage of company-related data.


The Cyber, Privacy & Data Security Team has counseled clients in navigating responses to data security incidents across many business sectors. Gordon & Rees lawyers make thoughtful and thorough initial assessments and determine all necessary steps in the remediation of sensitive data breaches. Gordon & Rees lawyers facilitate and assess all legal agreements and services with third-party forensics experts and remediation vendors and work with the client and necessary experts to isolate and address breaches in real time.

The Cyber, Privacy & Data Security Team also analyzes and advises on notification issues including when and how to notify affected customers, employees, business partners and regulators in accordance with applicable requirements under state and federal laws, rules and regulations.  Gordon & Rees lawyers work with clients’ management team, IT professionals and in-house counsel to help navigate the dynamic landscape in the wake of a cyber-incident and provide cost-efficient legal services. 

Gordon & Rees lawyers also actively work with clients, their public relations teams and outside consultants to develop and execute a media plan to mitigate any reputational harm as a result of a cyber-incident.


The Cyber, Privacy & Data Security Team, staffed with seasoned commercial litigators, guides clients through their options in resolving complex litigation issues stemming from third-party demands, class action complaints and, if necessary, affirmative litigation to remedy significant economic loss. Gordon & Rees lawyers have vast and diverse courtroom and arbitration experience involving privacy and data security.

The Cyber, Privacy & Data Security Team has litigated on behalf of clients, across a wide spectrum of industries, for claims involving cybersecurity preparedness, data breaches, business-to-business claims, breach of contract, fraud, advertising and media claims, including intellectual property disputes, and other privacy and/or data-related issues.  Gordon & Rees lawyers also counsel clients in response to, and defense of, regulatory inquiries and investigations, including by the Federal Trade Commission and State Attorneys General. 


  • Represent one of the world’s largest non-life insurers in global privacy and data security compliance and privacy tech transactions including for GDPR/Privacy Shield, CCPA, NYDFS and HIPAA.
  • Represent a specialty lines property casualty insurer in CCPA and state privacy law compliance matters.
  • Represent a leading global hedge fund in worldwide privacy and data security compliance and privacy tech transactions including for GDPR and CCPA.
  • Represent a leading global specialty asset manager in privacy and data security compliance including FINRA and SEC (Reg SP).
  • Represent several global and domestic boutique hospitality/hotel groups in worldwide privacy and data security compliance and privacy tech transactions including for GDPR and CCPA.
  • Represent a variety of Fortune 500s in the privacy and data security aspects of:
    • big data and data analytics matters (acquisition, append, storage, transmission and use)
    • commercialization and monetization of data (advertising and marketing)
    • breach and incident responses
  • Represented insurers in coverage issues regarding data breach-related class action lawsuits tendered to them under general liability and cyber-risk policies.
  • Represented a grocery outlet and a major retailer in separate putative class actions alleging violations of the Song-Beverly Credit Card Privacy Act. Obtained favorable settlements in both cases.
  • Represented a financial services company for alleged violations of the Telephone Consumer Privacy Act (TCPA). Defeated class certification of the case.
  • Represented a nursing home in a negligence case alleging Health Insurance Portability and Accountability Act (HIPAA) violations and other non-HIPAA negligence-related claims.
  • Represented health care facilities in HIPAA compliance issues including the release of medical records and fax policies.
  • Represented entities in alleged breaches of personal identifying information regarding the risks associated with potential lawsuits, including sustainability as a class, and Article III justiciability.
  • Represented a variety of entities in breach response advice including the preparation of notice letters to state attorney general offices and the owners of the stolen information, remediation measures for their clients, and in-depth research into Payment Card Industry Data Security Standards to determine the scope of the entities’ obligations.
  • Represented an anti-spam support organization against a software development company over disputes regarding email/spam policies.

Fast Facts

  • 40 Attorneys
  • National experience handling corporate cyberattack detection, investigation, and response; compliance, audits, and risk management; privacy policies, programs, and procedures
  • Multidisciplinary team of attorneys with experience in commercial litigation, consumer protection, intellectual property, employment, and business transactions/corporate law
  • Corporate Member, International Association of Privacy Professionals (IAPP)

