Privacy and Data Security

Home / Practices / Privacy and Data Security
All practices
Intellectual Property and TechnologyPrivacy

Privacy and data security work that engineers can actually implement: we build compliance programs for GDPR, CCPA, and state privacy laws, harden how you handle data, and run point when a breach hits.

Privacy and data security stopped being a back-office concern the moment regulators started writing real penalties into the law and attackers started treating your data as inventory. Because our attorneys have built and shipped software, we understand how data actually moves through your systems, which makes our privacy advice something your engineering and product teams can put into practice instead of file away.

Building Privacy Compliance Programs

A privacy program only works if it reflects how your product collects and uses data. We map your data flows, then build the policies, notices, consent mechanics, data-subject-request workflows, and recordkeeping you need under the GDPR, CCPA, CPRA, and the growing list of state privacy laws. We help you decide where to standardize across jurisdictions and where to tailor, so compliance scales with your product rather than fighting it.

Data Security and Vendor Risk

Good security cuts both your breach risk and your legal exposure. We advise on security policies, data retention and minimization, encryption and access controls, and the security commitments you make to customers and regulators. We also draft and negotiate the data-processing and security terms in your vendor contracts, so the third parties touching your data are held to the same standard you are.

Breach Response and Defense

When an incident hits, the first hours matter and the clock on notification deadlines is already running. We quarterback the response: directing forensic investigators under privilege, sorting out which state, federal, and international notification obligations apply, drafting notices to individuals and regulators, and defending the litigation and enforcement inquiries that can follow. You get clear decisions fast, not a memo full of maybes.

Frequently asked questions

It depends on your industry, what data you collect, and where your customers are. Common ones include the GDPR (EU residents), CCPA and other state privacy laws, HIPAA (health data), and GLBA (financial data). Most growing companies end up subject to more than one, which is why it pays to map your data early.

Yes, if you collect personal information from consumers. And it can't be generic boilerplate. Your policy has to accurately describe what data you collect and how you use it, plus include the specific disclosures the applicable laws require. A policy that doesn't match your actual practices can itself become the violation.

When personal data is compromised, the law generally requires you to notify the affected individuals and often regulators. The exact triggers, timing, and content vary by jurisdiction, and some deadlines are tight (the GDPR's is 72 hours to the regulator). Having an incident response plan ready before a breach is what keeps you inside those windows.

Possibly. The GDPR reaches US companies that offer goods or services to people in the EU or monitor their behavior. If it applies, you need a lawful basis for processing personal data, procedures to handle data-subject requests, and in some cases a designated data protection officer.

Any vendor that handles personal data on your behalf should be under a data processing agreement. It needs to spell out the security measures they'll maintain, the limited purposes they can use the data for, and their obligation to tell you about a breach. Under laws like the GDPR and CCPA, these agreements aren't optional.

Review it regularly, because the laws, your technology, and your data practices all keep changing. An annual review is a reasonable baseline for most companies, and more often if you're in a high-risk industry or rolling out significant new products that change how you handle data.

Our team

People in this practice

Document products

Related document products

Order attorney-drafted documents related to this practice.

Browse all products

Bring our privacy and data security team to your next matter.

Get in touch