Privacy and Data Security


Arnold & Porter's Privacy and Data Security practice assists businesses in a wide range of industries, from e-commerce start-ups to global FORTUNE 100 companies, in the increasingly challenging task of protecting data consistent with applicable law. We provide data protection counsel to technology and business leaders in connection with the development and use of emerging technology platforms; to clients in the financial services and health industries; and to others involved in e-commerce, software development and deployment, telecommunications, government contracting, and a host of other activities. We work closely with our colleagues in the firm's Legislative and Public Policy practice group to ensure our clients are informed of and can appropriately anticipate and respond to developments in privacy legislation and regulation.

Our team advises clients on permissible uses and disclosures of personal data for purposes of online marketing, including behavioral advertising through the use of cookies and other tracking technologies, text messaging, and telemarketing under the Telephone Consumer Protection Act (TCPA) and applicable state law, and mobile applications. For mobile applications and website operators, we assist in drafting pertinent online privacy policies and terms of use, taking into account the requirements of laws such as the Children's Online Privacy Protection Act (COPPA), the California Online Privacy Protection Act, and non-US laws for global-facing websites and online applications. In the healthcare space, we advise clients on medical data, privacy, and security requirements and best practices, including under the Health Insurance Portability and Accountability Act (HIPAA), the federal Human Subjects Protection Regulations, and state law governing healthcare providers, insurers, researchers, marketers, and others collecting, using and disclosing personal health information.

In a wide variety of contexts, we represent financial institutions and their business partners with respect to financial information privacy and security, including matters under the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), the Payment Card Industry Data Security Standards, and state laws regulating the protection of personal financial information. We regularly assist clients in negotiating agreements that will adequately provide for such protection by service providers and other third parties.

We also advise US companies on compliance with the EU Data Protection Directive, including assisting with enrolling in and complying with the US-EU Privacy Shield administered by the Department of Commerce.

In the data security space, we assist clients in all aspects of their data protection activities, including developing and implementing appropriate cybersecurity standards, drafting data security incident plans, responding to data security breaches by providing necessary notifications, and providing representation in the event of ensuing litigation. For those clients involved in national security-related activities, we assist in matters involving cyber operations, security clearances, and the corresponding security functions of other US government departments and agencies, as well as the interaction of law enforcement, national security, and homeland security legal authorities and processes with emerging technologies and with privacy laws, policies, and norms. Our team has extensive experience both in private practice and in senior government policymaking, legal compliance, prosecutorial, and criminal defense positions. This includes experience as Legal Adviser at the Department of State under Secretary of State Condoleezza Rice; General Counsel for the Central Intelligence Agency; General Counsel of the US Army and US Air Force; a former Counselor to the Attorney General for National Security; Associate Deputy Attorney General and Director of the Executive Office for National Security at the US Department of Justice; General Counsel for the National Security Agency; Chief of Major Crimes and Computer Hacking/Intellectual Property Unit at the US Attorney's Office in the Southern District of New York; Associate Chief Counsel for Drugs, General Counsel for Litigation, and Associate Chief Counsel for Enforcement (Office of Chief Counsel) for the US Food and Drug Administration; Chief Counsel for the National Telecommunications and Information Administration; and the DC Public Defender Service.


GDPR: Approximately 100 Fines Imposed to Date in Germany
Markt und Mittelstand (Online Edition)
Being a Medtech Start-Up in Germany
Bpifrance (Banque Publique d'Investissement), Paris, France
We Knew This Day Would Come: FCA Claim Based on Inadequate Cybersecurity Survives Dismissal Motion on Materiality Grounds
Qui Notes: Unlocking the False Claims Act
US Privacy State of Play in 2019: In the Age of IoT, How Will Policymakers Strike the Balance Between the Freedom to Innovate and the Need to Regulate?
Arnold & Porter Webinar
And Now A Word From The Panel: An MDL Denial
Appellate Law360, Class Action Law360, Competition Law360, Cybersecurity & Privacy Law360, Employment Law360, Life Sciences Law360, Product Liability Law360, Securities Law360, Tax Law360, Transportation Law360


Chambers USA
Privacy & Data Security (Nationwide) (2008-2019)
Chambers Global
Privacy & Data Security (USA) (2010-2019)
The Legal 500 US
Media, Technology and Telecoms: Data Privacy and Data Protection (2014-2018)
Media, Technology and Telecoms: Cyber Law (including Data Protection and Privacy) (2016-2018)
