Privacy, Cybersecurity and Consumer Protection

LEADERS

Overview

Gibson, Dunn & Crutcher’s Privacy, Cybersecurity and Consumer Protection Practice Group has a demonstrated history of helping companies successfully navigate the complex and rapidly evolving laws, regulations, and industry best practices relating to privacy, cybersecurity and consumer protection.  Our global and interdisciplinary team advises clients across a broad range of industries in high-stakes matters on the full spectrum of issues in these areas.

In the privacy area we have decades of experience with a wide array of counseling, government investigations and litigation.  Our deep roster of lawyers with experience at the highest levels of government is prepared to handle any type of government investigation.  Our elite class action team has successfully litigated scores of issues, including numerous matters of first impression.  Our experience includes advising a broad array of companies large and small, in Silicon Valley, Silicon Alley, and around the world.

We have substantial experience assisting companies with all facets of cybersecurity, including counseling clients through the important steps that must occur immediately after breach situations and navigating the federal and state government investigations and private litigation that increasingly accompany cybersecurity incidents.

With respect to consumer protection, we advise clients on a broad array of issues, including advertising practices, consumer disclosures, and compliance with the myriad laws regulating consumer interactions.  We routinely appear before the U.S. Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) on consumer protection matters and have litigated complex consumer protection disputes involving a diverse range of industries.

Our team includes lawyers with significant experience in litigation, government investigations, and corporate matters, many of whom have experience at senior government levels.  The practice group is led in part by a former U.S. Attorney who oversaw prominent high-technology prosecutions, a former Assistant U.S. Attorney with primary responsibility for investigating and prosecuting computer crime and intellectual property cases, and a former senior official at the FTC.  Our team includes numerous other former computer crimes prosecutors, FTC lawyers, senior government officials at the DOJ, and leaders at the European Commission.  Our lawyers are distinguished not only by their substantive capabilities and advocacy skills, but also by their ability to guide clients through major events, deal with all relevant constituencies, and develop and implement a prompt and effective crisis management strategy.

Our litigation and investigations experience includes:

  • Defending companies in regulatory investigations, including FTC and state attorney general investigations
  • Defending companies in class action and other privacy and consumer protection litigation, including that stemming from data breaches
  • Responding to Congressional inquiries related to privacy and cybersecurity

Data breach and crisis management experience includes:

  • Counseling companies, executives and boards of directors on developing and implementing crisis management strategies
  • Coordinating breach notification responses and other regulatory obligations
  • Liaising with federal government, state law enforcement and regulatory officials, and international regulators
  • Assisting companies with prompt and effective media strategies

Counseling and audits experience includes:

  • Counseling related to compliance with federal, state and local laws and regulations governing privacy, social media, data security, online advertising, e-commerce and related issues
  • Overseeing network security, privacy and cybersecurity compliance audits
  • Advising on data compliance strategies and the development of data protection and Internet enforcement compliance programs
  • Conducting assessments of privacy and data security programs

Preparedness and transactional due diligence experience includes:

  • Advising boards of directors and in-house counsel on governance matters, privacy and cybersecurity policies and procedures, risk management frameworks, incident response plans, and best practices related to preparedness
  • Performing privacy and information security due diligence in support of mergers and acquisitions and other corporate transactions
  • Advising on all aspects of technology-, data- and privacy-related corporate transactions
  • Counseling on securities law disclosures
  • Advising on legislative and regulatory developments

Our capabilities are global.  Cybersecurity and privacy are global issues, and Gibson Dunn draws on its international team to seamlessly advise clients on sophisticated multijurisdictional matters.  The practice group includes lawyers in Brussels, London, Paris, Munich, Beijing, Singapore and Hong Kong who are exceptionally knowledgeable not only on relevant data protection and privacy laws at the national level, but are experienced in advising companies on European Union developments and coordinating multinational approaches.

Experience

Recent representations include:

  • Serving as lead outside privacy and data security counsel for Facebook.  We advise the company on privacy and data security issues, private litigation matters including class action matters and FTC investigations.  Among many other representations, we represented Facebook in connection with the FTC investigation and enforcement action involving the company’s online privacy practices – described by the FTC as its largest and most significant privacy investigation to date.
  • Representing a leading international e-commerce site in connection with a data breach impacting potentially hundreds of millions of users, and handling related investigations by the FTC, various state attorneys general, and foreign data privacy authorities, as well as detailed forensic analysis and counseling on a range of privacy and cybersecurity issues.
  • Obtained dismissal on behalf of mobile advertising and analytics networks in nationwide U.S. class action alleging that defendants collected and disclosed data and personal information from mobile devices without users’ knowledge and consent, on grounds that plaintiffs lacked Article III standing and failed to state a viable claim.
  • Represented a leading digital media company facing a full-phase FTC investigation relating to compliance with the Children’s Online Privacy and Protection Act (COPPA).  We obtained closure without conditions notwithstanding a recommendation from the FTC staff to pursue an enforcement action.
    Achieved a complete victory for St. Joseph Health System by securing dismissal of a putative data breach class action.  Asserting claims under California’s Confidentiality of Medical Information Act and the common law, including the right to privacy and negligence, plaintiff alleged that St. Joseph had lost possession of the confidential medical information of more than 33,000 patients.  The California Superior Court agreed with Gibson Dunn that plaintiff had not alleged sufficient facts to proceed and dismissed the case.
  • Serving as U.S. coordinating counsel for data security matters for one of the world’s largest global payment technology companies.
    Represented an executive search firm in response to a sophisticated cyber-attack including advanced persistent threat intrusion and extensive exfiltration of sensitive databases.  We counseled the client on investigation of the intrusion, including supervising digital forensics investigation and data security improvements, handled referral of the incident to law enforcement and coordinated breach notification compliance, as well as public relations and SEC disclosure strategy.
  • Worked with a provider of social media services to ensure that all aspects of its user platform complied with the FTC’s revised COPPA guidance.
    Represented one of the world’s largest engineering design firms in response to network intrusion, involving significant employee data breach.  We counseled the client on investigation of the incident, including supervising digital forensics investigation and data security improvements, coordinated breach notification compliance, public relations strategy, and law enforcement interaction.
  • Represented a Fortune 50 retailer in connection with multiple data security issues and related government investigations, including FTC and Secret Service investigations of a massive data breach impacting millions of credit card holders, and succeeded in persuading the FTC to close the nonpublic investigation without taking any action, based on demonstrated proof that our client had acted reasonably at every key juncture, both before and after the breach.

RECENT PUBLICATIONS

2017 Year-End German Law Update

-January 7, 2018

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 2

-December 13, 2017

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1

-December 12, 2017

The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data

-December 4, 2017

Webcast: Hot Topics in Securities and Governance

-November 17, 2017

Cybersecurity & Data Privacy: An Overview for Health Care, Pharmaceutical, and Biotech Companies

-August 8, 2017

Will “Kokesh v. SEC” Put a Kink in the Federal Trade Commission’s Disgorgement Hose?

-July 12, 2017

Trump Administration Prioritization of Cybersecurity

-June 7, 2017

Zufallsfunde bei Videoüberwachung

-March 1, 2017

Webcast: IPO and Public Company Readiness: Cybersecurity

-February 28, 2017

French Legal Briefing – France Continues to Adopt the Highest International Standards to Attract Investors

-February 21, 2017

International Cybersecurity and Data Privacy Outlook and Review: 2017

-January 31, 2017

2016 Trade Secrets Litigation Round-Up

-January 27, 2017

U.S. Cybersecurity and Data Privacy Outlook and Review: 2017

-January 27, 2017

2016 Year-End German Law Update

-January 13, 2017

New York State Department of Financial Services Revises Proposed Cybersecurity Regulations

-January 5, 2017

President Obama Announces New Russian Sanctions in Response to Election-Related Hacking

-December 30, 2016

California Continues to Take the Lead on Consumer Privacy – Attorney General Issues New Guidance to the Ed Tech Sector About Student Data

-November 10, 2016

FCC Votes to Adopt New Regulations Governing Use of Customers’ Proprietary Information by Providers of Broadband Internet Access Service

-November 7, 2016

New Cybersecurity Requirements for Defense Contractors Take Effect

-October 31, 2016

Federal Banking Regulators Announce New Proposed Cybersecurity Standards

-October 24, 2016

New York State Department of Financial Services Announces Proposed Cybersecurity Regulations

-September 19, 2016

New EU-Wide Rules on Cybersecurity: Watch the Fine Print

-July 22, 2016

The Consumer Financial Protection Bureau and the Future of Class Action Waivers

-July 7, 2016

Teaching an Old Law New Tricks: The 1988 Video Privacy Protection Act in the Modern Era

-July 4, 2016

Drone Privacy: Voluntary Best Practices Released by Multi-Stakeholder Group

-June 13, 2016

The EU-US Privacy Shield

-June 9, 2016

FTC Targets “Native” Advertising

-May 30, 2016

Tests mit Tücke – Arbeitsrechtliche Anforderungen an Social Engineering Tests

-May 23, 2016

U.S. Supreme Court Holds That Violation of a Statutory Right, Without a Resulting “Concrete” Injury, Does Not Satisfy Article III’s Injury-in-Fact Requirement

-May 17, 2016

1st Circ. Video Privacy Decision Creates Split With 11th Circ.

-May 13, 2016

President Obama Signs Federal Trade Secrets Law

-May 11, 2016

Webcast: CFPB Trends in Enforcement and Investigations

-April 21, 2016

Sensible Regulations Encourage Drone Use

-April 11, 2016

FTC Enforcement Targets Native Advertising

-March 30, 2016

French Bill for a Digital Republic

-March 29, 2016

Commercial Drone Industry May Be Ready For Takeoff Soon

-February 18, 2016

Cybersecurity and Data Privacy Outlook and Review: 2016

-January 28, 2016

Webcast – Challenges in Compliance and Corporate Governance – 2016

-January 20, 2016

How To Protect Against Business Email Compromise Scams

-January 12, 2016

2015 Year-End German Law Update

-January 8, 2016

Making Sense of a Morass: An Overview of the Different Standards U.S. Government Agencies and Other Entities Are Developing to Regulate Cybersecurity

-November 23, 2015

U.S. Supreme Court Hears Argument in Big Data Case with Far-Reaching Implications

-November 9, 2015

U.S. Federal Trade Commission Provides Guidance on Cybersecurity Enforcement Priorities

-September 15, 2015

The Third Circuit Upholds the U.S. Federal Trade Commission’s Authority to Regulate Cybersecurity

-August 27, 2015

The Data Security Governance Conundrum: Practical Solutions and Best Practices for the Boardroom and the C-Suite

-July 21, 2015

2015 Mid-Year E-Discovery Update

-July 15, 2015

A Practical Guide to the Use of the Commissioned Public Report as an Effective Crisis-Management Tool

-June 12, 2015

The Federal Trade Commission’s Enforcement of Data Security Standards

-June 10, 2015

BitLicense Regulations Create Groundbreaking Hurdles

-June 4, 2015

Virtual Currency Regulation and Enforcement: Granting of First NY Charter and FinCEN Fine Demonstrate Continued Evolution for Virtual Currency Sector

-May 27, 2015

Privacy and Data Security in Outsourcing

-May 26, 2015

Cybersecurity Sanctions: A Powerful New Tool

-April 2, 2015

Lawsky Speech Portends Strict NY Cybersecurity Standards

-February 27, 2015

Cybersecurity and Data Privacy Outlook and Review: 2015

-February 17, 2015

Presidential Summit Reveals Cybersecurity Concerns, Trends

-February 17, 2015

BitLicense 2.0: New York Moves Closer to Comprehensive Virtual Currency Regulation

-February 11, 2015

SEC Cybersecurity Findings May Establish De Facto Standard

-February 6, 2015

New FTC Report Sets Out Principles Likely to Influence Regulation of the “Internet of Things”

-February 5, 2015

Bitcoin Basics: a Primer on Virtual Currencies

-January 30, 2015

2014 Year-End French Law Update

-January 23, 2015

2014 Year-End E-Discovery Update

-January 20, 2015

U.S. President Obama Announces Renewed Focus on Securing Cyberspace and Protecting Consumer Privacy

-January 20, 2015

2014: The Year of the ‘Mega Breach’

-January 16, 2015

2014 Trade Secrets Litigation Round-Up

-January 13, 2015

2014 Year-End German Law Update

-January 9, 2015

Developments in Virtual Currency: Regulation and Enforcement Actions Gain Momentum

-January 5, 2015

SEC Adopts Rule Creating New Regulatory Framework to Strengthen Technological Infrastructure of U.S. Securities Markets

-November 25, 2014

New York and Federal Regulators Increasingly Focus Attention on Cybersecurity in the Financial Sector

-October 27, 2014

The New Standard in Bitcoin Regulation?  New York’s Proposed BitLicense Would Create a Highly Regulated Virtual Currency Industry

-September 10, 2014

Tools Let Attorneys Follow the Breadcrumbs

-September 5, 2014

Board of Directors Duty of Oversight and Cybersecurity

-August 20, 2014

District Court Upholds Government’s Ability to Seek Digital Information Stored Abroad

-August 4, 2014

2014 Mid-Year eDiscovery Update: Is This the ‘Year of Technology’ in eDiscovery?

-July 31, 2014

2014 Mid-Year French Law Update

-July 22, 2014

U.S. Supreme Court Extends Fourth Amendment Protection to “Digital” Searches for the First Time in Landmark Decision

-July 3, 2014

Implications of the SEC’s Increased Focus on Cybersecurity

-May 1, 2014

The SEC Assesses Cybersecurity Preparedness in the Securities Industry in the Wake of the Cybersecurity Roundtable

-April 23, 2014

Border Insecurity: Searches and Seizures of Electronic Devices Entering the U.S.

-March 26, 2014

U.S. Commerce Department Announces Plan to Accelerate Transition to Private Management of the Domain Name System

-March 18, 2014

There’s No Harm In Asking For Harm Post-Spokeo

-February 27, 2014

NIST Debuts Cybersecurity Framework

-February 20, 2014

Selective Distribution and e-Commerce: Recent developments in EU and national case law

-February 3, 2014

2013 Trade Secrets Litigation Round-Up

-January 31, 2014

2013 Year-End German Law Update

-January 15, 2014

Technology: To image or not to image, that is the question

-January 10, 2014

Technology: Self-collection is not always the fox guarding the henhouse

-December 27, 2013

Perils of E-Discovery Reflected in Sanctions Opinion

-December 20, 2013

Technology: Auto-delete and the not-so-safe harbor

-December 13, 2013

The Cybersecurity Framework: Risk management process … and pathway to corporate liability?

-December 12, 2013

Technology: Your company’s legal hold obligations may not be a Dr. Seuss story

-December 6, 2013

Chancery Provides Framework for ESI Discovery, Preservation

-November 20, 2013

California’s New ‘Digital Eraser’ Evaporates Embarrassment

-November 19, 2013

California Tightens Privacy Protection

-November 18, 2013

Technology: Embracing the use of mobile devices in e-discovery

-November 15, 2013

Technology: Is Instant Messaging the Next Email?

-November 1, 2013

How to use company data efficiently to detect fraud and corruption

-August 1, 2013

European Commission Proposes Stricter EU Antitrust Rules on Technology Transfer (European Intellectual Property Review)

-June 3, 2013

Cyber-security and Data Privacy Outlook and Review: 2013

-April 16, 2013

SEC Issues Guidance on Use of Social Media to Disseminate Corporate Information

-April 15, 2013