Cybersecurity, Data Privacy and State Attorneys General

As part of our leading Cybersecurity and Data Privacy practice, our team focuses on the role of state AGs in cybersecurity, data breach and data privacy investigations.

As leading retailers, consumer products companies, financial institutions and health insurers have become victims of data breaches and other attacks, state AGs are focusing increasing attention on protecting their states’ residents and bringing actions against corporations for violations of state cybersecurity and consumer protection laws.

Companies that have been hacked must contend with not only federal cybersecurity and data privacy laws, but also each state’s own privacy laws and data security rules. Following a significant data breach, a company may face AG inquiries and investigations in 50 states. It is critical to hire counsel with firsthand experience in AG investigations, including civil investigative demands and multistate actions.

Our team is led by two-term former Washington Attorney General Rob McKenna, a recognized leader in the development of data protection and privacy regulations. Rob was the first state AG to build a computer forensics lab to collect evidence of Internet fraud, and he passed one of the nation’s first anti-spyware laws while leading the National Association of Attorneys General in its expansion into technology issues.

Together with former Washington Chief Deputy AG Brian Moran and Maryland Chief Deputy AG Kay Winfree, McKenna and his team have deep relationships with regulators at the forefront of data privacy and cybersecurity enforcement, such as the U.S. Federal Trade Commission, the Federal Communications Commission, the Consumer Financial Protection Bureau and all 50 state AGs, and also has experience with EU member-state data protection authorities.

Orrick Cybersecurity Incident Hotline

Our experience includes representing a Fortune 500 technology company in connection with a high-profile cyberattack that exposed millions of user names and other nonfinancial information. We engaged with 40 state AGs who launched a multistate investigation into the breach, and also advised on overseas notification and compliance issues. In another example of our multistate-action experience, we helped represent a box-office ticketing provider in a security breach of 10 million consumer credit cards and investigations by 25 state AG offices.