Cybersecurity & Data Privacy

Privacy, Data Security & Internet Safety

Orrick’s Cybersecurity & Data Privacy group is a global, interdisciplinary team with members across the U.S., Europe and Asia. Legal 500 United States ranks our team as a leading practice that delivers “cost-effective, practical advice” and possesses “high-level practical experience and understanding of the law.” Our team members have also been recognized by Chambers for expertise both in the U.S. and European markets.

We craft practical solutions that involve counseling, insurance, brand protection, investigations and litigation. We leverage our in-depth legal and technical knowledge of cybersecurity and data privacy matters, as well as our relationships with domestic and international law enforcement, government regulators, data protection authorities, and policy groups, to ensure that our clients benefit from holistic solutions.


The Orrick Difference

We have global expertise. With our geographic reach, we tackle our clients’ most complex cross-border cybersecurity, data privacy and Internet safety matters. We have led scores of company responses to cyber-attacks involving compromised records and intellectual property assets; we have partnered with law enforcement and brought affirmative cases to disable complex botnets responsible for financial theft and fraud; and we have designed international privacy compliance programs for companies across an array of industries and technologies.

We have strong ties to government. Our team has deep experience with regulators at the forefront of cybersecurity and data privacy enforcement, such as the U.S. Federal Trade Commission, all 50 U.S. state attorneys general, and EU and member-state data protection authorities. Among our team members are six former federal prosecutors, a former state Attorney General, a former Federal Trade Commission trial lawyer, and a former official of France’s CNIL.

We represent industry leaders. Our client roster includes leading companies across geographies and industries, including eBay, EY (Ernst & Young), W.W. Grainger, Logitech, Microsoft, NVIDIA, Flexera Software, Sensata Technologies and Sony, as well as hundreds of global emerging growth and technology companies.

We take cases to trial. We have a deep bench of first-chair trial lawyers with strong records of significant wins in court, including for technology clients such as Microsoft and Facebook. We leverage our depth of late-stage conflict resolution and trial experience to proactively identify issues before they arise, a key component in building compliant privacy and cybersecurity programs, and in handling reactive cybersecurity breach matters. Ultimately, our expansive trial experience enables us to effectively manage data privacy and cybersecurity investigations and defend companies in privacy and cybersecurity breach-related governmental enforcement actions and plaintiff-driven litigation. We have demonstrated creative and practical affirmative rights enforcement related to cybercrime, insurance, data privacy and intellectual property theft. We have also helped global Fortune 500 companies navigate international privacy laws in Europe, Asia and Latin America in the discovery phase of civil litigation.

We build sustainable governance programs. We advise not only on the legal interpretations of privacy and security laws, but on practical implementation that achieves commercial objectives and protects executive and board-level decision-makers. Our team has firsthand experience working within industry-leading organizations to audit privacy and security compliance, design corporate governance frameworks, and embed protocols into daily operations.


Building cybersecurity and breach preparedness. Cyberattacks and other security breaches are costly to a company’s reputation and its bottom line. We regularly counsel clients on proactive strategies to improve their security preparedness and effectively manage cybersecurity risk, including building data security governance and compliance programs, incident response policies and procedures, tabletop and management training―for both enterprise-wide and product/service-specific contexts. We are also active in coordinating industry cybersecurity and threat information-sharing strategies.

Cyber insurance. When a security incident occurs, clients need coverage counsel experienced in data breach claims who can anticipate events and maximize insurance recovery. We have led insurance recovery efforts for some of the largest and most complex data breaches in history. We also are experts in cyber insurance, which increasingly is a key component of our clients’ cybersecurity and breach preparations. We help our clients negotiate comprehensive cyber insurance coverage, taking into account emerging technologies and developments in the insurance market. And you can be sure we are on your side because Orrick’s insurance lawyers represent policyholders only.

Responding to cyberattacks and breaches. When a cyberattack or security breach occurs, your company needs a coordinated and effective response. Orrick has deep expertise across all facets of these bet-the-company events, having handled dozens of high-profile, sensitive cybersecurity incidents. Drawing from strong multi-disciplinary backgrounds, we position our clients to move past incidents as efficiently as possible with minimal impact to operations or brand and with an enhanced security posture for the future.

A comprehensive approach. Our global team has practical and technical expertise to seamlessly handle a series of key actions:

  • Directing physical and IT forensics, as well as internal investigations, to reach conclusions efficiently and maintain confidentiality
  • Advising on regulatory and contractual data breach notification requirements across the globe, including requirements in the U.S., EU and Asia
  • Counseling executive officers and boards on corporate governance responsibilities related to a cybersecurity incident
  • Coordinating with domestic and international law enforcement agencies
  • Representing clients in government investigations before the FTC, state attorneys general and international data protection authorities
  • Defending clients in “parallel proceedings” including civil class actions, shareholder derivative litigation and arbitrations
  • Managing insurance recovery for incident response costs, breach notification, legal fees and defense of claims, and helping clients comply with requirements for cyber insurance coverage
  • Advising on SEC public disclosure requirements
  • Advising on public relations and media strategy
  • Executing “active defense” strategies and pursuing affirmative claims against criminal actors responsible for the incident

Cost-effective Solutions. Our team works together across issues and jurisdictions to provide streamlined, cross-disciplinary services. Our integrated approach ensures that the key facts, mitigation strategies and “defense narrative” remain consistent across the multiple regulatory, legal and PR/media fronts that may arise. We have strong relationships with security experts and vendors (e.g., consultants, credit-monitoring services, mail houses, call centers) that help to reduce cost inefficiencies. And we focus on maximizing insurance recoveries where available.

Data Privacy

Risk management and compliance. Navigating data privacy laws and managing privacy risks are essential components of an organization’s compliance and operational activities. Every company collects and handles data related to customers, partners, website visitors, employees or other individuals, as well as proprietary information and trade secrets. In addition, many employees inside the company touch different types of data, ranging from teams handling customer service or “Big Data” analytics or HR functions, through to vendor management, IT/IS and security personnel, and even scientists, engineers and mobile app developers. Further, data is often shared between corporate entities and with third parties such as partners and service providers, and usually across borders. The international and interconnected nature of many IT solutions (e.g., through worldwide shared service centers, outsourced service providers and cloud-based solutions) can further complicate compliance and risk management. Organizations―particularly multinationals or those with global customer bases―must balance the requirements of dozens and sometimes hundreds of international privacy regimes.

Comprehensive counseling services. We help our clients manage every step in the data life cycle: collection, use, sharing, transfer, storage, retention, loss and disposal. Our goal is to provide practical privacy advice that works in a business-as-usual setting and comports with commercial needs.

  • Privacy audits, privacy impact assessments (PIA), and privacy-by-design (PbD) programs
  • Privacy risk management for “Big Data” and “People Analytics” engines, Social Media, Internet of Things (IoT) and smart devices, and other emerging, disruptive technologies
  • Designing and implementing legal and technical enterprise privacy governance structures
  • International data transfers (both intra-group transfers and third-party transfers), including implementation of Safe Harbor, EU model contract clauses, and binding corporate rules (BCR)
  • Integration of foreign affiliates into internal data sharing/access schemes, and implementation of data processing through outsourcing by third party service providers (including cloud computing platforms and services)
  • Implementation of new software applications to process, for example, employee or customer data (e.g. CRM systems, ERP systems, employee monitoring technologies)
  • Designing online privacy policies, terms of service (ToS) and end user licensing agreements (EULA), relating to core privacy and related consumer-protection issues, such as online behavioral advertising (OBA), cookies and similar tracking technologies, commercial email, phone and text advertising campaigns, non-traditional channels (social, viral, media-integration), and e-commerce platforms
  • Counseling pursuant to a host of international privacy rules and regulations and related consumer-protection statutes, including but not limited to: EU Data Protection Directive 95/46/EC and its local member-state implementations; (draft) General Data Protection Regulation; Children’s Online Privacy Protection Act (COPPA); Gramm-Leach-Bliley Act (GLBA); Fair Credit Reporting Act (FCRA); Family Education Rights Protection Act (FERPA); California Online Privacy Protection Act (CalOPPA); Computer Fraud and Abuse Act (CFAA); Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); Electronic Communications Privacy Act (ECPA); Federal Trade Commission Guidelines and the FTC Act; Payment Card Industry (PCI) Standards; Student Online Personal Information Protection Act (SOPIPA); Telephone Consumer Protection Act (TCPA); and dozens of other privacy-related rules and regulations

Litigation Expertise. Our global team includes litigators who are experts in managing derivative shareholder litigation and privacy and consumer class actions, including data breach litigation, cyber-insurance litigation, and internet law disputes. We also regularly interface with privacy and data protection agencies, such as the U.S. Federal Trade Commission, U.S. state attorney general offices, and EU member-state data protection authorities. Our e-Discovery team advises leading global companies in large scale antitrust, intellectual property, insurance recovery, employment, products liability, and other cases around the world, including issues relating to spoliation.

Transactional Expertise. Many commercial transactions and “deals” involve some aspect of data collection, use, sharing, transfer, storage, retention, and/or disposal. We regularly conduct privacy reviews and advise on risk mitigation strategies in relation to: vendor agreements (e.g., cloud storage or processing); licensing agreements; due diligence for M&A transactions; due diligence for pre-IPO or financing round activities.

We represent eBay in relation to a cyber-attack it suffered in 2014 that resulted in a data breach that exposed millions of user names and some other non-financial information. An Orrick team, led by former Washington State Attorney General and Partner Rob McKenna and White Collar Partner Mark Mermelstein, engaged with 40 state attorneys general who launched a multi-state investigation into the breach. Orrick also has been assisting with overseas data breach notifications and compliance issues, and with insurance recovery matters.

We have advised Microsoft Corp. since 2007 on an array of data privacy and data security matters. Orrick has filed numerous lawsuits on Microsoft’s behalf to stop hacking activity and the spread of botnets, or networks of malware. Such suits target botnets that carry out online advertising and financial fraud. These cases are matters of first impression and the impact has been substantial, stopping the theft of millions of dollars.

Orrick represented Facebook in high-profile, longstanding litigation with Power Ventures. Facebook had accused Power Ventures of copyright infringement, violating the CAN-SPAM Act and numerous computer trespass statutes. The case involved novel questions of Internet law related to unauthorized use of the Facebook system by commercial entities.

Orrick continues to advise Sony on insurance coverage claims related to the 2011 cyber-attack on the PlayStation Network. We are currently representing Sony Pictures on insurance issues arising out of the highly publicized cyber-attacks on the company in late 2014.

Advising Instagram on data privacy and consumer protection investigatory and compliance matters in advance of its $1 billion acquisition by Facebook.

Representation of a “Big Data” public data aggregator in the development of its privacy policies, negotiations of contracts with social networks for the supply of data, contracts with institutional customers and discussions with data protection authorities.

We advise a large, multi-national corporation in structuring its data protection program in connection with its global e-commerce activities. We also craft privacy policies, terms of use, copyright/trademark policies and other disclosures for dozens of companies in the U.S. and EU.

Developing privacy policies and advising on global privacy compliance for one of the world’s largest social networks and dating sites.

Developing Intra-Group Data Transfer Agreements (IGA) for two large multinational clients and managing their authorization by EU data protection authorities.

Advising a regulated organization on the implementation, development and maintenance of its binding corporate rules.

Advising on the implementation of new worldwide shared databases in cooperation with local data supervisory authorities.

Work with over 1,000 emerging and growth company clients to develop marketable products and services that align with consumer privacy and data protection principles; draft privacy policies, terms of service, and vendor contracts; evaluate cutting-edge and disruptive technologies and businesses on privacy compliance and consumer protection concepts.
