Heather Egan
Heather Egan is the Business Unit Leader for Orrick’s Strategic Advisory & Government Enforcement (SAGE) Business Unit. Heather focuses on cybersecurity, privacy and information management. A strategic advisor to clients, she is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field. Chambers explains companies turn to Heather because she “understands all the business issues and the dynamics of how to implement privacy programs [and is] extraordinarily thoughtful, very pragmatic and responsive.”

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties. 

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

  • Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe, including but not limited to:

    • Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
    • Electronic Communications Privacy Act (ECPA)
    • Fair Credit Reporting Act (FCRA)
    • Gramm–Leach–Bliley Act (GLBA)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Telephone Consumer Protection Act (TCPA)
    • State breach notification laws
    • State data security laws
    • Self-regulatory frameworks (advertising and payment card processing)
    • U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
  • Performed a privacy, security and digital needs assessment for a consumer products company with operations in more than 100 countries around the globe.
  • Managed a team providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, the Middle East, Africa and Asia.
  • Developed a global privacy program for a major food products company operating in more than 40 countries around the globe.
  • Created and implemented a successful “bring your own device” global strategy for a major multinational in the healthcare industry.
  • Performed a privacy and security compliance assessment for a U.S. public company in the manufacturing industry with operations spanning four continents.
  • Advised a major academic institution on the full range of acceptable information use and sharing practices in light of the differing ways and roles in which the university may receive information, including on-campus clinics, campus police, admissions, hosting e-mail and social media platforms, and more.
  • Addressed privacy and security aspects of a U.S. and EU rollout of a popular mobile application and provided continuing support through the rollout of additional versions, features and technologies, particularly as the company contemplates new data uses.
  • Guided multiple major multinational corporations through U.S./EU/Swiss Safe Harbor certification and re-certification.
  • Advised a major U.S. healthcare provider on integrating federal contracting requirements into its existing privacy and security compliance program.
  • Drafted and revised the website privacy statement of an intelligent media company to address data collection, use and disclosure across multiple platforms, including website, mobile and social, while integrating the client's existing Safe Harbor policy.
  • Developed privacy and security infrastructure for companies in a broad array of business sectors in connection with the implementation of U.S. state and federal privacy and security laws and regulations.
  • Successfully resolved numerous U.S. state and multi-state attorney general investigations following data incidents, including security breaches.
  • Successfully litigated claims against departing executives who absconded with client confidential information, including regulated data.
  • Regularly advises both small and large financial institutions, healthcare institutions and other general industry companies that have experienced security breaches and other security events involving personal data.