Brittany M. Bacon

Brittany advises clients in identifying, evaluating and managing complex global privacy and information security risks and compliance issues.

Brittany  Bacon is a partner in the firm’s top-ranked global privacy and cybersecurity practice. She has national recognition for her work in the areas of privacy and data security. Brittany is ranked in Chambers USA, Chambers Global and Legal 500, and was named a New York Law Journal “Rising Star,” a Law360 “Rising Star” in privacy and cybersecurity, and one of Global Data Review’s 40 Under 40 data lawyers. Chambers USA quotes clients who call her “very diligent, intelligent and hard-working” and “very client-focused, attentive and responsive.” Chambers USA also quotes a client who calls her “one of the very best individuals I have worked with on privacy-related matters.” Legal 500 refers to Brittany as “the best at what she does,” recommending her for cyber law (including data privacy and data protection) and fintech.

Brittany assists clients in identifying, evaluating and managing a panoply of global privacy and information security risks and compliance issues. A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents. Brittany served as a lead attorney on the two largest reported breaches in history (affecting over three billion user accounts) and has managed hundreds more. Her cybersecurity practice includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing ransomware attacks, as well as inquiries from Boards of Directors, consumers, media and potential acquiring companies in a deal setting. Brittany also helps companies design and build privacy and data security governance programs and conduct proactive breach preparedness activities, including developing workable incident response plans and legal breach notification procedures, ransomware playbooks and legal primers, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts (such as forensic investigation firms, ransomware specialists, credit monitoring services, PR firms and call centers) in advance of an incident.

In relation to her privacy compliance practice, Brittany advises clients on the California Consumer Privacy Act of 2018, GLB, CAN-SPAM, and other U.S. state and federal privacy requirements, and global data protection laws (including those in the EU, Asia and Latin America). She routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use, including with AI and machine learning technologies. She also regularly negotiates privacy and data security provisions of complex commercial and technology-related contracts and helps companies design robust vendor management programs.

Relevant Experience

  • Advised dozens of companies (including in the gaming and hospitality, health care, retail, energy, consumer goods, and financial services industries) on data breach and cybersecurity incident response, including preparation of required notifications pursuant to state breach notification laws, the HITECH Act and Interagency Guidance, call center training and development of media strategies.
  • Advised a technology company in all aspects of responding to the two largest reported data breaches affecting more than 3 billion user accounts.
  • Advises a world-renowned casino and hospitality company on all aspects of its comprehensive global privacy and data security program, including managing its CCPA and GDPR compliance efforts, developing a global data inventory, conducting privacy impact assessments, negotiating complex vendor agreements, advising on initiatives involving facial recognition technology and AI/machine learning, directing cybersecurity audits, updating and enhancing information security policies and standards, developing incident response plans and conducting executive-level tabletops.
  • Counsels one of the world’s largest investment companies on data breach preparedness activities, including developing legal-focused incident response plans and a ransomware playbook and conducting c-suite level cybersecurity tabletops, and advising the company on global privacy compliance matters.
  • Advises an independent consultant ordered by the SEC to review global bank’s compliance with federal securities laws in connection with operating alternative trading systems.
  • Advises a leading global alternative asset manager and its portfolio companies on US and EU data protection matters, including designing global marketing campaigns and HR privacy handbooks, as well as incident response.
  • Advises a privately-held multinational conglomerate corporation on strategic privacy initiatives and compliance efforts and data security incident management.
  • Counsels a NBA team on incident response, vendor management and privacy compliance.
  • Advised a major multi-national company with a data security incident extending to 78 countries, managed the US legal escalation call center and responded to multiple international data protection authorities.
  • Advises clients on FTC, SEC and state Attorney General (including Multistate Task Force) investigations and enforcement actions for alleged data security and privacy violations.
  • Provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness.
  • Develops comprehensive vendor management programs, including evaluating and negotiating privacy and data security provisions and indemnities contained in vendor agreements.
  • Advises clients on the collection and processing of biometric information.
  • Counsels clients on building global AI and machine learning governance programs, policies and procedures.
  • Assisted a Fortune 100 company in responding to congressional inquiries relating to a cybersecurity incident.
  • Briefed the board of directors of large electric company on managing cybersecurity risk and oversight responsibilities.
  • Advised a major diversified energy company on breach preparedness, crisis communications and vendor contractual terms relating to privacy and cybersecurity.
  • Designed CCPA compliance program for and advised on security incidents impacting multinational utility company.
  • Prepares comprehensive data security policies, standards and procedures in connection with corporate information security programs.
  • Assists clients with complying with privacy and information security requirements, including under GLB, HIPAA and state information security laws.
  • Advises clients on managing FTC Consent Orders and CIDs in connection with data security incidents.
  • Advised a major global bank on massive cyber intrusion.
  • Advised dozens of multinational clients on Safe Harbor certification and annual recertification.
  • Counsels clients in negotiating information sharing agreements with government agencies.
  • Evaluates compliance issues and drafts notices and consents for corporate programs involving business uses of employee-owned electronic devices.
  • Drafts online and offline privacy policies, procedures and notices.
  • Evaluates compliance and enforcement issues related to the collection of information in the context of credit card transactions under the Song-Beverly Act and other state and federal laws.
  • Develops employee training materials and handbooks focusing on privacy and information security practices.
  • Counsels clients on HIPAA compliance, including security breach notification obligations under the HITECH Act and preparation of HIPAA security policies and procedures.

Media Appearances

  • Radio Times, Privacy and Security on the Internet (Bacon interviewed), July 22, 2015
  • FOX5NY, Cash, Credit Cards, Chips – Consumer Payment Methods Fluctuate in Light of Data Breaches (Bacon interviewed), October 21, 2014

Memberships

  • Member, New York Bar Association
  • Member of the Board of Directors, City Bar Fund (the nonprofit arm of the New York City Bar Association)

Awards & Recognition

  • Recommended for Cyber Law (including Data Privacy and Data Protection) (2021-2023) and FinTech (2021-2022), Legal 500 United States
  • Recognized as a Leader in Privacy & Data Security, U.S., Chambers Global, 2020-2024
  • Recognized as a Leader in Privacy & Data Security, USA-Nationwide, Chambers USA, 2018-2023
  • Ranked in the Next Generation Lawyers for Data Protection and Privacy, Legal 500 United States, 2017-2020
  • Recognized for Privacy and Data Protection by Euromoney’s Rising Stars Awards Americas, 2020-2022
  • Named a Rising Star for Privacy and Data Protection, United States, Legal Media Group Expert Guide, 2019
  • Named a Rising Star, Law360, 2018
  • Named a New York Law Journal 2018 Rising Star
  • Selected as one of Global Data Review’s 40 under 40 Data Lawyers, 2018
  • City Bar Justice Center’s 2016 Jeremy G. Epstein Award for Pro Bono Service

Insights