In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. Our privacy and cybersecurity practice is a leader in its field and our firm has been ranked by Computerworld magazine as the top law firm globally for privacy and data security in all of its surveys. Chambers and Partners also ranked Hunton Andrews Kurth for privacy and data security practice in its Chambers Global, Chambers Europe, Chambers USA and Chambers UK guides.

Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm. CIPL provides strategic consulting services and helps clients develop global privacy and data security strategies for today’s digital economy. With over 90 members, CIPL also offers clients a forum for developing privacy solutions and brings together companies, consumer leaders and senior policymakers to develop next-generation privacy principles to facilitate global digital information flows.

The lawyers in our privacy and cybersecurity practice authored a 1,400-page treatise, titled Privacy and Cybersecurity Law Deskbook (Aspen Publishers, Wolters Kluwer). The deskbook provides a detailed overview of all US and international information privacy and data security laws relevant to US businesses operating in the global arena. The book also contains a collection of sample documents, charts, checklists and other compliance-enabling tools.

Who We Are

Our privacy and cybersecurity lawyers understand information-use business models and how information flows generate revenue for our clients. Our lawyers have extensive underlying subject matter experience in technology, banking and finance, consumer protection, international law, intellectual property, health care and litigation. In addition, our lawyers have hands-on business experience that enables us to provide strategic business consulting on all aspects of information policy, including privacy, cybersecurity, data breach and records management.

Our Clients

We represent a diverse group of clients, including retailers, consumer goods companies, energy companies, health care providers, direct marketers, telecommunications and internet service providers, banks, insurance providers, government agencies, electronic publishers, reference services, consumer and business credit reporting agencies and risk management specialists.

Areas of Experience

Our privacy and cybersecurity practice group focuses on providing legal services in the following areas:

  • Compliance with all US federal and state privacy and information management requirements, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act), Colorado Privacy Act, Virginia Consumer Data Protection Act, the Gramm-Leach-Bliley Act, HIPAA, the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act of 2003, the Driver’s Privacy Protection Act, CAN-SPAM, Telephone Consumer Protection Act (TCPA), state and federal security breach notification laws, state Social Security laws, the Payment Card Industry Data Security Standard, and other federal and state requirements;
  • Compliance with all international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive and member state implementations thereof (including the EU-US Data Privacy Framework, standard contractual clauses and binding corporate rules), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and China’s Personal Information Protection Law (PIPL);
  • Comprehensive assistance with significant information security breaches, including network intrusion investigations, customer notification, state and federal regulatory negotiations, discussions with payment card issuers, as well as public relations, call center and investor relations communications and training;
  • Preventing and managing cyber events, from security planning and developing proactive, breach-readiness solutions, including incident response and tabletop exercises, to handling of litigation and disputes arising from such events;
  • Performance of comprehensive privacy and information management assessments, including preparation of data flow maps, and privacy policies and procedures;
  • Development and implementation of privacy and data use policies and procedures that comply with applicable laws and generate consumer and business partner confidence, revenue and flexibility;
  • Development and implementation of programs to protect global information assets, including legislative and regulatory advocacy;
  • Assistance with information product life cycle issues, including product promotion, customer profiling, targeted marketing, channel definition and expansion, franchising, branding, advertising, warranties and pricing;
  • Drafting and negotiation of vendor contracts and information use and distribution agreements; and
  • Assistance with dispute resolution, management of consumer concerns, response to allegations of misuse of data, state and federal investigations (including actions and requests for information from state attorneys general and the Federal Trade Commission) and litigation.

Relevant Experience

  • Serve as global privacy counsel to a Fortune 50 retailer. We assisted the client in developing a global privacy framework, including privacy governance documents, a vendor management program, data transfer documents and an information security program for emerging business initiatives. In addition, we have drafted the company's global privacy policy.
  • Advise a Fortune 10 company on various US and international privacy and data protection compliance initiatives, including assisting the company with cross-border data transfer strategy, employee monitoring, numerous records management compliance projects, and several significant information security issues that had global impact in nearly 80 countries.
  • Assist a Fortune 500 financial services company with US and EU data protection compliance issues impacting the company, and are also working with the company on its cross-border data transfer strategy and binding corporate rules.
  • Regularly advise a Fortune 150 retail company on significant privacy and data security issues. We assisted the company with its data security breach remediation, including the development and implementation of a global comprehensive, written privacy and information security program. In addition, we have assisted the company with Payment Card Industry Data Security Standard (PCI) compliance activities and issues related to new payment card and loyalty card programs. We also have worked with the company to develop numerous privacy statements and notices (online and offline) worldwide and to manage privacy risks where vendors process personal data on behalf of the company.
  • Provide global privacy and data security advice to a leading technology company, including advising on numerous aspects of US and EU privacy law in connection with cutting-edge privacy issues and compliance with new and existing EU rulings (such as the GDPR), monitoring and mobile issues.
