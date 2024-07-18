Brittany M. Bacon
Overview
Brittany advises clients in identifying, evaluating and managing complex global privacy and information security risks and compliance issues. Brittany is a partner in the firm’s top-ranked global privacy and cybersecurity practice. She has national recognition for her work in the areas of privacy and data security. Brittany is ranked in Chambers USA, Chambers Global and Legal 500, and was named a New York Law Journal “Rising Star,” a Law360 “Rising Star” in privacy and cybersecurity, and one of Global Data Review’s 40 Under 40 data lawyers. Chambers USA quotes clients who call her “very diligent, intelligent and hard-working” and “very client-focused, attentive and responsive.” Chambers USA also quotes a client who calls her “one of the very best individuals I have worked with on privacy-related matters.” Legal 500 refers to Brittany as “the best at what she does,” recommending her for cyber law (including data privacy and data protection) and fintech.
Brittany assists clients in identifying, evaluating and managing a panoply of global privacy and information security risks and compliance issues. A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents. Brittany served as a lead attorney on the two largest reported breaches in history (affecting over three billion user accounts) and has managed hundreds more. Her cybersecurity practice includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing ransomware attacks, as well as inquiries from Boards of Directors, consumers, media and potential acquiring companies in a deal setting. Brittany also helps companies design and build privacy and data security governance programs and conduct proactive breach preparedness activities, including developing workable incident response plans and legal breach notification procedures, ransomware playbooks and legal primers, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts (such as forensic investigation firms, ransomware specialists, credit monitoring services, PR firms and call centers) in advance of an incident.
In relation to her privacy compliance practice, Brittany advises clients on the California Consumer Privacy Act of 2018, GLB, CAN-SPAM, and other U.S. state and federal privacy requirements, and global data protection laws (including those in the EU, Asia and Latin America). She routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use, including with AI and machine learning technologies. She also regularly negotiates privacy and data security provisions of complex commercial and technology-related contracts and helps companies design robust vendor management programs.
Experience
- Advised dozens of companies (including in the gaming and hospitality, health care, retail, energy, consumer goods, and financial services industries) on data breach and cybersecurity incident response, including preparation of required notifications pursuant to state breach notification laws, the HITECH Act and Interagency Guidance, call center training and development of media strategies.
- Advised a technology company in all aspects of responding to the two largest reported data breaches affecting more than 3 billion user accounts.
- Advises a world-renowned casino and hospitality company on all aspects of its comprehensive global privacy and data security program, including managing its CCPA and GDPR compliance efforts, developing a global data inventory, conducting privacy impact assessments, negotiating complex vendor agreements, advising on initiatives involving facial recognition technology and AI/machine learning, directing cybersecurity audits, updating and enhancing information security policies and standards, developing incident response plans and conducting executive-level tabletops.
- Counsels one of the world’s largest investment companies on data breach preparedness activities, including developing legal-focused incident response plans and a ransomware playbook and conducting c-suite level cybersecurity tabletops, and advising the company on global privacy compliance matters.
- Advises an independent consultant ordered by the SEC to review global bank’s compliance with federal securities laws in connection with operating alternative trading systems.
- Advises a leading global alternative asset manager and its portfolio companies on US and EU data protection matters, including designing global marketing campaigns and HR privacy handbooks, as well as incident response.
- Advises a privately-held multinational conglomerate corporation on strategic privacy initiatives and compliance efforts and data security incident management.
- Counsels a NBA team on incident response, vendor management and privacy compliance.
- Advised a major multi-national company with a data security incident extending to 78 countries, managed the US legal escalation call center and responded to multiple international data protection authorities.
- Advises clients on FTC, SEC and state Attorney General (including Multistate Task Force) investigations and enforcement actions for alleged data security and privacy violations.
- Provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness.
- Develops comprehensive vendor management programs, including evaluating and negotiating privacy and data security provisions and indemnities contained in vendor agreements.
- Advises clients on the collection and processing of biometric information.
- Counsels clients on building global AI and machine learning governance programs, policies and procedures.
- Assisted a Fortune 100 company in responding to congressional inquiries relating to a cybersecurity incident.
- Briefed the board of directors of large electric company on managing cybersecurity risk and oversight responsibilities.
- Advised a major diversified energy company on breach preparedness, crisis communications and vendor contractual terms relating to privacy and cybersecurity.
- Designed CCPA compliance program for and advised on security incidents impacting multinational utility company.
- Prepares comprehensive data security policies, standards and procedures in connection with corporate information security programs.
- Assists clients with complying with privacy and information security requirements, including under GLB, HIPAA and state information security laws.
- Advises clients on managing FTC Consent Orders and CIDs in connection with data security incidents.
- Advised a major global bank on massive cyber intrusion.
- Advised dozens of multinational clients on Safe Harbor certification and annual recertification.
- Counsels clients in negotiating information sharing agreements with government agencies.
- Evaluates compliance issues and drafts notices and consents for corporate programs involving business uses of employee-owned electronic devices.
- Drafts online and offline privacy policies, procedures and notices.
- Evaluates compliance and enforcement issues related to the collection of information in the context of credit card transactions under the Song-Beverly Act and other state and federal laws.
- Develops employee training materials and handbooks focusing on privacy and information security practices.
- Counsels clients on HIPAA compliance, including security breach notification obligations under the HITECH Act and preparation of HIPAA security policies and procedures.
Media Appearances
- Radio Times, Privacy and Security on the Internet (Bacon interviewed), July 22, 2015
- FOX5NY, Cash, Credit Cards, Chips – Consumer Payment Methods Fluctuate in Light of Data Breaches (Bacon interviewed), October 21, 2014
Accolades
Honors & Recognitions
- Recognized as a Leader in Privacy & Data Security, USA, Chambers Global, 2020-2025
- Recommended for Cyber Law (including Data Privacy and Data Protection) (2021-2024) and FinTech (2021-2022, 2024), Legal 500 United States
- Recognized as a Leader in Privacy & Data Security, USA-Nationwide, Chambers USA, 2018-2024
- Ranked in the Next Generation Lawyers for Data Protection and Privacy, Legal 500 United States, 2017-2020
- Recognized for Privacy and Data Protection by Euromoney’s Rising Stars Awards Americas, 2020-2022
- Named a Rising Star for Privacy and Data Protection, United States, Legal Media Group Expert Guide, 2019
- Named a Rising Star, Law360, 2018
- Named a New York Law Journal 2018 Rising Star
- Selected as one of Global Data Review’s 40 under 40 Data Lawyers, 2018
- City Bar Justice Center’s 2016 Jeremy G. Epstein Award for Pro Bono Service
Affiliations
Professional
- Member, New York Bar Association
- Member of the Board of Directors, City Bar Fund (the nonprofit arm of the New York City Bar Association)
Civic
- Volunteer attorney at the Volunteer Lawyers for the Arts
- Member and former Global Teen Director, Teenangels
Insights
Legal Updates
- 13 Minute ReadJuly 18, 2024Legal Update
- 22 Minute ReadAugust 3, 2023Legal Update
- 5 Minute ReadJuly 18, 2023Legal Update
- 3 Minute ReadJune 15, 2023Legal Update
- 2 Minute ReadNovember 18, 2021Legal Update
- 14 Minute ReadOctober 8, 2021Legal Update
- 5 Minute ReadSeptember 24, 2021Legal Update
- 2 Minute ReadMarch 20, 2020Legal Update
- November 12, 2019Legal Update
- November 1, 2018Legal Update
- October 9, 2018Legal Update
- February 26, 2018Legal Update
- 1 Minute ReadJuly 14, 2017Legal Update
Events & Speaking Engagements
- October 18, 2022Event
- July 17 – July 20, 2022Event
- February 3, 2021Event
- December 3, 2020Event
- December 3, 2020EventSpeakerMachine Learning Hot Topics: Negotiating Global Data Protection and IP Terms, Hunton Andrews Kurth webinar
- November 19, 2020Event
- September 24, 2020EventSpeakerCybersecurity 2020: Managing Cybersecurity Incidents, Practising Law Institute (PLI)
- March 12, 2020Event
- November 14, 2019EventSpeakerThe New Age of Privacy, Hunton GC Privacy and Data Security Event
- November 6, 2019EventSpeakerCCPA Amendments and Regulations – Managing the Changes, New York Privacy Officers’ Forum Leadership Series
- October 2, 2019Event
- September 26, 2019EventPanelistBlurrier Lines: The Evolving and Confusing Landscape of Data Privacy and Cybersecurity in the Entertainment Industry, Music Business Associations’ Entertainment & Technology Law Conference
- September 24, 2019EventSpeaker2019 Cybersecurity and Privacy Law Update, Board of Directors Retreat: Pinnacle West Capital Corporation and Arizona Public Service Company
- September 13, 2019EventSpeakerPLI’s Cybersecurity 2019: Managing Cybersecurity Incidents, Cyber Attack Tabletop
- June 11, 2019EventSpeakerKeynote Address, Update on Cyber Risk Trends and Developments, 2019 Aon Consulting Industry Symposium
- June 4, 2019Event
- November 15, 2018EventSpeakerThe California Consumer Privacy Act: Impact and Implications, New York Privacy Officers’ Forum Breakfast Briefing
- November 14, 2018EventSpeakerNearly Everything You Wanted to Know About Privacy for 2018, Dallas Area Compliance Association
- September 7, 2018Event
- August 27, 2018EventSpeakerKey Developments in Data Security and Breach Notification Laws, Regulations, and Guidance, Lawline
- June 5, 2018Event
- March 15, 2018EventSpeakerEU GDPR Academy, GDPR Breach Notification: A How-to Guide
- March 7, 2018EventSpeakerHunton & Williams, SEC Cybersecurity Guidance Webinar
- November 2, 2017EventKeynote SpeakerBlackstone Portfolio CISO Summit, General Data Protection Regulation
- October 12, 2017Event
- August 28, 2017EventSpeaker
- April 4, 2017Event
- February 1, 2017EventSpeakerResponding to a Cyber Breach – On Demand, Clear Law Institute
- January 25, 2017EventSpeakerCybersecurity Tabletop: Managing an Event, Cybersecurity and Data Privacy Law Conference, The Center for American and International Law
- November 30, 2016EventModeratorCybersecurity Panel Discussion and a Live Cyber Attack Scenario, GC Dinner NYC
- October 19, 2016EventSpeakerCybersecurity and Its Risks for Fiduciaries, Twenty-Sixth Annual Client Symposium, Actuarial Benefits & Design Company
- June 23, 2016EventSpeakerIncident Response & Annual General Meeting, ISACA Harrisburg Chapter
- June 17, 2016EventSpeakerPrivacy By Design, Retail Industry Leaders Council Call
- May 19, 2016Event
- November 18, 2014EventSpeakerData Breach and the SEC: Who’s to Blame?, Sarbanes Oxley 404 Conference
- October 29, 2014EventSpeakerData Breach and Cyber Security: A How-To Guide, Fashion Law Institute Data Night
- November 6, 2013EventSpeakerCyber Predictions, Quartz Roundtable
- October 22, 2013EventPanelistLatest Legal & Privacy Updates, Protiviti Enterprise Security Briefing
- July 17, 2012EventSpeakerCyber Liability: The Aftermath of a Network Security Breach, Resort Hotel Association
- January 6, 2011EventSpeakerFTC Privacy Report Analysis: Protecting Consumer Privacy in an Era of Rapid Change, Association of Corporate Counsel
- May 4, 5 and 6, 2004EventPanelistWired Kids Annual Summit, discussing emerging issues in online safety, privacy, and security
- 2004EventPanelistIAPP Conference, San Francisco
Publications
- July 20, 2023Publication
- October 2020Publication
- June 2020Publication
- February 2020Publication
- May-June, 2019Publication
- February 6, 2019Publication
- November 21, 2018Publication
- October 29, 2018Publication
- June 27, 2017Publication
- June 9, 2017PublicationCo-authorCybersecurity Risks and Readiness for the Hotel Industry, GMBHA Allied Upgrade eNewsletter
News
- 4 Minute ReadFebruary 13, 2025News
- 2 Minute ReadFebruary 13, 2025News
- 7 Minute ReadJune 12, 2024News
- 6 Minute ReadJune 6, 2024News
- 4 Minute ReadFebruary 15, 2024News
- 7 Minute ReadJune 8, 2023News
- 6 Minute ReadJune 1, 2023News
- May 25, 2023Media Mention
- 4 Minute ReadFebruary 16, 2023News
- 6 Minute ReadJune 9, 2022News
- 6 Minute ReadJune 1, 2022News
- 4 Minute ReadFebruary 18, 2022News
- January 4, 2022Media Mention
- 2 Minute ReadNovember 30, 2021News
- November 8, 2021Media Mention
- 6 Minute ReadJune 10, 2021News
- 6 Minute ReadMay 25, 2021News
- 3 Minute ReadFebruary 18, 2021News
- 1 Minute ReadFebruary 1, 2021News
- 6 Minute ReadJune 12, 2020News
- 5 Minute ReadApril 27, 2020News
- 3 Minute ReadFebruary 18, 2020News
- 6 Minute ReadJune 6, 2019News
- 4 Minute ReadApril 25, 2019News
- 2 Minute ReadApril 3, 2019News
- September 27, 2018Media Mention
- 1 Minute ReadSeptember 11, 2018News
- September 5, 2018Media Mention
- 1 Minute ReadJune 30, 2018News
- 1 Minute ReadJune 14, 2018News
- 4 Minute ReadJune 13, 2018News
- 4 Minute ReadMay 16, 2018News
- 1 Minute ReadApril 5, 2018News
- 2 Minute ReadMarch 21, 2018News
- 1 Minute ReadOctober 19, 2017News
- September 22, 2017Media Mention
- August 25, 2017Media Mention
- 2 Minute ReadJuly 14, 2017News
- 2 Minute ReadJune 16, 2017News
- 2 Minute ReadMarch 6, 2017News
- 1 Minute ReadOctober 21, 2014News
- June 15, 2011News
Education
JD, Washington University in St. Louis School of Law, 2009
BA, University of Notre Dame, cum laude, 2006
Admissions
New York
Areas of Focus
Additional Service Areas
Privacy and information security, once overlooked in many corporate transactions, are now taking center stage.