Data Privacy & Cybersecurity

Businesses and organizations of all sizes and industries are facing increased threats to their data stewardship on the one hand, and constantly evolving regulatory requirements and growing prosecutorial regimes on the other. And it’s only getting more challenging.



Our Approach

Nixon Peabody’s multifaceted Data Privacy & Cybersecurity team collaborates globally to advise companies of all sizes and industries across the full spectrum of privacy and security issues facing them on a daily basis, including compliance, incident and breach response, litigation and regulatory enforcement, and transactions.

We advise companies on:

  • Ongoing compliance and advisory services concerning international, national, and state privacy laws and regulations, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Telephone Consumer Protection Act (TCPA), Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health Act (HITECH), and audits, data mapping, and developing privacy policies
  • Security incident and breach preparation and response, including leading investigation, remediation, and reporting efforts
  • Defending against single-plaintiff and class-action privacy and security litigation and enforcement actions
  • Advising on privacy and security-related transactions, including vendor agreements, licensing and technology transactions, and mergers and acquisitions

Trends we’re watching

  • Business leaders (not just legal and IT departments) will be increasingly held directly accountable for data privacy controls and breach responses.
  • “Reasonable” security measures will increasingly become mandated and will require tracking industry-specific developments and best practices.
  • Incident response plans will need to account for a changing landscape, including larger scales and shorter notification windows.
  • Wearable technologies and internet of things (IoT) will continue to proliferate, expanding the number of access points to and vulnerability of protected health information (PHI) and other sensitive data.
  • Terms of service and vendor agreements will increasingly require provisions to mitigate liability and protocol for privacy matters.
  • Employees will continue to be the biggest threat to cybersecurity, whether through negligence or bad intent, requiring increased security training programs.
  • State-level regulations will increase, providing a patchwork of data privacy and breach laws, making compliance increasingly difficult.
  • Consumers will increasingly reach “data breach fatigue,” taking less action to protect themselves, requiring businesses to rethink their pre- and post-breach communications.
  • Remote work will continue to expand, putting additional pressure on companies’ privacy and security frameworks.

Who we work with

  • Businesses, organizations, and government entities that collect, transmit, or store sensitive or personally identifiable information
  • Industries, including technology, health care, finance, infrastructure, defense, energy, big data, social media, data storage, and professional services
  • Companies using mobile apps, websites, and social media
  • Companies that communicate with individuals by telephone, text message, fax, email, or other technology-enabled method
  • Health care providers, insurance companies, pharmacies, clearinghouses, business associates, and others impacted by HIPAA, HITECH, and the Omnibus Rule
  • Companies that receive and store the personal financial information of their clients and customers and others impacted by the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) and state data security laws
  • Law firms, accounting firms, and other professional advisors working with sensitive client information

Representative experience

Compliance & Transactional

Our team advises clients in various industries, including financial services, health care, marketing, retail, and education, on the myriad of international, federal, and state data privacy and cybersecurity laws and regulations regarding the collection, use, disclosure, and security of personal information.

  • Assisted clients in updating their policies, procedures, websites, and employee trainings to comply with the CCPA.
  • Advised an international retailer on adapting GDPR-compliance processes and procedures for compliance with the CCPA.
  • Advised a leading financial institution on compliance with the CCPA’s GLBA exemption.
  • Built enterprise-wide privacy and security frameworks for startup companies in the health care industry.
  • Advised investment firms on data privacy and security issues in connection with various investments in the technology and consumer goods industries.
  • Drafted and negotiated HIPAA business associate agreements, data-related modifications to subscription agreements, and non-disclosure agreements (NDAs) for health care and health IT companies.
  • Counseled higher education institution on HIPAA and state data privacy laws involving college wellness center, including advising on how to stay under Federal Educational Rights and Privacy Act (FERPA) regulation and not trigger HIPAA regulation.

Data Breach Preparation & Response

We have prepared proactive data breach policies and response plans and have handled hundreds of sensitive security incidents for clients in various industries, including health care, financial services, marketing, retail, and technology.

  • Led investigation and reporting efforts following discovery of a data breach during M&A activity at a leading apparel company.
  • Represented a group of affiliated health care providers after their collective network was victimized by a ransomware attack. Worked closely with forensic investigation team to assess scope of penetration and advised on reporting requirements and remediation.
  • Counseled a boutique hotel chain after its computer network was hacked by a former employee, including working closely with forensic investigators, advising on mandatory notifications, and successfully avoiding litigation.
  • Led investigation, remediation, and reporting efforts under the GDPR following a phishing scam at a financial institution resulting in unauthorized access to personal information and diversion of customer funds.

Litigation & Enforcement Actions

We handle disputes, including class actions and other litigation and arbitrations resulting from data breaches, regulatory enforcement actions (by the Department of Justice, Federal Trade Commission (FTC), Office for Civil Rights (OCR), and state attorneys general), and consumer privacy litigation involving federal and state statutes, such as the TCPA, Fair Credit Reporting Act (FCRA), Federal Debt Collection Practices Act (FDCPA), Biometric Information Privacy Act (BIPA), and those involving unfair and deceptive trade practices.

  • Defeated class certification and obtained summary judgment on remaining individual claims on behalf of a leading medical device manufacturer accused of violating the TCPA by sending prerecorded calls for educational health care seminars.
  • Defended national customer relationship manager (CRM) and marketing provider in related putative class actions in U.S. District Court for the Southern District of California, which (i) alleged violations of the TCPA for autodialed and prerecorded telemarketing calls and (ii) alleged violations of California state law for recording phone calls without consent; successfully briefed and argued bifurcation of the individual merits from class discovery and the cases settled favorably for our client on individual bases prior to class certification.
  • Defended client against allegations of breach of contract and negligence, following a data breach of PHI where backup and data recovery services allegedly failed. Case settled favorably during discovery.
  • Represented a food distribution company in connection with an email scam/cyberattack, which resulted in an inadvertent change to wire payment instructions. We were ultimately successful in defending our client against the plaintiff’s federal lawsuit, persuading the court to dismiss the negligence claim, and pushing the plaintiff to drop its lawsuit.
  • Represented international retailer accused of violating BIPA by collecting employee biometric data for timekeeping purposes.


The JustPod (ABA podcast) | January 06, 2021

Data Privacy & Cybersecurity practice group leader and Los Angeles Government Investigations & White Collar Defense partner Jason Gonzalez is featured as a guest on this podcast episode discussing cybercrimes around the January 6th attack on the Capitol, in addition to technology investigative tools and privacy.

Laying Down the Law with Data Privacy and Cybersecurity

The New IT Podcast | December 02, 2020

Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes appears as a guest in this tech-focused podcast to discuss her outlook and best practices on cloud computing, putting together an incident response plan, and the Privacy Shield.

The Once-and-Future Privacy Shield

Rochester Business Journal | November 06, 2020

Data Privacy & Cybersecurity deputy leader and Rochester associate Jenny Holmes contributed this article analyzing the European Court of Justice’s recent invalidation of the Privacy Shield and its impact on data flows between the US and the EU. This article was co-developed with Los Angeles partner Jason P. Gonzalez and Boston associate Troy K. Lieberman, both from the Data Privacy & Cybersecurity team.

Incident response plans critical for any organization

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quotes Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

Transitioning to cloud-based services: Due diligence is key

Rochester Business Journal | October 23, 2020

The following article in Rochester Business Journal’s special report on Cybersecurity quotes Data Privacy & Cybersecurity deputy team leader and Rochester associate Jenny Holmes for her insights on state, federal and international cybersecurity laws, and legal best practices on selecting a cloud computing service provider and putting together an incident response plan.

Legal guidance a necessity for companies amid coronavirus uncertainty

Rochester Business Journal | September 04, 2020

In this article on the most common COVID-related issues that businesses and companies are seeking legal help for, Data Privacy & Cybersecurity deputy leader Jenny Holmes and Complex Commercial Disputes associate Eric Ferrante, both in Rochester, are quoted for their outlook on cybersecurity best practices, force majeure clauses, and rent concerns from both landlords and tenants.

'Not a black-and-white issue:' Legal, business implications of facial recognition tech

Boston Business Journal | July 30, 2020

Boston Intellectual Property associate and deputy leader of the Data Privacy & Cybersecurity practice group Troy Lieberman was featured in a Q&A for his outlook on facial recognition technologies in light of Boston Mayor Martin Walsh recently signing into law a ban on government use of these technologies in the city.

5 ERISA Cases To Watch In The 2nd Half Of 2020

Law360 | July 29, 2020

San Francisco office managing partner and Corporate partner Karen Ng was quoted in this article for her outlook on the federal government’s interest in Howard Jarvis Taxpayers Association v. California Secure Choice Retirement Savings Program, and the rise in ERISA privacy and cybersecurity lawsuits in Harmon et al. v. Shell Oil Co. et al.

ANALYSIS | 42 CFR Part 2 Rules Changes a Welcome Sign for Many Providers

Behavioral Healthcare Executive | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

Biggest Illinois Decisions So Far in 2020: Midyear Report

Law360 | July 16, 2020

This article includes commentary from Chicago Complex Commercial Disputes partners John Ruskusky and Seth Horvath on some of the most noteworthy Illinois decisions thus far in 2020. John discusses a decision related to the Illinois Biometric Information Privacy Act, while Seth comments on a decision regarding parents suing paint makers for children’s lead test costs, as well as a ruling on a record destruction provision in the Chicago police union contract.

Hospitals balance disclosure and privacy as COVID-19 spreads

Modern Healthcare | March 12, 2020

Chicago Health Care partner Valerie Breslin Montague talks about how hospitals can remain in compliance with HIPAA while executing an effective crisis communications plan related to the coronavirus outbreak.

What’s Next: Why Facebook’s $550M biometrics settlement isn’t a huge deal

The American Lawyer | February 05, 2020

This article features Chicago Complex Commercial Disputes partners John Ruskusky and Richard Tilghman analyzing Facebook’s recent $550 million settlement in a class action suit alleging violations of Illinois’ Biometric Information Privacy Act.

Unwanted pre-recorded calls don’t violate TCPA

Massachusetts Lawyers Weekly | January 23, 2020

This article mentions Manchester Complex Commercial Disputes partner Dan Deane and Boston Complex Commercial Disputes associate Troy Lieberman, who earned a favorable ruling on behalf of defendant Boston Scientific in a class action suit alleging violations of the Telephone Consumer Protection Act.

FTC steps up actions against VoIP providers to abet scammers

Rochester Business Journal | January 17, 2020

In his latest monthly column, Rochester Corporate partner Jeremy Wolk analyzes a recent action by the Federal Trade Commission to crack down on VoIP providers who turn a blind eye to their clients’ unlawful telemarketing practices. Washington, DC, Complex Commercial Disputes associate Brian Donnelly and Rochester Complex Commercial Disputes associate Zach Osinski contributed to the article.

California data security law to have widespread impact

Rochester Business Journal | November 29, 2019

Rochester Corporate associate Jenny Holmes talks to the Rochester Business Journal for their special report on the impact of the California Consumer Privacy Act, which goes into effect January 1. Jenny anticipates that companies will have to comply with the strictest state law on the books if Congress does not pass a federal law.

Keep up with laws developing to protect our consumer data

Rochester Business Journal | November 15, 2019

In the latest installment of his monthly column, Rochester Corporate partner Jeremy Wolk analyzes state-level legislation aimed at enhancing consumer privacy rights and protections, similar to the European Union’s General Data Protection Regulation. Rochester Corporate associate Jenny Holmes contributed to the column.

Corporate spending on cybersecurity continues to increase

Rochester Business Journal | October 25, 2019

Jenny Holmes, Nixon Peabody associate, is quoted in this article about the trend of rising costs for cybersecurity protection.

Read fine print on cyberthreat coverage

Providence Business News | September 26, 2019

Providence Complex Commercial Disputes partner Steven Richard is quoted in this article about how more Rhode Island businesses are purchasing insurance to protect against the fallout from potential data breaches.

What makes you work harder? Strap on a sensor and find out

Boston Globe | July 16, 2019

In this story, Rochester Corporate associate Jenny Holmes discusses privacy concerns raised by employers who are leveraging wearable devices such as fitness trackers to learn more about workplace productivity.

How to contact your customers without getting sued

Bloomberg Law | June 11, 2019

San Francisco Complex Commercial Disputes partner Karl Belgum wrote this contributed article explaining that businesses need to perform a self-assessment of the risks of automated customer contact, given the FCC’s failure to clarify the scope of the Telephone Consumer Protection Act.

Attorneys watch cross-border issues

Buffalo Business First | June 10, 2019

In this article, Buffalo Complex Commercial Disputes counsel Ben Dwyer discusses how Canada’s approach to data privacy differs from the United States’, and how that impacts cross-border sharing of consumers’ personal information.

Is a ransomware attack a reportable data breach?

Providence Business News | April 26, 2019

Providence Complex Commercial Disputes partner Steven Richard authored this column about ransomware attacks and how businesses should respond, including considering whether the ransomware attack is reportable or subject to notification requirements.

3 legal trends will affect retailer strategies

Retail Environment | February 07, 2019

Chicago Complex Commercial Disputes partner Rich Tilghman authored this article about how legal trends related to data protection and monetization, ADA accessibility, and leasing will impact retailer strategies.

Facebook lawsuit underscores importance of transparent collection and use of data

Rochester Business Journal | January 25, 2019

Rochester Corporate partner Jeremy Wolk wrote this contributed column analyzing a lawsuit filed against Facebook in Washington, DC, alleging violations of state-level consumer protection laws by the social media company. This article incorporates perspective from an alert written by Washington Complex Commercial Disputes associate Brian Donnelly, Rochester Corporate associate Jenny Holmes, and Los Angeles Government Investigations & White Collar Defense associate Karina Puttieva.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses who buy, sell or share consumers’ personal information.

High court may upend TCPA litigation landscape

Law360 | November 13, 2018

Boston Intellectual Property associate Troy Lieberman is quoted in this article looking at possible FCC changes to the definition of “autodialer” in regard to the Telephone Consumer Protection Act.

State AGs at odds over Google privacy pact at high court

Law360 | September 05, 2018

This article mentions Complex Commercial Disputes partners Chris Mason, Sarah André, Dan Deane and Seth Horvath as counsel for The New York Bar Foundation and The New York State Bar Association in an amicus brief—filed with the United States Supreme Court—in support of the approval by a California District Court, and the Ninth Circuit, of Google’s settlement involving a “cy pres” remedy in a privacy-related case.

Cybersecurity and benefits plans: The next front in the ongoing battle to protect personal information

Confero | June 30, 2018

Rochester Corporate group associate Jenny Holmes contributed this article to the quarterly magazine for Westminster Consulting, discussing why benefit plans are inviting targets for would-be data thieves, and what plan administrators need to do to protect personal data.

European Union law on data protection takes effect

Rochester Business Journal | June 07, 2018

Rochester corporate group partner Jeremy Wolk and associate Jenny Holmes co-wrote this contributed article on the introduction of the General Data Protection Regulation, “a set of tougher rules designed to give European Union citizens more control over their personal data.” The regulation applies to all organizations, regardless of location, that handle the personal data of EU citizens.


Jason C. Kravitz

Co-leader, Intellectual Property
Leader, Data Privacy & Cybersecurity

Phone: 617-345-1318

Jenny L. Holmes

Deputy Co-leader, Data Privacy & Cybersecurity

Phone: 585-263-1494

  • U.S. News/Best Lawyers “Best Law Firms” 2020 ranked as National Tier One in: Appellate Practice, Commercial Litigation, Corporate Law, Employment Law—Management, Energy Law, Franchise Law, Health Care Law, Labor Law—Management, Litigation—Construction, Litigation—Labor & Employment, Litigation—Real Estate, Mass Tort Litigation/Class Actions—Defendants, Patent Law, Public Finance Law, Real Estate Law, Securities Regulation, Tax Law
  • In addition, many Nixon Peabody practices received U.S. News/Best Lawyers Tier 1 rankings at the regional level in the following geographies: Albany, NY; Boston; Buffalo; Chicago; Long Island; Los Angeles; Manchester, NH; New York City; Providence, RI; Rochester, NY; San Francisco; and Washington, DC.
  • U.S. News/Best Lawyers has named Nixon Peabody “Law Firm of the Year” in Health Care Law in 2016
