Data Security & Privacy
O’Melveny’s Data Security and Privacy group helps clients prepare for and respond to the serious legal and financial risks posed by evolving data protection and privacy obligations. Our lawyers provide counsel across the entire life-cycle of privacy and data security concerns—from pre-incident counseling and policy formation, to managing incident responses, internal investigations, litigation, and regulatory proceedings. Senior business executives, company boards, and corporate legal departments look to our team as they anticipate challenges, shape their strategies, and address the business, legal, and policy issues surrounding privacy and cybersecurity.
We also leverage the in-depth knowledge and experience of our lawyers who have held high-level posts in government and the private sector—allowing us to help clients navigate the complex and shifting decision-making procedures followed by federal agencies, Congress, and other governmental and regulatory bodies. O’Melveny’s award-winning litigation and investigations lawyers draw on their decades of success in and out-of-court to advise clients when data breaches result in class action litigation or regulatory proceedings.
- Training and education for in-house counsel and information security officials on existing regulatory regimes, managing cyber risks, and potential liabilities in the event of data breaches.
- Strategic counseling on the cyber threat landscape and the rapidly evolving legal risks associated with cyber-attacks, including presentations geared to the Board and other high-level decisions makers.
- Privileged and confidential assessments of cybersecurity risks of existing holdings, including review and recommendations for enhancements of incident response plans, and other pre-breach preparations, such as table top exercises, employee training, insider threat management, and penetration testing.
- Supply Chain Risk Management assessments, including review and recommendations to mitigate exposure and risks from cybersecurity incidents of suppliers and vendors.
- Post incident response, including internal investigations, compliance with notification and SEC disclosure requirements, and the management of relationships with law enforcement and regulatory agencies (federal, state, foreign) in order to mitigate investigative risks.
- Defense of regulatory enforcement matters, class action litigation (consumer, employee, and shareholder derivative), and other breach related litigation, and the handling of cyber insurance issues.
E-Commerce CompanyO’Melveny represented a leading internet search engine in class actions related to data privacy in federal court. These cases involved claims that the company tracked or disclosed personally-identifiable user information to third parties and that the company itself accessed user information without authorization. Read
Insurance CompanyO’Melveny conducted an internal investigation for a large insurance company into a cyber attack on client accounts and advised the company on responding to the attack. Read
International Cosmetics and Household Goods CompanyWe performed an international analysis covering regulatory requirements for the online collection and cross-border transfers of customer information for the U.S., China, and the European Union. Read
Major financial services institutionsO’Melveny advises several financial institutions on cybersecurity preparedness and incident response. We are currently advising a large banking client in responding to the Equifax data breach and are advising a separate banking client on cybersecurity issues as part of stress testing exercises mandated by Dodd-Frank. We have also advised a large insurance and retirement firm on response in the aftermath of a cybersecurity incident affecting customer accounts. Additionally, we have helped a large mortgage-market participant prepare for privacy and data security issues related to the implementation of a large database used for predictive analytics and research purposes. Separately, we helped that same client develop protocols for information-sharing with federal regulators and law enforcement, and advised on privilege consideration surrounding the company’s disclosure of threat and incident information. Read
Managed Care and Health Care ProvidersWe provide advice and counseling to multiple clients in the health care industry on data security preparedness and breach response planning and have assisted in evaluating crisis management practices. This work has included designing HIPAA and 50-state compliant incident response policies, testing incident response plans, and enhancing policies and procedures to cure any determined gaps or risks. Read
Multinational corporationsWe advise numerous multinational corporations on the impact of the China Cyber Security Law on their China operations. Read
Omnicare/CVSO’Melveny represented the specialty pharmacy in defending multiple class actions under statutory privacy laws involving separate alleged violations of calling and faxing activities to patients and medical practices related to its services. O’Melveny successfully resolved the first class action without providing classwide relief and reached a favorable settlement in the second action. Read
Online Music CompanyWe counseled an online music company on its response to a ransomware demand and worked with the company to inform state governments of the data breach. Read
VisaO’Melveny represents Visa on matters related to data compromise events at merchants or processors, including on issues related to many of the largest account data compromise events in the history of the payment card industry, such as counseling on and the settlement of claims arising from data breaches at Target Corporation, The Home Depot, Heartland Payment Systems, and others. Read
Thank you for your interest. Before you communicate with one of our attorneys, please note: Any comments our attorneys share with you are general information and not legal advice. No attorney-client relationship will exist between you or your business and O’Melveny or any of its attorneys unless conflicts have been cleared, our management has given its approval, and an engagement letter has been signed. Meanwhile, you agree: we have no duty to advise you or provide you with legal assistance; you will not divulge any confidences or send any confidential or sensitive information to our attorneys (we are not in a position to keep it confidential and might be required to convey it to our clients); and, you may not use this contact to attempt to disqualify O’Melveny from representing other clients adverse to you or your business. By clicking "accept" you acknowledge receipt and agree to all of the terms of this paragraph and our Disclaimer.
CCPA Case Tracker
With CCPA enforcement here, use our CCPA Case Tracker to stay abreast of litigation and regulatory developments. >>