Data Privacy & Cybersecurity

2019 and 2020 Advisen Cyber Law Firm of the Year

Data Privacy & Cybersecurity

– 24/7/365 – ANYTIME, ANYWHERE...

24/7 Data Breach Response Hotline: 844.312.3961

24/7 Data Breach Response Team Email:

Sean Hoar, a former federal cyber attorney for the Department of Justice, heads Lewis Brisbois’ national Data Privacy & Cybersecurity Team. The Team has managed responses to thousands of data security incidents in all business sectors – from relatively simple device theft containing proprietary or consumer information, to catastrophic system compromises affecting millions of consumers. We were recognized by Advisen, an international cyber insurance industry association, as the 2019 and 2020 “Cyber Law Firm of the Year.” Our Team includes an additional former Department of Justice cyber attorney and twelve Certified Information Privacy Professionals. Our lawyers understand complex technology and are devoted to customer service. We have particular expertise working with the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Supported by a full-service law firm, our team employs a holistic approach to data privacy and cybersecurity, offering a suite of proactive services to help clients keep their data private and secure, providing a rapid response to any digital crisis with fully managed breach response services, and delivering defensive litigation services when necessary.

The Lewis Brisbois team is available 24/7/365 and is geographically distributed across the nation to help clients protect their data, and to respond and remediate any type of data security incident.


Incident response management: Having managed responses to thousands of data security incidents in all business sectors the Lewis Brisbois Data Privacy & Cybersecurity Team has extensive experience managing responses to information security incidents. Lewis Brisbois' data breach hotline is staffed 24/7/365 and our Team provides complete project management of the breach response process. Lewis Brisbois attorneys work closely with cyber insurance brokers and carriers to maximize client access to appropriate resources. The rapid response process involves an initial assessment of the data security problem and facilitation of all legal agreements and services to contain, analyze, investigate and remediate the incident. This often includes digital forensics, crisis management and communications, consumer notification, and credit monitoring and/or identity protection services. The process also involves an assessment of consumer and regulatory notification obligations, and, if such obligations apply, our attorneys assist in drafting consumer and regulatory notification, and responding to inquiries from the media and regulatory officials. The Lewis Brisbois national breach response team is best in class and ready to immediately respond to any type of data security incident at anytime, anywhere.

Data breach-related defensive litigation: Our attorneys have extensive experience representing clients in complex litigation arising from data breach-related matters. Whether it is a third-party demand or a class action complaint, Lewis Brisbois attorneys are particularly well suited to defend clients in all business sectors. Lewis Brisbois has extensive litigation resources covering major markets across the nation, ensuring that clients are well represented in all defensive litigation matters.

Data breach-related affirmative litigation: Clients who fall victim to a data breach often incur harm from third parties. The lawyers in Lewis Brisbois’ Data Privacy & Cybersecurity Practice and its Commercial Litigation Practice guide clients through their options in resolving difficult and complex problems — including the recovery of substantial losses from third parties and the recovery and seizure of private data stolen during a data breach — and provide strong affirmative litigation services when necessary. 

Website and mobile application accessibility defensive litigation services: Litigation surrounding website accessibility under Title III of the Americans with Disabilities Act (ADA) has significantly increased in recent years. Perhaps due to uncertainty about pending federal regulations, businesses have been caught off guard when confronted with third party demands or lawsuits. The lawyers in Lewis Brisbois’ Data Privacy & Cybersecurity Practice and its ADA Compliance and Defense Practice guide clients through their obligations under Title III of the ADA and provide strong defensive litigation services when necessary. 


GDPR compliance. Our team can assist in assessing the application of the GDPR to your business. We work side-by-side with company personnel to develop applicable policies and procedures that comply with the GDPR. We can also serve as the company’s Data Protection Officer (DPO). These efforts will ensure continuity of operations, limit your liability, and allow your organization to represent that it is fully GDPR-compliant for continued business opportunities.

Compliance counseling: The Lewis Brisbois Data Privacy & Cybersecurity Team assists clients in all business sectors to assess regulatory obligations and develop compliance programs to meet them. Our attorneys have expertise in a wide variety of state and federal regulatory statutes pertaining to data privacy and cybersecurity. These statutes include over 50 state and territorial data breach notification statutes, regulatory provisions in the communications, energy, financial, and healthcare sectors, and international data protection laws. These provisions include the Computer Fraud and Abuse Act (CFAA), the Fair Credit Reporting Act (FCRA), the Fair Debt Collection Practices Act (FDCPA), the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and its amendment, the Health Information Technology for Economic and Clinical Health Act (HITECH), the Stored Communications Act (SCA), the Telephone Consumer Protection Act (TCPA), and the E.U. General Data Protection Regulation (GDPR).

Cyber assessments: The Lewis Brisbois Data Privacy & Cybersecurity Team assists clients in all business sectors to assess their cyber preparedness through a process which is mapped to the National Institute of Standards and Technology Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, and if appropriate, Special Publication 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Lewis Brisbois attorneys have extensive knowledge of the critical security controls required by regulators to be enabled in information security systems, and we work with information technology and security personnel to enhance their organizational security posture and reduce information system vulnerabilities. 

Incident response planning: The Lewis Brisbois Data Privacy & Cybersecurity Team assists clients in all business sectors to develop and draft incident response plans that are mapped to the National Institute of Standards and Technology Computer Security Incident Handling Guide, Special Publication 800-61 Rev. 2. The planning process includes the identification and involvement of key stakeholders, the acquisition of cyber liability insurance, the facilitation and execution of Master Service Agreements with breach response service providers (digital forensics services, consumer notification/call center services, credit monitoring/identity protection services, etc.), and introductions to appropriate law enforcement personnel. We recognize that preparation is a critical phase in the incident response life cycle, and are well versed in helping clients prepare for all types of data security incidents.

Table top exercises: We help clients test their incident response plans by facilitating enterprise-wide digital crisis response exercises. These exercises involve key stakeholders and assist them to identify and experience their roles and responsibilities in responding to a data security incident before an actual crisis occurs. Our attorneys recognize that “experiencing” a data security incident before it actually occurs accelerates an organization’s ability to effectively contain and remediate an incident. The exercises also help to identify and resolve gaps in incident response plans and enhance an organization’s enterprise security posture.

Service Provider Agreements/Third Party Contract Review: Lewis Brisbois attorneys assist clients in all business sectors to review agreements with service providers, including third party technology service providers, through a lens that identifies and protects against potential liabilities arising from a data security incident. Our team works closely with clients to understand the unique circumstances and challenges that exist with each service provider. Keeping our clients’ business goals in mind, we craft narrowly tailored service provider agreements designed to mitigate potential exposure arising from a data security incident by clearly defining a client’s relationship with the service provider; requiring the service provider to adhere to delineated information security practices molded to the specific service offering; setting forth expectations as to when, how and under what circumstances a service provider must report a potential or suspected data security incident, and preserving the client’s right to conduct an independent forensic investigation; incorporating optimal indemnification and limitation of liability language to shift liability and defense exposure to the service provider; leveraging a service provider’s insurance coverage; incorporating warranties that hold the service provider accountable for rendering services in accordance with the agreement and applicable law; applying a favorable choice of law provision governing disputes under the contract; and avoiding potential pitfalls such as waivers of subrogation that may preclude our clients or their insurers from recovering damages attributable to a service provider’s conduct. Managing liabilities associated with service providers has never been more important with the evolution of technology and online threats creating an increasingly dangerous digital environment. The risks and liabilities can be mitigated, however, with due diligence and good service provider contract management.

Data privacy policy development and review: The Lewis Brisbois Data Privacy & Cybersecurity Team assists clients to identify and develop necessary data privacy policies pertaining to data collection, employment, online marketing, and sector specific requirements. Data collection is a critical aspect of many business models, and regulation of data collection practices is constantly increasing. We help businesses navigate the ever-evolving privacy regulatory landscape.

Data security policy development and review: Our team helps clients review existing information security policies and procedures, recommends revisions to existing policies and procedures, and drafts policies and procedures if none exist. These policies are often mapped to the Critical Security Controls, which are now managed by the Center for Internet Security.

Document retention policy development and review: Because of the data explosion caused by the advent of electronically created and stored information, management of data has become critical for business processes, regulatory compliance and data security. Focused data retention and destruction policies are an important component of information security and information management systems. Our lawyers regularly counsel on document retention and destruction policies for public and private companies.

Mergers and acquisitions due diligence assistance: Information systems are an increasingly important part of any merger, acquisition, or sale. For buyers, it is critical that due diligence be conducted to avoid the purchase of a data breach. For sellers, it is critical to ensure that representations and warranties about the security of information systems are accurate. Lewis Brisbois attorneys understand these dynamics and regularly work with clients to conduct the due diligence necessary to guide them through the merger, acquisition, or sale process.

Employee/Board/Executive training: We also assist clients to identify and prioritize employee training needs, develop customized training to educate employees about network security awareness, and develop customized presentations for Boards and Executives about information security threats and risks while addressing the business case for information security.

Facilitation of confidential third-party technology projects: Our team facilitates confidential third-party technology engagements to ensure they are covered by the attorney-client privilege to the extent permitted by law. These projects may involve system vulnerability assessments, system penetration testing, and forensics investigations. Our attorneys assist clients to identify an appropriate vendor, determine appropriate scope, facilitate and execute pertinent contracts, oversee the various projects to ensure they remain within scope and budget, and review and edit preliminary reports to ensure they are accurate and in a format acceptable for regulators should they need to be produced.

General information security consulting: We regularly counsel clients in all business sectors on commercially reasonable practices to enhance their enterprise security posture. This includes reviewing information security practices, facilitating self-assessments, and helping to identify and reduce system vulnerabilities to mitigate the risk and scale of a breach.

THE LEWIS BRISBOIS TEAM IS ALWAYS AVAILABLE TO RESPOND: Lewis Brisbois attorneys are available 24/7/365 and geographically distributed throughout the United States to immediately and effectively respond and remediate any type of data security incident – any type, anytime, anywhere.


Vice Chairs

Related News, Publications & Events