Privacy & Information Security Law Blog

Hunton Andrews Kurth LLP is pleased to announce that Chambers & Partners ranked Hunton’s Privacy and Cybersecurity practice in Band 1 in the recently released 2023 Chambers USA guide. The firm has been recognized by Chambers among the “elite” firms for privacy and data security for several years. As noted to Chambers by clients, the team “truly has one of the best privacy practices in the world. They’re practical and take the time to understand the client's business and objectives.” In addition, partners Lisa Sotto, Aaron Simpson and Brittany Bacon were recognized in the guide.

On January 25, 2023, Hunton Andrews Kurth’s retail industry team released its annual Retail Industry in Review publication, which provides an overview of key issues and trends that impacted the retail sector in the past year, as well as a preview of relevant legal issues retailers can expect to arise in 2023. This year’s publication highlights key topics including cyber insurance, cybersecurity and privacy accountability, M&A activity, regulation and litigation related to PFAS, labor organizing, developments in ESG disclosure and more.

On February 8, 2022, BTI Consulting Group honored Hunton partners Aaron Simpson and Lisa Sotto as BTI Client Service All-Stars for 2022. Aaron and Lisa join a select group of lawyers identified as client service leaders by corporate counsel at the world’s leading organizations. Lisa, also recognized as a Super All-Star, breaks BTI records by being nominated by six clients, the highest number of nominations so far. The BTI Client Service All-Stars “is the only ranking and attorney recognition relying solely on clients.” BTI singles out these attorneys as practical, savvy, in the know, available, nimble, and skilled to deal with complex issues.

This is an extraordinary and unprecedented time for the retail industry. Hunton Andrews Kurth’s 2020 Retail Industry Year in Review provides an in-depth analysis of the issues and challenges that retailers faced in the past year, and a look ahead at what they can expect in 2021. The Year in Review includes several articles authored by our privacy and cybersecurity lawyers, including on topics such as the cashier-less technology revolution, the California Privacy Rights Act of 2020 and “buy now, pay later” plans.

Read the full publication.

The global privacy and cybersecurity team at Hunton Andrews Kurth has authored multiple chapters of the 2021 Data Protection & Privacy guide by Lexology’s Getting the Deal Through. Partner Aaron P. Simpson and practice chair Lisa J. Sotto served as contributing editors of the ninth edition of the annual guide, which provides summary and analysis in key areas of law, practice and regulation for 150 jurisdictions across the globe.

In one of the most important cases on global data transfers, the Court of Justice of the European Union (“CJEU”) will rule on the validity of the Standard Contractual Clauses (“SCCs”) in the Schrems II case (case C-311/18) on July 16, 2020. Invalidation of the SCCs would leave businesses scrambling to find an alternative data transfer mechanism. But there may be significant practical challenges for businesses even if the SCCs survive.

In GIR’s recently published Guide to Cyber Investigations, Hunton Andrews Kurth partner Aaron Simpson and associate Adam Solomon are featured as contributing authors to the chapter on Complying with Breach Notification Obligations in a Global Setting: A Legal Perspective.

On November 19, 2019, Hunton Andrews Kurth will host an in-person breakfast briefing in the firm’s London office to explore the California Consumer Privacy Act (“CCPA”), against the backdrop of the EU General Data Protection Regulation (“GDPR”).

In the seminar, we will discuss:

• The CCPA in the context of the GDPR, covering the similarities and differences between the frameworks
•  Key CCPA obligations
• The CCPA’s approach to enforcement and penalties
• How businesses are approaching CCPA compliance, and leveraging their GDPR work

The event will be led by Hunton partners ...

On June 4, 2019, Hunton hosted a webinar with partners Lisa Sotto, Aaron Simpson, Brittany Bacon and Fred Eames on the evolving U.S. privacy landscape. The past year has seen highly consequential legislative developments in U.S. privacy law affecting compliance obligations for businesses that have or use consumer data. Various states and the U.S. Congress are considering bills that could transform privacy in the United States. In this program, our speakers discuss the California Consumer Privacy Act of 2018 (“CCPA”) and other significant state and federal privacy legislation.

Hunton Andrews Kurth LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report setting forth best practices for an effective data breach notification framework (the “Report”). Lead Hunton authors are Lisa J. Sotto, chair of the Global Privacy and Cybersecurity practice, and partners Brittany M. Bacon and Aaron P. Simpson.

On January 16, 2019, Hunton Andrews Kurth hosted a breakfast seminar in London, entitled “GDPR: Post Implementation Review.” Bridget Treacy, Aaron Simpson and James Henderson from Hunton Andrews Kurth and Bojana Bellamy from the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth discussed some of the challenges and successes companies encountered in implementing the EU General Data Protection Regulation (the “GDPR”), and also identified key data protection challenges that lie ahead. The Hunton team was joined by Neil Paterson, Group Data Protection Coordinator of TUI Group; Miles Briggs, Data Protection Officer of TUI UK & Ireland; and Vivienne Artz, Chief Privacy Officer at Refinitiv, who provided an in-house perspective on the GDPR.

On March 7, 2018, Hunton & Williams LLP hosted a webinar with partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon on the Securities and Exchange Commission’s (“SEC’s”) recently released cybersecurity guidance. For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk.

Last week, the Centre for Information Policy Leadership (“CIPL”) and several privacy team members at Hunton & Williams LLP attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong (the “Conference”). The weeklong event hosted by Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong was attended by over 3000 privacy professionals from data protection authorities (“DPAs”), industry and research sectors. CIPL hosted two events at the conference, as well as a joint roundtable with Hunton & Williams and Citibank, throughout the week.

Recently, the fourth edition of the book, The International Comparative Legal Guide to: Data Protection 2017, was published by the Global Legal Group. Hunton & Williams’ Global Privacy and Cybersecurity lawyers prepared several chapters in the guide, including the opening chapter on “All Change for Data Protection: The European Data Protection Regulation,” co-authored by London partner Bridget Treacy and associate Anita Bapat. Several other global privacy and cybersecurity team members also prepared chapters in the guide, including David Dumont (Belgium), Claire François (France), Judy Li (China), Manuel E. Maisog (China), Wim Nauwelaerts (Belgium), Anna Pateraki (Germany), Aaron P. Simpson (United States), Adam Smith (United Kingdom) and Jenna Rode (United States).

As companies in the EU and the U.S. prepare for the application of the EU General Data Protection Regulation (“GDPR”) in May 2018, Hunton & Williams’ Global Privacy and Cybersecurity partner Aaron Simpson discusses with Forcepoint the key, significant changes from the EU Directive that companies must comply with before next year. Accountability, expanded data subject rights, breach notification, sanctions and data transfer mechanisms are a few requirements that Simpson explores in detail. He reminds companies that, in the coming year, it will be very important to ...

On March 21, 2017, Hunton & Williams is pleased to host an in-person seminar in its London office featuring seasoned cybersecurity practitioners. Drawing from deep experience in their respective fields, the panel members will discuss the implications of the EU General Data Protection Regulation’s breach notification obligations in the context of a state-of-the-art cyber attack simulation. In doing so, the panelists will share best practices to help protect organizations in the event of a cyber attack.

Hunton & Williams announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. 

The Privacy team at Hunton & Williams has authored several chapters of the recently published 2017 guide to data protection and privacy for Getting the Deal Through. The publication covers data privacy and data protection laws in 26 jurisdictions across the globe. Wim Nauwelaerts, Privacy team partner in the firm’s Brussels office, served as the contributing editor of the guide and co-authored the Belgium chapter and the EU overview.

Earlier this month, Hunton & Williams announced that Global Privacy and Cybersecurity partner Aaron P. Simpson has switched to London from the firm’s New York office. He will continue his work on behalf of clients as a leader of the firm’s Global Privacy and Cybersecurity practice.

Hunton & Williams announces its participation with the Global Legal Group in the publication of the third edition of the book The International Comparative Legal Guide to: Data Protection 2016. The guide provides corporate counsel and international practitioners with a comprehensive worldwide legal analysis of the laws and regulations relating to data protection. Bridget Treacy, partner and head of the UK privacy and cybersecurity practice, served as the contributing editor of the guide and co-authored the UK chapter.

Chambers & Partners ranked Hunton & Williams LLP’s Global Privacy and Cybersecurity practice in Band 1 in the recently released 2016 Global guide. The firm has been recognized by Chambers Global as a Band 1 firm, global-wide, for data protection for the past nine years. As noted by Chambers Global, the team is a “[t]op-ranked firm with notable strength negotiating with regulators and advising on compliance programmes.”

On March 9, 2016, Hunton & Williams LLP hosted a webinar regarding the impact of the EU General Data Protection Regulation (“GDPR”) on global companies. Partner Aaron Simpson moderated the session, and speakers included partner and head of the Global Privacy and Cybersecurity practice Lisa Sotto and partner Wim Nauwelaerts. Together, they explored the key components of the GDPR and discussed a roadmap toward compliance.

The webinar was the first segment in a two-part series, and Part 2 will be held in April.

A federal judge of the U.S. District Court for the Northern District of Illinois denied Neiman Marcus’ motion to dismiss in Remijas et al. v. Neiman Marcus Group, LLC, 1:14-cv-01735.  As we previously reported, the Seventh Circuit reversed Judge James B. Zagel’s earlier decision dismissing the class action complaint based on Article III standing. At that time the Seventh Circuit declined to analyze dismissal under Federal Rule of Civil Procedure 12(b)(6) due to, among other reasons, the district court’s focus on standing.

Hunton & Williams LLP’s Aaron Simpson, partner in the firm’s Global Privacy and Cybersecurity practice, and Adam Solomon, associate, co-authored an article in Pratt’s Privacy & Cybersecurity Law Report entitled Dealmakers Ignore Cyber Risks At Their Own Peril.

The United States District Court for the Northern District of California recently dismissed―without prejudice―a former Uber driver’s class action complaint. The driver, Sasha Antman, was one of roughly 50,000 drivers whose personal information was exposed during a May 2014 data breach. Uber contended the accessed files contained only the affected individuals’ names and drivers’ license numbers.

On September 17, 2015, the Seventh Circuit rejected Neiman Marcus’ petition for a rehearing en banc of Remijas v. Neiman Marcus Group, LLC, No. 14-3122. In Remijas, a Seventh Circuit panel found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach that resulted in hackers gaining access to customers’ credit and debit card information. No judge in regular active service requested a vote on the rehearing petition. Additionally, all members of the original panel voted to deny rehearing. As we previously reported, and according to The Practitioner's Handbook for Appeals to the United States Court of Appeals for the Seventh Circuit, “it is more likely to have a petition for writ of certiorari granted by the Supreme Court than to have a request for en banc consideration granted” in the Seventh Circuit.

On August 3, 2015, Neiman Marcus requested en banc review of the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, LLC, No. 14-3122. As we previously reported, the Seventh Circuit found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach. During that breach, hackers gained access to customers’ credit and debit card information.

On July 20, 2015, the United States Court of Appeals for the Seventh Circuit reversed a previous decision that dismissed a putative data breach class action against Neiman Marcus for lack of Article III standing. Remijas et al. v. Neiman Marcus Group, LLC, No. 14-3122.

Hunton & Williams is pleased to announce its participation with the Global Legal Group in the publication of the second edition of the book The International Comparative Legal Guide to: Data Protection 2015. Members of the Hunton & Williams Global Privacy and Cybersecurity team prepared several chapters in the guide, including the opening chapter on “Legislative Change: Assessing the European Commission’s Proposal for a Data Protection Regulation,” and chapters on Belgium, China, France, Germany, the United Kingdom and the United States.

The U.S. District Court for the Central District of California recently granted, only in part, a motion to dismiss a data breach class action against Sony Pictures Entertainment, Inc. (“Sony”) in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK) (C.D. Cal. June 15, 2015). The case therefore will proceed with some of the claims intact.

Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group has written a portfolio for Bloomberg BNA on information security and data breach issues in the United States and globally. Cybersecurity and Data Breach offers a broad overview of relevant legal requirements in the United States, European Union and select countries around the world. The portfolio includes practical guidance and advice on managing a data security breach, from managing an investigation and conducting remediation to providing notification to affected individuals, regulators, consumer reporting agencies, employees, boards of directors and the public. It also provides details on proactive cyber readiness activities such as preparing an Incident Response Plan, conducting tabletop exercises, and developing a vendor and employee management program. Cybersecurity and Data Breach is available at Bloomberg BNA’s Privacy & Data Security Law Resource Center and also at Bloomberg Law.

Hunton & Williams LLP proudly announces that the firm’s Global Privacy and Cybersecurity practice was ranked in Tier 1 in The Legal 500 United States 2014 guide for cyber crime and data protection and privacy. Global practice chair Lisa Sotto also was ranked as a leading lawyer and partner Aaron Simpson was highlighted for his work on privacy and cybersecurity matters.

Hunton & Williams LLP is pleased to announce that several privacy lawyers were named to the New York Metro Super Lawyers list for 2013. For the eighth consecutive year, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was selected as a New York Super Lawyer. She also was featured in the latest edition of New York Super Lawyers Magazine in an article entitled “The Queen of Breach: Privacy Expert Lisa Sotto Goes Public.” In addition, partner Aaron P. Simpson was included as a Rising Star for the third year in a row, and associate ...

On September 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the first webcast in its new Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation, recent Safe Harbor issues from both European and American perspectives, and cybersecurity developments on both sides of the Atlantic.

Listen to a recording of the September Hunton Global Privacy Update.

Hunton Global Privacy Update sessions are 30-minutes in length and are scheduled to take place every two months.

Hunton & Williams LLP proudly announces that the firm’s global Privacy and Cybersecurity practice was top-ranked in both The Legal 500 United States and EMEA 2013 guides. This is the fourth consecutive year that the practice has been listed in “Tier 1” by The Legal 500 United States.

Hunton & Williams LLP is pleased to announce the firm’s global Privacy and Data Security practice again ranked in “Band 1” in 2013 Chambers USA, Chambers Global and Chambers UK.

Global practice group leader Lisa Sotto, who was recently named among The National Law Journal’s “The 100 Most Influential Lawyers in America,” was recognized in Chambers USA as a “Star” performer, the guide’s highest ranking. Sotto was the only privacy lawyer in the U.S. to receive this distinguished ranking. In the same guide, New York partner Aaron Simpson was highlighted for his notable work in advising on global privacy and data security matters.

The wait is over. On January 17, 2013, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released its long-anticipated megarule (“Omnibus Rule”) amending the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. These amendments implement and expand on the requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the Genetic Information Nondiscrimination Act of 2008. The Omnibus Rule is effective March 26, 2013, and compliance is required with respect to most provisions no later than September 23, 2013. Coming into compliance will require significant effort and attention by covered entities and business associates alike. Below we highlight some of the more significant aspects of the Omnibus Rule and provide critical compliance tips.

Hunton & Williams LLP is pleased to announce its 2012 top rankings from Chambers and Partners and The Legal 500: United States. The firm consistently has maintained its number one ranking in both surveys for its Privacy and Data Security practice.

Hunton & Williams LLP is pleased to congratulate Aaron P. Simpson for his inclusion in Super Lawyers New York Rising Stars 2011. His practice focuses on complex privacy and data security matters, including assisting clients with the remediation of large-scale data security incidents and compliance with federal, state and international privacy and data security requirements. In addition, for the sixth consecutive year, Lisa J. Sotto, head of the Global Privacy and Data Security practice at Hunton & Williams, was selected as a New York Super Lawyer ...

Hunton & Williams LLP is pleased to announce its 2011 rankings from Chambers and Partners and The Legal 500: United States.  The firm maintained its number one ranking in both surveys for its Privacy and Data Security practice.

For the last four years, the firm has held the “Band 1” ranking for Privacy and Data Security by both the Chambers USA and Chambers Global guides.  In its Chambers USA guide, Chambers and Partners recognized the firm’s privacy and data security practice for its “full spectrum of privacy issues including data security breaches, records and information management and legislation compliance.”  Hunton & Williams also received the highest honors for its client service and “commercial awareness.”  In addition, the practice was praised for its connections with regulatory agencies. Lisa J. Sotto, partner and head of the firm’s Privacy and Data Security practice, was ranked in “Band 1,” and was singled out for her “tremendous wealth of knowledge” and proactive nature in assisting clients.

Please join us at these great events coming up this fall.  Several members of Hunton & Williams’ Privacy and Information Management team are presenting at these events to discuss the current and evolving privacy and data security issues occurring around the world.

Internet Rights and Technology: A Practical Legal Guide to Doing Business on the Internet – New York City Bar
On September 28, 2010, 6:00 p.m. – 8:45 p.m., the New York City Bar hosts a live program to discuss how the Internet affects various areas of law, including intellectual property, new media, litigation, regulatory and licensing.  The faculty includes Hunton & Williams partner, Aaron P. Simpson, who will lead the Privacy & Data Security session.

Richard Thomas (RT): Lisa, congratulations on the publication of the new treatise.  I’m sure the Privacy team has been waiting for its release.  Could you give us some background on what prompted you and the team to write the Privacy and Data Security Law Deskbook?

Lisa Sotto (LS): Thanks, Richard.  Privacy and information security are topics that have received significant attention during the last few years.  Organizations that manage personal information are under the microscope and are struggling to keep up with the many new and evolving legal requirements around the world.  In addition, there is a real uptick in enforcement actions for privacy and data security incidents.  As the former Information Commissioner of the UK, I’m sure you would agree that privacy is an issue on which nearly every global company must focus.  In 2009 alone, companies spent an average of $6.6 million to rebuild their brand image and retain customers after being involved in some type of data breach the previous year.

On July 20, 2010, Hunton & Williams announced the release of the first edition treatise Privacy and Data Security Law Deskbook (Aspen Publishers) by lead author Lisa J. Sotto, managing partner of the firm’s New York office and head of the firm’s global Privacy and Information Management practice.  The deskbook provides a detailed overview (with thousands of specific citations for the legal practitioner) of those areas of information privacy and data security law that have the greatest impact on and are most relevant to U.S. businesses operating in the global arena.  In addition ...

Hunton & Williams is pleased to announce its 2010 rankings from Chambers and Partners and The Legal 500 United States.  The firm was ranked #1 in both surveys for its Privacy and Information Management practice.

Once again, the firm was ranked in "Band 1" for Privacy and Data Security by both the Chambers USA and Chambers Global guides.  Chambers notes, "the team is particularly praised for its international expertise, especially in matters involving the European Union, such as cross-border data transfers."  Clients note that the firm "is a major competitor, especially on data ...

Don’t miss the 2009 International Association of Privacy Professionals’ (“IAPP”) Privacy Academy in Boston, MA, September 16-18th. The Academy provides various program topics on operational privacy and technology, as well as advanced breakout sessions focusing on today’s cutting edge privacy issues. We hope you will visit our privacy attorneys who are speaking on the following panels:

• Suggestions From the States: Designing a Workable Breach Notice Requirement, Thursday, September 17, 11 a.m. – 12 p.m., Aaron Simpson, Hunton & Williams, moderates, and speakers ...

For the third year in a row, Hunton & Williams LLP has been named the top firm for privacy by Computerworld magazine. In its third annual report on top privacy advisers, the poll surveyed corporate privacy leaders in North America and Europe. The firm was ranked #1 by the respondents overall and by those in the Fortune 1000. When respondents were broken out by industry, Hunton & Williams topped the list as “providing the best privacy advice” in every industry category, including the financial, technology, consumer products and retail, healthcare, media and entertainment, and manufacturing sectors.