Artificial Intelligence, Cybersecurity & Privacy

We draft, review, and negotiate Data Processing Agreements (DPAs), vendor contracts, and terms governing the collection, use, sharing, and storage of personal data. For cross-border transfers, we advise on implementing Standard Contractual Clauses, meeting data localization requirements, and navigating legal frameworks for transferring data between jurisdictions, particularly between the EU/UK and United States. SaaS providers, service vendors, and global operators rely on us to address the legal and operational challenges of data processing and lawful data flows.

For organizations subject to GDPR and similar privacy regimes, we offer outsourced Data Protection Officer (DPO) services. Our lawyers act as your DPO—monitoring compliance, providing regular updates and training, overseeing data protection impact assessments, and serving as your company’s point of contact with regulators and individuals. You get access to partner-level privacy and compliance guidance without adding headcount.

Effective cybersecurity depends on the right blend of technical and legal controls. We partner with IT and leadership teams to develop, review, and update cybersecurity policies that address risks to data both “at rest” and “in transit.” Our services include preparing incident response plans, performing AI and security risk assessments, and guiding readiness for third-party security audits. We also help implement administrative, technical, and physical safeguards tailored to your risk profile and industry’s expectations, ensuring ongoing compliance and resilience.

Organizations deploying AI tools need to ensure they’re used responsibly, ethically and lawfully. We advise on the development and implementation of AI governance frameworks, from establishing “AI Principles” and ethical use standards to ensuring transparency, bias mitigation, and appropriate human oversight. Our team helps ensure AI deployments comply with evolving regulations such as the EU AI Act and align with your organization’s strategic objectives.

Digital advertising and marketing raise distinct privacy challenges related to the use of tracking technologies, targeted campaigns, and communication strategies. We advise on structuring privacy notices, managing consumer consent, and ensuring the lawful use of cookies and marketing analytics. For email or SMS/text campaigns, we guide compliance with the CAN-SPAM Act and TCPA, covering consent, opt-outs mechanisms, and consumer preference management—to reduce regulatory risk and maintain consumer trust.

Organizations handling healthcare or medical data face stringent obligations under HIPAA, the HITECH Act, and international privacy laws. We advise on the management and protection of Protected Health Information (PHI), draft and review Business Associate Agreements, and support compliance in clinical trial and research settings. Our team addresses the full data lifecycle for sensitive or special categories of personal data, from collection through cross-border transfer and reporting, supporting pharma, biotech, and research organizations.

A proactive, well-prepared response is essential when a data breach or cybersecurity incident occurs. Our attorneys develop and review Data Breach Incident Response Plans, advise on notification obligations across all U.S. states and international jurisdictions, and help manage communications with affected individuals and regulators. We support your business through the incident, remediation, and post-event assessment, strengthening future resilience and ensuring you meet all notification requirements.

We advise educational service providers, government agencies and educational institutions involving child and student privacy. Our work includes compliance with FERPA, PPRA, and other student privacy laws, as well as COPPA and related child safety requirements. We negotiate student data privacy agreements and data sharing agreements with state, municipal and other government agencies, NGOs and corporations in the US and abroad.