
Privacy & Cybersecurity


As the amount of — and potential uses for — personal and consumer data increases exponentially, the gathering, storing, safe handling, and sharing of that data have become pressing concerns for businesses around the world. In a recent survey by the Association of Corporate Counsel, chief legal officers identified cybersecurity as one of the top issues keeping in-house lawyers up at night. One in five said their organization had experienced a data breach within the past two years.

To help you meet these challenges, Michael Best has assembled a multi-disciplinary team of attorneys who understand how privacy and cybersecurity laws intersect with other areas of law and industry-specific regulations. Because we know our clients need to do more than just react to the latest breach, we provide forward-looking, comprehensive counsel and litigation defense. Our Privacy & Cybersecurity team advises and represents clients in many different sectors, including energy, financial services, healthcare, pharmaceutical, media, education, consumer products, agriculture, manufacturing, science, and technology. 


Any organization with operations involving the collection, retention, use, processing, or disclosure of personally identifiable information (PII), or that engages in internet or mobile marketing, is subject to various federal and state privacy and security laws. PII is broader than many people realize and may include: Social Security number, address, email, phone number, health information, biometric data, financial information, consumer credit information, or background checks (including drug testing).

To complicate matters, the United States lacks a comprehensive federal law regulating the use of PII, instead taking a sectoral approach to privacy and data security regulation. Michael Best helps clients navigate the complex and rapidly changing landscape of regulations, including:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Genetic Information Nondiscrimination Act (GINA)
  • Fair Credit Reporting Act (FCRA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Gramm-Leach-Bliley Act
  • Dodd-Frank Wall Street Reform and Consumer Protection Act
  • Anti-money laundering laws
  • Family Educational Rights and Privacy Act (FERPA)
  • Protection of Pupil Rights Amendment (PPRA)
  • Americans with Disabilities Act (ADA)
  • Electronic Communications Privacy Act (ECPA)
  • Telephone Consumer Protection Act (TCPA)
  • Telecommunications Act of 1996
  • Children’s Online Privacy Protection Act (COPPA)
  • Payment card industry (PCI) issues
  • North American Electric Reliability Corporation (NERC) standards, including critical infrastructure protection standards (CIPS)
  • State laws relating to consumer privacy
  • State financial regulations relating to privacy
  • EU-US Privacy Shield, EU Cookie Directive, and other international regulations

Service Areas

Privacy & Cybersecurity Counseling

Advising clients on compliance with, and auditing policies and practices related to, privacy and data security regulation in areas such as: employee and workplace management; M&A; negotiating and drafting data agreements and transactions involving personally identifiable information; cross-border issues; cyber insurance coverage; and in sectors including finance, healthcare, and energy.


Privacy & Cybersecurity Litigation

Representing clients in regulatory actions, government investigations, arbitrations, and civil litigation involving a wide range of privacy and data security regulations; helping clients prepare for and conduct data breach and incident responses, investigations, and litigation.



  • Represented various clients in assessing and responding to data breaches, managing multi-state breach notifications, including notification to regulators, and providing credit monitoring
  • Negotiated data aggregation agreement between client and major financial institution to allow sharing of financial institution customer information with third parties
  • Counseled on sharing of financial institution nonpublic personal information with non-affiliated third parties under joint marketing agreements and service provider agreements in order to increase and refine targeted marketing efforts
  • Advised on FCRA issues relating to firm offers of credit involving financial institution, credit bureau, and multiple service providers
