Decorative building image

Data Privacy & Security

Data Privacy & Security

Data Privacy & Security

Download PDFDownload PDF
Print
Share

Overview

BCLP’s Global Data Privacy and Security team is composed of lawyers located across the United States, the United Kingdom and continental Europe, and Asia.  We routinely advise clients in a variety of sectors, including hospitality, consumer services, healthcare, software and technology, financial services, travel, manufacturing, and retail. We coordinate advice across multiple jurisdictions for clients working to achieve the most streamlined international data privacy strategy as possible, and we excel at helping companies achieve their business goals while balancing and addressing privacy and security obligations in a practical, business-focused approach.  We pride ourselves on our responsiveness and building teams shaped to meet our clients’ needs. 

AI legislation & regulation trackers

AI legislation & regulation trackers

US state-by-state

AI legislation snapshot

To help companies achieve their business goals while minimizing regulatory risk, our team actively tracks proposed and enacted AI regulatory bills from across the United States to enable our clients to stay informed in this rapidly-changing regulatory landscape.

UK and EU

UK and EU take divergent approaches to AI regulation

As companies increasingly integrate AI into their products, services, processes, and decision-making, they will need to do so in ways that comply with the varying regulatory approaches in the UK and EU.  Our UK and EU AI Regulation Tracker will keep you updated on legislation that, if passed, would directly impact businesses’ development or deployment of AI solutions in the UK and EU.

Privacy Advisory

Our team has extensive experience handling the full scope of complex privacy and security issues.  From a data privacy perspective, we advise clients on the development of comprehensive privacy and data protection programs, data sharing and international mobilization of data, complex transactions involving monetization and licensing of data, as well as with conducting gap assessments to align with international privacy standards, responding to regulatory investigations and inquiries, and defending companies in court and before government agencies in enforcement actions. 

This counseling spans the gamut of US and non-US privacy laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, state privacy and data breach laws, FTC and state law enforcement issues, as well as emerging laws and regulations around the world.

Incident Response and Preparedness

In the context of incident response and preparedness, we have a world class incident response practice that has helped clients navigate major security incidents and data breaches, including ransomware attacks, O365 mailbox intrusions, malware, credential harvesting, insider threats, and inadvertent disclosure. We leverage that experience to help companies identify and remediate gaps in their readiness and to train companies how to respond to breaches effectively. Should an incident occur, BCLP’s 24-hour data breach hotline connects clients directly with experienced attorneys who will guide companies through all aspects of breach response, from investigation and notification to regulatory investigation or litigation. Our experience and practical approach to data breach response uniquely equip us to assist organizations by understanding both the law and the business implications of data breaches. We help clients get ahead of incident response issues by a providing range of offerings, including bespoke “drill” exercises with c-suite executives, analysis of insurance coverage, contractual analysis to identify business partners and customers who require notification of a breach, and evaluation and engagement of third party providers under privilege (forensics, PR, call centers).

We are continually working to understand new privacy and security issues and to partner with our clients to shape practical, risk-based solutions that can be adapted over time to ever-changing technologies, business priorities and laws.            

Amy de La Lama

Amy de La Lama

Partner; Chair – Global Data Privacy and Security Practice; and Global Practice Group Leader – Technology, Commercial and Government Affairs, Boulder

+1 303 417 8535
Geraldine Scali

Geraldine Scali

Partner and EMEA Lead of Data Privacy and Security, London

+44 (0) 20 3400 4483
Christian M. Auty

Christian M. Auty

Partner and US Lead – Data Privacy and Security , Chicago

+1 312 602 5144
Amy de La Lama

Amy de La Lama

Partner; Chair – Global Data Privacy and Security Practice; and Global Practice Group Leader – Technology, Commercial and Government Affairs, Boulder

+1 303 417 8535
Geraldine Scali

Geraldine Scali

Partner and EMEA Lead of Data Privacy and Security, London

+44 (0) 20 3400 4483
Christian M. Auty

Christian M. Auty

Partner and US Lead – Data Privacy and Security , Chicago

+1 312 602 5144

Meet The Team

Amy de La Lama

Amy de La Lama

Partner; Chair – Global Data Privacy and Security Practice; and Global Practice Group Leader – Technology, Commercial and Government Affairs, Boulder

+1 303 417 8535
Geraldine Scali

Geraldine Scali

Partner and EMEA Lead of Data Privacy and Security, London

+44 (0) 20 3400 4483
Christian M. Auty

Christian M. Auty

Partner and US Lead – Data Privacy and Security , Chicago

+1 312 602 5144

Experience

  • Defending a major online fashion retailer in a lawsuit alleging violation of the Video Privacy Protection Act.  The suit alleges that the client hosts video content on its website and that by also using Facebook pixels on its website to track usage statistics, it is unlawfully sharing personally identifiable information concerning videos viewed by users with a third party, in violation of the VPPA.
  • Defending a provider of crypto currency trading software in a class action lawsuit filed in the wake of disclosures that the company was the victim of criminal hacking. The hacking resulted in the unauthorized disclosure of API keys, which were allegedly used by the hackers to consummate unauthorized trades in user accounts on various crypto currency exchanges.

Representative Clients

  • Red Robin – Casual dining restaurant chain operating in the U.S.
  • Delaware North – Manages and provides food and beverage concessions, dining, entertainment and lodging at high-profile locations throughout the world
  • Best Western International – One of the top five largest hotel chains in the world.
  • World Wide Technology, Inc.  – One of the 100 largest privately held companies in the United States; provides technology needs to national and multi-national companies with revenues in excess of $7.4 billion annually
  • Grindr LLC – Grindr is the premiere platform for the global LGBTQ+ community to connect, learn and champion their rights. With more than 3.8 million daily active users in more than 190 countries, Grindr empowers people to be themselves in a safe and meaningful way. Given the sensitive nature of information disclosed in-app, the company is focused on global compliance with data privacy and security laws.
  • Washington University in St. Louis. – Washington University is routinely ranked as one of the top 15 universities within the United States, and one of the top 5 medical schools in the United States.
  • IHS Markit Ltd. – Global diversified provider of critical information, analytics, and solutions
  • Dillard’s Inc. – An upscale department store chain in the U.S. with more than 325 stores in 28 states
  • eClinicalWorks – One of the main providers of electronic medical records to physicians and health groups
  • Backstop Solutions – Provider of portfolio management technology to financial advisors and hedge funds

Related Insights

Insights
Oct 01, 2024

From Code to Compliance: Essential Steps to Adapt to Colorado’s New AI Law

On May 17, 2024, Colorado’s Governor Jared Polis signed into law The Colorado AI Act (SB205).  SB205 will take effect on February 1, 2026, and regulates the use of certain high-risk artificial intelligence (AI) systems. While the 2026 effective date could lull companies into thinking that preparing for the law can wait, its complex requirements will demand timing and planning to address. Additionally, Colorado is not the only US state to step into the ring of AI regulation and enforcement, and many of the steps needed to prepare for the SB205 will help build a compliance foundation for meeting other emerging laws. To help companies begin this process, we have prepared an overview of the law and identified essential compliance steps businesses should take now.
Insights
Sep 03, 2024

AI Surveillance and Data Privacy at the Games

As the Paris 2024 Summer Olympic and Paralympic Games (the “Games”) turn onto the final straight, the Games have yet again captured widespread global attention, on and off the track. With over 15.3 million visitors in Paris this summer for the Games, data security has emerged as a critical concern. To enhance the safety of athletes, spectators and residents, the French government implemented specific measures, including a bill relating to the Games (the “OG law”), a legislative measure passed on 19 May 2023, to bolster security during the Games[1]. The “OG law” introduces advanced security measures, notably the use of experimental algorithmic video surveillance systems. This article focuses on the deployment of these augmented surveillance systems during the Games and examines the associated GDPR compliance and privacy dilemmas that subsequently arise. 
Insights
Aug 13, 2024

Arizona Spy Pixel Class Action Litigation Update

Recently filed class action complaints allege that companies that utilize embedded trackers within emails, or “spy pixels” as the plaintiffs are calling them, violate Arizona law because they collect a “communication service record” without first obtaining the consumer’s consent.

Related Insights

Blog Post
Nov 06, 2024
The SEC is watching: four companies charged for misleading cyber disclosures
Insights
Oct 28, 2024
Key Concepts In Privacy Law for Insurance Companies: Part 1 – GLBA
Insights
Oct 01, 2024
From Code to Compliance: Essential Steps to Adapt to Colorado’s New AI Law
On May 17, 2024, Colorado’s Governor Jared Polis signed into law The Colorado AI Act (SB205).  SB205 will take effect on February 1, 2026, and regulates the use of certain high-risk artificial intelligence (AI) systems. While the 2026 effective date could lull companies into thinking that preparing for the law can wait, its complex requirements will demand timing and planning to address. Additionally, Colorado is not the only US state to step into the ring of AI regulation and enforcement, and many of the steps needed to prepare for the SB205 will help build a compliance foundation for meeting other emerging laws. To help companies begin this process, we have prepared an overview of the law and identified essential compliance steps businesses should take now.
Insights
Sep 20, 2024
The EU’s Digital Operational Resilience Act 2022/2554 (DORA)
Insights
Sep 12, 2024
Navigating a Security Incident - Communication “Dos” and “Don’ts”
Insights
Sep 10, 2024
Navigating a Security Incident - Best Practices for Engaging Service Providers
Insights
Sep 03, 2024
AI Surveillance and Data Privacy at the Games
As the Paris 2024 Summer Olympic and Paralympic Games (the “Games”) turn onto the final straight, the Games have yet again captured widespread global attention, on and off the track. With over 15.3 million visitors in Paris this summer for the Games, data security has emerged as a critical concern. To enhance the safety of athletes, spectators and residents, the French government implemented specific measures, including a bill relating to the Games (the “OG law”), a legislative measure passed on 19 May 2023, to bolster security during the Games[1]. The “OG law” introduces advanced security measures, notably the use of experimental algorithmic video surveillance systems. This article focuses on the deployment of these augmented surveillance systems during the Games and examines the associated GDPR compliance and privacy dilemmas that subsequently arise. 
Insights
Aug 16, 2024
Federal Court Rejects Motion to Dismiss Wiretap Claims Using HIPAA to Support Crime-Tort Exception Allegations
Insights
Aug 13, 2024
Arizona Spy Pixel Class Action Litigation Update
Recently filed class action complaints allege that companies that utilize embedded trackers within emails, or “spy pixels” as the plaintiffs are calling them, violate Arizona law because they collect a “communication service record” without first obtaining the consumer’s consent.