Locke Lord’s Privacy & Cybersecurity Practice Group consists of more than 30 lawyers in 13 offices across the United States and in London. With a range of backgrounds in insurance, finance, retail, health care, energy, intellectual property and litigation (among others), our group provides advice that takes into account the standards and practices of the industries and legal frameworks in which our clients operate, as well as laws and regulations of countries on a worldwide basis. With a history of rankings by various institutions, our privacy and cybersecurity practice and individual lawyers have been recognized as leaders in the field by both Legal 500 and Chambers USA. Locke Lord was ranked third among firms for outside counsel in the Cyber/Privacy category in Corporate Counsel's Best of 2020. We are members of the International Association of Privacy Professionals (“IAPP”) and several of the members of our Privacy & Cybersecurity Practice Group are IAPP Certified Information Privacy Professionals.

Our lawyers counsel clients with respect to data stewardship and management in a time of explosive information and technological growth. We help clients protect and manage personal data as well as proprietary and other information assets and other cyber risk exposures. We guide our clients in meeting their legal, regulatory and contractual obligations concerning the collection, use, transmission, storage and destruction of data and in mitigating the cybersecurity risks. Our lawyers regularly develop document retention policies, information security plans, privacy policies, data breach plans and other inward-facing materials. In the event of a security incident, we provide the requisite legal evaluation, guide forensic evaluations and, if necessary, prepare data breach responses and oversee remediation, as well as work with clients to prepare for and respond to inquiries from governmental agencies and affected individuals.

We provide the following services to our clients:

Incident Preparedness and Risk Management

Our lawyers regularly help clients address and mitigate privacy and cyber risks in connection with business operations, data handling, contracts, marketing and e-commerce. From the development of policies and procedures – including written documentation policies, information security programs, incident response plans and mobile workforce policies – to privacy impact assessments, identity management systems and the protection and use of encryption technologies, we can offer up-to-date, industry-specific experience and practical advice. Our lawyers also bring sophisticated transactional experience in data-centric commercial relationships such as digital marketing, HR information services, data exchanges and enterprise cloud computing. In recognition that responsible data practices are of concern to Boards as well as IT professionals, we frequently counsel clients in connection with overall assessments and in identifying, prioritizing and addressing potential threats and vulnerabilities as well as in corporate governance issues. We also provide preparedness assistance including refining incident response plans, conducting tabletop exercises, working with a company's data custodians, helping to improve vendor and business partner agreements and oversight, and advising on the identification and engagement of forensic and other technical consultants to assist the client where appropriate.

Compliance and Enforcement

We understand each client needs a compliance approach that works for it and is also appropriate to the client's particular industry, size, and circumstances and the corporate and regulatory governance under which they operate. Our team has experience with the various compliance regimes, including those applicable to financial, health care, retail, telecommunications, energy, defense and other industries and their service providers. When needed, we use our extensive relationships and experience in responding to informational requests, regulatory inquiries and enforcement actions at the state and federal level.

In response to evolving initiatives and the needs of our clients, we have organized dedicated initiatives focused on the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, the General Data Protection Regulation of the EU (GDPR), and the California Consumer Privacy Act of 2018 (CCPA). These initiatives have involved tracking these developments, delivering targeted advice to our clients, and education to the marketplace generally through articles, seminars and webinars.

We also provide compliance-related and other advice with respect to issues arising under state information security, financial and health laws, PCI-DSS, and U.S. federal CAN-SPAM, COPPA, ECPA, FCRA, GLBA, HIPAA, HITECH and TCPA laws and regulations, among many others, related to the privacy and security of data, and the growing body of federal and industry guidances on the cybersecurity of critical infrastructure. We assist clients with addressing issues and designing compliant procedures and policies for the collection, handling and use of customer and employee data, and drafting and negotiating vendor contracts, including cloud contracts and business associate agreements under HIPAA. Our team is equipped to advise clients faced with the wide range of regulatory compliance requirements now governing so many industries, as well as assisting clients in addressing discovery issues, government subpoenas, search warrants and other governmental inquiries and requests.

Incident Response

When a cybersecurity incident or data breach is suspected, our experienced group of data breach response professionals throughout the United States and in London can handle the legal and regulatory aspects of breach investigation, analysis and response. We work closely with clients to assemble the right team of internal and external resources for a given set of circumstances. We are the go-to law firm in the incident response plans of numerous companies and we are also on the approved panels of a number of cyber insurers. We stay abreast of legal notification requirements in the U.S. on the state, federal and governmental agency levels as well as in the UK, elsewhere in the EU and countries around the world. We work closely with clients in an effort to devise the best response, taking into account both the law and our experience in similar situations. We understand and are familiar with the security and breach response requirements associated with special data types, such as personally identifiable information (PII) as defined by varying U.S. state and other laws, protected health information (PHI), payment card industry (PCI) data, and information maintained by defense contractors and others in industries with specialized industry guidelines. When appropriate, we deploy our internal investigatory experience and relationships with law enforcement and other governmental agencies. We are staffed to respond quickly, efficiently and effectively to both large, complex breaches and more limited, routine compromises of data security.

Litigation and Class Action Defense

Our Firm has a strong reputation for litigation, including lawsuits arising from data breach and other privacy related claims. We have a wealth of experience defending against class action and other lawsuits in both consumer and employee class scenarios. Our class action defense team closely follows emerging issues such as the Illinois Biometric Information Privacy Act (BIPA) and includes a dedicated TCPA team that represents a host of Fortune 500 and other companies. Our litigators are supported by talented and distinguished appellate lawyers, who work closely with trial teams to help position cases optimally. Our experience extends to data breach and other privacy related litigation matters in various jurisdictions.

In addition, we work with insurance clients on handling cyber insurance issues and claims, and with clients in a number of other industry sectors – such as defense contracting, retail, political campaigns and Internet services – to develop and implement national litigation strategies related to exposures arising from the collection, handling, use and disclosure of personal information.


Due to the prevalent use and significance of personal and other confidential and protected information, our lawyers are often called upon to provide subject matter knowledge in a variety of transactional contexts. For example, we assist M&A counsel with due diligence related to target company privacy and cybersecurity compliance and risk profile; advise on appropriate representations, warranties and indemnities concerning privacy and data security matters; draft and negotiate appropriate contractual obligations related to privacy and information security in a wide variety of vendor, supply, service and customer contracts; assist with electronic signatures and electronic payments and associated disclosures and requirements; and support clients developing emerging products and technology such as innovative video games and mobile applications as they consider myriad issues related to collection and use of data.


With offices in London and Hong Kong, and a number of lawyers practicing international law from the United States, we regularly advise companies with multinational operations on EU and other data protection laws as well as on cross-border data flows and transfers, including in cloud computing and other information services arrangements. Our GDPR Initiative referenced above is focused on the implications of the EU General Data Protection Regulation, and the specific effects on our clients. We also assist clients with internal investigations concerning potential fraud, corruption and the FCPA. Our UK lawyers provide counsel and coordination on data protection policies and regulatory compliance issues in the UK and abroad. In addition, our Firm is a member of World Law Group (WLG), a global independent law firm network with more than 18,000 lawyers worldwide, practicing in all key areas of law. WLG, one of a few “Elite” global law firm networks according to Chambers and Partners, allows us to access the expertise and resources required to meet a client’s needs almost anywhere in the world swiftly, efficiently and cost effectively.