With a network of lawyers in 16 integrated offices on four continents, Cleary Gottlieb regularly advises global clients in diverse industries on the privacy, data protection, data transactions, and cybersecurity challenges impacting their businesses.

Because enforcement actions and breaches often involve data in multiple jurisdictions, clients rely on Cleary’s cross-border capability for both regulatory and enforcement matters, particularly our ability to combine U.S. experience with strong European capabilities.

Our lawyers advise clients not only on legal obligations and liabilities, but also on anticipated changes in laws and enforcement practices, strategies for managing compliance and risks, and ways to minimize the costs and efforts of compliance.

Our privacy and cybersecurity task force, composed of lawyers from practice areas across the globe (including anti-corruption, banking and financial institutions, commercial litigation, compliance and integrity, corporate governance, intellectual property, and white-collar defense and investigations), works collaboratively across disciplines and jurisdictions to advise domestic and multinational clients. The team includes former senior DOJ officials with direct experience prosecuting cybersecurity matters.

Clients rely on Cleary for state-of-the-art advice on a variety of matters, including:

  • Assessment and management of data privacy and cybersecurity risks and liabilities in corporate and financial transactions, including due diligence in M&A transactions, data transfers in cross-border acquisitions, and restructuring.
  • Compliance with data protection laws and regulations in multiple jurisdictions, including the California Consumer Privacy Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, the CAN-SPAM Act, the EU General Data Protection Regulation, and the Office of Foreign Asset Controls, The Bank Secrecy Act, the revised Payment Services Directive, and anti-money laundering and related requirements.
  • Board fiduciary duties, required disclosures, and related corporate governance issues.
  • Preparing for and responding to cybersecurity incidents, including advice under various data breach notification laws and liaising with law enforcement and regulatory bodies.
  • Assistance with internal investigations and in responding to government requests for information and subpoenas.
  • Assessment and drafting of IT and privacy policies, codes of conduct, whistleblower policies, binding corporate rules, and international data transfer agreements.
  • Privacy and cybersecurity provisions in vendor contracts, including cloud-computing and outsourcing agreements.
  • Advice on usage of data in marketing, including opt-out and opt-in mechanisms in relation to placement of cookies and consents.
  • Anticipating the needs of UK-based companies and companies doing business in the UK in regard to possible data-protection implications of Brexit.