Privacy & Cybersecurity


The explosion in information technology has driven privacy and cybersecurity issues to the forefront of legal developments affecting every business. Unprecedented levels of connectivity, and increasingly disruptive cyber attacks on government and private networks, are fueling new privacy and data security policies – at both the federal and state levels – that present challenges for any business that collects, utilizes, or distributes information about individuals, whether consumers, employees or otherwise, or has sensitive government or other proprietary or commercial information on its information systems. Pervasive media scrutiny, shifting regulatory frameworks, class action litigation, and governmental enforcement actions have made privacy and cybersecurity a major risk area for businesses. All of this has heightened the need for businesses to address this issue – not only to protect their assets and reputations, but also to ensure that government policies are properly focused and do not create more harm than good. Wiley Rein attorneys provide clients with a thorough understanding of the current and potential rules and risks that are associated with privacy, data security and cybersecurity principles, along with a broad range of compliance and strategic advice. Our attorneys offer legal solutions that harmonize client needs with policy, best practice and emerging information access restrictions across the full range of privacy and security laws.

We provide clients with a thorough understanding of the current and potential rules and risks associated with privacy and data security. Wiley Rein continually monitors current and developing domestic and international initiatives in this area and leverages our knowledge and experience to assist clients. We provide guidance to businesses ranging from Fortune 500 corporations to small startups, to ensure compliance with data security rules, prevent breaches, and respond effectively in the event that a data breach occurs. Our guidance is comprehensive – we have expertise across the full array of relevant laws and regulations, and provide advice that integrates these requirements with an effective understanding of the business implications of these rules.

The Privacy & Cybersecurity Practice is chaired by Kirk J. Nahra, who is ranked among the top tier of attorneys nationwide in Privacy and Data Security by Chambers USA, and is considered by Chambers sources to be “one of the nation’s leading experts,” and “highly knowledgeable and sensitive to both costs and delivering results on time.” In recommending the Practice, Chambers reports that sources are impressed with our “ability to foresee legal issues down the road,” give us “extremely high marks in all categories,” and “rate the group highly for its deep knowledge of the field and high levels of service.” The Practice is also named one of the best privacy consultancies by Computerworld magazine, and the attorneys are recognized in the media as national leaders in more than a dozen substantive areas.

Our Practice focuses on:

  • Monitoring developments in privacy law worldwide and advocating policy positions in the U.S. Congress and key national and international regulatory agencies.
  • Advising on compliance, risk management, and business strategy issues.
  • Adapting available options for maintaining a free flow of personal information to a company’s needs and risk exposure.
  • Developing and implementing privacy and security policies consistent with applicable law and business objectives.
  • Identifying solutions to the challenges raised by cross-border data flows.
  • Conducting compliance investigations.
  • Conducting data security evaluations.
  • Negotiating and drafting vendor contracts.
  • Assisting in litigation or enforcement efforts.
  • Advising federal government contractors on contractual and regulatory information security requirements, cyber incident reporting obligations, and information system audit best practices.

Areas of Experience

Our practice covers the three pillars of this area – privacy, data security, and cybersecurity.


Wiley Rein counsels national and international clients with regard to an ever-expanding array of privacy concerns. Our attorneys understand the legal trends, provide efficient and integrated compliance advice, develop appropriate policies and procedures, negotiate contractual protections, and are also involved in advocating and developing – at both state and federal levels – privacy regulations and public policy. Our clients on privacy issues range from large, established and highly regulated companies – such as health insurers and hospital systems – to technology start-ups and vendors facing compliance challenges based on the industry of their clients. We help build privacy compliance programs from scratch, or provide sophisticated advice to companies that need creative thinking at the outer reaches of privacy law. We pride ourselves on being knowledgeable, efficient and creative in solving the privacy needs of our clients.

Data Security

An increasing variety of data security laws are emerging across the country and across the globe. These laws and regulations (along with enforcement actions from various state and federal agencies) require companies in all industries to provide reasonable and appropriate data security practices, tailored to a complex and overlapping set of legal and business requirements. Our attorneys advise companies across the spectrum of data security laws, covering legal requirements in the healthcare, telecommunications, government contracting and financial services industries (as well as all vendors to these industries), integrate these compliance requirements with best practices across the globe, and provide advice and defend investigations related to security breaches and other data security incidents and enforcement actions. We work closely with information security professionals in developing appropriate policies and procedures, and assist company counsel and others in evaluating vendors and potential transactions.


Cybersecurity and related privacy issues have become a critical component of the overall national security debate. Governments in the United States and abroad are requiring companies to support more surveillance requests, necessitating a review of privacy, security, and confidentiality policies. As government agencies seek a wide range of personal information, companies need to know the ins and outs of what the law requires and permits. We help businesses ensure that privacy policies and confidentiality agreements reflect legal obligations and disclosure authorizations; that procedures are in place to respond to court orders within the scope of any liability protections; and that disclosures or surveillance can be accomplished without business disruptions. We also assist companies with meeting new security requirements, whether imposed by law or by industry “best practices.” We have extensive experience drafting security policies, conducting risk assessments, auditing vendor compliance, and negotiating security contract provisions.

Our attorneys have extensive experience working with Congress, as well as the Federal Communications Commission (FCC), the U.S. Department of Justice (DOJ), and other federal agencies, where the complexities of the USA PATRIOT Act, the Communications Assistance for Law Enforcement Act (CALEA), the Foreign Intelligence Surveillance Act (FISA), and other surveillance laws continue to evolve. Our attorneys have counseled clients on the applicability of the Wiretap Act, the Electronic Communications Privacy Act (ECPA), and other federal privacy statutes; counseled the world’s largest communications firms and Internet service providers concerning privacy and security challenges; and represented clients in litigation over these issues.

Key Industries

Health Care: Chambers USA consistently rates Wiley Rein’s Privacy Group in its top tier of groups with a health care specialty, noting the Team is “singled out in the market for its significant healthcare sector experience” (2015). The firm has a leading role in the representation of health insurers, health care providers, employers, and other participants in the health care system in connection with federal health care privacy rules. With one of the broadest HIPAA privacy and security practices in the country, we have been involved in representations covering all components of these rules, including compliance counseling, contract drafting and negotiation, preemption analysis, training of corporate employees, and the full range of legal, operational, and risk management challenges presented by the privacy and security rules. We also represent a wide range of entities on other aspects of HIPAA Administrative Simplification, including standard electronic transactions and compliance with health information security rules.

Communications: In conjunction with our nationally renowned Telecom, Media & Technology (TMT) Practice, our leadership in communications law and regulation has produced comprehensive counseling, transactional, administrative, and litigation expertise applicable to privacy-related issues arising among FCC-regulated entities, businesses, services, and products. Our attorneys also advise clients about foreign developments that could result in obligations affecting U.S. communications companies. Ambassador David A. Gross, co-chair of the TMT Practice, served on the U.S. delegation to the Organization for Economic Cooperation and Development (OECD) initiative to draft information-technology security guidelines.

Current issues involve the management and transfer of customer databases, the appropriate uses of position-location technology, and special statutes such as the Cable Television Consumer Protection and Competition Act governing cable subscriber information or, under CALEA, establishing technical facilities cooperation responsibilities. Among other services, we counsel clients on radiofrequency identification (RFID) technology policy that allows remote, automatic tracking of RFID-tagged products and represent clients before the FCC on RFID issues.

Government Contracts: Federal contractors are increasingly targeted by cyber attacks due to the sensitive nature of government information that is generated, received and stored on their systems. In response to these attacks, as well as high-profile attacks on government-owned information systems and insider threats, the government has adopted stringent information security protocols and cyber incident reporting obligations. Wiley Rein is active in this space, and we routinely: 

  • Counsel contractors on the evolving regulatory landscape and contractual obligations to safeguard sensitive government information.
  • Help clients identify and address information security “gaps” that need to be corrected, and work with contracting officials to negotiate forbearances.
  • Leverage our expertise in incident response to help clients navigate post-breach disclosure obligations.
  • Assist clients with ongoing federal audits and investigations into information security compliance. 
  • Respond to cure notices, suspension/debarment notices, and qui tam False Claims Act suits involving alleged information security performance challenges.
  • Develop insider threat detection and avoidance programs to manage the internal “human element” of cybersecurity and meet NISPOM standards for cleared contractors.

Insurance and Financial Services: Insurers and other financial services companies have been at the heart of the public debate on privacy and security from the beginning. These industries face ongoing compliance obligations related to the Gramm-Leach-Bliley Act. The health insurance industry is confronted with complex privacy requirements stemming from HIPAA. With the advent of e-commerce and the increasing globalization of the insurance marketplace, insurers also must master Internet privacy rules and the increasingly complex international privacy environment.

We have focused attention on all aspects of the privacy debate as it affects the insurance and financial services industries. This integrated privacy effort has allowed us to understand and analyze the broad public policy debate on privacy, and to advise our clients on the rules both as they stand today and where they likely will be moving in the future. Wiley Rein attorneys:

  • Assist numerous companies on their immediate compliance obligations under GLBA and HIPAA.
  • Advise on strategic and compliance issues arising from new regulations.
  • Provide risk management and litigation advice.
  • Advise insurers on the future of federal and state privacy legislation and regulation.

Specialty Areas

Data Security and Breaches: The firm’s comprehensive capabilities with issues relating to data security include counseling companies operating in the United States on compliance with state data breach notification laws, as well as helping companies avoid breaches in the first place, in part by helping companies’ IT departments establish policies requiring the encryption of sensitive personal information and limiting the ability of such data to travel beyond the controlled areas of the company.

In the event that a data breach does occur, our Privacy & Cybersecurity attorneys frequently partner with the firm’s White Collar Defense & Government Investigations attorneys to provide a comprehensive and effective response. We regularly conduct internal investigations, defend against criminal and civil government enforcement actions, and provide advice and litigation assistance on cybersecurity issues. 

We represent companies in all industries in responding to privacy and security complaints. Our recent experience includes a wide range of Health Insurance Portability and Accountability Act (HIPAA) complaints and investigations, defense of numerous Do-Not-Call investigations, and an extensive range of other challenges to privacy and security practices.

Enforcement Actions: An increasing number of state and federal enforcement agencies see privacy and security violations as an important part of their enforcement responsibility. We have extensive experience representing companies across a wide range of industries in government investigations related to compliance with existing laws and regulations, as well as “best practices” monitored by specific agencies. 

Litigation: Many federal and state legislative and regulatory initiatives designed to increase legal protection for the privacy of personal information make specific provisions for private rights of action, as well as enforcement by governmental authorities. Wiley Rein litigators are well-versed in the policy premises underlying these sources of litigation, as well as in the statutory and constitutional law principles that may affect their enforceability. We also are well grounded in common law and traditional statutory bases for potential privacy liability. These perspectives, when combined with our depth of experience in litigating large, complex cases, make our firm an excellent choice for privacy litigation.

Workplace: We provide employers with comprehensive counseling and litigation support on issues such as monitoring email, recording telephone or office conversations, searching employee-used equipment or personal property, drug testing, properly retaining employees’ personal information, using credit reports – and other consumer reports – in employment decisions, and monitoring employee off-duty conduct. We work with employers in managing their data needs related to employee issues, across the United States and around the world. We also provide assistance routinely in managing big data issues for employers, including understanding and managing the differing rules related to health insurance benefits, wellness programs and a broad array of other data concerning employees.

International: Companies that do business across borders – or simply handle data identifying foreign nationals – face an array of complicated, overlapping and often inconsistent international privacy regulations. Unsettled jurisdictional rules for cyberspace complicate matters further, leaving online businesses unsure about which nations’ privacy laws apply to them. In addition, governments in the United States and abroad are requiring companies to support more surveillance requests, necessitating a review of privacy, security, and confidentiality policies.

Wiley Rein attorneys have extensive experience helping multinational firms and high-tech companies develop and implement corporate and website privacy and security policies. We have helped companies identify solutions to the challenges raised by cross-border data flows. These include experience in meeting the full range of data transfer obligations involving the European Union (including the new Privacy Shield requirements), along with overall data transfer strategies around the globe. We also advise international companies on how best to bring their practices into compliance with U.S. privacy and data security law. 

The Internet of Things: The Internet of Things (IoT) creates tremendous opportunities across the private sector as well as unprecedented cybersecurity and privacy challenges. We advise clients on the rapidly evolving legal, regulatory, and business complexities presented by connecting millions of things, from refrigerators to cars to insulin pumps, to the Internet. We assist IoT device manufacturers on issues such as crafting IoT privacy policies, mitigating product liability risks, and responding to law enforcement requests for IoT data. We have the technical background to assist clients as they evaluate cybersecurity guidance for IoT devices from NIST, the FTC, and the FDA.

De-Identification and Big Data Issues: The growth in “big data” sources around the world is leading to new privacy challenges for both regulated and generally unregulated companies. We are at the forefront of the debate on big data issues, and advise companies around the world on emerging legal principles involving big data. At the same time, many companies view the idea of “de-identification” as a means of addressing privacy challenges from big data. We have developed a specialty in addressing legal issues related to de-identification, including research issues, assessment of de-identification frameworks, representation of both data suppliers and de-identification companies, and assessment of contractual and business strategies for appropriately implementing big data and de-identification principles, across industries, legal frameworks and around the world.  

Public Policy: We provide lobbying, legislative analysis, and strategic advice related to the many new privacy initiatives on Capitol Hill. Our work in Congress builds on successful efforts to preserve reasonable information access under the Gramm-Leach-Bliley Act (GLBA), and on years of experience with the committees exercising jurisdiction over the Federal Trade Commission (FTC), the Federal Communications Commission, the HHS Office for Civil Rights, and other centers of federal privacy regulation. Our Public Policy Group represents clients in dealings with key agencies including the FTC, the U.S. Department of Commerce, and others on policy matters. Through these activities, Wiley Rein has been active in the debate on critical federal privacy issues.

Freedom of Information Shielding: For years, the need to provide the government sensitive business information to secure licenses or ward off enforcement, as well as the need to provide business partners access to confidential information, has created the risk that such information could be disclosed, either voluntarily or pursuant to demands under the federal Freedom of Information Act or its state counterparts. Through focused contracting and negotiation in terms of statutes such as the Federal Trade Secrets Act and the Privacy Act, as well as through supportive reverse Freedom of Information litigation, Wiley Rein attorneys can help keep your sensitive information confidential.

Contact Us

Kirk J. Nahra
202.719.7335

Megan L. Brown
202.719.7579

Matthew J. Gardner
202.719.4108

Jon W. Burd
202.719.7172

Our People

Name | Position | Telephone
Rand L. Allen | Partner | 202.719.7329
Moshe B. Broder | Associate | 202.719.4186
Megan L. Brown | Partner | 202.719.7579
Jon W. Burd | Partner | 202.719.7172
Shawn H. Chang | Partner | 202.719.4456
Bethany A. Corbin | Staff Attorney | 202.719.4418
Nova J. Daly | Senior Public Policy Advisor | 202.719.3282
Scott D. Delacourt | Partner | 202.719.7459
Michael L. Diakiwski | Associate | 202.719.4081
Matthew J. Gardner | Partner | 202.719.4108
Ambassador David A. Gross | Partner | 202.719.7414
David E. Hilliard | Senior Counsel | 202.719.7058
John E. Howell | Partner | 202.719.7047
Peter S. Hyun * | Partner | 202.719.4499
Kevin J. Maynard | Partner | 202.719.3143
Scott M. McCaleb | Partner | 202.719.3193
Bruce L. McDonald | Senior Counsel | 202.719.7014
Ari Meltzer | Partner | 202.719.7467
Brandon J. Moss | Associate | 202.719.7554
Kirk J. Nahra | Partner | 202.719.7335
Leslie A. Platt | Partner | 202.719.3174
Dorthula H. Powell-Woodson | Partner | 202.719.7150
Duane C. Pozza | Partner | 202.719.4533
Hap Rigby | Senior Policy Advisor | 202.719.7461
Marc E. Rindner | Partner | 202.719.7486
Bennett L. Ross | Partner | 202.719.7524
Kathleen E. Scott | Associate | 202.719.7577
Peter D. Shields | Managing Partner | 202.719.3249
Jim Slattery | Strategic Counsel | 202.719.7264
Joan Stewart | Of Counsel | 202.719.7438
Scott Weaver | Senior Public Policy Advisor | 202.719.3273
David E. Weslow | Partner | 202.719.7525
Richard E. Wiley | Chairman Emeritus | 202.719.7010

*Not admitted to the District of Columbia Bar. Supervised by principals of the firm who are members of the District of Columbia Bar.

News & Insights