Kevin L. Coy
Partner
Suite 350S
Biography
Kevin is a partner and co-chair of the Privacy & Cybersecurity practice. He is also a member of the Background Screening, Emerging Technologies, Life Sciences, and Payments Systems & Fintech industry teams. Kevin has an established reputation for advising organizations as they consider domestic and international privacy law and policy matters. As security is critical to a successful business environment, Kevin counsels organizations about protecting personal information (including criminal history and other public record details, credit and financial data, health information, and employee data). Kevin’s legal advice also addresses online privacy issues, privacy issues related to artificial intelligence and other emerging technologies, developing privacy notices and statements, implementing privacy compliance programs, negotiating data protection agreements, and conducting privacy due diligence for corporate transactions. When data security and breach notification issues arise, he guides clients through their responses to data security incidents.
Kevin also advises on matters related to the Fair Credit Reporting Act (“FCRA”) and other consumer reporting and background screening issues, the Gramm-Leach-Bliley Act (“GLBA”), and Section 5 of the FTC Act, as well as data privacy, data security, and data breach issues. He assists clients through HIPAA’s privacy, security, and data breach regulations and helps them navigate related matters before the Department of Health and Human Services Office of Civil Rights. He advises companies on other U.S. privacy and data security laws and regulations, including but not limited to the Driver’s Privacy Protection Act, the Telephone Consumer Protection Act, and state privacy laws, such as the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the growing list of other similar state laws, as well as state biometric and artificial intelligence laws.
Also knowledgeable in international matters, Kevin manages transborder data flow issues and matters with the European Union General Data Protection Regulation (“GDPR”) and other foreign privacy laws and regulations. Kevin also advises clients on international data transfer issues and strategies, including the use of standard contractual clauses and participation in the EU/U.S. Data Privacy Framework and related UK and Swiss programs.
Experience
- Advised national hospice provider regarding compliance with breach reporting and notice requirements and indemnification rights where a potential breach was caused by an IT vendor business associate.
- Advised a national hospitalist firm on federal and state breach notification obligations arising from a potential breach experienced by a subcontractor that may have exposed protected health information over the internet.
- Conducted a privacy risk assessment for a client with multiple e-commerce properties. The privacy assessment examined the client’s online and offline privacy practices and marketing practices, as well as internal privacy controls, in areas such as human resources, with compliance and best practice recommendations to the client in each area, when appropriate.
- Advised a publicly traded corporation regarding the potential jurisdiction of the Consumer Financial Protection Bureau over the operations of multiple subsidiaries. Work included assessments of whether subsidiaries were “covered persons,” whether subsidiaries may be considered to be “larger participants” subject to CFPB supervision, and authority the CFPB may exercise over the company and its subsidiaries under consumer protection statutes for which full or partial authority was transferred to the CFPB.
- Advised clients regarding enrollment in the Department of Commerce EU/U.S. and Swiss/U.S. Privacy Shield Programs for the transfer of personal information from the European Union to the United States. Advice included assisting the client in developing Privacy Shield-compliant privacy policies, development of internal implementing policies and controls, and completion of required filings with the Department of Commerce.
- Advised a client in connection with the development of a consolidated online privacy policy to govern more than 80 company websites. Work included assisting the client in developing a survey tool to assess website privacy practices, reconciling the survey results, making best practice recommendations regarding changes in website practices, and developing a consolidated online privacy policy.
- Successfully represented a consumer reporting agency before the Federal Trade Commission in a nonpublic FTC inquiry into compliance with the Fair Credit Reporting Act. Following document productions, responses to interrogatories, and meetings with the FTC staff, the inquiry was closed without further action by the FTC.
- Advised a consumer electronics retailer regarding consumer data breach notification obligations and other steps to respond to a data breach. In addition to advising the client regarding consumer, regulatory, and other notifications, advice also addressed matters pertaining to the investigation of the breach, cooperation with law enforcement, and enhancing internal controls to minimize the potential for additional breaches.
- Advised a client regarding the development of a HIPAA/HITECH Act compliance program covering its potential obligations as a business associate of HIPAA-covered entities. Assisted the client in conducting a gap analysis to identify areas where further action may be necessary depending upon proposed changes to the HIPAA privacy, security, and breach notification regulations.
- Represented a large consumer information company in one of the nation’s first high-profile data breaches. In addition to representing the client before the Federal Trade Commission, we also advised the client on consumer breach notification issues, congressional testimony, and enhancements to the client’s internal controls.
Credentials
- Georgetown University Law Center, Juris Doctor
- Georgetown University, Bachelor of Arts, cum laude
- District of Columbia – 1998
- State of Texas – 1997
- International Association of Privacy Professionals
- CIPP/US, CIPP/E, CIPM, FIP, PLS
- National Association of Professional Background Screeners
- Co-Chair, Educational Resources Committee (2016-18)
- International Association of Privacy Professionals
News & Insights
- Events: Jackie Cooney and Kevin Coy to Speak on Effective Use of AI in Public Housing at HDLI 2024 Fall Conference | September 27, 2024 | Speaking Engagements | Orlando, Florida
- Events: AGG to Sponsor the D.C. LGBTQ+ Bar Association’s September 2024 Happy Hour | September 19, 2024 | Conferences | Washington, District of Columbia
- Events: AGG Attorneys Spoke at 2024 PBSA Annual Conference | September 8-10 | Speaking Engagements | Conferences