Data Privacy


Protecting personal privacy is a global imperative. Protecting personal privacy also creates challenges and opportunities for businesses, large and small, and domestic and multinational. Our team traces its roots to our former colleague, Professor Alan F. Westin, at Columbia University, whose 22 books from 1966 to 1996 laid the foundation for modern information privacy. Our Data Privacy practice provides in-depth and comprehensive privacy legal services, including compliance counseling; regulatory representation; litigation; international; data breach and cyber; and congressional representation. Our attorneys not only help our clients anticipate and comply with legal requirements, but we also help our clients who use personal information to mitigate risk and maximize opportunity.

Our Data Privacy practice comprises attorneys with extensive experience and expertise in privacy law. We represent background check companies, consumer reporting agencies, credit bureaus, financial institutions, healthcare providers, insurers, trade associations, and entities that collect, maintain, use, or sell sensitive personal information. Our team represents clients in consumer regulatory proceedings, legislative campaigns, and compliance initiatives involving the Fair Credit Reporting Act, Title V of the Gramm-Leach-Bliley Act, Drivers Privacy Protection Act, and other consumer privacy statutes. They have special expertise and experience in helping clients analyze and manage potential data breach situations.

We’ve consulted on privacy issues to both government and professional organizations, including the U.S. Office of Technology Assessment, National Telecommunications and Information Administration, Social Security Administration, Department of Defense, and National Science Foundation. In addition, the team has advised private sector clients on business-privacy policies in credit reporting, direct marketing, telecommunications, medical and health, online services, and employment.

We also have extensive experience in international privacy developments throughout the European Union (EU) and the Asia-Pacific Economic Cooperation (APEC).

Additional Specialties

  • Whether your organization is proactively developing a data breach response plan or responding to a breach that already has occurred, we can help. To assist organizations in responding to or preparing for data breaches, large and small, we have established a team to assist that cuts across several of the firm’s practice groups. Members of the team have extensive experience with the many aspects of responding to a data breach, ranging from the assessment of whether a breach occurred, to initial consumer and regulatory notifications, to post-breach activities such as responding to regulatory inquiries or bringing or defending litigation.
  • Our team is comprised of attorneys with extensive experience and expertise in international privacy law. Our attorneys represent multinational companies handling personal information that are seeking counsel on compliance with the broad variety of international privacy requirements in different countries. We have extensive experience in international privacy developments. In addition to advising clients on current international requirements, our team remains current on international privacy developments, such as proposed legislation, and is able to advise clients on such developments on an ongoing basis.
  • We provide the full spectrum of representation and counseling for compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain secure environments. We have significant experience advising clients on development of proactive programs and policies to ensure compliance with PCI-DSS, and representing clients in connection with PCI-DSS audits and breach investigations by payment card brands and acquirers as well as the U.S. Federal Trade Commission. We also have represented clients in litigation involving liability assessments by payment networks against merchants for PCI data breach losses, including what is believed to be the first such case to address a merchant’s challenge that such assessments constitute unenforceable “penalties” under applicable law.
  • Our team is comprised of regulatory, privacy, litigation, and corporate attorneys who have deep and broad experience with government entities and their regulatory schemes in a multitude of regulated industries. We are actively involved throughout the process of the Consumer Financial Protection Bureau's (CFPB) creation and early implementation. We advocated on clients’ behalf during the development and eventual passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and our team of attorneys remains actively engaged with CFPB staff on the implementation of the Dodd-Frank Act’s requirements. We have special expertise with CFPB’s regulatory authority over non-bank financial institutions, such as consumer reporting agencies, participants in the debt industry, non-bank lenders, and background check companies.


  • Lead counsel successfully representing a preeminent worldwide financial services and private wealth firm in defeating defamation and invasion of privacy claims brought by a departed executive advisor.
  • Worked with a major retailer regarding its data breach, particularly with regard to Congressional investigations and hearings.
  • Works with the National Retail Federation, National Association of Chain Drug Stores, and other retail trade associations to support important data security and data breach policies.
  • Successfully represented a nationwide radiology company in two lawsuits brought in Georgia involving departing physician shareholder groups who then competed against our clients. These lawsuits involved extensive breach of contract, breach of fiduciary duty, and competition issues, and both were resolved on very favorable terms to our clients.
  • Advised a publicly traded corporation regarding the potential jurisdiction of the Consumer Financial Protection Bureau over the operations of multiple subsidiaries. Work included assessments of whether subsidiaries were “covered persons,” whether subsidiaries may be considered to be “larger participants” subject to CFPB supervision, and authority the CFPB may exercise over the company and its subsidiaries under consumer protection statutes for which full or partial authority was transferred to the CFPB.
  • Advised an e-commerce client regarding enrollment in the Department of Commerce Safe Harbor Program for the transfer of personal information from the European Union to the United States.  Advice included assisting the client in developing safe harbor-compliant consumer and human resources privacy policies, development of internal implementing policies and controls, and completion of required filings with the Department of Commerce.
  • Conducted a privacy risk assessment for a client with multiple e-commerce properties. The privacy assessment examined the client’s online and offline privacy practices and marketing practices as well as internal privacy controls in areas such as human resources, with compliance and best practice recommendations to the client in each area, when appropriate.
  • Advised a client regarding developing an online privacy policy and related content for a website designed for consumers from several European Union member states. In addition to advising the client regarding the content of the online privacy policy, we also advised the client regarding obtaining the consent of individuals providing information through the site for the transfer of health information to the United States.
  • Advised a client regarding the drafting of website privacy policies.
  • Successfully represented a consumer reporting agency before the Federal Trade Commission in a nonpublic FTC inquiry into compliance with the Fair Credit Reporting Act. Following document productions, responses to interrogatories, and meetings with the FTC staff, the inquiry was closed without further action by the FTC.
  • Advised a client in connection with the development of a consolidated online privacy policy to govern more than 80 company websites. Work included assisting the client in developing a survey tool to assess website privacy practices, reconciling the survey results, making best practice recommendations regarding changes in website practices, and developing a consolidated online privacy policy.
  • Advised a consumer electronics retailer regarding consumer data breach notification obligations and other steps to respond to a data breach. In addition to advising the client regarding consumer, regulatory, and other notifications, advice also addressed matters pertaining to the investigation of the breach, cooperation with law enforcement, and enhancing internal controls to minimize the potential for additional breaches.
  • Advised a client regarding the development of a HIPAA/HI-TECH Act compliance program covering its potential obligations as a business associate of HIPAA-covered entities. Assisted the client in the conduct of a gap analysis to identify areas where further action may be necessary depending upon proposed changes to the HIPAA privacy, security, and breach notification regulations.
  • Represented a large consumer information company in one of the nation’s first high-profile data breaches. In addition to representing the client before the Federal Trade Commission, we advised the client on consumer breach notification issues, congressional testimony, and enhancements to the client’s internal controls.
  • Provided counsel and strategic advice to the background screening industry on employment and tenant screening issues before the U.S. Congress and multiple federal agencies.

    Compliance News Flash Newsletter

    AGG provides a quick overview of current news briefs relevant to background screening, immigration, and data privacy for the benefit and interest of our clients as well as employers and consumer reporting agencies generally.