Andrew Epstein

Experience

Privacy and Cybersecurity Strategic Counseling

• Developed and implemented strategies, programs, policies and procedures to comply with domestic (federal and state) and foreign data protection laws/regulations such as the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), EU General Data Protection Regulation (EU GDPR), UK General Data Protection Regulation (UK GDPR), Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA) and others.
• Developed data privacy compliance program for an InsurTech company, including drafting and implementing privacy notices/terms of use; drafting and implementing CX changes to address regulatory, contractual and industry-compliance requirements; implementing and leading data mapping exercise; driving privacy-by-design/default into product/service offerings; implementing and leading data privacy/security trainings across cross-functional teams; automating processes for responding to data subject requests; and advising senior leadership and executives on privacy/cybersecurity business risks.
• Advised clinical stage life science companies on the collection, cross-border transfer (including under the EU-US Privacy Shield and Swiss-US Privacy Shield) and other processing of clinical trial data, including engagement with vendors (such as CROs and clinical trial sites) and joint partners.
• Advised a PropTech company on establishing a consumer reporting agency subject to the FCRA.
• Advised FinTech and InsurTech businesses on compliance with state (including NYDFS regulations) and federal (including GLBA) privacy and cybersecurity obligations.
• Advised digital health companies on the processing of sensitive health information including through mobile applications.
• Counseled a global software provider on the development and implementation of a ransomware response strategy.
• Advised a non-profit organization on the development and implementation of digital contact tracing solutions to address the spread of COVID-19.
• Counseled an enterprise-solutions provider on implementing biometric identification for call recordings and using data for machine learning purposes.

Technology Transactions

• Negotiated privacy, cybersecurity and commercial terms in vendor agreements and conducted vendor diligence.
• Negotiated data privacy/security and commercial terms in over 100 partnership, service provider and data provider agreements; conducted diligence into counterparties’ data privacy/security practices.
• Negotiated privacy and cybersecurity terms for a biotechnology company’s worldwide strategic collaboration with another biotechnology company to develop and commercialize a portfolio of cell therapeutics.

Incident Response

• Responded to foreign, national and state regulators’ inquiries into privacy/cybersecurity practices.
• Directed organizations’ legal response to, and forensic investigations of, data security incidents (including ransomware, supply-chain and social-engineering attacks).
• Advised an InsurTech company on responding to a security incident that impacted more than 13,000 consumers which resulted in notifications to consumers, regulators and others.
• Advised a business software company on a data incident that affected more than 600,000 global users.
• Advised a food products manufacturer/distributor on a data breach that affected individuals in more than 20 countries.
• Advised a traditional financial institution on a data incident that affected more than 450,000 U.S. consumers.
• Advised more than 10 law firms on responding to data security incidents.

Transactions

• Led privacy/cybersecurity diligence in M&A/VC/PE/IPO transactions; drafted and negotiated representations and disclosures.
• Advised Paidy on its sale to PayPal Holdings.
• Advised Hyper Labs, Inc. on its Series E financing.
• Advised Ethos Technologies, Inc. on its Series D and Series D-1 financings.
• Advised BowX Acquisition Corp. (a SPAC) on its agreement to merge with WeWork.
• Advised an underwriter in Avidity Biosciences, Inc.’s IPO.
• Advised Broadcom Inc. in its acquisition of the enterprise business unit of Symantec Corp.

Investigations

• Responded to foreign, national and state regulators' inquiries into privacy/cybersecurity practices.
• Represented an InsurTech company in a NYDFS investigation into the company’s response to a data security incident and corresponding cybersecurity controls. Matter closed without enforcement action.
• Represented a health plan in response to an OCR investigation into the entity’s privacy and cybersecurity practices. Matter closed without enforcement action.
• Represented, in coordination with local counsel, a food products manufacturer/distributor in a foreign data protection authority’s investigation into the company’s response to a data security incident and corresponding data protection practices. Matter closed without enforcement action.
• Represented, in coordination with local counsel, a business software company in several foreign data protection authorities’ investigations into the company’s response to a data security incident and corresponding data protection practices. Matters closed without enforcement action.

Memberships

• International Association of Privacy Professionals
• Washington Bar Association

Community

• Northwestern University Alumni Association
• University of Chicago Alumni Association