Andrew Epstein

He | Him | His

Counsel

Seattle
T +1.206.566.7093
F +1.206.624.7317

Overview

As a strategic thought partner to businesses, non-profits and other organizations, Andrew Epstein provides risk-based options and operationalizes solutions to clients' privacy and cybersecurity compliance obligations, designed to optimize clients' ability to leverage a key asset: data. Andrew's wide breadth of experience includes counseling clients on cutting-edge privacy/cybersecurity practices; negotiating privacy/cybersecurity provisions in technology-transaction agreements; providing proactive and reactive security incident guidance; leading privacy/cybersecurity efforts in M&A/VC/PE/IPO transactions; and responding to foreign, federal and state regulatory investigations into clients' privacy/cybersecurity practices.

Andrew advises a broad range of F500 to emerging company clients across industries including SaaS, FinTech, InsurTech, EdTech, life sciences, healthcare and others. He holistically advises clients on the development and implementation of data-driven products and services to comply with regulatory frameworks such as the EU/UK GDPR, CCPA, VCDPA, CPA, CMIA, GLBA, FCRA, TCPA, HIPAA, COPPA and CAN-SPAM as well as their contractual and industry obligations. Clients turn to Andrew for guidance navigating issues ranging from business model to granular product design questions. Further, Andrew’s employment law experience allows him to creatively solve unique issues posed by employee privacy concerns.

Andrew brings practical, operational experience from both in-house and private practice to the changing foreign, national and local privacy/cybersecurity landscape: he served as the privacy and cybersecurity senior corporate counsel at an InsurTech startup and as an associate in a global AmLaw100 firm's privacy and cybersecurity practice.

Experience

Privacy and Cybersecurity Strategic Counseling

  • Developed and implemented strategies, programs, policies and procedures to comply with domestic (federal and state) and foreign data protection laws/regulations such as the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), EU General Data Protection Regulation (EU GDPR), UK General Data Protection Regulation (UK GDPR), Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA) and others.
  • Developed data privacy compliance program for an InsurTech company, including drafting and implementing privacy notices/terms of use; drafting and implementing CX changes to address regulatory, contractual and industry-compliance requirements; implementing and leading data mapping exercise; driving privacy-by-design/default into product/service offerings; implementing and leading data privacy/security trainings across cross-functional teams; automating processes for responding to data subject requests; and advising senior leadership and executives on privacy/cybersecurity business risks.
  • Advised clinical stage life science companies on the collection, cross-border transfer (including under the EU-US Privacy Shield and Swiss-US Privacy Shield) and other processing of clinical trial data, including engagement with vendors (such as CROs and clinical trial sites) and joint partners.
  • Advised a PropTech company on establishing a consumer reporting agency subject to the FCRA.
  • Advised FinTech and InsurTech businesses on compliance with state (including NYDFS regulations) and federal (including GLBA) privacy and cybersecurity obligations.
  • Advised digital health companies on the processing of sensitive health information including through mobile applications.
  • Counseled a global software provider on the development and implementation of a ransomware response strategy.
  • Advised a non-profit organization on the development and implementation of digital contact tracing solutions to address the spread of COVID-19.
  • Counseled an enterprise-solutions provider on implementing biometric identification for call recordings and using data for machine learning purposes.

Technology Transactions

  • Negotiated privacy, cybersecurity and commercial terms in vendor agreements and conducted vendor diligence.
  • Negotiated data privacy/security and commercial terms in over 100 partnership, service provider and data provider agreements; conducted diligence into counterparties’ data privacy/security practices.
  • Negotiated privacy and cybersecurity terms for a biotechnology company’s worldwide strategic collaboration with another biotechnology company to develop and commercialize a portfolio of cell therapeutics.

Incident Response

  • Responded to foreign, national and state regulators’ inquiries into privacy/cybersecurity practices.
  • Directed organizations’ legal response to, and forensic investigations of, data security incidents (including ransomware, supply-chain and social-engineering attacks).
  • Advised an InsurTech company on responding to a security incident that impacted more than 13,000 consumers which resulted in notifications to consumers, regulators and others.
  • Advised a business software company on a data incident that affected more than 600,000 global users.
  • Advised a food products manufacturer/distributor on a data breach that affected individuals in more than 20 countries.
  • Advised a traditional financial institution on a data incident that affected more than 450,000 U.S. consumers.
  • Advised more than 10 law firms on responding to data security incidents.

Transactions

  • Led privacy/cybersecurity diligence in M&A/VC/PE/IPO transactions; drafted and negotiated representations and disclosures.
  • Advised Paidy on its sale to PayPal Holdings.
  • Advised Hyper Labs, Inc. on its Series E financing.
  • Advised Ethos Technologies, Inc. on its Series D and Series D-1 financings.
  • Advised BowX Acquisition Corp. (a SPAC) on its agreement to merge with WeWork.
  • Advised an underwriter in Avidity Biosciences, Inc.’s IPO.
  • Advised Broadcom Inc. in its acquisition of the enterprise business unit of Symantec Corp.

Investigations

  • Represented an InsurTech company in a NYDFS investigation into the company’s response to a data security incident and corresponding cybersecurity controls. Matter closed without enforcement action.
  • Represented a health plan in response to an OCR investigation into the entity’s privacy and cybersecurity practices. Matter closed without enforcement action.
  • Represented, in coordination with local counsel, a food products manufacturer/distributor in a foreign data protection authority’s investigation into the company’s response to a data security incident and corresponding data protection practices. Matter closed without enforcement action.
  • Represented, in coordination with local counsel, a business software company in several foreign data protection authorities’ investigations into the company’s response to a data security incident and corresponding data protection practices. Matters closed without enforcement action.

Recognitions and Memberships

Recognitions

  • International Association of Privacy Professionals: CIPP/US

Memberships

  • International Association of Privacy Professionals
  • Washington Bar Association

Community

  • Northwestern University Alumni Association
  • University of Chicago Alumni Association

Prior Positions

  • Ethos Technologies, Inc.: Senior Corporate Counsel - Privacy, Cybersecurity and Employment (2022)
  • The Honorable Raymond P. Moore, U.S. District Court for the District of Colorado (2014 to 2016)

Admissions

  • Colorado
  • Washington

Education

  • J.D., University of Chicago Law School
  • B.A., Northwestern University