As Chair of Shook's Privacy and Data Security Practice, Al has gained the trust of clients challenged by data incident response, privacy litigation, and compliance with the myriad laws governing sensitive information. Al believes that client service, deep experience and proactive thinking are what separates him from other privacy and data security lawyers. These values are illustrated by the fact that Chambers USA named him a Nationwide Recognized Practitioner in Privacy and Data Security in 2017 and 2018; he was named a Cybersecurity Trailblazer by the National Law Journal in 2015; and he received the Client Choice Award from Lexology in both 2016 and 2018.
“Top-notch work should be a given from any law firm," Al says. "I believe what separates Shook’s privacy and data security team from the competition is client service. This means we listen closely to our clients’ needs, ask questions, understand their business and learn their industry. We are incredibly responsive and we apply the Golden Rule 24/7. Doing all of this helps us better monitor and proactively advise our clients on ways to address applicable legal trends. In this area of law, if you’re not preparing you’re responding, which is not the optimal place to be.”
The Wall Street Journal and Law360, among others, frequently interview him when they need insight into the legal implications of data breaches, emerging technological trends, biometric privacy, and other data security and privacy issues. Al often speaks to business professionals and teaches fellow attorneys about meeting the challenges associated with the proliferation of sensitive electronic information.
Outside his client practice, Al is Chair Emeritus of The Sedona Conference® Working Group 11: Data Security and Privacy Liability. Tasked with developing guides to help organizations minimize their privacy and data security liability risks, the working group includes leading practitioners in privacy and data security law, regulatory authorities and information security experts.
Al is a Fellow of Information Privacy, a Certified Information Privacy Technologist and a Certified Information Privacy Professional/US accredited by the International Association of Privacy Professionals. He maintains a blog, Data Security Law Journal, where he regularly posts about legal developments and trends in data security and privacy law. He serves on the International Association of Privacy Professionals’ Privacy Bar Board and is an active member of the U.S. Secret Service's Electronic Crimes Task Force. He also is a member of Law360’s Privacy & Consumer Protection Editorial Advisory Board and teaches cybersecurity law at St. Thomas University in Miami.
Data Breach Investigation and Response
For those clients seeking to proactively minimize the risks of a data incident, Al guides companies in building an incident response team and preparing an incident response plan. Based on his deep experience and the hundreds of data incidents handled, Al develops and directs tabletop exercises to ensure that organizations are prepared to respond to the inevitable attacks.
For those clients who have experienced a data incident, Al directs the forensic investigation under privilege and work product protection; advises as to legal obligations to notify affected consumers, business partners and regulators; oversees the notification of third parties; communicates with law enforcement; responds to regulatory inquiries; and represents companies in litigation and enforcement actions arising from the incident or breach.
Al’s incident response experience includes:
- a cyberattack exploiting the vulnerability of a website that allowed access to the personal information of several million individuals;
- a network intrusion affecting the payment card information of an online retailer’s consumers in every U.S. state and overseas;
- a cyberattack involving an Advanced Persistent Threat that put the intellectual property of a multinational science and technology company at risk;
- the insertion of malware into a company’s website, affecting the payment card information of more than 100,000 individuals;
- the theft of personally identifiable information from a professional services company by an employee involved in a nationwide identity-theft crime ring;
- lost mobile devices used to store protected health information by covered entities and business associates; and
- a vendor’s theft of consumer information from a national financial services company.
Al regularly represents companies in class action lawsuits arising from data breaches or alleged privacy incidents. Al and the rest of Shook’s Biometric Privacy Task Force currently represent more companies in class action lawsuits arising from alleged violations of the Illinois Biometric Information Privacy Act than almost any other firm in the country. Al has also represented companies in consumer class actions arising from data breaches involving the loss of medical records and theft of payment card information. Additionally, Al is one of a small number of practitioners with experience representing companies in proceedings challenging assessments levied by card brands against merchants based on alleged violations of the Payment Card Industry’s Data Security Standards. Al has also represented companies in B2B lawsuits where clients are bringing or defending against indemnification and other contractual liability issues relating to a data breach. Finally, Al represents companies in enforcement actions brought by state and federal regulatory authorities as a result of a data breach or alleged data privacy violations.
Al believes that, if handled correctly, the proliferation of privacy and data security laws provides an opportunity for his clients to shine, rather than an obstacle they must overcome. When clients approach Al, they are looking for advice that goes beyond the letter of the law because regulatory or judicial interpretation of many privacy laws may be scarce. Al and his team draw from their deep experience working with some of the most sophisticated companies in the world to help operationalize legal requirements that may seem like a moving target and can be quite challenging.
Al’s compliance experience includes:
- building a global biometric technology program for a multinational company in compliance with state and international biometric privacy laws;
- counseling covered entities and business associates to comply with HIPAA/HITECH, preparing risk assessments, drafting internal and consumer-facing privacy policies and notices, performing employee training, and negotiating business associate agreements;
- designing and drafting incident response plans for companies in all industries;
- helping companies comply with the General Data Protection Regulation and, more recently, the California Consumer Privacy Act;
- providing counsel on the Payment Card Industry’s Data Security Standards and negotiating merchant agreements and subcontractor agreements to ensure compliance with the standards;
- designing vendor management programs, along with the drafting and negotiation of agreements, to minimize the risks of service-provider access to sensitive information. This also encompasses the drafting and negotiation of agreements that address incident response, indemnification, notification, data ownership and the implementation and auditing of security safeguards;
- directing an information-security assessment for a Fortune 50 company to identify legal risks associated with its procedures for collecting, storing, using and disposing of sensitive information;
- training employees of covered entities, business associates and insurance companies about the proper handling of protected health information; and
- advising Fortune 100 companies about their obligations under federal data privacy laws, such as the Gramm-Leach-Bliley Act, HIPAA/HITECH, CAN-SPAM and the Fair and Accurate Credit Transactions Act. Al also regularly helps companies comply with Texas HB 300, California’s Online Privacy Protection Act and all state privacy laws and regulations.
Publications and Presentations
Model Data Breach Notification Law; WG11 Town Hall; California Consumer Privacy Act (CCPA) Penalties, The Sedona Conference Working Group 11 Annual Meeting 2019, Houston, Texas. March 1, 2019.
Minimizing Cyber Risks: What Every In-House Lawyer Needs to Know, Mid-America Chapter of the Association of Corporate Counsel (CLE), Kansas City, Missouri, December 5, 2018 (with Colman McCarthy).
Hot Topics in Data Privacy and Cybersecurity, Legal and Ethical Developments for In-House Counsel, Miami, Florida, November 30, 2018.
Privacy & Data Security Risks, Confidential Client Presentation - CLE, New York City, November 29, 2018 (with Colman McCarthy).
Navigating Lei Geral de Proteção de Dados Pessoais: Brazil’s New General Data Privacy Law, webinar (with Camila Tobón and Marina Lima Silviera de Souza), November 2018.
U.S. Privacy Law Update: Biometric Laws and CA Consumer Privacy Act of 2018, IAPP KnowledgeNet, Omaha, Nebraska, October 11, 2018.
The California Consumer Privacy Act: Our First "Federal" Privacy Law?, Privacy + Security Forum, Washington, D.C., October 4, 2018.
Beyond the California Consumer Privacy Act: "Competing" Privacy Rules and Whether Any Might Become a National Standard, Practising Law Institute, September 24, 2018.
The Legal and Ethical Risks of Privacy and Data Security Traps (Panelist), Update of the Law CLE, June 14, 2018 (with Colman McCarthy, Eric Boos, Patrick Castle, Bill Sampson and Camila Tobon).
Law Firms at Risk: The Ethical Duty to Protect Client Data in the New Breach Environment, ABA Tort Trial and Insurance Practice Section, May 2, 2018.
Domestic Privacy Profile: Florida, Bloomberg Law, January 2018.
Everything You Need to Know About Biometric Privacy Class Action Lawsuits (Speaker), 2018 Global Privacy Summit, March 28, 2018.
What’s Next for WG11? A Dialogue on Progress Made, and the Next Steps for the Working Group (Panelist), Sedona Conference Working Group on Data Security and Privacy Liability, March 20, 2018.
Al Saikali, Gary Miller, Anna Knight & Patrick Castle, Biometric Privacy: The Next Frontier of Privacy Liability, Webinar.
What A Fine Mess: Avoiding the Privacy and Cybersecurity Regulators' Crosshairs (Panelist), Minority Corporate Counsel Association's Global TEC Forum, June 20, 2017.
Court Applies Work Product Protection to Breach Investigation Reports, Privacy and Data Security Alert, May 23, 2017.
Understanding New York Cybersecurity Requirements for Financial Services Companies, Privacy and Data Security Alert, May 20, 2017.
New Privacy Training Requirement for Contractors of the Federal Government, Privacy and Data Security Alert, March 15, 2017.
The First 48 Hours: A Simulated Data Breach (Speaker), Northwestern Pritzker School of Law's 55th Annual Corporate Counsel Institute, September 29, 2016.
Preparing for and Responding to a Data Breach (Speaker), International Associate of Financial Crimes Investigators Annual Conference, August 31, 2016
Ethics and the Connected Lawyer (Speaker), 2016 Practising law institute’s 17th Annual Institute on Privacy and Data Security Law, June 7, 2016.
William Sampson, Al Saikali & Dan Schwaller, Standing in Data Breach Cases: A Changing Legal Landscape and a Few Suggestions for Counsel, In-House Defense Quarterly, Winter 2016.
What Every Financial Institution Should Know About Data Security Law (Presenter), Florida Bankers Association, August 27, 2015.
Data Breaches, Cyberattacks and High-tech Vulnerabilities Facing Cities (Presenter), Florida Municipal Attorneys Association, July 10, 2015.
Data Security Compendium (Speaker), The Sedona Conference, June 24, 2015.
Protecting Your Company When a Data Breach Hits (Speaker), Shook, Hardy & Bacon Annual Update of the Law, June 16, 2015.
The Cybersecure Practice of Law: Legal Ethics and the Use of Information (Speaker), Practising Law Institute’s 16th Annual Institute on Privacy and Data Security Law, June 8, 2015.
Data Privacy: Update and Mock Breach (Speaker), Colorado Litigation Roundtable, June 5, 2015.
Mock Breach: Table-Top Crisis Response (Moderator), NetDiligence Cyber Risk & Privacy Liability Forum, June 2, 2015.
2015 Securities Compliance Seminar: Cybersecurity Issues Affecting Broker Dealers and Investment Advisors (Panelist), Financial Markets Association, April 23, 2015.
2015 Cyber Fraud Summit: RAM Scraping & Data Exfiltration / Legal Aspects of Data Compromises (Speaker), International Association of Financial Crimes Investigators, April 8, 2015.
The Second Annual South Florida Privacy and Data Security Law Summit (Founder, Co-Chair & Speaker), University of Miami, March 31, 2015.
10th National Advance Forum on Cyber & Data Risk Insurance (Speaker), American Conference Institute, March 23, 2015.
Privacy and Cybersecurity Law: How International Financial Institutions Can Minimize Their Legal Risks (Presenter), Florida International Bankers Association, February 24, 2015.
Data Privacy Legal Risks for Financial Institutions (Presenter), Florida Bankers Association, February 11, 2015.
Emerging Data Security and Privacy Legal Issues Affecting The Energy Industry (Speaker), SHB Energy Law Series, December 12, 2014.
Data Breach Litigation: Theories of Damages (Speaker), The Sedona Conference “All Voices” Meeting, November 7, 2014.
Crisis Communications: PR Pros are From Venus and Lawyers are From Mars (Speaker), Retail Law Conference, October 15, 2014.
Anatomy of a Data Breach From the Attorney General Perspective (Moderator), NetDiligence Cyber Risk & Privacy Liability Forum, October 9, 2014.
Around the Privacy World in 60 Minutes (Speaker), Altria Client Services – ALCS Law Department, October 2, 2014.
Emerging Data Privacy Issues: What Corporate Counsel Needs To Know (Speaker), Association of Corporate Counsel America (ACCA), September 18, 2014.
Data Security Legal Risks for Financial Institutions (Speaker), Financial Institution Security Association (FISA), September 17, 2014.
Risks and Emerging Issues in Privacy and Data Security (Speaker), NAPABA Southeast Regional Conference, August 15, 2014.
Agribusiness Data Privacy Legal Issues: The Landscape, Emerging Issues and Risk Management (Speaker), Agricultural Business Council of Kansas City's Big Data: Challenges & Opportunities in Agriculture Forum, July 17, 2014; follow-up interview with This Week in Agribusiness, August 16, 2014.
Ethics in Data Security and Privacy (Speaker), Practising Law Institute's 15th Annual Institute on Privacy and Data Security Law, June 16, 2014.
South Florida Privacy and Data Security Summit (Founder, Co-Chair, & Speaker), University of Miami, June 4, 2014.
Data Breach and Privacy (Speaker), National Association of Attorneys General, May 19, 2014.
Data Privacy Traps for the Unwary Company: Permissible Use of Consumer Information (Speaker), Association of Corporate Counsel (DELVACCA) Chapter, May 1, 2014.
What Every In House Lawyer Should Know About Data Privacy, Class Actions, and Attorney-Client Privilege (Speaker), Daily Business Review’s Corporate Counsel Summit, April 25, 2014.
Technology Flashpoints: TAR, Data Protection, and Dispute Resolution, (Speaker), ABA Annual Conference - ADR Section, April 3, 2014.
Healthcare Finance Management Association Cybersecurity Panel (Speaker), HFMA South Regional & Technology Forum Education Session, March 31, 2014.
Healthcare Data Protection Products, Risk Assessment, Training and Auditing: Factoring in HIPAA, HHS, HITECH, OCR Enforcement, the Omnibus Rule, Business Associates and More (Speaker), ACI's 8th National Advanced Forum on Cyber & Data Risk Insurance, March 24, 2014.
Breach Notification Under the HIPAA Omnibus Final Rule (Speaker/Moderator), International Association of Privacy Professionals’ Global Summit, March 7, 2014.
The Risks of Collecting and Storing Sensitive Information (Speaker), Corporate Counsel Institute, March 5, 2014.
Alfred J. Saikali, Data Breaches Draw Congressional Scrutiny, Daily Business Review, January 29, 2014.
Litigation Update: The Latest in Data Breach Litigation and Mega Privacy Actions, Including TCPA and Texting Cases (Speaker), ACI's Privacy & Security of Consumer And Employee Information, January 17, 2014.
Anticipating and Preparing for Protracted Litigation in the Aftermath of a Data Breach (Moderator), Global Law Forum Cybersecurity Law & Policy In-House Summit, January 15, 2014.
Telling The Company Story: Devising and Implementing a Tailored Data Breach Response Plan to Proactively Prepare for an Attack and Subsequent Actions (Speaker), Global Law Forum Cybersecurity Law & Policy In-House Summit, January 14, 2014.
Alfred J. Saikali, What's the Next Wave of Privacy Litigation? "Failure to Match", Data Security Alert, November 21, 2013.
Private Civil Data Breach Litigation (Speaker/Moderator), The Inaugural Sedona Conference on Cyber Liability, October 24, 2013.
Data Protection and Security for Lawyers and Law Firms (Speaker), The Inaugural Sedona Conference on Cyber Liability, October 24, 2013.
Cyber Liability Issues in Health Care, Pharma, and Biotech, (Speaker/Facilitator), The Inaugural Sedona Conference on Cyber Liability, October 25, 2013.
Confronting the Wild West of Litigation Abuse (Data Privacy, Patent Trolls, and Private Enforcement of State Causes of Action), (Speaker), Retail Law Conference, October 17, 2013.
Data Privacy and Security Law: An Overview for the IT Professional (Panel Member), International Legal Technology Association, August 22, 2013.
Data Breach and Privacy Litigation: The Recent Successes and Failures of Common Defenses and Claims (Speaker), Bloomberg BNA, August 20, 2013.
Preparing for the Inevitable: What Every Company Should Know About Minimizing Data Breaches (Moderator and Speaker), Annual Meeting of the American Bar Association, August 11, 2013.
Alfred J. Saikali (co-author), Chapter 3: Data Security and Lawyers’ Legal and Ethical Obligation to Clients, in The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2013).
Data Privacy Issues Affecting the Health Care Industry (Moderator), International Association of Privacy Professionals South Florida KnowledgeNet, July 25, 2013.
Florida Legal Ethics in Privacy and Security (Featured Speaker), Dade County Defense Bar Association, June 26, 2013.
Ethics in Data Security and Privacy (Featured Speaker), Practising Law Institute’s 14th Annual Institute on Privacy and Data Security Law, June 18, 2013.
Dissecting a Data Breach Claim (Panel Member), NetDiligence 2013 Cyber Risk & Privacy Liability Forum, June 6, 2013.
Creating a Data Breach Response Plan (Moderator), Consortium on Litigation, Information Law, and E-Discovery, May 1, 2013.
Emerging Data Security and Privacy Risks in 2013 (Panel Member), South Florida Chapter of the International Association of Privacy Professionals, April 19, 2013.
Alfred J. Saikali & Rebecca Schwartz, Supreme Court Confirms Stringent Article III Standing Requirement for Privacy Cases, Data Security Alert, March 6, 2013.
Alfred J. Saikali & Thérèse Miller, The White House Executive Order on Cybersecurity, Data Security Alert, February 13, 2013.
Security Response and Breach Notification, 2012 Masters Conference, Washington, D.C., October 2012.
Critical Conversations: Emerging Trends in Law and Accounting (Panel Member), South Florida Business Journal, September 20, 2012.
Data Security and Computer Fraud in the Cloud (Moderator), Florida International Bankers Association, September 20, 2012.
Alfred J. Saikali, Private Lawsuits Arising from Data Breaches - The Eleventh Circuit Weighs In, Data Security Alert, September 13, 2012.
Marni M. Otjen, Thérèse P. Miller & Alfred J. Saikali, New Texas Law Imposes Requirements On Companies That Maintain Protected Health Information, Data Privacy Alert, August 28, 2012.
Alfred J. Saikali, Google's $22.5 Million FTC Fine: Why Should Cos. Care?, Law360, August 20, 2012.
Alfred J. Saikali, Why You May Have Suffered a Data Breach and Not Even Know It, Data Security Alert, August 3, 2012.
Alfred J. Saikali, Can a Company be Liable for its Employee Installing File-Sharing Software?, Data Security Alert, June 14, 2012.
Alfred J. Saikali, Data Security Questions Companies Should Consider, Data Security Alert, May 15, 2012.
Anatomy of a Data Breach: Developments in Data Security and Cloud Computing Laws (Program Chair and Presenter), ABA Section of Litigation Annual Conference, Washington, D.C., April 2012.
Alfred J. Saikali, Data Security Law Journal.
Alfred J. Saikali, Data Stored in Cloud Not Guaranteed to Remain Private, (Special Report: The Risks of Cloud Computing), Daily Business Review, October 11, 2011.
Al Saikali Pioneers Privacy and Data Security Practice, Daily Business Review, December 10, 2018.
Google Exposed User Data, Feared Repercussions of Disclosing to Public, The Wall Street Journal, October 8, 2018.
7th Circ. Opens Up Path For Cos. To Ditch Data Breach Suits, Law360, April 18, 2018.
Fingerprint-Scanning Time Clocks Spark Privacy Lawsuits, The Wall Street Journal, January 11, 2018.
Cybersecurity & Privacy Predictions For 2018; and Cybersecurity & Privacy Cases To Watch In 2018, Law360, January 1, 2018.
Ill. Biometric Privacy Suits Must Claim Actual Harm, Court Says, Law360, December 22, 2017.
Mich. Bill To Shield Cybersecurity Plans From FOIA Advances, Law360, October 26, 2017.
Best Practices for Reducing Cybersecurity Risks, South Florida Legal Guide, October 16, 2017.
SEC Takes Walk in Businesses' Shoes With Database Hack, Law360, September 22, 2017.