As chair of Shook's Privacy and Data Security Practice, Al has gained the trust of clients challenged by data incident response, privacy litigation, and compliance with the myriad laws governing sensitive information. Al believes that client service, deep experience and proactive thinking are what separates him from other privacy and data security lawyers. These values are illustrated by the fact that Chambers USA ranked him as a national leader in privacy and data security law for the last four years in a row. He has been named a Cybersecurity Trailblazer by the National Law Journal and has received the Client Choice Award from Lexology. Under Al’s leadership, Legal 500 has named Shook a Top Cyber Law Firm the last two years in a row.
“Top-notch work should be a given from any law firm," Al says. "I believe what separates Shook’s privacy and data security team from the competition is client service. This means we listen closely to our clients’ needs, ask questions, understand their business and learn their industry. We are incredibly responsive and we apply the Golden Rule 24/7. Doing all of this helps us better monitor and proactively advise our clients on ways to address applicable legal trends. In this area of law, if you’re not preparing you’re responding, which is not the optimal place to be.”
The Wall Street Journal and Law360, among others, frequently interview him when they need insight into the legal implications of data breaches, emerging technological trends, biometric privacy, and other data security and privacy issues. Al often speaks to business professionals and teaches fellow attorneys about meeting the challenges associated with the proliferation of sensitive electronic information.
Outside his client practice, Al is Chair Emeritus of The Sedona Conference® Working Group 11: Data Security and Privacy Liability. Tasked with developing guides to help organizations minimize their privacy and data security liability risks, the working group includes leading practitioners in privacy and data security law, regulatory authorities and information security experts.
Al is a Fellow of Information Privacy, a Certified Information Privacy Technologist, a Certified Information Privacy Professional/US and a Certified Information Privacy Professional/Europe, accredited by the International Association of Privacy Professionals. He maintains a blog, Data Security Law Journal, where he regularly posts about legal developments and trends in data security and privacy law. He was a founding member of the IAPP’s Privacy Bar Section Board and is an active member of the U.S. Secret Service's Electronic Crimes Task Force.
Incident Preparation and Response
For clients experiencing a data incident, Al directs the forensic investigation under privilege and work product protection; advises as to legal obligations to notify affected consumers, business partners and regulators; oversees the notification of third parties; communicates with law enforcement; prepares communications about the incident; responds to regulatory inquiries; and represents companies in litigation and enforcement actions arising from the incident or breach.
Al’s incident response experience includes:
- a cyberattack exploiting the vulnerability of a website that allowed access to the personal information of several million individuals;
- a network intrusion affecting the payment card information of an online retailer’s consumers in every U.S. state and overseas;
- a cyberattack involving an Advanced Persistent Threat that put the intellectual property of a multinational science and technology company at risk;
- the insertion of malware into a company’s website, affecting the payment card information of more than 100,000 individuals;
- the theft of personally identifiable information from a professional services company by an employee involved in a nationwide identity-theft crime ring;
- lost mobile devices used to store protected health information by covered entities and business associates; and
- a vendor’s theft of consumer information from a national financial services company.
Al regularly represents companies in class action lawsuits arising from data breaches and alleged privacy incidents. Al and the rest of Shook’s Biometric Privacy Task Force currently represent more companies in class action lawsuits arising from alleged violations of the Illinois Biometric Information Privacy Act (BIPA) than almost any other firm in the country. Al has defended and brought claims against companies in relation to data breaches—defending companies in consumer class actions and bringing claims against third parties to recover losses clients experienced from data breaches. Al has successfully challenged PCI assessments levied by card brands against merchants. He also represents companies in enforcement actions brought by state and federal regulatory authorities.
Al’s litigation experience includes:
- Representing major health care systems in class action lawsuits arising from ransomware attacks, the loss of medical records, and other data breaches;
- Defending national retailers in lawsuits relating to the Illinois Biometric Information Privacy Act;
- Counseling financial services companies in lawsuits relating to the use of consumer data for new business operations;
- Prosecuting claims against a vendor whose vulnerability led to a data breach that resulted in losses to our client; and
- Representing a national manufacturing company and retailer in multi-district litigation arising from a payment card data breach.
Al believes that the proliferation of privacy and data security laws provides companies an opportunity to shine. Clients need advice that adds value beyond a recitation of the letter of the law. Al and his team draw from their deep experience working with some of the most sophisticated companies in the world to help operationalize legal requirements that may seem like a moving target and can be quite challenging.
Al’s compliance experience includes:
- building a global biometric technology program for a multinational company in compliance with state and international biometric privacy laws;
- counseling covered entities and business associates to comply with HIPAA/HITECH, preparing risk assessments, drafting internal and consumer-facing privacy policies and notices, performing employee training, and negotiating business associate agreements;
- designing and drafting incident response plans for companies in all industries;
- helping companies comply with the General Data Protection Regulation (GDPR) and the patchwork of state privacy laws including, more recently, the California Consumer Privacy Act, the NY SHIELD Act and the NY Department of Financial Services’ Cybersecurity Requirements;
- providing counsel on the Payment Card Industry’s Data Security Standards and negotiating merchant agreements and subcontractor agreements to ensure compliance with the standards;
- designing vendor management programs, along with the drafting and negotiation of agreements, to minimize the risks of service-provider access to sensitive information. This also encompasses the drafting and negotiation of agreements that address incident response, indemnification, notification, data ownership and the implementation and auditing of security safeguards;
- directing an information-security assessment for a Fortune 50 company to identify legal risks associated with its procedures for collecting, storing, using and disposing of sensitive information;
- training employees of covered entities, business associates and insurance companies about the proper handling of protected health information; and
- advising Fortune 100 companies about their obligations under federal data privacy laws, such as the Gramm-Leach-Bliley Act, HIPAA/HITECH, CAN-SPAM, and Section 5 of the FTC Act.
Publications and Presentations
Breaking It Down and Breaking It Out: Minimizing the Legal Risks of Emerging Trends in Privacy and Cybersecurity, ACC Annual Conference, October 14, 2020 (with Melissa Siebert and Colman McCarthy).
Working From Home? Practice Good Digital Hygiene, The Florida Bar News, April 2, 2020.
Florida's Proposed Privacy Legislation: An In-Depth Analysis for Corporate Counsel, White Paper (with Kate Paine), February 2020.
Subject Access Requests and Identity Verification: Navigating a Data Controller's Catch-22, Worldwide Financier, September 2019 (with Kate Paine).
Hot Topics in Privacy and Data Security Law: What Every In House Lawyer Should Know, ACC In House Counsel Forum, Denver, Colorado, April 4, 2019 (with Erin Hines, Dan Rohner and James Theiss).
Model Data Breach Notification Law; WG11 Town Hall; California Consumer Privacy Act (CCPA) Penalties, The Sedona Conference Working Group 11 Annual Meeting 2019, Houston, Texas. March 1, 2019.
Minimizing Cyber Risks: What Every In-House Lawyer Needs to Know, Mid-America Chapter of the Association of Corporate Counsel (CLE), Kansas City, Missouri, December 5, 2018 (with Colman McCarthy).
Hot Topics in Data Privacy and Cybersecurity, Legal and Ethical Developments for In-House Counsel, Miami, Florida, November 30, 2018.
Privacy & Data Security Risks, Confidential Client Presentation - CLE, New York City, November 29, 2018 (with Colman McCarthy).
Navigating Lei Geral de Proteção de Dados Pessoais: Brazil’s New General Data Privacy Law, webinar (with Camila Tobón and Marina Lima Silviera de Souza), November 2018.
U.S. Privacy Law Update: Biometric Laws and CA Consumer Privacy Act of 2018, IAPP KnowledgeNet, Omaha, Nebraska, October 11, 2018.
The California Consumer Privacy Act: Our First "Federal" Privacy Law?, Privacy + Security Forum, Washington, D.C., October 4, 2018.
Beyond the California Consumer Privacy Act: "Competing" Privacy Rules and Whether Any Might Become a National Standard, Practising Law Institute, September 24, 2018.
The Legal and Ethical Risks of Privacy and Data Security Traps (Panelist), Update of the Law CLE, June 14, 2018 (with Colman McCarthy, Eric Boos, Patrick Castle, Bill Sampson and Camila Tobon).
Law Firms at Risk: The Ethical Duty to Protect Client Data in the New Breach Environment, ABA Tort Trial and Insurance Practice Section, May 2, 2018.
Domestic Privacy Profile: Florida, Bloomberg Law, January 2018.
Everything You Need to Know About Biometric Privacy Class Action Lawsuits (Speaker), 2018 Global Privacy Summit, March 28, 2018.
What’s Next for WG11? A Dialogue on Progress Made, and the Next Steps for the Working Group (Panelist), Sedona Conference Working Group on Data Security and Privacy Liability, March 20, 2018.
Al Saikali, Gary Miller, Anna Knight & Patrick Castle, Biometric Privacy: The Next Frontier of Privacy Liability, Webinar.
What A Fine Mess: Avoiding the Privacy and Cybersecurity Regulators' Crosshairs (Panelist), Minority Corporate Counsel Association's Global TEC Forum, June 20, 2017.
Court Applies Work Product Protection to Breach Investigation Reports, Privacy and Data Security Alert, May 23, 2017.
Understanding New York Cybersecurity Requirements for Financial Services Companies, Privacy and Data Security Alert, May 20, 2017.
New Privacy Training Requirement for Contractors of the Federal Government, Privacy and Data Security Alert, March 15, 2017.
The First 48 Hours: A Simulated Data Breach (Speaker), Northwestern Pritzker School of Law's 55th Annual Corporate Counsel Institute, September 29, 2016.
Preparing for and Responding to a Data Breach (Speaker), International Associate of Financial Crimes Investigators Annual Conference, August 31, 2016
Ethics and the Connected Lawyer (Speaker), 2016 Practising law institute’s 17th Annual Institute on Privacy and Data Security Law, June 7, 2016.
William Sampson, Al Saikali & Dan Schwaller, Standing in Data Breach Cases: A Changing Legal Landscape and a Few Suggestions for Counsel, In-House Defense Quarterly, Winter 2016.
What Every Financial Institution Should Know About Data Security Law (Presenter), Florida Bankers Association, August 27, 2015.
Data Breaches, Cyberattacks and High-tech Vulnerabilities Facing Cities (Presenter), Florida Municipal Attorneys Association, July 10, 2015.
Data Security Compendium (Speaker), The Sedona Conference, June 24, 2015.
Protecting Your Company When a Data Breach Hits (Speaker), Shook, Hardy & Bacon Annual Update of the Law, June 16, 2015.
The Cybersecure Practice of Law: Legal Ethics and the Use of Information (Speaker), Practising Law Institute’s 16th Annual Institute on Privacy and Data Security Law, June 8, 2015.
Data Privacy: Update and Mock Breach (Speaker), Colorado Litigation Roundtable, June 5, 2015.
Mock Breach: Table-Top Crisis Response (Moderator), NetDiligence Cyber Risk & Privacy Liability Forum, June 2, 2015.
2015 Securities Compliance Seminar: Cybersecurity Issues Affecting Broker Dealers and Investment Advisors (Panelist), Financial Markets Association, April 23, 2015.
2015 Cyber Fraud Summit: RAM Scraping & Data Exfiltration / Legal Aspects of Data Compromises (Speaker), International Association of Financial Crimes Investigators, April 8, 2015.
The Second Annual South Florida Privacy and Data Security Law Summit (Founder, Co-Chair & Speaker), University of Miami, March 31, 2015.
10th National Advance Forum on Cyber & Data Risk Insurance (Speaker), American Conference Institute, March 23, 2015.
Privacy and Cybersecurity Law: How International Financial Institutions Can Minimize Their Legal Risks (Presenter), Florida International Bankers Association, February 24, 2015.
Data Privacy Legal Risks for Financial Institutions (Presenter), Florida Bankers Association, February 11, 2015.
Emerging Data Security and Privacy Legal Issues Affecting The Energy Industry (Speaker), SHB Energy Law Series, December 12, 2014.
Data Breach Litigation: Theories of Damages (Speaker), The Sedona Conference “All Voices” Meeting, November 7, 2014.
Crisis Communications: PR Pros are From Venus and Lawyers are From Mars (Speaker), Retail Law Conference, October 15, 2014.
Anatomy of a Data Breach From the Attorney General Perspective (Moderator), NetDiligence Cyber Risk & Privacy Liability Forum, October 9, 2014.
Around the Privacy World in 60 Minutes (Speaker), Altria Client Services – ALCS Law Department, October 2, 2014.
Emerging Data Privacy Issues: What Corporate Counsel Needs To Know (Speaker), Association of Corporate Counsel America (ACCA), September 18, 2014.
Data Security Legal Risks for Financial Institutions (Speaker), Financial Institution Security Association (FISA), September 17, 2014.
Risks and Emerging Issues in Privacy and Data Security (Speaker), NAPABA Southeast Regional Conference, August 15, 2014.
Agribusiness Data Privacy Legal Issues: The Landscape, Emerging Issues and Risk Management (Speaker), Agricultural Business Council of Kansas City's Big Data: Challenges & Opportunities in Agriculture Forum, July 17, 2014; follow-up interview with This Week in Agribusiness, August 16, 2014.
Ethics in Data Security and Privacy (Speaker), Practising Law Institute's 15th Annual Institute on Privacy and Data Security Law, June 16, 2014.
South Florida Privacy and Data Security Summit (Founder, Co-Chair, & Speaker), University of Miami, June 4, 2014.
Data Breach and Privacy (Speaker), National Association of Attorneys General, May 19, 2014.
Data Privacy Traps for the Unwary Company: Permissible Use of Consumer Information (Speaker), Association of Corporate Counsel (DELVACCA) Chapter, May 1, 2014.
What Every In House Lawyer Should Know About Data Privacy, Class Actions, and Attorney-Client Privilege (Speaker), Daily Business Review’s Corporate Counsel Summit, April 25, 2014.
Technology Flashpoints: TAR, Data Protection, and Dispute Resolution, (Speaker), ABA Annual Conference - ADR Section, April 3, 2014.
Healthcare Finance Management Association Cybersecurity Panel (Speaker), HFMA South Regional & Technology Forum Education Session, March 31, 2014.
Healthcare Data Protection Products, Risk Assessment, Training and Auditing: Factoring in HIPAA, HHS, HITECH, OCR Enforcement, the Omnibus Rule, Business Associates and More (Speaker), ACI's 8th National Advanced Forum on Cyber & Data Risk Insurance, March 24, 2014.
Breach Notification Under the HIPAA Omnibus Final Rule (Speaker/Moderator), International Association of Privacy Professionals’ Global Summit, March 7, 2014.
The Risks of Collecting and Storing Sensitive Information (Speaker), Corporate Counsel Institute, March 5, 2014.
Alfred J. Saikali, Data Breaches Draw Congressional Scrutiny, Daily Business Review, January 29, 2014.
Litigation Update: The Latest in Data Breach Litigation and Mega Privacy Actions, Including TCPA and Texting Cases (Speaker), ACI's Privacy & Security of Consumer And Employee Information, January 17, 2014.
Anticipating and Preparing for Protracted Litigation in the Aftermath of a Data Breach (Moderator), Global Law Forum Cybersecurity Law & Policy In-House Summit, January 15, 2014.
Telling The Company Story: Devising and Implementing a Tailored Data Breach Response Plan to Proactively Prepare for an Attack and Subsequent Actions (Speaker), Global Law Forum Cybersecurity Law & Policy In-House Summit, January 14, 2014.
Alfred J. Saikali, What's the Next Wave of Privacy Litigation? "Failure to Match", Data Security Alert, November 21, 2013.
Private Civil Data Breach Litigation (Speaker/Moderator), The Inaugural Sedona Conference on Cyber Liability, October 24, 2013.
Data Protection and Security for Lawyers and Law Firms (Speaker), The Inaugural Sedona Conference on Cyber Liability, October 24, 2013.
Cyber Liability Issues in Health Care, Pharma, and Biotech, (Speaker/Facilitator), The Inaugural Sedona Conference on Cyber Liability, October 25, 2013.
Confronting the Wild West of Litigation Abuse (Data Privacy, Patent Trolls, and Private Enforcement of State Causes of Action), (Speaker), Retail Law Conference, October 17, 2013.
Data Privacy and Security Law: An Overview for the IT Professional (Panel Member), International Legal Technology Association, August 22, 2013.
Data Breach and Privacy Litigation: The Recent Successes and Failures of Common Defenses and Claims (Speaker), Bloomberg BNA, August 20, 2013.
Preparing for the Inevitable: What Every Company Should Know About Minimizing Data Breaches (Moderator and Speaker), Annual Meeting of the American Bar Association, August 11, 2013.
Alfred J. Saikali (co-author), Chapter 3: Data Security and Lawyers’ Legal and Ethical Obligation to Clients, in The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2013).
Data Privacy Issues Affecting the Health Care Industry (Moderator), International Association of Privacy Professionals South Florida KnowledgeNet, July 25, 2013.
Florida Legal Ethics in Privacy and Security (Featured Speaker), Dade County Defense Bar Association, June 26, 2013.
Ethics in Data Security and Privacy (Featured Speaker), Practising Law Institute’s 14th Annual Institute on Privacy and Data Security Law, June 18, 2013.
Dissecting a Data Breach Claim (Panel Member), NetDiligence 2013 Cyber Risk & Privacy Liability Forum, June 6, 2013.
Creating a Data Breach Response Plan (Moderator), Consortium on Litigation, Information Law, and E-Discovery, May 1, 2013.
Emerging Data Security and Privacy Risks in 2013 (Panel Member), South Florida Chapter of the International Association of Privacy Professionals, April 19, 2013.
Alfred J. Saikali & Rebecca Schwartz, Supreme Court Confirms Stringent Article III Standing Requirement for Privacy Cases, Data Security Alert, March 6, 2013.
Alfred J. Saikali & Thérèse Miller, The White House Executive Order on Cybersecurity, Data Security Alert, February 13, 2013.
Security Response and Breach Notification, 2012 Masters Conference, Washington, D.C., October 2012.
Critical Conversations: Emerging Trends in Law and Accounting (Panel Member), South Florida Business Journal, September 20, 2012.
Data Security and Computer Fraud in the Cloud (Moderator), Florida International Bankers Association, September 20, 2012.
Alfred J. Saikali, Private Lawsuits Arising from Data Breaches - The Eleventh Circuit Weighs In, Data Security Alert, September 13, 2012.
Marni M. Otjen, Thérèse P. Miller & Alfred J. Saikali, New Texas Law Imposes Requirements On Companies That Maintain Protected Health Information, Data Privacy Alert, August 28, 2012.
Alfred J. Saikali, Google's $22.5 Million FTC Fine: Why Should Cos. Care?, Law360, August 20, 2012.
Alfred J. Saikali, Why You May Have Suffered a Data Breach and Not Even Know It, Data Security Alert, August 3, 2012.
Alfred J. Saikali, Can a Company be Liable for its Employee Installing File-Sharing Software?, Data Security Alert, June 14, 2012.
Alfred J. Saikali, Data Security Questions Companies Should Consider, Data Security Alert, May 15, 2012.
Anatomy of a Data Breach: Developments in Data Security and Cloud Computing Laws (Program Chair and Presenter), ABA Section of Litigation Annual Conference, Washington, D.C., April 2012.
Alfred J. Saikali, Data Security Law Journal.
Alfred J. Saikali, Data Stored in Cloud Not Guaranteed to Remain Private, (Special Report: The Risks of Cloud Computing), Daily Business Review, October 11, 2011.
Washed Up: These Miami Lawyers Just Helped Whirlpool Defeat a Multimillion-Dollar Privacy Class Action, Daily Business Review, July 7, 2021.
Ransomware Attack Affecting Likely Thousands of Targets Drags On, The Wall Street Journal, July 4, 2021.
Whittled Florida Privacy Bill Moves Forward, International Association of Privacy Professionals (IAPP) Tracker, April 6, 2021.
Next State Up: Top Contenders for 3rd U.S. Data Privacy Law, Law360, March 9, 2021.
Cyberattacks Cost Hospitals Millions During Covid-19, Wall Street Journal, February 26, 2021.
U.S. Advisory Meant to Clarify Ransomware Payments Only Spotlights Widespread Uncertainty, Cyberscoop, October 13, 2020.
Treasury Warns Against Keeping Ransomware Payments Quiet, The Wall Street Journal, October 1, 2020.
Florida's Auditor General Puts Focus on Student Data Protection, NPR and Associated Press, September 10, 2019.
Workers Push Back as Companies Gather Fingerprints and Retina Scans, The Wall Street Journal, March 27, 2019.
Florida Lawmakers Considering Biometric Privacy Bill, Copying Illinois Law Which Has Spawned Hundreds of Class Actions, Florida Record, March 26, 2019.
Al Saikali Pioneers Privacy and Data Security Practice, Daily Business Review, December 10, 2018.
Google Exposed User Data, Feared Repercussions of Disclosing to Public, The Wall Street Journal, October 8, 2018.
7th Circ. Opens Up Path For Cos. To Ditch Data Breach Suits, Law360, April 18, 2018.
Fingerprint-Scanning Time Clocks Spark Privacy Lawsuits, The Wall Street Journal, January 11, 2018.
Cybersecurity & Privacy Predictions For 2018; and Cybersecurity & Privacy Cases To Watch In 2018, Law360, January 1, 2018.
Ill. Biometric Privacy Suits Must Claim Actual Harm, Court Says, Law360, December 22, 2017.
Mich. Bill To Shield Cybersecurity Plans From FOIA Advances, Law360, October 26, 2017.
Best Practices for Reducing Cybersecurity Risks, South Florida Legal Guide, October 16, 2017.
SEC Takes Walk in Businesses' Shoes With Database Hack, Law360, September 22, 2017.