As Chair of Shook's Privacy and Data Security Practice, Al has gained the trust of clients challenged by data breach response, crisis management, and compliance with laws governing the collection, storage, use and disposal of sensitive information. Al represents companies in class action lawsuits arising from data breaches and other data privacy issues. Chambers USA named him a Nationwide Recognized Practitioner in Privacy and Data Security in 2017 and 2018; he was named a Cybersecurity Trailblazer by the National Law Journal in 2015; and he received the Client Choice Award from Lexology in both 2016 and 2018. In addition, he is one of only a handful of global practitioners who has been designated a Privacy Law Specialist by the International Association of Privacy Professionals (IAPP).
Data Breach Investigation and Response
For those clients who suspect a data breach, Al designs and leads the breach response; directs the data forensic investigation; advises as to legal obligations to notify affected consumers, business partners, and regulators; oversees the notification of third parties; communicates with law enforcement; responds to regulatory inquiries; and provides representation in litigation and enforcement actions arising from the breach.
Al’s data breach response experience includes:
- a network intrusion affecting the payment card information of an online retailer’s consumers in every U.S. state and overseas;
- a cyber-attack involving an Advanced Persistent Threat that put the intellectual property of a multinational science and technology company at risk;
- the insertion of malware into a company’s website, affecting the payment card information of more than 100,000 individuals;
- the theft of personally identifiable information from a professional services company by an employee involved in a nationwide identity-theft crime ring;
- lost mobile devices used to store protected health information by covered entities and business associates;
- a vendor’s theft of consumer information from a national financial services company; and
- representing an entity in class action litigation arising from a data breach.
In addition to leading breach response efforts for his clients, Al helps companies proactively minimize the risk of a breach and comply with state, federal and international privacy laws.
Al’s compliance experience includes:
- advising companies on their legal obligations regarding permissible use, sharing, storage and disposal of customer information;
- counseling covered entities and business associates to comply with HIPAA/HITECH, preparation of risk assessments, drafting internal and consumer-facing privacy policies and notices, performing employee training and negotiating business associate agreements;
- designing and drafting incident response plans for financial institutions and multinational science and technology companies;
- helping companies comply with the U.S.-EU Safe Harbor Framework for cross-border transfers of information;
- providing counsel on the Payment Card Industry’s Data Security Standards and negotiating merchant agreements and subcontractor agreements to maximize compliance with the standards;
- designing vendor management programs, along with the drafting and negotiation of agreements, to minimize the risks of service-provider access to sensitive information. This also encompasses the drafting and negotiation of agreements that address incident response, indemnification, notification, data ownership and the implementation and auditing of security safeguards;
- directing an information-security assessment for a Fortune 50 company to identify legal risks associated with its procedures for collecting, storing, using and disposing of sensitive information;
- training employees of covered entities, business associates and insurance companies about the proper handling of protected health information; and
- advising Fortune 100 companies about their obligations under federal data privacy laws, such as the Gramm-Leach-Bliley Act, HIPAA/HITECH, CAN-SPAM and the Fair and Accurate Credit Transactions Act. Al also regularly helps companies comply with Texas HB 300, California’s Online Privacy Protection Act and all state privacy laws and regulations.
Al chairs The Sedona Conference®´s newly-formed Working Group 11: Data Security and Privacy Liability. Tasked with developing guides to help organizations minimize their privacy and data security liability risks, the working group includes leading practitioners in privacy and data security law, in-house counsel, judges, regulatory authorities, and data forensic experts.
Al is a Certified Information Privacy Professional accredited by the International Association of Privacy Professionals, and he maintains a blog (Data Security Law Journal) where he regularly posts about legal developments and trends in data security and data privacy law.
Al serves on the International Association of Privacy Professionals’ Education Advisory Board and co-chairs the association's local chapter, South Florida KnowledgeNet. Al is also an active member of the U.S. Secret Service's Electronic Crimes Task Force. He is frequently invited to speak to business professionals about meeting the challenges associated with the proliferation of sensitive electronic information, and in 2013, he was selected to join Law360’s Privacy & Consumer Protection Editorial Advisory Board. Al also teaches cybersecurity law at St. Thomas University in Miami.
Publications and Presentations
U.S. Privacy Law Update: Biometric Laws and CA Consumer Privacy Act of 2018, IAPP KnowledgeNet, Omaha, Nebraska, October 11, 2018.
The California Consumer Privacy Act: Our First "Federal" Privacy Law?, Privacy + Security Forum, Washington, D.C., October 4, 2018.
Beyond the California Consumer Privacy Act: "Competing" Privacy Rules and Whether Any Might Become a National Standard, Practising Law Institute, September 24, 2018.
The Legal and Ethical Risks of Privacy and Data Security Traps (Panelist), Update of the Law CLE, June 14, 2018 (with Colman McCarthy, Eric Boos, Patrick Castle, Bill Sampson and Camila Tobon).
Law Firms at Risk: The Ethical Duty to Protect Client Data in the New Breach Environment, ABA Tort Trial and Insurance Practice Section, May 2, 2018.
Domestic Privacy Profile: Florida, Bloomberg Law, January 2018.
Everything You Need to Know About Biometric Privacy Class Action Lawsuits (Speaker), 2018 Global Privacy Summit, March 28, 2018.
What’s Next for WG11? A Dialogue on Progress Made, and the Next Steps for the Working Group (Panelist), Sedona Conference Working Group on Data Security and Privacy Liability, March 20, 2018.
Al Saikali, Gary Miller, Anna Knight & Patrick Castle, Biometric Privacy: The Next Frontier of Privacy Liability, Webinar.
What A Fine Mess: Avoiding the Privacy and Cybersecurity Regulators' Crosshairs (Panelist), Minority Corporate Counsel Association's Global TEC Forum, June 20, 2017.
Court Applies Work Product Protection to Breach Investigation Reports, Privacy and Data Security Alert, May 23, 2017.
Understanding New York Cybersecurity Requirements for Financial Services Companies, Privacy and Data Security Alert, May 20, 2017.
New Privacy Training Requirement for Contractors of the Federal Government, Privacy and Data Security Alert, March 15, 2017.
The First 48 Hours: A Simulated Data Breach (Speaker), Northwestern Pritzker School of Law's 55th Annual Corporate Counsel Institute, September 29, 2016.
Preparing for and Responding to a Data Breach (Speaker), International Associate of Financial Crimes Investigators Annual Conference, August 31, 2016
Ethics and the Connected Lawyer (Speaker), 2016 Practising law institute’s 17th Annual Institute on Privacy and Data Security Law, June 7, 2016.
William Sampson, Al Saikali & Dan Schwaller, Standing in Data Breach Cases: A Changing Legal Landscape and a Few Suggestions for Counsel, In-House Defense Quarterly, Winter 2016.
What Every Financial Institution Should Know About Data Security Law (Presenter), Florida Bankers Association, August 27, 2015.
Data Breaches, Cyberattacks and High-tech Vulnerabilities Facing Cities (Presenter), Florida Municipal Attorneys Association, July 10, 2015.
Data Security Compendium (Speaker), The Sedona Conference, June 24, 2015.
Protecting Your Company When a Data Breach Hits (Speaker), Shook, Hardy & Bacon Annual Update of the Law, June 16, 2015.
The Cybersecure Practice of Law: Legal Ethics and the Use of Information (Speaker), Practising Law Institute’s 16th Annual Institute on Privacy and Data Security Law, June 8, 2015.
Data Privacy: Update and Mock Breach (Speaker), Colorado Litigation Roundtable, June 5, 2015.
Mock Breach: Table-Top Crisis Response (Moderator), NetDiligence Cyber Risk & Privacy Liability Forum, June 2, 2015.
2015 Securities Compliance Seminar: Cybersecurity Issues Affecting Broker Dealers and Investment Advisors (Panelist), Financial Markets Association, April 23, 2015.
2015 Cyber Fraud Summit: RAM Scraping & Data Exfiltration / Legal Aspects of Data Compromises (Speaker), International Association of Financial Crimes Investigators, April 8, 2015.
The Second Annual South Florida Privacy and Data Security Law Summit (Founder, Co-Chair & Speaker), University of Miami, March 31, 2015.
10th National Advance Forum on Cyber & Data Risk Insurance (Speaker), American Conference Institute, March 23, 2015.
Privacy and Cybersecurity Law: How International Financial Institutions Can Minimize Their Legal Risks (Presenter), Florida International Bankers Association, February 24, 2015.
Data Privacy Legal Risks for Financial Institutions (Presenter), Florida Bankers Association, February 11, 2015.
Emerging Data Security and Privacy Legal Issues Affecting The Energy Industry (Speaker), SHB Energy Law Series, December 12, 2014.
Data Breach Litigation: Theories of Damages (Speaker), The Sedona Conference “All Voices” Meeting, November 7, 2014.
Crisis Communications: PR Pros are From Venus and Lawyers are From Mars (Speaker), Retail Law Conference, October 15, 2014.
Anatomy of a Data Breach From the Attorney General Perspective (Moderator), NetDiligence Cyber Risk & Privacy Liability Forum, October 9, 2014.
Around the Privacy World in 60 Minutes (Speaker), Altria Client Services – ALCS Law Department, October 2, 2014.
Emerging Data Privacy Issues: What Corporate Counsel Needs To Know (Speaker), Association of Corporate Counsel America (ACCA), September 18, 2014.
Data Security Legal Risks for Financial Institutions (Speaker), Financial Institution Security Association (FISA), September 17, 2014.
Risks and Emerging Issues in Privacy and Data Security (Speaker), NAPABA Southeast Regional Conference, August 15, 2014.
Agribusiness Data Privacy Legal Issues: The Landscape, Emerging Issues and Risk Management (Speaker), Agricultural Business Council of Kansas City's Big Data: Challenges & Opportunities in Agriculture Forum, July 17, 2014; follow-up interview with This Week in Agribusiness, August 16, 2014.
Ethics in Data Security and Privacy (Speaker), Practising Law Institute's 15th Annual Institute on Privacy and Data Security Law, June 16, 2014.
South Florida Privacy and Data Security Summit (Founder, Co-Chair, & Speaker), University of Miami, June 4, 2014.
Data Breach and Privacy (Speaker), National Association of Attorneys General, May 19, 2014.
Data Privacy Traps for the Unwary Company: Permissible Use of Consumer Information (Speaker), Association of Corporate Counsel (DELVACCA) Chapter, May 1, 2014.
What Every In House Lawyer Should Know About Data Privacy, Class Actions, and Attorney-Client Privilege (Speaker), Daily Business Review’s Corporate Counsel Summit, April 25, 2014.
Technology Flashpoints: TAR, Data Protection, and Dispute Resolution, (Speaker), ABA Annual Conference - ADR Section, April 3, 2014.
Healthcare Finance Management Association Cybersecurity Panel (Speaker), HFMA South Regional & Technology Forum Education Session, March 31, 2014.
Healthcare Data Protection Products, Risk Assessment, Training and Auditing: Factoring in HIPAA, HHS, HITECH, OCR Enforcement, the Omnibus Rule, Business Associates and More (Speaker), ACI's 8th National Advanced Forum on Cyber & Data Risk Insurance, March 24, 2014.
Breach Notification Under the HIPAA Omnibus Final Rule (Speaker/Moderator), International Association of Privacy Professionals’ Global Summit, March 7, 2014.
The Risks of Collecting and Storing Sensitive Information (Speaker), Corporate Counsel Institute, March 5, 2014.
Alfred J. Saikali, Data Breaches Draw Congressional Scrutiny, Daily Business Review, January 29, 2014.
Litigation Update: The Latest in Data Breach Litigation and Mega Privacy Actions, Including TCPA and Texting Cases (Speaker), ACI's Privacy & Security of Consumer And Employee Information, January 17, 2014.
Anticipating and Preparing for Protracted Litigation in the Aftermath of a Data Breach (Moderator), Global Law Forum Cybersecurity Law & Policy In-House Summit, January 15, 2014.
Telling The Company Story: Devising and Implementing a Tailored Data Breach Response Plan to Proactively Prepare for an Attack and Subsequent Actions (Speaker), Global Law Forum Cybersecurity Law & Policy In-House Summit, January 14, 2014.
Alfred J. Saikali, What's the Next Wave of Privacy Litigation? "Failure to Match", Data Security Alert, November 21, 2013.
Private Civil Data Breach Litigation (Speaker/Moderator), The Inaugural Sedona Conference on Cyber Liability, October 24, 2013.
Data Protection and Security for Lawyers and Law Firms (Speaker), The Inaugural Sedona Conference on Cyber Liability, October 24, 2013.
Cyber Liability Issues in Health Care, Pharma, and Biotech, (Speaker/Facilitator), The Inaugural Sedona Conference on Cyber Liability, October 25, 2013.
Confronting the Wild West of Litigation Abuse (Data Privacy, Patent Trolls, and Private Enforcement of State Causes of Action), (Speaker), Retail Law Conference, October 17, 2013.
Data Privacy and Security Law: An Overview for the IT Professional (Panel Member), International Legal Technology Association, August 22, 2013.
Data Breach and Privacy Litigation: The Recent Successes and Failures of Common Defenses and Claims (Speaker), Bloomberg BNA, August 20, 2013.
Preparing for the Inevitable: What Every Company Should Know About Minimizing Data Breaches (Moderator and Speaker), Annual Meeting of the American Bar Association, August 11, 2013.
Alfred J. Saikali (co-author), Chapter 3: Data Security and Lawyers’ Legal and Ethical Obligation to Clients, in The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2013).
Data Privacy Issues Affecting the Health Care Industry (Moderator), International Association of Privacy Professionals South Florida KnowledgeNet, July 25, 2013.
Florida Legal Ethics in Privacy and Security (Featured Speaker), Dade County Defense Bar Association, June 26, 2013.
Ethics in Data Security and Privacy (Featured Speaker), Practising Law Institute’s 14th Annual Institute on Privacy and Data Security Law, June 18, 2013.
Dissecting a Data Breach Claim (Panel Member), NetDiligence 2013 Cyber Risk & Privacy Liability Forum, June 6, 2013.
Creating a Data Breach Response Plan (Moderator), Consortium on Litigation, Information Law, and E-Discovery, May 1, 2013.
Emerging Data Security and Privacy Risks in 2013 (Panel Member), South Florida Chapter of the International Association of Privacy Professionals, April 19, 2013.
Alfred J. Saikali & Rebecca Schwartz, Supreme Court Confirms Stringent Article III Standing Requirement for Privacy Cases, Data Security Alert, March 6, 2013.
Alfred J. Saikali & Thérèse Miller, The White House Executive Order on Cybersecurity, Data Security Alert, February 13, 2013.
Security Response and Breach Notification, 2012 Masters Conference, Washington, D.C., October 2012.
Critical Conversations: Emerging Trends in Law and Accounting (Panel Member), South Florida Business Journal, September 20, 2012.
Data Security and Computer Fraud in the Cloud (Moderator), Florida International Bankers Association, September 20, 2012.
Alfred J. Saikali, Private Lawsuits Arising from Data Breaches - The Eleventh Circuit Weighs In, Data Security Alert, September 13, 2012.
Marni M. Otjen, Thérèse P. Miller & Alfred J. Saikali, New Texas Law Imposes Requirements On Companies That Maintain Protected Health Information, Data Privacy Alert, August 28, 2012.
Alfred J. Saikali, Google's $22.5 Million FTC Fine: Why Should Cos. Care?, Law360, August 20, 2012.
Alfred J. Saikali, Why You May Have Suffered a Data Breach and Not Even Know It, Data Security Alert, August 3, 2012.
Alfred J. Saikali, Can a Company be Liable for its Employee Installing File-Sharing Software?, Data Security Alert, June 14, 2012.
Alfred J. Saikali, Data Security Questions Companies Should Consider, Data Security Alert, May 15, 2012.
Anatomy of a Data Breach: Developments in Data Security and Cloud Computing Laws (Program Chair and Presenter), ABA Section of Litigation Annual Conference, Washington, D.C., April 2012.
Alfred J. Saikali, Data Security Law Journal.
Alfred J. Saikali, Data Stored in Cloud Not Guaranteed to Remain Private, (Special Report: The Risks of Cloud Computing), Daily Business Review, October 11, 2011.
Google Exposed User Data, Feared Repercussions of Disclosing to Public, The Wall Street Journal, October 8, 2018.
7th Circ. Opens Up Path For Cos. To Ditch Data Breach Suits, Law360, April 18, 2018.
Fingerprint-Scanning Time Clocks Spark Privacy Lawsuits, The Wall Street Journal, January 11, 2018.
Cybersecurity & Privacy Predictions For 2018; and Cybersecurity & Privacy Cases To Watch In 2018, Law360, January 1, 2018.
Ill. Biometric Privacy Suits Must Claim Actual Harm, Court Says, Law360, December 22, 2017.
Mich. Bill To Shield Cybersecurity Plans From FOIA Advances, Law360, October 26, 2017.
Best Practices for Reducing Cybersecurity Risks, South Florida Legal Guide, October 16, 2017.
SEC Takes Walk in Businesses' Shoes With Database Hack, Law360, September 22, 2017.