Customers trust your company with sensitive data every day. But as technology outpaces regulation and legislation, organizations face complex challenges complying with the patchwork of laws governing the collection, use, storage and disposal of this information. Responding quickly and appropriately to a data incident requires the direction of outside counsel with the knowledge, experience and relationships to minimize the risks arising from a breach.

Whether preparing companies for new compliance and reporting requirements or helping them through the aftermath of a cyberincursion, Shook, Hardy & Bacon’s Privacy and Data Security Practice always prioritizes the business operations, goals and culture of those we represent. In this capacity, we have worked closely with data aggregation and marketing firms, financial services companies, health care providers, manufacturers, pharmaceutical companies, and other corporations—from startups to Fortune 100 firms—that regularly handle sensitive information. 

With attorneys holding professional privacy certifications in the U.S. and Europe, our team offers both preventive and responsive strategies designed to integrate seamlessly with your business needs.

Toll Free 24-Hour Data Incident Contact: 855.380.7584

Representative Matters

Breach Response

Our Privacy and Data Security Practice has assisted clients with the following data breach incidents:

  • A network intrusion affecting the payment card information of an online retailer’s consumers in every U.S. state and overseas.
  • A cyber-attack involving an advanced persistent threat that put the intellectual property of a multinational science and technology company at risk.
  • The insertion of malware into a company’s website, affecting the payment card information of more than 100,000 individuals.
  • The theft of personally identifiable information from a professional services company by an employee involved in a nationwide identity-theft crime ring.
  • Lost mobile devices used to store protected health information by covered entities and business associates.
  • A vendor’s theft of consumer information from a national financial services company.

Privacy and Data Security Litigation

Defended an educational institution in class action litigation arising from a data breach involving a vendor’s loss of sensitive information.

Defended major retailers in privacy-related class action lawsuits based on the Fair and Accurate Credit Transactions Act (FACTA). 


Advising companies on their legal obligations regarding permissible use, sharing, storage, and disposal of customer information.

Counseling covered entities and business associates to comply with HIPAA/HITECH, including the preparation of risk assessments, drafting internal and consumer-facing privacy policies and notices, performing employee training, and negotiating business associate agreements.

Designing and drafting incident response plans for financial institutions and multinational science and technology companies.

Helping companies comply with the U.S.-EU Safe Harbor Framework for cross-border transfers of information.

Providing counsel on the Payment Card Industry’s Data Security Standards and negotiating merchant agreements and subcontractor agreements to maximize compliance with the standards.

Designing vendor management programs to minimize the risks of service-provider access to sensitive information, including the drafting and negotiation of agreements that address incident response, indemnification, notification, data ownership, and the implementation and auditing of security safeguards.

Directing an information-security assessment for a Fortune 50 company to identify legal risks associated with its procedures for collecting, storing, using, and disposing of sensitive information.

Training employees of covered entities, business associates and insurance companies about the proper handling of protected health information.

Advising Fortune 100 companies about their obligations under federal data privacy laws, such as the Gramm-Leach-Bliley Act, HIPAA/HITECH, CAN-SPAM, and the Fair and Accurate Credit Transactions Act. 

We also regularly help companies understand and comply with the Illinois Biometric Information Privacy Act (BIPA), Texas HB 300 and California’s Online Privacy Protection Act, as well as state privacy laws and regulations.

Thought Leadership

To keep abreast of the latest data trends and technologies, our attorneys are involved and hold leadership positions in numerous industry and standard-setting activities, including the following organizations:

  • The Sedona Conference® Working Group on Privacy and Data Security (Founder and Co-Chair);
  • International Association of Privacy Professionals (Board Member);
  • South Florida Privacy and Data Security Law Summit (Founder, Co-Chair and Speaker);
  • U.S. Secret Service Electronic Crimes Task Force;
  • American Bar Association Section of Science and Technology, Cloud Computing and E-Privacy Committees;
  • Law360’s Privacy and Consumer Protection Editorial Advisory Board.

Our attorneys routinely offer cutting-edge legal analysis in the Data Security Law Journal, Cloud IPQ, Law360, and various media outlets. In 2018, practice chair Al Saikali received a national ranking for Privacy & Data Security by Chambers USA.