Privacy & Security

The frictionless flow of information is a defining feature of today’s information economy. Your organization’s ability to transfer customer data, employee files, financial records, and other information around the country or the globe quickly and cheaply has opened a world of new opportunities. Privacy laws vary by jurisdiction and are interpreted unpredictably, and even if your business is extremely conscientious, it can make a false step as it captures, uses, transfers, and discloses personal information. The consequences can be serious and even devastating — heavy fines, injunctions, government audits, even criminal liability and damaging media attention.

Our practice, ranked by Chambers USA and Chambers Global, draws upon broad experiences related to technology, health, communications, antitrust, competition, and consumer protection to counsel clients on a day-to-day basis regarding their privacy and data security policies. We have assisted our clients with the formulation and implementation of policies and best practices for information management that are compliant with the changing and growing body of international, federal, and state privacy statutes.

We are proud to say that we are one of the few law firms in the Northeast to have multiple attorneys with certifications issued by the International Association of Privacy Professionals, recognizing facility with and knowledge of privacy and security processes and procedures. We provide general business counseling and advise clients in relation to their corporate transactions, international business operations, and public policy development as well as conduct privacy audits, gap analyses, risk assessments, and manage the investigation, mitigation, and resolution of any privacy and security breaches.

Quick Facts


  • Thought leadership delivered through our Privacy & Security Matters blog
  • Advise clients on US federal and state laws related to data protection and data breach notification
  • In-depth familiarity with the EU Data Protection Directive and requirements in EU member states and other international jurisdictions
  • Interdisciplinary practice serving a wide range of industries

Areas of Focus

  • Cable privacy
  • Children’s privacy
  • Consumer and employee privacy
  • Consumer protection litigation
  • Data breach litigation
  • Data breach response and notification
  • Data retention policies
  • Data security
  • Data sharing
  • Direct marketing
  • Education privacy
  • Financial privacy
  • General privacy and data security compliance
  • Health and pharmaceutical privacy
  • Identity theft risk “red flags” and mitigation
  • International privacy laws
  • Online advertising and behavioral marketing
  • Payment card data security
  • Privacy and data security audits
  • Retailer and point-of-sale (POS) privacy
  • Telecommunications privacy
  • Utilities privacy
Sort by: Name  Title  Office

Boston 617.348.1865
New York 212.692.6776
Boston 617.348.3057
Boston 617.348.1614
Ernest C. Cooper

Ernest C. Cooper

Associate

Washington, DC 202.434.7314
London, UK +44.20.7776.7330
London, UK 011.44.790.881.9030
Steve Ganis

Steve Ganis

Of Counsel

Boston 617.348.1672
Boston 617.348.1642
Kimberly J. Gold

Kimberly J. Gold

Associate

New York 212.692.6706
Sarah T. Hogan

Sarah T. Hogan

Associate

Boston 617.348.1883
New York 212.692.6215
Boston 617.348.1732
Boston 617.348.4499
London, UK +44.20.7776.7306
New York 212.692.6705
Boston 617.348.4780
Boston 617.348.1688
Evan Nadel

Evan Nadel

Member

San Francisco 415.432.6016
San Diego 858.314.1505
San Francisco 415.432.6109
New York 212.692.6859
Jake Romero

Jake Romero

Associate

San Diego 858.314.1584
Boston 617.348.3039
Boston 617.348.1621
Christine M. Wahr

Christine M. Wahr

Associate

Boston 617.348.3014

Representative Experience

  • Acted as general counsel to an international software company providing clinical information and EHR systems for critical, peri-operative, and acute care environments.
  • Advise a global company operating in more than 140 countries on development of global data privacy strategy and compliance infrastructure.
  • Advised a community hospital on procuring a web-based patient communication portal.
  • Advised a multispecialty physician group on procuring an EHR system.
  • Advised a pharmacy benefits manager on procurement of a new claims processing platform.
  • Advised an online behavioral health company on online contracting, licensing, and distribution matters.
  • Advised multiple health information technology service providers on compliance with new regulatory obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Advised the independent state agency (known as the Connector) formed to manage Massachusetts’s health insurance program on the substantial outsourcing of its customer service center operations.
  • Assisted a biotech company on the acquisition and use of national and international clinical data to build a data repository to support research and development activities.
  • Assisted integrated health care providers seeking to revamp and integrate their IT systems for revenue cycle management, billing, and patient administration.
  • Consumer privacy advice (online and offline) to a leading publicly held warehouse club operator. Work with the client to ensure compliance with Federal Trade Commission consent order requiring extensive privacy safeguards and audits, including during launch of company's first e-commerce site.
  • Counseled a hospital following the loss of paper-based mental health records on mitigation of harm, reporting to patients and regulatory authorities, and negotiation with state authorities following disclosure of the incident.
  • Designed, implemented, and delivered an employee privacy and security training program for a specialty physician practice under investigation by the Department of Justice.
  • Developed a Red Flags compliance program for a full-service telecommunications company providing phone, high-speed Internet, and video services to more than 750,000 customers in the Midwest. This is an example of one Red Flags compliance program among dozens that the firm’s Privacy & Security Practice has worked on for companies of all types — communications / cable companies, utilities, universities, auto dealers, retailers, vendors, and more.
  • Developed a multistate HIPAA and Red Flags privacy compliance infrastructure for a US-based biosciences company specializing in the development and commercialization of clinically validated molecular diagnostics and anatomic pathology services.
  • Managed a Safe Harbor certification program for a leading web-enabled energy demand-response management solutions provider, and coordinated registration with UK Data Protection Authority for UK subsidiary. Developed enterprise-wide information security program and conducted training of employees.
  • Multistate privacy compliance and advice to an athletic club with facilities in Massachusetts, New York, DC, and California.
  • Negotiated a strategic distribution arrangement with a leading telecommunications carrier for an international mobile health IT applications company.
  • Negotiated a strategic exclusive license arrangement with a large EHR vendor and health care data analytics company for distribution of an integrated platform.
  • Negotiated an outsourcing agreement with an Indian data processing company for a health care data analytics company.
  • Negotiated SaaS agreements for a health care data analytics company offering subscription-based data analytics products.
  • Negotiated strategic collaborations with consumer health portals, e-prescribing vendors, payment processing service providers, and consumer health content publishers for an innovative provider of online care.
  • Ongoing advice and analysis to many clients related to the changing legislative landscape, providing timely updates on introduced legislation, and analysis of potential effects on business processes.
  • Ongoing consumer privacy advice (online and offline) to a manufacturer / supplier of nontoxic household products.
  • Ongoing data privacy and security compliance advice to an interactive marketing and media company in the business of producing and distributing premium new age, metaphysical, and psychic entertainment services.
  • Ongoing multistate (and HIPAA) privacy and security advice to an innovative online health care company that allows consumers to interact with physicians immediately using web-based technologies, including managing the privacy and security negotiations with major providers and insurers who are customers of our client.
  • Ongoing privacy advice on global compliance with data privacy and bank secrecy laws to the leading independent analytics provider for derivatives and structured products, enabling the structuring, pre-trade pricing, valuation, and management of even the most complex deals.
  • Ongoing privacy compliance advice (online and offline services) to a major cable television content provider (music television), with respect to collection and use of data (particularly in connection with federal Children's Online Privacy Protection Act).
  • Ongoing privacy compliance advice to a company providing educational software and services to over 3,700 educational institutions in more than 60 countries.
  • Ongoing privacy compliance advice to an association representing all of the cable television multiple system operations in the United States with respect to collection and use of cable subscriber data under the federal Cable Subscriber Privacy Act and legislative updates relating to drafts of federal privacy legislation.
  • Provide ongoing global privacy compliance advice to a global information and content company traded on the London Stock Exchange.
  • Provide risk assessments and gap analyses for multiple Mintz Levin clients (located in Massachusetts, New Hampshire, New York, Connecticut, Texas, and California) under the Massachusetts data security regulations, which are the strictest regulations in the United States.
  • Provided strategic and legal advice to the Massachusetts Health Information Technology Council, which was charged with developing a statewide Health Information Exchange.
  • Represented a premier global open innovation provider, from its inception in 2001 as a wholly owned subsidiary of Eli Lilly and Company through spin out and financings. Issues included structure of the provider’s privacy framework and compliance with global privacy and security requirements.
  • Represented hospital systems in strategic collaborations with major IT companies.
  • Served as general counsel to a software company providing an automated platform for case, disease, and population management.

Past