Brittany Bacon

Brittany M. Bacon advises clients in identifying, evaluating and managing complex global privacy and information security risks and compliance issues.

Brittany assists clients in identifying, evaluating and managing a panoply of global privacy and information security risks and compliance issues.  A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents.

This includes advising clients on data breach notification responsibilities, counseling them on responding to multi-jurisdictional regulatory investigations, and providing strategic advice in the breach context for managing inquiries from Boards of Directors, consumers, media and potential acquiring companies in a deal setting.

Brittany helps companies design and build privacy and data security governance programs, and develop written policies, procedures and standards.  She advises clients on conducting proactive breach preparedness activities, including developing workable incident response plans and legal breach notification procedures, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts (such as forensic investigation firms, credit monitoring services, PR firms and call centers) in advance of an incident.

In relation to her privacy compliance practice, Brittany has extensive experience in advising clients on state, federal and international privacy laws.  She routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use.

She works with start-ups whose technology is often years ahead of the laws designed to regulate it.  She also regularly negotiates privacy and data security provisions of complex commercial and technology-related contracts and helps companies design robust vendor management programs.

Experience:

• Advised over 50 companies (including health care companies, retailers, consumer goods companies, and financial institutions) on data breach and cybersecurity incident response, including preparation of required notifications pursuant to state breach notification laws, the HITECH Act and Interagency Guidance, call center training and development of media strategies.
• Advised major multi-national company with a data security incident extending to 78 countries, managed the U.S. legal escalation call center and responded to multiple international data protection authorities.
• Advises clients on FTC, SEC and state Attorney General (including Multistate Task Force) investigations and enforcement actions for alleged data security and privacy violations.
• Provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness.
• Assisted Fortune 100 company in responding to congressional inquiries relating to a cybersecurity incident.
• Prepares comprehensive data security policies, standards and procedures in connection with corporate information security programs.
• Assists clients with complying with privacy and information security requirements, including under GLB, HIPAA and state information security laws.
• Advises clients on managing FTC Consent Orders and CIDs in connection with data security incidents.
• Advised major global bank on massive cyber intrusion.
• Advised multinational clients on Safe Harbor certification and annual recertification.
  Develops comprehensive vendor management programs.
• Counsels clients in negotiating information sharing agreements with government agencies.
• Assists clients in establishing a vendor management program, including evaluating and negotiating privacy and data security provisions and indemnities contained in vendor agreements.
• Evaluates compliance issues and drafts notices and consents for corporate programs involving business uses of employee-owned electronic devices.
• Drafts online and offline privacy policies, procedures and notices.
• Evaluates compliance and enforcement issues related to the collection of information in the context of credit card transactions under the Song-Beverly Act and other state and federal laws.
• Develops employee training materials and handbooks focusing on privacy and information security practices.
• Counsels clients on HIPAA compliance, including security breach notification obligations under the HITECH Act and preparation of HIPAA security policies and procedures.

EDUCATION:

• JD, Washington University School of Law, 2009
• BA, University of Notre Dame, cum laude, 2006

BAR ADMISSIONS:

• New York

Memberships:

• Member, New York Bar Association