California Attorney General Announces First CCPA Settlement

David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation. David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on their data practices to provide guidance on the myriad issues that arise in today’s digital world. Additionally, David has experience conducting risk assessments, developing privacy programs, drafting privacy policies, performing due diligence for corporate transactions, planning around cross-border data transfers, negotiating vendor agreements and working with clients through data incident response. He regularly counsels on HIPAA, HITECH, GDPR, GLBA, CCPA and state law privacy obligations, including engaging with key rulemakers at the state level to advance clients’ interests. He has litigated and helped resolve matters related to data privacy and cybersecurity issues, including navigating potential and actual regulatory investigations. David has successfully worked with a number of state attorney general’s offices and federal regulators, and advocated on behalf of clients in the telecommunications, consulting and financial services sectors whether in response to routine inquiries or in response to reported data incidents. His work also includes collaborating with clients to provide testimony and comment on existing and planned data privacy legislation at the state and federal levels. David maintains an active pro bono practice, having represented inmates in various actions in state and federal courts, and providing privacy program development, counseling and training to non-profits.

Michael Morgan is recognized as one of the nation’s leading lawyers in cybersecurity and data privacy. He has guided clients through some of the largest and most complex data breaches, breaches involving more than 50 million records, incidents affecting persons in over 100 countries around the world, and incidents involving sensitive defense-related information. He counsels clients on compliance with US and international regulations relating to cybersecurity and data privacy, including compliance with the California Consumer Privacy Act, the EU’s General Data Protection Regulation and China’s Network Security Law. Mike is the US head of the Firm’s Global Privacy & Cybersecurity Practice Group. Mike has particular experience on complex legal issues arising from advanced technologies. He represents companies on privacy and cybersecurity issues arising from vehicle autonomy and connectivity and is an expert on the fast-changing regulatory environment relating to autonomous vehicles and in the US and around the world. He also advises clients on matters relating to international data transfers (e.g. EU model clauses and Privacy Shield), cryptocurrency, e-commerce security, and blockchain applications. He represents clients in a range of industries, including financial services, big data, automotive, telecommunications, healthcare, insurance, and automotive, as well as defense contractors and subcontractors subject to requirements under DFARS and the CMMC Framework. Mike has handled scores of privacy and cybersecurity-related cases, including more than one hundred lawsuits involving claims under the FCRA, UDAAP statutes and consumer protection statutes. He has particular expertise in the defense of cases involving claims for statutory damages and advises clients on mitigation of legal risks arising from the CCPA’s statutory damages provisions applicable to data breaches. He has defended against government investigations by the FTC, CFPB, FCC and state attorneys general. Mike is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).

Austin Mooney focuses his practice on global privacy, cybersecurity and emerging technologies. He helps clients in a variety of industries understand and manage risks relating to the collection, use and storage of personal and other sensitive information. In his privacy practice, Austin advises clients on implementing global compliance programs designed to navigate the evolving legal landscape around data privacy, including the Federal Trade Commission (FTC) Act, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other emerging US state consumer privacy laws. He is experienced in consumer privacy litigation and investigations, privacy contract drafting and negotiation, cross-border data transfers and compliance issues with federal surveillance law including the Foreign Intelligence Surveillance Act (FISA). Austin also advises on cybersecurity matters, including conducting enterprise security assessments under privilege, drafting and negotiating vendor contracts, compliance with federal and state security laws and data breach response and remediation. Austin regularly speaks and writes on technology law topics. He has featured in Ars Technica, JD Supra, National Law Review, Lexology and ACC Docket. He has represented clients ranging from startups to Fortune 500 companies, including in the professional services, technology, healthcare, life sciences, finance, retail, entertainment and e-commerce sectors. He advises on risks relating to emerging technologies including autonomous vehicles, blockchain/cryptocurrencies, Internet of Things (IoT) devices, encryption and encrypted messaging, artificial intelligence, biometrics and advertising technology. He has also advised on privacy and security risks arising from large M&A transactions. Before McDermott, Austin served as a law clerk for the US Senate Judiciary Committee, where he worked on Supreme Court and Attorney General nominations, executive branch oversight and investigations, FISA reform and other legislative initiatives. He has also held positions with a nationally ranked law firm, the Federal Trade Commission, the Network Advertising Initiative and as a research assistant for Professor Daniel Solove. Austin is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E).

Saba Bajwa focuses her practice on privacy and cybersecurity matters. Saba provides compliance advice and guidance on the impact of evolving domestic and international privacy regimes. She has experience advising clients on US and international privacy laws, including the EU General Data Protection Regulation (GDPR), state laws like the California Consumer Privacy Act (CCPA) and similar laws in Virginia, Colorado, Connecticut, and Utah, marketing laws like the CAN-SPAM Act and Telephone Consumer Protection Act (TCPA), and other data security and privacy laws and regulations, including the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), and US state data breach notification laws. While in law school, Saba served as editor-in-chief of the Journal of Law and Innovation.