Brad works closely with leaders from corporate legal departments, c-suites, and business units to evaluate data privacy legal risks and develop solutions.
Both emerging and established companies turn to Brad to assist with data privacy law matters ranging from compliance and risk mitigation to data breaches, including U.S. and international compliance issues; privacy program development, implementation, and maintenance; due diligence, privacy impact assessments, and vendor management; and breach/incident response.
Data privacy is regulated by a patchwork of state, federal and international law, and Brad supports companies across multiple industries and jurisdictions to evaluate risk and develop corporate strategy to comply with applicable laws and regulations. He advises clients on state-level laws in the U.S., including CCPA/CPRA (California), Colorado (CPA), Connecticut (CTDPA), Nevada, New York (SHIELD Act), Utah (UCPA), and Virginia (CPDA), as well as a host of federal regulations that bear upon data privacy, including the Gramm-Leach Bliley Act, HIPAA, FERPA, CAN-SPAM, COPPA, and TCPA. Brad also has experience with technology compliance with the ADA, as well as compliance with guidance and enforcement from the Federal Trade Commission, U.S. Department of Commerce, and state Attorneys General.
The cutting edge of privacy regulation is often found outside of the U.S., and Brad is conversant with a variety of international laws that impact businesses on a global basis. These include the EU’s General Data Protection Regulation (GDPR) and the EU Member States’ implementation and enforcement; Russian and Chinese data localization laws; and countries achieving or seeking GDPR adequacy, such as Australia, New Zealand, South Korea, Switzerland, United Kingdom, Canada, Japan, and Argentina, among others. He also guides clients on new and developing privacy/security regimes in Brazil, India, China, South Africa, and others.
Brad uses his knowledge of U.S. and international data privacy law to help clients develop, implement, and maintain compliance programs that are consistent with each client’s strategic plans. He has created privacy programs “from the ground up,” as well as developed improvements and refinements to existing programs, in both cases coordinating with non-legal stakeholders—such as HR; IT; Marketing; Safety and Health Enforcement; Security; Procurement; M&A—throughout client organizations (and across multinational subsidiaries) as needed to evaluate the scope of privacy concerns, determine the client-specific, risk-appropriate approach, and implement policies and procedures. For clients ranging from large, multinational organizations to smaller enterprises, he has served as de facto External Data Privacy Officer.
As part of program development and implementation, Brad routinely drafts policies, procedures, and trainings for internal use and drafts notices for websites, mobile apps, customers, employees, franchisees, and other relevant audiences. He also performs privacy impact assessments (PIA) for vendors and systems; drafts and reviews privacy and security contracts with vendors, including preparing template agreements for use across systems, with subsidiaries, and in franchise relationships; creates and coordinates ongoing compliance plans for vendor management and tracking to ensure compliance with the GDPR’s Article 30 and similar laws; and performs M&A due diligence and post-transaction integration regarding security and data privacy compliance.
In the context of data breaches and cybersecurity incidents, Brad manages clients’ data breach response, including compliance with applicable state, federal, and international breach laws. This includes advice regarding incident response plans and determining the necessity of individual or regulator notice for U.S. state law, GDPR, and other similar regulation.