Andrew Serwin is one of the pre-eminent privacy and security practitioners in the world. He has worked on some of the highest-profile privacy and security matters, and clients describe him as a "rock star lawyer," "a walking encyclopedia on anything data protection related" and "a tireless worker, holding onto the ever-shifting puzzle pieces of the law in this area in a way that other privacy lawyers cannot" (Chambers USA). For his work in data protection and privacy, Andrew is an inaugural inductee into the 2017 Legal 500 Hall of Fame, composed of outstanding US lawyers who have been recommended as Legal 500 Leading Lawyers for the last six consecutive years. He was also named one of the Daily Journal's Top 100 Lawyers in California for 2016 and a National Law Journal 2015 Cyber Security & Data Privacy Trailblazer, recognizing the 50 people "who have helped make a difference in the fight against criminal cyber activity."
Andrew offers clients the practical experience that comes from having counseled on many of the highest profile privacy and cybersecurity matters of recent years, with the breadth of knowledge that comes from authoring the premier global treatise on privacy and cybersecurity.
With extensive business and leadership experience, Andrew understands his clients' businesses, industries and unique challenges. He has founded, advised and served on the board of directors of many companies, particularly in the transformational technology and media sectors. He also holds advanced certifications in governance, including Carnegie Mellon University's Computer Emergency Response Team (CERT) certification in cyber oversight.
Andrew is a noted public speaker and author and the only law firm lawyer ever to be named to Security Magazine's prestigious "25 Most Influential Industry Thought Leaders." He wrote the leading treatise on privacy and security, Information Security and Privacy: A Guide to Federal and State Law and Compliance and Information Security and Privacy: A Guide to International Law and Compliance (West 2006-2022), collectively a 6,000-page, three-volume treatise that examines all aspects of privacy and security laws, published by Thomson-West. The treatise has been called "the best privacy sourcebook," "an indispensable resource for privacy professionals at all levels," and "a book that everybody in the information privacy field should have on their desk." He has published numerous other books and law review articles and routinely authors client alerts on cutting-edge privacy and cybersecurity developments.
Andrew advises Fortune 500 and emerging companies alike regarding privacy, security, crisis management and national security, with a particular emphasis on: international compliance; cybersecurity; national security issues; health privacy; mobile; behavioral advertising; the Electronic Communications Privacy Act and wiretap issues; electronic marketing concerns; social media; and compliance with FTC requirements. He also handles some of the highest-profile data security incidents and privacy enforcement and litigation matters in the world. His representations involve every aspect of breach preparedness and response, from drafting incident response plans and conducting tabletop exercises, to advising on consumer and state notices, responding to regulators and defending companies in litigation relating to the incident. Andrew has served as lead counsel in a number of matters before the FTC and the Office for Civil Rights, and in state consumer protection and privacy litigation based on the alleged misuse of personal information, including class actions and enforcement matters brought by state attorneys general.
- Represent a leading technology company in what is alleged to be one of the largest and most complicated security incidents to date
- Selected as the lead expert witness on U.S. law by the Irish Data Protection Commissioner in Schrems II. His opinions on surveillance, Article III standing and the scope of U.S. remedies served as the basis of the U.S. law discussion in the Commissioner's Draft Decision; that analysis was largely adopted by the Irish High Court in its decision, affirmed by the Irish Supreme Court, and served as the basis of the CJEU's decision
- Advised Target Corporation on a security incident involving theft of credit card and other personal information allegedly from up to 70 million individual customers
- Represented health insurance provider in multiple security breaches, including a 2015 security incident that allegedly involved 80 million insureds
- Represented a global technology provider in a significant security incident
- Advised eBay on a global security incident, on a breach allegedly involving over 140 million records.
- In the Matter of CVS Caremark, represents CVS before the Federal Trade Commission and the Office for Civil Rights in connection with a consent decree and resolution agreement arising from allegations related to information security
- In the Matter of Playdom, Inc., a subsidiary of Disney Enterprises, Inc., represented company before the Federal Trade Commission in an investigation alleging a violation of COPPA and Section 5
- Represent numerous companies before the FTC in consumer protection investigations
- Represented Fortune 50 healthcare company before OCR in a matter arising from allegations of improper access to medical records. Case closed without enforcement
- Drafted all documents relating to security breach response for numerous clients, including notification letters, scripts, and questions and answers for individuals, as well as notification letters to state authorities and credit reporting agencies, including under HIPAA
- Advise numerous major utilities, financial services companies, health care companies, technology companies and retailers on information sharing, incident response and preparedness, and disaster recovery, including drafting policies and procedures and conducting numerous tabletop exercises
- Represent major health insurer in cybersecurity incident
- Represent global consulting and staffing company in responding to security incidents
- Represented a global relationship management company in several litigation matters, including a qui tam action and a government investigation, that arose from the alleged improper disclosure of sensitive information. The matters resolved on favorable terms
- Hall v. Pacific Dental Services, Inc., represented the defendants in a putative class action alleging violation of the California Medical Information Act related to the alleged improper sharing of information. Summary judgment was granted for our client.
- Source Healthcare Analytics, LLC v. NDCHealth Corporation, represented defendant in technology dispute arising out of allegations related to uses of health care data
- Represent several global consulting firms in numerous privacy and security matters, including internal investigations.
- Represent global consulting firm in matter before OCR relating to allegations of HIPAA non-compliance and retaliation. Case closed without enforcement.
- Represent global financial services company in privacy and security diligence for a multi-billion dollar acquisition
- Conduct numerous tabletops and incident simulations for a cross-sectional group of companies, including utilities, financial services companies and health care companies
- People of the State of New York v. Synergy 6, Inc., et al., represented two of the defendants in an action brought by Attorney General Eliot Spitzer arising out of the alleged improper sending of commercial e-mails. The case sought US$20 million in civil penalties and ultimately resolved for US$50,000
- Create information sharing programs for numerous global companies
- Represent numerous AdTech, sports and media companies in CCPA, privacy, and cybersecurity matters
- J.D., University of San Diego, 1995 (Order of the Coif)
- B.A., University of California at San Diego, 1992
- Chambers Global (2009 – 2023)
- Band 1, USA Privacy & Data Security (2023)
- Band 2, USA Privacy & Data Security (2020 - 2022)
Chambers comments, "Andrew Serwin is accomplished in navigating data security incidents and responding to enforcement issues." Clients say, "His knowledge is just so deep and balanced. He knows how to handle the privacy and data security issues in a practical manner. He provides guidance on how it will work in the real world. You can trust his advice and counsel." "An excellent lawyer with an impressive practice. He is also very talented and a pleasure to work with."
- Chambers USA (2007 – 2023)
- Band 1, Nationwide Privacy & Data Security (2022 - 2023)
- Band 2, Nationwide Privacy & Data Security (2020 - 2021)
- The Legal 500 United States (2006 – 2023)
- Hall of Fame, Cyber Law (including Data Privacy and Data Protection) (2020 - 2023)
- Leading Lawyer, Cyber Law (including Data Privacy and Data Protection) (2019)
- BTI Super All-Star 2022 – Recognized for Superior Client Service
- What clients say to BTI about Andy: "Hiring him is a no-brainer."
- BTI All-Star MVP 2022 – Recognized for Superior Client Service
- BTI Client Service All-Stars 2020 – Recognized for Superior Client Service
- Daily Journal 2019-2022 – Named a Top Cyber Lawyer in California
- National Law Journal 2015 – Cyber Security & Data Privacy Trailblazer. Recognizing the 50 people "who have helped make a difference in the fight against criminal cyber activity"
- Daily Journal 2016 – Top 100 Lawyers in California
- Computerworld 2011 – Top Global Privacy Advisors - ranked second
- Security Magazine 2009 – 25 Most Influential Industry Thought Leaders. The only law firm lawyer ever to be named to this prestigious list
- Best Lawyers in America 2010–2023 – Featured, Information Technology Law
"One of the top privacy lawyers able to focus not only on the complexity of the laws in the United States, but also globally, including European data protection laws and the APEC privacy framework"
- San Diego SuperLawyers 2007–2023 – Featured - ranked among the top 50 lawyers of 2012
- "Corporate Counsel’s Data Privacy Problem," LegalTech News, April 5, 2023
- "Cos. Must Create Data Sustainability To Address Privacy Risks," Law360, January 12, 2023
- Information Security and Privacy: A Guide to Federal and State Law and Compliance and Information Security and Privacy: A Guide to International Law and Compliance (West 2006-2022)
- The Intelligence Community: Who is Who and What Do They Do?, IAPP, August 25, 2018
- The Dark Web—the Next Frontier in Data Breach Standing Analysis Amid a Deepening Circuit Split, Bloomberg Law, March 19, 2018
- FISA Section 702 Reauthorization Attempts Privacy, Intel Balance, Bloomberg BNA, January 18, 2018
- Cyber Becomes Mainstream: The Lessons Learned for 2017, Legaltech News, January 9, 2017
- Managing Security in a Cyber-Enabled World, Baseline, April 2016
- HIPAA Enforcement: A Retrospective, IAPP - The Privacy Advisor, March 2016
- Courts Defer to Individual Privacy Interests by Requiring Warrant To Obtain Cell Phone Data and Cell Site Records in Riley and Davis, Bloomberg BNA Criminal Reporter, July 2014
- Privacy, Data Protection & Transportation—Emerging Trends and Emerging Risks, Journal of Air Law and Commerce (SMU Air Law Symposium), April 2014
- Calif. Case Limits Health Care Data Breach Claims, Law360, December 2013
- Search Warrant: FBI warrant to search a target computer at premises unknown, E-Commerce Law Reports, Vol. 13, Issue 3, July 2013
- Ramping up for FedRAMP: An Overview of the FedRamp Certification Process and Its Importance in Federal Procurements for Cloud Computing Services, Bloomberg BNA Federal Contracts Report, June 2013
- The Expanding Reach of U.S. Laws Protecting Health Information and Children's Information, Bloomberg BNA World Data Protection Report, Vol. 13, No 6, June 2013
- Health Care Privacy and Security, 2013-2022 ed., May 2013
- Information Security and Privacy: A Guide to Federal and State Law and Compliance, 2013 ed., April 2013
- Internet Marketing and Consumer Protection, 2012-2021 ed., January 2013
- Information Security and Privacy: A Guide to International Law and Compliance, 2013 ed., January 2013
- "Cybersecurity and ESG," NACD (National Association of Corporate Directors) Leading Minds Program, May 2023
- Fireside Chat: Cybersecurity Issues in Renewable Energy: What You Need to Know (and Be Worried About), 2019 Infocast Solar Finance & Investment Summit, March 2019
- Pay Up or Your Data Gets It: Preparing for and Responding to a Ransomware Attack, IAPP Web Conference, December 2017
- Perilous Pathways: Cybersecurity & Corporate Liability at the Crossroads, The 3rd Annual West Coast Legal Executive Forum, April 2016
- California District Attorneys Association Seminar February 2016
- Cybersecurity Developments and Cyber Insurance, 2016 LA County Bar Association's Corporate Law Department Roundtable, February 2016
- Cybersecurity: What Are Boards DOING About it?, Directors Forum 2016: Directors, Management & Shareholders in Dialogue, January 2016
- Doing Business After Safe Harbor—the First 90 Days, CEB Compliance and Legal Groups, January 2016
- The Attack: How Hackers Get In and the Mischief They Create, Cyber Day: Cybersecurity for Directors and C-Level Executives, November 2015
- The Dangers and Ethics Clouding High-Technology Surveillance and Data Collection, Emerging Technology and Privacy Conference, October 2015
- How Companies Can Manage Cyber Security Risk and Partner with Law Enforcement to Reduce Exposure, ACC September MCLE, September 2015
- Data Protection Masterclass: Managing Data Breach Incident Response, July 2015
- Understanding the Three Letter Acronyms, Who is Who and What Do They Do? The United States Secret Service in Focus, July 2015
- HIPAA Security Breach Response Plan, March 2015
- 12th Annual General Counsel Roundtable and All Day MCLE, January 2015
- Data Protection Masterclass: Cybersecurity & Data Protection Concerns – Current and Upcoming Risks, December 2014
- Data Breach Prevention & Response: Creating Order Out of Chaos, RILA Retail Law 2014, October 2014
- Oxbridge Biotech Roundtable: Genetic Privacy: Who has Access to Your Code?, April 2014
- National Cyber-Forensics & Training Alliance, Retail Industry Leaders Association, March 2014
- Avoiding a Target on Your Back: Creating An Information Governance Structure, Silicon Valley Association of General Counsel, March 2014
- 3rd Annual Berkeley Center for Law & Technology Privacy Law Forum: Silicon Valley, March 2014
- ACC 11th Annual General Counsel Roundtable and All Day MCLE, January 2014
- HIPAA Omnibus Rule – Implementation and Learning, 4th Annual HIMSS SOCAL Privacy & Security Forum, December 2013
- Data Breaches that Don't Make the Headlines, ACC Annual Meeting, October 2013
- NCFTA Executive Cyber Security Threat Summit, October 2013
- Do you know where your data is? Finding and protecting your sensitive, high-risk data, September 2013
- Protecting Your Information Assets from the Emerging Cyberthreat, June 2013
- “Companies paying price for EU-U.S. Privacy Shield removal,” Compliance Week, July 27, 2020
Memberships and Affiliations
Andrew serves as chairman of the board of directors of the National Cyber-Forensics & Training Alliance (NCFTA), a private-sector, federally funded entity that functions as a forum for private industry, academia and law enforcement, with a core mission to identify, mitigate and neutralize cybercrime. In addition, he serves as an advisor to the Naval Postgraduate School's Center for Asymmetric Warfare and is the CEO and executive director of the Lares Institute, a think tank focused on privacy, information superiority and national security issues.