Andrew advises a number of Fortune 500 and emerging companies alike regarding privacy, security, crisis management and national security, with a particular emphasis on: international compliance; cybersecurity; national security issues; health privacy; mobile; behavioral advertising; the Electronic Communications Privacy Act and wiretap issues; electronic marketing concerns; social media; and compliance with FTC requirements. He also handles some of the highest-profile data security incidents and privacy enforcement and litigation matters in the world. His representations involve every aspect of breach preparedness and response, from drafting incident response plans and conducting tabletop exercises, to advising on consumer and state notices, responding to regulators and defending companies in litigation relating to the incident. Andrew has served as lead counsel in a number of FTC matters, matters before the Office for Civil Rights and state consumer protection and privacy litigation based on the alleged misuse of personal information, including class actions and enforcement matters brought by state attorneys general.

  • Represent leading technology company in what is alleged to be one of the largest, and most complicated, security incidents.  
  • Mr. Serwin was selected as the lead expert witness on U.S. law by the Irish Data Protection Commissioner in Schrems II. His opinions on surveillance, Article III standing, and the scope of U.S. remedies, served as the basis of the U.S. law discussion in the Commissioner’s Draft Decision, and this analysis was largely adopted by the Irish High Court in its decision, affirmed by the Irish Supreme Court, and served as the basis of the CJEU’s decision
  • Advised Target Corporation on a security incident involving theft of credit card and other personal information allegedly from up to 70 million individual customers
  • Represented health insurance provider in multiple security breaches, including a 2015 security incident that allegedly involved 80 million insureds 
  • Represented a global technology provider in a significant security incident 
  • Advised eBay on a global security incident, on a breach allegedly involving over 140 million records.
  • In the Matter of CVS Caremark, represents CVS before the Federal Trade Commission and the Office for Civil Rights in connection with a consent decree and resolution agreement arising from allegations related to information security
  • In the Matter of Playdom, Inc., a subsidiary of Disney Enterprises, Inc., represented company before the Federal Trade Commission in an investigation alleging a violation of COPPA and Section 5
  • Represent numerous companies before the FTC in consumer protection investigations
  • Represented Fortune 50 healthcare company before OCR in a matter arising from allegations of improper access to medical records. Case closed without enforcement
  • Drafted all documents relating to security breach response for numerous clients, including notification letters, scripts, and questions and answers for individuals, as well as notification letters to state authorities and credit reporting agencies, including under HIPAA
  • Advise numerous major utilities, financial services companies, health care companies, technology companies, and retailers, on information sharing, incident response and preparedness, disaster recovery, including drafting policies and procedures and conducting numerous tabletop exercises
  • Represent major health insurer in cybersecurity incident
  • Represent global consulting and staffing company in responding to security incidents
  • Represented a global relationship management company in several litigation matters, including a qui tem action, and a government investigation, that arose from the alleged improper disclosure of sensitive information. The matters resolved on favorable terms
  • Hall v. Pacific Dental Services, Inc., represented the defendants in a putative class action alleging violation of the California Medical Information Act related to the alleged improper sharing of information. Summary judgment was granted for our client.
  • Source Healthcare Analytics, LLC, v. NDCHealth Corporation, Represented defendant in technology dispute arising out of allegations related to uses of health care data
  • Represent several global consulting firms in numerous privacy and security matters, including internal investigations. 
  • Represent global consulting firm in matter before OCR relating to allegations of HIPAA non-compliance and retaliation. Case closed without enforcement.
  • Represent global financial services cases in privacy and security diligence for a multi-billion dollar acquisition
  • Conduct numerous tabletops and incident simulations for a cross-sectional group of companies, including utilities, financial services companies and health care companies
  • People of the State of New York v. Synergy 6, Inc., et al., represented two of the defendants in an action brought by Attorney General Eliot Spitzer arising out of the alleged improper sending of commercial e-mails. The case sought US$20 million in civil penalties and ultimately resolved for US$50,000
  • Create information sharing programs for numerous global companies
  • Represent numerous AdTech, sports and media companies in CCPA, privacy, and cybersecurity matters