Andrew advises a number of Fortune 500 and emerging companies alike regarding privacy, security, crisis management and national security, with a particular emphasis on: international compliance; health privacy; mobile; behavioral advertising; the Electronic Communications Privacy Act and wiretap issues; electronic marketing concerns; social media; and compliance with FTC requirements. He also handles some of the highest-profile data security incidents and privacy enforcement and litigation matters in the world. His representations involve every aspect of breach preparedness and response, from drafting incident response plans and conducting tabletop exercises, to advising on consumer and state notices, responding to regulators and defending companies in litigation relating to the incident. Andrew has served as lead counsel in a number of FTC matters, matters before the Office for Civil Rights and state consumer protection and privacy litigation based on the alleged misuse of personal information, including class actions and enforcement matters brought by state attorneys general.

  • In the Matter of CVS Caremark, represents CVS before the Federal Trade Commission and the Office for Civil Rights in connection with a consent decree and resolution agreement arising from allegations related to information security
  • In the Matter of Playdom, Inc., a subsidiary of Disney Enterprises, Inc., represented company before the Federal Trade Commission in an investigation alleging a violation of COPPA and Section 5
  • Represented Fortune 50 healthcare company before OCR in a matter arising from allegations of improper access to medical records. Case closed without enforcement
  • Represented Fortune 50 healthcare company before the California Attorney General arising from allegations related to health marketing and alleged violations of CMIA. Case closed without enforcement
  • People of the State of New York v. Synergy 6, Inc., et al., represented two of the defendants in an action brought by Attorney General Eliot Spitzer arising out of the alleged improper sending of commercial e-mails. The case sought US$20,000,000 in civil penalties and ultimately resolved for US$50,000
  • Advised Target Corporation on a security incident involving theft of credit card and other personal information allegedly from up to 70 million individual customers
  • Advised a major health insurer on a security incident involving a security incident that allegedly involves 80 million individuals
  • Advised a major e-commerce company on a security incident (including drafting notices on a global basis), on a breach allegedly involving over 140 million records
  • Represented a global technology provider (Dell) in a significant security incident
  • Drafted all documents relating to security breach response for numerous clients, including notification letters, scripts, and questions and answers for individuals, as well as notification letters to state authorities and credit reporting agencies, including under HIPAA
  • Advise numerous major utilities, financial services companies, health care companies, technology companies, and retailers, on information sharing, incident response and preparedness, disaster recovery, including drafting policies and procedures and conducting numerous tabletop exercises
  • Represent major health insurer in cybersecurity incident
  • Represent global consulting and staffing company in responding to security incidents
  • Mr. Serwin was selected as the lead expert witness on U.S. law by the Irish Data Protection Commissioner in Schrems II. His opinions on surveillance, Article III standing, and the scope of U.S. remedies, served as the basis of the U.S. law discussion in the Commissioner’s Draft Decision, and this analysis was largely adopted by the Irish High Court in its decision and affirmed by the Irish Supreme Court
  • Represented a global relationship management company in several litigation matters, including a qui tem action, and a government investigation, that arose from the alleged improper disclosure of sensitive information. The matters resolved on favorable terms
  • Hall v. Pacific Dental Services, Inc., represented the defendants in a putative class action alleging violation of the California Medical Information Act related to the alleged improper sharing of information. Summary judgment was granted for our client.
  • Source Healthcare Analytics, LLC, v. NDCHealth Corporation, Represented defendant in technology dispute arising out of allegations related to uses of health care data
  • Represent several global consulting firms in numerous privacy and security matters, including internal investigations. 
  • Represent global consulting firm in matter before OCR relating to allegations of HIPAA non-compliance and retaliation. Case closed without enforcement.
  • Represent Visa in its privacy diligence for its $5.3 billion acquisition of Plaid
  • Conduct numerous tabletops and incident simulations for a cross-sectional group of companies, including utilities, financial services companies and health care companies
  • Create information sharing programs for numerous global companies
  • Represent numerous AdTech, sports and media companies in CCPA, privacy, and cybersecurity matters