Andrew Serwin

Andrew advises a number of Fortune 500 and emerging companies alike regarding privacy, security, crisis management and national security, with a particular emphasis on: international compliance; cybersecurity; national security issues; health privacy; mobile; behavioral advertising; the Electronic Communications Privacy Act and wiretap issues; electronic marketing concerns; social media; and compliance with FTC requirements. He also handles some of the highest-profile data security incidents and privacy enforcement and litigation matters in the world. His representations involve every aspect of breach preparedness and response, from drafting incident response plans and conducting tabletop exercises, to advising on consumer and state notices, responding to regulators and defending companies in litigation relating to the incident. Andrew has served as lead counsel in a number of FTC matters before the Office for Civil Rights and state consumer protection and privacy litigation based on the alleged misuse of personal information, including class actions and enforcement matters brought by state attorneys general.

• Represent leading technology company in what is alleged to be one of the largest, and most complicated, security incidents.  
• Mr. Serwin was selected as the lead expert witness on U.S. law by the Irish Data Protection Commissioner in Schrems II. His opinions on surveillance, Article III standing, and the scope of U.S. remedies, served as the basis of the U.S. law discussion in the Commissioner’s Draft Decision, and this analysis was largely adopted by the Irish High Court in its decision, affirmed by the Irish Supreme Court, and served as the basis of the CJEU’s decision
• Advised Target Corporation on a security incident involving theft of credit card and other personal information allegedly from up to 70 million individual customers
• Represented health insurance provider in multiple security breaches, including a 2015 security incident that allegedly involved 80 million insureds 
• Represented a global technology provider in a significant security incident 
• Advised eBay on a global security incident, on a breach allegedly involving over 140 million records.
• In the Matter of CVS Caremark, represents CVS before the Federal Trade Commission and the Office for Civil Rights in connection with a consent decree and resolution agreement arising from allegations related to information security
• In the Matter of Playdom, Inc., a subsidiary of Disney Enterprises, Inc., represented company before the Federal Trade Commission in an investigation alleging a violation of COPPA and Section 5
• Represent numerous companies before the FTC in consumer protection investigations
• Represented Fortune 50 healthcare company before OCR in a matter arising from allegations of improper access to medical records. Case closed without enforcement
• Drafted all documents relating to security breach response for numerous clients, including notification letters, scripts, and questions and answers for individuals, as well as notification letters to state authorities and credit reporting agencies, including under HIPAA
• Advise numerous major utilities, financial services companies, health care companies, technology companies, and retailers, on information sharing, incident response and preparedness, disaster recovery, including drafting policies and procedures and conducting numerous tabletop exercises
• Represent major health insurer in cybersecurity incident
• Represent global consulting and staffing company in responding to security incidents
• Represented a global relationship management company in several litigation matters, including a qui tem action, and a government investigation, that arose from the alleged improper disclosure of sensitive information. The matters resolved on favorable terms
• Hall v. Pacific Dental Services, Inc., represented the defendants in a putative class action alleging violation of the California Medical Information Act related to the alleged improper sharing of information. Summary judgment was granted for our client.
• Source Healthcare Analytics, LLC, v. NDCHealth Corporation, Represented defendant in technology dispute arising out of allegations related to uses of health care data
• Represent several global consulting firms in numerous privacy and security matters, including internal investigations. 
• Represent global consulting firm in matter before OCR relating to allegations of HIPAA non-compliance and retaliation. Case closed without enforcement.
• Represent global financial services cases in privacy and security diligence for a multi-billion dollar acquisition
• Conduct numerous tabletops and incident simulations for a cross-sectional group of companies, including utilities, financial services companies and health care companies
• People of the State of New York v. Synergy 6, Inc., et al., represented two of the defendants in an action brought by Attorney General Eliot Spitzer arising out of the alleged improper sending of commercial e-mails. The case sought US$20 million in civil penalties and ultimately resolved for US$50,000
• Create information sharing programs for numerous global companies
• Represent numerous AdTech, sports and media companies in CCPA, privacy, and cybersecurity matters

Chambers USA

• Band 1, Nationwide Privacy & Data Security: Cybersecurity, (2022 – 2025)
• Band 1, Nationwide Privacy & Data Security: Privacy, (2022 – 2025)
  Chambers comments, "Andrew is top-notch, he goes out of his way to make sure the client is happy with the work and he's very responsive." Clients say, "He's very knowledgeable and experienced in the space."
• Band 2, Nationwide Privacy & Data Security, (2012 – 2021)
  Chambers comments, "Market sources praise the 'wonderful results' he has provided, as well as his ‘practical commercial sense." "Sources also single out his abilities in disputes, especially class actions, with one peer describing him as a 'superb litigator.'" Clients say, "He is very savvy when dealing with regulatory bodies and attracts praise from sources for being very good on international issues."

Chambers Global

• Band 1, USA Privacy & Data Security: Cybersecurity, (2025)
• Band 1, USA Privacy & Data Security: Privacy, (2025)
• Band 1, USA Privacy & Data Security, (2023 – 2024)
  Chambers comments, "He is a very impressive guy, an amazing partner, very strong, very knowledgeable and a valuable partner." 
• Band 2, USA Privacy & Data Security, (2014 – 2022)
  Chambers comments, "Andrew Serwin is accomplished in navigating data security incidents and responding to enforcement issues." Clients say, "His knowledge is just so deep and balanced. He knows how to handle the privacy and data security issues in a practical manner. He provides guidance on how it will work in the real world. You can trust his advice and counsel." "An excellent lawyer with an impressive practice. He is also very talented and a pleasure to work with."

The Legal 500 United States

• Hall of Fame, Cyber Law (including Data Privacy and Data Protection), (2020 – 2025)
  Legal 500 comments, "True leader of the field."
• Leading Lawyer, Cyber Law (including Data Privacy and Data Protection), (2011 – 2016, 2019)

Additional Recognitions

• Featured, Information Technology Law, Best Lawyers in America®, (2010 – 2023)
  "One of the top privacy lawyers able to focus not only on the complexity of the laws in the United States, but also globally, including European data protection laws and the APEC privacy framework"
• Featured, San Diego, SuperLawyers, (2007 – 2023)
  Ranked among the top 50 lawyers of 2012
• Super All-Star, Superior Client Service, BTI Consulting, (2022)
  What clients say to BTI about Andy; "Hiring him is a no-brainer."
• All-Star MVP, Superior Client Service, BTI Consulting, (2022)
  What clients say to BTI about Andy; "He has experience over many years in dealing with big company breaches and regulators." "Andrew has over 10 years of experience in privacy and cybersecurity, a key asset in today's environment."
• Named, Top Cyber Lawyer: California, Daily Journal, (2019 – 2022)
• Client Service All-Star, Superior Client Service, BTI Consulting, (2020)
• Named, Top 100 Lawyers: California, Daily Journal, (2016)
• Trailblazer, Cyber Security & Data Privacy, National Law Journal, (2015)
  Recognizing the 50 people "who have helped make a difference in the fight against criminal cyber activity"
• Ranked Second, Top Global Privacy Advisors, Computerworld, (2011)
• Named, 25 Most Influential Industry Thought Leaders, Security Magazine, (2009)
  The only law firm lawyer ever to be named to this prestigious list

• "Corporate Counsel’s Data Privacy Problem," LegalTech News, April 5, 2023
• "Cos. Must Create Data Sustainability To Address Privacy Risks," Law360, January 12, 2023
• Information Security and Privacy: A Guide to Federal and State Law and Compliance and Information Security and Privacy: A Guide to International Law and Compliance (West 2006-2022)
• The Intelligence Community: Who is Who and What Do They Do?, IAPP, August 25, 2018
• The Dark Web—the Next Frontier in Data Breach Standing Analysis Amid a Deepening Circuit Split, Bloomberg Law, March 19, 2018
• FISA Section 702 Reauthorization Attempts Privacy, Intel Balance, Bloomberg BNA, January 18, 2018
• Cyber Becomes Mainstream: The Lessons Learned for 2017, Legaltech News, January 9, 2017
• Managing Security in a Cyber-Enabled World, Baseline, April 2016
• HIPAA Enforcement: A Retrospective, IAPP - The Privacy Advisor, March 2016
• Courts Defer to Individual Privacy Interests by Requiring Warrant To Obtain Cell Phone Data and Cell Site Records in Riley and Davis, Bloomberg BNA Criminal Reporter, July 2014
• Privacy, Data Protection & Transportation—Emerging Trends and Emerging Risks, Journal of Air Law and Commerce (SMU Air Law Symposium), April 2014
• Calif. Case Limits Health Care Data Breach Claims, Law360, December 2013
• Search Warrant: FBI warrant to search a target computer at premises unknown, E-Commerce Law Reports, Vol. 13, Issue 3, July 2013
• Ramping up for FedRAMP: An Overview of the FedRamp Certification Process and Its Importance in Federal Procurements for Cloud Computing Services, Bloomberg BNA Federal Contracts Report, June 2013
• The Expanding Reach of U.S. Laws Protecting Health Information and Children's Information, Bloomberg BNA World Data Protection Report, Vol. 13, No 6, June 2013
• Health Care Privacy and Security, 2013-2022 ed., May 2013
• Information Security and Privacy: A Guide to Federal and State Law and Compliance, 2013 ed., April 2013
• Internet Marketing and Consumer Protection, 2012-2021 ed., January 2013
• Information Security and Privacy: A Guide to International Law and Compliance, 2013 ed., January 2013

• 'Cybersecurity and ESG,' NACD (National Association of Corporate Directors) Leading Minds Program, May 2023
• Fireside Chat: Cybersecurity Issues in Renewable Energy: What You Need to Know (and Be Worried About), 2019 Infocast Solar Finance & Investment Summit, March 2019
• Pay Up or Your Data Gets It: Preparing for and Responding to a Ransomware Attack, IAPP Web Conference, December 2017
• Perilous Pathways: Cybersecurity & Corporate Liability at the Crossroads, The 3rd Annual West Coast Legal Executive Forum, April 2016
• California District Attorneys Association Seminar February 2016
• Cybersecurity Developments and Cyber Insurance, 2016 LA County Bar Association's Corporate Law Department Roundtable, February 2016
• Cybersecurity: What Are Boards DOING About it?, Directors Forum 2016: Directors, Management & Shareholders in Dialogue, January 2016
• Doing Business After Safe Harbor—the First 90 Days, CEB Compliance and Legal Groups, January 2016
• The Attack: How Hackers Get In and the Mischief They Create, Cyber Day: Cybersecurity for Directors and C-Level Executives, November 2015
• The Dangers and Ethics Clouding High-Technology Surveillance and Data Collection, Emerging Technology and Privacy Conference, October 2015
• How Companies Can Manage Cyber Security Risk and Partner with Law Enforcement to Reduce Exposure, ACC September MCLE, September 2015
• Data Protection Masterclass: Managing Data Breach Incident Response, July 2015
• Understanding the Three Letter Acronyms, Who is Who and What Do They Do? The United States Secret Service in Focus, July 2015
• HIPAA Security Breach Response Plan, March 2015
• 12th Annual General Counsel Roundtable and All Day MCLE, January 2015
• Data Protection Masterclass: Cybersecurity & Data Protection Concerns – Current and Upcoming Risks, December 2014
• Data Breach Prevention & Response: Creating Order Out of Chaos, RILA Retail Law 2014, October 2014
• Oxbridge Biotech Roundtable: Genetic Privacy: Who has Access to Your Code?, April 2014
• National Cyber-Forensics & Training Alliance, Retail Industry Leaders Association, March 2014
• Avoiding a Target on Your Back: Creating An Information Governance Structure, Silicon Valley Association of General Counsel, March 2014
• 3rd Annual Berkeley Center for Law & Technology Privacy Law Forum: Silicon Valley, March 2014
• ACC 11th Annual General Counsel Roundtable and All Day MCLE, January 2014
• HIPAA Omnibus Rule – Implementation and Learning, 4th Annual HIMSS SOCAL Privacy & Security Forum, December 2013
• Data Breaches that Don't Make the Headlines, ACC Annual Meeting, October 2013
• NCFTA Executive Cyber Security Threat Summit, October 2013
• Do you know where your data is? Finding and protecting your sensitive, high-risk data, September 2013
• Protecting Your Information Assets from the Emerging Cyberthreat, June 2013