Edward R. McNicholas
Edward McNicholas is a co-leader of Ropes & Gray’s data, privacy & cybersecurity practice. He represents technologically sophisticated clients facing complex data, privacy, and cybersecurity issues in litigation, investigative, and counseling matters. His clients include financial institutions, technology companies, insurance companies, branded pharma companies, healthcare providers, data brokers, and e-commerce retailers. In connection with COVID-19, Ed is advising clients across industries on issues of data protection, opportunistic cyber attacks, and contact tracing technologies.
Ed has significant experience with investigations and class action litigation related to cybersecurity incidents, as well as enforcement actions by the FTC, state Attorneys General, the SEC, OCR, Data Protection Authorities outside of the U.S., and other government agencies. He leads internal investigation and litigation matters that frequently involve complex, multi-jurisdictional, and multi-national litigation issues, particularly federal court jurisdictional and constitutional concerns related to the First and Fourth Amendments. Ed has experience dealing with Internet and information law matters involving data breaches, ransomware, online brand protection, trade secrets, social media, e-commerce, Internet governance, and national security issues.
Ed also advises clients on the full range of federal, state and foreign privacy and data security requirements including in the areas of financial privacy, health care privacy, communications privacy, ad-tech, data analysis, cybersecurity, and national security. Ed’s counseling practice also includes other areas of technology law, such as electronic surveillance, cloud computing, the Internet of Things, trade secrets, online advertising, social media and big data/data science. He frequently helps companies design global data governance programs to allow for efficient data transfers across corporate entities governed by multiple privacy regimes, such as US privacy laws, including the Gramm Leach Bliley Act, FCRA, HIPAA, TCPA, and the California Consumer Privacy Act (CCPA), as well as the EU’s General Data Protection Regulation (GDPR) and the various privacy and cybersecurity regimes in China and across Asia.
Ed previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Ed has developed unique experience representing clients in the midst of media-driven legal challenges. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents.
Ed is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He is the lead editor of the PLI treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.
Crisis Management and Incident Response
- Representing an online retailer with respect to multiple investigations by Attorneys General and Data Protections Authorities in the EU and Canada into a data breach.
- Advising an international media consulting company on its response to a ransomware attack.
- Representing a quantitative trading fund that suffered an insider attack on significant IP assets.
- Represented a provider of professional services to major film studios who suffered an insider theft of personal data.
- Represented a Midwestern hospital that suffered an intrusion and resulting investigations and litigation in the midst of the pandemic.
- Investigated data breaches for the independent Special Cybersecurity Review Committee of the Yahoo! Board of Directors.*
- Represented several major Internet, retailer, pharmaceutical, financial services and telecommunications in connection with several hundred data security incidents that required analysis of breach reporting obligations under U.S. and international statutes.*
- Represent major public investment bank who suffered the theft of highly sensitive information regarding dozens of pending transactions.*
- Represented major public corporation whose data was exposed by Equifax.*
- Assisting corporations with preparation for and responses to sophisticated cybersecurity incidents.
Litigation and Regulatory Enforcement
- SolarWinds Litigation: Represent the former CEO of SolarWinds in congressional testimony, regulatory investigations, and securities and derivative litigation in multiple fora.
- Pygin v. Bombas, LLC. (N.D. Cal 2020): Representing corporate defendant against class action data breach allegations.
- Reetz v. Advocate Aurora Health, Inc. (Wis. 2020): Representing corporate defendant against class action data breach allegations.
- Scardina v. Advocate Aurora Health. We represented Advocate Aurora Health in a class action arising from data incidents at its constituent hospitals and were successful in having all claims dismissed after our motion to dismiss. We also advised the hospital system on the underlying data incidents, including forensic fact development, legal and factual analysis, development of appropriate notifications, and advocacy with state and federal regulators regarding the incidents.
- Commonwealth of Virginia v. Bombas, LLC, No. 18-5526-7 (Richmond Cir. Ct. 2018). Defense of online clothing retailer against claims based on alleged information security weaknesses after a card skimming attack.*
- Whalen v. Michaels Stores Inc., No. 16-260 (2nd Cir. 2016, E.D.N.Y 2016). Successful defense of retailer after a credit card breach. Grant of motion to dismiss affirmed by appellate court.*
- Rodriguez v. Universal Property & Casualty Ins. Co., No. 16-60442 (S.D. Fla. 2016). Defense of Fair Credit Reporting Act class action against property insurance company based on alleged information security weaknesses.*
- Frank v. The Neiman Marcus Group, No. 1:14-cv-233 (E.D.N.Y. 2014). Successful defense of retailer after a credit card breach. Motion to dismiss granted.*
- Moyer v. Michaels Stores Inc., 2014 WL 3511500 (N.D. Ill. 2014). Successful defense of retailer after a credit card breach. Motion to dismiss granted.*
- Adheris v. Sebelius (D.D.C. 2013) – Successful constitutional challenge to HIPAA/HITECH refill reminder regulations.*
- In re Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (2012).Defended Internet advertising company, PointRoll, in litigation regarding cookies and browser settings.*
- In re National Security Agency Telecommunications Records Litigation, MDL. No 1791 (N.D.Cal. and 9th Cir. 2006-12) – Defense of AT&T against constitutional and statutory claims in multiple purported class actions related to alleged national security programs, resulting in dismissal of all claims.*
- MeadWestvaco Corporation v. Rexam PLC (E.D. Va. 2010-11). Represented party regarding effect of French blocking statute on U.S. discovery requirements.*
- Accusearch v. Federal Trade Commission (10th Cir. 2008). Represented the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.*
Counseling and Compliance
- Analysis and revision of a financial services company’s data governance framework in light of data subject access right requests, data processing agreements, and global data protection requirements.
- Providing comprehensive product counseling to a AR company on cutting-edge legal issues, including the use of permissions-based access controls, and counseling on developer permissions policies.
- Advising an international pharmaceutical company on data protection issues relevant to its expansion into the United States, including issues that arise from the international data transfer of medical data.
- Advising Invesco’s North American internal data governance and privacy data structure for policy and procedures.
- Directing diligence of key data, privacy, and cybersecurity issues in dozens of private equity transactions.
- Helping insurance, automotive, and Internet companies formulate big data governance programs for systems that generate actionable insights and enhance customer choice while mitigating legal risk.*
- Representing the Internet Cross-Community Working Groups with respect the historic transition of the Internet domain name system to private governance by the ICANN multi-stakeholder community.*
- Counseling major U.S. and global companies on response to the EU General Data Protection Regulation and California Consumer Protection Act.*
- Providing analysis, advice and regulatory counseling regarding major U.S. and international privacy and data security laws and regulations, including ECPA, CFAA, COPPA, GLBA, the FCRA, and unfair or deceptive trade practice restrictions for several telecommunication and Internet companies.
- Developed innovative data governance structures for several “big data” / data science projects for connected car, political analytics, smart home, smart grid, and related analytics issues.*
- Advising several investment advisors and hedge funds with respect to rapidly evolving cybersecurity rules.
- Counseling several branded pharmaceutical manufacturers on a range of privacy compliance issues.
- Analyzing compliance with U.S. and international privacy and data security laws and regulations, including advertising restrictions and children’s privacy for major media companies.*
Books and Chapters
- “USA Law & Practice and Trends & Developments,” Chambers Global Practice Guide Cybersecurity 2022 (with Kevin Angle and Fran Faircloth) (2022)
- “U.S. Cybersecurity Laws and Regulations,” chapter in International Comparative Legal Guide - Cybersecurity 2022 (January 2022)
- “Cybersecurity 2021: USA,” Chambers Cybersecurity 2021 Global Practice Guide (with Kevin Angle and Fran Faircloth) (2021)
- Cybersecurity: A Practical Guide to the Law of Cyber Risk, PLI Treatise (lead general editor) (2015, 2016, 2018, 2019, 2020, 2021)
- “Privacy and Security,” Business and Commercial Litigation in Federal Courts, 3d Ed. (co-author of chapter on implications of privacy and data security laws for commercial litigation) (2011, 2017, 2020, 2021)
- Federal Trade Commission Enforcement of Privacy and Data Security, 500 Privacy & Data Security Practice Series, Bloomberg BNA (with Andrew Strenio and Clayton Northouse) (2014, 2018, 2020)
- Privacy and Security Issues in Cloud Computing, 520 Privacy & Data Security Practice Series, Bloomberg BNA (with William Long, Yuet Ming Tham, Mark Kaufmann and Colleen Brown) (2014, 2020)
- “U.S. Efforts to Change Leak Laws,” Whistleblowers, Leaks and the Media (2014)
- Health Information Privacy and Security, 505 Privacy & Data Security Practice Series, Bloomberg BNA (co-author with lead author Anna Spencer) (2014)
- “Autonomy: The Key Theory for Understanding the Evolution of US Privacy Law,” Privacy and Surveillance Legal Issues (2014)
- “Privacy And Security,” Successful Partnering Between Inside and Outside Counsel (co-author of a chapter on working together on privacy and security to achieve client objectives) (2013, 2017, 2020)
- “Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists,” ABA Section of Science and Technology Law (contributor) (2011)
- Quoted, “SEC Cyber Rules: How to Prepare for the New 8-K Incident Mandate,” Cybersecurity Law Report (August 10, 2022)
- Quoted, “Playing By The (SEC) Book,” Strategic CIO 360 (July 8, 2022)
- Co-author, “FDA updates guidance on cybersecurity responsibilities for medical device manufacturers,” Westlaw Today (May 23, 2022)
- Co-author, “Cybersecurity 2022,” Chambers Global Practice Guides (2022)
- Quoted, “SEC Proposal May Add Cybersecurity to the ESG Mix,” Ignites (March 10, 2022)
- Profiled, “This Week in Legal Blogging,” LexBlog (December 17, 2020)
- Co-author, “Pandemic-Related Privacy Bill May Be Unconstitutional” Law360 (May 14, 2020)
- Co-author, “Data Privacy Compliance Best Practices For Asset Managers,” Law360 (October 9, 2019)
- “Hack Attack: Reducing the Risks of Stockholder Litigation Arising From Data Breaches,” Bloomberg BNA’s Corporate Law and Accountability Report (with Alex J. Kaplan, James Heyworth and Charlotte K. Newell) (2017)
- “Five Key Responsibilities of Boards in Managing Cybersecurity Risk,” Corporate Board Member magazine (with Clayton G. Northouse) (2017)
- “CFTC Issues Cybersecurity Rules on System Safeguards Testing Requirements,” Futures and Derivatives Law Report (co-author) (2016).
- “Considerations for Employers Collecting Health Information,” eHealth Law & Policy (with Anna Spencer) (June 6, 2016)
- “Broker-dealers need to respond to recent focus on cybersecurity threats,” Journal of Investment Compliance (with David S. Petron and Michael D. Wolk) (2014)
- “Cybersecurity Insurance to Mitigate Cyber-Risks and SEC Disclosure Obligations,” BNA’s Privacy & Security Law Report (August 19, 2013)
- “Standing to Challenge Statutory Violations of Privacy Laws After First American Finance Corporation v. Edwards," BNA’s Privacy & Security Law Report (with Jonathan Adams) (July 23, 2012)
- “Regulated Social Media: Practical Advice for Addressing Evolving Technologies in Regulated Industries,” BNA’s Privacy & Security Law Report (with Sabrina Ross) (June 14, 2010)
- “End of the Notice Paradigm?: FTC’s Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements,” BNA’s Electronic Commerce & Law Report (with Alan Raul et al.) (July 15, 2009)
- “National Security Letters: Practical Advice For Understanding and Handling Exceptional Requests,” BNA Privacy & Security Law Report (March 30, 2009)
- “Competitive Privacy: Towards A New Area of Privacy Litigation?” IAPP Privacy Tracker (with Jennifer Tatel) (July/August 2008)
- Quoted, “Hot Market for Cyber Insurance Begins to Stabilize,” The Wall Street Journal (November 15, 2022)
- Quoted, “SEC Proposal May Add Cybersecurity to the ESG Mix,” Financial Times Ignites (March 10, 2022)
- Quoted, “New Board Duties in SEC Cybersecurity Rule Proposal,” BoardIQ (February 15, 2022)
- Quoted, “SEC Floats Cybersecurity Rule for Funds,” Financial Times Ignites (February 10, 2022)
- Quoted, “Imposters Steal Manager Names for Fake Emails, Webpages,” Financial Times FundFire (February 9, 2022)
- Quoted, “Arizona Bill Would Ban Taxpayer-Funded Ransomware Payments,” Global Data Review (January 13, 2022)
- Quoted, “The Biggest Privacy Developments Of 2021,” Law360 (December 21, 2021)
- Quoted, “US makes ransomware a top national security priority,” Global Data Review (November 18, 2021)
- Quoted, “NIST’s New IoT Standard: Inspiring a Wave of New Device Security Guidance,” The Cybersecurity Law Report (March 11, 2020)
- Quoted, “NIST’s New IoT Standard: Boosting Security As States Launch Laws,” The Cybersecurity Law Report (March 4, 2020)
- Quoted, “4 Considerations For Landlords Amid Rise Of Co-Working,” Law360 (February 12, 2020)
- Quoted, “California’s privacy law arrives to confusion and costs for businesses,” Financial Times (January 1, 2020)
- Quoted, “US retirement accounts offer tempting target for cyber attacks,” Financial Times (October 30, 2019)
- Quoted, “Kreutzer’s Take: Bracing for California’s New Data Privacy Law,” WSJ Pro Private Equity (September 23, 2019)
- Quoted, “Deep Dive: Prepare to do battle with data privacy,” Private Funds CFO (July 8, 2019)
- Presenter, “Key Data Laws of Asia,” Privacy & Security Forum Spring Academy (March 24, 2022)
- Speaker, “Acquisitions of Technology Companies,” Association of Corporate Counsel, Northeast Chapter (February 8, 2022)
- Presenter, “The Biden Approach to Privacy and Cybersecurity,” NY Chapter of the Association of Corporate Counsel (May 13, 2021)
- Moderator, “Data Ethics & Emerging Technology,” Securities Industry and Financial Markets Association (May 13, 2021)
- Presenter, “Incident Response – State of Play,” Cybersecurity Docket Incident Response Forum Masterclass 2021 (April 8, 2021)
- Speaker, “Understanding Potential Cybersecurity Risks and the Paths to Compliance in the U.S.,” The Legal 500 (March 9, 2021)
- Presenter, “U.S. Privacy Law Update: Key Developments From the Past Year and What to Expect in 2021,” NY Chapter of the Association of Corporate Counsel (December 10, 2020)
- “International Aspects of Privacy Protection and Enforcement,” Berkeley Center for Law & Technology Privacy Law Forum (October 9, 2020)
- “Evaluation of Key Privacy Risks for Mid-Market Companies,” Ropes & Gray Webinar (October 6, 2020)
- “Litigation Under the CCPA,” Ropes & Gray Webinar (September 22, 2020)
- “Updates on California Privacy Laws,” Ropes & Gray Webinar (September 15, 2020)
- “The Future of State Privacy Law,” Event for the New York Chapter of the ACC (June 30, 2020)
- “From Innovation to Solutions: Building Strategic Partnership in an Evolving Digital Health Landscape,” Ropes & Gray Digital Health Forum (September 18, 2019)
- “Chinese Cybersecurity Law,” Privacy+Security Forum (October 4, 2018, Washington, DC)
- “Improving the Transatlantic Privacy Relationship,” (September 25, 2018, Washington, DC)
- “Getting Ready for the California Consumer Privacy Act of 2018” (September 6, 2018, Washington, DC)
- 2nd Annual Patient Support Services Compliance Summit (Integrate 2018) (July 23-25, 2018, Philadelphia, PA)
- “European Public Policy Trends Legal Panel,” 2nd Annual API-IOGP Cybersecurity Europe Conference for the Oil and Natural Gas Industry (June 28, 2018, London, UK)
- “Chinese Cybersecurity Challenges,” American Chemistry Counsel (June 27, 2018)
- “U.S. Privacy and Cybersecurity Update,” DP Legal (June 26, 2018, Copenhagen, Denmark)
- “Cybersecurity In Europe – What Do the New Laws Mean for You?”, Georgetown Cybersecurity Institute (May 24, 2018, Washington, DC)
- “Privacy & Cybersecurity Issues for Human Augmentics,” University of Illinois at Chicago, (April 12, 2018, Chicago, IL)
- “Emerging Compliance Topics: China’s Cybersecurity Law,” Loyola University Chicago School of Law (March 20, 2018, Chicago, IL)
- “Privacy & Cybersecurity Outlook for 2018,” CLEs (January 19-20, 2018, San Jose, CA)
- “Critical Issues in Cybersecurity,” IAA’s 2017 Investment Adviser Compliance Conference (March 2, 2017)
- “Will the Surveillance State Doom Transatlantic Data Transfer? The Future of the U.S. – EU Privacy Shield Agreement,” New York City Bar Association presentation (February 28, 2017)
- “Preparing for a Cybersecurity Event,” Association of Corporate Counsel In-house Counsel Conference (Universal City, CA, January 17, 2017)
- “Cybersecurity: Considerations for Legal and Compliance,” SIFMA Compliance and Legal Society Annual Seminar (Orlando, FL, March 14, 2016)
- “Cybersecurity Roundtable,” Credit Suisse Prime Services Leadership Conference (Orlando, FL, March 10, 2016)
- “Hot Topics in Data Privacy for Pharmaceutical Manufacturers,” DP Legal US Annual Meeting (Indianapolis, IL, November 18, 2015)
- “Cybersecurity Policy: The Role of the Government,” Privacy + Security Forum (Washington D.C., Oct. 22–23, 2015)
- Privacy, Data, and Information Security, The Conference Board (Washington, D.C., October 15, 2015)
- “Cybersecurity,” 15th Annual LICONY Legislative & Regulatory Conference (Cooperstown, NY, October 7–9, 2015)
- “Cybersecurity & Data Privacy”, OFII (Washington, D.C., October 2, 2015)
- “FTC Calling? How to Navigate a Data Security Investigation Before, During and After,” IAPP Privacy. Security. Risk. Conference /CSA Congress (Las Vegas, NV, September 30, 2015)
- “Data Breach Class Cases,” DRI Class Action Seminar (Washington, D.C., July 23–24, 2015)
- “Cybersecurity Process & Practice for Asset Managers,” Regulatory Compliance Association (Webinar, July 23, 2015)
- “Cybersecurity Concerns for Senior Managers and Boards of Directors,” Investment Company Institute (London, UK, July 14, 2015)
- “Cybersecurity: How Not to Make the Evening News,” Futures Industry Association Law & Compliance Conference (Washington, D.C., June 22, 2015)
- “Cybersecurity Regulation and Preparedness: Focusing on the Insurance Sector,” Insurance Cybersecurity and Privacy Roundtable (New York, NY, June 1, 2015)
- “Cybersecurity for Financial Services,” IA Watch Conference (Washington, D.C., May 20, 2015)
- “Cybersecurity for the Insurance Industry,” ALIC Conference (Breakers, FL, May 18, 2015)
- “The Legal Pitfalls of Failing to Develop Secure Cloud Services,” RSA Conference (San Francisco, CA, April 23, 2015)
- “Cyber-risk Oversight: Emerging Trends and Considerations for Directors,” NACD Advisory Councils (Washington, D.C., March 31, 2015)
- “Cybersecurity: Practical Considerations for Legal and Compliance,” SIFMA Compliance & Legal Society 2015 Annual Seminar (Phoenix, AZ, March 16, 2015)
- “The Stakes Are Going Up: Hacking and the New Paradigm of Data Breaches” (ACA Webcast, March 12, 2015)
- “Commerce and Competition in the Internet Age,” Center for American Progress Panel for the German Industry and Trade Representation (Washington, D.C., January 27, 2015)
- “Cyber Incident Investigations,” EEI Conference on Cybersecurity Law for Utilities (New York, NY, October 24, 2014)
- “Cybersecurity: New Privacy Laws and New Threats From Organized Crime and Nation States,” ABA 3rd Intl. White Collar Crime Institute (London, UK, October 14, 2014)
- “Cybersecurity: Trends, Incident Response, Remediation and Disclosures,” ACA Fall Compliance Conference (San Diego, CA, October 9, 2014)
- “Cybersecurity, Data Protection and Privacy,” OFII General Counsel Conference (Washington, D.C., September 18, 2014)
- “Cyber Security – What You Need to Know,” SIFMA Compliance and Legal Society Annual Seminar (Orlando, FL, April 2014)
- “Cybersecurity: Managing Risk Around New Data Threats,” Ethisphere (Webinar, January 2014)
- “An International Perspective on Health Care Privacy and Security,” Presentation at the American Conference Institute 3rd Annual Health Care Privacy and Security Forum (New York, NY, May 23, 2013)
- “At the Ready: Preparing U.S. Organizations for the Proposed EU Regulation,” IAPP Global Privacy Summit (Washington, D.C., March 8, 2013)
- “Cellular Phones and Mobile Privacy,” Information Society Project at Yale Law School, Location Tracking and Biometrics Conference (New Haven, CT, March 3, 2013)
- “Cloud Computing: Understanding and Mitigating the Risks, Utilizing the Latest Security Controls and Ensuring Protection ‘In the Cloud’,” Conference on the Privacy and Security of Consumer and Employee Information (San Francisco, CA, July 2012)
- “Toward a Safe Harbor for the Cloud,” iTech Law European Conference (Rome, Italy, October 2012)
- “Privacy in a Time of Change,” Twin Cities Privacy Retreat (St. Paul, MN, January 15, 2009)
- “Minimizing the Weight of Regulation,” Security Standard Conference (Chicago, IL, September 2007)
- “Why Privacy Matters — Protecting Your Reputation, Practice and Clients,” AICPA National Conference on Fraud and Litigation Services (Las Vegas, NV, September 2006)
- “Privacy: The Importance of Getting It Right,” 2006 CSO Perspectives Conference (Orange County, CA, March 2006)
- JD, cum laude, Harvard Law School, 1996; Editor, Harvard Law Review
- AB, summa cum laude, Princeton University, 1991; Phi Beta Kappa; Woodrow Wilson School Thesis Prize
Admissions / Qualifications
- District of Columbia
- U.S. Supreme Court
- U.S. Court of Appeals for the First Circuit
- U.S. Court of Appeals for the Second Circuit
- U.S. Court of Appeals for the Fourth Circuit
- U.S. Court of Appeals for the Fifth Circuit
- U.S. Court of Appeals for the Sixth Circuit
- U.S. Court of Appeals for the Ninth Circuit
- U.S. Court of Appeals for the Tenth Circuit
- U.S. Court of Appeals for the District of Columbia Circuit
- U.S. District Court for the District of Columbia
- U.S. District Court for the Central District of Illinois
- U.S. District Court for the District of Maryland
- U.S. District Court for the Eastern District of Michigan
- Who’s Who Legal – Leading Data Attorneys (2023)
- BTI Client Service All-Star (2022)
- Cybersecurity Docket “Incident Response 40” (2021-2022)
- The National Law Journal, D.C. Trailblazer (2020)
- The Best Lawyers in America (2021-2023)
- Chambers Global (2011-2022)
- Chambers USA (2008-2022)
- National Law Journal, Cyber Security Trailblazer (2016)
- Legal 500, Cyber law and Data Protection and Privacy (2012-2020)
- The International Who’s Who of Internet, e-Commerce & Data Protection Lawyers (2010-2012)
- Who’s Who Legal: Internet, eCommerce & Data Protection (2011-2017); Information Technology (2013, 2015-2017); Data Law (2018-2021); Information Technology, Data Security and Data Privacy & Protection (2021)
- Thought Leaders – Global Elite, Data Law (2019-2021)
- Computerworld, Top 25 Privacy Experts
- Cybersecurity Docket, Incident Response 30 (2016, 2018-2020)
- Washingtonian, Washington, D.C.’s Best Lawyers (2015, 2019)