Heather Egan Sussman
Heather Egan Sussman is a partner and co-head of the Privacy and Cybersecurity Practice Group, based in Ropes & Gray’s Boston office. Her practice focuses on privacy, cybersecurity and information management, and she is ranked by Chambers USA and The Legal 500 United States as a leader in her field.
Heather routinely guides clients through the existing patchwork of U.S. federal and state laws, including FCRA, ECPA, TCPA, HIPAA, CAN-SPAM, GLBA and California’s Online Privacy Protection Act, state breach notification laws, state information security laws, as well as existing self-regulatory frameworks, including those covering online advertising and payment card processing. She manages teams of talented local counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy policies for global rollout and implements data transfer mechanisms for the free flow of data worldwide.
Heather also helps clients manage information and leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meets security needs and solidify brand and consumer trust.
Heather conducts internal investigations stemming from data incidents, and drafts comprehensive privacy and security programs for businesses operating across multiple jurisdictions and industry lines. She drafts and negotiates contracts concerning data-related vendors and arrangements, guides clients through privacy and security assessments, and vets privacy and security risks in corporate transactions. She regularly counsels businesses on how to mitigate the risk associated with the collection, use, retention, disclosure, transfer and disposal of personal information.
In the event of a privacy or security breach, she helps clients respond and remediate. Heather also helps clients protect themselves from – and respond to – incidents of doxing (doxxing).
Her clients come from diverse business sectors, including technology, asset management, retail, consumer products, telecommunications, healthcare and life sciences, manufacturing, food and beverage, media, academic institutions, service industries, energy, banks and other financial institutions.
Heather has successfully litigated, mediated and arbitrated both small and large-scale disputes at state and federal agencies and in courts nationwide. Companies routinely rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties. She represents clients during investigations by regulatory authorities in connection with data security breaches and complaints regarding privacy and security practices. She defends companies facing individual and class action claims involving privacy, information security and consumer protection.
- Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe.
- Managed a team providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia.
- Developed a global privacy program for a major food products company operating in more than 40 countries around the globe.
- Created and implemented a successful “bring your own device” global strategy for a major multinational in the healthcare industry.
- Performed a privacy and security compliance assessment for a U.S. public company in the manufacturing industry, which has operations spanning four continents.
- Advised a major academic institution on the full range of acceptable information use and sharing practices in light of the differing ways and roles in which the university may receive information, including on-campus clinics, campus police, admissions, hosting e-mail and social media platforms, and more.
- Addressed privacy and security aspects for a U.S. and EU rollout of a popular mobile application and provide continuing support through the rollout of additional versions, features and technologies, particularly as the company contemplates new data uses.
- Guided multiple major multinational corporations through U.S./EU/Swiss Safe Harbor certification and re-certification.
- Advised a major U.S. healthcare provider on integrating federal contracting requirements to existing privacy and security compliance program.
- Drafted and revised a website privacy statement of an intelligent media company to address data collection use and disclosure through multiple platforms, including website, mobile, and social as well as integrating client's existing safe harbor policy.
- Developed a privacy and security infrastructure for companies in a broad array of business sectors in connection with the implementation of U.S. state and federal privacy and security laws and regulations.
- Successfully resolved numerous U.S. state and multi-state attorney general investigations following data incidents, including security breaches.
- Successfully litigated claims against departing executives absconding with client confidential information, including regulated data.
- Regularly advises both small and large financial institutions, healthcare institutions, and other general industry companies that have experienced security breaches and other security events involving personal data.
Some of the above representations were completed prior to joining Ropes & Gray.
Heather frequently writes on current privacy and information security issues before trade and legal organizations, and has been quoted in hundreds of major news outlets, including MSNBC.com, ABCNews.com, The New York Times, The Los Angeles Times, Bloomberg BusinessWeek, The San Francisco Chronicle, Washington Times, Houston Chronicle and many more.
- Quoted, “FBI Director Vows To Treat Hacked Companies As ‘Victims’,” Law360 (March 7, 2018)
- Quoted, “SEC Solidifies Liability Risks With Cybersecurity Guidance,” Law360 (March 2, 2018)
- Co-author, “Global Perspectives On High Court Microsoft Warrant Case,” Law360 (January 10, 2018)
- Quoted, “GDPR Rules Put Privacy, Anti-Bribery Enforcement on Collision Course,” WSJ Pro Cybersecurity (December 12, 2017)
- Quoted, “Managing Data Privacy Across Multiple Jurisdictions,” The Cybersecurity Law Report (November 8, 2017)
- Quoted, “New Far-Reaching Data Regulation Set to Upend Managers' Ops,” FundFire (November 7, 2017)
- Co-author, “EU-U.S. Privacy Shield Review—Not Bad but ‘Room for Improvement,’” Bloomberg BNA’s Privacy and Security Law Report (October 25, 2017)
- Quoted, “SEC Hack Raises Tech and Legal Concerns,” The Wall Street Journal (September 22, 2017)
- Quoted, “Hack Response Opens SEC to Criticism,” The Wall Street Journal (September 21, 2017)
- Quoted, “Uber Settlement Highlights Benefits of a Privacy Impact Assessment,” The Cybersecurity Law Report (August 23, 2017)
- Quoted, “Amazon's Whole Foods Deal Offers Lessons for Acquiring Data,” WSJ Pro Cybersecurity (July 10, 2017)
- Quoted, “Legal Costs, Notification Fees Inflate U.S. Data Breach Costs,” WSJ Pro Cybersecurity (June 27, 2017)
- Quoted, “Using Big Data Legally and Ethically While Leveraging Its Value (Part Two of Two),” The Cybersecurity Law Report (May 31, 2017)
- Co-author, “Countdown to Compliance: 1 Year to Go Until GDPR Enforcement,” Law360 (May 26, 2017)
- Quoted, “Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two),” The Cybersecurity Law Report (May 17, 2017)
- Co-author, “Trump Cybersecurity Order: Ambitious Goals, Tight Timelines,” Law360 (May 16, 2017)
- Quoted, “Massachusetts Mobile Ad Company Won’t Target Patients,” Bloomberg Law: Privacy & Data Security (April 5, 2017)
- Co-author, “Recent Decisions Highlight Product Cybersecurity Issues,” Law360 (November 18, 2016)
- Co-author, “Key Data Privacy and Security Concerns for Investment Firms,” Law360 (May 20, 2016)
- Quoted, “Uncertainty Abounds in Europe’s Data Privacy Overhaul,” The Wall Street Journal (April 25, 2016)
- Quoted, “CFPB Asserts Jurisdiction Over E-Commerce Privacy Regulation” E-Commerce Times (April 12, 2016)
- Co-author, “The EU-U.S. Privacy Shield–Challenges and Observations,” Bloomberg BNA World Data Protection Report (March 2016)
- Quoted, “Tech start-up Dwolla fined $100,000 for cyber defence flaws,” Financial Times (March 2, 2016)
- Co-author, “Impact of the European Union’s Approved General Data Protection Regulation On Scientific Research and Secondary Uses of Personal Data,” Bloomberg BNA Medical Research Law & Policy Report (Feb. 17, 2016)
- Quoted, “Yahoo’s Tech Fix Shows Importance of Privacy Disclosures,” Law360 (Jan. 22, 2016)
- Co-Author, “Oracle Case Expands Pool Of Potential Data Security Defendants,” Law360 (Jan. 14, 2016)
- Quoted, “Data Security Impasse Overturns Safe Harbor Program” Compliance Week (October 6, 2015)
- Co-Author, “Inside National Futures Association Cybersecurity Guidance,” Law360 (October 2, 2015)
- Author, “Wearable Devices are Here to Stay,” CorporateWellnessMagazine.com (August 14, 2015)
- Co-Author, “Should We Hack Back? The DOJ on Preventing and Combating Cybercrime,” The National Law Review (June 4, 2015)
- Co-Author, “Update on State Breach Notification Laws: Wyoming, Montana and Alabama,” The National Law Review (May 7, 2015)
- Co-Author, “DOJ Guidance for Victims of Cybercrime: The Dos and Do Nots of Cyber Preparedness,” The National Law Review (May 6, 2015)
- Co-Author, “Update on State Breach Notification Laws,” The National Law Review (April 14, 2015)
- Co-Author, “Employers with Group Health Plans: Have You Notified State Regulators of the Breach?,” The National Law Review (February 20, 2015)
- Co-Author, “Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data,” The National Law Review (February 17, 2015)
- Author, “In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part III,” The National Law Review (January 15, 2015)
- Co-Author, “Privacy and Data Protection: 2014 Year in Review,” The National Law Review (December 17, 2014)
- Co-Author, “Protecting Children Online: New Compliance Obligations for Digital Marketing to Children,” Boston Bar Journal (July 18, 2013)
- Co-Author, “A Close Look At The White House Privacy Report,” Law360 (April 26, 2012)
- Co-Author, “Privacy Class Actions And The Harm Threshold,” Law360 (January 25, 2012)
- Co-Author “10 Questions Board Members Should Ask Management to Mitigate Their Company’s Risk of the Next WikiLeaks Scandal,” Boardmember.com (February 14, 2011)
- Co-Author “Lessons Learned From WikiLeaks: Don't Be a Target,” Corporate Counsel (December 17, 2010)
- Panelist, “Preparing for the New World of Data Protection,” Institutional Investor Forum, New York, NY (February 27, 2018)
- Panelist, “Top 10 Mistakes Companies Make in Incident Preparedness and Response, and How to Avoid Them,” Ropes & Gray Privacy & Cybersecurity Summit, New York, NY (February 8, 2018)
- Panelist, “Successful Strategies for Privacy Across Borders,” Privacy + Security Forum, Washington D.C. (October 4-6, 2017)
- Presenter, “The GDPR Drive Toward Compliance,” Coalfire Webinar (August 23, 2017)
- Presenter, “The Ever-Changing Privacy and Cybersecurity Landscape and its Impact on Health Care Companies,” Ropes & Gray Webinar (July 20, 2017)
- Panelist, “Cybersecurity,” SIFMA Compliance & Legal Society Boston Regional Seminar, Boston, MA (June 7, 2017)
- Moderator, “Cybersecurity – What Lawyers Need to Know,” BBA Privacy and Cybersecurity Forum, Boston, MA (May 24, 2017)
- Moderator, “The Ever-Changing Privacy and Cybersecurity Landscape and its Impact on Private Equity Firms,” Ropes & Gray Roundtable (May 9-10, 2017)
- Panelist, “Managing M&A: Cyber Risk,” The Deal Webcast (May 4, 2017)
- Co-Presenter, “What U.S. Companies Need to Know about the EU General Data Protection Regulation (GDPR),” Boston Bar Association (May 2, 2017)
- Moderator, “Latest Developments in Digital Advertising,” IAPP Global Privacy Summit (April 19, 2017)
- Panelist, “Managing the Cybersecurity Threat Landscape,” Cybersecurity Symposium, Boston, MA (April 5, 2017)
- Panelist, “Managing the Threat Landscape—Preparing for, Responding to and Surviving a Cyberattack”, First Annual Cybersecurity Symposium, Ropes & Gray, Washington DC (September 21, 2016)
- Panelist, “How are GDPR Practical Preparations Progressing,” IAPP Boston KnowledgeNet (June 22, 2016)
- Panelist “The Privacy Conundrum for U.S. Companies Transacting Business in Europe,” Ropes & Gray New England General Counsel Symposium (June 15, 2016)
- Presenter, “Privacy in the U.S. Work Place,” University of Maine Law School Information Privacy Summer Institute (June 2-3, 2016)
- Panelist, Harvard Law School Comparative Online Privacy Seminar (May 2, 2016)
- Co-Chair, ACI Data Breach & Privacy and Litigation Enforcement Conference (March 2016)
- Panelist, “17th Annual Cybersecurity Conference,” AT&T (October 2015)
- Panelist, “Cybercrime and Data Security and Privacy,” American Bar Association Event (September 2015)
- Co-Presenter, “International: Managing a Global Privacy Program and Preparing, Collecting, Using and Transferring Data Across Borders,” American Conference Institute’s 15th Advanced Global Legal & Compliance Forum on Cyber Security & Data Privacy and Protection, (January 15-16, 2015)
- Co-Presenter, “U.S. Privacy and Data Protection: 2014 Year in Review and a Look Ahead to 2015,” IAPP KnowledgeNet Seminar (January 8, 2015)
- Co-Presenter, “Making Your Privacy Practices Public - Understanding the CalOPPA Guidance,” IAPP Webinar (June 7, 2014)
- Moderator, “Conversations in Privacy Featuring Julie Brill, Commissioner, US Federal Trade Commission,” BBA Meet the Privacy Officers CLE Seminar (May 16, 2014)
- Co-Presenter, “Track Me, Track Me Not: Complying with California's Do Not Track Disclosure Requirements,” Lorman Education Webinar (February 25, 2014)
- Co-Presenter, “Privacy and Security of Consumer and Employee Data,” American Conference Institute’s 14th Advanced Global Legal & Compliance Forum on Cyber Security & Data Privacy and Protection, (January 16, 2014)
- Co-Presenter, “You're (Not) Fired!" How to Use Social Media, Credit Checks and Background Investigations without Offending the NLRB, EEOC, or U.S. Privacy Laws,” IAPP Global Privacy Summit (March 7, 2012)