Edward McNicholas leads Ropes & Gray’s global data, privacy & cybersecurity practice. He represents technologically sophisticated clients facing complex data, privacy, and cybersecurity issues in litigation, investigative, and counseling matters. His clients include financial institutions, technology companies, insurance companies, branded pharma companies, healthcare providers, data brokers, and e-commerce retailers.

Ed has significant experience with investigations and class action litigation related to cybersecurity incidents, as well as enforcement actions by the FTC, state Attorneys General, the SEC, OCR, Data Protection Authorities outside of the U.S., and other government agencies. He leads internal investigation and litigation matters that frequently involve complex, multi-jurisdictional, and multi-national litigation issues, particularly federal court jurisdictional and constitutional concerns related to the First and Fourth Amendments. Ed has experience dealing with Internet and information law matters involving data breaches, ransomware, Internet governance, and national security issues.

Ed also advises clients on the full range of federal, state and foreign privacy and data security requirements including in the areas of financial privacy, health care privacy, communications privacy, ad-tech, artificial intelligence / machine learning, cybersecurity, and national security. He frequently helps companies design global data governance programs to allow for efficient data transfers across corporate entities governed by multiple privacy regimes, such as US privacy laws, including the Gramm Leach Bliley Act, FCRA, HIPAA, TCPA, and the California Consumer Privacy Act (CCPA), as well as the EU’s General Data Protection Regulation (GDPR) and the various privacy and cybersecurity regimes in China and across Asia.

Ed previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Ed has developed unique experience representing clients facing media-driven legal challenges. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents.

Ed is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He is the lead editor of the PLI treatise Cybersecurity: A Practical Guide to the Law of Cyber Risk, now in its second edition, as well as several other works.

Experience

Crisis Management and Incident Response

  • Representing an online retailer with respect to multiple investigations by Attorneys General and Data Protection Authorities in the EU and Canada into a data breach.
  • Represent a major medical device manufacturer against FTC allegations of privacy violations.
  • Defend a major dialysis provider against allegations relating to online advertising pixels.
  • Advising an international media consulting company on its response to a ransomware attack.
  • Representing a quantitative trading fund that suffered an insider attack on significant IP assets by a foreign national.
  • Represented a provider of professional services to major film studios who suffered an insider theft of personal data.
  • Represented a Midwestern hospital that suffered an intrusion and resulting investigations and litigation in the midst of the pandemic.
  • Investigated data breaches for the independent Special Cybersecurity Review Committee of the Yahoo! Board of Directors.*
  • Represent major public investment bank who suffered the theft of highly sensitive information regarding dozens of pending transactions.*
  • Represented major public corporation whose data was exposed by Equifax.*
  • Represented several major Internet, retailer, pharmaceutical, financial services and telecommunications companies in connection with several hundred data security incidents that required analysis of breach reporting obligations under U.S. and international statutes.*

Litigation and Regulatory Enforcement

  • SolarWinds Litigation: Represent the former CEO of SolarWinds in congressional testimony, regulatory investigations, and securities and derivative litigation in multiple fora. 
  • Securly (S.D. Cal.; D. Min.): Represent a leading EdTech company against purported class action student privacy allegations.
  • Strong v. LifeStance (D. Ariz.): Represent an online behavioral health service against purported medical privacy allegations.
  • In re Advocate Aurora Health Pixel Litigation (D. Wis): Represent large healthcare system against alleged misuse of website advertising pixels.
  • Pygin v. Bombas, LLC. (N.D. Cal 2020): Representing corporate defendant against class action data breach allegations.
  • Reetz v. Advocate Aurora Health, Inc. (Wis. 2020): Representing corporate defendant against class action data breach allegations.
  • Scardina v. Advocate Aurora Health. We represented Advocate Aurora Health in a class action arising from data incidents at its constituent hospitals and were successful in having all claims dismissed after our motion to dismiss. We also advised the hospital system on the underlying data incidents, including forensic fact development, legal and factual analysis, development of appropriate notifications, and advocacy with state and federal regulators regarding the incidents.
  • Commonwealth of Virginia v. Bombas, LLC, No. 18-5526-7 (Richmond Cir. Ct. 2018). Defense of online clothing retailer against claims based on alleged information security weaknesses after a card skimming attack.* 
  • Whalen v. Michaels Stores Inc., No. 16-260 (2nd Cir. 2016, E.D.N.Y 2016). Successful defense of retailer after a credit card breach. Grant of motion to dismiss affirmed by appellate court.*
  • Rodriguez v. Universal Property & Casualty Ins. Co., No. 16-60442 (S.D. Fla. 2016). Defense of Fair Credit Reporting Act class action against property insurance company based on alleged information security weaknesses.*
  • Frank v. The Neiman Marcus Group, No. 1:14-cv-233 (E.D.N.Y. 2014). Successful defense of retailer after a credit card breach. Motion to dismiss granted.*
  • Moyer v. Michaels Stores Inc., 2014 WL 3511500 (N.D. Ill. 2014). Successful defense of retailer after a credit card breach. Motion to dismiss granted.*
  • Adheris v. Sebelius (D.D.C. 2013) – Successful constitutional challenge to HIPAA/HITECH refill reminder regulations.*
  • In re Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (2012). Defended Internet advertising company, PointRoll, in litigation regarding cookies and browser settings.*
  • In re National Security Agency Telecommunications Records Litigation, MDL No. 1791 (N.D. Cal. and 9th Cir. 2006-12) – Defense of AT&T against constitutional and statutory claims in multiple purported class actions related to alleged national security programs, resulting in dismissal of all claims.*
  • MeadWestvaco Corporation v. Rexam PLC (E.D. Va. 2010-11). Represented party regarding effect of French blocking statute on U.S. discovery requirements.*
  • Accusearch v. Federal Trade Commission (10th Cir. 2008). Represented the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.*

Counseling and Compliance

  • Analysis and revision of a financial services company’s data governance framework in light of data subject access right requests, data processing agreements, and global data protection requirements.
  • Providing comprehensive product counseling to an AR company on cutting-edge legal issues, including the use of permissions-based access controls, and counseling on developer permissions policies.
  • Advising an international pharmaceutical company on data protection issues relevant to its expansion into the United States, including issues that arise from the international data transfer of medical data.
  • Advising a large investment advisor on internal data governance and privacy data structure for policy and procedures.
  • Directing diligence of key data, privacy, and cybersecurity issues in dozens of private equity transactions.
  • Helping insurance, automotive, and Internet companies formulate big data governance programs for systems that generate actionable insights and enhance customer choice while mitigating legal risk.
  • Representing the Internet Cross-Community Working Groups with respect to the historic transition of the Internet domain name system to private governance by the ICANN multi-stakeholder community.*
  • Counseling major U.S. and global companies on response to the EU General Data Protection Regulation and California Consumer Protection Act.
  • Providing analysis, advice and regulatory counseling regarding major U.S. and international privacy and data security laws and regulations, including ECPA, CFAA, COPPA, GLBA, the FCRA, and unfair or deceptive trade practice restrictions for several telecommunication and Internet companies.
  • Developed innovative data governance structures for several “big data” / data science projects for connected car, political analytics, smart home, smart grid, and related analytics issues.
  • Advising several investment advisors and hedge funds with respect to rapidly evolving cybersecurity rules.
  • Counseling several branded pharmaceutical manufacturers on a range of privacy compliance issues.
  • Analyzing compliance with U.S. and international privacy and data security laws and regulations, including advertising restrictions and children’s privacy for major media companies.
*Experience prior to joining Ropes & Gray

Areas of Practice