Heather Egan Sussman is Global Co-chair of Orrick’s Cyber, Privacy & Data Innovation practice, and the leader of Orrick’s Boston Office. Her practice focuses on privacy, cybersecurity and information management, and she is ranked by Chambers USA and The Legal 500 United States as a leader in her field. Chambers explains companies turn to Heather because she is “generous with her time and endeavors greatly to educate her clients and understand a given client’s risk profile.”
Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. In the U.S. this includes advising on federal and state laws such as FCRA, ECPA, TCPA, HIPAA, CAN-SPAM, GLBA, California’s Consumer Privacy Act, state breach notification laws, and state data security laws, as well as existing self-regulatory frameworks, including those covering online advertising and payment card processing. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.
Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust.
Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents, and she offers a comprehensive menu of services designed to do just this. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. Companies routinely rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.
Heather guides clients through comprehensive privacy and cybersecurity assessments worldwide, vets privacy and security risks in corporate transactions, conducts internal investigations stemming from data incidents, and she drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data.
Her clients come from diverse business sectors, including technology, financial services, retail, consumer products, energy and infrastructure, healthcare and life sciences, manufacturing, food and beverage, media, academic institutions and service industries.
Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets, including MSNBC.com, The New York Times, The Los Angeles Times, Bloomberg BusinessWeek, The San Francisco Chronicle, Washington Times and Houston Chronicle.
On February 7 and again on February 10, 2020, the California Attorney General Xavier Becerra released an updated draft of proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). The updated drafts feature significant changes, clarifications and reversals of policy from the original proposal.
The updated draft regulations—available here (clean) and here (redline to the original October 2019 Draft)—reflect input gathered during the public comment period and series of public hearings which concluded on December 6, 2019. The first draft of the proposed regulations, the public comments and the transcripts and audio of the public hearings are available on the Attorney General’s CCPA webpage. The Attorney General also updated the online cache of documents and other information relied upon in preparing the revised draft regulations here.
Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation.
Webinar | November 21, 2019
Please join Heather Sussman and Kyle Kessler for the Cyber, Privacy & Data Innovation practice’s webinar “CCPA Compliance – It’s Not Too Late to Get Started!”
With the January 1, 2020 effective date of the California Consumer Privacy Act (the “CCPA”) rapidly approaching, all eyes have been on the California legislature’s consideration of a robust suite of amendments that would clarify ambiguities and address discrepancies underlying the prominent privacy statute. On October 11, 2019, six CCPA amendments were signed into law by the California Governor, as well as an amendment to the state’s breach notification statute. The rest of the CCPA amendments have either failed or will have to wait until next year for further consideration.
On October 10, 2019, the California Attorney General added to the complexity of the California Consumer Privacy Act of 2018 (“CCPA”) by releasing long-awaited proposed regulations that provide guidance on various elements of the CCPA. The text of the proposed regulations is available here and the California Attorney General has made other documents and information relating to the proposed regulations available here. The comment period for the proposed regulations will close on December 6, 2019. Interested parties may review and provide written comments addressing the proposed regulations prior to that date or attend one of four scheduled public hearings on the proposed regulations to be held on December 2-5, 2019.
Webinar | October 30, 2019
Please join Heather Sussman, Emily Tabatabai, and Nick Farnsworth for the Cyber, Privacy & Data Innovation practice’s webinar “Last-Minute Amendments – Changes to California’s New Privacy Law Ahead of the Effective Date.”
Webinar | July 30, 2019
Please join Heather Sussman, Barrie VanBrackle and David Curtis for the Cyber, Privacy & Data Innovation practice’s webinar “Spotlight on Fintech – How the New California and Nevada Privacy Laws Will Impact Data in Fintech.”
While the California Consumer Privacy Act (“CCPA”) has inspired many states to consider their own consumer privacy bills, including Nevada which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect, New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments, and Illinois has proposed a bill that is poised to become law in the near term.
Webinar (recording available) | June 25, 2019
Please join Heather Sussman and Matthew Coleman for the Cyber, Privacy & Data Innovation practice’s webinar “California’s and Nevada’s New Privacy Laws – What Companies Need to Know.”
California was the first U.S. state to enact a sweeping new privacy law, known as the CCPA, with an effective date of January 2020. Nevada has now enacted a scaled-down version of the CCPA that is slated to take effect even sooner – as early as October 2019.
At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States, including whether federal legislation is likely or desired – especially in light of the CCPA and similar proposed legislation in states throughout the nation.