Heather Egan Sussman

Partner

Boston


Read full biography at www.orrick.com

Heather Egan Sussman is Head of Orrick's Global Cyber, Privacy & Data Innovation Practice Group. Her practice focuses on privacy, cybersecurity and information management, and she is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field. Chambers explains companies turn to Heather because she “understands all the business issues and the dynamics of how to implement privacy programs [and is] extraordinarily thoughtful, very pragmatic and responsive.”

Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. In the U.S. this includes advising on federal and state laws such as FCRA, ECPA, TCPA, HIPAA, CAN-SPAM, GLBA, California’s Consumer Privacy Act, state breach notification laws, and state data security laws, as well as existing self-regulatory frameworks, including those covering online advertising and payment card processing. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.

Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust.

Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents, and she offers a comprehensive menu of services designed to do just this. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. Companies routinely rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties. 

Heather guides clients through comprehensive privacy and cybersecurity assessments worldwide, vets privacy and security risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data.

Her clients come from diverse business sectors, including technology, financial services, retail, consumer products, energy and infrastructure, healthcare and life sciences, manufacturing, food and beverage, media, academic institutions and service industries.

Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets, including MSNBC.com, ABCNews.com, The New York Times, The Los Angeles Times, Bloomberg BusinessWeek, The San Francisco Chronicle, Washington Times and Houston Chronicle.

Posts by: Heather Egan Sussman

Brazil’s LGPD Poised to Take Effect in a Matter of Days

Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021.

CA Businesses Poised to Have CCPA Compliance Deadline Extended for B2B and Employee Data

The California legislature has passed AB 1281 to the Governor’s desk for signature and, given the absence of legislative opposition, it appears the bill is now well positioned to be signed into law. AB-1281 extends by one year the expiration date of the business-to-business (“B2B”) and employee-related exemptions provided for under the California Consumer Privacy Act (“CCPA”) (previously discussed here). If signed into law, it will give California businesses at least one more year to work on folding employee and B2B data into their existing CCPA compliance programs, a welcome reprieve for California employers facing a resurgence of coronavirus cases in workplaces around the State.

Final CCPA Regulations Effective Immediately With Last-Minute Revisions

On August 14, 2020, the California Office of Administrative Law (“OAL”) approved the final implementing regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). This final and approved version of the CCPA regulations went into effect immediately and contains a last round of revisions to language that has been refined across several iterative drafts.[1] While the majority of the changes are grammatical in nature and will have no effect on CCPA compliance requirements, there were a few substantive changes that could impact certain businesses.

Legislative Update: Privacy Bills Not Immune to COVID-19 As Legislative Efforts Persist and Evolve

Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19 and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress.

Wait…CCPA 2.0? What Is the California Privacy Rights Act of 2020 and Will It Become Law?

On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.


Two Diverging Federal COVID-19 Privacy Bills Proposed

In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle. Here is a high-level summary of the key points addressed in each bill:

How to Move to Remote Work and Comply with U.S. Privacy and Cybersecurity Laws

Cybercriminals are known to attack networks and individuals at inopportune times of crisis—and the coronavirus pandemic unfortunately presents just such an opportunity as millions are accessing corporate networks and databases from home. This past weekend New Jersey and Connecticut joined the growing list of jurisdictions (e.g., California, Delaware, Illinois, Louisiana, Ohio, and New York) to issue orders effectively requiring non-essential workers to avoid the workplace, and in some cases, to shelter-in-place.

California Attorney General Releases Updated Drafts of Proposed CCPA Regulations

On February 7 and again on February 10, 2020, the California Attorney General Xavier Becerra released an updated draft of proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”).  The updated drafts feature significant changes, clarifications and reversals of policy from the original proposal.

The updated draft regulations—available here (clean) and here (redline to the original October 2019 Draft)—reflect input gathered during the public comment period and series of public hearings which concluded on December 6, 2019. The first draft of the proposed regulations, the public comments and the transcripts and audio of the public hearings are available on the Attorney General’s CCPA webpage.  The Attorney General also updated the online cache of documents and other information relied upon in preparing the revised draft regulations here.


The CCPA Is in Effect and It Is Not Too Late to Get Started in 2020

Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation.