Heather Egan

Heather helps companies navigate security and privacy incidents and guides them through investigation, remediation, notification, and any ensuing government inquiries. Heather provides comprehensive crisis management support managing the legal risks of cyber crises, investigations and government enforcement actions.

To help clients navigate complex global regulatory compliance challenges, Heather builds global privacy programs, leads comprehensive cybersecurity and privacy assessments, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She frequently counsels businesses on ways to mitigate risks associated with the collection, use, retention, disclosure, transfer, and disposal of personal data.

Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe, including, Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act (FCRA), Gramm–Leach–Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) and the Telephone Consumer Protection Act (TCPA). She also works with clients on state breach notification laws, state data security laws, self-regulatory frameworks (advertising and payment card processing) and several state privacy laws: California’s Consumer Privacy Act (CCPA) California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) Virginia Consumer Data Protection Act (VCDPA), and the increasing number of US state privacy laws, designing flexible, scalable compliance programs that meet clients’ needs.

• Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe
• Managed a team providing advice to a US-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia
• Developed a global privacy program for a major food products company operating in more than 40 countries around the globe
• Created and implemented a bring your own device global strategy for a major healthcare industry multinational
• Performed a privacy and security compliance assessment for a US public company in the manufacturing industry, which has operations spanning four continents
• Advised a major academic institution on the full range of acceptable information use and sharing practices in light of the differing ways and roles in which the university may receive information, including on-campus clinics, campus police, admissions, hosting e-mail and social media platforms, and more
• Addressed privacy and security aspects for a US and EU rollout of a popular mobile application and provide continuing support through the rollout of additional versions, features and technologies, particularly as the company contemplates new data uses.
• Guided multiple major multinational corporations through US/EU/Swiss Safe Harbor certification and re-certification
• Advised a major US healthcare provider on integrating federal contracting requirements to existing privacy and security compliance program
• Drafted and revised a website privacy statement of an intelligent media company to address data collection use and disclosure through multiple platforms, including website, mobile, and social as well as integrating client's existing safe harbor policy
• Developed a privacy and security infrastructure for companies in a broad array of business sectors in connection with the implementation of US state and federal privacy and security laws and regulations
• Successfully resolved numerous US state and multi-state attorney general investigations following data incidents, including security breaches
• Successfully litigated claims against departing executives absconding with client confidential information, including regulated data
• Regularly advises both small and large financial institutions, healthcare institutions, and other general industry companies that have experienced security breaches and other security events involving personal data