Heather Egan

Partner, Orrick

Heather Egan is the Business Unit Leader for Orrick’s Strategic Advisory & Government Enforcement (SAGE) Business Unit. Heather focuses on cybersecurity, privacy and information management. A strategic advisor to clients, she is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field. Chambers explains that companies turn to Heather because she “understands all the business issues and the dynamics of how to implement privacy programs [and is] extraordinarily thoughtful, very pragmatic and responsive.”

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support, and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe, including but not limited to:

  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
  • Electronic Communications Privacy Act (ECPA)
  • Fair Credit Reporting Act (FCRA)
  • Gramm–Leach–Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Telephone Consumer Protection Act (TCPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • State breach notification laws
  • State data security laws
  • Self-regulatory frameworks (advertising and payment card processing)

Appearances