Overview
Amy C. Pimentel advises clients on U.S. and international data protection, privacy and cybersecurity. Her clients are diverse – from multinational Fortune 500 companies to start-ups – and operate in a variety of industries, including health care, technology, consumer products, retail, media, and financial services.
Amy is skilled at harmonizing requirements across industries and jurisdictions to build practical, risk-based and business-focused global privacy and cybersecurity programs. In the U.S., this includes advising on federal and state laws such as HIPAA, FCRA, GLBA, TCPA, CAN-SPAM, CCPA, state breach notification laws, and state data security laws, as well as existing self-regulatory frameworks, including those covering online advertising and payment card processing. She works with clients to understand their obligations under international laws such as PIPEDA, the GDPR and ePrivacy, and China’s cybersecurity and privacy laws, and helps clients implement cross-border transfer mechanisms, such as Privacy Shield and EU Model Clauses, to enable the flow of data between company entities and third parties.
Amy also manages large and complex cyber incidents by guiding clients through the phases of breach response and post-incident remediation. She has teamed with forensic vendors and other consultants to help clients investigate, remediate, mitigate and notify required parties. She has also teamed with her white collar and litigation colleagues to manage and respond to ensuing government investigations.
In addition, Amy helps clients implement pragmatic approaches to managing and leveraging big data, advises clients through comprehensive privacy and cybersecurity assessments, vets privacy and security risks in corporate transactions, and drafts and negotiates contracts concerning data-related partners and vendors.
Results
- Developed and implemented GDPR and CCPA compliance programs for numerous U.S. and international organizations, advising on, as applicable, GDPR and CCPA applicability analysis, data mapping, data transfer mechanisms, privacy notices, consent mechanisms, data subject and consumer rights, data security assessments, breach response programs, selection of Data Protection Officers and EU Representatives, and employee training
- Managed the development of a global data privacy assessment of a multibillion-dollar food service company to evaluate the process through which it collects, stores, protects, shares and manages information in more than 100 countries
- Developed a data privacy risk assessment that leverages in-depth analyses of the data collection consent laws in Europe, Asia, the Americas, the Middle East and Africa to help a multinational tech firm better strategize its global privacy and data protection approaches
- Developed a global records retention policy and schedule for a multinational software company that complied with records retention requirements across seven different countries
- Vetted privacy and security risks in a private equity fund’s multimillion-dollar acquisition of four national data brokers, and advised on post-closing implementation of privacy and security controls
- Performed and documented HIPAA breach analyses for a large regional hospital system to assess whether uses and disclosures of protected health information resulted in a reportable breach, drafting notification letters when appropriate
- Acted as an interim privacy officer for a large regional hospital system
Recognitions
Community
- Boston Bar Association
- National Asian Pacific American Bar Association, Data Security and Privacy Committee Co-Chair
- International Association of Privacy Professionals
- Filipino American Lawyers Association of Massachusetts, founding member
Credentials
Education
Northeastern University School of Law, JD, 2014
Duke University, BA, 2007
Admissions
Massachusetts
Languages
English
Spanish