Michael Morgan is a leader of the Firm’s Global Privacy and Cybersecurity practice.
Recognized as one of the nation’s leading lawyers in cybersecurity, Mike has guided clients through some of the largest and most complex data breaches, including breaches involving more than 50 million records and incidents affecting persons in over 100 countries around the world. He counsels clients on compliance with US and international regulations relating to cybersecurity and data privacy, including compliance with the EU’s General Data Protection Regulation and China’s Network Security Law.
Mike has particular experience on complex legal issues arising from advanced technologies. He represents companies on privacy and cybersecurity issues arising from vehicle autonomy and connectivity and is an expert on the fast-changing regulatory environment relating to autonomous vehicles in the US and around the world. He also advises clients on matters relating to international data transfers (e.g. EU model clauses and Privacy Shield), cryptocurrency, e-commerce security, and blockchain applications. He represents clients in a range of industries, including financial services, big data, automotive, telecommunications, healthcare, and insurance.
Over the course of his career, Mike has handled scores of privacy and cybersecurity-related cases, including more than one hundred lawsuits involving claims under the FCRA, UDAAP statutes and consumer protection statutes. He has defended against government investigations by the FTC, CFPB, FCC and state attorneys general. Mike is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).
Advised a big data company on a 15 million-record data breach, including forensics, consumer notification, response to government investigations and defense of litigation
Handled a series of data breaches involving personnel records of employees in the United States and more than 50 countries, including advice on compliance with notification obligations and communications with affected employees
Handled the response to a ransomware incident at a California hospital involving records for more than 250,000 patients, including overseeing the forensic investigation, defending the government investigation into the incident, advising on legal obligations (e.g., under HIPAA and state laws), managing the notification and communication program, and recommending remediation measures
Handled responses to numerous incidents involving the compromise of patient information at hospitals and health providers, including overseeing the forensic investigation into the incidents, advising on legal obligations, advising on Bitcoin payment issues, preparing a notification and communication program, and recommending appropriate mitigation measures
Represented an e-commerce company in a dispute with its technology provider relating to the adequacy of the security in the provider’s solution, including the encryption algorithm used to secure the transactions between the e-commerce company and its customers
Advised numerous companies on responses to ransomware and phishing incidents, including preservation of privilege, coordination with law enforcement, retention of a forensics provider, advice on Bitcoin and cryptocurrency issues, communications with affected patients and regulators, and remediation and recovery from the incident
Advised an international university regarding GDPR compliance, including the scope of application of the GDPR to activities in the EU, the lawful grounds for processing personal data (such as consent), appointment of a DPO, and various other GDPR compliance issues
Advised a European telecommunications provider regarding GDPR compliance, including the scope of application of the GDPR to certain activities in the EU and the US, the lawful grounds for processing personal data and various other GDPR compliance issues
Advised a multinational technology provider on certification of compliance with the US-EU Privacy Shield, data mapping, review and evaluation of internal and external policies and procedures, and vendor contract amendments to comply with Privacy Shield requirements
Cybersecurity Docket 2016, “Incident Response 30” list of leading cybersecurity lawyers
Top Cyber/Artificial Intelligence Lawyers 2018, Daily Journal
Los Angeles City College Foundation, board member
University of California – Los Angeles School of Law, JD, 1993
University of Pennsylvania, Wharton School of Business, BS, cum laude, 1989
Courts / Agencies
Supreme Court of the United States
US District and State Courts of California (all)
US District Court for the District of Colorado
US Court of Appeals for the Ninth Circuit
US Court of Appeals for the Tenth Circuit
Pro hac vice admissions: Oregon, Kansas, Hawaii, Utah, Virginia and Arizona