Michael Morgan is recognized as one of the nation’s leading lawyers in cybersecurity and data privacy. He has guided clients through some of the largest and most complex data breaches, breaches involving more than 50 million records, incidents affecting persons in over 100 countries around the world, and incidents involving sensitive defense-related information. He counsels clients on compliance with US and international regulations relating to cybersecurity and data privacy, including compliance with the California Consumer Privacy Act, the EU’s General Data Protection Regulation and China’s Network Security Law. Mike is the US head of the Firm’s Global Privacy & Cybersecurity Practice Group.
Mike has particular experience on complex legal issues arising from advanced technologies. He represents companies on privacy and cybersecurity issues arising from vehicle autonomy and connectivity and is an expert on the fast-changing regulatory environment relating to autonomous vehicles and in the US and around the world. He also advises clients on matters relating to international data transfers (e.g. EU model clauses and Privacy Shield), cryptocurrency, e-commerce security, and blockchain applications. He represents clients in a range of industries, including financial services, big data, automotive, telecommunications, healthcare, insurance, and automotive, as well as defense contractors and subcontractors subject to requirements under DFARS and the CMMC Framework.
Mike has handled scores of privacy and cybersecurity-related cases, including more than one hundred lawsuits involving claims under the FCRA, UDAAP statutes and consumer protection statutes. He has particular expertise in the defense of cases involving claims for statutory damages and advises clients on mitigation of legal risks arising from the CCPA’s statutory damages provisions applicable to data breaches. He has defended against government investigations by the FTC, CFPB, FCC and state attorneys general.
Mike is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).
- Advised a global provider of connected car applications on compliance with privacy and cybersecurity regulations, including the GDPR and China’s Cybersecurity Law
- Advised a big data company on its cybersecurity compliance program, including the development and implementation of a vulnerability management and data breach response plan
- Advised an Internet of Things (IoT) provider on compliance issues arising from the global launch of a personal digital assistant device
- Advised a big data company on a 15 million-record data breach, including forensics, consumer notification, response to government investigations and defense of litigation
- Handled a series of data breaches involving personnel records of employees in the United States and more than 50 countries, including advice on compliance with notification obligations and communications with affected employees
- Handled the response to ransomware incident at a California hospital involving records for more than 250,000 patients, including overseeing the forensic investigation, defending the government investigation into the incident, advising on legal obligations (e.g., under HIPAA and state laws), managing the notification and communication program, and recommending remediation measures
- Handled responses to numerous incidents involving the compromise of patient information at hospitals and health providers, including overseeing the forensic investigation into the incidents, advising on legal obligations, advising on Bitcoin payment issues, preparing a notification and communication program, and recommending appropriate mitigation measures
- Represented an e-commerce company in a dispute with its technology provider relating to the adequacy of the security in the provider’s solution, including the encryption algorithm used to secure the transactions between the e-commerce company and its customers
- Advised numerous companies on responses to ransomware and phishing incidents, including preservation of privilege, coordination with law enforcement, retention of a forensics provider, advice on Bitcoin and cryptocurrency issues, communications with affected patients and regulators, and remediation and recovery from the incident
- Advised an international university regarding GDPR compliance, including the scope of application of the GDPR to activities in the EU, the lawful grounds for processing personal data (such as consent), appointment of a DPO, and various other GDPR compliance issues
- Advised a European telecommunications provider regarding GDPR compliance, including the scope of application of the GDPR to certain activities in the EU and the US, the lawful grounds for processing personal data and various other GDPR compliance issues
- Advised a multinational technology provider on certification of compliance with the US-EU Privacy Shield, data mapping, review and evaluation of internal and external policies and procedures, and vendor contract amendments to comply with Privacy Shield requirements
- Los Angeles City College Foundation, board member
University of California – Los Angeles School of Law, JD, 1993
University of Pennsylvania, Wharton School of Business, BS, cum laude, 1989
Courts / Agencies
Supreme Court of the United States
US District and State Courts of California (all)
US District Court for the District of Colorado
US Court of Appeals for the Ninth Circuit
US Court of Appeals for the Tenth Circuit
Pro hac vice admissions: Oregon, Kansas, Hawaii, Utah, Virginia and Arizona