Amy C. Pimentel (CIPM) advises clients on global data protection, privacy and cybersecurity. She is skilled at harmonizing requirements across jurisdictions and legal regimes to build practical and business-focused global privacy and cybersecurity programs. She also helps multinational companies understand privacy rules and balance their legal risk when entering new markets or breaking into new or non-traditional industries.
Amy provides day-to-day product counseling and advises on data strategies. She works with clients across industries – spanning the health care/life sciences industries to big tech, finance, media and consumer products – to help them leverage and transfer data in a compliant way. She also partners with multi-disciplinary teams to advise on product development, digital advertising, artificial intelligence/machine learning and other emerging technologies to incorporate privacy-by-design and security-by-design principles. Her pragmatic approaches to managing data enable clients to achieve their business objectives while remaining compliant with their dynamic regulatory environment.
In addition to regulatory and product counseling, Amy also drafts and negotiates complex data arrangements and manages privacy and cyber risks in corporate transactions and outsourcing. She advises clients on effective due diligence strategies when vetting risks of purchasing and disclosing data and regularly partners with transaction co-counsel to evaluate the regulatory impact of specific privacy and cybersecurity matters, including government investigations and security breaches. She also advises companies on their legal obligations with respect to supply chain management and third-party risk management.
- Developed and implemented global compliance programs for numerous US and international organizations, including advice on GDPR, HIPAA, CCPA/CPRA (and new state privacy laws in Virginia and Colorado), data mapping, data transfer mechanisms, privacy notices, consent mechanisms, data subject and consumer rights, data security assessments, incident response preparation, program governance (including appointment of Privacy Officers and EU Representatives) and employee training
- Advised big tech companies on development of new technologies and consumer products, including software-as-a-service offerings, wearable fitness devices, vaccine passports, remote care platforms, automotive infotainment systems and mobile applications
- Managed the development of a global data privacy assessment and data mapping of a multibillion-dollar food service company to evaluate the process through which it collects, stores, protects, shares and manages information in more than 100 countries
- Advised on privacy and data security considerations in a multi-jurisdictional pharmaceutical clinical trial, including negotiations with clinical research organizations, sharing of data with research institutions and preparing contracts and informed consent documents
- Advised healthcare client on applicability of general privacy and data security laws (including the CCPA, GDPR, COPPA and state data security laws) to collection of data through non-traditional means, including how such laws impact requirements under HIPAA and state health information privacy laws
- Advised insurance and financial service clients on applicability of GLBA, FCRA and state privacy laws to the digital transformation of their traditional businesses and growth of new lines of business involving the collection and use of consumer data, modeling and algorithm development
- Vetted privacy and security risks in a private equity fund’s multimillion-dollar acquisition of four national data brokers, and advised on post-closing implementation of privacy and security controls
- Handled responses to numerous incidents involving the compromise of personal data, including overseeing the forensic investigation into the incidents, advising on legal obligations, preparing a notification and communication program and recommending appropriate mitigation measures
- Acted as an interim privacy officer for a large regional hospital system
Northeastern University School of Law, JD, 2014
Duke University, BA, 2007