Amy C. Pimentel focuses her practice on data privacy and cybersecurity. Her clients operate in a variety of industries in the United States and internationally, including health care, consumer products, retail, food and beverage, technology, banking and other financial services.
Amy assists clients in identifying, evaluating and remediating privacy and data security risks on an enterprise level and global scale. She focuses on customizing pragmatic approaches to privacy, cybersecurity and other information management compliance matters, and advising on best practices that reflect a harmonization of international regulatory requirements. Amy also manages large and complex cyber incidents by guiding clients through the phases of breach response and post-incident remediation. In addition, Amy identifies and evaluates privacy and security risks in mergers, acquisitions and other corporate transactions.
In addition to data privacy and cybersecurity, Amy also helps health industry clients with their transaction and regulatory compliance needs. Amy has drafted employment, service and affiliation agreements between various players in the health care industry. She also has experience acting as an interim privacy officer of a large regional hospital system.
Amy has been published in the Buffalo Law Review and the Benefits Law Journal. While in law school, Amy worked at the US Department of Justice in the Office of International Affairs and interned in the Appeals Chamber of the International Criminal Tribunal for the Former Yugoslavia in The Hague, The Netherlands.
Advised an international e-commerce retailor regarding the global implementation of a GDPR compliance program, including assessment of current practices, analysis of gaps, development of work plan and assistance in implementation of compliance actions
Advised clients on the implementation of data transfer mechanisms, including EU Model Clauses and the EU-US and Swiss-US Privacy Shield
Worked with a multinational manufacturer and distributor of food products to develop internationally compliant privacy and data security policies that articulate the company’s position on how it handles information it receives and uses in the normal course of business
Managed the development of a global data privacy assessment of a multibillion-dollar food service company to evaluate the process through which it collects, stores, protects, shares and manages information in more than 100 countries
Developed a data privacy risk assessment that leverages in-depth analyses of the data collection consent laws in Europe, Asia, the Americas, the Middle East and Africa to help a multinational tech firm better strategize its global privacy and data protection approaches
Developed a records retention policy and schedule for a multinational software company that complied with records retention requirements across seven different countries
Vetted privacy and security risks in a private equity fund’s multimillion-dollar acquisition of a national data broker
Performed and documented HIPAA breach analyses for a large regional hospital system to assess whether uses and disclosures of protected health information resulted in a reportable breach, drafting notification letters when appropriate
Provided transactional support, conducted due diligence and advised on material risks in a transaction involving a private equity-backed portfolio company acquiring multiple community-based and regional health care providers