Overview
Amy C. Pimentel advises clients on US and international data protection, privacy and cybersecurity. Her clients are diverse – spanning the health care/life sciences industries to big tech, media and consumer products, and ranging from Fortune 500 companies to early stage start-ups.
Amy is skilled at harmonizing requirements across jurisdictions and legal regimes to build practical, risk-based and business-focused global privacy and cybersecurity programs. She works with clients to understand their obligations under US federal and state laws, the growing body of international privacy laws and self-regulatory frameworks so that they can leverage and transfer data in a compliant way.
Amy also manages large and complex cyber incidents by guiding clients through the phases of breach response and post-incident remediation. She has teamed with forensic vendors and other consultants to help clients investigate, remediate, mitigate and notify required parties. She has also teamed with her white collar and litigation colleagues to manage and respond to ensuing government investigations.
In addition, Amy helps clients implement pragmatic approaches to managing big data, advises clients through comprehensive privacy and cybersecurity assessments, vets privacy and security risks in corporate transactions, and drafts and negotiates contracts concerning data-related partners and vendors.
Results
- Developed and implemented global compliance programs for numerous US and international organizations, including advice on HIPAA, GDPR, CCPA/CPRA (and developing state privacy laws in Virginia and Colorado), data mapping, data transfer mechanisms, privacy notices, consent mechanisms, data subject and consumer rights, data security assessments, incident response preparation, program governance (including appointment of Privacy Officers and EU Representatives), and employee training
- Advised big tech companies on development of new technologies and consumer products, including software-as-a-service offerings, wearable devices, remote care platforms, infotainment systems, and mobile applications
- Managed the development of a global data privacy assessment and data mapping of a multibillion-dollar food service company to evaluate the process through which it collects, stores, protects, shares and manages information in more than 100 countries
- Advised on privacy and data security considerations in a multi-jurisdictional pharmaceutical clinical trial, including negotiations with clinical research organizations, sharing of data with research institutions, and preparing contracts and informed consent documents
- Advised a healthcare client on applicability of general privacy and data security laws (including the CCPA, GDPR, COPPA, and state data security laws) to collection of data through non-traditional means, including how such laws impact requirements under HIPAA and state health information privacy laws
- Advised insurance and financial service clients on applicability of GLBA, FCRA, and state privacy laws to new lines of business involving the collection and use of consumer data
- Advised a big data company on its cybersecurity compliance program, including the development and implementation of a vulnerability management and data breach response plan
- Vetted privacy and security risks in a private equity fund’s multimillion-dollar acquisition of four national data brokers, and advised on post-closing implementation of privacy and security controls
- Handled responses to numerous incidents involving the compromise of personal data, including overseeing the forensic investigation into the incidents, advising on legal obligations, preparing a notification and communication program, and recommending appropriate mitigation measures
- Acted as an interim privacy officer for a large regional hospital system
Credentials
Education
Northeastern University School of Law, JD, 2014
Duke University, BA, 2007
Admissions
Massachusetts
Languages
English
Spanish