Lynn C. Percival

• International Association of Privacy Professionals
• Carolina Privacy Officials’ Network
• North Carolina State Bar
• North Carolina Bar Association
• Wake County Bar
• Raleigh Chamber of Commerce, Leadership Raleigh, Class 40

• Assisted clients across industry sectors with large-scale data incidents and breaches, including by leading and supervising investigations, advising on legal obligations and strategy, drafting and overseeing distribution of individual notifications, preparing regulatory filings, responding to regulatory inquiries, and advising on remediation efforts.
• Advised clients across industry sectors on compliance with the GDPR and implementation of related compliance requirements, including creation of privacy policies, advice on individual rights mechanisms, response to specific individual rights requests, limitations on secondary use of data, and negotiation of customer and vendor agreements.
• Advised clients across industry sectors on incident response readiness and preparation of incident response plans.
• Advised clients on establishment of AI governance programs and compliance with emerging AI regulation, including the EU Artificial Intelligence Act.
• Advised global fintech client on application of banking legislation and the implications for the client’s provision of existing services and development of new lines of business.
• Advised media client on data monetization strategy and approach to minimizing legal risk associated with Federal Trade Commission enforcement, comprehensive state privacy laws, and novel legal claims under Wiretap Act and California Invasion of Privacy Act.
• Developed and assisted in implementation of strategy for healthcare client to leverage customer data to improve services across client’s customer base and develop new products and services.
• Advised clients on implementing international data transfer mechanisms and minimizing risk associated with Schrems II decision.
• Advised media client on consolidation of compliance efforts to address comprehensive state privacy laws, including the CCPA, CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, and the Utah Consumer Privacy Act.
• Managed negotiation of large-scale vendor contract update initiative to address regulatory changes on behalf of Fortune 50 client.
• Negotiated M&A buy- and sell-side transactions involving regulated entities subject to legal regimes including HIPAA, FCRA, GLBA, and GDPR.
• Advised publicly-traded client on creation and implementation of HIPAA compliance program.
• Led privileged privacy-and-data security assessments of a technology client’s organization that incorporated multiple assessment standards and advised on remediation of assessment findings.
• Represented technology clients in connection with negotiation of personal data licensing and adtech agreements.
• Negotiated banking-as-a-service agreements on behalf of bank clients.
• Advised Fortune 500 client on creation of a telephone outreach compliance program designed to address requirements of the Telephone Consumer Protection Act, Telemarketing Sales Rule, and state law corollaries.
• Managed large-scale project to renegotiate vendor data protection addenda to address requirements associated with the California Consumer Privacy Act.
• Advised Fortune 500 client on implementation of employee-monitoring program, including advice on compliance with Federal Wiretap Act, state law corollaries, and related privacy and data security laws.

• Privacy and Information Security Law Specialist, North Carolina State Bar Board of Legal Specialization
• Certified Information Privacy Professional (United States), International Association of Privacy Professionals

Recent posts from our privacy and data security blog, Practical Privacy.

• Don’t Call It a Breach Rule: FTC Health Breach Notification Rule Has Been Here for Years, Now Updated to Serve as a Backdoor Privacy Regulation
• SEC Adopts Final Cybersecurity Rules
• Consent Horizon: BetterHelp to Pay $7.8 Million to Settle FTC Claims
• Reading the Tea Leaves: Insights into FTC’s Areas of Focus from Chair Khan’s First Public Address
• Everything is (Somewhat) Illuminated: The EDPB Defines “Transfer”
• The EU Commission’s New SCCs for International Transfers: Top 5 Immediate Takeaways
• Schrems II: What About US-Based Organizations with Consumer-Facing Websites and Apps? (Part 1 of 2)
• Final CCPA Regulations Are Approved and Effective Immediately
• Final CCPA Regs Are Finally Here, Effective Date is Unclear
• Still at the Drawing Board: Unpacking the Third Draft of the California AG’s CCPA Regulations
• Back to the Drawing Board? The Top Ten Impacts of the California AG’s Modified CCPA Regulations (Part 1 of 2)
• Nevada’s New Privacy Law: More Bark than Bite

• SEC Adopts Final Cybersecurity Rules
• SEC’s Pending Proposed Rules on Cybersecurity Incident and Risk Management Disclosure
• Proposed Overhaul of North Carolina Security Breach Notification Law Would Make It One of the Toughest in the Nation
• $1 Million Fine Signals SEC’s Focus on Red Flags Rule and Safeguards Rule Compliance
• Client Alert: Double Jeopardy—The Growing Trend of Privacy Regulators Piling On Multiple Enforcement Actions after a Data Breach

• Ethics in Privacy and Data Security Law, North Carolina Bar Association Privacy and Data Security CLE, October 28, 2021
• Preserving Privilege in a Data Breach Investigation After the Capital One Decision, North Carolina Bar Association Privacy and Data Security CLE
• Artificial Intelligence, Cyber Security, and Ethics, NC State Lawyers Annual Meeting & CLE, November 8, 2019
• Marketing and Advertising: Challenges in the Current Privacy Landscape; International Association of Privacy Professionals, Raleigh/Durham KnowledgeNet Chapter Meeting, June 25, 2019
• $1 Million Fine Signals SEC’s Focus on Red Flags Rule and Safeguards Rule Compliance, Nov 18, 2018
• Client Alert: DC Circuit Partially Overturns 2015 FCC Order in Long-Awaited TCPA Ruling, March 16, 2018
• Reining in the FCC: DC Circuit Overturns Some (Not All) of 2015 TCPA Order, International Association of Privacy Professionals, March 23, 2018
• Elliott Davis Decosimo 2017 Risk Management Seminar, Understanding Data Breach Reporting Obligations and Minimizing Legal Risk, May 11, 2017
• Making the Move: Safe Harbor to the Privacy Shield, Triangle Part Eleven and Electronic Stakeholders Meeting, September 22, 2016
• Client Alert: Lessons Learned from Target’s Data Breach Discovery Win – Five Strategies for Maintaining Privilege in the Aftermath of a Data Breach, October 30, 2015
• President Obama’s Security Breach Notification Bill Needs Work, January 16, 2015, J.D. Supra
• Client Alert: New COPPA Rule Now in Effect, July 1, 2013
• Client Alert: Privacy Regulators Take to the Web in Search of Deficient Privacy Policies, May 30, 2013
• Client Alert: HIPAA Risk Analysis, February 6, 2013
• Client Alert: President Obama’s Cybersecurity Executive Order and What it Means for Your Organization, February 14, 2013
• Client Alert: Coping with the Threat of Fraudulent Funds Transfers, October 28, 2012
• Public Policy Favoritism in the Online World: Contract Voidability Meets the Communications Decency Act, 17 Texas Wesleyan Law Review 165 (2011)
• Article I Torture Courts: A Constitutional Means of Compensation and Deterrence? 54 Howard Law Journal 83 (2010)