Bio

Alex dedicates his practice to privacy and data security law. He assists clients with compliance strategies, policy development and implementation, data monetization and data use analyses, privacy and security issues in transactions, privacy and security incident response, and regulatory and litigation matters that involve privacy and data security issues.
 
Alex represents clients in the information technology, financial services, healthcare, and retail industries, among others. His experience includes:

  • formulating and implementing strategies for clients to comply with comprehensive privacy laws and regulations such as the European Union’s General Data Protection Regulation (GDPR) and state consumer privacy laws including the California Consumer Privacy Act (CCPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and Virginia Consumer Data Protection Act (VCDPA);
  • counseling clients in the healthcare, life sciences, and digital health sectors on compliance with federal and state privacy and data security requirements, including the Health Insurance Portability and Accountability Act (HIPAA) and state health information privacy laws;
  • counseling fintech companies and financial services institutions on compliance with state and federal privacy and cybersecurity standards, including the Gramm-Leach-Bliley Act (GLBA), the New York Department of Financial Services Cybersecurity Regulations, and network and payment card rules such as PCI-DSS;
  • advising public companies on compliance with Securities and Exchange Commission (SEC) rules regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure;
  • leading the response to cybersecurity incidents and data breaches, including interactions with state and federal regulators;
  • drafting and negotiating cloud computing, technology services, and data processing agreements; and
  • representing clients in disputes that implicate privacy and data-security issues, including disputes arising from fraudulent funds transfer schemes and litigation involving cross-border discovery.

Alex understands firsthand the challenges that confront organizations seeking to understand and manage the risks posed by this dynamic field. Before returning to private practice in 2017, he served for six years as in-house counsel for SAS, a global provider of analytics, business intelligence, and data management software and services. As the company’s lead Privacy Counsel, Alex managed the company’s global privacy program and advised on domestic and international privacy and data security issues arising throughout the company’s operations.

In 2018 Alex was certified as a Specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization as part of its inaugural class of board-certified Specialists in the field. He has also been certified by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional/United States (CIPP/US), a Certified Information Privacy Technologist (CIPT), and a Fellow of Information Privacy (FIP), and in 2018 was designated by the IAPP as a Privacy Law Specialist as part of its inaugural class of specialists in the area of Privacy Law.

Alex received his B.A., summa cum laude, from Wake Forest University as a Phi Beta Kappa graduate. He received his J.D., with distinction, from Stanford Law School. Following law school, he served as a law clerk for the Honorable Milton I. Shadur in the United States District Court for the Northern District of Illinois.

Alex writes extensively on privacy matters. Visit our privacy law blog to read his take on current data privacy-related events.

  • North Carolina Bar Association, Founding Member and Past Chair, Privacy and Data Security Section
  • International Association of Privacy Professionals, Past Chair of Raleigh/Durham KnowledgeNet Chapter
  • Sedona Conference Working Group 11, Data Security and Privacy Liability
  • Advised clients based across industry sectors on compliance with comprehensive privacy and data protection laws such as GDPR, CCPA, and other state privacy laws and implementation of relevant compliance requirements, including creation of privacy policies, advice on individual rights mechanisms, responses to specific individual rights requests, design and implementation of data security programs, and negotiation of customer and vendor agreements.
  • Advised clients in several industry sectors on compliance with European and U.S. state and federal laws and regulations governing the use of cookies and other online tracking technologies.
  • Advised publicly-traded clients on the preparation of annual and current reports with respect to SEC rules on cybersecurity incident and risk management disclosures.
  • Advised clients in a range of industries on the design and implementation of employee monitoring programs under relevant privacy and data protection laws, including GDPR, the federal Stored Communications Act and Wiretap Act, and state law corollaries.
  • Advised clients in a range of industries on direct marketing and other consumer outreach efforts, including via text message and email, under the Telephone Consumer Protection Act (TCPA), CAN-SPAM, and the European Union’s ePrivacy Directive.
  • Advised on, and negotiated terms relating to, privacy and data security considerations in M&A buy- and sell-side transactions, including transactions that involved entities subject to privacy laws and regulations such as CCPA, GDPR, and HIPAA.
  • Represented clients in technology, media, retail, financial services, and other industry sectors in the drafting and negotiation of data licensing and AdTech agreements.
  • Directed privileged risk and vulnerability assessments and compliance reviews for clients in the life sciences, manufacturing, retail, and technology sectors.
  • Led the response to large-scale data security incidents, including as a result of ransomware, business email compromise, hacking, and other root causes, for clients in a broad range of industries, including managing and directing privileged forensic investigations, preparing required notices to individuals and regulatory authorities, and responding to follow-up regulator inquiries and investigations.
  • Advised a fintech platform on compliance with federal and state privacy and data security laws, including GLBA, CCPA, and state online privacy laws.
  • Designed and oversaw the implementation of strategies to comply with cross-border data transfer restrictions under GDPR and the Court of Justice of the European Union’s Schrems II judgment for clients in the software, information technology, and other industry sectors, including the preparation of data transfer agreements and transfer impact assessments (TIAs) and certification to the EU-US Data Privacy Framework.
  • Privacy and Information Security Law Specialist, North Carolina State Bar Board of Legal Specialization
  • Privacy Law Specialist, International Association of Privacy Professionals
  • Fellow of Information Privacy, International Association of Privacy Professionals
  • Certified Information Privacy Professional/United States (CIPP/US), International Association of Privacy Professionals
  • Certified Information Privacy Technologist (CIPT), International Association of Privacy Professionals

Recent posts from our privacy and data security blog, Practical Privacy.

  • Capture the Privacy Red Flag: Privacy Issue Spotting for the Non-Privacy Lawyer, NC Bar Association, January 24, 2023
  • If You Give a Regulator a Cookie: Targeted Advertising Challenges in the Current Privacy Legal Landscape; Panelist, Moderator; IAPP Raleigh-Durham KnowledgeNet; Raleigh, NC; December 8, 2022
  • A “Reasonable” Approach to Data Security, Privacy + Security Forum Fall Academy, Washington, D.C., November 3, 2022
  • The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered Under GDPR, January 2021 (Editor-in-Chief)
  • Where Are We Now? The CCPA 9 (or so) Months In; International Association of Privacy Professionals, Raleigh/Durham KnowledgeNet Chapter Meeting, September 23, 2020
  • The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered under GDPR, Sedona Conference Webinar, July 30, 2020
  • “Time for a National Privacy Law? Fragmented patchwork of state laws creates compliance issues.” Delaware Lawyer, Spring 2020
  • U.S. Judicial Enforcement of Orders Entered Under the EU General Data Protection Regulation (GDPR), The Sedona Conference Working Group 11 Annual Meeting, April 15, 2020
  • GDPR, CCPA, and Beyond: What Risk Managers Need to Know about the Evolving Data Privacy Law Landscape; Risk and Insurance Management Society, Southeastern Regional Conference, September 19, 2019
  • Marketing and Advertising: Challenges in the Current Privacy Landscape; International Association of Privacy Professionals, Raleigh/Durham KnowledgeNet Chapter Meeting, June 25, 2019
  • U.S. Judicial Enforcement of Orders Entered Under the EU General Data Protection Regulation (GDPR), The Sedona Conference Working Group 11 Annual Meeting, Houston, TX, February 28, 2019
  • The Shape of Things to Come: Why GDPR Matters for your Business; North Carolina Bar Association Business Law and International Law and Practice Sections Joint Annual Meeting and CLE, February 15, 2019
  • Security Considerations for a Paperless Practice; North Carolina Bar Association Center for Practice Management CLE, February 8, 2019
  • Damage Control or Control Damages? How Corporate Counsel Can Take Care of the Brand and Legal Arguments in a Crisis; North Carolina Bar Association Corporate Counsel Section Annual Meeting and CLE, January 25, 2019
  • International Association of Privacy Professionals Raleigh/Durham KnowledgeNet Chapter Meeting, November 28, 2018
  • “Can Companies Disclaim and Limit Liability for Data Breaches in Online Terms of Service?” Journal of Internet Law, July 2018
  • The Inside Job: Cybersecurity, Trade Secret Protection, and Departing Employee Data Theft; Association of Corporate Counsel-Research Triangle Area Chapter Meeting, Cary, NC, May 16, 2018
  • Darned if you do? Navigating Conflicts Between International Data Protection Laws and US Discovery, International Association of Defense Counsel Webinar, April 11, 2018
  • “Defending the Business-to-Business Data Breach Lawsuit,” DRI For the Defense, December, 2017
  • “Defending Novel Theories of Harm in Data-Breach Litigation,” Bloomberg Law Privacy and Data Security Law Report, October 30, 2017
  • “Data security law: Managing the legal risks of cloud and collaboration tools,” Business North Carolina 2017 Law Journal, September, 2017
  • Managing Privacy and Data Security Risk in eDiscovery, Women in eDiscovery, Raleigh/Durham Chapter Meeting, June 13, 2017
  • “Strategies for Managing Privacy and Data Security Risk in Vendor Engagements,” The Inside Scoop, Corporate Counsel Section, North Carolina Bar Association, April 2017
  • Legislative and Regulatory Developments in Cybersecurity and Data Privacy; Benchmark Data Security and Privacy Forum, February 14, 2017
  • Key Issues and Ingredients of Compliant and Effective Information Governance: Compliance with respect to handling data from the U.S. and from outside the U.S.; NCHICA Academic Medical Center Security and Privacy Conference, June 27, 2016
  • Risks, Costs, Disputes and Litigation; North Carolina Chamber and U.S. Chamber of Commerce Cybersecurity Conference, December 15, 2015
  • Best Legal Practices for Information Security and Privacy: Advising Private and Governmental Clients; NC State Lawyers Alumni Annual Meeting, October 30, 2015
  • Data Privacy and HR; Triangle Society for Human Resource Management Meeting, April 24, 2015