Alex dedicates his practice to privacy and data security law. He assists clients with compliance strategies, policy development and implementation, data monetization and data use analyses, privacy and security issues in transactions, privacy and security incident response, and regulatory and litigation matters that involve privacy and data security issues.
Alex represents clients in the information technology, financial services, healthcare, and retail industries, among others. His experience includes:
- formulating and implementing strategies for clients to comply with comprehensive privacy laws and regulations such as the European Union’s General Data Protection Regulation (GDPR), and state consumer privacy laws including the California Consumer Privacy Act (CCPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and Virginia Consumer Data Protection Act (VCDPA);
- counseling clients in the healthcare, life sciences, and digital health sectors on compliance with federal and state privacy and data security requirements, including the Health Insurance Portability and Accountability Act (HIPAA) and state health information privacy laws;
- counseling fintech companies and financial services institutions on compliance with state and federal privacy and cybersecurity standards, including the Gramm-Leach-Bliley Act (GLBA), the New York Department of Financial Services Cybersecurity Regulations, and network and payment card rules such as PCI-DSS;
- leading the response to cybersecurity incidents and data breaches, including interactions with state and federal regulators;
- drafting and negotiating cloud computing, technology services, and data processing agreements; and
- representing clients in disputes that implicate privacy and data-security issues, including disputes arising from fraudulent funds transfer schemes and litigation involving cross-border discovery.
Alex understands firsthand the challenges that confront organizations seeking to understand and manage the risks posed by this dynamic field. Before returning to private practice in 2017, he served for six years as in-house counsel for SAS, a global provider of analytics, business intelligence, and data management software and services. As the company’s lead Privacy Counsel, Alex managed the company’s global privacy program and advised on domestic and international privacy and data security issues arising throughout the company’s operations.
In 2018 Alex was certified as a Specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization as part of its inaugural class of board-certified Specialists in the field. He has also been certified by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional/United States (CIPP/US), a Certified Information Privacy Technologist (CIPT), and a Fellow of Information Privacy (FIP), and in 2018 was designated by the IAPP as a Privacy Law Specialist as part of its inaugural class of specialists in the area of Privacy Law.
Alex received his B.A., summa cum laude, from Wake Forest University as a Phi Beta Kappa graduate. He received his J.D., with distinction, from Stanford Law School. Following law school, he served as a law clerk for the Honorable Milton I. Shadur in the United States District Court for the Northern District of Illinois.
Alex writes extensively on privacy matters. Visit our privacy law blog to read his take on current data privacy-related events.
- North Carolina Bar Association, Founding Member and Past Chair, Privacy and Data Security Section
- International Association of Privacy Professionals, Past Chair of Raleigh/Durham KnowledgeNet Chapter
- Sedona Conference Working Group 11, Data Security and Privacy Liability
- Led response to data security incident experienced by securities broker-dealer, including coordination with federal law enforcement and preparation of required notices to individuals and regulatory authorities.
- Led response to ransomware incident experienced by manufacturing firm, including coordination of investigation and preparation of required notices to individuals and regulatory authorities.
- Led the creation and implementation of CCPA compliance program for multinational contract research organization.
- Advised fintech platform on compliance with federal and state privacy and data security laws, including GLBA, CCPA, and state online privacy laws.
- Represented health care provider in investigation by Department of Health and Human Services Office for Civil Rights arising from security incident involving patients’ health information.
- Designed and oversaw the implementation of strategy to comply with cross-border data transfer restrictions under GDPR for global software and information technology provider, including the preparation of data transfer agreements and transfer impact assessments (TIAs).
- Represented online retailer in response to multistate payment card data breach.
- Privacy and Information Security Law Specialist, North Carolina State Bar Board of Legal Specialization
- Privacy Law Specialist, International Association of Privacy Professionals
- Fellow of Information Privacy, International Association of Privacy Professionals
- Certified Information Privacy Professional/United States (CIPP/US), International Association of Privacy Professionals
- Certified Information Privacy Technologist (CIPT), International Association of Privacy Professionals
Recent posts from our privacy and data security blog, Practical Privacy.
- The Next Post They Write Might Be About You: The FTC’s Business Blog Calls Out Health Data Practices That Can Violate Section 5
- Less Is More, Too Much Is Not Enough: What the Irish DPC’s €390 Million Fine Against Meta Could Mean for Your Privacy Notice
- Glow Up or Blow Up: Five Takeaways from the CCPA Enforcement Action Against Sephora
- Carnival Cruise Line’s $1.25 Million Multistate Breach Settlement: 5 Lessons to Avoid and Mitigate Unstructured Data Breaches
- Buyers Beware: the FTC’s Case Against CafePress Highlights Privacy and Data Security Risks in Corporate Transactions
- To-Do in 2022: Top 5 Data Protection Contracting Tasks
- The EU Commission’s New SCCs for International Transfers: Top 5 Immediate Takeaways
- High Stakes: North Carolina Consumer Privacy Bill Sees Virginia’s CDPA and Raises a Private Right of Action with Automatic Treble Damages
- Cranking up the Pressure: Federal Financial Regulators’ Proposed Rule on Computer-Security Incident Notification and How it Could Impact Banks, Fintech Firms, and Other Bank Service Providers
- The California Attorney General’s Settlement with Glow: A Wake-Up Call for Consumer Health App Developers
- Could Data Subjects or EU Supervisory Authorities Use the US Court System to Enforce GDPR?
- Zoom for Improvement: Lessons Learned from Zoom’s Privacy and Security Backlash
- Back to the Drawing Board? The Top Ten Impacts of the California AG’s Modified CCPA Regulations (Part 2 of 2)
- So Don’t Sue Me: Strategies for Responding to CCPA Consumer Enforcement Notices
- Update Your Status: Takeaways from Facebook’s $100 Million Privacy Settlement with the SEC
- Latest GDPR Fine Emphasizes Need for Privacy and Data Security Due Diligence in Corporate Acquisitions
- Capture the Privacy Red Flag: Privacy Issue Spotting for the Non-Privacy Lawyer, NC Bar Association, January 24, 2023
- If You Give a Regulator a Cookie: Targeted Advertising Challenges in the Current Privacy Legal Landscape; Panelist, Moderator; IAPP Raleigh-Durham KnowledgeNet; Raleigh, NC; December 8, 2022
- A “Reasonable” Approach to Data Security, Privacy + Security Forum Fall Academy, Washington, D.C., November 3, 2022
- The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered Under GDPR, January 2021 (Editor-in-Chief)
- Where Are We Now? The CCPA 9 (or so) Months In; International Association of Privacy Professionals, Raleigh/Durham KnowledgeNet Chapter Meeting, September 23, 2020.
- The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered under GDPR, Sedona Conference Webinar, July 30, 2020
- “Time for a National Privacy Law? Fragmented patchwork of state laws creates compliance issues.” Delaware Lawyer, Spring 2020
- U.S. Judicial Enforcement of Orders Entered Under the EU General Data Protection Regulation (GDPR), The Sedona Conference Working Group 11 Annual Meeting, April 15, 2020
- GDPR, CCPA, and Beyond: What Risk Managers Need to Know about the Evolving Data Privacy Law Landscape; Risk and Insurance Management Society, Southeastern Regional Conference, September 19, 2019
- Marketing and Advertising: Challenges in the Current Privacy Landscape; International Association of Privacy Professionals, Raleigh/Durham KnowledgeNet Chapter Meeting, June 25, 2019
- U.S. Judicial Enforcement of Orders Entered Under the EU General Data Protection Regulation (GDPR), The Sedona Conference Working Group 11 Annual Meeting, Houston, TX, February 28, 2019
- The Shape of Things to Come: Why GDPR Matters for your Business; North Carolina Bar Association Business Law and International Law and Practice Sections Joint Annual Meeting and CLE, February 15, 2019
- Security Considerations for a Paperless Practice; North Carolina Bar Association Center for Practice Management CLE, February 8, 2019
- Damage Control or Control Damages? How Corporate Counsel Can Take Care of the Brand and Legal Arguments in a Crisis; North Carolina Bar Association Corporate Counsel Section Annual Meeting and CLE, January 25, 2019
- International Association of Privacy Professionals Raleigh/Durham KnowledgeNet Chapter Meeting, November 28, 2018
- “Can Companies Disclaim and Limit Liability for Data Breaches in Online Terms of Service?” Journal of Internet Law, July 2018
- The Inside Job: Cybersecurity, Trade Secret Protection, and Departing Employee Data Theft; Association of Corporate Counsel-Research Triangle Area Chapter Meeting, Cary, NC, May 16, 2018
- Darned if you do? Navigating Conflicts Between International Data Protection Laws and US Discovery, International Association of Defense Counsel Webinar, April 11, 2018
- “Defending the Business-to-Business Data Breach Lawsuit,” DRI For the Defense, December, 2017
- “Defending Novel Theories of Harm in Data-Breach Litigation,” Bloomberg Law Privacy and Data Security Law Report, October 30, 2017
- “Data security law: Managing the legal risks of cloud and collaboration tools,” Business North Carolina 2017 Law Journal, September, 2017
- Managing Privacy and Data Security Risk in eDiscovery, Women in eDiscovery, Raleigh/Durham Chapter Meeting, June 13, 2017
- “Strategies for Managing Privacy and Data Security Risk in Vendor Engagements,” The Inside Scoop, Corporate Counsel Section, North Carolina Bar Association, April 2017
- Legislative and Regulatory Developments in Cybersecurity and Data Privacy; Benchmark Data Security and Privacy Forum, February 14, 2017
- Key Issues and Ingredients of Compliant and Effective Information Governance: Compliance with respect to handling data from the U.S. and from outside the U.S.; NCHICA Academic Medical Center Security and Privacy Conference, June 27, 2016
- Risks, Costs, Disputes and Litigation; North Carolina Chamber and U.S. Chamber of Commerce Cybersecurity Conference, December 15, 2015
- Best Legal Practices for Information Security and Privacy: Advising Private and Governmental Clients; NC State Lawyers Alumni Annual Meeting, October 30, 2015
- Data Privacy and HR; Triangle Society for Human Resource Management Meeting, April 24, 2015