Samuel D. Goldstick
Senior Counsel
Samuel (Sam) Goldstick is a data privacy and cybersecurity attorney, advising clients across a broad range of industries on all aspects of compliance with international, federal, and state data privacy and security laws. He is a senior counsel in the firm’s Technology Transactions, Cybersecurity, and Privacy Practice, and a member of the Sports & Entertainment Industry Team and Innovative Technology Sector.
Sam counsels companies in nearly every sector of the economy — including the retail, hospitality, manufacturing, financial services, health care, insurance, sports, aerospace, energy, government contracting, education, information technology, transportation, and travel industries — on a full array of data privacy and security compliance issues, such as those involving:
- Data breach notification requirements at the state, federal, and international level
- EU and UK General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other similar comprehensive U.S. state consumer privacy laws
- Gramm-Leach-Bliley Act (GLBA)
- The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation
- State insurance data security laws (including those modeled after the NAIC model law)
- Illinois’ Biometric Information Privacy Act (BIPA) and other state biometric privacy laws
- Telephone Consumer Protection Act (TCPA) and state law equivalents
- Health Insurance Portability and Accountability Act (HIPAA) and state law equivalents
- Department of Defense (DoD) cybersecurity requirements for federal contractors, including DFARS 252.204-7012, NIST SP 800-171, and CMMC
Sam assists clients of all sizes with their incident preparedness, such as reviewing and updating incident response (IR) policies and procedures, negotiating three-party agreements with forensics and other third-party IR providers to help maintain attorney-client privilege and work product protections during an incident, and running tabletop exercises that simulate real-life cyber-attacks.
On the reactive front, Sam frequently guides clients through the entire incident response process, from the early stages of the investigation to the notification of affected individuals and government regulators, as well as through any resulting enforcement actions or regulatory investigations. To date, Sam has handled hundreds of data breaches and security incidents for clients, and his depth of experience in this area allows him to provide clients with practical and business-oriented solutions in the event of a data incident and its aftermath.
Representative Experience
- Negotiated more than 50 different vendors’ GDPR DPAs on behalf of a large financial institutional client.
- Advised a Fortune 10 company on the applicability of new U.S. state comprehensive consumer privacy laws and recommended measures for compliance in connection with a myriad of business initiatives.
- Updated website terms of use and general online and offline privacy policies with jurisdiction-specific addendums (i.e., GDPR, CCPA/CPRA, VCDPA, and CPA) for global retailers, sports clubs, and manufacturers, among many others.
- Developed a practical handbook for a large insurer to use in responding to consumer rights requests under the CCPA/CPRA (with model templates).
- Updated an extensive set of information security policies for a mutual insurance company to align with applicable requirements under HIPAA, PCI DSS, and relevant state insurance data security laws.
- Updated IR and crisis communications policies for, proactively entered into a three-party forensic agreement with an IR provider (to maintain privilege and work product protections) on behalf of and helped facilitate separate tabletop exercises simulating mock breaches for, a global electronics manufacturing services company.
- Counseled a global aerospace defense contractor through a DoD-reportable “cyber incident” involving controlled unclassified information (CUI) and handled regulatory follow-ups on their behalf.
- Guided a self-funded employee health plan through a complex OCR investigation and prepared a sophisticated response with over 20 exhibits to an OCR data request, in connection with a HIPAA breach that affected over 2,000 individuals.
- Guided an insurance vendor through a data breach affecting over 4 million individuals and managed the entire notification process from start to finish (including interfacing with regulators).
Awards and Recognition
- Best Lawyers: Ones to Watch in America™ – Technology Law (2021-2025)
Affiliations
- Certified Information Privacy Professional – United States (CIPP/US)
- Certified Information Privacy Professional – Europe (CIPP/E)
- Member, International Association of Privacy Professionals (IAPP)
- Member, American Bar Association (ABA)
- Member, Chicago Bar Association Cyber Law & Data Privacy Committee
- Member, Midwest Cyber Security Alliance (MCSA)
Presentations and Publications
- Moderator, “Masterclass: Supply Chain Due Diligence” Panel, Lexology Live: Cyber Risk, New York, NY (June 20, 2024)
- Co-presenter, “Episode 7: Data Privacy Deadline for Colorado and Connecticut,” Innovative Technology Insights Podcast (July 13, 2023)
- Panelist, “Risky Business,” University of Notre Dame’s IDEA Week (April 20, 2023)
- Co-presenter, “Deadlines Fast Approaching For Compliance with New U.S. Consumer Privacy Laws and Latest Cybersecurity Legal Developments,” Foley’s CLE Weeks (November 16, 2022, and December 14, 2022)
- Co-presenter, “Cybersecurity: Ransomware Update & Anatomy of A Tabletop Exercise” Original Equipment Suppliers Association (OESA) Chief Financial Officers Council Meeting (June 8, 2022)
- Co-presenter, “The Evolving State of Cybersecurity & Consumer Data Privacy Laws in the US and Related Vendor Contract Negotiation Tips,” Foley’s CLE Week (November 18, 2021, and December 15, 2021)
- Co-author, “Appellate Court ruling on limitation periods for biometric data-related claims,” article published by OneTrust DataGuidance (November 2021)