Michael G. Morgan

Morgan focuses on global privacy and cybersecurity issues. He has more than 20 years’ experience advising clients on the mitigation of cybersecurity legal risks. He specializes in data breach response; U.S. and international regulations relating to cybersecurity and privacy, including the California Consumer Privacy Act and the European Union’s General Data Protection Regulation; and complex legal issues arising from advanced technologies including autonomous vehicles and connectivity, consumer data and digital marketing.

He moved to McDermott from Jones Day in 2016. “I’m thrilled to be here,” he said. “The team is stronger, with larger clients and a truly excellent platform.”

Morgan has long sought to keep clients ahead of the speedy advances in his specialties. He led a McDermott team that reported to the National Electrical Manufacturers Association on “Legal Barriers to Using Device-Generated or Device-Collected Data,” last year as the emerging Internet of Things raised new privacy and cybersecurity questions.

Now, with a pandemic shaping the field, he’s on it. “There’s been a pretty steady flow of Covid-19 issues,” he said. “Contact tracing apps have raised privacy issues, and I am advising clients in that regard. And as lockdowns have eased, questions arise about what information can employers collect about their workers’ health-related status, and under what circumstances can they share it with a government agency. And there are third-party providers offering return-to-work services—we have a major studio using a consulting firm in that regard. Employees value their privacy, but they also want to know what steps are being taken to protect their health.”

Blockchain, the record-keeping technology behind the Bitcoin network, remains a relatively new field from the privacy law perspective. Morgan advises fintech companies on best practices for compliance and risk mitigation. “You can put any kind of data on a blockchain, financial in nature or health-related in nature,” he said. “It’s important to businesses to understand just how the security works, because they are subject to licenses and regulatory oversight.”

Regulators try to avoid the issue of keeping fully abreast of the technology by requiring “reasonable” security, a standard Morgan said involves maintaining a best practices approach that can be defensible if challenged. “You want to arrive at a comfortable compliance posture so you are protected even if something goes wrong and there’s a breach.

Ransomware attacks are another current concern. “The attacks have increased by a factor of six,” Morgan said. “That’s a dramatic increase not only in quantity but because the attackers are getting more effective and purposeful. They encrypt their targets’ data, yes, but now they identify specific data repositories where a breach would be the most damaging. It’s an ongoing concern we work hard to get ahead of.”

— John Roemer