Andrew B. Serwin

Back around 1999 or 2000, “when the internet was just starting to tilt up” commercially, Serwin realized data security would become an important issue. So he shifted his practice from consumer protection to that nascent area.

“I saw this as a market opportunity, really. I didn’t think anyone was really doing this kind of work, and I thought it had to be done,” he said.

Now, 20-plus years later, he is the U.S. chair and global co-chair of his firm’s data protection, privacy and security practice. Serwin represents clients including Visa, Dropbox and SolarWinds. He served as the expert on U.S. cybersecurity and privacy law in Irish litigation that led to a big change in the law on moving data between Europe and this country. He chairs the board of a public-private group that aids the Federal Bureau of Investigations with cybercrime cases. He also runs his own think tank.

The Irish case is Data Protection Commissioner v Facebook Ireland Ltd., Maximillian Schrems, or Schrems II. The key issue was whether U.S. law adequately protects data flowing to and from Europe, as presumed by a treaty called the EU-U.S. Privacy Shield.

Serwin was brought in to give his expert opinion about U.S. laws regarding security, surveillance, standing and remedies to the Irish Data Protection Commissioner. His testimony and report served as the basis for the commissioner’s draft decision, finding that U.S. laws do not protect European citizens’ privacy adequately under European Union law.

The Irish courts affirmed the decision and then, on July 16, 2020, so did the Court of Justice of the European Union, invalidating the treaty. The decision still allows data transfers per corporate rules and standard contract clauses, Serwin pointed out.

A very different case that kept him busy last year was the massive hacking attack on the major information technology vendor SolarWinds Inc. Serwin was the lead incident response attorney on the DLA Piper team assisting the company. He oversaw the legal aspects of all regulatory and communications activities.

He also provides outside privacy and security advice to Visa Inc. and DropBox Inc. The DropBox work is especially challenging because the company operates in so many jurisdictions around the world, each with differing rules and laws, he said.

Recently, he served as privacy and security diligence counsel for Visa during its $2.1 billion acquisition of Swedish open banking platform Tink.

Apart from his work for clients, Serwin chairs the board of National Cyber-Forensics & Training Alliance, a federally funded private organization. “We are basically an information-sharing organization that helps companies mitigate cyber threats by fusing together academia, law enforcement and the private sector,” he said.

In addition, he is the chief executive officer and executive director of the Lares Institute, a cybersecurity think tank he founded in 2011. “We’re advising the European Commission on digital transformation,” he said.

- Don DeBenedictis