Michael La Marca

Mike’s practice focuses on privacy, cybersecurity and data protection issues. Mike advises clients on a diverse range of global privacy and information security issues. A significant focus of his practice is assisting a variety of clients, from multinational companies to startups, with evaluating and managing privacy and cybersecurity risks and policy issues. Much of his work has centered on navigating complex privacy and cybersecurity issues on behalf of companies in the financial services industry as well as companies engaged in cutting-edge technologies and information practices, such as AI/machine learning, biometrics, geolocation tracking, and Internet of Things (IoT) devices.

Mike has extensive experience advising clients on compliance with federal, state and international privacy and data security laws. He also regularly assists companies with building and implementing their privacy and information security programs and addressing related governance issues, including developing written policies and procedures; designing incident response programs and conducting breach response preparedness activities; developing cross-border data transfer solutions; preparing data protection impact assessments; and developing and enhancing vendor management programs. He also regularly assists clients with negotiating commercial transactions, including privacy, cybersecurity and data monetization issues in commercial contracts and M&A transactions.

Mike’s practice also focuses significantly on helping clients manage large-scale cybersecurity incidents, including advising on data breach response and notification obligations, providing advice regarding communications strategies, engaging third-party experts, and managing US and international regulatory investigations.

Mike also advises numerous clients on managing AI-related legal risks at each stage of the AI lifecycle, including issues related to privacy and cybersecurity, the protection of proprietary information and other commercial assets, fairness and bias, and regulatory compliance. He regularly assists clients with structuring and implementing cross-functional AI governance and risk management programs and negotiating AI agreements.

Mike also has significant experience advising clients on electronic monitoring and surveillance issues, including legal issues and risks associated with the Electronic Communications Privacy Act (ECPA) and Foreign Intelligence Surveillance Act (FISA).

Mike is a certified information privacy professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).

In addition, Mike maintains an active pro bono practice. He has represented pro bono clients in asylum cases and has advised a variety of issues, including privacy and cybersecurity obligations and US national security policies and regulations.

• Advising numerous clients on compliance with the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act (CPRA), and the Virginia Consumer Data Protection Act, including conducting due diligence, preparing gap analyses, developing remediation plans, and undertaking compliance projects.
• Advising multiple technology and financial services companies, on developing and managing global privacy programs, including assessing global legal requirements and developing compliance roadmaps, conducting data protection impact assessments, implementing privacy governance structures, designing policies and procedures, and creating training programs.
• Advising financial services clients on compliance and managing risk associated with privacy, data security and incident response requirements, including under the Gramm-Leach Bliley Act and its implementing regulations and guidance and the New York State Department of Financial Services cybersecurity regulations.

• Advising numerous clients on building compliance programs and managing risk associated with biometric technology initiatives.
• Assisting numerous client with implementing AI governance programs and evaluating AI-related legal risks.
• Represented multiple clients, including in the financial services, consumer technology, critical infrastructure, and retail sectors, on global privacy and data security matters, including implementing and enhancing global data protection programs, advising on relevant privacy and cybersecurity requirements, and assisting with data security incidents.
• Advised several fintech companies on global privacy and data security issues, including regulatory compliance, data sharing arrangements, cyber preparedness, and incident response.
• Assisted a global retail and technology company with a cybersecurity incident affecting approximately 150 million user accounts, managing response efforts including notification, follow-up investigations by regulators and data protection authorities, and resulting litigation.
• Advises multinational companies on privacy and cybersecurity due diligence issues.
• Advises clients on managing U.S. and international regulatory inquiries in connection with information security incidents, including FTC and state Attorney General investigations and enforcement actions.
• Advises technology companies, retailers, consumer goods companies and financial institutions on data breach response, including preparation of required notifications pursuant to state breach notification laws, call center training and development of media strategies.
• Represented numerous multinational companies with managing and responding to global security incidents, including ransomware, credential stuffing attacks, and advanced persistent threats.
• Provides advice on cybersecurity risks, including proactive breach readiness activities such as developing data breach toolkits, reviewing incident response plans and preparing tabletop exercises.
• Drafts comprehensive data protection policies, standards and procedures in connection with corporate privacy and information security programs.
• Assists numerous clients with implementing a vendor management program, including evaluating and negotiating privacy and data security provisions in vendor agreements.
• Advises clients on risk mitigation and compliance strategies associated with monitoring and surveillance issues.
• Advises clients on their international data transfer strategies, including mechanisms for addressing the Court of Justice of the European Union’s Schrems II ruling.

• Recommended for Cyber Law (Including Data Privacy and Data Protection), Legal 500 United States, 2023-2024
• Recognized in Global Data Review’s 2021 40 Under 40 List