Jennifer C. Archie

Jennifer’s experience includes:

US Privacy Litigation

• Quon v. Arch Wireless 
• Satterfield v. Simon & Schuster
• People v. Delta Air Lines
• FTC Enforcement Orders agreed with VIZIO (Smart TV privacy), Instant Checkmate/Truthfinder (data broker), HyperBeard (COPPA), Miniclip (COPPA), Cory Rellas (Drizly data secuity), among others
• HHS Corrective Action agreed with large healthcare organization

Cyber Security Incident Response

• Ransomware/Extortion: Advised public and private companies on all aspects of technical and legal response to ransomware and other threats, across diverse industries, such as fintech, cybertech, SaaS, healthcare, and commercial real estate, telecom. 
• Supply chain security: Represented power grid vendor in multiple complex cybersecurity and data leakage matters involving electricity reliability and supply chain security (B2B security promises).
• Advanced malware: Served as lead legal advisor to multiple global enterprises (gross revenues exceeding US$10 billion) following state-sponsored advanced persistent threat cyberattacks targeting highly sensitive corporate data (i.e., where external direct expense on investigation and recovery have exceeded US$25 million)
• Insider threat: Lead advisor to technology companies following discovery that employees or vendors have improperly handled critical intellectual property, including supervising key crisis workstreams, such as employee interrogation, expert forensic investigation, dark web research, and other damage assessment; communications with external stakeholders; internal remedial actions; and follow on whistleblower issues.
• Personal data: Supervise forensic, investigatory, insurance, advisory, and litigation workstreams in connection with theft or leakage of consumer or employee data on behalf of dozens of clients in consumer, healthcare, retail, professional services, and technology sectors.
• Denial of Service.Credential stuffing: Advised financial institutions, software-as-service-provider, online platforms, and other companies on suspected distributed denial of service attack.
• Leakage/Loss of Confidential Data: Handled major leaks/hacks of sensitive consumer data not fully secured against such attacks or access in cloud storage, working with leading forensic advisors to understand and mitigate root cause, manage legal reporting obligations, and supervise regulatory response.

Regulatory Enforcement 

Jennifer has particular expertise defending clients in Federal Trade Commission and state consumer protection investigations and preparing for and leading the response to complex and large-scale data breach incidents. 

• Defended FTC matter contending that online businesses that sell access to contact information and background reports, lacked sufficient internal controls to prevent employers and landlords from accessing information like arrest records in order to deny consumers their Fair Credit Reporting Act rights. Following a multi-year investigation, matter resolved with nominal payment and a corrective action plan providing much-needed clarity for sellers of non-FCRA public data. (Instant Checkmate/Truthfinder)
• Defended first-ever FTC matter involving allegations of individual executive liability arising from company data breach, imposing limited post-employment information security management responsibilities (Drizly) 
• Represented large healthcare organization regarding breach of patient data, including crisis response, forensic and investigations, damage assessment, breach reporting to impacted parties, liaising with governmental authorities, insurance liaison and recovery, and supporting defense of class actions
• Lead counsel to online casual gaming company in FTC investigation into compliance with Section 5 of the FTC Act and the Children’s Online Privacy Protection Act (Miniclip)
• Defended mobile app company in resolving an FTC investigation into compliance with Section 5 of the FTC Act and ’COPPA (HyperBeard)
• Defended Smart TV manufacturer in FTC and New Jersey AG investigation of viewing data collection and use practices ; in this precedent-setting enforcement action, the FTC established a new industry standard for data collection from Smart TVs (VIZIO)
• Defended an email marketing platform, hospitality company, consumer technology and other businesses in a California Attorney General enforcement inquiry regarding compliance with the California Consumer Privacy Act (CCPA)
• Represented multibillion-dollar healthcare provider in US Department of Health and Human Services (HHS) investigation and resolution of HIPAA violations associated with inadvertent leakage of patient data to the internet (NY Presbyterian)
• Defended a FTC civil investigative demand served on a national retail brand related to potential violations of federal laws and regulations governing using dealers to conduct outbound telemarketing and lead generation activities (closed without enforcement action)
• Defend regulator consumer protection-based inquiries into account takeover fraud, credential stuffing, brute force attacks, and other fraud and security matters (all closed without enforcement action)
• Defended Family Products LLC (direct response marketing/ infomercial company) in a multiyear FTC investigation into allegedly deceptive claims or practices regarding recurring payments, claims and substantiation, and testimonials and endorsements 
• Defended marketer of debt relief solutions in FTC investigation of telemarketing and financial practices (Southeast Trust)
• Defended Delta Air Lines in first-ever state AG enforcement action under Calif Online Privacy Protection Act, securing dismissal upheld on appeal, establishing pre-emption of AG authority over airline privacy practices under federal ADA
• Defended a client in an FTC investigation of mobile gaming platform compliance with COPPA (closed with closing letter) 
• Defended retail client (>US$18 billion revenue) in two successive FTC investigations of adequacy and reasonableness of information security and anti-fraud measures in connection with website and mobile application (closed voluntarily without public disclosure)
• Defended online rewards and survey site regarding FTC investigation into collection, use or sharing of precise geo-location data (closed without enforcement)

Advisory

• Competitively selected as designated outside counsel on data security matters for multibillion-dollar enterprises across diverse industry sectors, including asset managers, a global telecommunications conglomerate, a global retail and investment bank, a commercial airline, global accounting firms, global engineering firms, healthcare providers, technology companies, and online and retail companies
• International data privacy audits and global compliance solutions for multibillion-dollar global professional services firms with a significant Middle East presence
• Regularly advising large financial institutions, investors, and private equity clients on due diligence with respect to cybersecurity risks in connection with investments, acquisitions, and public offerings 
• Standing up and documenting new service offerings and proprietary technologies, enabling entities to exchange consumer data across heterogeneous IT systems and databases, using advanced AI and data analytics tools
• Standing up corporate structure, regulatory compliance, and outsourcing agreements for a highly advanced, secure, interoperable technology platform for hospitals and other healthcare industry members, involving the exchange and processing of protected health information to support treatment decisions 
• Crafting customer loyalty and rewards programs in compliance with privacy and other consumer protection laws
• Social media integration into consumer engagement programs
• Application of US privacy laws, including FCC, FDA, and FTC regulations and state law requirements
• Developing the contract forms to protect against liabilities associated with advanced data sharing and analytics projects (e.g., use of technology, insurance, improved processes and procedures) without adverse effect on initiative profitability 
• Documenting and arranging lawful transfers of personal data to US-based networks, systems, and applications
• Privacy statement and policy development for dozens of US, Middle Eastern, and EU companies across all industries
• Internal privacy documentation to implement privacy-compliant operational processes and data protection by design and default

Thought Leadership

• Speaker, “CPOs and CISOs: Getting Your Privacy and Cybersecurity House in Order,” PLI Privacy and Cybersecurity Law Institute, June 2024
• Speaker, “Data Brokers In The Crosshairs: Regulatory, Legislative, and Enforcement Trends and Insights,” Privacy + Security Forum, May 2024
• Speaker, “Cyber Regulations: The New SEC and NYDFS Rules,” Women Leaders in Cybersecurity, NYU School of Law, January 2024
• Speaker, “Communications as Key: How Communications Preparedness, Not Just Protections, Will Save Your Privacy Practice, ” Privacy + Security Forum, November 2023
• Speaker, “Handling a Breach: Mitigating Liability Through Compliance,” ALM Women, Influence & Power in Law (WIPL) Conference, October 2023
• Speaker, “Incident Response: State of Play 2023,” Cybersecurity Docket Incident Response Forum Masterclass, April 2023
• Speaker, “The Cost of Inadequate Security Measures: How Private Parties and Federal and State Regulators Seek Redress After a Health-Data Breach,” ABA Healthcare Cybersecurity, 2020
• Co-author, “The Definitive Cybersecurity Guide for Directors and Officers (Chapter 21: Cybersecurity Due Diligence in M&A Transactions: Tips for Conducting a Robust and Meaningful Process),” Latham & Watkins Article, October 2015
• Speaker, “2015 Cyber Risk and Directors & Officers Forum.” Latham & Watkins