Andrew Serwin is co-chair of Morrison & Foerster’s market-leading Global Privacy and Data Security Group and is an internationally recognized thought leader in the fields of privacy, cybersecurity, information governance, and information sharing. Mr. Serwin provides global advice to a number of emerging and Fortune 500 companies and handles some of the highest-profile data security incidents and privacy enforcement and litigation matters.
Mr. Serwin serves on the Board of Directors of the private sector of the federally- funded National Cyber Forensic Training Alliance (NCFTA), an entity that functions as a conduit between private industry and law enforcement, with a core mission to identify, mitigate, and neutralize cybercrime. In addition, he serves as an advisor to the Naval Postgraduate School’s Center for Asymmetric Warfare and is the CEO and Executive Director of the Lares Institute, a think tank focused on privacy, information superiority, and national security issues.
Clients turn to Mr. Serwin to provide global regulatory advice regarding privacy, security, and technology transactions, with particular emphasis on: international compliance; health care; security incidents; forensic investigations; remediation of security issues; government requests for information; COPPA; CAN-SPAM; mobile; behavioral advertising; ECPA and wiretap issues; electronic marketing concerns; social media; HIPAA; and compliance with FTC requirements. He has provided advice to companies in a diverse set of industries, including: technology; social media; financial services; health; retail; data brokers; online businesses; hospitality; utilities; and insurance. Mr. Serwin also has extensive global enforcement experience, having handled numerous high-profile enforcement matters. He also frequently represents companies in consumer protection and privacy litigation matters.
The only law firm lawyer ever to be named to Security Magazine’s prestigious “25 Most Influential Industry Thought Leaders,” Mr. Serwin was also named a 2015 Cyber Security & Data Privacy Trailblazer by the National Law Journal, recognizing the 50 people “who have helped make a difference in the fight against criminal cyber activity.” He was also ranked second in the most recent Computerworld survey of top global privacy advisors. He is also recognized by Chambers USA and Chambers Global (2009-2016) as one of the top privacy and data security attorneys. Chambers USA notes that Mr. Serwin “attracts praise for his consultative and strategic approach to complex matters” and is “savvy when dealing with regulatory bodies . . . very good on international issues.” He was described by clients as “a tireless worker, holding onto the ever-shifting puzzle pieces of the law in this area in a way that other privacy lawyers cannot” by Chambers Global. The Legal 500 has recognized him as a Leading Lawyer in data protection and privacy (2010-2016) and recommended him for cyber law (2016), and clients stated that he “understands business concerns and provides practical, to-the-point advice.” He was selected for inclusion in the San Diego Super Lawyers lists (2007-2015), including being ranked in the Top 50 lawyers of 2012. Mr. Serwin was selected by his peers for inclusion in Best Lawyers in America in the field of information technology law (2010-2015), where he was noted to be “one of the top privacy lawyers able to focus not only on the complexity of the laws in the United States, but also globally, including European data protection laws and the APEC privacy framework.”
Mr. Serwin is a noted public speaker and author, and has written the leading treatise on privacy and security, “Information Security and Privacy: A Guide to Federal and State Law and Compliance,” and “Information Security and Privacy: A Guide to International Law and Compliance” (West 2006-2015), collectively a 5,500-page, three-volume treatise that examines all aspects of privacy and security laws, published by Thomson-West. The treatise has been called “the best privacy sourcebook,” “an indispensable resource for privacy professionals at all levels,” and “a book that everybody in the information privacy field should have on their desk.” It was cited by Ostergren v. Cuccinelli, 615 F.3d 263 (4th Cir. 2010), and the international title was named one of Thomson-Reuters’s Best Selling Books for 2010.
Mr. Serwin is a co-author of “Health Care Privacy and Security” (West 2013-2015), “West’s Corporate Counsel’s Primer on International Privacy and Security,” and “Internet Marketing and Consumer Protection” (West 2005–2015). He was the lead author of Privacy, Security and Information Management: An Overview, published by the American Bar Association Business Law Section. He is also the author of several leading law review articles: “Privacy 3.0—The Principle of Proportionality,” 42 U. Mich. J.L. Reform 869 (2009); “Poised on the Precipice: A Critical Examination of Privacy Litigation,” 25 Santa Clara Computer & High Tech. L.J. 883 (2009), cited by Hammond v. The Bank of New York Mellon Corp., 2010 WL 2643307 (S.D.N.Y., June 25, 2010) and Joseph Oat Holdings, Inc. v. RCM Digesters, Inc., 2010 WL 5065037 (3d Cir. Dec. 13, 2010); and “The Federal Trade Commission and Privacy: Defining Enforcement and Encouraging the Adoption of Best Practices,” 48 San Diego L. Rev. 809 (2011).
A member of the Board of Directors of the Securing Our e-City Foundation, Mr. Serwin previously served as general counsel of the RIM Council of the Ponemon Institute, LLC; the University of San Diego School of Law Alumni Board; the Law Practice Management and Technology Section of the State Bar of California; and is a current member of the Data Privacy Day Advisory Committee, as well as a member of the International Advisory Council of APCO Worldwide (a group of more than 60 recognized global leaders and policy experts). He previously served as co-chair of the Survey Committee of the American National Standards Institute’s report on PHI, as well as of the privacy and the legal subcommittees of the Public Service Accounting Board (PSAB) of the California Health and Human Services Agency. He also previously served as co-chair of the California State Bar’s Cyberspace Law Committee, as a member of the Committee of Administration of Justice, and as a member of the San Diego County Bar Association’s delegation to the Conference of Delegates to the State Bar of California. Mr. Serwin served as a member of the Publications Board for the Business Law Section of the American Bar Association, as well as on the San Diego Venture Group’s PitchFest Board. He is a member of the editorial board of the Cyberspace Lawyer.
Mr. Serwin received his J.D. cum laude from the University of San Diego School of Law in 1995, where he was a member of the Order of the Coif. He earned his B.A. in political science cum laude from the University of California, San Diego, in 1992, where he was a member of the Provost’s List (1988-1992). He is admitted to practice law in California, New York, and the District of Columbia.
In the Matter of Spokeo, Inc.
Represented Spokeo, a data broker, in the first FTC matter alleging violations of the FCRA and Section 5, arising from the sale of Internet information, as well as an alleged violation of the endorsement guidelines.
In the Matter of CVS Caremark
Represented CVS Caremark before the FTC and the Office of Civil Rights in connection with a consent decree and resolution agreement arising from allegations related to information security.
In the Matter of Playdom, Inc., a subsidiary of Disney Enterprises, Inc.
Represented company before the FTC in an investigation alleging a violation of COPPA and Section 5.
In the Matter of MySpace, Inc.
Represents company before the FTC in connection with a consent decree arising from an alleged violation of Section 5 based upon information privacy concerns.
TrafficSchool.com, Inc. v. EDriver Inc.
653 F.3d 820, 2011 WL 3198226 (9th Cir. 2011). Represented appellants in a case involving First Amendment and Lanham Act issues. Obtained appellate decision ordering reconsideration of a permanent injunction on First Amendment grounds that ultimately resulted in the vacation of a permanent injunction that mandated a “splash page” on a website.
Pulte Homes, Inc. v. Laborers‘ International Union of America
648 F.3d 295 (6th Cir. 2011). Obtained reversal of district court ruling that a union’s alleged misuse of phone system and emails did not state a claim for violation of the Computer Fraud and Abuse Act (CFAA).
Represent numerous clients in investigations related to information security by the OCR, the Office of the Inspector General, and state attorneys general.
Blue Cross of California Website Security Cases.
Represented the defendants in a series of consolidated class actions arising from an alleged data security incident.
People of the State of New York v. Synergy 6, Inc., et al.
Represented two of the defendants in an action brought by Eliot Spitzer arising out of the alleged improper sending of commercial emails. The case sought $20,000,000 in civil penalties and was ultimately resolved for $50,000.
Represented a Fortune 20 company in a multistate attorney general investigation arising out of false claims allegations.
Smith v. Trusted Universal Standards in Electronic Transactions, Inc.
2010 WL 1799456 (D.N.J., 2010). Obtained dismissal of privacy litigation based upon allegations of wiretapping.
Yahoo, Inc. v. XYZ Companies
Represented Yahoo in a matter based upon allegations of trademark infringement, spamming, and deceptive claims regarding online lotteries.
Stone v. Howard Johnson International, Inc
Representing the defendant in a class action based upon allegations of wiretapping.
Mirkarimi v. Great Lakes Higher Education Corporation
Representing the defendant in a class action based upon allegations of the improper recording of telephone calls. Case was voluntarily dismissed.
Davis v. Carbonite, Inc
Represented Carbonite in a putative class action arising from data loss allegations. The matter settled on confidential terms and was dismissed, with prejudice, before class certification.
Raymond James Financial Services, Inc. v. Otteman
Represented Raymond James in an action alleging the improper use and disclosure of sensitive information on the Internet, and obtained a temporary restraining order (TRO) enjoining the defendant from disclosing information, and requiring the destruction of the information.
Welsh v. Acxiom Corporation
Represented Acxiom in a matter alleging unfair competition, trade secret violations, and interference torts.
People of the State of California v. American Home Craft, Inc., et al.
Represented the defendants in an action brought by the California attorney general alleging a violation of the federal Do-Not-Call Act and California’s Unfair Competition Law (UCL).