You are here

Cyber and Data Security

Legal, technical and commercial expertise to keep your business cyber secure


Strategies that make the most of technology bring significant efficiencies and growth opportunities, but also a range of risks.

Our global cyber and data security team has an unrivalled breadth and depth of expertise and includes specialists from our data privacy, dispute resolution, financial services regulatory, corporate crime and investigations, insurance and employment practices, amongst others.

As a global full service firm, we are able to advise on cyber security issues wherever they may arise, and simultaneously across multiple jurisdictions where an incident requires it. We work closely with third party experts, such as forensic consultants, PR consultants etc., as needed to manage data incidents.

Our team advises across the full cyber security lifecycle, including before-the-event cyber risk management and advisory, incident response (including data breaches) and non-contentious transactional and project work.

Find out more about that here.

We have also developed an in-house software tool and workflow which allows us, efficiently and cost-effectively, to identify the personal data that has been compromised in a data breach and the risk to individuals concerned.

Read more here.



Our approach in more detail

We advise across the full cyber security lifecycle, including before-the-event cyber risk management and advisory, incident response (including data breaches) and non-contentious transactional and project work.

Some examples of this are illustrated in the below carousel.


Before-the-event cyber risk management and advisory

Cyber risk assessment and management, drafting policies and procedures, contractual review, data protection compliance and policies, regulatory compliance, procurement (such as contractor vetting and contractual protections), data retention and insurance.



Incident response

Full incident management, advice on discrete elements, investigating and coordinating the response in conjunction with internal or third party technical incident response teams, regulatory notifications and reporting, liaison with data protection authorities and law enforcement, management of communications with affected parties and the media, handling of any ensuing litigation (including class actions).



Transactional and project work

Advice on cyber and data security issues as part of transactional work, joint ventures, projects work and outsourcing including cyber security due diligence, supply chain risk management or contractual reviews.



We approach cyber security on the basis of the full cyber security lifecycle (for example as embodied in NIST's cyber security framework), which we summarise below:

Identify - threat / risk assessment


We tailor our approach to your business, working flexibly with your existing cyber teams, and any existing policies and procedures to provide bespoke and practical advice as required. We can also draw upon our local country and regional experts. Many of our team have technical backgrounds, enabling them to understand the technical causes and implications of cyber issues, and to work seamlessly with your internal IT teams or third party technical consultants.

Our global coverage enables us to offer 24/7 incident response, advice and assistance where necessary.



Our data breach response capability

Cyber security incidents and data breaches require an immediate, decisive and multi-disciplinary response. We offer this through our unrivalled breadth and depth of expertise spanning cyber security, data privacy, financial services regulatory, corporate crime and investigations, dispute resolution, insurance and employment.

Breaches frequently cross geographical and jurisdictional borders. We have experts in our 27 global offices together with a network of ‘best-friend’ firms enabling us to assist you wherever you need it.

We will immediately assemble the right team to be by your side in those crucial first hours and days of a crisis. We will support you to respond quickly and to mitigate the risks arising from the incident. We have decades of experience helping clients take control of all aspects of crises.

We can liaise with regulators where necessary, and have proprietary tools to assist in identifying what personal data has been breached so that it can be reviewed and assessed quickly and accurately in order to inform notification decisions.

We can help to address disputes and claims arising from an incident through our top tier dispute resolution and class action practice, and can also assist with obtaining injunctions to contain incidents where personal data or intellectual property are published online.

Our cyber insurance experts know how to manage cover and recovery in a cyber-incident to limit the financial impact that a breach could have.


We have developed an in-house software tool and workflow to work as part of our multi-disciplinary approach which helps us, efficiently and cost effectively, to identify the personal data that has been compromised and the risk it poses to the individuals concerned.

This will put structure around unstructured data by rapidly identifying the most significant and sensitive personally identifiable information and prioritising that for review. The tool helps to identify where the affected data subjects are and helps produce distribution lists for subsequent notification, thereby providing not only a swift decisive response to the incident but also aiding compliance with the GDPR and other international data protection regulation.

Our software and workflow brings together our global legal experts, our global Alternative Legal Services document review teams and Legal Process Management teams to provide a seamless and cost effective process. This complements our best-in-class document review platform (Relativity) which offers powerful predictive coding and keyword searching capabilities to assist in the review of the compromised materials.

Recent Experience


Assisting on privacy law reform, big data analytics, loyalty programs, privacy training, regulatory investigations, direct marketing and targeted advertising across multiple channels including email, web, social media and mobile apps.


Assisting in relation to all aspects of its data breach involving customer information, including liaising with regulators in four countries, advising the board, preparing external communications and reviewing relevant agreements.  

A global financial services company

We are appointed as the sole APAC and EMEA cyber security counsel to a global financial services company to assist in managing cyber security risks and incidents across 26 countries.


We are the preferred cyber security legal counsel to an energy multinational, advising globally.

a global company

We acted for a global company in relation to incident response following the inadvertent disclosure of the entirety of its global HR database to an unrelated third party by one of its cloud service providers. The incident affected employees in multiple jurisdictions across Australasia, Europe and the Americas. Herbert Smith Freehills London coordinated the global response (engaging local counsel where required). 


We advised a global investment bank in relation to a cyber security incident which saw US$40 million taken from a number of accounts, including reporting to and subsequent liaison with the relevant regulators, and on litigation by the account holders seeking to recover their losses from the bank. 


Andrew Moir, Global Head of Cyber and Data Security "is absolutely the lawyer you want at your side if you suffer a cyber attack".

Legal 500, Data Protection, privacy and cybersecurity, 2020
Miriam Everett

Miriam Everett, Head of Data Protection "provides technically sound advice and is commercial in her approach."

Legal 500, data protection and cyber security 2018

“Very good at advising on the cutting-edge developments in this area”

Chambers 2017, Data Protection and Cyber security

“Fantastic level of service, paired with very responsive and practical guidance and an efficient approach”

Legal 500 UK 2017 Risk Advisory, Data Protection, Privacy and Cyber Security
The Data Economy

Data has evolved to become the lifeblood of global trade. Data connects almost every aspect of modern life, and the commercial value and opportunities attributed to data have increased dramatically in ways that were not previously possible.

Find out more

Insights and updates

25th November 2022
Building a robust data governance and privacy compliance regime requires strategic planning and meaningful business...
22nd August 2022
Like all forms of insurance, the cover actually provided by policies which might be thought...
5th October 2022
Recent amendments to the Security of Critical Infrastructure Act 2018 (“the Act”) constitute some of...
5th May 2022
Our technology disputes practitioners have recently published a Q&A in Practical Law on Disputes in...

Our People