Andrew Lewis, CIPP/US, is an attorney in the firm's privacy and security group. He has broad litigation and counseling experience, drawing on years of representing some of the largest technology, retail, and media companies in the country to provide exceptional counsel to clients on all matters regarding cybersecurity, privacy, incident response, and related investigations.
Andrew specializes in advising cloud service providers and technology companies on strategies to identify and mitigate their most complex information security challenges, including drafting written information security policies, incident response plans and policies, data classification policies, and cybersecurity standards, as well as advising clients on incident response handling, including pre-breach tabletop exercises and post-breach investigations and notification requirements.
An effective solutions-oriented attorney, Andrew has broad knowledge of data security laws and regulations and provides practical, actionable advice on compliance requirements related to information security and data privacy laws and frameworks in the United States and abroad, including the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and implementing regulations issued by the Cybersecurity & Infrastructure Security Agency (CISA); the California Consumer Privacy Act (CCPA) and its cybersecurity audit regulations; the Gramm-Leach-Bliley Act (GLBA), including the Consumer Financial Protection Bureau's (CFPB) Regulation P and the Federal Trade Commission's (FTC) Safeguards Rule; the Communications Act and regulations issued by the FCC; the Health Insurance Portability and Accountability Act (HIPAA) and its implementing rules; Executive Order 14028 (Improving the Nation's Cybersecurity); the NYDFS Cybersecurity Regulation; the Payment Card Industry Data Security Standard (PCI DSS); the European Union's NIS2 Directive, Digital Operational Resilience Act (DORA), and Cyber Resilience Act (CRA); and state privacy, data breach, and data security laws.
Andrew also works closely with federal and state contractors on information security and privacy requirements for procurement programs, including requirements of the Federal Risk and Authorization Management Program (FedRAMP), StateRAMP, the Cybersecurity Maturity Model Certification (CMMC), the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and special publications by the National Institute of Standards and Technology (NIST).
Andrew regularly advises companies on information security and privacy risks related to mergers and acquisitions, including companies looking to acquire FedRAMP authorized services.
Also trained in economics, political science, and public policy, Andrew was an intern on Capitol Hill in Washington, D.C., and worked in legal and judicial consulting before practicing law.
Admitted to Practice
- California, 2014
- U.S. District Court, Northern District of California
- U.S. District Court, Eastern District of California
- U.S. District Court, Western District of Texas
Education
- J.D., University of Pennsylvania Law School, 2014
- B.A., Economics and Political Science, University of California, Los Angeles, 2009
- Certificate in Management, University of Pennsylvania, Wharton School
Memberships & Affiliations
- International Association of Privacy Professionals
- UCLA Center for American Politics and Public Policy, Washington, D.C.
Professional Recognition
- Named "One to Watch" by Best Lawyers in Commercial Litigation, 2021-2026
Background
- Associate, Fenwick & West LLP, San Francisco, 2020-2023
- Associate, Morgan, Lewis & Bockius LLP, San Francisco, 2014-2020
- Research Assistant, Trial-Partners Inc., Los Angeles, 2009-2011
- Intern, Sen. Dianne Feinstein, Washington, D.C., 2007-2008