Andrew Gray

Andrew Gray advises multinational and emerging companies alike on a variety of information security, workplace privacy, cybersecurity, background checks and credit reporting, and other data-related issues, with a particular emphasis on data security incident response and compliance with U.S. and international privacy laws. He is a core member of Littler’s market-leading Privacy and Data Security and Background Checks practice groups.

Andrew has focused his practice on these areas since joining Littler directly out of law school, and leverages his experience to offer a practical approach in helping clients with:

• Building and operationalizing privacy and data protection programs, in compliance with U.S. state and federal privacy laws and regulations, health privacy laws and other sector-specific requirements, and global privacy developments and legislative changes;
• Managing all facets of data security incident response and breach notification, including initial containment and investigation, liaising with third-party experts and law enforcement, drafting individual notifications, FAQs and communication strategies, and reporting to government regulators and credit reporting agencies;
• Handling responses to breach-related inquiries from Attorneys General, other U.S. state and federal regulators, and global data protection authorities;
• Drafting and negotiating data processing agreements, business associate agreements, and other privacy-related contracts provisions with service providers and other third parties;
• Establishing compliant employee background checks and screening programs, preparing applicable notices, forms, and other required documentation, and providing strategic advice to navigate the patchwork of federal, state, and local “ban-the-box,” consumer reporting, and “fair chance” laws;
• Assessing and implementing new AI tools, biometric technologies, “bring-your-own-device” programs, wearable devices, employee monitoring and surveillance, cookies and similar online tracking tools, and other data-driven consumer or workplace technologies;
• Developing workplace policies and procedures, website privacy policies and other consumer- or employee-facing notices, outsourcing agreements and other vendor contracts, and related privacy and compliance functions;
• Advising on multinational compliance issues, including conducting risk assessments, cross-border data transfer requirements, and implementations related to global expansions and other corporate transactions;
• Taking proactive steps to prevent fraud, insider threats, and other security risks throughout the hiring and employment lifecycle; and
• Training legal, compliance, security, HR and marketing teams on key privacy, data security, and background checks issues.

As a Certified Information Privacy Professional (CIPP/US), Andrew understands clients’ businesses and the complex legal and regulatory challenges they face. This includes regularly counselling clients on:

• The California Consumer Privacy Act (CCPA), Colorado Privacy Act, Texas Data Privacy and Security Act, and other comprehensive state data protection laws;
• The EU General Data Protection Regulation (GDPR), Brazilian Data Protection Law (LGPD), Mexico’s Federal Law on the Protection of Personal Data, and other global data protection laws;
• The Health Insurance Portability and Accountability Act (HIPAA), California Confidentiality of Medical Information Act, the Washington My Health My Data Act, and related health privacy laws;
• The Fair Credit Reporting Act (FCRA), California’s Investigative Consumer Reporting Agency Act (ICRAA), and similar consumer reporting laws;
• Various state and local fair chance, ban-the-box, and employment screening laws and regulations;
• The Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws;
• The Electronic Communications Privacy Act (ECPA), Stored Communications Act, and numerous state wiretapping, recording, surveillance, and tracking laws, such as the California Invasion of Privacy Act (CIPA);
• U.S. state and federal information security and data breach notification laws, and similar global breach notification requirements;
• Legal and regulatory requirements on artificial intelligence and machine learning, including the Colorado AI Act, and New York City’s Automated Employment Decision Tool regulations; and
• Social media, electronic marketing, and other communications laws, including the Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act.

Andrew also brings experience advising clients and collaborating with Littler colleagues on matters intersecting with privacy and data security, including issues involving state and federal laws and regulations on labor and employment, employee benefits, consumer protection, and national security. He is also a frequent speaker and writer on subjects relating to workplace privacy and information security.

Andrew is an Austin native, and received his J.D. from the University of Texas School of Law, where served as managing editor of the American Journal of Criminal Law. He is also a former NCAA baseball player, and an Eagle Scout.