Heather Egan
Heather Egan is a leading practitioner in cybersecurity, privacy, incident response, and information management. For nearly 25 years, Heather has advised on privacy and cybersecurity laws worldwide, developing a broad understanding of how multinational businesses have adapted their practices to evolving laws. She provides strategic advice to clients, including some of the world’s most recognizable brands, seeking to leverage emerging technologies, including artificial intelligence and advertising technology. Chambers recognizes her as “really sharp and impressive” and “thoughtful, strategic, and proactive.” Whether helping clients navigate a cyber crisis, build global privacy compliance programs, or deploy new products or services in an uncertain regulatory environment, Heather assists companies in solving their most pressing cybersecurity and privacy challenges.
Heather helps companies navigate security and privacy incidents and guides them through investigation, remediation, notification, and any ensuing government inquiries. Heather provides comprehensive crisis management support, managing the legal risks of cyber crises, investigations, and government enforcement actions.
To help clients navigate complex global regulatory compliance challenges, Heather builds global privacy programs, leads comprehensive cybersecurity and privacy assessments, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She frequently counsels businesses on ways to mitigate risks associated with the collection, use, retention, disclosure, transfer, and disposal of personal data.
Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe, including Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act (FCRA), Gramm–Leach–Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and the Telephone Consumer Protection Act (TCPA). She also works with clients on state breach notification laws, state data security laws, self-regulatory frameworks (advertising and payment card processing) and several state privacy laws: California’s Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Virginia Consumer Data Protection Act (VCDPA), and the increasing number of US state privacy laws, designing flexible, scalable compliance programs that meet clients’ needs.
- Performed privacy, security and digital needs assessment for consumer products company with operations in more than 100 countries around the globe
- Managed a team providing advice to a US-based technology company on privacy and security compliance relevant to planned expansion in Europe, Middle East, Africa and Asia
- Developed a global privacy program for a major food products company operating in more than 40 countries around the globe
- Created and implemented a bring your own device global strategy for a major healthcare industry multinational
- Performed a privacy and security compliance assessment for a US public company in the manufacturing industry, which has operations spanning four continents
- Advised a major academic institution on the full range of acceptable information use and sharing practices in light of the differing ways and roles in which the university may receive information, including on-campus clinics, campus police, admissions, hosting e-mail and social media platforms, and more
- Addressed privacy and security aspects for a US and EU rollout of a popular mobile application and provides continuing support through the rollout of additional versions, features and technologies, particularly as the company contemplates new data uses
- Guided multiple major multinational corporations through US/EU/Swiss Safe Harbor certification and re-certification
- Advised a major US healthcare provider on integrating federal contracting requirements into existing privacy and security compliance program
- Drafted and revised a website privacy statement of an intelligent media company to address data collection, use, and disclosure through multiple platforms, including website, mobile, and social, as well as integrating client's existing safe harbor policy
- Developed a privacy and security infrastructure for companies in a broad array of business sectors in connection with the implementation of US state and federal privacy and security laws and regulations
- Successfully resolved numerous US state and multi-state attorney general investigations following data incidents, including security breaches
- Successfully litigated claims against departing executives absconding with client confidential information, including regulated data
- Regularly advises both small and large financial institutions, healthcare institutions, and other general industry companies that have experienced security breaches and other security events involving personal data
- Boston College Law School, 2000, J.D.
- University of Massachusetts Dartmouth, 1996, B.A., magna cum laude
- Massachusetts
- US Court of Appeals for the Seventh Circuit
- US District Court for the District of Massachusetts


Listed, The Best Lawyers in America, Privacy and Data Security Law, Boston (2026)
Listed, Lawdragon’s 500 Leading Global Cyber Lawyers, Boston, Cybersecurity, Privacy, Information Management (2025)
Listed, Hall of Fame, Cyber Law (including data privacy and data protection), Legal 500 (2024)
Listed, Technology Transactions, Super Lawyers (2024)
Listed, “Incident Response 40,” Cybersecurity Docket (2020-2024)
Named, "AI Visionaries," Relativity (2022)
Named, Client Service All-Star, BTI Consulting Group (2022)
Named, Go To Lawyers, Cybersecurity & Data Privacy, Massachusetts Lawyers Weekly (2022)
Ranked, Band 2, Privacy & Data Security, USA, Chambers Global (2024)
Ranked, Band 1, Privacy & Data Security: Adtech, Nationwide, Chambers USA (2025)
Ranked, Privacy & Data Security: Cybersecurity, Nationwide, Chambers USA (2025)
Ranked, Privacy & Data Security: Privacy, Nationwide, Chambers USA (2025)
Member, Boston Bar Association, Intellectual Property Law Section Steering Group
Member, International Association of Privacy Professionals
