Brian J. McGinnis

Brian McGinnis is a founder and co-chair of Barnes & Thornburg’s Data Security and Privacy Law practice group, a Certified Information Privacy Professional (CIPP/US), and the firm’s chief privacy officer (CPO). With nearly 20 years of experience, Brian's practice is strategically focused at the critical intersection of law and technology, providing comprehensive guidance to clients navigating the complex digital landscape.

Brian provides experience-tested guidance on a broad range of technology-based legal matters spanning privacy and data security, intellectual property, artificial intelligence (AI), corporate transaction, software, and internet law. Brian offers his clients practical, risk-based solutions that effectively balance legal obligations with business goals. His incisive understanding of privacy and technology law enables him to help clients overcome their legal challenges in the rapidly evolving digital environment.

Brian works closely with the firm’s cybersecurity, IP, corporate, and marketing teams to provide holistic, multidisciplinary advice tailored to each client's unique needs. He believes that effective legal counsel in the digital age requires not just know-how, but also a commitment to understanding each client's specific business challenges. Brian strives to be not just a legal adviser, but a strategic partner, offering proactive, business-minded solutions that promote adherence to current legal obligations and also prepare clients to tackle emerging technology-related challenges.

In addition to his client work, Brian serves as Barnes & Thornburg's first appointed CPO, leading the firm's internal data privacy program and initiatives. In this role, he guides the firm on practical implementation of privacy principles, further enhancing his ability to provide insightful and experience-tested guidance to clients facing similar challenges.

Privacy and Data Protection 

Brian operates an international privacy and data protection practice, advising multinational corporations and emerging growth companies from around the world on a full range of privacy and data protection matters. 

He serves as outside privacy counsel to clients to develop privacy programs in compliance with evolving U.S. and global privacy laws, such as the EU General Data Protection Regulation (GDPR), and U.S. state privacy laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). He further advises clients regarding data breach response and regulator enforcement matters involving the Federal Trade Commission (FTC), state attorneys general, and European Data Protection Authorities. 

Privacy Compliance Strategy and Program Development

Leveraging a deep understanding of U.S. and global privacy laws, Brian strategically develops robust yet operational data protection programs to help clients meet their legal compliance obligations. His experience includes:

• U.S. state privacy laws (e.g., California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA))
• International regulations (e.g. EU General Data Protection Regulation (GDPR))
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Data breach notification laws
• Federal Trade Commission (FTC) standards

Brian takes a proactive approach to compliance by developing tailored policies and procedures that target key actions such as:

• Data flow mapping and analysis, including cross-border data flows
• Privacy notice development for domestic and international data subjects
• “Do Not Sell My Personal Information” assessments
• Vendor management and data privacy agreements (DPAs)
• Data subject access requests (DSAR) 
• Data sharing agreements (DSAs)
• Data privacy impact assessments (DPIAs)
• Notice and consent strategies compliant with global standards
• Legal basis identification for data processing in various jurisdictions
• Cross-border data transfer strategies, including Standard Contractual Clauses (SCCs) assessments and the EU-U.S. Data Privacy Framework (DPF)
• Compliance program documentation for domestic and international operations
• Risk mitigation strategies for global data protection challenges

Brian's experience additionally covers the privacy implications of emerging technologies like AI, big data, and biometrics. Through guiding clients on strategically implementing these cutting-edge technologies, Brian helps clients leverage these powerful tools in compliance with relevant law.

Brian is extensively engaged in advising international clients expanding into or out of the U.S. on navigating the intricate realm of domestic and global privacy regulations. His counsel enables clients to make well-informed choices, craft compliant data protection frameworks, deftly maneuver through the ever-changing landscape, mitigate risks, and capitalize on global opportunities.

Data Breach and Incident Response

Brian is a trusted adviser during data security incidents, offering strategic guidance through every stage of data breach investigation and response. With extensive experience in complex cybersecurity incidents – including ransomware attacks and business email compromises – he helps clients effectively investigate and remediate breaches, manage multi-jurisdictional incidents, and ensure compliance with legal obligations.

During a breach, he works closely with clients as a “data breach coach” to assess the scope and impact, collaborating with forensics providers, internal IT teams, cybersecurity insurance, and other stakeholders to execute a comprehensive response plan, ensuring that legal privilege is maintained throughout the process. Following a breach, Brian assists with investigations, enforcement actions, and litigation, including high-profile class action cases and regulatory investigations by entities such as the FTC, SEC, OCR/HHS, and state attorneys general.

Recognizing the importance of proactive measures to address data privacy incidents, Brian works with clients to improve their security posture and incident preparedness. He designs and conducts realistic tabletop exercises, helping clients identify vulnerabilities, test incident response plans, and train personnel to effectively mitigate risks and respond to breaches.

Regulatory Investigations and Enforcement

Brian strategically guides clients through regulatory scrutiny, ensuring effective cross-jurisdictional compliance and management of legal risks. He plays a critical role in handling high-profile privacy, data security, and consumer protection cases, defending against enforcement actions under various regulations. His guidance enables clients to confidently navigate enforcement challenges while advancing business objectives within the rapidly evolving regulatory landscape.

Technology, Artificial Intelligence, and Intellectual Property

Brian guides clients through the legal complexities surrounding the development, deployment, and use of AI solutions, while also advising on a wide range of technology-focused agreements. His practice also encompasses trademark, brand protection, copyright, and internet law matters, where he assists clients in developing, protecting, and enforcing their intellectual property rights.

Artificial Intelligence

As a thought leader in the rapidly evolving fields of AI and emerging technologies, Brian advises on the responsible development, deployment, and use of AI solutions. He helps clients design systems that respect legal rights and address challenges such as the “black box” problem, AI errors, and IP infringement issues related to AI-generated content. Brian assists clients with regulatory compliance, evaluating AI vendor products, and developing comprehensive AI compliance plans. As AI continues to advance, Brian stays at the forefront of legal and regulatory developments. He actively participates in industry discussions concerning AI regulation, providing clients with insights and strategic advice to make informed decisions in this rapidly evolving field.

Internet, Technology, and Tech Transactions

Brian further counsels clients on legal and regulatory compliance related to cloud computing, e-commerce, online contracts, social media, online speech, liability for online platforms under the Communications Decency Act (CDA 230), and Internet of Things (IoT). He advises on compliance with the Digital Millennium Copyright Act (DMCA), as well as on software protection and licensing, including mobile applications, cloud-based technologies, social media, and online service provider issues.

With his strong transactional skills as a skilled negotiator and contract drafter, clients regularly call on him to draft and negotiate a wide range of privacy and technology agreements, such as:

• Software and Software-as-a-Service (SaaS) contracts
• Master Services Agreements (MSAs)
• Statements of Work (SOWs)
• Non-Disclosure Agreements (NDAs)
• IP transfers and licenses,
• Vendor agreements, and
• Contracts governing software, content, and licensing

As an internet law adviser, Brian develops strategies for policing and protecting IP rights on the internet; handles Uniform Domain Name Dispute Resolution Policy (UDRP) disputes, foreign and country code top-level domain (ccTLD) issues, and generic top-level domain (gTLD) matters; and enforces clients' rights against cybersquatters.

Trademark, Brand Protection, and Copyright

Brian brings nearly 15 years of experience as a trademark, brand protection, copyright, and internet lawyer. He provides counsel on internet law matters, including laws and regulations such as Children's Online Privacy Protection Act (COPPA), Telephone Consumer Protection Act (TCPA), and the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM).

In intellectual property, Brian assists with the development, registration, protection, and enforcement of brands trademarks, trade dress, copyrights, and software copyrights. He manages client domestic and international trademark portfolios, Trademark Trial and Appeal Board (TTAB) litigation, and develops IP portfolio management and enforcement programs tailored to clients’ specific brand challenges. Brian advises on online advertising and marketing compliance, right of publicity, unfair competition, and consumer protection.

He is a frequent speaker on data privacy and cybersecurity law, IP, AI, and technology matters to business groups, legal organizations and privacy seminars, including providing continuing education credit for attorneys and certified privacy professionals through legal groups and for the International Association of Privacy Professionals (IAPP).