Samuel D. Goldstick
Senior Counsel
Samuel (Sam) Goldstick is a data privacy and cybersecurity attorney, advising clients across a broad range of industries on all aspects of compliance with international, federal, and state data privacy and security laws. He is a senior counsel in the firm鈥檚 Technology Transactions, Cybersecurity, and Privacy Practice, and a member of the Sports & Entertainment Industry Team and Innovative Technology Sector.
Sam counsels companies in nearly every sector of the economy 鈥 including the retail, hospitality, manufacturing, financial services, health care, insurance, sports, aerospace, energy, government contracting, education, information technology, transportation, and travel industries 鈥 on a full array of data privacy and security compliance issues, such as those involving:
- Data breach notification requirements at the state, federal, and international level
- EU and UK General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other similar comprehensive U.S. state consumer privacy laws
- Gramm-Leach-Bliley Act (GLBA)
- The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation
- State insurance data security laws (including those modeled after the NAIC model law)
- Illinois鈥 Biometric Information Privacy Act (BIPA) and other state biometric privacy laws
- Telephone Consumer Protection Act (TCPA) and state law equivalents
- Health Insurance Portability and Accountability Act (HIPAA) and state law equivalents
- Department of Defense (DoD) cybersecurity requirements for federal contractors, including DFARS 252.204-7012, NIST SP 800-171, and CMMC
Sam assists clients of all sizes with their incident preparedness, such as reviewing and updating incident response (IR) policies and procedures, negotiating three-party agreements with forensics and other third-party IR providers to help maintain attorney-client privilege and work product protections during an incident, and running tabletop exercises that simulate real-life cyber-attacks.
On the reactive front, Sam frequently guides clients through the entire incident response process, from the early stages of the investigation to the notification of affected individuals and government regulators, as well as through any resulting enforcement actions or regulatory investigations. To date, Sam has handled hundreds of data breaches and security incidents for clients, and his depth of experience in this area allows him to provide clients with practical and business-oriented solutions in the event of a data incident and its aftermath.
Representative Experience
- Served as legal advisor to TruStage, a financially strong insurance and financial services provider, in the sale of its Digital Storefront business to Demopolis Equity Partners.
- Negotiated more than 50 different vendors鈥 GDPR DPAs on behalf of a large financial institutional client.
- Advised a Fortune 10 company on the applicability of new U.S. state comprehensive consumer privacy laws and recommended measures for compliance in connection with a myriad of business initiatives.
- Updated website terms of use and general online and offline privacy policies with jurisdiction-specific addendums (i.e., GDPR, CCPA/CPRA, VCDPA, and CPA) for global retailers, sports clubs, and manufacturers, among many others.
- Developed a practical handbook for a large insurer to use in responding to consumer rights requests under the CCPA/CPRA (with model templates).
- Updated an extensive set of information security policies for a mutual insurance company to align with applicable requirements under HIPAA, PCI DSS, and relevant state insurance data security laws.
- Updated IR and crisis communications policies for, proactively entered into a three-party forensic agreement with an IR provider (to maintain privilege and work product protections) on behalf of and helped facilitate separate tabletop exercises simulating mock breaches for, a global electronics manufacturing services company.
- Counseled a global aerospace defense contractor through a DoD-reportable 鈥渃yber incident鈥 involving controlled unclassified information (CUI) and handled regulatory follow-ups on their behalf.
- Guided a self-funded employee health plan through a complex OCR investigation and prepared a sophisticated response with over 20 exhibits to an OCR data request, in connection with a HIPAA breach that affected over 2,000 individuals.
- Guided an insurance vendor through a data breach affecting over 4 million individuals and managed the entire notification process from start to finish (including interfacing with regulators).
Awards and Recognition
- Best Lawyers:聽Ones to Watch聽in America鈩 鈥 Technology Law (2021-2025)
Affiliations
- Co-Vice Chair, e-Privacy Law Committee, American Bar Association (ABA)
- Certified Information Privacy Professional 鈥 United States (CIPP/US)
- Certified Information Privacy Professional 鈥 Europe (CIPP/E)
- Member, International Association of Privacy Professionals (IAPP)
- Member, ABA
- Member, Chicago Bar Association Cyber Law & Data Privacy Committee
- Member, Midwest Cyber Security Alliance (MCSA)
Presentations and Publications
- Presenter, 鈥淧rivacy and Security 鈥 2025 Update,鈥 Annual Conference for the Association of Fraternal Benefit Counsel (AFBC), Savannah, GA (June 13, 2025)
- Co-author, 鈥淕auging Professional Sport Biometric Data Privacy Concerns,鈥 Law360 (May 15, 2025)
- Co-presenter, “State of Confusion: How to Make Sense of Continually Emerging State Privacy Laws,鈥 ABA Privacy and Emerging Technology National Institute and Spring Meeting (PRISM), Washington D.C. (Mar. 21, 2025)
- Co-presenter, 鈥淯nsubscribing from Data Risks鈥擟yber, Privacy, and Crisis Management,鈥 Consumer Brands CPG Legal Forum (February 27, 2025)
- Co-presenter, 鈥淏est Practices for Preparing for and Responding to Cybersecurity Incidents,鈥 33rd Annual Law of Product Distribution & Franchise Seminar (October 23, 2024)
- Moderator, 鈥淢asterclass: Supply Chain Due Diligence鈥 Panel, Lexology Live: Cyber Risk, New York, NY (June 20, 2024)
- Co-presenter, 鈥淓pisode 7: Data Privacy Deadline for Colorado and Connecticut,鈥 Innovative Technology Insights Podcast (July 13, 2023)
- Panelist, 鈥淩isky Business,鈥 University of Notre Dame鈥檚 IDEA Week (April 20, 2023)
- Co-presenter, 鈥淒eadlines Fast Approaching For Compliance with New U.S. Consumer Privacy Laws and Latest Cybersecurity Legal Developments,鈥 麻豆传媒鈥檚 CLE Weeks (November 16, 2022, and December 14, 2022)
- Co-presenter, 鈥淐ybersecurity: Ransomware Update & Anatomy of A Tabletop Exercise鈥 Original Equipment Suppliers Association (OESA) Chief Financial Officers Council Meeting (June 8, 2022)
- Co-presenter, 鈥淭he Evolving State of Cybersecurity & Consumer Data Privacy Laws in the US and Related Vendor Contract Negotiation Tips,鈥 麻豆传媒鈥檚 CLE Week (November 18, 2021, and December 15, 2021)
- Co-author, 鈥淎ppellate Court ruling on limitation periods for biometric data-related claims,鈥 article published by OneTrust DataGuidance (November 2021)
麻豆传媒 Represents Wasabi Technologies in Acquisition of Seagate鈥檚 Lyve Cloud Business
麻豆传媒 advised Wasabi Technologies, the hot cloud storage company, in its acquisition of the Lyve Cloud business from Seagate Technology LLC (NASDAQ: STX), a leading innovator of mass-capacity data storage.
The Compliance Tightrope: Balancing Uniformity and Precision Across U.S. State Consumer Privacy Laws
This article is designed to provide an overview of the current state consumer privacy landscape in the United States, the key distinctions among these state laws, practical compliance approaches, and actionable takeaways for operationalizing privacy programs in a fragmented regulatory environment.
/Passle/6719610cd4590e288ff40ff4/SearchServiceImages/2026-02-02-20-22-34-871-6981078aca17697a2bad9e52.jpg)
In Case You Missed It: Data Privacy Week 2026
Last week, our Cybersecurity & Data Privacy team delivered a packed lineup of insights, expert discussions, and practical guidance to...
/Passle/6719610cd4590e288ff40ff4/MediaLibrary/Images/2026-01-28-16-53-48-406-697a3f1ce8715be98459ab20.jpg)
Privacy Podcast Episode Three: State of Confusion: Navigating the U.S. Privacy Law Maze
Key Takeaways U.S. privacy compliance has become significantly more complex due to the rapid growth of state consumer privacy laws, each...
Combatting Supply Chain Cyber Threats: Safeguarding Data and Protecting Digital Supply Chains in a Rapidly Evolving Cyber Landscape
Manufacturing supply chains face escalating cyber threats, with attacks up 431% since 2021. Learn how poor vendor oversight increases risk鈥攁nd how cyber resilience strategies like C-SCRM and security-by-design can protect operations and boost competitiveness."
麻豆传媒 Advises TruStage鈩 in Sale of Digital Storefront Business
麻豆传媒 served as legal advisor to TruStage, a financially strong insurance and financial services provider founded in 1935, in the sale of its Digital Storefront business to Demopolis Equity Partners.