Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace.
Data Privacy and Security
As chair of the firm’s data privacy and security team, Andrew leads a nationally recognized team of professionals dedicated to protecting clients’ systems, networks and data, managing information, and responding to cyber incidents.
In his own practice, Andrew assists clients in the development of information governance and data protection programs, and regularly counsels clients on data breach remediation, as well as privacy and security issues in vendor contracts and M&A/private equity transactions. Andrew principally focuses on proactive protective measures that a company can employ in the construction of its policies and critical contracts in order to prevent the occurrence of security breaches, investigations, lawsuits and similar harmful events. He also counsels clients on interpreting and complying with the Payment Card Industry Data Security Standard (PCI/DSS).
Andrew speaks and writes regularly on topics relating to privacy, security and vendor contract management. He was recognized as a “Leading Lawyer” in cyber law by Legal 500 in 2017. He holds the CIPP/US credential as a Certified Information Privacy Professional from the International Association of Privacy Professionals (IAPP).
Supply Chain Management
Andrew also chairs the supply chain management practice, helping clients anticipate and avoid costly disputes and litigation with their vendors and institutional customers. He and his team provide (usually on an alternate fee basis) an individually customized and comprehensive review and evaluation of the client’s suite of contracts, together with suggested recommendations for remedying deficiencies determined during the analysis. Depending on the client’s needs and objectives, he can then undertake a full-scale revision and renegotiation of the relevant agreements, or develop a more targeted approach of focusing only on the essential provisions.
A Business-focused Background
Andrew also has experience in general corporate governance, mergers and acquisitions and private equity. He has counseled companies on a variety of corporate topics and transactions, including entity selection and formation, equity and debt financings (control and non-control), securities compliance, employment matters and technology licensing.
Andrew has a background in consulting and holds an MBA from the Darden School of Business at the University of Virginia. This experience provides him with a keen understanding of the operational, financial and strategic needs of clients, enabling him to take a practical business approach to serving their needs. He has experience representing clients in numerous industries, including a specific emphasis on telecommunications, financial services and manufacturing companies.
- Co-led a team that advised a large financial institution on one of the most complex, high-value disclosures of sensitive customer information in history. The investigation involved all 50 U.S. states and over 30 foreign jurisdictions.
- Regularly advise client on maintaining the security and integrity of its credit/debit card data and payment systems, as well as compliance with Payment Card Industry and Payment Application Data Security Standards, focusing on ensuring the proper use, storage, transmission, access and monitoring of cardholder data and sensitive authentication data.
- Representation of leading prepaid wireless carrier in the drafting and renegotiation of its portfolio of key service provider contracts dealing with the multichannel distribution and billing of airtime, processing of airtime payments, and reporting of key sales and expense metrics.
- Advise telecommunications client in connection with its provision of retail and wholesale cloud services, including SaaS and IaaS offerings.
- Representation of wireless provider on data privacy, information security and payment processing matters relating to its partnership with a Big Three automobile manufacturer to provide interactive vehicle connectivity services.
- Representation of Fortune 100 cable services provider in the drafting and negotiation of contracts relating to the build-out and management of a private cloud computing structure, including successfully managing the software license, maintenance and service level negotiations, as well as the development of key specifications.
- Counsel to Fortune 100 wireless telecommunications provider in negotiating with an industry-leading debit card provider to migrate the client’s rebate submission and issuance program from a check-based system to a prepaid debit card-based system.
- Representation of multiple technology and healthcare companies in connection with various M&A transactions, venture capital investments and private equity financings.
- Regularly advise cable provider in the negotiation of complex procurement and critical infrastructure agreements.
- Counsel to telecommunications client on various initiatives designed to broaden and enhance the functionality of its enterprise-wide recurring payment processing systems, including analyzing all applicable laws, regulations and standards, and presenting business-friendly legal solutions that enable these systems to function and grow.
- Representation of medical device companies in negotiating strategic alliance, linking and intellectual property licensing transactions.
- Negotiation of key business and legal terms on behalf of financial services company with its e-commerce and online banking services provider, focusing on consumer electronic billing and payment services, e-bill hosting and distribution services, service level agreements, pricing models, integration of legacy platforms and protocols relating to information security, fraud management and disaster recovery.
- Representation of international property and casualty insurance company in negotiating and drafting global information systems outsourcing agreements with ACS Outsourcing Solutions.
- Representation of Southeast regional supermarket chain in negotiating and drafting technology, pharmacy and consumer products vendor contracts, including agreements with Western Union, IDT Telecom, Taleo and Accruent.
- Negotiation and documentation for leveraged buyout of assets of manufacturing business.
- Representation of international industrial thread manufacturing company in negotiating and drafting various supply chain and customer contracts, including agreements with General Electric, Michelin and Kimberly-Clark.
- Negotiation and documentation of value added reseller and sales agent agreements for publicly held industrial products company.
Events
- Panelist, "State of Play in Privacy and Cybersecurity," California MCLE Day, February 26, 2025
- Speaker, "Privacy, Incident Response and What You Can Do to Mitigate Risk," 18th Annual Nonprofit Seminar, November - December 2021
- Speaker, "Cybersecurity: Finding Stability in Uncertainty," Compliance in the Real World — A Practical Roundup of Today’s Top Issues, October 25, 2017
- Speaker, "When Compliance Programs Fail: Truth and Consequences," Compliance in the Real World: A Practical Discussion About Today’s Top Issues, McGuireWoods LLP Conference, May 2017
- Panelist, "Cybersecurity – How to Protect Your Business," Houston CFO Roundtable – Cybersecurity: How to Protect Your Business, December 2016
- Speaker, "Cross-border Data Transfer from the EU: Data Flow within the New Framework," The Data Privacy and Security Puzzle: Do You Have All the Pieces?, November 2016
- Co-speaker, "Cyber Threats and Related Legal Exposures to Community Banks," Community Bank Cyber-Law Forum, November 2013
- Co-presenter, EU Data Privacy and Security Conference, Client Seminar, Telecommunications Industry, June 2013
- Moderator, Tysons Data Privacy and Security Forum, McGuireWoods LLP, June 2013
- Panelist, 3rd Annual Best Practices Litigation Roundtable, McGuireWoods LLP, May 2013
- Speaker, "The Tangled Web of Data Privacy & Security in Education," North Carolina Bar Association, Education Law Section Annual Meeting, May 2013
- Co-presenter, "Data Privacy & Security for Power Utilities," Client Seminar, Energy Industry, February 2013
- Co-presenter, "Data Privacy & Security Forum," Client Seminar, Automotive Industry, January 2013
- Speaker, "Data Privacy & Security Issues Facing The Nonprofit Entity," 10th Annual Nonprofit Seminar, September and October 2012
- Speaker, "The Value (and Risks) of Information: No Business is Safe from Data Security and Privacy Risks," Virginia CLE 42nd Annual Advanced Business Law Conference: Retooling for the Rebound, October 2012
- Speaker, "Data Security for CFOs," Led Education Roundtable, September 2012
- Presenter, "The Life & Times of a Supply Chain Transaction," Association of Corporate Counsel, National Chapter, April 2012
- Co-presenter, "Data Privacy & Security: Update," Client Seminar, Defense Industry, April 2012
- Co-presenter, "Data Privacy & Security: Update," Client Seminar, Telecommunications Industry, March 2012
- Co-presenter, "Data Security & Privacy," Client Seminar, Telecommunications Industry, January 2012
- Co-presenter, "Data Security and Privacy," Charlotte ACC: Data Security and Privacy, November 2011
- Presenter, "Information Security & Data Integrity," Internet Summit 2008, November 2008
- Presenter, "Managing Your Vendor Contracts: A Class for Non-Lawyers," Client Seminar, Food & Beverage Industry, October 2008
Insights
- Author, NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to Know, Password Protected, November 20, 2025
- Author, Halloween Reminder – Don’t Get Haunted by Hacks, Password Protected, October 29, 2025
- Author, Department of Defense Issues Final Rule on Cybersecurity Standards for Contractors, Subject to Inquiry, September 10, 2025
- Author, California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability Relating to Voluntary Self-Disclosure of Cybersecurity Violations, Subject to Inquiry, August 4, 2025
- Author, Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations, Password Protected, June 5, 2025
- Author, SEC Settles Charges for Alleged Misleading Disclosures, Shedding Light on Materiality in Cyber Context, McGuireWoods Legal Alert, October 29, 2024
- Author, DoD Issues Final CMMC Framework for Defense Contractors, McGuireWoods Legal Alert, October 23, 2024
- Author, SEC Adopts Cybersecurity Risk Management Strategy Governance Incident Disclosure Rules, McGuireWoods Legal Alert, July 27, 2023
- Author, DHS Issues Final Rule Regulating Federal Contractors’ Handling of Controlled Unclassified Information, McGuireWoods Legal Alert, July 19, 2023
- Author, TSA Notice of Proposed Rulemaking Targets Cyber Risk Management for Pipelines and Railways, McGuireWoods Legal Alert, January 24, 2023
- Author, New Year Brings New State-Level Data Privacy Protections, Password Protected, December 15, 2022
- Author, FinCEN Leader’s Remarks Focus on Securing Digital Identity, Subject to Inquiry, September 12, 2022
- Author, DOJ and Aerojet Settle for $9 Million in Qui Tam Cybersecurity False Claims Act Case, McGuireWoods Legal Alert, July 14, 2022
- Author, SEC Proposes New, Formal Cybersecurity Disclosure Rules, McGuireWoods Legal Alert, March 16, 2022
- Author, DOJ Settles First False Claims Act Enforcement Action Since Launch of Civil Cyber-Fraud Initiative, Subject to Inquiry, March 10, 2022
- Author, Department of Justice Announces Increased FCA Enforcement Through New Civil Cyber-Fraud Initiative, Subject to Inquiry, October 12, 2021
- Author, Biden Administration Orders Improvements to Cybersecurity and Federal Networks Amid Cyberattacks, McGuireWoods Legal Alert, May 20, 2021
- Author, Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too, Password Protected, January 28, 2021
- Author, Are We (Finally) Ready to Zoom?, Password Protected, June 8, 2020
- Author, Privacy vs. Containment, Part 2: The Democratic Answer to a Framework for Federal Privacy Legislation on COVID-19, Password Protected, June 3, 2020
- Author, Privacy vs. Containment: Federal Privacy Legislation Meets COVID-19, Password Protected, May 18, 2020
- Author, Update: Coronavirus Cyberscams and Other Attacks – Scammers Are Still at It, Password Protected, April 9, 2020
- Author, Between a Rock and a Hard Place: SEC Disclosure Analysis in Light of Yahoo Settlement, McGuireWoods Legal Alert, May 8, 2018
- Author, New SEC Cybersecurity Guidance Outlines Disclosure Obligations, Password Protected, February 27, 2018
- Author, DoD Cyber Compliance Deadline Fast Approaching – Here’s What Government Contractors Need to Know, Password Protected, November 1, 2017
- Author, The Equifax Breach: How to Protect Your Company and Your Customers, Password Protected, September 22, 2017
- Author, Law Firms’ Data Duty: Protecting Client Information From Cybercriminals, McGuireWoods Legal Alert, July 11, 2017
- Author, Massive Cyberattack Developing Worldwide, Password Protected, June 27, 2017
- Author, The WannaCry Cyberattack: Steps Businesses Must Take Now, Password Protected, May 15, 2017
- Author, Friday’s Massive Malware Attack – Cyber Insurance and the Importance of IMMEDIATE Notice to Insurers, McGuireWoods Legal Alert, May 13, 2017
- Author, ALERT: Beware of W-2 Scam!, Password Protected, February 16, 2017
- Author, Cybersecurity and Data Privacy in 2017: Eight Topics to Follow, Password Protected, January 31, 2017
- Author, Insurance Coverage for Lost Profits Arising from Cyber Attacks on the U.S. Power Grid – Contingent Business Interruption Coverage for the Internet of Things, McGuireWoods Legal Alert, January 10, 2017
- Author, A Closer Look: Practical Tips to Managing a Ransomware Attack (Part 2), Password Protected, November 4, 2016
- Author, A Closer Look: Practical Tips to Managing a Ransomware Attack (Part 1), Password Protected, November 1, 2016
- Author, "Cybersecurity Concerns Creep Into M&A Transactions," Law360, August 17, 2015
- Author, Data Privacy and Security Considerations in M&A Transactions, McGuireWoods Legal Alert, April 16, 2015
- Author, Data Privacy Legislation Reintroduced, McGuireWoods Legal Alert, January 9, 2014
- Author, Cybersecurity Executive Order Impacts Business, McGuireWoods Legal Alert, February 27, 2013
The rules of professional conduct in some jurisdictions require disclosure of selection methodology for certain public accolades and recognitions. Click here to view available selection methodologies.
- Selected for inclusion in “Legal 500 United States,” Cyber Law, 2020-2023, 2024; Media, technology and telecoms: cyber law (including data protection and privacy), 2025
- Named to “Legal Elite,” Virginia Business, 2011, 2012, 2014, 2022-2024
- Selected for inclusion as a “Leading Lawyer,” Cyber Law, Virginia, Legal 500 US, 2017-2018