Sam Castic

Practice Areas

Data Privacy, Data Security, Data Breach Response, Artificial Intelligence and Machine Learning

Professional Memberships

International Association of Privacy Professionals (IAPP)

IAPP Publications Advisory Board Member, 2024 - present

IAPP Privacy Law Specialist Advisory Board Member, 2024 - present

Lambda Legal National Leadership Council, Member, 2013 - present

Publications

“Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule,” Hintze Law Blog — April 14, 2025

“DOJ Data Rule Creating ‘Seismic’ Shift for US Privacy Compliance,” Privacy Daily, Sam Castic Quoted — March 10, 2025

“Compliance Pointers For DOJ's Sweeping Data Security Rule,” Law360 — February 21, 2025

“Examining DOJ’s Final Rules on Access to Government and Sensitive U.S. Personal Data,” Cybersecurity Law Report, Sam Castic Quoted — January 29, 2025

“10 areas for US-based privacy programs to focus in 2025,” IAPP Blog — January 14, 2025

“New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows,” Hintze Law Blog — January 9, 2025

“Data privacy in 2024: 10 Moments that shaped the year,” OneTrust DataGuidance, Sam Castic quoted — December 2024

“New CCPA Enforcement Action: Lessons for Tracking Technologies and Child Users,” Hintze Law Blog — June 21, 2024

“Compliance Considerations For New Data Protection Law,” Law360 — May 23, 2024

“Steps to Reduce CIPA Litigation Risks for Companies,” Law360 — March 14, 2024

“Connecticut AG’s Report Highlights Enforcement Risks and Points to Action Steps for Companies,” Cybersecurity Law Report, Sam Castic quoted — March 13, 2024

“10 Privacy Compliance Areas To Focus On In 2024,” Law360 — January 1, 2024

“Emerging trends in fintech privacy: 5 key areas to watch in 2024,” IAPP — November 29, 2023

“Takeaways from the IAPP AI Governance Global Conference,” IAPP — November 15, 2023

“Addressing the duty of care in state privacy laws,” IAPP — August 15, 2023

“Analyzing 2023’s New State Privacy Laws: Oregon and Delaware Join the Strictest Tier,” Cybersecurity Law Report, Sam Castic quoted — July 12, 2023

“FTC’s Health Privacy Actions Offer 5 Advertising Takeaways,” Law360 — March 16, 2023

“Privacy Operations to Update in the First Half of 2023 for California and Colorado Regulations,” The Privacy AdvisorIAPP — January 24, 2023

“Your 2022 End—of—Year Privacy ‘To Do’ List,” The Privacy AdvisorIAPP — October 25, 2022

“How Cos. Can Improve Web Compliance After 1st CCPA Fine,” Law360 — September 6, 2022

“EU—U.S. Privacy Shield: Companies Can Now Certify,” Lexology — August 2, 2016

“Is Ransomware a Notifiable Data Breach Event?,” Lexology — July 29, 2016

“FCC Privacy Regulations: The Next Litigation Trend?,” Legal Newsline, Sam Castic quoted — July 19, 2016

“EU—U.S. Privacy Shield Approved by EU Member States,” Lexology — July 8, 2016

“FCC Privacy Regulations: The Next Litigation Trend?,” Lexology — June 21, 2016

“Germany Issues Privacy Guidelines for Employer Access to Employee Email and Internet Use,” Lexology — May 25, 2016

“IP Addresses as Personal Data — Website Providers To Come Under Even More Scrutiny With EU Data Privacy Law,” Lexology — May 17, 2016

“Data transfers in limbo — U.S. companies face fines by German data protection authorities,” Lexology — May 11, 2016

“2016 IAPP Global Privacy Summit: Key Themes and Takeaways,” Lexology — May 10, 2016

“The FCC’s Proposed Privacy Regulations: What They Mean for ISPs and Those That Do Business with Them,” Lexology — May 2, 2016

“7th Circuit Revives P.F. Chang’s Data Breach Class Action Suit,” Lexology — April 21, 2016

“Proposed FCC Regs Could Disrupt ISPVendor Practices,” Law360 — April 20, 2016

“Tennessee Amends Breach Notice Statute: Sets Notice DeadlineEliminates Encryption Safe Harbor,” Lexology — April 4, 2016

“FTC Puts Teeth into Native Ads Guidance: Lord & Taylor Settles Deceptive Ad Claim,” Lexology — March 24, 2016

“Internet Providers on Notice: Draft Privacy Regulations Coming Soon,” Lexology – March 15, 2016

“Biometrics: A Fingerprint for Privacy CompliancePart I,” Lexology — March 4, 2016

“FTC Cybersecurity and Data Protection Regulatory Authority Affirmed by US Court of Appeals–What Could Come Next?,” Computer Law Review International — December 2015

“European Decision Invalidates Safe Harbor Framework for EU/US Data Transfers,” Inside Counsel — November 3, 2015

“U.S.—EU SAFE Harbor Invalidated. What Next?,” Electronic Discovery Law — October 6, 2015

“Children’s PrivacyUnited States v. Artist Arena,” E—Commerce Law Reports Vol. 12 Iss. 6 — December 2012

“Mobile Commerce Faces Increased Privacy Scrutiny,” Computer Law Review International — June 2012

“Mobile Apps – US v. W3 InnovationsLLC,” E—Commerce Law Reports Vol. 11 Iss. 5 — November 2011

“The Year of Privacy Protection,” Law360 – March 24, 2011

Experience

Sam helps companies in all sectors to build, scale, and right-size privacy programs and strategies. He worked for years as a chief privacy officer and head of privacy, and is approaching two decades of experience advising companies on privacy and data security law. Sam uses this background to provide clients with practical and actionable strategies for privacy programs that achieve strategic, compliance, and business objectives, including when:

* Structuring effective and efficient privacy teams, programs, and operations;

* Innovating and bringing products and services to market;

* Entering new markets and launching new lines of business;

* Establishing and operating global privacy capabilities, including for data subject rights, privacy incidents and breaches, and data protection assessments;

* Developing repeatable processes for negotiating and resolving customer and vendor data use and processing agreements.

Sam also excels at distilling US federal and state privacy, data security, and AI laws into actionable and practical advice. This includes providing strategic and tactical support:

* Resolving transactional negotiations on data privacy, security, and use issues

* Driving responses to regulatory inquiries and investigations

* Accomplishing mergers, acquisitions, and investments, and developing and executing post-transaction integration strategies

* Supporting product, service, and technology launches and innovations

* Preparing for and responding to data breaches

* Enabling adtech, tracking, marketing, and advertising capabilities

* Advising on privacy, data security, and AI laws and regulations, including US state privacy laws like the California Consumer Privacy Act (CCPA), breach notification laws, COPPA, CAN-SPAM, DPPA, FCRA, GLBA, TCPA, and VPPA.

Sam works with US and global clients in all sectors, including fintech, technology, automotive, insurance, gaming, telecom, social media, retail, media, and adtech companies.

Career

Sam worked for years as a chief privacy officer and head of privacy, and is approaching two decades of experience advising companies on privacy and data security law. Sam was formerly Chief Privacy Officer for Blackhawk Network, a global fintech company with B2B and B2C digital payment and gift card products. Before that, Sam was the head of privacy at Nordstrom, where he led the teams responsible for privacy law, compliance, and operations. Sam also worked in-house at T-Mobile where he supported the marketing and advertising teams including on data, policy, and privacy compliance.

In addition to Sam’s experience leading corporate privacy teams and programs, Sam has advised clients ranging from early-stage startups to large global corporations on privacy, cybersecurity, and data protection matters at Orrick and at K&L Gates.

Industry Sector Expertise

Sam has the following certifications from the International Association of Privacy Professionals:

Privacy Law Specialist

Certified Artificial Intelligence Governance Professional (AIGP)

Certified Information Privacy Professional – United States (CIPP/US)

Certified Information Privacy Manager (CIPM)

Fellow of Information Privacy (FIP)

Education