Greg Szewczyk is a partner in Ballard Spahr’s Denver and Boulder offices and Practice Leader of the Privacy and Data Security Group. Greg leverages a career that includes both high-stakes transactions and litigation to help companies take a practical approach to assessing risk and complying with the ever expanding patchwork of state, federal, and international privacy and data security statutes and regulations.
Greg helps companies of all sizes, from Fortune 500s to start ups, build and maintain their privacy and data security programs. He has advised hundreds of companies on various compliance issues—from the use of artificial intelligence to vendor management to routine data processing matters that arise in day-to-day business—relating to the Colorado Privacy Act (CPA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standards (PCI DSS), the Illinois Biometric Information Privacy Act (BIPA), the Gramm-Leach-Bliley Act (GLBA), state financial privacy laws, the Telephone Consumer Privacy Act (TCPA), and various other laws and regulations. Greg also advises clients in connection with corporate transactions, such as mergers, acquisitions, and partnerships. In doing so, he helps his clients assess the potential risks involved and develop creative solutions to data issues.
Experience
Representative Privacy and Data Security Matters
- Advised on various types of transactions—including mergers and acquisitions, business partnerships, co-branded and private label credit cards, and rounds of funding—by conducting due diligence, assessing risks, and negotiating representations and warranties relating to privacy and data security issues
- Counseled on building and modifying privacy and data security programs, including privacy policies, vendor management policies, information security plans, incident response programs, terms of use, biometric consent and retention policies, and various other policies
- Advised on the potential legal implications and risks from incorporating artificial intelligence into business operations, including by developing AI governance policies
- Assisted in performing internal trainings for employees across substantive fields, including executive decision-makers and information technology teams
- Defended data breach and privacy class action lawsuits, including lawsuits involving international media publications, casinos, industrial manufacturers, and retailers
Representative Litigation Matters
- Represented the brother-in-law of the King of Jordan in a three-week jury trial involving defense contracts for the transportation of oil to U.S. troops in Iraq, ultimately securing a $28.8 million jury verdict
- Defended an international media organization in a lawsuit alleging that the website’s use of analytic tools violated state wiretap laws
- Represented a major U.S. satellite-television distributor in a breach of contract action against a programming provider, ultimately securing a multimillion-dollar jury verdict in federal court
- Represented an oil company in an action for fraudulent misappropriation of a majority interest in a Russian oil field
Representative Artificial Intelligence Matters
- Advised clients ranging from Fortune 500 companies to tech startups on identifying whether certain technologies or processing constitute “automated profiling” or “automated decisionmaking” under international and state privacy laws, such as the GDPR, the CCPA, the Colorado Privacy Act, and other state privacy laws.
- Determined whether certain automated technologies, which are often driven by generative learning, trigger the application of biometric identifiers regulated by various privacy laws.
- Assessed vendor contracts and licensing agreements involving automated processing to assess how those provisions impact rights, obligations, and compliance regimes.
Professional Highlights
Professional Activities
American Bar Association
Colorado Bar Association
Denver Bar Association
New York City Bar Association, Military Affairs and Justice Committee
Recognition & Accomplishments
Denver Business Journal, "40 Under 40," 2023
JD Supra Readers' Choice Award, Top Author in Cybersecurity and Data Privacy, 2023
Benchmark Litigation, "40 & Under List," - Entertainment, Intellectual Property, Media (Midwest), 2022-2024
Certified Information Privacy Professional/United States
Speaking Engagements
Speaker, "Baked-In Bias: Practical steps to avoiding the hidden risks of AI," MyLawCLE, December 7, 2023
Speaker, "The End of the 'See No Evil' Approach to Vendor Management," Colorado Cybersecurity Summit, Denver, September 2018
Speaker, "Inside the Laboratory: State Legislation Impacting Privacy and Data Security," Consumer Data Industry Association Teleseminar, August 8, 2018
Board Memberships & Community Service
Protect Our Winters, Advisory Board
Publications
Author, "Navigating the Biggest Privacy Risks Facing Media Companies Today," Headlines and Deadlines, Pennsylvania Newsmedia Association, November 2023
Co-author, "What Is the Potential Liability for Zoombombing, and How Safe Are Zoom Alternatives?," Cybersecurity Law Report, April 29, 2020
Co-author, "Utah Privacy Law Would Be First to Require Search Warrant for Government to Access Stored Data," The National Law Review, March 28, 2019
Co-author, "What Companies Need to Know About Changes to Colorado's Cybersecurity Law," ColoradoBiz Magazine, September 16, 2018
Credentials
Education
Harvard Law School (J.D. 2009)
University of Notre Dame (B.A., cum laude, 2006)
Admissions
Colorado
New York
U.S. District Court for the District of Colorado
U.S. District Court for the Eastern District of New York
U.S. District Court for the Southern District of New York
U.S. Court of Appeals for the Ninth Circuit
U.S. Court of Appeals for the Tenth Circuit