Bio

Marci Rozen advises companies on cybersecurity and privacy issues, with deep expertise in risk assessment, policy development, and regulatory compliance. She has extensive experience in cybersecurity preparedness counseling, including policy development, risk assessment, and compliance with laws, regulations, and standards, including the PCI-DSS, the HIPAA Security Rule, CIS 18 Critical Security Controls, and the GLBA Safeguards Rule. She has also helped clients develop vulnerability disclosure programs and vendor security diligence and contracting processes.

In her incident response practice, Marci has guided organizations of all sizes through each phase of an incident, including containment, forensic investigation, consumer and regulatory notifications, law enforcement coordination, media statements, and remediation. She has experience responding to a wide array of incidents, including malware intrusions, state-sponsored attacks, extortion schemes, and accidental data disclosures. Incident preparedness is also a core part of her practice, including drafting incident response plans and developing and facilitating tabletop exercises to test response capabilities.

Beyond incident response, Marci helps companies strategically address evolving data protection laws. She advises on compliance with the EU GDPR and U.S. state privacy laws (CCPA, CPA, VCDPA, and others), offering practical guidance on implementing technological solutions like consent management platforms. She also advises on compliance with health-related privacy laws, including HIPAA, Washington’s My Health My Data, and similar state laws.  Most recently, she has helped clients unpack the new DOJ Rule on Transfers of U.S. Sensitive Personal Data and Government-Related Data, particularly its impact on ad tech and vendor contracts.

Prior to joining ZwillGen, Marci was an associate in the Privacy, Data Security, and Information Law Group at Sidley Austin LLP, where she counseled technology, telecommunications, retail, and industrial companies on a range of issues involving data security and privacy.