Senior Counsel, Data Privacy & Security

About The Position

Requirements

• Juris Doctor (JD), Law Degree from a United States accredited law school or equivalent accredited institution.
• 6+ Years of Legal experience with significant focus on data privacy and cybersecurity law, risk management.
• Licensed to practice law in the US
• Demonstrated experience working with US and global cybersecurity and privacy laws, regulations and frameworks (GLBA, HIPAA, CCPA, GDPR, NIST CSF, NIST PF, CIS, ISO, SOC2)
• Proven ability to assess privacy and cybersecurity risks, translate regulatory requirements into practical controls and support remediation efforts.
• Hands on experience with incident response, US breach notification processes and regulatory reporting obligations.
• Strong documentation skills – drafting policies, agreements, standards, procedures and reports.
• Deep understanding of US and global data protection laws and regulations
• Extensive knowledge of incident response and personal data breach notification requirements, as well as of cybersecurity legal frameworks and industry standards (CCPA, SEC requirements, NIST CSF, NIST PF, SOC 2, ISO)
• Strong understanding of cloud computing, data analytics, and emerging technologies
• Knowledge of U.S. financial, insurance or reinsurance business operations
• Advanced experience with reviewing, drafting, amending and negotiating contracts including data processing addendums and cybersecurity addendums
• Experience with cross-border data transfers and international privacy frameworks
• Highly advanced interpersonal skills, with demonstrated ability to positively influence change among clients and working groups.
• Expert skills in managing multiple projects and/or sub-teams simultaneously
• Highly advanced ability to make timely and effective decisions and produce results through strategic planning and the implementation and evaluation of programs and policies

Nice To Haves

• Advanced degree (LLM), Privacy law, cybersecurity, or technology law are preferred
• CISSP, CIPP, CIPM, CIPT, CISA or equivalent are preferred
• In-house counsel and leadership experience at a financial services, insurance, or technology company is preferred.
• Experience supporting public company, or SEC regulated environments

Responsibilities

• Provide legal advice on US and global: (i) data privacy laws including GLBA, HIPAA, CAN-SPAM ACT, CCPA, PIPEDA, GDPR, PDPA; (ii) AI [governance requirements?]; and (iii) other existing and emerging regulations related to data privacy, cybersecurity and AI
• Advise on regulatory privacy requirements for financial services and insurance sectors
• Review and negotiate contracts including data processing agreements and clauses and cybersecurity exhibits
• Advise on privacy impact assessments (PIAs) and data protection impact assessments (DPIAs)
• Assist with data subject rights requests and incident response procedures within the legal team
• Advise on legal risk identification and mitigation efforts and privacy compliance efforts including privacy-by-design in business operations, product development, data analytics and technology solutions
• Provide legal guidance on cybersecurity risk management and incident response
• Advise on cybersecurity laws and regulations, including CCPA, SEC cybersecurity rules, US and non-US breach notification requirements
• Support global breach notification obligations
• Collaborate with IT security teams on legal aspects of security controls and frameworks
• Advising on reasonable security safeguards from legal perspective
• Advise on regulatory cybersecurity requirements for financial services and insurance sectors
• Review and negotiate cybersecurity exhibits in vendor contracts and reinsurance agreements.
• Monitor and interpret evolving data protection, cybersecurity and AI regulations globally
• Conduct legal risk assessments for data-related business activities
• Develop training programs and awareness initiatives for workforce members and business stakeholders
• Support internal audits and regulatory examinations related to data practices
• Partner with IT, risk management, compliance, and business teams on data-related initiatives
• Support M&A due diligence on data privacy and cybersecurity matters
• Collaborate with external counsel and privacy consultants as needed
• Participate in industry associations and regulatory working groups
• Contribute to enterprise risk management and business continuity planning

Benefits

• RGA also maintains a full range of health, retirement, and other employee benefits.