Samuel D. Goldstick

Senior Counsel

Samuel (Sam) Goldstick is a data privacy and cybersecurity attorney, advising clients across a broad range of industries on all aspects of compliance with international, federal, and state data privacy and security laws. He is a senior counsel in the firm’s Technology Transactions, Cybersecurity, and Privacy Practice, as well as a member of the Sports & Entertainment Industry Team and Innovative Tech Sector.

Sam counsels companies in nearly every sector of the economy — including the retail, hospitality, manufacturing, financial services, health care, insurance, sports, aerospace, energy, government contracting, education, information technology, transportation, and travel industries — on a full array of data privacy and security compliance issues, such as those involving:

  • Data breach notification requirements at the state, federal, and international level
  • EU and UK General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other similar comprehensive U.S. state consumer privacy laws
  • Gramm-Leach-Bliley Act (GLBA)
  • The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation
  • State insurance data security laws (including those modeled after the NAIC model law)
  • Illinois’ Biometric Information Privacy Act (BIPA) and other state biometric privacy laws
  • Telephone Consumer Protection Act (TCPA) and state law equivalents
  • Health Insurance Portability and Accountability Act (HIPAA) and state law equivalents
  • Department of Defense (DoD) cybersecurity requirements for federal contractors, including DFARS 252.204-7012, NIST SP 800-171, and CMMC

Sam assists clients of all sizes on their incident preparedness, such as reviewing and updating incident response (IR) policies and procedures, negotiating three-party agreements with forensics and other third-party IR providers to help maintain attorney-client privilege and work product protections during an incident, and running tabletop exercises that simulate real-life cyber-attacks.

On the reactive front, Sam frequently guides clients through the entire incident response process, from the early stages of the investigation to the notification of affected individuals and government regulators, as well as through any resulting enforcement actions or regulatory investigations. To date, Sam has handled hundreds of data breaches and security incidents for clients, and his depth of experience in this area allows him to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath.

Representative Experience

  • Negotiated more than 50 different vendors’ GDPR DPAs on behalf of a large financial institution client.
  • Advised a Fortune 10 company on the applicability of new U.S. state comprehensive consumer privacy laws and recommended measures for compliance in connection with a myriad of business initiatives.
  • Updated website terms of use and general online and offline privacy policies with jurisdiction-specific addendums (i.e., GDPR, CCPA/CPRA, VCDPA, and CPA) for global retailers, sports clubs, and manufacturers, among many others.
  • Developed a practical handbook for a large insurer to use in responding to consumer rights requests under the CCPA/CPRA (with model templates).
  • Updated an extensive set of information security policies for a mutual insurance company to align with applicable requirements under HIPAA, PCI DSS, and relevant state insurance data security laws.
  • For a global electronics manufacturing services company, updated IR and crisis communications policies, proactively entered into a 3-party forensic agreement with an IR provider on its behalf (to maintain privilege and work product protections), and helped facilitate separate tabletop exercises simulating mock breaches.
  • Counseled a global aerospace defense contractor through a DoD-reportable “cyber incident” involving controlled unclassified information (CUI) and handled regulatory follow-ups on their behalf.
  • Guided a self-funded employee health plan through a complex OCR investigation and prepared a sophisticated response with over 20 exhibits to an OCR data request, in connection with a HIPAA breach that affected over 2,000 individuals.
  • Guided an insurance vendor through a data breach affecting over 4 million individuals and managed the entire notification process from start to finish (including interfacing with regulators).

Awards and Recognition

  • Best Lawyers: Ones to Watch in America™ – Technology Law (2021-2024)


  • Certified Information Privacy Professional – United States (CIPP/US)
  • Certified Information Privacy Professional – Europe (CIPP/E)
  • Member, International Association of Privacy Professionals (IAPP)
  • Member, American Bar Association (ABA)
  • Member, Chicago Bar Association Cyber Law & Data Privacy Committee
  • Member, Midwest Cyber Security Alliance (MCSA)

Presentations and Publications

  • Co-presenter, “Episode 7: Data Privacy Deadline for Colorado and Connecticut,” Innovative Technology Insights Podcast (July 13, 2023)
  • Panelist, “Risky Business,” University of Notre Dame’s IDEA Week (April 20, 2023)
  • Co-presenter, “Deadlines Fast Approaching For Compliance with New U.S. Consumer Privacy Laws and Latest Cybersecurity Legal Developments,” Foley’s CLE Weeks (November 16, 2022, and December 14, 2022)
  • Co-presenter, “Cybersecurity: Ransomware Update & Anatomy of A Tabletop Exercise,” Original Equipment Suppliers Association (OESA) Chief Financial Officers Council Meeting (June 8, 2022)
  • Co-presenter, “The Evolving State of Cybersecurity & Consumer Data Privacy Laws in the US and Related Vendor Contract Negotiation Tips,” Foley’s CLE Week (November 18, 2021 and December 15, 2021)
  • Co-author, “Appellate Court ruling on limitation periods for biometric data-related claims,” Article Published by OneTrust DataGuidance (November 2021)

09 April 2024 Manufacturing Industry Advisor

Combatting Supply Chain Cyber Threats: Safeguarding Data and Protecting Digital Supply Chains

As supply chains have become more digitized and interconnected, they have also become more vulnerable to a range of cyber threats.
21 September 2023 Deals and Wins

Foley Advises Knowles Corporation in Acquisition of Cornell Dubilier

Foley & Lardner LLP served as legal adviser to Knowles Corporation, a leading global supplier of high performance components and solutions, including ceramic capacitors and radio frequency filters, advanced medtech microphones, balanced armature speakers, and audio solutions, in entering a definitive agreement to acquire Cornell Dubilier.
06 September 2023 Innovative Technology Insights

Increased Litigation From Various Website Tracking Technologies

How can companies protect themselves from litigation resulting from the use of tracking pixels, chatbots, and session replay technologies on their websites?
17 August 2023 Honors and Awards

Foley Attorneys Recognized in 2024 Best Lawyers in America

Foley & Lardner LLP proudly announced today that 236 of the firm’s attorneys across 20 U.S. offices have received recognition in the 2024 edition of The Best Lawyers in America©.
13 July 2023 Innovative Technology Insights Podcast

Episode 7: Data Privacy Deadline for Colorado and Connecticut

In our seventh episode, Jennifer Urban and Samuel Goldstick sit down to discuss the newest states with data privacy laws that went into effect on July 1, 2023: Colorado and Connecticut.
10 July 2023 Innovative Technology Insights

Third Time’s the Charm? “Privacy Shield 2.0” Emerges as EU Approves New Data Transfer Deal with the United States

Nearly three years after the European Union’s high court struck down the EU-U.S. Privacy Shield Framework, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework on July 10, 2023.