Andrew Baer

Chair, Technology, Privacy & Data Security

Recent Publication:

NYDFS Issues Guidance on Cybersecurity Risks Arising from Artificial Intelligence [Alert]

Andrew Baer and Robert Rubenstein discuss the New York Department of Financial Services industry letter on the cybersecurity risks associated with AI.

Andrew Baer is the founder and chair of Cozen O’Connor’s Technology, Privacy & Data Security practice. He was among the first attorneys in the country to launch a dedicated technology practice and has led development of a unique multidisciplinary approach to tech, privacy, IP, cyber, and internet law.

Today, Andrew’s practice focuses on advising sophisticated clients on cutting-edge technology transactions and privacy/cybersecurity compliance. He represents diverse clients ranging from startups to Fortune 500 giants, including financial institutions, SaaS/IaaS/PaaS companies, digital interactive agencies, adtech companies, online ad networks, data brokers, mobile app developers, life sciences companies, media monitors, and e-commerce companies. Andrew also represents AI developers and crypto companies. 

Andrew regularly leads mission-critical deals — from both the buy-side and sell-side — that implicate issues in cloud computing, software, data privacy, security compliance, copyrights and trademarks, digital advertising systems and platforms, and interactive marketing compliance. He is deeply knowledgeable about state, federal, and international legal regimes relating to data privacy, cybersecurity, and artificial intelligence.

Since joining Cozen O’Connor, Andy has built a technology practice leading the way on team training, client service, and alternative fee structures. Before coming to Cozen O’Connor, Andrew served for 10 years as managing partner of Baer Crossey McDemus, a technology and venture capital boutique that he co-founded. Prior to that, he was lead tech/IP/privacy counsel at Advanta Corp., chief legal officer to a life sciences technology company, and an attorney in the intellectual property and information technology practice groups of WolfBlock.

Andrew is a frequent speaker, author, podcaster, and blogger. He is a lecturer at The Wharton School, a faculty member with the Pennsylvania Bar Institute and other continuing legal education groups, and a national contributor to online and print legal publications on technology and cybersecurity law. In 2010, Andrew co-authored the “Corporate Security and Privacy Duties, Policies and Forms” chapter of West’s Data Security and Privacy Law treatise.

Andrew earned his bachelor’s degree from Dartmouth College and his law degree from University of Chicago Law School.

Experience

News

Announcing Cozen O’Connor Canada’s Technology and Privacy Team

January 23, 2024

We are excited to launch Cozen O’Connor Canada’s Privacy and Technology team.

Technology, Privacy & Data Security Practice Launches Cyber Law Monitor Podcast

November 01, 2022

The Cyber Law Monitor podcast from Cozen O’Connor’s Technology, Privacy & Data Security practice group covers emerging trends, developments, and best practices.

Andrew Baer, Mira Baylson Named to The Philadelphia Business Journal's Best of the Bar 2022

September 26, 2022

Andrew Baer and Mira Baylson have been named to The Philadelphia Business Journal’s “Best of the Bar 2022.”

Privacy Policy To Watch For The Rest Of 2022

July 29, 2022

Andy Baer discusses the fate of privacy legislation for the remainder of 2022 and what it means for businesses and consumer advocates in a Law360 article.

Andrew Baer Named Legal Innovator by The Legal Intelligencer

July 01, 2022

This award honored law firms, lawyers, and legal professionals who push the envelope, think outside the box, and have demonstrated an ability to distinguish their brands in a crowded market to build their businesses.

FTC Chair Poised To Offer Glimpse Into Privacy Priorities

April 08, 2022

Andy Baer discusses what he expects the Federal Trade Commission (FTC) will address at the International Association of Privacy Professionals Global Privacy Summit in an article in Law360.

Cybersecurity & Privacy Policy To Watch For Rest Of 2021

July 30, 2021

Andy Baer was quoted in a Law360 article discussing the impact cyber security and privacy developments that occurred during the first half of 2021 will have on the remainder of the year.

Colorado Adds Wrinkle To Emerging State Privacy Law Quilt

June 18, 2021

Andrew Baer was quoted in an article in Law360 discussing Colorado’s position on becoming the third state in the U.S. to enact a comprehensive consumer privacy legislation.

Philadelphia Business Journal's 2020 in Review: Philadelphia-area Lawyers Who Made the Biggest Moves This Year

January 12, 2021

The article stated, “... the biggest winner this year was Cozen O'Connor, which had three of the top 10 lateral hires.”

Microsoft-TikTok Deal Would See Deadline Pressure, Privacy Risks

August 04, 2020

Andrew Baer was quoted in an article published in Bloomberg Law discussing Microsoft’s potential acquisition of Bytedance’s TikTok, and the company’s ability to resolve the attendant privacy and security concerns in advance of Donald Trump’s September 15, 2020, deadline to reach a deal.

Cozen O’Connor Boosts its Technology, Privacy, Data Security and Emerging Growth Practices by Adding Nine Attorneys from Philadelphia Law Boutique Baer Crossey McDemus LLC

May 04, 2020

Andrew Baer, Michael Crossey, and Christopher McDemus will stretch the firm’s reach within the global technology, and emerging growth business communities.

Publications

NYDFS Issues Guidance on Cybersecurity Risks Arising from Artificial Intelligence [Alert]

October 24, 2024

Andrew Baer and Robert Rubenstein discuss the New York Department of Financial Services industry letter on the cybersecurity risks associated with AI.

The EU AI Act: Part Four – Low Risk AI Systems and Enforcement [Cyber Law Monitor Blog]

October 16, 2024

This is part four of our examination of the European Union’s new artificial intelligence law, the (“EU AI Act”).  In part one, we introduced the scope of the EU AI Act and discussed what types of AI systems are outright banned. In part two, we discussed high risk AI systems. In part three, we...

The EU AI Act: Part Three – General-Purpose Models [Cyber Law Monitor Blog]

September 12, 2024

This is part three of our examination of the European Union’s new artificial intelligence law (the “EU AI Act”).  In part one , we introduced the scope of the EU AI Act and discussed what types of AI systems are outright banned. In part two, we discussed high risk AI systems. In this article,...

The EU AI Act: Part Two – High-Risk AI Systems [Cyber Law Monitor Blog]

July 11, 2024

This is part two of our examination of the European Union’s new artificial intelligence law, the (“EU AI Act”). In part one, we introduced the scope of the EU AI Act and discussed what types of AI systems are outright banned. In this article, we look at what types of AI systems are considered...

Joint Guidelines for Secure AI Deployment [Alert]

April 25, 2024

The new cybersecurity guidance, issued jointly by agencies in the U.S., Australia, New Zealand, the U.K., and Canada, focuses on best practices for organizations that deploy third-party-developed AI.

The European Union Artificial Intelligence Act: Part One – Scope and Prohibited Systems [Cyber Law Monitor Blog]

April 23, 2024

The European Union recently enacted its new artificial intelligence regulation, the (“EU AI Act”). The new law is expected to have a substantial impact on the AI industry, including on companies outside of the EU, much as the GDPR did. Overall, the EU AU Act follows a risk-based approach...

California Appellate Court Greenlights Enforcement of Privacy Regulations [Alert]

February 15, 2024

The California Privacy Protection Agency's regulations for the California Consumer Privacy Act are back in effect. Andrew Baer and Daniel Kilburn discuss crucial details on data privacy rights and enforcement priorities.

California’s Delete Act Creates Universal Deletion Requirement Aimed at Data Brokers [Alert]

October 17, 2023

The Delete Act expands on regulations already in place and shifts enforcement from the Secretary of State to the California Privacy Protection Agency (CPPA).

SEC Adopts Final Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure

July 27, 2023

Cozen O’Connor’s multidisciplinary Technology, Privacy & Data Security practice discusses the new rules, their reporting requirements, and when they go into effect.

EU Adopts the EU-US Data Privacy Framework [Alert]

July 11, 2023

On July 10, 2023, the EU adopted the EU-US Data Privacy Framework in response to the Schrems II decision, which struck down the EU-US Privacy Shield.

Irish Data Protection Commission’s Decision Throws Use of Standard Contractual Clauses Into Doubt [Alert]

May 30, 2023

Ireland’s Data Protection Commission has imposed a €1.2 billion fine on Meta Platforms for violating the EU's General Data Protection Regulation.

AI: What You Need to Know [Cyber Law Monitor Blog]

May 01, 2023

Andy Baer is joined by three of his Cozen O'Connor colleagues for a panel discussion exploring the evolving law of artificial intelligence in the U.S. and Europe, including legal risks associated with ChatGPT and other AI tools, the current state of regulation, and how providers and users of AI...

You’ve Been Breached - Who Do You Call? [Cyber Law Monitor Blog]

January 30, 2023

Host Andrew Baer is joined by Matthew Klahre from Cozen O'Connor's Technology, Privacy, & Data Security practice group for a discussion, with practical tips, on how to manage internal and external communications following a data breach. Download this episode....

Update on EU-US Personal Data Transfers [Cyber Law Monitor Blog]

November 14, 2022

Andy Baer is joined by Christopher Dodson of Cozen O'Connor to discuss EU-US personal data transfers after Schrems II, including the latest on the EU-US Data Privacy Framework. Download this episode....

Incoming State Privacy Laws in 2023 [Cyber Law Monitor Blog]

November 01, 2022

Introducing the Cyber Law Monitor Podcast, a podcast from Cozen O’Connor’s Technology, Privacy & Data Security practice group with discussions and perspectives on emerging trends, developments and best practices. In the inaugural episode, host Andrew Baer is joined by his Cozen O'Connor...

Another New CA Privacy Law Targets Collection of Information from Minors [Alert]

October 03, 2022

The California Age-Appropriate Design Code Act imposes stringent new privacy requirements on businesses that sell to consumers under 18 years of age.

Federal Privacy Law Passage in Doubt? [Cyber Law Monitor Blog]

August 29, 2022

A few months ago it seemed like the American Data Privacy and Protection Act (ADPPA) was gaining momentum in Congress and represented the best hope in years for passage of a federal data privacy law that would preempt the five overlapping (but not totally consistent) state comprehensive privacy...

The New Standard Contractual Clauses Deadline is Approaching [Cyber Law Monitor Blog]

August 15, 2022

On June 4, 2021, the European Commission introduced the new set of Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States under the European Union’s General Data Protection Regulation. These new SCCs replace the three...

AI and Cybersecurity Issues Look Set to Dominate the Privacy Landscape in 2022 [Cyber Law Monitor Blog]

April 15, 2022

Meghan Stoppel, who spent over a decade serving as an Assistant Attorney General, and later a Consumer Protection Chief, to both Democratic and Republican state attorneys generals, talks to Andy Baer, Chair of Cozen O’Connor’s Technology, Privacy and Data Security practice, about how state AGs are...

SEC Proposes New Rules for Cybersecurity Incident Reporting [Alert]

March 28, 2022

In March, the SEC proposed new rules pertaining to reporting material cybersecurity incidents and their cybersecurity risk management and governance.

FFIEC Updates Guidance to Financial Institutions for Authentication and Access [Alert]

September 14, 2021

Chris Dodson and Andy Baer discuss FFIEC's updated guidance and best practices for financial institutions for information system authentication and access management controls.

Victims of SolarWinds Cyberattack Face Investigation Costs, Liability Issues

January 26, 2021

Andrew Baer and Christopher Dodson discuss the significant costs and potential liability issues faced by the victims of the SolarWinds Corp. cyberattack.

European Data Protection Board Releases Guidance on Cross-Border Data Flows in the Wake of Schrems II [Cyber Law Monitor Blog]

December 14, 2020

On November 10, the European Data Protection Board (EDPB), the European Union’s top data privacy regulator, issued long-awaited guidance setting out a framework for navigating transfers of data out of the European Economic Area (EEA) in light of this July’s landmark ruling from the Court of...

California Privacy Rights Act Will Revamp CCPA to Include GDPR-Type Requirements [Cyber Law Monitor Blog]

July 08, 2020

On June 24, the eve of the July 1 enforcement date for the California Consumer Privacy Act (CCPA), the California Secretary of State certified the California Privacy Rights Act (CPRA), the latest brainchild of privacy activist (and CCPA spiritual father) Alastair Mactaggart, to appear on the...

Education

  • University of Chicago Law School, J.D., 1996
  • Dartmouth College, B.A., 1993

Awards & Honors

2022 Law Firm Innovators, The Legal Intelligencer

Best of the Bar, Philadelphia Business Journal, 2022

  • New York
  • New Jersey
  • Pennsylvania