Drew T. Ricci advises companies on complex data governance, artificial intelligence and cybersecurity matters where regulatory risk, product strategy and enterprise exposure intersect. He partners with executive leadership, in-house counsel and technical teams to design governance structures that support innovation while mitigating legal, operational and reputational exposure.

Drew’s practice focuses on enterprise privacy strategy, AI governance, cybersecurity incident response and complex data-related litigation. He regularly counsels organizations operating across multiple jurisdictions and regulatory regimes, translating evolving legal frameworks into practical, defensible controls.

Data Privacy & Enterprise Governance

Drew advises clients on compliance with U.S. and international privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (CDPA), the Children’s Online Privacy Protection Act (COPPA) and other state comprehensive privacy statutes, as well as the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH), the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). His work extends beyond regulatory interpretation to the design and implementation of scalable privacy programs.

He assists organizations with:

  • Enterprise data mapping and classification
  • Risk assessments and impact analyses
  • Cross-border data transfer strategy
  • Consumer rights intake and fulfillment processes
  • Vendor and SaaS risk allocation
  • Data sharing and licensing agreements
  • Regulator-facing documentation and preparedness

Drew frequently negotiates complex technology and data processing agreements, with particular focus on liability allocation, indemnification, security representations and audit rights.

Artificial Intelligence & Emerging Technology

Drew maintains a focused practice advising clients deploying artificial intelligence and machine learning technologies across product, marketing, operational and internal environments. He counsels companies on establishing governance frameworks that address evolving regulatory expectations while preserving speed to market and competitive positioning.

His AI-related experience includes:

  • Development of AI governance and oversight structures
  • Assessment of automated decision-making and bias risk
  • Generative AI deployment policies
  • Vendor diligence and contractual controls
  • Transparency, disclosure, and consumer protection risk
  • EU AI Act readiness and emerging U.S. regulatory developments

Drew works closely with product and engineering teams to ensure AI deployment aligns with regulatory standards and long-term enterprise risk management.

Cybersecurity & Incident Response

Drew advises organizations in connection with cybersecurity incidents, including forensic coordination, regulatory notification analysis, contractual exposure assessment and litigation risk mitigation. His experience defending data-related claims informs his approach to incident response planning and post-incident strategy.

Litigation & Enforcement Matters

In addition to his advisory practice, Drew represents national companies in complex federal and state litigation involving data governance and consumer protection statutes, including matters arising under the Fair Credit Reporting Act. His litigation experience shapes his compliance counseling, ensuring governance programs are structured with defensibility in mind.

Drew holds the Certified Information Privacy Professional (CIPP/US) certification and regularly writes and presents on artificial intelligence governance, cybersecurity risk and privacy regulatory developments.

Recognition

  • Maryland Super Lawyers, “Rising Stars,” 2024-2026
  • Best Lawyers: Ones to Watch® in America, 2026
