The Data Security & Privacy Practice Group at Kirkland focuses on the evolving business, technological, and legal issues relating to the security and privacy of networks and data. This multi-disciplinary practice group represents clients in investigations, crisis response to data breach incidents, litigation, government relations, counseling, and transactions. The group consists of lawyers in different practice groups, resident in the United States, Europe, and Asia. The group draws on the deep experience that many of its partners have had in government service, including a former U.S. Deputy Attorney General, a former U.S. Attorney for the Southern District of New York, a former Chairman of the Federal Trade Commission, a former Chief of Enforcement at the Securities and Exchange Commission, and several senior Department of Justice officials. Their backgrounds allow Kirkland to deploy unmatched experience on matters including application of the Electronic Communications Privacy Act (ECPA), Economic Espionage Act and state trade secret laws, the Stored Communications Act (SCA), the Wiretap Act, Foreign Intelligence Surveillance Act (FISA), Children's Online Privacy Protection Act (COPPA), the Telephone Consumer Protection Act (TCPA), and other statutes applicable to evolving issues in data security and privacy.
Incident Response and Investigations
The group works closely with clients to lead forensic and incident response teams in security breach matters. With their deep understanding of federal and state breach laws and practical experience, Kirkland assists clients with internal investigations, crisis management, public disclosures (including public company disclosure obligations under U.S. securities law, CF Disclosure Guidance: Topic No. 2: Cybersecurity), law enforcement disclosure and coordination, and pre-litigation strategies. Kirkland also works closely with a network of third-party specialists to provide necessary technical and operational support. The group has worked on more than 30 security breaches.
Litigation and Government Relations
Kirkland's litigation experience encompasses both plaintiff and defense work. On the defense side, the Firm has defended clients in matters ranging from private class action suits to federal and state enforcement actions. On the plaintiff side, Kirkland has represented clients seeking recovery for losses in a variety of contexts, including against perpetrators directly, negligent enablers of perpetrators, contractual counter-parties, and insurance carriers. Additionally, incidents of digital trade secret theft are on the rise, and Kirkland's attorneys continue to draw on the formidable depth of the Intellectual Property and Commercial Litigation practices to litigate a wide range of trade secret matters, including misappropriations by company insiders and by competitors.
The group counsels clients regarding the evolving web of global legal and compliance developments relating to data security and privacy laws, industry standards, and “voluntary” government guidelines. Kirkland’s lawyers counsel clients in a variety of business settings, including government requests for data, spyware, spam, reasonable safeguards, product and service design (i.e., “privacy-by-design”), marketing and advertising practices, social networking, and consumer profiling. The team works closely with attorneys from Kirkland’s Advertising, Marketing and Promotions practice group. Kirkland’s counseling experience includes industry-specific laws and requirements (such as GLB, HIPAA, HITECH, and Payment Card Industry Data Security Standard (PCI DSS)), the EU Data Protection Directive and the related EU-U.S. Privacy Shield, and governmental guidelines like the FTC Behavioral Advertising Guidelines. The group also counsels clients on the obligations created under the EU General Data Protection Regulation (GDPR), which will replace the EU Data Protection Directive.
The practice group includes members from Kirkland's Transactions Practice Group who represent clients in deals where data is a significant aspect. Important data issues can arise in a variety of deal contexts, including mergers, acquisitions, divestitures, restructurings, joint ventures, strategic alliances, outsourcing, licenses, and other commercial agreements. Some deals are built entirely on the value of data being collected or shared. Data is a strategic asset for any company and commitments relating to the use, sharing, or acquisition of data can have long-term impact on a company's business. Issues can arise relating to ownership, usage, restrictions (including with respect to selling customer lists), obligations (including with respect to securing data and handling breaches), risk allocation (representations, warranties and indemnities), and liability schema (including limitations on remedies and damages).
Representative Litigation Matters
In re Anthem, Inc. Customer Data Security Breach Litigation
Kirkland represented the Blue Cross & Blue Shield Association and Health Care Service Corporation in connection with this putative nationwide class action arising out of the highly publicized cyber security breach involving Anthem, Inc., which allegedly resulted in the theft of the protected health information and other personal information of up to 80 million people.
Strautins v. Trustwave Corp.; Morgan v. Director of South Carolina Department of Revenue, et al.
Kirkland represented Trustwave Holdings in two putative consumer class action lawsuits arising from a high profile South Carolina Department of Revenue data security breach that purportedly compromised the personal data of millions of South Carolina taxpayers. In 2013 and 2014, Kirkland won dismissal of all claims in both suits. An appeal in the South Carolina state case was voluntarily dismissed by the plaintiff in 2015.
Federal Trade Commission (FTC) v. Wyndham Hotel Group LLC, et al.
Kirkland represented Wyndham Worldwide Corporation in a lawsuit brought under Section 5 of the FTC Act, where the FTC alleged that Wyndham’s data-security practices constituted “unfair” and “deceptive” trade practices and led to data breaches and millions of dollars in fraud losses involving hotel guests’ personal information. Kirkland won a change of venue motion in 2013. Following an interlocutory appeal, the parties announced a settlement agreement in 2015.
State of Minnesota v. Accretive Health Inc. and related matters
Kirkland represented Accretive Health, Inc. in a federal lawsuit brought by the Minnesota attorney general, investigations before two congressional committees, the FTC and state regulatory agencies, and securities and consumer lawsuits. The lawsuits and investigations, arising from the theft of a laptop containing hospital patient records, alleged the company's policies and practices violated HIPAA, the Fair Debt Collection Practices Act, and other state privacy, debt collection, and consumer protection laws. While Accretive's motion to dismiss was pending, a favorable settlement was reached. On August 7, 2012, the court dismissed the action with prejudice.
Vamvakias v. Lincoln National Corporation
Kirkland represents Lincoln National in a class action in the Central District of California in which plaintiffs allege that the recording of telephone calls is in violation of the California Invasion of Privacy Act.
America Online Class Action Privacy Litigation
Kirkland defended AOL in one of the largest lawsuits ever filed under the Stored Communications Act. The case was brought in the U.S. District Court for the Northern District of California on behalf of a putative class of 680,000 customers who claimed that AOL wrongly made available for download certain Internet search queries in 2006. Plaintiffs sought statutory damages of at least $685 million and unspecified punitive damages. Kirkland secured the complete pre-trial dismissal of the case. The case was then refiled in Virginia and Kirkland negotiated a class-wide settlement.
Shakib v. Discover Financial Services
Kirkland represented Discover Financial Services and Discover Bank in a state class action in which plaintiffs alleged information-sharing practices constituted unfair competition and violated the privacy rights of California credit card members.
Teamsters v. Bankers Life
Kirkland obtained dismissal of a putative class action alleging invasion of privacy and misappropriation of trade secrets in connection with our client's disclosure of customer names to a third party.
Other Select Breach Matters (resolved or proceeding confidentially)
Kirkland has successfully achieved confidential resolutions to many security breach matters in private settlements without resorting to litigation, including:
Negotiating a successful settlement with several credit card companies after the significant theft of credit card data from a nationwide retailer.
Working with the FBI to apprehend the perpetrator of a security breach at a payroll company, and negotiating outcomes with affected customers.
Negotiating successful outcomes with two regulators on behalf of a financial services company that experienced a data breach involving social security numbers and financial account data.
Assisting a private equity firm in successfully recovering the firm's stolen funds from a bank.
Representing multiple health care companies in ongoing regulatory (DHHS/OCR) matters involving breaches of personal health information.
Representative Counseling Matters
Advised a financial services firm regarding privacy risks and compliance with respect to Gramm-Leach-Bliley and the European Data Directive.
Counseled a major cosmetics company with respect to privacy and data protection issues for its global e-commerce websites, including compliance with the European Data Directive.
Advised a client in connection with EU data protection compliance issues in six countries and also in the implementation of its CRM platform.
Provided advice to a financial services firm on the application of the European electronic communications directive to the client's operations.
Represented various investor groups in the acquisitions and/or sales of the following companies in the data security field: SecurityLink, Tenable Security, SonicWALL, and FishNet Security.
Represented both service providers and customers in different outsourcing deals, including in the financial services, health care, retail, and insurance industries. Deals have implicated a number of applicable regulatory requirements (e.g., HIPAA, HITECH, GLBA, GINA, URAC, NCQA and other U.S. state/federal and EU requirements).
Advised a multi-national company with numerous data monetization transactions relating to the acquisition and licensing of geographical mapping data.
Represented clients in joint ventures relating to data-intensive businesses, including health care alliances (electronic medical records), payment processing deals, and retail alliances regarding internet traffic.
Represented an internet company in an infrastructure outsourcing transaction involving the migration of data centers from Europe to the United States.
Represented a brokerage firm in connection with the creation of a data consortium for the commingling and sale of inter-dealer broker data for credit instruments.
Advised clients in cloud computing transactions involving strategic corporate and personal information.
Represented a computer hardware company on a privacy agreement proposed by a retailer to govern the parties' relationship.