Seth C. Harrington
Seth, a partner in Ropes & Gray’s privacy & data security practice, has counseled clients through the array of legal issues arising from a data breach, including some of the largest U.S. companies. He has also developed a nuanced understanding for evaluating cyberrisk insurance contracts and assisting clients and brokers in obtaining the right coverage based on his expertise in defending clients against the various claims that may arise.
Seth collaborates with colleagues across numerous practices on privacy and cybersecurity compliance and on breach response, applying lessons learned from significant incidents to help clients ensure compliance and effective planning. He has directed all aspects of the response to a privacy or data security incident, from navigating the forensic investigation of a breach to defending against litigation and regulatory inquiries.
Seth also has specific experience representing clients in connection with claims by credit card brands and financial institutions around payment card-related data breaches. Seth has advised clients on the Payment Card Industry Data Security Standards and negotiation of agreements implicating payment card data.
- Serving as lead counsel for Arby’s Restaurant Group in defending against all third-party claims arising from a payment card incident announced in February 2017.
- Advising Hilton Worldwide regarding potential card brand claims stemming from two separate data security incidents that affected certain Hilton-branded hotels around the world in 2014 and 2015. We are also advising Hilton in litigation against Hilton's former payment card processor in connection with a commercial dispute relating to the data security incidents.
- The Aldo Group Inc. Represents Aldo in the ongoing defense of card brand claims in connection with data security breach discovered in 2010. Also assisting Canadian counsel with litigation against MasterCard and Aldo’s processor regarding penalties imposed by MasterCard and collected from Aldo by the processor.
- Genesco Inc. Represents Genesco in the ongoing defense of card brand claims in connection with data security breach announced in 2010, including litigation against Visa seeking recovery of fines and assessments imposed by Visa and collected from Genesco by Genesco’s acquiring banks.
- Heartland Payment Systems Inc. Represents Heartland in the ongoing defense of various legal challenges stemming from the data security breach announced in 2009, including the putative financial institution class action. Advised the client regarding settlements with the card brands under which Heartland received releases from card issuers representing the majority of potentially at-risk payment card accounts.
- The TJX Companies Inc. Represented TJX in the defense of card brand claims and financial institution class action arising out of the data security breach announced in 2007. The card brand claims were favorably settled, and the financial institution class action was dismissed by joint motion following affirmance by the First Circuit of the trial court’s dismissal of almost all of the class action claims.
- Wyndham Hotels & Resorts. Represented Wyndham in the defense of card brand claims related to data security breaches suffered by certain of the Wyndham-branded hotels in 2008-2010.
- Co-author, “Protecting Colleges & Universities Against Real Losses in a Virtual World,” The John Marshall Journal of Information Technology & Privacy Law Volume 33, Issue 2 (2017)
- Co-author, “Your Bitcoin or Your Business: The Growing Threat of Ransomware Across Industries,” Westlaw Journals (December 2017)
- Quoted, “Forensic Firms: Understanding and Leveraging Their Expertise From the Start,” The Cybersecurity Law Report (February 22, 2017)
- Quoted, “How to prepare for and respond to that inevitable data 'incident',” IAPP’s “The Privacy Advisor” (December 9, 2016)
- Co-author, “Practical Tips for In-House Counsel From Recent Private Data Security Breach Litigation,” Bloomberg BNA’s Privacy and Security Law Report (September 13, 2016)
- Co-author, “Expert Q&A on Avoiding Common Mistakes in Data Breach Prevention and Response,” Thomson Reuters “Practical Law” (May 2016)
- Co-author, “FTC Study Could Lead To Changes In PCI DSS Certification,” Law360 (April 6, 2016)
- Quoted, “Breach insurance: Not just for the big guys,” USA Today (Dec. 9, 2014)
- Panelist, “Post-breach – how to do the right thing for your organization,” Advisen’s Cyber Risk Insights Conference, Chicago, IL (May 23, 2018)
- Panelist, New England Litigation Technology Professional Conference, Cybersecurity Panel, Boston, MA (May 10, 2018)
- Panelist, “Reducing Cybersecurity Risks for SEC Regulated Entities – preparing for exams, and managing risk through insurance,” Ropes & Gray Privacy & Cybersecurity Summit, New York, NY (February 8, 2018)
- Panelist, “Cyber Crisis Communication Plans: What Works and What to Avoid,” Cybersecurity Law Report Webinar (December 12, 2017)
- Panelist, “Connected Devices for Consumers and Industry,” BBA Privacy and Cybersecurity Forum, Boston, MA (May 24, 2017)
- Speaker, “The Insider Threat Editorial session,” SC Congress (September 29, 2016)
- Co-presenter, “Cyber Security: Tackling the Beyond From Within in 2015 and Beyond,” The Knowledge Group (August 2015)
- Speaker, “What’s NOT in Your Wallet?” #iLAW Summit: All Things Internet, Mobile and Social (March 2015)