Michelle Visser


  • JD, Stanford Law School, 2005; Order of the Coif; Symposium Editor, Stanford Law Review; Managing Editor, Stanford Journal of Law, Business & Finance
  • BA (Mathematics & Economics), (Honors degree, with greatest distinction), Calvin College, 2002


  • California, 2011
  • Massachusetts, 2005

Court Admissions

  • U.S. Court of Appeals for the Second Circuit
  • U.S. Court of Appeals for the Ninth Circuit
  • U.S. Court of Appeals for the Eleventh Circuit
  • U.S. District Court for the Central District of California
  • U.S. District Court for the Northern District of California
  • U.S. District Court for the Southern District of California
  • U.S. District Court for the District of Massachusetts
  • Honorable Bruce M. Selya, U.S. Court of Appeals for the First Circuit
  • Global Data Review 40 Under 40 (2018)
  • The San Francisco Recorder Women Leaders in Technology Law (2015)
  • Legal 500 (2015-2018)
  • Law 360 Rising Star (2015)
  • San Francisco Daily Journal “20 under 40” (2015)
  • Northern California Super Lawyers, Rising Star (2015)

Michelle Visser


Michelle Visser focuses her practice on complex business litigation matters. She has extensive experience assisting companies in responding to the variety of legal issues that can result from data security breaches, including experience in overseeing forensic investigations and defending against claims made or threatened by credit card companies, financial institutions and regulators. She also regularly represents companies in defending against class actions, with experience in class actions involving securities, antitrust and data security claims.


  • LabMD. Represented LabMD in its successful petition to the U.S. Court of Appeals resulting in the first-ever court decision overturning an FTC cybersecurity action.
  • Supervalu Inc. Represented Supervalu in responding to regulatory inquiries stemming from the data security breach that Supervalu announced in 2014.
  • Target. Represented Target in responding to card brand inquiries and defending card issuer class action litigation stemming from the data security breach that Target announced in 2013.
  • Sony. Represented Sony and its various entities in investigating the data security breaches announced in 2011 and in responding to regulatory and card brand inquiries stemming from those security breaches.
  • Hitachi-LG Data Storage. Represents the Korean-Japanese joint venture in defending civil class actions, opt-out actions, and a state action alleging price-fixing in the optical disk drive industry.
  • Heartland Payment Systems. Represented Heartland in the FTC investigation stemming from the data security breach announced by Heartland in 2009, which the FTC closed without taking any action against the company.
  • American Dental Partners Inc. Represented ADPI in securities fraud and derivative litigation stemming from ADPI’s announcement of a prior litigation loss, not litigated by Ropes & Gray. Secured dismissal of the derivative action and settlements within insurance policy limits to terminate the securities actions.
  • The TJX Companies Inc. Represented TJX in securing a favorable settlement to terminate the investigation of a multi-state working group of 40 Attorneys General into the data security breach announced by TJX in 2007.



  • Presenter, “Cybersecurity Risk Management: New Methods to Gain Control,” Mandiant Webinar (October 23, 2018) 
  • Panelist, “Practitioner’s Panel,” Berkeley Center for Law and Technology Privacy Law Forum, East Palo Alto, CA (March 23, 2018) 
  • Panelist, “Data Security and Privacy Litigation,” “The Exchange" Privacy & Cybersecurity Forum, San Francisco, CA (March 19, 2018) 
  • Presenter, “Privacy & Cybersecurity Litigation Roundup,” Ropes & Gray Roundtable, Palo Alto, CA (March 13, 2018) 
  • Panelist, “Emerging Data Concerns: Algorithms, Biometrics, Connected Devices and More,” Ropes & Gray Privacy & Cybersecurity Summit, New York, NY (February 8, 2018)
  • Panelist, “Mitigating Liability: How to Prepare for and Respond to Breach,” 2018 Law Review Symposium (January 26, 2018)
  • Panelist, “Privacy/Security Litigation Update – What the Big Developments in 2017 Mean in 2018 and Beyond,” The 2018 Midwest Legal Conference on Privacy & Data Security (January 25, 2018)
  • Panelist, “Data Privacy & Protection,” PWC Regulatory Briefing Series, San Francisco, CA (May 23, 2017)
  • Panelist, “It’s a Hack! Data Breach Incident Response, Preserving the Attorney-Client Privilege, and Ethical Obligations with Litigation on the Horizon,” ABA Litigation Annual Conference (May 2017)
  • Panelist, “Rethinking Information and Data Governance in Light of Multiplying Regulatory Requirements,” Sandpiper/PwC Governance Briefing (May 2017)
  • Speaker, “Cyberattacks: Incident Response Strategies to Reduce Legal Exposure,” ACC-SFBA CLE Lunch Seminars (May 2017)
  • Panelist, “Hackers, phishers and squatters, oh my! Dealing with Cyberspace when lots of folks spy,” U.S. Court of Appeals Fifth Circuit Judicial Conference (May 2017)
  • Speaker, “Cyber Security and the Move to the Cloud: The Practical and Legal Challenges of Securing and Controlling Data,” ACC-SFBA CLE Lunch Seminars (July 2016)
  • Panelist, “Cybersecurity: the new reality,” San Francisco Regional Compliance & Ethics Conference (May 2016)
  • Panelist, “Sleuthing: Investigation & Evidence Collection in a Cyber World,” HB Litigation Conference (February 2016)
  • Speaker, “Practical Tips from 2015 Data Breach Litigation Decisions and Enforcement Actions,” ACC-SFBA CLE Lunch Seminars (January 2016)
  • Panelist, “Protecting Information Assets in the Face of More Vexing Cyber Attacks,” 12th Annual Stanford E-Commerce Best Practices Conference, Stanford, CA (June 2015)
  • Speaker, “Best Practices in Dealing with Post Cyber Attack Litigation Risk in 2015,” Knowledge Congress Live Webcast Series (June 2015)
  • Panelist, “Data Security: Are There (Legal) Solutions?,” 4th Annual BCLT Privacy Law Forum: Silicon Valley (March 2015)
  • Speaker, "The Internet of Things and United States Data Handling and Protection Laws: Risk & Opportunity in Big Data," Ropes & Gray Tokyo Morning Briefing Teleconference (February 2015)
  • Speaker, “Sensitive Data & the Business Judgment Rule,” ACC-SFBA CLE Lunch Seminars (February 2015)
  • Speaker, “Medical and Lifestyle Devices and Apps: Who Says You Can't Collect That Data?” IAPP Global Privacy Summit, Washington DC (March 2014)
  • Speaker, “When it Happens to You: How to Navigate a Payment Card Breach,” West Coast Lunchtime Legal Briefing Teleconference (February 2014)
  • Speaker, “By Design – Why Smart App Developers Don’t Wait Until Launch Before Thinking About IP and Data Privacy Matters,” West Coast Lunchtime Legal Briefing Teleconference (September 2012)
Cookie Settings