Data, Privacy & Cybersecurity

Privacy & Cybersecurity

Ropes & Gray is a leader in helping clients navigate the increasingly complex legal landscape surrounding data, from managing complex global advisory matters to responding to litigation and investigations stemming from security incidents and alleged privacy violations and advising on transactions involving the acquisition and management of data.


Global Network

The use of data knows no geographic boundaries. Our global team can diagnose issues presented by regulatory regimes around the world, working closely with a network of leading privacy lawyers in many countries. 

“They were top-notch and really displayed a level of thinking that is much more analytical and strategic than I have seen elsewhere.” Client, Chambers USA
“They were absolutely fantastic—extremely knowledgeable and experienced.” Client, Chambers USA


In today’s global and digital business environment, advances in technology have greatly increased the value of data as an asset, and regulation of data has increased its risk as a liability affecting individuals, businesses and governments worldwide.  Ropes & Gray’s Data Practice helps clients manage the full array of issues and matters that arise from the collection, use, storage, commoditization, disclosure, transfer and disposal of data, including:

  • Privacy and cybersecurity compliance and counseling, including advice on the key components of relevant laws and regulations, developing tailored compliance plans, and preparing for and responding to cyber incidents.  
  • Corporate and transactional support, including privacy and cybersecurity-related diligence for mergers and acquisitions and advice related to the buying, selling and licensing of data, as well as complex collaborations to develop or exploit data.
  • Regulatory investigations and litigation arising from cyberincidents and any resulting theft, loss or unauthorized use of confidential or personal information, as well as alleged violations of applicable data privacy requirements.

Compliance and Counseling

Our attorneys help clients properly comply with the law and minimize privacy and cybersecurity risks. By undertaking comprehensive privacy and security risk assessments, building global compliance programs, and providing ongoing counseling and advice, we help clients understand and meet their legal obligations and position themselves to avoid attacks on their systems. Our attorneys also provide advice to clients on how to prepare for a cyber incident and assist clients in responding after an incident has occurred. Our goal is to help clients manage information and leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, and solidify brand and consumer trust. 

Corporate and Transactional

Our attorneys help clients identify privacy and cybersecurity risks that may be underlying a potential deal, performing privacy- and cybersecurity-specific due diligence to assess and address risk in the context of private equity deals, mergers and acquisitions, and other corporate transactions. They also provide support for securities offerings and issuances, review and negotiate contracts concerning data and vendor relationships, review investment disclosures, and analyze risks inherent in the investment in and use of alternative data.

Litigation and Enforcement

Even when companies prepare well and respond properly to an incident, claims of privacy violations and/or cybersecurity failures often follow. If an incident does occur, our litigation and enforcement attorneys advise on the myriad legal issues that arise, representing clients in all manner of federal, state and international regulatory and civil claims. Our team handles the class-action litigation, regulatory investigations, and related disputes and lawsuits that frequently result from these situations or accusations, drawing on our extensive knowledge and experience to master the relevant facts quickly for asserting or defending the company’s interests on all of these fronts.


Ropes & Gray has been retained by clients in many of the most complex and groundbreaking privacy and cybersecurity cases.


  • Managed a global team of privacy and security experts providing advice to a U.S.-based technology company on privacy and security compliance relevant to planned expansion in Europe, the Middle East, Africa and Asia
  • Rolled out a global privacy policy, terms of use and a correspond­ing user dashboard for a popular suite of fitness apps, using teams of local counsel spanning five continents
  • Performed a privacy, security and digital risk assessment for a consumer products company with operations in more than 100 countries
  • Developed a comprehensive suite of policies mapped to the National Institute of Standards and Technology cybersecurity framework with HIPAA Security Rule requirements layered in for a health industry client
  • Overhauled vendor onboarding processes and diligence of cybersecurity practices for a multinational asset management client, reporting regularly to the board committee overseeing the project
  • Conducted a comprehensive, global cybersecurity risk assessment a multinational analytical science and instrument development company
  • Advised on the privacy and cybersecurity aspects of home auto­mation systems, wearable devices and geolocation tracking components, including privileged security assessments (testing of both hardware and software), security vulnerability remedia­tion, and the implications of the EU’s General Data Protection Regulation, among other areas

Regulatory Enforcement & Litigation

  • Representing LabMD in its petition to the U.S. Court of Appeals for review of the first FTC decision holding a company liable for allegedly having unreasonable data security practices that violate Section 5 of the FTC Act
  • Serving as lead counsel for Arby’s Restaurant Group in defending against all third-party claims arising from a payment card incident announced in February 2017
  • Advised The Home Depot in responding to card brand inquiries stemming from the cyberincident that Home Depot announced in September 2014
  • Served as lead outside counsel for Supervalu Inc. in defending and responding to all litigation claims and regulatory inquiries stemming from the cyberincident that Supervalu announced in August 2014
  • Represented Target as lead outside counsel in responding to card brand inquiries and defending card issuer litigation stemming from the cyberincident that Target announced in December 2013
  • Represented Heartland Payment Systems in obtaining dismissal of all class-action claims, and closure of all regulatory investigations, stemming from one of the largest computer cyberincidents ever
  • Advised Wyndham Hotels and Resorts with regard to card brand claims and regulatory investigations stemming from cyberincidents involving a number of the independently owned Wyndham-branded hotels
  • Represented TJX in favorably resolving the class-action litigation, card brand claims and regulatory investigations stemming from what was then the largest cyberincident ever
  • Represented Genesco in the first lawsuit against Visa to challenge the lawfulness of cyberincident penalties imposed by Visa

Incident Response

  • Regularly advise both small and large financial institutions, health care institutions, and other companies that have experienced security breaches and other security events involving personal data
  • Developed a comprehensive incident response plan for large insurance and financial industry clients, addressing coordinated response and crisis management across the organization
  • Managed privileged cybersecurity assessments for a complex financial industry client and conducted a successful red team exercise
  • Provide ongoing cybersecurity advice to one of the world’s leading franchisors, with more than 19,000 locations around the globe


  • Financial services / asset management
    • Bain Capital
    • The Carlyle Group
    • TPG Capital
  • Health care
    • Athenahealth
    • Heartland Dental
    • Aurora Health Care Inc
  • Life sciences
    • Hologic
    • Bioventis
    • Pfizer
  • Banks and investment banks
    • Santander Bank
  • Colleges & universities
    • Wake Forest
    • NYU
Cookie Settings