Ropes & Gray has represented clients in regulatory enforcement and civil litigation matters triggered by many of the largest and most highly publicized cybersecurity incidents that companies have faced.
Our attorneys skillfully navigate the complicated web of federal, state and international regimes that make up the cybersecurity regulatory environment. We frequently represent clients in responding to US federal and state regulatory investigations into cybersecurity incidents and the collection, use and protection of consumer information, and we have served as global coordinating counsel in worldwide regulatory investigations for some of the world’s most recognized brands. In cases where those regulatory investigations lead to enforcement actions, we are fully prepared to represent our clients’ interests in court, having represented Wyndham and LabMD in two of the best known litigated cases arising from regulatory investigations of cybersecurity incidents.
We also have unparalleled experience defending clients in the civil litigation that often follows a major cybersecurity incident or alleged privacy violation. This especially includes large class actions, where plaintiffs seek monetary recovery and attorneys fees for claimed injuries allegedly resulting from the breach or from the collection or use of consumer information.
Our clients in such matters include victims of some of the largest cybersecurity incidents involving personal information to date, facing claims by individual consumers, financial institutions, card brands and shareholders. We also represent clients confronted by alleged privacy violations, such as alleged unlawful workarounds for third-party cookies and alleged violations of the Telephone Consumer Protection Act.
A pioneer in cybersecurity litigation, Ropes & Gray is the only firm to have litigated against Visa and MasterCard regarding the lawfulness of fines, fees and assessments they impose following a cybersecurity incident.
From very early on as cybersecurity incidents began to make an impact on global commerce, Ropes & Gray’s attorneys have been developing their extensive experience in privacy and cybersecurity regulatory enforcement and civil litigation, including in some of the highest profile cybersecurity incidents with hundreds of millions of dollars as stake. These representations have been on behalf of clients throughout the United States; we have defended clients in the courts of Arizona, California, Delaware, Florida, Georgia, Illinois, Indiana, Massachusetts, Minnesota, Missouri, New Hampshire, New Jersey, New York, Ohio, Tennessee, and Texas, and before the First, Third, Fifth, Sixth, Eighth, and Eleventh Circuits; before the FTC, Office of Civil Rights, and virtually every Attorney General’s office and many state officials; and in regard to non-U.S. regulatory investigations in Australia, Brazil, Canada, Hong Kong, Ireland, Japan, and the United Kingdom. Our most substantial representations of this sort include:
- LabMD in its petition to the U.S. Court of Appeals for review of the first FTC decision holding a company liable for allegedly having unreasonable data security practices that violate Section 5 of the FTC Act.
- A multinational advertising and public relations company in class action litigation and regulatory investigations related to an alleged “workaround” by which third-party cookies could be set on browsers that had been configured to deny such cookies
- Supervalu Inc. in defending and responding to all litigation claims and regulatory inquiries stemming from cybersecurity incidents announced in 2014
- Multiple clients in diverse industries in defending against payment card brand claims seeking to impose fines and issuing bank reimbursement assessments arising from cybersecurity incidents involving payment card data. Such clients include TJX, Hannaford Brothers, Heartland, Wyndham Hotels, Target, Neiman Marcus, Aldo, Hilton, Landry’s, Destination Hotels, Sally Beauty, Supervalu, Home Depot, and Arby’s.
- Arby’s Restaurant Group as lead counsel in defending against all third-party claims, including the pending issuer and consumer class actions, arising from a cyber incident announced in February 2017
- Hilton Worldwide in litigation against Hilton’s former payment card processor in connection with a commercial dispute relating to a cybersecurity incident
- A large regional healthcare network in defending against class action litigation and regulatory inquiries arising out of alleged theft of physical records containing personal and health information
- A Fortune 100 Insurance Company with respect to class action litigations and regulatory inquiries arising from a cybersecurity incident on a portion of its computer network
- Massachusetts Eye and Ear Infirmary in connection with an enforcement action by the OCR relating to the loss of a laptop containing unencrypted protected health information
- Massachusetts General Hospital in connection with an enforcement action by the OCR relating to the loss of certain documents containing protected health information by an employee
- Sony in its widely reported computer network attacks in April 2011, including multidistrict class action litigation and regulatory inquiries across jurisdictions
- Multiple clients in defense of regulatory inquiries into application and product security regarding privacy and cybersecurity practices around collection and use of customer information, even in the absence of a cybersecurity incident
- A publicly traded healthcare technology company in class action litigation involving alleged violation of the Telephone Consumer Protection Act (TCPA)
- Multiple clients in class action litigation under the Fair and Accurate Credit Transactions Act (FACTA) relating to information printed on payment card receipts
- Target as lead outside counsel in defending card issuer litigation stemming from the cybersecurity incident that Target announced in December 2013
- Wyndham Hotels and Resorts in connection with the FTC investigation and ensuing litigation stemming from a series of cybersecurity incidents during 2008-2010 of the computer networks of a substantial number of independently owned Wyndham-branded hotels
- Heartland Payment Systems in various class action claims and regulatory investigations, stemming from one of the largest computer cybersecurity incidents ever
- The TJX Companies, Inc. in regard to consumer class actions, issuer class actions, shareholder claims, and state, federal, and foreign regulatory investigations arising from cybersecurity incidents in 2005 and 2006 that affected store chains in the United States, Puerto Rico, Canada, and the United Kingdom
- Hilton Worldwide in litigation against Hilton's former payment card processor and acquiring bank in connection with a commercial dispute relating to previously-announced cybersecurity incidents
- A large regional hospital organization in defense against class action litigation and regulatory inquiries arising out of alleged theft of physical records containing personal and health information.
- Supervalu Inc. as lead outside counsel in defending and responding to all litigation claims and regulatory inquiries stemming from the cybersecurity incidents that Supervalu announced in August 2014 and September 2014
- Wyndham Hotels and Resorts in regulatory investigations stemming from cybersecurity incidents involving a number of the independently owned Wyndham-branded hotels, including the first ever litigation brought by the FTC over cybersecurity issues.
- TJX in class-action litigation and regulatory investigations stemming from what was then the largest cybersecurity incident ever
- Genesco in the first lawsuit against Visa to challenge the lawfulness of cybersecurity incident penalties imposed by Visa
- Aldo in the first lawsuit against MasterCard to challenge the lawfulness of cybersecurity incident penalties imposed by MasterCard