Regulatory Enforcement & Civil Litigation

When organizations face claims of privacy violations and/or cybersecurity failures, skilled legal representation is essential. Ropes & Gray’s privacy & cybersecurity enforcement team has the knowledge and experience to master quickly the relevant facts and develop an effective defense strategy.


Ropes & Gray has represented clients in regulatory enforcement and civil litigation matters triggered by many of the largest and most highly publicized cybersecurity incidents that companies have faced.

Regulatory Enforcement

Our attorneys skillfully navigate the complicated web of federal, state and international regimes that make up the cybersecurity regulatory environment. We frequently represent clients in responding to US federal and state regulatory investigations into cybersecurity incidents and the collection, use and protection of consumer information, and we have served as global coordinating counsel in worldwide regulatory investigations for some of the world’s most recognized brands. In cases where those regulatory investigations lead to enforcement actions, we are fully prepared to represent our clients’ interests in court, having represented Wyndham and LabMD in two of the best known litigated cases arising from regulatory investigations of cybersecurity incidents.

Civil Litigation

We also have unparalleled experience defending clients in the civil litigation that often follows a major cybersecurity incident or alleged privacy violation. This especially includes large class actions, where plaintiffs seek monetary recovery and attorneys fees for claimed injuries allegedly resulting from the breach or from the collection or use of consumer information.

Our clients in such matters include victims of some of the largest cybersecurity incidents involving personal information to date, facing claims by individual consumers, financial institutions, card brands and shareholders. We also represent clients confronted by alleged privacy violations, such as alleged unlawful workarounds for third-party cookies and alleged violations of the Telephone Consumer Protection Act.

A pioneer in cybersecurity litigation, Ropes & Gray is the only firm to have litigated against Visa and MasterCard regarding the lawfulness of fines, fees and assessments they impose following a cybersecurity incident.


From very early on as cybersecurity incidents began to make an impact on global commerce, Ropes & Gray’s attorneys have been developing their extensive experience in privacy and cybersecurity regulatory enforcement and civil litigation, including in some of the highest profile cybersecurity incidents with hundreds of millions of dollars as stake. These representations have been on behalf of clients throughout the United States; we have defended clients in the courts of Arizona, California, Delaware, Florida, Georgia, Illinois, Indiana, Massachusetts, Minnesota, Missouri, New Hampshire, New Jersey, New York, Ohio, Tennessee, and Texas, and before the First, Third, Fifth, Sixth, Eighth, and Eleventh Circuits; before the FTC, Office of Civil Rights, and virtually every Attorney General’s office and many state officials; and in regard to non-U.S. regulatory investigations in Australia, Brazil, Canada, Hong Kong, Ireland, Japan, and the United Kingdom. Our most substantial representations of this sort include:

  • LabMD in its petition to the U.S. Court of Appeals for review of the first FTC decision holding a company liable for allegedly having unreasonable data security practices that violate Section 5 of the FTC Act.
  • A multinational advertising and public relations company in class action litigation and regulatory investigations related to an alleged “workaround” by which third-party cookies could be set on browsers that had been configured to deny such cookies.
  • Supervalu Inc. in defending and responding to all litigation claims and regulatory inquiries stemming from cybersecurity incidents announced in 2014.
  • Multiple clients in diverse industries in defending against payment card brand claims seeking to impose fines and issuing bank reimbursement assessments arising from cybersecurity incidents involving payment card data. Such clients include TJX, Hannaford Brothers, Heartland, Wyndham Hotels, Target, Neiman Marcus, Aldo, Hilton, Landry’s, Destination Hotels, Sally Beauty, Supervalu, Home Depot, and Arby’s.
  • Arby’s Restaurant Group as lead counsel in defending against all third-party claims, including the pending issuer and consumer class actions, arising from a cyber incident announced in February 2017.