Cyber Security

Ropes & Gray’s cybersecurity practice ensures that our clients are prepared for the pervasive and insidious risk of cyber threats, and are in compliance with ever-changing international, federal and state cybersecurity regulations.



Global Network

Data breaches, cyberattacks and other cyber threats pose serious financial, operational and reputational risks that no organization can afford to ignore. Managing cyber risk in an interconnected world requires a sophisticated, proactive approach, and real-time guidance when incidents—and associated regulatory inquiries—occur.

Ropes & Gray’s comprehensive transactional, regulatory and litigation capabilities enable us to provide proactive protection from increasingly complex cyber threats, and to respond immediately in the event of an incident. Our global presence means that we can have a threat response team in place within 24 hours—anywhere its services are needed around the globe. 

Bringing experience in risk assessment and investigations to bear, Ropes & Gray’s cybersecurity practice helps clients from all industries in all areas of cyber threat prevention and response, including:

  • cybersecurity incident response and compliance
  • preparedness and counseling, including pre-incident advice and assessments
  • preparing for and responding to government surveillance inquiries and enforcement activities
  • risk management and insurance coverage issues
  • address cybersecurity of products and network infrastructure in corporate transactions, from diligence through corporate integration, separation or unwinding
  • representing clients in post-breach litigation
  • representing clients in cybersecurity statute and regulation violation investigations and litigation


  • Managed privileged cybersecurity assessments of complex financial industry client and successful red team exercise.  
  • Represents LabMD in its petition to the U.S. Court of Appeals for review of the first-ever FTC decision holding a company liable for allegedly having unreasonable data security practices in violation of Section 5 of the FTC Act.
  • Overhauled vendor onboarding processes and diligence of cybersecurity practices for multinational asset management client, with regular reports to the Board committee overseeing the project.    
  • Represented TPG Capital, one of the world’s largest private equity firms, in Intel’s spinout of cybersecurity software company McAfee to the private equity firm. Under the $3.1 billion deal TPG will own 51% of the new company. In addition to the firm’s private equity advisors, our intellectual property transactions team is heavily involved in the initial transaction and spinout from Intel, which is expected to be completed in the second quarter of 2017.
  • Conducted a comprehensive cybersecurity risk assessment for all of a multinational analytical science and instrument development company’s global operations.
  • Represented WeddingChannel in an action in the Southern District of New York for infringement of WeddingChannel’s patent relating to an Internet-based gift registry, and for violation of federal and state computer fraud and abuse statutes. Presently prosecuting The Knot’s patent portfolio post-merger.
  • Successfully resolved numerous U.S. state and multi-state attorney general investigations following data incidents, including security breaches.
  • Developed comprehensive suite of policies mapped to the NIST cybersecurity framework with HIPAA Security Rule requirements layered-in for health industry client.
  • Representing Genesco as lead counsel in connection with a 2010 criminal network intrusion, with a successful settlement reached in 2016. The case has been described as a “first of its kind” litigation to recover over $13 million in fines and assessments wrongfully collected by Visa from the banks Genesco contracted with to process Visa transactions.
  • Regularly advise both small and large financial institutions, healthcare institutions, and other general industry companies that have experienced security breaches and other security events involving personal data.
  • Successfully litigated claims against departing executives absconding with client confidential information, including regulated data.
  • For large insurance and financial industry clients, developed comprehensive Incident Response Plan, addressing coordinated response and crisis management across IT, legal, compliance and business teams, conducted table top exercises and testing of the plans through guided discussions and simulated scenarios.  
  • Provide ongoing cybersecurity advice to one of the world’s leading franchisors, with more than 19,000 locations around the globe.



Ropes & Gray’s cybersecurity team will be participating in the following upcoming events:

Recent Speaking Engagements

  • Heather Sussman was a panelist at, “Managing M&A: Cyber Risk,” The Deal Webcast (May 2017)
  • Heather Sussman was a speaker at, “What U.S. Companies Need to Know About the EU General Data Protection Regulation (GDPR),” BBA Seminar (May 2017)
  • Rohan Massey, Doug Meal, and Heather Sussman moderated, “The Ever-Changing Privacy and Cybersecurity Landscape and its Impact on Private Equity Firms,” Ropes & Gray Roundtable (May 2017)
  • Cori Lable and Andrew Dale were presenters at, “Cybersecurity: Global Legal and Compliance Developments,” IDEX Legal Counsel Congress Roundtable, Mumbai (April 2017)
  • Doug Meal was a speaker at, “Data Breach Litigation and Regulatory Investigations,” Cybersecurity and Privacy Protection Conference, Cleveland, OH (April 2017)
  • Doug Meal was faculty at, “The Exchange” Data Privacy and Cybersecurity Forum, Boston, MA (April 2017)
  • Rohan Massey moderated, “How to GDPR-ify Your Vendor Management Program,” IAPP Global Privacy Summit (April 2017)
  • Heather Sussman moderated, “Latest Developments in Digital Advertising,” IAPP Global Privacy Summit (April 2017)
  • Doug Meal was a speaker at, “The State of Data Breach Litigation Today,” IAPP Global Privacy Summit (April 2017)
  • Doug Meal was a panelist at, “Understanding and Managing Legal Exposure Created by Cyberattacks,” Cybersecurity Symposium, Boston MA (April 2017)
  • Heather Sussman was a panelist at, “Managing the Cybersecurity Threat Landscape,” Cybersecurity Symposium, Boston, MA (April 2017)
  • Doug Meal was a panelist at, “Managing Retail Data Breaches,” Incident Response Forum, Washington, DC (April 2017)
  • Doug Meal was a panelist on the Practitioner’s Panel, 6th Annual BCLT Privacy Law Forum, San Francisco, CA (March 2017)
  • Heather Sussman was a panelist at “Roundtable Discussion on Cyber Security Policy and Regulation,” Boston, MA (March 2017)
  • Doug Meal and Heather Sussman were panelists at “Understanding and Managing Legal Exposure Created by Security Breaches,” Washington, D.C. (September 2016)
  • Rohan Massey was a speaker at “Cybersecurity Law (NIS) and the GDPR Together: A Perfect Regulatory Storm?” IAPP Privacy. Security. Risk. (September 2016)
  • Jim DeGraw and Michelle Visser were speakers at “Cyber Security and the Move to the Cloud: The Practical and Legal Challenges of Securing and Controlling Data,” ACC-SFBA CLE Lunch Seminars (July 2016)
  • Doug Meal was a panelist at “How Ongoing Data Privacy Litigation Should Be Factored Into Your Data Processing and Breach Response Protocols,” Mid-Year Cybersecurity and Data Protection Legal Summit (June 2016)
  • Doug Meal was keynote speaker and presented at “Cybersecurity: Conquering the New Frontier of Legal Risks,” 49th Annual IFA Legal Symposium (May 2016)
  • Michelle Visser was a panelist at “Cybersecurity: The New Reality,” San Francisco Regional Compliance & Ethics Conference (May 2016)
  • Doug Meal was a panelist at “Litigation Trends in Data Breaches,” 2016 Cybersecurity Law Institute (May 2016)