Privacy & Data Security


From managing privacy and data protection to responding effectively to litigation and regulatory investigations stemming from data security breaches and alleged data privacy violations, Ropes & Gray is a leader in helping clients comply with the increasingly complex legal landscape surrounding privacy and data security.


“They were absolutely fantastic – extremely knowledgeable and experienced.” Client Quoted in Chambers USA
“They were top notch and really displayed a level of thinking that is much more analytical and strategic than I have seen elsewhere.” Client Quoted in Chambers USA


Long ranked as a leading practice by Chambers USA, Chambers Global, and Legal 500, and named a “Privacy & Consumer Protection Group of the Year” by Law360 four of the last five years, Ropes & Gray’s privacy & data security practice helps clients manage the full array of issues and matters involving privacy and data security law, including:

  • Claims, litigation, and regulatory investigations arising from data security breaches and any resulting theft, loss, or unauthorized use of confidential or personal information
  • Regulatory investigations and litigation arising from alleged violations of applicable data privacy requirements 
  • Privacy and data security compliance, counseling, response, and prevention
  • Health care privacy/HIPAA compliance

Our multidisciplinary privacy and data security team consists of litigators and transactional, health care, and intellectual property attorneys who work together to counsel clients across a broad range of industries on complying with, and defending against alleged violations of, privacy and data security laws.

Data Security Breaches

Representing clients in many of the largest and most highly publicized data security breaches in history, our integrated team is able to respond quickly and simultaneously on numerous fronts, providing advice on the high-stakes claims, litigation, and regulatory investigations that inevitably arise as a result of a major data security breach.

Privacy Litigation & Regulatory Investigations

Our team handles the class-action litigation and regulatory investigations that frequently result when a company is accused of having violated the applicable laws protecting the privacy of consumer information.

Privacy and Data Security Compliance & Counseling 

Companies face a growing litany of complex international, federal, and local requirements governing privacy and data security, including in the U.K. and EU, with which they must comply or face the risk of government investigation or private litigation. We help clients create data protection compliance programs, revise existing data privacy processes, and conduct privacy and data security assessments in an attorney-client privileged fashion.

Health Privacy & Security

Our attorneys have extensive experience advising health care clients on the impact of the regulations promulgated under HIPAA. Our advice encompasses the effect the HIPAA privacy and security regulations have on their operations, as well as on the development and implementation of comprehensive HIPAA compliance and notification strategies.

Health Information Technology (HIT) & Electronic Health Records

We work closely with hospital systems, providers, physician groups, quasi-state agencies, and information technology vendors to successfully license, design, implement, and operate secure and effective HIT systems. We also counsel clients on how to manage state disclosure and federal accounting requirements in the event of unauthorized system access. 


Retained by clients in many of the most complex and ground-breaking cases, our recent representations include:

Data Security Breaches

  • The Home Depot in responding to card brand inquiries stemming from the data security breach that Home Depot announced in September 2014
  • Supervalu Inc. as lead outside counsel in defending and responding to all litigation claims and regulatory inquiries stemming from the data security breach that Supervalu announced in August 2014
  • Sally Beauty Products in responding to card brand inquiries stemming from the data security breach that Sally Beauty announced in March 2014
  • Neiman Marcus in responding to card brand inquiries stemming from the data security breach that Neiman Marcus announced in January 2014
  • Target as lead outside counsel responding to card brand inquiries and defending card issuer litigation stemming from the data security breach that Target announced in December 2013
  • A Leading Consumer Technology Company and its entities as global coordinating counsel in multiple litigations and government investigations arising from criminal cyber-attacks on certain computer networks
  • Heartland Payment Systems in obtaining dismissal of all class action claims, and closure of all regulatory investigations, stemming from one of the largest-ever computer data security breaches
  • Fortune 100 Insurance Company with respect to the litigations and regulatory inquiries arising from the criminal cyber-attack on a certain portion of the company’s computer network
  • Wyndham Hotels and Resorts with regard to card brand claims and regulatory investigations stemming from data security breaches involving a number of the independently owned Wyndham-branded hotels
  • Hannaford Bros. Co. defending the card brand claims resulting from a data breach involving malicious software that may have been used by hackers to collect in-transit, unencrypted payment card data during the payment card authorization process 
  • Aldo Group in the first-ever lawsuit to challenge the lawfulness of data breach penalties imposed by MasterCard
  • TJX in favorably resolving the class action litigation, card brand claims and regulatory investigations stemming from what was then the largest-ever data security breach
  • Genesco in the first-ever lawsuit against Visa challenging the lawfulness of data breach penalties imposed by Visa

Alleged Data Privacy Violations

  • Large not-for-profit hospital system in connection with a compliance review by the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) related to the possible theft of documents containing protected health information
  • Partners Healthcare System, Inc. in connection with the negotiation and settlement of an enforcement action by the OCR 
  • World leader in advertising and marketing services with respect to litigation and regulatory investigations stemming from allegations of an unlawful workaround setting third-party cookies on Safari browsers 
  • Massachusetts Eye & Ear Infirmary in connection with the negotiation and settlement of an enforcement action by the OCR relating to the loss of a laptop containing unencrypted protected health information 
  • WellCare Health Plans, Inc. in assisting with the implementation of its compliance obligations under the Corporate Integrity Agreement it entered into with the Office of Inspector General
  • Various clients in addressing claims under Massachusetts General Laws Chapter 93A based on alleged unlawful collection of zip codes in connection with customers’ payment card transactions

Privacy and Data Security Compliance & Counseling

  • Partners Healthcare System, Inc. with respect to an ongoing review by the OCR to assess compliance with the HIPAA Security Rule 
  • Major life sciences and pharmaceutical company in developing a digital media governance program on all aspects of social media and digital media initiatives 
  • Stanford Hospital as outside counsel advising on complex questions of privacy and patient health information 
  • Global private equity firm in developing a response to a significant security breach when the laptop of a firm employee was stolen 
  • Skillsoft Corporation in connection with a variety of ongoing international data privacy and security matters, including implementing privacy policies and terms of use for the company’s websites and online portals 
  • Union Health Center, Inc. in connection with its participation in a newly launched health information exchange (HIE) and advising on the HIPAA privacy and security complexities that arise when forming an HIE 
  • Public biotechnology company in connection with the investigation of a data security breach involving approximately 30 laptops owned by a company acquired by our client 
  • International automotive company on applicable laws, regulations, risks, and best practices related to the collection and use of consumer data worldwide 
  • Leading medical technology company in performing health care regulatory due diligence, including HIPAA and HITECH privacy and security issues, in connection with its acquisition of a physician-led health care services company