Practice Contact

Attorneys & Professionals

View List

Privacy & Data Security

Data Breaches

Vorys has helped clients prepare for and respond to data breaches for more than a decade. We’ve counseled clients involved in some of the country’s largest breaches.  We repeatedly have taken on the payment card industry on behalf of our clients to reduce their financial burden and set precedent that helps future victims.

Data Breach Preparedness & Response and Litigation

Data Breach Response

Vorys Cybersecurity Emergency Hotline

Vorys Cybersecurity Emergency Hotline


PrepareIn advising clients on cybersecurity and data breaches, our philosophy is one of preparedness.  Our attorneys have significant experience assisting clients in the development of comprehensive data privacy and security strategies, including online and mobile privacy policies and off-line procedures for – and governance of – collecting, storing and sharing customer information and other sensitive data, evaluating new products or services for privacy and security issues, and ensuring that these procedures support statements made in privacy policies.  We often train our clients’ employees on relevant privacy and information security issues, and negotiate appropriate contractual protections into agreements with vendors and service providers.  We also advise clients on privacy and security issues related to the Internet of Things and the collection and use of big data. We advise on proactive security enhancements, such as tokenization and point-to-point encryption; and conduct privacy risk assessments and gap analysis.

TrainWhen preparing incident response plans, we take a holistic approach.  We work with our clients to develop an internal response team, define workflow processes, identify ways to escalate the initial possibility of a breach, develop post-incident review processes, engage forensic investigators, assist in evaluating contractual relationships with vendors, create internal and external communications strategies and materials, and assist in determinations regarding call centers.  We regularly conduct customized trainings for executives and senior management.

RespondShould an incident occur, we are able to quickly provide clear and efficient guidance.  We have assisted companies that vary from ones in the Fortune 500 to small businesses, and we have represented clients in a variety of industries, including health care, retail and higher education.  Our attorneys have considerable experience in dealing with all aspects of such incidents, including managing forensic investigations of data breaches, crafting customer communications and media relations strategies, and responding to inquiries from federal and state officials and regulators.  We also have assisted clients by working directly with their acquiring banks and with credit card associations to resolve claims including fraudulent charges, and to reduce the liability arising from such claims.

DefendOur firm has vast experience in data security litigation.  Our efforts have produced some of the leading decisions in the nation and have helped define the standards that courts are applying in data privacy litigation. In a number of cases, our efforts have resulted in dismissal of the claims asserted against our clients. Our cases have addressed many issues of first impression or defined statutory causes of action. Our attorneys who practice in this area combine their skills as experienced and practical litigators with substantive knowledge of privacy and data security law. In addition, we have represented national clients before the Federal Trade Commission (FTC) in investigations of data breaches, assisted in concluding investigations without further action and, when necessary, negotiated the resulting consent decrees and advised on the compliance obligations imposed by those consent agreements.

We also counsel entities that have experienced breaches in managing such incidents, and we defend merchants and their banks who are sued in the wake of such incidents by consumers, banks that have issued credit cards, state attorneys general, or other parties. Our cases have addressed many issues of first impression in privacy litigation – such as standing to sue, the existence of cognizable injury, causation, and the ability of plaintiffs to expand traditional common law claims and defined statutory causes of action. In a number of cases, our efforts have resulted in dismissal of the claims asserted against our clients, sometimes even before costly discovery was required. Our experience includes the successful defense of dozens of data security class actions around the country, consolidation of cases through the Judicial Panel on Multidistrict Litigation and the defeat of class certification.

Representative Data Breach Litigation Experience