Attorneys & ProfessionalsView List
Vorys has helped clients prepare for and respond to data breaches for more than a decade. We’ve counseled clients involved in some of the country’s largest breaches. We repeatedly have taken on the payment card industry on behalf of our clients to reduce their financial burden and set precedent that helps future victims.
Data Breach Preparedness & Response and Litigation
In advising clients on cybersecurity and data breaches, our philosophy is one of preparedness. Our attorneys have significant experience assisting clients in the development of comprehensive data privacy and security strategies, including online and mobile privacy policies and off-line procedures for – and governance of – collecting, storing and sharing customer information and other sensitive data, evaluating new products or services for privacy and security issues, and ensuring that these procedures support statements made in privacy policies. We often train our clients’ employees on relevant privacy and information security issues, and negotiate appropriate contractual protections into agreements with vendors and service providers. We also advise clients on privacy and security issues related to the Internet of Things and the collection and use of big data. We advise on proactive security enhancements, such as tokenization and point-to-point encryption; and conduct privacy risk assessments and gap analysis.
When preparing incident response plans, we take a holistic approach. We work with our clients to develop an internal response team, define workflow processes, identify ways to escalate the initial possibility of a breach, develop post-incident review processes, engage forensic investigators, assist in evaluating contractual relationships with vendors, create internal and external communications strategies and materials, and assist in determinations regarding call centers. We regularly conduct customized trainings for executives and senior management.
Should an incident occur, we are able to quickly provide clear and efficient guidance. We have assisted companies that vary from ones in the Fortune 500 to small businesses, and we have represented clients in a variety of industries, including health care, retail and higher education. Our attorneys have considerable experience in dealing with all aspects of such incidents, including managing forensic investigations of data breaches, crafting customer communications and media relations strategies, and responding to inquiries from federal and state officials and regulators. We also have assisted clients by working directly with their acquiring banks and with credit card associations to resolve claims including fraudulent charges, and to reduce the liability arising from such claims.
Our firm has vast experience in data security litigation. Our efforts have produced some of the leading decisions in the nation and have helped define the standards that courts are applying in data privacy litigation. In a number of cases, our efforts have resulted in dismissal of the claims asserted against our clients. Our cases have addressed many issues of first impression or defined statutory causes of action. Our attorneys who practice in this area combine their skills as experienced and practical litigators with substantive knowledge of privacy and data security law. In addition, we have represented national clients before the Federal Trade Commission (FTC) in investigations of data breaches, assisted in concluding investigations without further action and, when necessary, negotiated the resulting consent decrees and advised on the compliance obligations imposed by those consent agreements.
We also counsel entities that have experienced breaches in managing such incidents, and we defend merchants and their banks who are sued in the wake of such incidents by consumers, banks that have issued credit cards, state attorneys general, or other parties. Our cases have addressed many issues of first impression in privacy litigation – such as standing to sue, the existence of cognizable injury, causation, and the ability of plaintiffs to expand traditional common law claims and defined statutory causes of action. In a number of cases, our efforts have resulted in dismissal of the claims asserted against our clients, sometimes even before costly discovery was required. Our experience includes the successful defense of dozens of data security class actions around the country, consolidation of cases through the Judicial Panel on Multidistrict Litigation and the defeat of class certification.
Representative Data Breach Litigation Experience
- Representing a national grocer in its defense against a proposed class of shoppers in customer data security breach litigation. In the case, several class actions were consolidated into multi-district litigation and the shoppers alleged that they were harmed when hackers gained access to and installed malicious software on the payment-processing network for payment card transactions at stores where the payment-processing network was used. Vorys successfully showed that the shoppers failed to allege sufficient harm to pursue their claims in court. The judge dismissed the shoppers’ claims before significant discovery occurred.
- Represented payment processors in data breach litigation in the First, Third and Fifth Circuits; in each case, the favorable rulings from the district courts were substantially upheld. Each of these cases was one of first impression in their respective Circuit, and resulted in groundbreaking opinions in the area of data security breach law.
- Representing one of the nation’s largest financial institutions in its role as payment card processor in one of the largest-ever compromises of credit and debit card data from a merchant. The litigation stemmed from the reported theft of nearly 50 million payment cards from the T.J. Maxx chain of stores. Vorys successfully assisted in abating and mitigating the compromise and developing strategies to address numerous liabilities. Vorys successfully defended against dozens of class actions filed by consumers and financial institutions in numerous federal courts throughout the country, obtained consolidation of those cases through the Judicial Panel on Multidistrict Litigation, defeated class certification and obtained dismissal of the remaining claims. Additionally, our firm was intimately involved in sensitive negotiations with payment card networks that yielded tens of millions of dollars in recovery to issuers of payment cards (unprecedented in the industry at that time), and with no liability to our client.
- Assisting a financial institution to avoid any liability whatsoever in a dispute that arose from a data breach of one of its customers.