Data Strategy

From collection, use, selling and cross-border sharing to protecting and disposing of data, we work with clients to navigate the ever-changing patchwork of domestic and global privacy and data security laws and regulations.  We have also guided companies’ responses to some of the earliest and largest data breaches in the U.S. and have led precedent-setting litigation stemming from those incidents.

Who We Represent

We advise a range of clients on the full spectrum of privacy and data security matters, from representing one of the nation’s largest financial institutions in litigation involving the reported theft of nearly 50 million payment cards to serving as compliance advisor to global retailers – including many that are headquartered steps away from Vorys’ office in Columbus, Ohio.

We counsel clients on privacy and data security matters in a wide range of industries, such as:

  • Nearly one-third of the National Retail Federation’s Top 100 list, including more than half of the Top 25 retailers
  • More than 150 financial institutions, including 50 national and regional banks
  • National grocery chains, restaurant chains, and franchises
  • Manufacturers
  • Defense contractors
  • Insurance companies
  • Large health care providers
  • International energy companies
  • Colleges and universities
  • eCommerce merchants
  • Hotels

Our 360-Degree Approach

Whether by conducting privacy audits, refining data security and privacy policies, negotiating data processing agreements, or developing incident response and crisis communication plans, we help our clients comply with constantly changing domestic and global regulations and implement best practices.  We routinely counsel clients through the complete data lifecycle:

  • Developing internal and external-facing policies and procedures for management of the collection, use, sharing, selling, storage, transfer and disposal of regulated data
  • Negotiating privacy and security contract provisions with service providers, vendors and customers
  • Mapping the collection, use and sharing of regulated data
  • Assisting with management of individual privacy rights requests
  • Developing incident response and crisis communication plans
  • Conducting training exercises from the C-Suite to frontline employees
  • Responding and reporting to regulatory inquiries and investigations
  • Managing responses to data security breaches
  • Conducting privileged and non-privileged forensic investigations
  • Conducting gap assessments and reviews against applicable security frameworks
  • Litigation over privacy and cybersecurity claims
When clients experience data breaches despite their prevention efforts, we represent them in regulatory investigations ranging from the Federal Trade Commission (FTC) to multi-state attorneys general investigations, negotiate consent decrees and advise clients on applicable breach notification laws.  Our crisis management team is available 24/7 to help clients through cybersecurity emergencies and can be reached by calling the Vorys’ emergency hotline: (833) 525-2100.  When legal disputes arise, we mobilize Vorys’ nationwide bench of trial and appellate lawyers to defend clients in state and federal courts across the country.

National Recognition

Vorys is consistently recognized as a top firm for advising clients in a range of industries that are particularly vulnerable to data breaches and privacy-related litigation.

We have earned a nationwide ranking for retail in the prestigious Chambers USA guide for the past five years.  In its 2023 edition, Chambers and Partners notes Vorys’ “broad range of strengths in the retail sector,” including data security adding that Vorys is frequently engaged by retailers facing consumer class actions.

In the guide, Chambers also recognizes the firm’s representation of clients in health care matters and states that Vorys “is noted for its work on HIPAA matters and IT issues.”


Complying with the growing number of domestic and international privacy and data security regulations is increasingly complex.  We stay abreast of federal regulations and the patchwork of state laws governing marketing, privacy and security and help our clients develop strategies to ensure that their policies and procedures are compliant.

We advise on matters involving a range of regulations, laws and industry-specific standards, such as:

  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • California Invasion of Privacy Act (CIPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Illinois Biometric Information Privacy Act (BIPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Children’s Online Privacy and Protection Act (COPPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Fair Credit Reporting Act (FCRA)
  • General Data Protection Regulation (GDPR)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Application Data Security Standard (PA-DSS)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Section 5 of the FTC Act as well as FTC guidelines, reports and orders
  • Telemarketing Sales Rule (TSR)
  • Telephone Consumer Protection Act (TCPA)

What We Do

IT & Technology Contract Review

With the increased regulatory focus and media attention on privacy issues related to vendor management, we assist clients in negotiating privacy provisions in payments, marketing, cloud services and analytics contracts, as well as in transactions involving:

  • Electronic health records systems
  • Equipment
  • Medical billing systems
  • Point of sale (POS) systems
  • Radio frequency identification (RFID) tags
  • Software licenses
  • Technology services

Our work also includes advising clients on:

  • Emerging opportunities relating to analytics and big data
  • Privacy and data security challenges related to the Internet of Things (IOT)
  • Emerging legal issues surrounding online and e-commerce business operations
  • Practical methods to minimize privacy and data security risks
  • Negotiating cyber insurance policies covering data breaches and other cyber issues

Advertising, Marketing and Consumer Protection

We help our clients ensure that their marketing campaigns and other promotional activities are compliant with state and federal laws, regulations and guidelines.

Our attorneys have substantial experience advising on consumer disclosures and disclaimers relating to:

  • Accessibility
  • Advertising
  • Biometrics
  • Direct mail campaigns
  • Email marketing
  • Escheat issues
  • Gift card and customer loyalty programs, contests and promotions
  • Infomercials
  • Merchandise return policies
  • Mobile applications
  • Order fulfillment
  • Rebates
  • Restrictions on card expiration and loss of value
  • Telemarketing
  • Text messaging
  • Transaction processing

Our experience extends to the unique joint marketing, customer service and contracting issues that are raised by private label and affinity credit card programs.  We also negotiate third-party provisions of email marketing and call center services, as well as contracts for the services of actors, musicians, models and other talent hired for marketing initiatives.

When claims of deceptive or unfair trade practices arise, we help clients respond to consumer complaints, investigations and enforcement actions brought by federal and state regulators. 

Health Privacy & Security

With deep experience in the developing area of health information privacy and security, our attorneys advise clients on the confidentiality of medical information, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the patchwork of state laws.

We help clients navigate the rapidly changing fields of health information exchanges and data sharing, electronic health records, telehealth services, paper and electronic data privacy and security, health information management, and state and federal discovery rules for electronically stored information (ESI).

We have advised large health care providers and trade associations on the full spectrum of legal issues pertaining to HIPAA and privacy compliance, including: 

  • Developing HIPAA privacy policies and procedures
  • Federal financial incentives for the development of electronic health records HIPAA/privacy compliance training
  • Health information exchange (HIE) issues
  • Interoperability and information blocking
  • Production of individually identifiable health information in response to discovery requests, court orders, law enforcement investigations and public health concerns
  • State and federal notice of breach requirements
  • Telehealth privacy issues
  • Third-party service vendors’ information systems and related privacy issues

Employee Privacy

Every employer holds some form of sensitive information about their employees, whether it’s human resources data, employee health records or employee email accounts.  We help our clients protect that data while retaining their own ability to access information when they need it, whether data is stored on their own servers, on their employees’ personal devices or in the cloud.

Global Privacy Programs

Backed by an international network of local counsel, Vorys spearheads the creation and coordination of global privacy programs for clients’ international businesses.  We advise on best practices for collecting data in foreign jurisdictions, such as the European Union (EU), Canada and the Asia-Pacific Economic Cooperation (APEC) regions, and counsel clients on transferring and sharing data across international borders.  Vorys is a member of Ally Law, a network of more than 70 select, business-oriented law firms operating in more than 50 countries.

Cyber Security

Vorys has helped clients respond to some of the earliest and largest data breach incidents in the U.S. over the past two decades.  We leverage our experience to help clients across a wide array of industries to proactively prepare for future incidents and to comply with the growing contractual and regulatory cybersecurity obligations that impact companies of all sizes.

Our cyber lawyers work with clients on a full range of customized services that can be provided on a predictable, fixed fee basis.  Whether it is AI, biometric, block chain, drone or cloud-based implementations, we help clients evaluate cutting edge solutions against potential privacy and security issues.  We routinely advise clients on developing comprehensive data security strategies that are consistent with their contractual and regulatory obligations.

Our work also includes:

  • Working with IT experts to conduct risk and gap assessments of companies’ cyber posture
  • Developing written information security programs, policies, and procedures
  • Mapping the collection, use, sharing, and disposal of regulated data
  • Developing compliant data retention schedules
  • Evaluating contractual relationships with IT and cybersecurity vendors and service providers
  • Developing incident response plans, including internal and external communications plans
  • Conducting customized training and tabletop exercises for executives, senior management, and other personnel
  • Negotiating contractual protections for vendor and service provider agreements 
  • Advising on protective security enhancements, such as tokenization and point-to-point encryption
  • Evaluating cyber insurance policies and other cyber risk mitigation techniques
  • Working with your cyber insurance carrier on coverage of preferred vendors in advance of an incident

Tabletop Trainings

Preparing for a data breach is an essential element to any cybersecurity strategy, particularly now that some incidents are required to be reported to certain regulators within hours of discovery.  We train our clients’ directors, executives, and employees on relevant privacy and information security issues and use tabletop exercises that simulate crisis situations to test plans, identify potential gaps and develop muscle memory to position clients’ incident response teams to efficiently and effectively manage future incidents.

We customize our tabletop exercises based on our clients’ goals, which often include:

  • Introducing Response Plans: educate and train stakeholders on their roles and responsibilities when a data breach occurs
  • Testing Response Plans: simulate how a particular department or the entire enterprise adheres to existing incident response plans, including internal information security teams and third-party vendor investigations of potential incidents
  • Refining Response Plans: identify gaps in a response plan and modify it to facilitate improvements
What To Expect

Prior to a tabletop exercise, we thoroughly vet which participants to include in the simulation, we ask questions that allow us to maximize our customization of the program and fit the exercise to the organization’s IT environment.

The Exercise

The objectives of our exercises are three-fold:

  • We observe your incident response plan in action and discuss revisions
  • We consider appropriate roles and responsibilities for each of the participants involved
  • We document, discuss and share the lessons we have collectively learned to make appropriate changes

Although completely customizable, our exercises operate under the guidance that all key stakeholders must participate and respond to the scenario as if it is a real event, and participants must help create an environment in which all questions and input are welcome.

Vorys regularly partners with technical experts and moderators to facilitate realistic exercises based on current threats and often records training sessions to track issues as we progress through the exercise.

Group Discussion

After each exercise, we facilitate a discussion covering lessons learned and recommended changes.

Questions discussed may include:

  • Who are the stakeholders who need to be included in incident response?
  • Does the client’s insurance policy require notification of potential events in a certain timeframe and/or use of certain vendors?
  • Are there other parties that would require notice of a potential event?
  • Have all stakeholders been trained on invoking attorney-client privilege?
  • What is the organization’s risk tolerance in these scenarios?
  • What are the appropriate escalation protocols, including escalation to senior management and the board?
  • Is the organization fully aware of its potential legal obligations in these situations?
  • How can the organization best protect itself during these crises?

After a tabletop exercise is completed, we produce specific deliverables as discussed with each client, which typically include detailed recommendations to strengthen incident response plans.

Incident Response & Litigation

Vorys’ cyber lawyers and crisis management professionals regularly assist clients.  This includes providing legal strategy, privileged and non-privileged investigations and support, and assisting clients with media relations issues surrounding data breaches and cybersecurity incidents.  Your organization may have legal obligations to report an incident within hours of its discovery.  Our team is available 24/7 through Vorys’ emergency hotline at (833) 525-2100.

Data Breach Litigation and Investigations

Vorys has more than 20 years of experience leading data breach response efforts and related litigation that have helped define standards subsequently applied by courts across the country.

Our experience includes leading cases that have addressed issues of first impression in privacy litigation, such as standing to sue, the existence of cognizable injury, causation and the ability of plaintiffs to expand traditional common law claims and defined statutory causes of action.

In a number of cases, our efforts have resulted in the dismissal of claims and the defeat of class certification before costly discovery was required.  In cases where classes are certified, Vorys mobilizes its nationwide bench of trial and appellate lawyers to represent clients in state and federal courts across the country.  Serving as national counsel in multidistrict litigation (MDL), we use the U.S. Judicial Panel on Multidistrict Litigation process to coordinate cases pending in multiple federal courts, avoid duplication and reduce defense costs. 

Our attorneys have represented clients before the FTC and multi-state attorneys general in investigations of data breaches, assisted in concluding investigations without further action and, when necessary, negotiated the resulting consent decrees and advised on compliance obligations imposed by those agreements.

Our experience also includes defending merchants and their banks who are sued in the wake of data breach incidents by consumers, banks that have issued credit cards, state attorneys general and other parties.  We have a long track record for successfully taking on the payment card industry to reduce clients’ financial burdens and set precedents that help future victims.

Representative Experience

  • Representing payment processors in data breach cases of first impression in the First, Third and Fifth U.S. Circuit Courts of Appeals – each resulting in precedent-setting opinions that are largely upheld today
  • Representing one of the nation’s largest financial institutions in litigation stemming from one of the largest-ever data breaches, which involved the reported theft of nearly 50 million payment cards from a group of T.J. Maxx stores
  • Advising a large university and its special response committee in responding to a data breach involving 700,000 individuals
  • Guiding a restaurant chain through a data breach and working with a forensic investigator to identify the cause of the breach involving approximately one-third of its locations, resulting in the significant reduction of loss assessments by payment card brands
  • Conducting a multiyear desktop incident response training for an international energy company and amending its incident response plans
  • Representing a national food and beverage chain before the FTC during a data breach investigation and negotiating consent decrees with no monetary liability to our client
  • Persuading a judge to dismiss claims brought by a proposed class of shoppers – before significant discovery occurred – in a consolidated multidistrict litigation (MDL) alleging harm when hackers installed malicious software on a national grocer’s in-store payment-processing network

News & Insights




  • 24/7 Cyber
    24/7 Cyber
    Incident Response Team

    Vorys’ cyber lawyers provide legal strategy, privileged and non-privileged investigations and support, and assisting clients with media relations issues surrounding data breaches and cybersecurity incidents.  Your organization may have legal obligations to report an incident within hours of its discovery.  Our team is available 24/7 through our hotline at (833) 525-2100.

    grey faded arrow
Jump to Page