Cybersecurity & Data Privacy

Whether stemming from ransomware, phishing or spoofing, our team provides companies with trusted advice and counseling in the immediate aftermath of a cybersecurity incident. With a deep understanding of federal and state laws and extensive experience, we work closely with in-house personnel and industry-leading forensic consultants to conduct internal investigations into the incident, determine notification obligations, develop internal and external communications; and mitigate regulatory and litigation risks.

In the event that a threat actor is identified, we provide real-time guidance to review options and work with external cyber intelligence firms to gain insight into their motivations and the expected timeline for negotiation. We evaluate legal and business implications of responding to monetary demands and work with external negotiation firms to develop strategies for negotiating with the threat actor(s) to facilitate the safe and successful release and recovery of stolen data.

Select Incident Response Experience

• Advising a medical billing company in its response to a cybersecurity incident involving ransomware and theft of customer health data.
• Representing a public software solutions company in its response to SEC, DOJ and state AG investigations, as well as customer inquiries and associated remediation, following a cybersecurity incident.
• Led the investigation and remediation of a cyber data breach of an investment management company's network caused by a foreign threat actor.
• Advising an educational software company in connection with a cybersecurity incident and investigations being conducted by the FTC and various state AGs involving possible violations of state privacy and cybersecurity laws.

Our Cybersecurity & Data Privacy team, backed by our world-renowned litigation department, routinely defends companies in high-impact litigation, including nationwide consumer class actions, shareholder lawsuits, material government regulatory actions, and commercial litigation between business partners.

We handle cases brought under general consumer protection statutes, state-specific privacy laws, wiretapping statutes, contractual claims drawn from terms of use or privacy policies, data breach notification statutes, and even constitutional privacy rights.

Our deep experience with the evolving security and privacy landscape sets us up to achieve the best litigation results — whether in court or across the bargaining table — as critical issues are identified early and then used to maximize advantages in the litigation and negotiation processes.

Select Data Breach Class Actions

• Representing Ascension Health in numerous class actions regarding claims related to data privacy and security stemming from a cyber incident.
• Representing IBM in putative class action regarding claims related to data privacy and security. Plaintiff alleges that IBM and co-defendant Johnson & Johnson Health Care Systems failed to properly secure and safeguard protected health information (PHI) and personally identifiable information (PII), in violation of HIPAA. Plaintiff’s suit includes claims for negligence, breach of confidence, breach of implied contract and others.
• Representing CorrectCare Integrated Health in putative class action arising out of a data breach targeting its network. The plaintiffs allege that CorrectCare failed to implement adequate cybersecurity protocols necessary to protect their information, and as a result more than 500,000 individuals are at risk of exposure of highly sensitive data, including social security numbers, full names and health information.
• Defending Accenture in multidistrict consumer class action arising from a data breach involving Marriott’s guest reservation database. Kirkland successfully obtained Rule 23(f) review and ultimately reversal of a class-certification order.
• Represented Illuminate Education in consolidated putative class action litigation arising out of an alleged data-security incident. Kirkland won full dismissal of initial and amended claims.

Select Privacy Class Actions

• Representing GoodRx in the landmark FTC healthcare privacy investigation and related consolidated data privacy putative class actions alleging violations of state consumer protection laws involving the use of pixels and software development kits. Favorable class settlement pending.
• Representing PowerSchool Holdings in a putative class action lawsuit alleging violations of privacy rights in connection with pixel software.
• Represented The Blackstone Group in putative class actions alleging violations of the Illinois Genetic Privacy Act (GIPA) related to Blackstone’s acquisition of Ancestry.com, a leading company in digital family history services. Won full dismissal. Affirmed on appeal.
• Representing Datanyze a wholly owned subsidiary of ZoomInfo Technologies Inc., in putative class action litigation alleging violation of Ohio and Illinois right of publicity laws related to ZoomInfo’s online database of business contact information.
• Represented Facebook in a putative class action involving claims under the Telephone Consumer Protection Act (TCPA) alleging Facebook sent text messages to the plaintiffs without their prior consent. The New York case was voluntarily dismissed; the plaintiff refiled in California, and Kirkland won dismissal twice. The U.S. Supreme Court granted review of a 9th Circuit reversal, and unanimously adopted Kirkland's arguments, finding that Facebook did not violate a key clause in the TCPA. This victory will have a significant impact on the TCPA class action industry.

We have extensive experience representing companies in connection with cybersecurity incidents and data privacy investigations conducted by U.S. and overseas government agencies, including the FTC, state AGs, the SEC, the U.S. Department of Health and Human Services Office of Civil Rights (HHS-OCR), Congressional committees and the UK Information Commissioner’s Office, among others.

Drawing upon the decades of combined government experience of many of our partners, we are highly effective advocates who proactively engage with government entities on behalf of our clients and, where there is parallel litigation filed, work hand-in-hand with our commercial litigation partners to provide coordinated responses across regulatory enforcement actions and civil litigation. Additionally, we routinely counsel clients in their response to government requests for information regarding data, product and service design (i.e., “privacy-by-design”), marketing and advertising practices, social networking and consumer profiling practices.

Select Data Breach Investigations

• Representing a national healthcare system in its response to a ransomware attack, including conducting an internal investigation into the incident; in government, congressional and state AG investigations, and related litigation.
• Lead counsel for numerous companies in connection with high profile congressional hearings regarding ransomware attacks.
• Representing a healthcare third-party benefits administrator in its response to investigations by HHS-OIG and several state AGs regarding possible violations of HIPAA and state data privacy laws, and assisted the company with the investigation and remediation of a cyber data exposure incident.
• Obtained complete closure of SEC and FTC investigations into a healthcare technology company regarding disclosure issues regarding a data breach and potential insider trading with no action taken against the company.
• Advised a cloud-based platform provider in its response to a ransomware attack on company systems. Kirkland conducted a comprehensive review of exfiltrated customer data for personally identifiable information and assisted the company in its response to customers regarding the incidents and in communications with government authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

Select Privacy Investigations

• Obtained complete closure of FTC investigation into telecom service provider’s data privacy practices related to its encryption technology.
• Represented major fitness device manufacture in government investigation related to data privacy concerns arising from acquisition.
• Secured settlement on behalf of a health and wellness company in FTC investigation into compliance with COPPA.
• Obtained complete closure of FTC investigation into a major educational technology company’s data privacy practices including compliance with COPPA.

Our team routinely advises clients across all industries regarding the ever-changing global framework of legal and compliance developments relating to cybersecurity and data privacy laws and industry standards. This work includes advising on company policies and procedures; compliance reviews/audits; contracting and data sharing; consumer/patient requests and complaint management; and internal and external reporting/monitoring relating to cybersecurity and data privacy.

Our counseling experience includes industry- and jurisdiction-specific laws and requirements such as the Gramm-Leach-Bliley (GLB) Act, the FTC Health Breach Notification Rule, HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the EU GDPR and the China Cybersecurity Law. Through this work, we often help companies develop valuable relationships with regulators, consultants and vendors in the space. Additionally, we provide cybersecurity and data privacy trainings for in-house teams and Boards of Directors.

Our group includes members from Kirkland’s Transactional Practice Group, who represent clients in deals where data is a significant aspect and are familiar with the important data issues that can emerge in a variety of deal contexts, including mergers, acquisitions, divestitures, restructurings, joint ventures, strategic alliances, outsourcing, licenses and other commercial agreements.

Some deals are built entirely on the value of data being collected or shared. Data is a strategic asset for any company and commitments relating to the use, sharing or acquisition of data can have long-term impact on a company’s business. Our group has extensive experience navigating clients through issues that can arise relating to ownership, usage, restrictions (including with respect to selling customer lists and other data monetization), obligations (including with respect to securing data and handling breaches), risk allocation (representations, warranties and indemnities) and liability schema (including limitations on remedies and damages).

Select Transactions Experience

• Thoma Bravo in its $12.3 billion take-private acquisition of Proofpoint (NASDAQ: PFPT), a cybersecurity company that offers a range of enterprise security and compliance products and services.
• Private equity firm in its sale of a developer of a content marketing and digital asset management software.
• AE Industrial Partners-backed BigBear.ai, a provider of artificial intelligence, machine learning, big data analytics and cyber engineering solutions, in its business combination with GigCapital4.
• Private equity firm in its acquisition of a manufacturer and supplier of temperature controlled packaging systems for pharmaceutical and healthcare industries, including advising regarding GDPR compliance.
• Investment bank in the potential U.S. initial public offering (IPO) of a China-based developer of a financial data analytics platform intended to provide global financial data and trading services.
• GIC on its $3.9 billion additional joint ventures with Equinix to expand the xScaleTM data center program.

Our group includes attorneys with specific experience in privacy and cybersecurity matters affecting the healthcare and life sciences sector. We regularly advise various clients in this space, including hospitals and health systems, health information technology companies, device and pharmaceutical manufacturers, laboratories, clinical research organizations, rehabilitation centers and physician platforms.

We counsel healthcare and life sciences clients in responding to and mitigating breaches involving health information and impacting patient care, and navigating the various privacy and cybersecurity requirements applicable to their business and patient care initiatives, including research & development, marketing, data storage and electronic health records integration, and revenue cycle management. Further, we advise clients on implementing compliance frameworks that address privacy and cybersecurity considerations that not only cover HIPAA/HITECH, but other federal requirements, such as Centers for Medicare & Medicaid Services rules and 42 CFR Part 2 (Part 2) and state medical records confidentiality and consumer health laws, including Washington’s My Health My Data Act.

Select Healthcare and Life Sciences-related Experience

• Advised a physician-owned hospital in developing and implementing its HIPAA privacy and security policies and procedures.
• Counseled an international life sciences company in its internal investigation regarding its data privacy and security practices.
• Represented a health benefits administrator in its internal investigation stemming from a data security incident.
• Advised a U.S.-based pharmaceutical manufacturer in its use of customer website and mobile app-based data.

For additional information, please visit our Healthcare & Life Sciences Regulatory page.

Our attorneys have handled varied matters related to the evolving legal, policy and regulatory frameworks surrounding artificial intelligence (AI), machine learning, deep learning and natural language process. The transformative and disruptive nature of AI and its myriad applications present exciting opportunities for businesses and content creators. However, these opportunities come with significant risk and legal implications. Our multidisciplinary team leverages decades of experience to help companies navigate the complex legal landscape of AI.

Legal and business concerns related to the use of AI intersect with numerous practice areas, including adherence to data security and confidentiality standards, as well as the interplay of AI applications and privacy, such as the use of facial recognition. We have long represented clients in industries where AI is helping lead innovation and change, including software, emerging technology, healthcare, life sciences, medical devices, consumer products, automotive and transportation, and aerospace and defense. We have experience in matters involving automated decision making, autonomous vehicles, voice assistants and robots, and conversational AI, among others.

Select AI-related Experience

• Defending a private research university in a putative class action alleging patient privacy violations that stemmed from the sharing of certain patient data with a third party as part of a researching partnership aiming to use machine learning to analyze medical records and improve predictive analysis of hospitalizations and patient care. Kirkland won full dismissal. Unanimously affirmed on appeal.
• Advising a provider of online web accessibility products in connection with a confidential investigation by the FTC regarding its implementation and use of artificial intelligence technology, as well as policies and practices regarding data collection, data security, data privacy and the marketing of its products and services.
• Representing PowerSchool Holdings and its subsidiary, Hobsons, in a putative class action challenging the use of AI and analytical data products in the EdTech sector.