Privacy + Data Security Litigation

Our privacy litigators have successfully handled some of the largest and highest-profile privacy and data security class actions and investigations. We have a deep bench and a long and successful track record defending high-stakes cases that threaten a company’s brand reputation, business model, and bottom line. Our expertise covers the spectrum of privacy litigation, from data breach class actions to cases alleging violations of federal and state privacy laws, to regulatory and attorney general investigations and enforcement.

Our team is comfortable with technical issues and has a deep understanding of many of the issues that companies face as they implement business strategies involving consumer data or take steps to increase the resilience of their systems prior to a breach. We work with our clients to understand the technology or systems at issue and communicate these complex concepts to opposing counsel, judges, and regulators in plain English.

Our Integrated Approach

Our litigators work seamlessly with our regulatory and compliance teams to develop a defense plan before or when litigation arises. We coordinate across offices, continents, and specialties, all with deep insights into the latest developments related to new legislation and how it impacts the case. Working effectively with the regulatory teams will allow us to provide a cost‐effective and comprehensive response to litigation and the overall risk posed by data breaches and other privacy risks. Developing a cohesive understanding of the matter at hand and using a single vocabulary allows us to avoid the hiccups that could arise when different narratives or terms are used with regulators, state AGs, and data protection authorities, or in the defense of class action litigation.

Our Practical Approach

We believe the most efficient way to approach most projects is with a small dedicated team (led by a primary point of contact) that works closely with your team so we have “end-to-end” knowledge of the project. Coupled with our deep experience and prior solutions, this staffing model makes the team more nimble, responsive, and cost-efficient.

We recognize that the changing nature of technology has been a driving factor in data protection regulation in recent years. From big data to cybersecurity, user-generated content to behavioral targeting, and cloud computing to the Internet of Things, our lawyers work on cutting-edge issues. Our privacy litigators are equally comfortable in the courtroom or with regulatory authorities in contentious situations.

In litigation, we look for efficient ways to resolve a dispute from the moment we begin to work on a case. If a case cannot be resolved quickly, we prepare as if we are going to trial (and our opponents know that), which puts our clients in a strong negotiating posture during settlement discussions.

We Look Around Corners

Our clients benefit from the firm’s in-depth institutional knowledge of privacy issues, market norms, and industry concerns. Our extensive experience coordinating multijurisdictional privacy programs and strategies renders us particularly effective in solving privacy issues quickly and efficiently, and we are uniquely suited to advise and represent clients in litigation involving new privacy laws such as the California Consumer Privacy Act or in litigation alleging new liability theories under existing privacy laws.

Our lawyers have broad subject matter experience in these areas:

Data Breach Litigation. From very early cases, like our work on behalf of LexisNexis in 2006, to more recent matters, we have extensive experience defending data breach cases, including developing defenses to claims — most commonly the lack of any common (or any) injury. Later cases we have handled, like Target, have become the model for 100+ class action MDL proceedings.

We implement best practices to manage breach litigation matters (and control their expense), develop a comprehensive plan to address regulatory and other issues that may arise from a breach, and collaborate with the company to meets its business objectives. In the event of a breach, and before any litigation is filed, we will work to identify likely fact issues and challenges so we can develop initial litigation themes. This pre-litigation work will best position your company to be several steps ahead of plaintiffs’ counsel when any actions are filed. As litigation progresses, our team’s expertise will allow us to identify potential fact issues that will help us shape our discovery strategy as well.

Data Breach AG and Regulatory Investigations. A consistent and coherent approach to notification of the various regulators and individuals is essential to preventing a breach from turning into a legal crisis. Our experience with U.S. and international regulators and breaches is one of our primary differentiators.

We have handled a number of multistate AG investigations and Health & Human Services Office of Civil Rights investigations for matters involving protected health information. We also have significant experience with data protection authorities around the world. Each of these representations involved a detailed command of the facts and a strong understanding of the relevant regulatory processes, procedures, and enforcement tactics and priorities, as well as cultural expectations. Owing to the breadth of our practice, we are able to provide insight regarding unique procedural aspects and past practices of the data protection authorities.

Our team also includes former SEC attorneys who are at the forefront of representing clients on SEC matters relating to cyber security.

TCPA. TCPA class actions bring a combination of enormous potential statutory damages and significant legal uncertainty. We have particular expertise defending against class actions alleging violations of the TCPA. Our expertise in TCPA class action litigation is enhanced by our outstanding capabilities and experience with FCC regulatory issues. Our winning track record and commitment to learning our clients’ business to identify potential problems before they arise are the hallmarks of our practice.

CCPA. The CCPA is arguably the most significant U.S. privacy development ever, and we are on the forefront of defending clients as the AG and plaintiff’s attorneys test the boundaries of the new law. Our experience counseling hundreds of companies on compliance issues translates into deep knowledge and expertise we are already applying in defending the first lawsuits filed under the Act.

FCRA. We regularly guide clients through complex FCRA issues (both before and after disputes arise), such as navigating federal court decisions and regulatory guidance regarding characterization of products as “consumer reports,” preemption, implementation of the risk-based pricing requirements, investigation of disputed information by consumers, federal and state statutory schemes, various “furnishing” requirements, use of credit reports in employment, and “firm offers of credit.”

Our deep knowledge of the rules helps us counsel clients even in the absence of clear signposts or directions from the regulators and the courts.

We believe in doing everything possible to prevent public exposure and avoid litigation in this area of high regulatory scrutiny and exposure. We regularly win early dismissal of cases for clients, and few firms can match our record of decisions denying class certification.

FTC Investigations. Our team has extensive experience defending our clients in FTC investigations, frequently convincing FTC staff to close an investigation without bringing an enforcement action or negotiating a favorable settlement. The team includes attorneys who draw on their prior work experience at the FTC to help our clients navigate the process.

Other California Privacy Statutes. California leads the nation in its focus on protecting its citizens’ constitutional right to privacy. We have extensive experience representing companies sued for alleged violations of the alphabet soup of state privacy statutes, including the Song-Beverly Act and COPPA.

Show More



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.