Cyber Investigations and Privacy Litigation

Overview

Hunton is at the forefront of cybersecurity and data breach litigation, representing clients in the assessment, investigation, and litigation of matters arising from cybersecurity and data breach incidents. The firm has assisted clients with more than 5,000 data breaches and cybersecurity events worldwide and has defended our clients in some of the largest, most high-profile litigations. We assist our clients with every aspect of an information security event, including (i) directing incident investigations; (ii) retaining and overseeing cybersecurity consultants; (iii) mitigating financial loss and loss of confidential information; (iv) coordinating notification to affected individuals; (v) setting up call centers and training call center personnel; (vi) preparing for litigation, including advising on retention obligations; (vii) engaging with law enforcement officials and other government (federal, state and overseas) regulators; and (viii) defending resulting enforcement actions and litigation.

We regularly serve as liaisons to the FBI, US Secret Service, US Department of Justice, Federal Trade Commission and state attorneys general on behalf of our clients in these matters. We also routinely engage on our clients’ behalf with foreign data protection authorities in their investigations and enforcement actions. Our lawyers have represented clients throughout the US in federal and state courts, and globally before regulatory agencies and in alternative dispute resolution proceedings. These matters arise out of data security events asserted by regulators, consumers, our clients’ business partners and other parties.

Our experience assisting clients with highly complex, large-scale cybersecurity events is internationally acclaimed. For example, our data breach litigation team is ranked Nationwide Privacy & Data Security: Litigation by Chambers USA and has earned the recognition of “Top Defense Verdict” in California by the Daily Journal for a precedent-setting win with regard to the California Consumer Privacy Act. And our team members have been repeatedly recognized by Law360, the National Law Journal and the Daily Journal in the area of cybersecurity and privacy litigation.

Our lawyers work as part of a multidisciplinary team that is frequently involved immediately after a cybersecurity incident to help clients evaluate and manage all aspects of the event, often with our lawyers leading the investigation, coordinating the global legal analysis and notification to affected individuals and regulators, and generally coordinating the panoply of incident response activities. Information security matters implicate multiple risks and response issues. Because of that complexity, we represent our clients with an interdisciplinary and coordinated team that includes our internationally recognized Privacy and Cybersecurity practice, ranked in all Computerworld magazine surveys as the top law firm practice globally for privacy.

Representative experience includes the following:

Represented Yahoo! (now Verizon) in all aspects of its nation-state and criminal cybersecurity attacks that compromised approximately 3 billion user accounts worldwide, reported at the time to be the largest data breach in history. Serving as lead counsel, we defended the company in over 40 consumer class actions across several districts. The firm directed the forensic investigation and provided regulatory and litigation counsel and prepared litigation coordination strategies for Yahoo!
Secured motion to dismiss for a multinational electronics corporation faced with 17 lawsuits around the country that included more than 60 causes of action relating to a data security incident in connection to an unauthorized third party obtaining certain customers' Personally Identifiable Information (PII) from some of its US systems. The Judicial Panel on Multidistrict Litigation consolidated and transferred the cases to the District of New Jersey. The court also disposed of several individual "harms" plaintiffs alleged, such as increased spam and phishing attempts and emotional distress, and rejected plaintiffs' conclusory allegations of lost value of their PII.
Won a pivotal victory for a giant big box retailer when the court dismissed a data breach class action lawsuit in its entirety and with prejudice, earning recognition by the Daily Journal as a "Top Defense Verdict" in California. This significant victory represents one of the earliest decisions rendered on the merits with respect to the plaintiff-friendly California Consumer Privacy Act (CCPA) and established an important precedent for future CCPA litigation.
Secured motion to dismiss for a major retailer in a high-stakes class action involving multiple prominent retailers. Alleging violations of the CCPA, plaintiffs claimed retailers shared consumer data without consent with a loss prevention vendor, which developed a "risk score" to combat fraudulent and abusive store returns.
Obtained victories on behalf of the largest pipeline system for refined oil products in the US in three high-profile, class action data breach cases in the Northern District of Georgia. We secured the dismissal of all cases in their entirety.
Representing an American multinational technology conglomerate, spearheading at least 20 statutory actions in a string of litigation filed against worldwide app developers, web developers, online advertising companies, deceptive cloaking services, and a data analytics firm - that are multi-jurisdictional in scope, and in several cases unprecedented-for deceptive practices that target our client and its users.
Prevailed on motion to compel arbitration for a luxury retailer in a class action alleging violation of the CCPA and failure to properly secure and safeguard personally identifiable information from hackers, arising from a widely reported data security incident affecting approximately 4.6 million online customers.

Representing an American mobile analytics, monetization, and advertising company in a putative class action alleging the unauthorized exchange of private and confidential information in connection with Flo Health, which owns one of the most successful health and fitness apps in the world.
Representing an American global hospitality and entertainment company in a data security litigation class action lawsuit, following its announcement of an intrusion into a third-party cloud server that contained a limited amount of information for certain previous hotel guests.
Represented one of the country's leading quick service restaurant chains operating in 28 states and the District of Columbia in a class action lawsuit filed by customers who claimed their personal identifiable information was compromised by a malware intrusion that affected over 100 franchise restaurants. The data breach was reported to have affected 1.5 million payment transactions.
Defending a department store chain against multiple class actions alleging claims of negligence, breach of implied contract, violation of various consumer protection laws, and other claims resulting from a data breach involving customer data stored on a cloud platform in class action litigation.
Defending numerous clients against various claims of negligence and breach of contract resulting from the MOVEit data breach, a massive incident that affected over 1,000 organizations and 60 million individuals. We are coordinating strategy within a complex multidistrict litigation.
Defending a medical device company against multiple class actions alleging claims of negligence, breach of implied contract, violation of various consumer protection laws, and other claims arising from a data breach of PII and PHI.
Defending an ophthalmology partner and its clinics against multiple class actions alleging claims of negligence, breach of implied contract, unjust enrichment, and violation of various consumer protection laws arising from a cybersecurity incident affecting PII and PHI.
Representing a Fortune 500 company that provides insurance and financial services, to current and former members of the US military and their families, in a class action lawsuit alleging negligence and violation of the Driver's Privacy Protection Act resulting from a data breach. The complaint alleges the data breach was a direct and proximate result of the company's flawed system design, where personal identifiable information was disclosed without authorization to unknown third parties.
Representing a Fortune 500 pharmacy chain in a class action suit alleging negligence and breach of implied contract related to mishandling of plaintiffs' personal identifiable information and personal health information following a data breach. The breach alleged exposure of the prescription information, first and last names, and dates of birth of more than 2.6 million customers.
Defending a multinational telecommunications conglomerate in a mass arbitration against allegations by over 6,000 customers that the company inadequately disclosed certain administrative charges on their bills. In cutting-edge litigation, we have obtained favorable judgments in each of the bellwether claims that have gone to merits on behalf of the client. We have successfully moved to enforce the arbitration clause in court and in the AAA. Each of the bellwether cases decided on the merits has resulted in an award for the defense.
Representing a multinational telecommunications conglomerate in a class action lawsuit filed by employees related to an alleged data breach involving employee information. The company revealed in a notification to the Maine Attorney General that an employee gained unauthorized access to a file containing sensitive employee information. The personal information for 63,000 employees, including plaintiffs, was allegedly affected by this data breach.
Managing the docket for a multinational telecommunications conglomerate against individual demands, lawsuits, and arbitration proceedings involving alleged unauthorized SIM swaps and port-outs. The claimants in these cases are the company's customers in various states throughout the country who seek recovery on an individual basis. The claims derive from alleged unauthorized access to customer personal information allowing a bad actor to port-out and take over the account to facilitate access to cryptocurrency or other financial accounts.
Obtained a dismissal in a putative data breach class action where a financial institution announced that one of its vendors shared credit card transaction reports containing credit card information with other financial institution clients which included unauthorized personally identifiable information. Plaintiff alleged our client's failure to implement and maintain reasonable security practices to protect consumers' sensitive personal information, citing violation of the CCPA, California Unfair Competition Law and Breach of Contract.
Representing a multinational telecommunications conglomerate in a sim card swap complaint filed in the US District Court for the Southern District of New York in which the claimant alleged our client failed to protect his personal information resulting in theft of cryptocurrency from claimant.
Defending a software services company in several cases, most putative class actions, arising from an information security incident. The New Jersey-based company provides retailers and other e-commerce firms with inventory, order, and customer management software solutions to help increase sales and grow business. The riskiest claims against our client were dismissed without prejudice.
Representing a major metropolitan newspaper company in a class action lawsuit alleging violation of the California Invasion of Privacy Act ("CIPA"). This case is among the latest in the evolution of lawsuits challenging technologies that allegedly track website users, where California class action plaintiffs have begun to file under a new theory-the pen register and trap and trace device theory under Section 638.51 of the CIPA.
Advised a company that provides software and hardware used to issue financial cards, user authentication to access secure networks or conduct financial transactions in response to a serious data security incident that affected individuals in multiple jurisdictions. This work involved coordinating with key client stakeholders and forensic experts to remediate the incident. In addition, we prepared incident notifications to regulators and individuals in multiple jurisdictions, including the UK, EU, US and other global jurisdictions.
Defending against a class action lawsuit filed in the US District Court, Northern District of Illinois alleging clients violated the Illinois Biometric Privacy Act, 740 ILCS 14/1, et seq. ("BIPA") by not making appropriate disclosures or obtaining written consent prior to collecting and using customer voiceprints. Separately, we are also representing the company in response to allegations that the client's digital watch collects and stores users' biometric data also in violation of the Illinois BIPA with plaintiffs threatening the filing of a class action lawsuit.
Defending a putative nationwide class action litigation regarding the alleged exposure of current and former employees’ personal information due to a spear-phishing attack.
Representing a global networking equipment manufacturer in an ongoing non-public investigation into data security practices related to networked devices.
Advising a large global manufacturer of mobile devices on its response to an extensive FTC inquiry issued to the company and seven other mobile device companies regarding their security updates process.
Represented a personal device manufacturer in a class action lawsuit stemming from alleged violations of customer privacy concerns. The lawsuit alleged that the company collected personal data from its products sold to customers, including the plaintiff alleging violations of the US federal Wiretap Act, the Illinois wiretapping law, the Illinois Consumer Fraud and Deceptive Business Practices Act, and common law and equitable claims. We prepared a motion to dismiss but then sought early mediation and were able to agree to successfully settle for monetary and injunctive relief.
Assisted a major retailer in managing its investigation of and response to its cybersecurity incident that occurred in the wake of major breaches in the industry. We oversaw an extensive forensic investigation with external consultants, coordinated with law enforcement, assisted with state attorney general investigations, oversaw an extensive and lengthy FTC investigation (successfully avoiding an FTC enforcement action), and advised on significant class action litigation.
Defended an international hotel group against a lawsuit alleging a data breach and privacy violations for theft of personally identifiable information.
Represented a financial institution client that was victimized by a sophisticated internationally organized crime ring, which breached the client’s network and perpetrated a large-scale theft utilizing the ATM network. We led the investigation of the cyber intrusion, worked with US and international law enforcement agencies, managed communications with financial institution regulators, assisted the client in assessing and responding to litigation risks from customers and other third parties, and successfully resolved the ensuing class actions litigations.
Assisted a large health care plan with a data security incident involving 1.2 million individuals. The firm assisted the company with its response to the breach, including the forensic investigation, and advised on compliance with relevant regulatory obligations, such as notification to affected individuals, media outlets and state agencies. The firm also managed a state attorney general investigation and handled a precedent-setting class action lawsuit resulting from the incident.
Defended a retail merchant client in all aspects of a significant point-of-sale system data breach, including notification to affected individuals, media outlets and state agencies, as well as an FTC investigation and interactions with law enforcement authorities and class action litigation.
Advised numerous retailers on privacy and data security advice concerning claims that arose from a significant skimming incident in which payment cards were compromised. We also manage state and federal government investigations and federal law enforcement cooperative activities.
Counseled multiple clients in cyber-extortion matters and other incidents where our clients have been criminally victimized, and we have coordinated with law enforcement on behalf of our clients in such matters.

Insights

News

February 20, 2026
News
Southern California Super Lawyers Names Hak Stepanyan to 2026 Rising Stars
February 13, 2026
News
Super Lawyers Recognizes Partner Larry Bracken in Georgia for 2026
February 12, 2026
News
Chambers Recognizes Hunton in its 2026 Global Guide
January 13, 2026
News
Los Angeles Business Journal Recognizes Jason Kim for the Fourth Time as a 2026 Leader of Influence: Minority Attorney
January 6, 2026
News
Lexology 100: Data Names Hunton Among Global Elite for 2026
November 14, 2025
News
Los Angeles Times Honors Ann Marie Mortimer and Jane Hinton Among 2025 Inspirational Women
October 1, 2025
News
Legal 500 Names Hunton Among Top Law Firms in UK 2026 Guide
September 8, 2025
News
NAPABA Names Counsel Reiko Koyama Among 2025 Best Under 40
August 20, 2025
News
Corporate Counsel Honors Andrea DeField in the 2025 Women, Influence & Power in Law Awards
June 30, 2025
News
Chambers Crisis & Risk Management 2025 Names Hunton Among Leading Firms
June 11, 2025
News
Legal 500 US Ranks Hunton Among Top Law Firms in 2025 Guide
June 5, 2025
News
Chambers USA Honors Hunton Among Top Firms in 2025 Guide
May 27, 2025
News
Los Angeles Business Journal Names Ann Marie Mortimer to 2025 Women of Influence: Attorneys
May 5, 2025
News
The Recorder Honors Ann Marie Mortimer in 2025 California Legal Awards
April 25, 2025
News
Los Angeles Times Honors Ann Marie Mortimer as a Business of Law 2025 Legal Visionary
February 13, 2025
News
Chambers Recognizes Hunton in Its 2025 Global Guide
February 10, 2025
News
Daily Journal Honors Ann Marie Mortimer as a 2025 Leading Commercial Litigator
January 31, 2025
News
Los Angeles Business Journal Recognizes Jason Kim for the Third Time as a 2025 Leader of Influence: Minority Attorney
November 21, 2024
News
Los Angeles Times Honors Two Hunton Andrews Kurth Partners as 2024 Business of Law Visionaries
October 21, 2024
News
Miami-Dade Bar Recognizes Two Hunton Andrews Kurth Attorneys at Inaugural Circle of Excellence Awards
October 14, 2024
News
Los Angeles Times Recognizes Jane Hinton and Jason Kim as Diversity & Inclusion Visionaries
August 28, 2024
News
The Recorder Recognizes Ann Marie Mortimer in 2024 California Legal Awards
June 26, 2024
News
Chambers Crisis & Risk Management 2024 Recognizes Hunton Andrews Kurth
June 24, 2024
News
Daily Journal Recognizes Partner Ann Marie Mortimer Among 2024 Top Woman Lawyers in California
June 11, 2024
News
Southern California Rising Stars Names Associate Hak Stepanyan to 2024 List
April 1, 2024
News
Hunton Andrews Kurth Promotes Eleven to Partner
March 25, 2024
News
Los Angeles Business Journal Recognizes Jane Hinton and Jason Kim for Diversity & Inclusion
January 22, 2024
News
Los Angeles Business Journal Recognizes Jason Kim as a 2024 Leader of Influence: Minority Attorney
December 18, 2023
News
Los Angeles Business Journal Names Two California Attorneys to “Thriving in Their 40s” List
November 27, 2023
News
Los Angeles Times Recognizes Jason Kim and Julia Trankiem as Diversity & Inclusion Visionaries
October 31, 2023
News
Hunton Andrews Kurth Promotes Three to Litigation Counsel
October 6, 2023
News
BTI Litigation Outlook 2024 Recognizes Hunton Andrews Kurth
September 7, 2023
News
Daily Journal Names Shannon S. Broome and Ann Marie Mortimer Among Top 100 Lawyers in California for 2023
June 28, 2023
News
Chambers Crisis & Risk Management 2023 Recognizes Hunton Andrews Kurth
June 21, 2023
News
Daily Journal Names Partner Ann Marie Mortimer a 2023 Top Woman Lawyer in California
January 23, 2023
News
Los Angeles Business Journal Names Jason Kim to “Leaders of Influence: Minority Attorneys”
January 5, 2023
News
GDR 100 Recognizes Hunton Andrews Kurth in its Global Elite Ranking
November 1, 2022
News
BTI Litigation Outlook 2023 Recognizes Hunton Andrews Kurth
September 21, 2022
News
Daily Journal Honors Shannon S. Broome and Ann Marie Mortimer Among 2022 Top 100 Lawyers in California
June 29, 2022
News
Chambers Crisis & Risk Management 2022 Recognizes Hunton Andrews Kurth
December 20, 2021
News
GDR 100 Recognizes Hunton Andrews Kurth LLP as Member of Elite 25
November 30, 2021
News
Hunton Andrews Kurth Launches National Security Practice
September 2, 2021
News
Law360 Recognizes Ann Marie Mortimer and Deidre Duncan as 2021 MVPs of the Year
December 21, 2020
News
Los Angeles Business Journal Recognizes Two California Attorneys in “Thriving in their 40s” Awards
November 11, 2020
News
Daily Journal Recognizes Hunton Andrews Kurth Partner as a Top Cyber Lawyer in California
October 6, 2020
News
Law360 Recognizes Ann Marie Mortimer as 2020 Cybersecurity & Privacy MVP
March 26, 2020
News
BTI Names Hunton Andrews Kurth Among CyberSavvy 16
June 26, 2019
News
The Recorder Names Ann Marie Mortimer Among Top California Trailblazers
June 11, 2019
News
National Law Journal Names Ann Marie Mortimer a Trailblazer in Technology Law
November 3, 2017
News
Global Investigations Review Ranks Hunton & Williams White Collar Practice
July 14, 2017
News
Hunton’s Privacy and Cybersecurity Practice Helps Businesses Prepare for Ransomware and Cyber Attacks
May 17, 2017
News
Hunton’s Cyber and Physical Security Task Force Helps Businesses Prepare for Ransomware and Cyber Attacks
April 4, 2016
News
Hunton & Williams Launches Cyber and Physical Security Task Force
March 23, 2016
News
Jason Beach Named to Daily Report’s 2016 On The Rise Class
January 4, 2016
News
Jason Beach Discusses Data Breaches with Law360
October 1, 2015
News
Hunton Recognized in GIR 100 for White Collar Defense and Internal Investigations Practice
September 11, 2015
News
Westlaw Talks With Jason Beach About IRS Data Breach Lawsuit
August 25, 2015
News
Jason Beach reviews US class actions against Ashley Madison with Reuters
August 2, 2015
News
Business Insurance Discusses Uncertainty of Data Breach Litigation with Jason Beach
July 29, 2015
News
Jason Beach Talks About Fact Patterns in Data Breach Cases With MLex
February 27, 2015
News
Hunton & Williams Promotes Seven to Counsel, from Corporate and Litigation Practices
January 27, 2014
News
Hunton & Williams Named to Global Litigation Top 50 by The Lawyer

Cyber Investigations and Privacy Litigation

Overview

Insights

Legal Updates

Events

Publications

Blog Posts

News

Contacts

Lawrence J. Bracken II

John J. Delionado

Ann Marie Mortimer

Blogs

Related Services

Highlights