Background - Privacy & Cybersecurity

Crisis Management: Breach Response and Litigation


Crowell & Moring represents clients that have experienced security breaches involving personal information, trade secrets, and other proprietary information. We are on the ground from the initial internal investigation stage through the notification, government enforcement, and class action stages. Despite the prevalence of data incidents today, particularly cyber intrusions, a data infiltration is not necessarily a catastrophe for a business. Rather, proper crisis management, timely remedial action, accurate assessments of harm, and, if necessary, individual and governmental notifications can salvage, or at least mitigate, a breach crisis. We handle all aspects of breach response including:

  • Assisting with the legal/business decision whether to notify given the facts, and if so, the extent of notification required; we have developed detailed outlines and spreadsheets of the various requirements of and nuances between the many state security breach laws to make this a quick and effective process.
  • Drafting notifications to individuals and regulators.
  • Preparing statements for external sources, e.g., media and law enforcement.
  • Assisting with communications to other required agencies, such as consumer reporting agencies.
  • Preparing statements, e-mail notices, and personalized correspondence with employees affected by security incidents.
  • Advising clients on both legal requirements and best practices with respect to post-incident assistance to those affected (e.g., credit monitoring, insurance, etc.).
  • Defending against state and federal regulatory investigations.
  • Defending against state attorneys general lawsuits.
  • Defending individual and class action lawsuits arising from data and privacy breaches.
  • Responding to individual complaints regarding privacy and data security.
  • Conducting postmortem analysis of breach to enhance cybersecurity and corporate compliance programs to safeguard data against future security breaches.

Representative Matters

Crowell & Moring has handled major data breach litigation and demonstrated its capabilities in addressing litigation risks and legal developments in the cybersecurity arena including Advanced Persistent Threats (APT). Crowell & Moring’s litigation experience includes both federal and state actions arising out of security breaches, as well as representing companies in investigations involving such breaches.

Representative engagements include the following:

Litigation Defense

  • Defended Starwood Hotels in a federal data security class action filed after Starwood announced that cyber criminals had installed malware on point of sale terminals at dozens of Starwood locations that permitted the cyberattackers to access customers’ credit card information.  We obtained a voluntary dismissal of the action with prejudice with no payout to the plaintiff, after filing a motion to dismiss and convincing the court that, among other things, the plaintiff had failed to allege sufficient injury to establish federal jurisdiction.
  • Crowell & Moring defended Health Net in some of the largest data privacy class action lawsuits filed under The California Confidentiality of Medical Information Act (“CMIA”). These actions involved several computer hard drives that Health Net’s IT management vendor could not account for at Health Net’s data center in Rancho Cordova, California.  Seventeen plaintiffs’ law firms filed 11 actions on behalf of putative nationwide and California classes of over two million Health Net members, seeking upwards of $2 billion in statutory damages. In the federal case, the district court agreed with Health Net that the lack of evidence of harm was fatal to the plaintiffs’ case and dismissed the class action complaint for failure to allege actual injury.  Crowell & Moring represented the client throughout the breach response process, including in the internal investigation, investigations by state attorneys general, and departments of insurance and the United States Health and Human Services Office for Civil Rights (OCR). We resolved the OCR investigation without payment of fines or mandatory corrective actions.
  • Currently representing UCLA Health System Center in 17 class actions filed against it in California state courts stemming from a cyber-intrusion involving the records of 4.5 million individuals.  We were retained to investigate the matter and defend the class actions.
  • Represented a large university system in a class action brought against it in state court under the California Confidentiality of Medical Information Act (“CMIA”) alleging that the university had improperly disclosed confidential medical information of more than one million patients. When Crowell & Moring was retained as successor counsel, the trial court had already denied a motion for summary judgment and the university was facing potential liability for statutory penalties exceeding $1 billion.  We were able to successfully resolve the action without any payment to class members.
  • Handled protest litigation in federal court and the U.S. Government Accountability Office involving cybersecurity requirements, adverse past performance due to security breaches, and failure to develop and maintain a compliant federal cybersecurity program.
  • Represented a national electronic data-management company in third-party action between a New York City hospital and a security company over a data breach, succeeding in preventing our client from becoming party to the litigation.
  • Represented a Fortune 500 company in cyber-theft litigation including coordinating forensics efforts to track down and prove improper download of company computer files and addressed issues relating to computer management and inventory of data.
  • Defended a data-management company after an employee inadvertently transmitted data pertaining to students from 48 universities to the wrong university.

Crisis Management Investigations, and Regulatory Enforcement Defense

  • Represented a national health care company in a nationwide incident involving lost disk drives affecting more than 2 million individuals.  Multiple state regulators investigated the matter.  Crowell & Moring defended the company in actions commenced by Connecticut and Vermont regulators and resolved these matters favorably for the client.
  • Represented a health insurance plan that had been under investigation with the Office for Civil Rights for a HIPAA violation.  We helped reframe the size of the incident and called into question OCR’s jurisdiction. OCR ultimately closed the investigation with no fines.
  • Represented a Blues Plan in an OCR investigation alleging disclosure of PHI in the processing of payments.  OCR declined to fine the Client and closed the case.
  • Currently representing a Blues Plan in any ongoing OCR investigation involving claims of improper marketing under HIPAA.
  • Represented a trade association client in investigating and responding to a cybersecurity attack, including preparing notification to individuals whose information may have been accessed, retaining and directing a forensic consultant to investigate the cyber incident, providing guidance to the client’s employees to prevent similar incidents in the future, and assisting with outreach to law enforcement.
  • Represented a national health care provider in investigations commenced by OCR and California regulators arising from a lost laptop.
  • Advised universities on cyber incidents, complex information technology, and information security operational and investigation issues.
  • Advised numerous companies on criminal financial investigations involving international organizations attempted financial fraud.
  • Advised a national retail chain on the theft of millions of financial information records, which involved extensive investigation involving federal and state law enforcement coordination and nationwide disclosures.
  • Represented a major U.S. company operating as a HIPAA Covered Entity when an employee of a business associate stole and sold data regarding the client’s employees. Crowell & Moring ultimately persuaded the business associate to pay for all costs related to the investigation and notification and obtained a broad indemnity agreement.
  • Represented a transportation industry client in a breach involving sensitive employee information. Crowell & Moring coordinated the forensic investigation, reported to and assisted the FBI and local law enforcement in the criminal investigation, prepared notification to individuals and authorities, negotiated credit services and assisted with public relations issues.  No enforcement actions were brought, and the client received multiple letters from attorneys general praising its prompt and effective response to the situation.
  • Represented a defense contractor whose vendor’s system was accessed by a Hactivist group and employee travel information and PII was compromised. Crowell & Moring assisted with the forensic investigation and coordinated notification to individuals and authorities with the vendor organization.  We also assisted the client with internal notifications and employee relations issues.
  • Represented a major global consumer products trading company whose payment processing vendor inadvertently sent payment data to a third party.  Crowell & Moring worked with the vendor to mitigate the situation and secure the data.
  • Advised and represented energy and energy transportation companies on multiple and simultaneous investigations into an intrusion by an advanced threat actor related to industrial control systems and business systems.
  • Represented a global provider of software to the energy industry in response to a security incident. Crowell & Moring handled all aspects of the incident response including notifications to individuals, state attorneys general, and its utility clients.  We also worked with the client to develop post-incident processes that were satisfactory to the utility clients, including recommending changes to the customer application and data collection process for utility rebate programs.
  • Represented a County Organized Health System that contracts with the local health agencies to arrange and pay for the provision of state-subsidized managed care services to eligible members after a security incident involving a web portal.  Crowell & Moring advised the client on notification obligations under HIPAA and state law and assisted with the risk assessment and notification decision.
  • Represented a global financial institution on a sophisticated international criminal attack involving the theft of significant funds.  The investigation involved coordinating with the insurance company and multiple federal law enforcement agencies and resulted in criminal prosecution and arrest of attackers.
  • Assisted a Fortune 125 manufacturer after the FBI produced files showing confidential corporate data on foreign servers (including technology data of clients and vendors), counseled key stakeholders during initial crisis management, and prepared the notice to government authorities for reporting inadvertent loss of export- controlled data; retained by client to develop corporate compliance program to safeguard export-controlled data against future security breaches.
  • Worked with a major aerospace company to manage a  cyber breach by Chinese hackers that compromised employee files and personal data, developed a strategy and process for notifying government authorities and affected individuals, defended company, and cooperated with state attorney general’s office regarding breach and avoided sanctions or fines.
  • Assisted a major construction company in response to FBI subpoena for access to the corporate network following an APT breach of the network and data; negotiated scope and terms of government access to protect company’s privileges and confidential data.