Kate M. Growley, CIPP/G, CIPP/US

Counsel
Washington, D.C.
kgrowley@crowell.com
Phone: +1 202.624.2698
1001 Pennsylvania Avenue NW
Washington, DC 20004-2595

Kate M. Growley (CIPP/US, CIPP/G) is a counsel in the Washington, D.C. office of Crowell & Moring. She is a member of the Steering Committee for the firm's Privacy & Cybersecurity Group, while working closely with the firm's Government Contracts and Litigation groups. Her practice covers a wide range of information security counseling and litigation engagements, including cybersecurity compliance, incident response, regulatory investigations, and disputes surrounding data breaches and trade secrets.

Kate is a Certified Information Privacy Professional for both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She has been named a “Rising Star” by both Law360 (2018) and the American Bar Association's Science & Technology Section (2016). Kate serves as co-chair of the ABA Public Contract Law Section’s Cybersecurity, Privacy, & Data Protection Committee, as well as the Science & Technology Section's Homeland Security Committee. Kate also sits on PubK Law’s Advisory Board, advising on cybersecurity issues for government contractors. Most recently, Kate was inducted as a Fellow of the American Bar Foundation.

Kate received her J.D. from the University of Virginia School of Law, where her studies focused on national security. Prior to law school, she graduated first in her class from Florida State University, summa cum laude with honors.

Cybersecurity for Government Contractors

Kate maintains a robust cybersecurity practice focused on the government contracting community, particularly those working with the Department of Defense. Her recent engagements address issues including:

  • Crafting and implementing strategies to comply with DFARS 252.204-7012, including the drafting of system security plans (SSPs) and plans of action & milestones (POAMs).
  • Assessing whether, when, and how to report cyber incidents under DFARS 252.204-7012, and responding to customer "damage assessment" media requests.
  • Understanding and negotiating cloud service provider agreements under DFARS 252.204-7012 and DFARS 252.239-7010.
  • Complying with basic safeguarding requirements under FAR 52.204-21 and privacy training requirements under FAR 52.224-3, as well as NIST SP 800-171 and NIST SP 800-53.
  • Assessing and complying with security obligations under the NISPOM, Privacy Act, and FISMA.
  • Evaluating and managing insider threat and supply chain risks, including potential disclosures.
  • Evaluating entry into the Defense Industrial Base (DIB) Cybersecurity Information Sharing Program.
  • Advising on jurisdictional and accessibility issues related to data hosting, including the Fourth Amendment and Foreign Intelligence Surveillance Act (FISA).
  • Negotiating voluntary use of government investigation and hunt teams, including with the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Missile Defense Agency (MDA).
  • Advising on cybersecurity concerns in pre-award contractual negotiations at both the federal and state levels.

Incident Response

On a daily basis, Kate is helping clients manage and respond to cyber incidents. Her practice covers the full incident lifecycle from tailoring incident response plans to finalizing formal notifications. Her work frequently involves close engagement with in-house and third-party forensics firms, as well as regulatory and business stakeholders. Example engagements include:

  • Represented major technology company in assessing and responding to well-publicized security incident, including assessments of global customer notification obligations and litigation exposure, as well as extensive cooperation with U.S. and foreign law enforcement.
  • Advised national professional services firm in responding to and analyzing legal implications of network compromise potentially linked to an insider threat.
  • Assisted large manufacturer in responding to security incident stemming from Internet-connected devices provided by third parties, including assessments of potential legal liabilities and assistance with government agency investigations.
  • Counseled major technology services provider in assessing customer notification obligations associated with large exfiltration of company data to a foreign nation.
  • Advised international manufacturer regarding crisis management strategy in response to security vulnerability disclosure.
  • Counseled global manufacturer in assessing legal obligations stemming from globally-publicized ransomware attack.
  • Represented non-government organization in investigating and remediating security incident implicating personally identifiable information (PII), as well as leading required individual and state Attorney General notifications.
  • Led large research organization’s response to ransomware incident, including forensic investigation, assessment of customer and employee notification obligations, and regulator outreach.

Investigations, Litigation, and Arbitration

In addition to her counseling practice, Kate maintains a steady docket of dispute resolution matters. Her engagements include:

  • Represented multiple health care plans in regulatory investigations instituted by The Department of Health & Human Services Office of Civil Rights in response to privacy and security incidents.
  • Represented large non-profit organization and technology services provider in response to state Attorney General inquiries stemming from security incidents.
  • Defended health care system in complex class actions stemming from security incident potentially affecting over 4.5 million individuals.
  • Defended former federal official regarding Bivens liability stemming from post-9/11 PENTTBOM investigation at the trial level and on appeal, including before the Supreme Court of the United States in Ziglar v. Abbasi.
  • Defended acting foreign official from allegations of terrorism.
  • Pursued indemnification claim under Public Law 85-804 on behalf of major defense contractor.
  • Defended insurer against complex cyber coverage claims brought by insured.
  • Defended Medicare Advantage organization at both the trial and appellate levels in dispute brought by multiple health providers over the exhaustion of administrative remedies.
  • Represented international hospitality company in federal litigation and related arbitration regarding claims of unfair competition and misappropriation of trade secrets.
  • Represented software service provider in arbitration regarding contractual and unauthorized access claims, including those brought under the Computer Fraud & Abuse Act (CFAA).

Privacy and Cybersecurity Counseling

Kate also regularly counsels clients on a variety of privacy and information security issues, including:

  • Artificial intelligence (AI) and big data
  • Autonomous vehicles (AVs)
  • Cloud migration and other digital transformation initiatives
  • Europe’s General Data Protection Regulation (GDPR)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Internet of Things (IoT), including California and Oregon state law
  • New York’s Department of Financial Services (DFS) Cybersecurity Requirements
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Penetration testing
  • UAS/UAV (“drone”) regulations

Affiliations

Admitted to practice: District of Columbia and Virginia; U.S. Supreme Court



Highlights, News & Knowledge

Speeches & Presentations

  • "Cybersecurity for Contractors," Government Contracts 101 Conference, Tysons Corner, VA (October 23, 2019). Speakers: Stephanie L. Crawford, Kate M. Growley, Peter B. Miller, Evan D. Wolff.
  • "Cybersecurity for Contractors," Government Contracts "101" - Back to Basics, McLean, VA (October 23, 2019). Moderator: Kate M. Growley; Panelists: Evan D. Wolff, Peter B. Miller, and Stephanie L. Crawford.
  • "Webinar Series: Safeguarding Your Secrets in the Digital Age - Part 2," Crowell & Moring Webinar (October 8, 2019). Presenters: Kate M. Growley and Julia Milewski.
  • "Confronting the Challenges of Supply Chain Security," Crowell & Moring Webinar (September 25, 2019). Presenters: Adelicia R. Cliffe, Paul Freeman, Kate M. Growley, and Michael G. Gruden.
  • "A Mountain of Requirements: Cybersecurity and Privacy for Contractors," Crowell & Moring's Ounce of Prevention Seminar (OOPS) 2019, Washington, DC (May 8, 2019). Moderator: Kate M. Growley; Speakers: Evan D. Wolff and Peter B. Miller.
  • "Cybersecurity Developments Affecting Government Contracting," ABA's 25th Annual Federal Procurement Institute, Annapolis, MD (March 14, 2019). Panelist: Kate M. Growley.
  • "Smart Technologies and Privacy," American Bar Association 2018 Women in Products Liability Regional CLE Program, Washington, D.C. (October 25, 2018). Presenter: Kate M. Growley.
  • "Cybersecurity for Contractors," Government Contracts "101" - Back to Basics, Washington, D.C. (October 10, 2018). Presenters: Evan D. Wolff and Kate M. Growley.
  • "GDPR and Beyond," Crowell & Moring's Government Contracts Breakfast Series, McLean, VA (September 19, 2018). Presenters: Adelicia R. Cliffe, Evan D. Wolff Maria, Alejandra (Jana) del-Cerro, and Kate M. Growley.
  • "What Will the New Year Bring: Top Headlines, Headaches, and Developments for Government Contractors to Watch in 2018," Crowell & Moring Webinar (January 25, 2018). Presenters: Crowell & Moring Government Contracts Group.
  • "Intellectual Property, Information Technology and Cybersecurity," PubKGroup's 3rd Annual Year In Review Webinar (December 7, 2017). Panelist: Nicole Owren-West and Kate M. Growley.
  • "Cybersecurity for Contractors," Government Contracts "101" - Back to Basics, Washington, D.C. (October 26, 2017). Presenters: Paul M. Rosen, Evan D. Wolff and Kate M. Growley.
  • "Cyber and Information Technology Compliance and Lessons Learned," CIECI 2017 Best Practices Forum, Denver, CO (October 9, 2017). Panelist: Kate M. Growley.
  • "Information Governance & Cybersecurity," Women in E-Discovery, Washington, D.C. (September 20, 2017). Panelist: Kate M. Growley.
  • "Hurry-Up Offense: Keeping Pace with Information Security and Privacy," OOPS 2017, Crowell & Moring's 33rd Annual Ounce of Prevention Seminar, Washington, D.C. (May 4, 2017). Presenters: Peter B. Miller, Paul M. Rosen, Evan D. Wolff, and Kate M. Growley.
  • "The Trump Administration's Acquisition Policy Agenda," The Coalition for Government Procurement Webinar (March 15, 2017). Presenters: Robert A. Burton, Stephen J. McBrady, and Kate M. Growley.
  • ABA Public Contract Law Section’s 3rd Annual Government Perspectives Panel on Cybersecurity, Washington, D.C. (February 22, 2017). Moderator: Kate M. Growley.
  • "What Will the New Year (and Administration) Bring for Government Contractors?" Crowell & Moring First 100 Days Webinar, Washington, D.C. (January 25, 2017). Presenters: Crowell & Moring Government Contracts Group.
  • "The Incoming Administration's Acquisition Policy Focus: Analysis & Commentary," 2016 Fall Training Conference, The Coalition for Government Procurement, Washington, D.C. (November 17, 2016). Presenters: Robert A. Burton, Stephen J. McBrady, and Kate M. Growley.
  • "Legal Careers in Cybersecurity, Privacy, and Information Law: An Evening of Networking and Discussions with the Experts on How They Arrived," American Bar Association Cross-Section Program (October 13, 2016). Moderators: David Z. Bodenheimer and Kate M. Growley. Speaker: Cheryl A. Falvey.
  • "Cybersecurity Table Top for a Congressional Cyber Security Lab Program," Wilson Center, Washington, D.C. (June 10, 2016). Moderator: Evan D. Wolff. Facilitators: Peter B. Miller, Harvey Rishikof, Maida Oringher Lerner, Elliot Golding, and Kate Growley.
  • "Regulating Information: Cybersecurity, Internet of Things, & Exploding Rules," OOPS 2016, Crowell & Moring's 32nd Annual Ounce of Prevention Seminar, Washington, D.C. (May 25-26, 2016). Moderator: David Z. Bodenheimer. Panelists: Evan D. Wolff and Kate M. Growley.
  • "Federal Contracting and Cybersecurity: What Higher Education Institutions Need to Know," Webinar (March 3, 2016). Panelists: Laurel Pyke Malson, Evan D. Wolff, Lorraine M. Campos, Harvey Rishikof and Kate M. Growley.
  • "What Will the New Year Bring," Crowell & Moring Webinar, Washington, D.C. (January 14, 2016). Presenters: Crowell & Moring Government Contracts Group.
  • "Government Contracting on the Cybersecurity Frontier: Cyber Landmines, Compliance Risks, and Emerging Rules," American Bar Association Webinar (December 17, 2015). Presenters: David Z. Bodenheimer and Kate M. Growley.
  • "Understanding Drone Privacy Law Regarding Unmanned Aerial Vehicles (UAVs)," ABA Webinar (December 1, 2015). Moderator: Kate M. Growley.
  • "Cybersecurity," Women in eDiscovery, Washington, D.C. (October 21, 2015). Presenter: Kate M. Growley.
  • "Cybersecurity & Data Privacy: Tackling Tough Questions for Federal Agencies & Contractors," Thompson Interactive Webinar (May 7, 2015). Presenters: Kate M. Growley, Gordon Griffin, Yuan Zhou, and Sharmistha Das.
  • "Cybersecurity Risk Management: The View from Washington and Beyond," OOPS 2015, Crowell & Moring's 31st Annual Ounce of Prevention Seminar, Washington, D.C. (May 5-6, 2015). Moderator: Peter B. Miller; Panelists: Evan D. Wolff, Maida Oringher Lerner, and Kate M. Growley.
  • "Cybersecurity and Government Contracting: Regulations, Implications and Compliance," Federal Publications Seminars, Washington, D.C. (April 14, 2015). Presenters: David Z. Bodenheimer, Kate M. Growley, Yuan Zhou, and Sharmistha Das.
  • "Issues Relating to Cybersecurity Rules Affecting Government Contractors," ABA Public Contract Law Section Council Meeting, Washington, D.C. (March 14, 2015). Speaker: Kate M. Growley.
  • "ABA Young Leaders on Cybersecurity, Privacy, & Information Law: Rapid-Fire Retrospectives on 2014 and Predictions for 2015," ABA's PCL and SciTech Sections, teleconference (December 8, 2014). Panelists: Elliot Golding and Kate M. Growley.
  • "Cyber Crisis Management: Are You Prepared?" OOPS 2014, Crowell & Moring's 30th Annual Ounce of Prevention Seminar, Washington, D.C. (May 13-14, 2014). Moderator: Evan D. Wolff; Presenters: David Z. Bodenheimer, Kelly T. Currie, and Kate M. Growley.
  • "Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny," L2 Federal Resources Webinar (September 19, 2013). Presenters: Gordon Griffin, Elliot Golding, Amelia Schmidt, and Kate Molony.
  • “Issues in Cybersecurity,” Lecture at University of Virginia’s Sorensen Institute Political Leaders Program (July 13, 2013). Presenters: Kate Molony and Dr. Steven Bucci of the Heritage Foundation.
  • "Cybersecurity for the Next Generation of Government Contractors," Presentation to L2's NextGen Government Contractors Association (April 30, 2013). Presenters: David Z. Bodenheimer, Gordon Griffin, and Kate Molony.

Publications


Client Alerts & Newsletters


In the News


Firm News & Announcements

Feb.22.2019 Law360 Names Crowell & Moring's Government Contracts Group a "Practice Group of the Year" for the Ninth Consecutive Year
Aug.22.2018 Crowell & Moring Counsel Kate Growley Named a Law360 2018 Cybersecurity & Privacy 'Rising Star'
Jan.09.2017 Crowell & Moring Elects Six New Partners and Promotes 19 Associates to Counsel
Jan.09.2015 Crowell & Moring's Government Contracts Group Named to Law360's "Practice Groups of the Year" for Fifth Consecutive Year
Jun.05.2014 Crowell & Moring Releases "Data Law Trends & Developments" Report