Data Breach Preparation & Response

The risk of experiencing a data breach is rising in spite of strict privacy requirements for businesses. Nixon Peabody’s team offers future-focused breach planning and quick response, so you can be ready for anything.

Our Approach

Data breaches imperil your customer service and your brand reputation. We understand there’s no time to waste when your data is at risk. Our team offers prompt and efficient data breach response and guidance in the face of complex statutory and regulatory requirements.  With experience handling hundreds of sensitive security incidents, we can guide you through a breach and help you ensure it doesn’t happen again.

We focus on:

  • Preventing attacks through proactive mitigation programs and policies
  • Monitoring and detecting potential cyber risks
  • Responding to breaches and other adverse events

Our team’s core experience includes:

  • Directing and coordinating forensic investigations
  • Advising on statutory, regulatory, and contractual breach notification requirements
  • Working with law enforcement agencies
  • Counseling on corporate governance and fiduciary responsibilities
  • Representing companies in government investigations and enforcement actions
  • Defending against civil class actions and arbitrations
  • Coordinating public relations and media strategy efforts

Recent Experience Representing

  • A leading apparel company in its investigation and reporting efforts following discovery of a data breach during M&A activity.
  • A financial institution in its investigation, remediation, and reporting efforts under the General Data Protection Regulation (GDPR) following a phishing scam involving unauthorized access to personal information and customer funds.
  • A boutique hotel chain after its computer network was hacked by a former employee, including working closely with forensic investigators, advising on mandatory notifications, and successfully avoiding litigation.
  • A group of affiliated health care providers after their collective network was victimized by a ransomware attack while working closely with forensic investigators to assess scope of penetration and advising on reporting requirements and remediation.
  • A country club after its network was penetrated by a former employee, including coordinating forensic investigation and advising on reporting requirements, thus avoiding follow-on litigation.
  • Health care entities on whether an event triggers a reportable breach under Health Insurance Portability and Accountability Act (HIPAA), state law, or contract, including coordination of forensic investigators, counsel on notifications, and public relations teams. 
  • A client following the loss of laptops containing personal information of individuals from 31 different states.
  • A marketing provider after its network was penetrated by a former employee, bringing a John Doe complaint in federal court to utilize subpoena power to assist in uncovering the former employee.
  • An event management and ticket distribution company in dozens of pre-litigation business-to-business disputes following data breach of client’s website, successfully avoiding any litigation.

Corporate spending on cybersecurity continues to increase

Rochester Business Journal | October 25, 2019

Jenny Holmes, Nixon Peabody associate, is quoted in this article about the trend of rising costs for cybersecurity protection.

Read fine print on cyberthreat coverage

Providence Business News | September 26, 2019

Providence Complex Commercial Disputes partner Steven Richard is quoted in this article about how more Rhode Island businesses are purchasing insurance to protect against the fallout from potential data breaches.

Is a ransomware attack a reportable data breach?

Providence Business News | April 26, 2019

Providence Complex Commercial Disputes partner Steven Richard authored this column about ransomware attacks and how businesses should respond, including considering whether the ransomware attack is reportable or subject to notification requirements.

Facebook lawsuit underscores importance of transparent collection and use of data

Rochester Business Journal | January 25, 2019

Rochester Corporate partner Jeremy Wolk wrote this contributed column analyzing a lawsuit filed against Facebook in Washington, DC, alleging violations of state-level consumer protection laws by the social media company. This article incorporates perspective from an alert written by Washington Complex Commercial Disputes associate Brian Donnelly, Rochester Corporate associate Jenny Holmes, and Los Angeles Government Investigations & White Collar Defense associate Karina Puttieva.

Problems with the California Consumer Privacy Act

Los Angeles/San Francisco Daily Journal | January 23, 2019

Los Angeles Government Investigations and White Collar Defense partner Jason Gonzalez and associate Karina Puttieva co-wrote this contributed article identifying issues with the “remarkably unclear” California Consumer Privacy Act, a measure passed last year that regulates large businesses businesses who buy, sell or share consumers’ personal information.


Jason C. Kravitz

Co-leader, Intellectual Property
Leader, Cybersecurity & Privacy

Phone: 617-345-1318

Jenny L. Holmes

Deputy Leader, Cybersecurity & Privacy

Phone: 585-263-1494

Christopher M. Mason

Deputy Leader, Class Actions and Aggregate Litigation
Leader, Arbitration Team
Former Member, Firm Policy Committee
Member, Firm Pro Bono Committee

Phone: 212-940-3017

Back to top