O’Melveny’s Data Security and Privacy group helps clients prepare for and respond to the serious legal and financial risks posed by evolving data protection and privacy obligations. Our lawyers provide counsel across the entire life-cycle of privacy and data security concerns—from pre-incident counseling and policy formation, to managing incident responses, internal investigations, litigation, and regulatory proceedings. Senior business executives, company boards, and corporate legal departments look to our team as they anticipate challenges, shape their strategies, and address the business, legal, and policy issues surrounding privacy and cybersecurity. 

We also leverage the in-depth knowledge and experience of our lawyers who have held high-level posts in government and the private sector—allowing us to help clients navigate the complex and shifting decision-making procedures followed by federal agencies, Congress, and other governmental and regulatory bodies. O’Melveny’s award-winning litigation and investigations lawyers draw on their decades of success in and out-of-court to advise clients when data breaches result in class action litigation or regulatory proceedings. 


  • Training and education for in-house counsel and information security officials on existing regulatory regimes, managing cyber risks, and potential liabilities in the event of data breaches.
  • Strategic counseling on the cyber threat landscape and the rapidly evolving legal risks associated with cyber-attacks, including presentations geared to the Board and other high-level decisions makers. 
  • Privileged and confidential assessments of cybersecurity risks of existing holdings, including review and recommendations for enhancements of incident response plans, and other pre-breach preparations, such as table top exercises, employee training, insider threat management, and penetration testing. 
  • Supply Chain Risk Management assessments, including review and recommendations to mitigate exposure and risks from cybersecurity incidents of suppliers and vendors. 
  • Post incident response, including internal investigations, compliance with notification and SEC disclosure requirements, and the management of relationships with law enforcement and regulatory agencies (federal, state, foreign) in order to mitigate investigative risks. 
  • Defense of regulatory enforcement matters, class action litigation (consumer, employee, and shareholder derivative), and other breach related litigation, and the handling of cyber insurance issues.

E-Commerce Company

O’Melveny represented a leading internet search engine in class actions related to data privacy in federal court. These cases involved claims that the company tracked or disclosed personally-identifiable user information to third parties and that the company itself accessed user information without authorization. Read

Insurance Company

O’Melveny conducted an internal investigation for a large insurance company into a cyber attack on client accounts and advised the company on responding to the attack. Read

International Cosmetics and Household Goods Company

We performed an international analysis covering regulatory requirements for the online collection and cross-border transfers of customer information for the U.S., China, and the European Union. Read

Major financial services institutions

O’Melveny advises several financial institutions on cybersecurity preparedness and incident response. We are currently advising a large banking client in responding to the Equifax data breach and are advising a separate banking client on cybersecurity issues as part of stress testing exercises mandated by Dodd-Frank. We have also advised a large insurance and retirement firm on response in the aftermath of a cybersecurity incident affecting customer accounts. Additionally, we have helped a large mortgage-market participant prepare for privacy and data security issues related to the implementation of a large database used for predictive analytics and research purposes. Separately, we helped that same client develop protocols for information-sharing with federal regulators and law enforcement, and advised on privilege consideration surrounding the company’s disclosure of threat and incident information. Read

Managed Care and Health Care Providers

We provide advice and counseling to multiple clients in the health care industry on data security preparedness and breach response planning and have assisted in evaluating crisis management practices. This work has included designing HIPAA and 50-state compliant incident response policies, testing incident response plans, and enhancing policies and procedures to cure any determined gaps or risks. Read

Multinational corporations

We advise numerous multinational corporations on the impact of the China Cyber Security Law on their China operations. Read


O’Melveny represented the specialty pharmacy in defending multiple class actions under statutory privacy laws involving separate alleged violations of calling and faxing activities to patients and medical practices related to its services. O’Melveny successfully resolved the first class action without providing classwide relief and reached a favorable settlement in the second action. Read

Online Music Company

We counseled an online music company on its response to a ransomware demand and worked with the company to inform state governments of the data breach. Read


O’Melveny represents Visa on matters related to data compromise events at merchants or processors, including on issues related to many of the largest account data compromise events in the history of the payment card industry, such as counseling on and the settlement of claims arising from data breaches at Target Corporation, The Home Depot, Heartland Payment Systems, and others. Read