Aravind Swaminathan

Partner

Seattle

Read full biography at www.orrick.com
Aravind Swaminathan is global co-chair of the firm's Cybersecurity & Data Privacy team, which was named Privacy Practice Group of the Year in 2016 by Law360, and is nationally ranked by The Legal 500 in two categories. Aravind earned "particular praise" from Legal 500, as part of a team known for being "extremely responsive and client focused, succeeding at meeting the needs of both in-house counsel and tech-savvy business clients." Aravind is a former federal cybercrime prosecutor, an accomplished trial lawyer, and class action litigator, with extensive experience in handling cybersecurity incidents and data breaches, government and internal investigations, and privacy-related matters.

Aravind advises clients in cybersecurity risk assessment and management, breach incident response planning, and corporate governance responsibilities related to cybersecurity. Aravind has directed over 100 data breach investigations and cybersecurity incident response efforts, including ones with national security implications. He also represents companies and organizations facing cybersecurity and privacy-oriented FTC, SEC, and State Attorney General investigations and class action litigation. Aravind is a sought-after speaker on cybersecurity issues, including threat landscapes, mitigation strategies, incident response plans, and threat management in mobile device ecosystems. Aravind previously served on the City of Seattle's Privacy Advisory Committee and as general counsel to Washington State Governor Jay Inslee's task force on drone legislation, and currently serves as counsel to PISCES, a first-of-its-kind organization whose purpose is to facilitate information sharing between state and local agencies and municipalities to improve threat intelligence availability in support of critical government services.

Until 2013, Aravind served as an Assistant United States Attorney for the Western District of Washington, where he served as one of the district's Computer Hacking and Intellectual Property Section attorneys. As a prosecutor, Aravind investigated and prosecuted a broad array of cybercrime cases, including ones involving hacking, phishing, theft of trade secrets, click fraud, cyber threats, and identity theft. Aravind also led the United States Attorney's Office cybercrime outreach program for the Western District of Washington, where he worked with members of the Department of Justice, state and federal regulators, law enforcement and other organizations on cybersecurity and related privacy issues.

Cybersecurity and Privacy Matters

  • Represented computer hardware manufacturer in security breach affecting credit card information, and ensuing state and federal investigations
  • Represented information security professionals in litigation and investigations in connection with large data breaches
  • Represented major contracting company in national security-related cybersecurity breach that compromised industrial control systems
  • Represented enterprise software and information solutions company in breach of credit card and login/password information
  • Represented IT management software company compromised by botnet that leveraged managed endpoints to mine for digital currency
  • Represented digital currency security company in phishing attack directed at senior management that resulted in extortionate hacker threats
  • Represented major city in connection with compromise of personal information of utility customers and citizens
  • Represented industrial supply company in compromise of usernames and passwords for business to business customers
  • Represented non-profit institutions in investigation of compromised Social Security information affecting their members and employees
  • Directed cybersecurity assessments and planned remediation efforts for technology, financial services, and other companies
  • Advised networking infrastructure company in developing technical global privacy compliance strategy
  • Counseled companies in cybersecurity incident response planning, and facilitated tabletop exercises
  • Advised boards of directors on corporate governance responsibilities relating to cybersecurity and data privacy

Privacy/Cybersecurity Class Action Litigation

  • Represented major retailers in class action litigation alleging deceptive trade practices in connection with gift cards
  • Represented payment processor in litigation with acquiring bank and ISO in connection with processing of credit card transactions
  • Represented application and software company in spyware and consumer protection investigation by Washington State Attorney General
  • Represented company in data breach class action litigation affecting tens of thousands of employees' Social Security numbers and tax information
  • Represented numerous companies in class action litigation brought under the Telephone Consumer Protection Act
  • Represented information solutions company against claims asserted under the Electronic Communications Privacy Act
  • Served as General Counsel to Washington State Governor Jay Inslee's task force on drone legislation
  • Served as member of City of Seattle Privacy Advisory Committee

White Collar and Investigation Matters

  • Represented one of the nation's largest independent automobile dealerships in federal money laundering and tax investigation resulting in favorable non-prosecution agreement for individual company owners
  • Represented individual in government procurement and false statements investigation and prosecution
  • Represented healthcare provider in negligent homicide investigation
  • Represented large healthcare provider and leading pharmaceutical company in separate false claims investigations by Washington State Attorney General
  • Represented pharmacy chain in DEA diversion investigation
  • Represented Japanese individuals in Department of Justice and Securities and Exchange Commission investigation arising out of cross-border healthcare receivables investment company
  • Represented environmental technology solutions company in federal criminal grant fraud investigation, resulting in no charges brought
  • Represented Hong Kong-based national in Foreign Corrupt Practices Act investigation
  • Led internal investigation at public technology company of allegations of Wiretap and Washington State Recording Act violations

Posts by: Aravind Swaminathan

No Harm, But Foul? FTC Sues Internet of Things Maker D-Link for Security “Vulnerabilities” Despite No Allegations of Breach

Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D‑Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.

What Did They Say About Cybersecurity in 2016? 8 Proclamations from Regulators and the Courts

We at Trust Anchor have our ears to the ground. Here are some of the most important things we heard regulators, courts, and legislatures say about cybersecurity in 2016, and what they mean for you and your organization.

There is no such thing as compliance with the NIST Cybersecurity Framework (FTC).
In September, the FTC dispelled a commonly held misconception regarding the NIST Framework: It "is not, and isn't intended to be, a standard or checklist. . . . there's really no such thing as 'complying with the Framework.'" The Framework provides guidance on process. It does not prescribe the specific practices that must be implemented. Rather, the NIST Framework lays out a risk-based approach to assessment and mitigation that is "fully consistent" with the concept of "reasonableness" embedded in the FTC's Section 5 enforcement record. Takeaway: Organizations should consider using the NIST Framework, or another framework, to guide their cybersecurity investments and program development. Use of the NIST Framework alone does not signal that an organization is secure.

2016 Data Breach Legislation Roundup: What to Know Going Forward

States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.

Expanded Definition of “Personal Information”

Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017) joined the ranks of states that include usernames (or email addresses) and passwords in the definition of "personal information" that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.

DFARS and DIB: Compliance Steps for DoD’s Newly Finalized Cybersecurity Rules for Contractors

For businesses that work with the U.S. Department of Defense ("DoD"), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement ("DFARS Rule") and went into effect on October 21, 2016. The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base ("DIB Rule") and went into effect on November 3, 2016.

We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.

Keep Reading: Standing Affirmed, but Barnes & Noble Data Breach Class Action Halted

It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.

10 German Data Privacy Supervisory Authorities Investigating Potential Unlawful International Data Transfers

According to a November 3 press release of the Data Protection Supervisory Authority of the Land Mecklenburg-Vorpommern, German supervisory authorities have randomly selected 500 companies in Germany and sent them requests for information on their international data transfers. The German supervisory authorities are undertaking this coordinated action in order to increase awareness among companies of the need to ensure data privacy compliance of international data transfers.

New Cybersecurity Reporting Requirements? FinCEN Advisory Identifies Cybersecurity Events for Financial Institutions to Report

Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs). This Advisory follows former FinCEN Director Jennifer Shasky Calvery's recent statements reminding "financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports." It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, it highlights a series of cybersecurity events, such as Distributed Denial of Service (DDoS) attacks and ransomware incidents, that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.

Does Your Insurance Cover Phishing Attacks and Business Email Compromise? The Uncertainty Continues…

The coverage landscape for "Business E-mail Compromise" (BEC) scams remains somewhat tenuous, as organizations and carriers continue to battle in court over the extent of coverage. Although recent policyholder-friendly decisions in the Eighth Circuit (hacker who took over a bank's computer system) and a federal district court in Georgia (scheme based on spoofing a CEO's e-mail) found insurance coverage for fraudulently transferred funds, a recent unpublished Fifth Circuit opinion moves in the other direction. Unfortunately, this new ruling, and the uncertainty it creates, may embolden insurers in fighting coverage for these scams under crime insurance policies.

What is the FTC Doing About Privacy and Drones?

Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.

What Happens When My Company Receives a National Security Letter? A Primer.

Even today, most companies, even technology companies, do not think they have information that the U.S. Government wants or needs, particularly as it might relate to a national security investigation. The reality is that as terrorists and others who threaten national security use a broader spectrum of technology resources to communicate and to finance and conduct operations, the U.S. Government has significantly increased its collection of data from technology companies and others.