Antony (Tony) Kim is a partner in the Antitrust & Competition practice in Washington, D.C., and Global Co-chair of the Cybersecurity & Data Privacy team, which is nationally recognized for "an aggressive yet practical approach" that "meets the needs of both in-house counsel and tech-savvy business clients."
Tony represents clients in investigations before the Federal Trade Commission and the Department of Justice, and in litigation and counseling engagements, across an array of competition issues, as well as data privacy, cybersecurity, incident response, and sales & marketing matters. His clients are engaged in diverse industries, such as software, hardware, financial services, fintech, transportation, chemicals, medical devices, media, fashion, and cutting-edge online and mobile platforms.
The National Law Journal named Tony to its 2014 list of D.C. Rising Stars, a 40-under-40 group of "game changing" private, government and public interest attorneys. Based on extensive market surveys of general counsel and senior in-house lawyers, Tony was awarded the Client Choice Award by the International Law Office (ILO)/Lexology in 2015, and was named an Acritas Star Lawyer in 2016. He is recognized by The Legal 500, by Benchmark Litigation, by Super Lawyers D.C. Rising Stars, and by Cybersecurity Docket, which named Tony to its inaugural "Incident Response 30" list of the top professionals to call when facing a major cyberattack. In 2016, Law360 named Orrick's Cybersecurity & Data Privacy team a "Practice Group of the Year" in the data protection category.
Representative Cybersecurity and Data Privacy experience:
- Cybersecurity/Incident Response. Tony works with in-house legal departments, C-Suites, Boards of Directors and IT teams on proactive corporate cybersecurity preparedness programs and risk mitigation strategies. He regularly appears before Boards of Directors on critical cybersecurity training and compliance matters. He has also directed forensic investigations, cross-border notifications, responses to regulatory enforcement actions, and civil defense strategies in hundreds of cyberattacks and data breaches, on behalf of private and public companies as well as governmental entities, involving the personal information of employees and customers (such as payment card data) as well as proprietary data and trade secrets.
- Data Privacy/Sales & Marketing. Tony has worked with brick-and-mortar and online companies across industries to design and develop effective privacy disclosures, privacy-by-design processes, enterprise-wide privacy and data security programs, online and offline marketing strategies, and a host of other data-handling compliance mechanisms and policies.
- Regulatory Investigations. Tony has defended clients in dozens of federal and state regulatory investigations, including on behalf of: a consumer marketing company in an FTC investigation following a consent decree requiring privacy disclosures and security assessments; an online marketplace lender in an FTC investigation involving advertising practices and claims substantiation issues; an online retailer in an FTC investigation involving "negative option" marketing programs; a national events and ticketing company in an investigation by the FTC and 25 state attorneys general involving a major cyberattack and data breach; a national mobility device maker in investigations by the FTC and the New York, New Jersey, Ohio, Pennsylvania and Washington attorneys general involving the Telemarketing Sales Rule (TSR), the Do-Not-Call Rules (DNC), and state analogs; a social gaming network in an investigation by the FTC involving the Children’s Online Privacy Protection Act (COPPA); and a national mortgage company in an FTC investigation involving the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).
- Civil Litigation. Tony has led or co-led the defense in numerous consumer class actions, including in the Northern District of Illinois and Southern District of Florida on behalf of online service providers against claims under the Telephone Consumer Protection Act (TCPA) for SMS-text message marketing; in the Southern District of Florida on behalf of a high fashion boutique against claims under the Fair and Accurate Credit Transactions Act (FACTA) for allegedly non-compliant, point-of-sale receipts; in four federal and three state class actions on behalf of a national merchant credit card provider against alleged violations of the Credit Repair Organizations Act (CROA) and the Fair Credit Reporting Act (FCRA) provisions on “firm offers” of credit.
Representative Antitrust and Competition experience:
- Mergers & Acquisitions. Tony has led or co-led the defense in merger investigations before the U.S. Department of Justice’s Antitrust Division and U.S. Federal Trade Commission, on behalf of clients such as IronPlanet (online auctions and related disposition formats), Blackfriars (polymer products distribution), Elance (online freelancer platforms), Crane Co. (unattended payment systems), Instagram (mobile photo-sharing app), BASF (specialty chemicals), INEOS Group (styrenics plastics), NOVA Chemicals (styrenics plastics), Exxaro Resources (mineral sands), CoorsTek (alumina wear tiles) and New Times Media (alternative newsweeklies). Tony also has experience assisting clients to evaluate and purchase assets and businesses out of agency divestiture proceedings.
- Cartel Investigations. Tony has extensive experience conducting internal investigations, complying with grand jury subpoenas and requests for information, and defending companies in criminal cartel proceedings before the U.S. Department of Justice’s Antitrust Division, including investigations involving Parcel Tankers, DRAM/SRAM, and a variety of Auto Parts.
- Civil Litigation. Tony has litigated numerous antitrust actions and claims, including at the intersection of intellectual property and antitrust, on behalf of plaintiffs and defendants in state, federal and arbitration proceedings. His clients have included DHL (as “opt-out” plaintiff in the Air Cargo price-fixing class actions), Microsoft (as defendant in an ITC proceeding involving the “patent misuse” defense), Whole Foods Market (as plaintiff in a multi-prong strategy in response to the FTC’s post-consummation challenge to the Wild Oats acquisition), Halcor S.A. (as defendant in a federal price-fixing class action), SF Weekly (as defendant in a California state predatory-pricing action) and Foundry Networks (as antitrust counter-claimant in a case involving alleged abuses in the standard-setting context).
(Editors’ note: Thanks to Orrick trainee associate Arne Senger for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they retain the ability to access their corporate IT equipment, at least to the extent permitted by European data privacy law.
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross BlueShield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals. The decision aligns the second most powerful federal appellate court in the nation with the Seventh Circuit’s pre-Spokeo decisions in Neiman Marcus and P.F. Chang’s and with post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh). In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.
The D.C. Circuit’s holding is an important development. First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers). Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under the HIPAA and GLBA statutory regimes.
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new and complex data privacy law more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization.
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out prescriptive, one-size-fits-all requirements, the final Rules align more closely with the flexible federal financial-sector guidance captured in the NIST Cybersecurity Framework and the FFIEC Cybersecurity Assessment Tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the steps below may help to prioritize and implement a work plan.
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D-Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.
We at Trust Anchor have our ears to the ground. Here are some of the most important things we heard regulators, courts, and legislatures say about cybersecurity in 2016, and what they mean for you and your organization.
There is no such thing as compliance with the NIST Cybersecurity Framework (FTC). In September, the FTC dispelled a commonly held misconception regarding the NIST Framework: It “is not, and isn’t intended to be, a standard or checklist. . . . there’s really no such thing as ‘complying with the Framework.’” The Framework provides guidance on process. It does not prescribe the specific practices that must be implemented. Rather, the NIST Framework lays out a risk-based approach to assessment and mitigation that is “fully consistent” with the concept of “reasonableness” embedded in the FTC’s Section 5 enforcement record. Takeaway: Organizations should consider using the NIST Framework—or another framework—to guide their cybersecurity investments and program development. Use of the NIST Framework alone does not signal that an organization is secure.
States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.
Expanded Definition of “Personal Information”
Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017) joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, Nevada, North Dakota, Rhode Island and Wyoming.
Companies required to appoint a data protection officer (“DPO”) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA”) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR”) and thus influence the appointment of DPOs by international companies.
It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.
Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs). This Advisory follows former FinCEN Director Jennifer Shasky Calvery’s recent statements reminding “financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports.” It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, the Advisory highlights a series of cybersecurity events, such as Distributed Denial of Service (DDoS) attacks and ransomware incidents, that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.