Trust Anchor

Douglas H. Meal

Partner

Boston

Read full biography at www.orrick.com

Seasoned trial lawyer Doug Meal defends clients targeted by litigation and government investigations stemming from major privacy and cybersecurity incidents. According to Chambers USA, clients select Doug because “[h]e is the premier expert in this field and knows how to run a breach response process from A to Z”; is “extremely experienced [and] can give immediate advice off the top of his head”; “has been in court through trials and negotiations, all aspects of the litigation, and is highly effective in all of them”; and “is good to work with, personable and very authoritative.” Based on client assessments like these, Chambers USA has named Doug as the first and only “Band 1” litigator in the Privacy and Data Security category, describing him as the “market leader,” being “regarded by market sources as the leading privacy litigator in the USA.”

As the lead outside lawyer handling claims stemming from the data security breaches suffered by Target, Neiman Marcus, The Home Depot, Hilton Worldwide, Landry’s, Arby’s, Supervalu, Sally Beauty, Sony, Heartland Payment Systems, TJ Maxx, Hannaford Brothers, Aldo, Genesco, and Wyndham Hotels—some of the most highly publicized data security breaches in recent years—Doug has become the national leader in defending companies that suffer significant cybersecurity breaches involving consumer information against the ensuing claims and regulatory investigations. Doug’s recent successes include leading the team that prevailed in the closely-watched LabMD v. FTC, convincing the U.S. Court of Appeals for the Eleventh Circuit to become the first court ever to overturn a cybersecurity enforcement action by the Federal Trade Commission.

Posts by: Doug Meal

Sedona Conference Proposes Legal Test for “Reasonable Security”

Doug Meal and David CohenPosted on October 12, 2020

The legal risks associated with cybersecurity continue to increase, as regulators and plaintiffs’ lawyers become more and more aggressive in bringing cybersecurity claims under existing laws and as legislatures continue to enact new ones. A key element of many of the cybersecurity claims brought under these laws is a requirement to show that the company in question failed to implement “reasonable” security for personal information. California’s new Consumer Privacy Act (“CCPA”), for instance, allows consumers to sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA’s pre-suit period. Cal. Civ. Code § 1798.150. Even though consumers often suffer no injury in a data beach, the CCPA provides for statutory damages of $100–$750 per consumer per incident. READ MORE →

Seventh Circuit Bolsters Article III Standing for Actions Under the Illinois Biometric Information Privacy Act

Doug Meal, Michelle Visser, David Cohen, Nicole Gelsomini and Lauren KesslerPosted on May 14, 2020

On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.

Seventh Circuit Rejects FTC Authority to Obtain Equitable Money Relief Under Section 13(b) of the FTC Act

Doug Meal, Seth Harrington, Jonathan Direnfeld, David Cohen and Rochelle SwartzPosted on October 3, 2019

On August 21, 2019, the U.S. Court of Appeals for the Seventh Circuit held in FTC v. Credit Bureau Center, LLC, 2019 WL 3940917 (7th Cir. 2019) that the Federal Trade Commission (“FTC”) lacks authority to obtain monetary relief under Section 13(b) of the FTC Act. The FTC has relied on Section 13(b) to seek money relief in consumer protection enforcement actions, including privacy and cybersecurity matters, and had, prior to the Credit Bureau decision, suggested an intent to do so more frequently in the future. READ MORE →

2019 IAPP Global Privacy Summit: Lessons from GDPR, Plans for CCPA and the Future of U.S. Privacy Law

Heather Egan Sussman, Aravind Swaminathan, Doug Meal, Nicholas Farnsworth and Kyle KesslerPosted on May 17, 2019

At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States including whether federal legislature is likely or desired – especially in light of the CCPA and similar proposed legislation in states throughout the nation. READ MORE →