Melanie Phillips

Cybersecurity Associate

Los Angeles


Read full biography at www.orrick.com

Businesses of all kinds are facing complex legal issues relating to data collection, management, and security.  As a cyber attorney in the firm’s nationally and internationally recognized Cyber, Privacy & Innovation team, Melanie Phillips works with clients to create practical solutions to their cyber and privacy concerns.

Melanie advises clients in various critical areas, including incident response planning, incident response, consumer breach litigation and regulatory enforcement actions. She has worked on cybersecurity incident and data breach investigations for a range of clients, including enterprise-wide network intrusions. Melanie also assists clients with digital crime investigations. With more than a decade of litigation experience, including in key areas of trade secret, employment, and consumer protection matters, she has a holistic understanding of the key drivers of privacy and security in organizations big and small.

Melanie has dedicated countless hours to pro bono work over her career, focused on issues relating to domestic violence. She was awarded the Honorable Benjamin Aranda III Outstanding Public Service Award in 2014 in recognition of her work with the Los Angeles County Bar Association Domestic Violence Clinic. She also earned the Pro Bono Award at Orrick for her outstanding commitment to pro bono work in 2007 relating a complicated VAWA petition on behalf of an Iraqi interpreter working for the United States military.

Posts by: Melanie D. Phillips

Nevada Passes Opt-Out Law, Effective October 2019 – Three Months Before the CCPA

Following in California’s footsteps, Nevada has passed a new privacy law providing consumers the right to opt out of the sale of their personal information. Senate Bill 220 (SB-220), signed into law by Governor Steve Sisolak on May 29, 2019, amends Nevada’s existing online privacy statute, NRS 603A.340, to include a requirement that online operators provide consumers with a means to opt out of the sale of specific personal information collected by websites or online services. The act goes into effect on October 1, 2019 – three months ahead of the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) – which may force companies to fast track implementation efforts for opt-out requests in particular. READ MORE

FTC Staff Issues Comments Discussing Key Security and Privacy Issues Surrounding Connected and Automated Vehicles

Given the explosive growth in the connectivity of every day “things,” several government agencies are focused on how best to support innovation and the benefits of an increasingly connected, data driven society, while weighing options for mitigating the cybersecurity and privacy risks relating to the Internet of Things.[1]  The pace of development with respect to connected cars and autonomous vehicles has drawn particular attention.   READ MORE

Standing Only Gets You So Far. Scottrade Offers Tactics to Win the Data Breach Class Action War

A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants.  As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure.  READ MORE

Will I Get Sued After a Data Breach? D.C. Circuit Broadens Scope of Data That Gives Rise to Identity Theft in CareFirst

In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals.  The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh).  In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.

The D.C. Circuit’s holding is an important development.  First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers).  Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE