Overview
Aaron Charfoos serves as Chair of the Chicago Litigation Department and Co-Chair of the Data Privacy and Cybersecurity group. He is an accomplished cybersecurity, privacy, class action and data protection trial lawyer. Mr. Charfoos has litigated a variety of privacy and cybersecurity cases including data breach class actions, Video Privacy Protection Act (VPPA), Illinois Biometric Information Privacy Act (BIPA), California Invasion of Privacy Act (CIPA) and other pixel and third-party tracking technology cases. Mr. Charfoos also defends clients in regulatory investigations brought by various U.S. and international regulatory bodies.
He has also guided his clients through numerous data breaches, including breaches involving tens of millions of impacted individuals. Mr. Charfoos is particularly skilled in guiding clients through cybersecurity vulnerability disclosures, including the Meltdown and Spectre computer chip vulnerabilities, supply chain interdictions, and various other matters, some of which have involved both congressional and regulatory investigations.
Building on this knowledge of post-breach risks, Mr. Charfoos helps companies in numerous industries—including healthcare, financial services, technology, and consumer products—to develop global privacy and data security programs. This includes compliance with the SEC’s new rules for public company reporting related to cybersecurity, EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Illinois’ Biometric Information Privacy Act (BIPA), the Video Privacy Protection Act (VPPA), and other worldwide privacy regimes.
Recognitions
- The Legal 500 USA, Cyber Law Including Data Privacy and Data Protection (2022)
- Quoted in Law360, “Biden’s Cybersecurity Order Likely To Reach Beyond Gov’t” (May 14, 2021)
- Recognized multiple times in The Best Lawyers in America for privacy and data security law and in Illinois Super Lawyers for IP litigation.
Education
- Northwestern University Law School, J.D. (cum laude), 2002
- Northwestern University, B.A. (with honors), 1997
Representations
Privacy and Data Security
- Representing a major sports league NFT marketplace in a putative class action alleging violations of the Video Privacy Protection Act.
- Representing a large national retailer against claims of violation of California’s Invasion of Privacy Act related to social media pixel technology.
- Representing a large cosmetics company in a putative class action alleging violations of the Illinois Biometric Information Privacy Act.
- Representing GoTo and LastPass in multiple putative class actions related to the 2023 data breach of both companies.
- Advising numerous public companies on compliance with the new SEC Public Company cybersecurity rules.
- Assisted a major entertainment company in developing a VPPA compliance program.
- Representing a cloud software company in response to a cybersecurity attack.
- Representing multiple companies in response to the Log4j vulnerability including coordinating the response, responding to regulatory inquiries and working with third parties.
- Counseling a medical device manufacturer on a coordinated vulnerability disclosure from a third party researcher on one of the projects.
- Counseling multiple companies on increased cyber risk resulting from the Ukraine and Russia conflict.
- Defending L’Oreal USA, Inc. against multiple putative class actions alleging that L’Oreal’s virtual makeup try on service violates Illinois’ Biometric Information Privacy Act. Obtained voluntary dismissal in two separate actions.
- Represented BioFire Diagnostics, LLC in a $100 million trade secret and breach of contract action brought by U.S. Medical Networks LLC relating to medical diagnostic technologies.
- Leading a global manufacturing company’s response to the disclosure of potential vulnerabilities in its products.
- Leading an internal investigation into a multinational information technology company’s supply chain and computer network security, and representing the company in a related SEC investigation.
- Assisting a global pharmaceutical company in implementing a global data governance structure, including clinical data, sales and marketing data, and employee information.
- Representing an access solutions and products company in an EU GDPR data breach, following a failure of servers at a data center impacting EU residents, as well as notifying the relevant Supervisory Authority.
- Represented an e-commerce and digital marketing company in response to unauthorized disclosure of personal data in a public marketing campaign, including reporting and coordination with Supervisory Authority in the EU.
- Represented a diversified financial services group in a data breach litigation brought against a check processing and payday loan company for negligently allowing client’s check information to be compromised, resulting in millions of dollars of fraudulent checks being written.
- Counseled one of the world’s largest e-commerce and payments processing companies in all aspects of its GDPR compliance and cross-border data transfer systems.
- Advised a major international manufacturing conglomerate on its privacy and data security systems, with a particular emphasis on meeting GDPR requirements.
- Advised an OEM auto parts company in response to a data breach relating to the theft of W-2 information for employees across seven states.
- Guided several of the world’s largest automakers on the development of their privacy and data security programs for their U.S. autonomous vehicle fleets and various aftermarket parts.
- Advised one of the largest construction equipment rental companies on the development of its privacy and data security programs for its Canadian and European affiliates and protecting data transfers from that region.
- Advised a U.S. college on a school-wide review of its privacy and data security programs, particularly with respect to information received from international applicants.
- Represented a major financial institution in its development of its privacy and data protection program, including compliance with European Union privacy and data transfer laws and data breach response plans.
- Worked with a large, multinational automobile parts supplier on the development of its privacy policies and data breach response plan.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. The customer alleged that certain personally identifiable information was visible on public terminals even after users logged off. After a six-week bench trial, the court found that no data breach had occurred, among other findings for the client.
- Represented a financial services firm against two large competitors in a trade secret, misappropriation, trademark infringement, and breach of copyright lawsuit related to Exchange Traded Funds.
- Advised a national automotive parts supplier on its Privacy Shield certification and compliance.
- Advised an international metal manufacturer on compliance with GDPR, including reviewing and revising external facing privacy notices.
- Advising one of the world’s largest hedge funds on worldwide privacy and cybersecurity matters, including international privacy compliance programs and transfer mechanisms.
- Represented one of the world’s largest hedge funds in a series of data breaches involving personal health information, personally identifiable information and company confidential information.
- Represented Spectrum Pharmaceuticals, Inc. in an internal investigation into a ransomware attack against the company.
- Led an energy technology company’s response to a cybersecurity incident, including communications with third parties and regulators, through the successful completion of the merger.
Intellectual Property
- Advised LORD Corporation in its $3.675 billion acquisition by Parker Hannifin Corporation.
- Representing Norwest Equity Partners in connection with the acquisition and related financing of 4M Capital, Ltd. d/b/a Arteriors Home, a leading designer and supplier of artisanal lighting, furnishings, and home décor accessories.
- Advised LendingTree, Inc. in its $105 million acquisition of Value Holding Inc., the parent company of ValuePenguin.com, a personal finance website that conducts in-depth research and analysis on a variety of topics from insurance to credit cards.
- Advised PolyOne Corporation, a premier global provider of specialized polymer materials, services, and solutions, in its $120 million acquisition of Fiber-Line, a global leader in customized engineered fibers and composite materials.
- Served as lead trial counsel in a patent litigation filed against a Chinese competitor in the medical device field. After commencement of discovery and claim construction, secured a major victory for client when the competitor agreed to withdraw all accused products from the market.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. After successfully compelling the customer to produce tens of thousands of documents improperly held under various claims of privilege, scored a significant victory prior to trial, winning summary judgment against the customer on all of its fraud claims. After a six-week bench trial, the Marion County Superior Court awarded client more than $52 million on its claims against the former customer for payment for services rendered. The court simultaneously dismissed the customer’s claims for breach of contract, including its claim for more than $1.3 billion in damages. Also, successfully defended against a data privacy breach claim brought by the customer.
- Defended a corporation in a lawsuit relating to mobile device management. Prior to trial, plaintiff dropped one of its patents from the litigation, and the court invalidated more than half of the claims in the remaining patent. The case was tried to a verdict in 2012. After the verdict, the judge granted defendant’s JMOL motion, finding that defendant did not infringe the plaintiff’s patent. Awarded one of the top 25 defense verdicts in California in 2012.
- Represented plaintiffs in a multi-patent lawsuit relating to peritoneal dialysis. Defendant conceded infringement on a number of patents prior to trial. The case was tried to verdict in 2010.
- Defended two corporations in a patent infringement litigation. After the U.S. District Court for the District of Delaware ruled in client’s favor on claim construction, the plaintiffs stipulated judgment in client’s favor. The U.S. Court of Appeals for the Federal Circuit affirmed the district court’s claim construction and upheld the judgment of no infringement.
- Represented Chicago’s largest no-kill animal organization in the prosecution of a trademark in the U.S. Patent and Trademark Office. In addition, performed a comprehensive IP asset evaluation for client to determine other areas of potential protection.
- Representing a software as a service provider in a data breach involving exfiltration of data.
- Representing one of the largest software as a service providers in multiple U.S. and international regulatory investigations arising from data breaches.
- Representing software as a service providers in multiple class action litigations relating to data breach.
- Obtained a voluntary dismissal in a case against our client, an identification verification provider, in a class action brought under the Illinois Biometric Information Privacy Act.
News
- Paul Hastings Advised HIG Capital Management in Its Acquisition of Northwest Pump & Equipment Co. - November 26th, 2024
- Paul Hastings Advised May River Capital in its Acquisition of Cashco - November 14th, 2024
- Paul Hastings Advised The Riverside Company in Sale of PFB Holdco, Inc. Plasti-Fab Segment to Carlisle Companies Incorporated - October 21st, 2024
- Paul Hastings Advises Oakley Capital on Sale of Ocean Technologies Group to Lloyd’s Register - September 3rd, 2024
- Paul Hastings Advised Carlyle Portfolio Co. NSM Insurance Group on InsurEvo Acquisition - August 19th, 2024
- Paul Hastings Advised Industrial Growth Partners in its Acquisition of Alpha Metalcraft Group - August 8th, 2024
- Paul Hastings Advised H.I.G. Growth Partners in Acquisition of Mobile Health Consumer - June 18th, 2024
- Paul Hastings Advised H.I.G. Growth Partners in Sale of CarltonOne - June 6th, 2024
- Paul Hastings Advised H.I.G. Capital in its Acquisition of Segers - April 11th, 2024
- Paul Hastings Advised The Riverside Company in its Investment in U.S. Cabinet Depot - March 13th, 2024
- Paul Hastings Advised H.I.G. Capital in Acquisition of Penhall Company - December 22nd, 2023
- Paul Hastings Advised Abry Partners in Chambers and Partners Acquisition - November 14th, 2023
- Paul Hastings Advised Lenders in Connection with Legends’ Acquisition of ASM Global - November 7th, 2023
- Paul Hastings Advises Madison Industries in $226 Million Purchase of CAE Healthcare - October 25th, 2023
- Moove Acquires PetroChoice from Golden Gate Capital - May 23rd, 2022
- Sensata Technologies to Acquire Dynapower - May 9th, 2022
- Paul Hastings Celebrated as Most Impressive Investigations Practice at Global Investigations Review’s Annual Awards - November 10th, 2021
- Paul Hastings Named to World’s Top 10 Best Investigations Practices by Global Investigations Review - October 23rd, 2020
- Romeo Power Technology to list on NYSE through merger with RMG Acquisition Corp. - October 6th, 2020
- Paul Hastings Accelerates Lateral Growth with Addition of Leading Entertainment and Media Litigation Partner - June 22nd, 2020
Recognitions
- Paul Hastings Data Privacy & Cybersecurity Practice Highly Regarded by Chambers USA 2022 - June 1st, 2022
- Paul Hastings Named 'White Collar Group of the Year' by Law360 - January 27th, 2022
- Paul Hastings Championed as Most Impressive Investigations Practice by Global Investigations Review - November 10th, 2021
- 2021 Legal 500 United States Guide Ranks More Than Fifteen Paul Hastings’ Intellectual Property Practice Lawyers - June 17th, 2021
Insights
- SEC Cybersecurity Incident Disclosure Report - December 18th, 2024
- Paul Hastings Hosts Perspectives From Cybersecurity Regulators Panel at Privacy+Security Forum - November 8th, 2024
- NYDFS Issues AI Industry Letter - November 1st, 2024
- U.S. Department of Defense Set to Implement Its Cybersecurity Maturity Model Certification Program With Publication of New Rule - October 24th, 2024
- Reminder: More New York Department of Financial Services (NYDFS) Requirements Go Into Effect Next Month - October 10th, 2024
- DOJ to Evaluate AI Compliance Programs - October 10th, 2024
- Colorado Attorney General Proposes Amendments to the Colorado Privacy Act Focused on Biometric Data and Children’s Privacy - September 24th, 2024
- California Privacy Protection Agency (CPPA) to Businesses: Avoid Dark Patterns - September 16th, 2024
- Getting to Know Michelle Reed - August 14th, 2024
- SEC Adopts Amendments to Regulation S-P - June 5th, 2024
- Intellectual Property Considerations for AI Companies: A Guide for Investors and Startups - May 29th, 2024
- Illinois Legislature Passes Major BIPA Amendment - May 17th, 2024
- Key Takeaways From the Spring 2024 Privacy+Security Forum: Misinformation and Youth Online Safety - May 14th, 2024
- CISA Proposes Sweeping Cybersecurity Incident Reporting for U.S. Companies - April 1st, 2024
- Revised FTC Safeguards Rule Brings Breach Reporting Obligations to Non-Banking Financial Institutions in May 2024 - March 12th, 2024
- NYDFS Releases Major Update to Part 500 Cybersecurity Requirements for Financial Services Companies - November 2nd, 2023
- White House Passes Sweeping AI Executive Order - November 1st, 2023
- Preparing for New State Privacy Laws in 2024 - October 30th, 2023
- Proposed FAR Cybersecurity Requirements Will Add New Obligations for Contractors - October 25th, 2023
Engagement & Publications
- Presenter, IANS Executive Communications Q3 Recap, “Ransomware’s Evolution and the Business/Legal Implications” (October 27, 2020)
- Speaker, IANS 2020 Boston Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (October 21, 2020)
- Speaker, IANS 2020 New York Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (September 24, 2020)
- Speaker, IANS 2020 Chicago/Columbus Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (September 15, 2020)
- Speaker, Ankura 2020 Privacy Webinar Series, “Return to Work Privacy Alert” (June 30, 2020)
- Adjunct professor at the Mitchell Hamline School of Law, lecturing on international data privacy, global data breach response, and data governance.
- Presented on U.S. and European privacy considerations for an internationally focused webinar on “Managing COVID-19 through Technology: Locational Tracking and Privacy,” May 2020
- Quoted, “Hacker Diplomacy: Minimizing Business Risks Stemming From Vulnerability Disclosures,” Above the Law, August 2020
- Podcast, “Legal Ramifications of Vulnerability Disclosure,” The Cyber5 by Nisos, August 2020