Overview
Aaron Charfoos serves as Chair of the Chicago Litigation Department and Co-Chair of the Data Privacy and Cybersecurity group. He is an accomplished cybersecurity, privacy, class action and data protection trial lawyer. Mr. Charfoos has litigated a variety of privacy and cybersecurity cases including data breach class actions, Video Privacy Protection Act (VPPA), Illinois Biometric Information Privacy Act (BIPA), California Invasion of Privacy Act (CIPA) and other pixel and third-party tracking technology cases. Mr. Charfoos also defends clients in regulatory investigations brought by various U.S. and international regulatory bodies.
He has also guided his clients through numerous data breaches, including breaches involving tens of millions of impacted individuals. Mr. Charfoos is particularly skilled in guiding clients through cybersecurity vulnerability disclosures, including the Meltdown and Spectre computer chip vulnerabilities, supply chain interdictions, and various other matters, some of which have involved both congressional and regulatory investigations.
Building on this knowledge of post-breach risks, Mr. Charfoos helps companies in numerous industries—including healthcare, financial services, technology, and consumer products—to develop global privacy and data security programs. This includes compliance with the SEC’s new rules for public company reporting related to cybersecurity, EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Illinois’ Biometric Information Privacy Act (BIPA), the Video Privacy Protection Act (VPPA), and other worldwide privacy regimes.
Recognitions
- The Legal 500 USA, Cyber Law Including Data Privacy and Data Protection (2022)
- Quoted in Law360, “Biden’s Cybersecurity Order Likely To Reach Beyond Gov’t” (May 14, 2021)
- Recognized multiple times in The Best Lawyers in America for privacy and data security law and in Illinois Super Lawyers for IP litigation.
Education
- Northwestern University Law School, J.D. (cum laude), 2002
- Northwestern University, B.A. (with honors), 1997
Representations
Privacy and Data Security
- Representing a major sports league NFT marketplace in a putative class action alleging violations of the Video Privacy Protection Act.
- Representing a large national retailer against claims of violation of California’s Invasion of Privacy Act related to social media pixel technology.
- Representing a large cosmetics company in a putative class action alleging violations of the Illinois Biometric Information Privacy Act.
- Representing GoTo and LastPass in multiple putative class actions related to the 2023 data breach of both companies.
- Advising numerous public companies on compliance with the new SEC Public Company cybersecurity rules.
- Assisted a major entertainment company in developing a VPPA compliance program.
- Representing a cloud software company in response to a cybersecurity attack.
- Representing multiple companies in response to the Log4j vulnerability including coordinating the response, responding to regulatory inquiries and working with third parties.
- Counseling a medical device manufacturer on a coordinated vulnerability disclosure from a third-party researcher on one of the projects.
- Counseling multiple companies on increased cyber risk resulting from the Ukraine and Russia conflict.
- Defending L’Oreal USA, Inc. against multiple putative class actions alleging that L’Oreal’s virtual makeup try on service violates Illinois’ Biometric Information Privacy Act. Obtained voluntary dismissal in two separate actions.
- Represented BioFire Diagnostics, LLC in a $100 million trade secret and breach of contract action brought by U.S. Medical Networks LLC relating to medical diagnostic technologies.
- Leading a global manufacturing company’s response to the disclosure of potential vulnerabilities in its products.
- Leading an internal investigation into a multinational information technology company’s supply chain and computer network security, and representing the company in a related SEC investigation.
- Assisting a global pharmaceutical company in implementing a global data governance structure, including clinical data, sales and marketing data, and employee information.
- Representing an access solutions and products company in an EU GDPR data breach, following a failure of servers at a data center impacting EU residents, as well as notifying the relevant Supervisory Authority.
- Represented an e-commerce and digital marketing company in response to unauthorized disclosure of personal data in a public marketing campaign, including reporting and coordination with Supervisory Authority in the EU.
- Represented a diversified financial services group in a data breach litigation brought against a check processing and payday loan company for negligently allowing client’s check information to be compromised, resulting in millions of dollars of fraudulent checks being written.
- Counseled one of the world’s largest e-commerce and payments processing companies in all aspects of its GDPR compliance and cross-border data transfer systems.
- Advised a major international manufacturing conglomerate on its privacy and data security systems, with a particular emphasis on meeting GDPR requirements.
- Advised an OEM auto parts company in response to a data breach relating to the theft of W-2 information for employees across seven states.
- Guided several of the world’s largest automakers on the development of their privacy and data security programs for their U.S. autonomous vehicle fleets and various aftermarket parts.
- Advised one of the largest construction equipment rental companies on the development of its privacy and data security programs for its Canadian and European affiliates and protecting data transfers from that region.
- Advised a U.S. college on a school-wide review of its privacy and data security programs, particularly with respect to information received from international applicants.
- Represented a major financial institution in its development of its privacy and data protection program, including compliance with European Union privacy and data transfer laws and data breach response plans.
- Worked with a large, multinational automobile parts supplier on the development of its privacy policies and data breach response plan.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. The customer alleged that certain personally identifiable information was visible on public terminals even after users logged off. After a six-week bench trial, the court found that no data breach had occurred, among other findings for the client.
- Represented a financial services firm against two large competitors in a trade secret, misappropriation, trademark infringement, and breach of copyright lawsuit related to Exchange Traded Funds.
- Advised a national automotive parts supplier on its Privacy Shield certification and compliance.
- Advised an international metal manufacturer on compliance with GDPR, including reviewing and revising external facing privacy notices.
- Advising one of the world’s largest hedge funds on worldwide privacy and cybersecurity matters, including international privacy compliance programs and transfer mechanisms.
- Represented one of the world’s largest hedge funds in a series of data breaches involving personal health information, personally identifiable information and company confidential information.
- Represented Spectrum Pharmaceuticals, Inc. in an internal investigation into a ransomware attack against the company.
- Led an energy technology company’s response to a cybersecurity incident, including communications with third parties and regulators, through the successful completion of the merger.
Intellectual Property
- Advised LORD Corporation in its $3.675 billion acquisition by Parker Hannifin Corporation.
- Representing Norwest Equity Partners in connection with the acquisition and related financing of 4M Capital, Ltd. d/b/a Arteriors Home, a leading designer and supplier of artisanal lighting, furnishings, and home décor accessories.
- Advised LendingTree, Inc. in its $105 million acquisition of Value Holding Inc., the parent company of ValuePenguin.com, a personal finance website that conducts in-depth research and analysis on a variety of topics from insurance to credit cards.
- Advised PolyOne Corporation, a premier global provider of specialized polymer materials, services, and solutions, in its $120 million acquisition of Fiber-Line, a global leader in customized engineered fibers and composite materials.
- Served as lead trial counsel in a patent litigation filed against a Chinese competitor in the medical device field. After commencement of discovery and claim construction, secured a major victory for client when the competitor agreed to withdraw all accused products from the market.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. After successfully compelling the customer to produce tens of thousands of documents improperly held under various claims of privilege, scored a significant victory prior to trial, winning summary judgment against the customer on all of its fraud claims. After a six-week bench trial, the Marion County Superior Court awarded client more than $52 million on its claims against the former customer for payment for services rendered. The court simultaneously dismissed the customer’s claims for breach of contract, including its claim for more than $1.3 billion in damages. Also, successfully defended against a data privacy breach claim brought by the customer.
- Defended a corporation in a lawsuit relating to mobile device management. Prior to trial, plaintiff dropped one of its patents from the litigation, and the court invalidated more than half of the claims in the remaining patent. The case was tried to a verdict in 2012. After the verdict, the judge granted defendant’s JMOL motion, finding that defendant did not infringe the plaintiff’s patent. Awarded one of the top 25 defense verdicts in California in 2012.
- Represented plaintiffs in a multi-patent lawsuit relating to peritoneal dialysis. Defendant conceded infringement on a number of patents prior to trial. The case was tried to verdict in 2010.
- Defended two corporations in a patent infringement litigation. After the U.S. District Court for the District of Delaware ruled in client’s favor on claim construction, the plaintiffs stipulated judgment in client’s favor. The U.S. Court of Appeals for the Federal Circuit affirmed the district court’s claim construction and upheld the judgment of no infringement.
- Represented Chicago’s largest no-kill animal organization in the prosecution of a trademark in the U.S. Patent and Trademark Office. In addition, performed a comprehensive IP asset evaluation for client to determine other areas of potential protection.
- Representing a software-as-a-service provider in a data breach involving exfiltration of data.
- Representing one of the largest software-as-a-service providers in multiple U.S. and international regulatory investigations arising from data breaches.
- Representing software-as-a-service providers in multiple class action litigations relating to data breaches.
- Obtained a voluntary dismissal in a case against our client, an identification verification provider, in a class action brought under the Illinois Biometric Information Privacy Act.
Engagement & Publications
- Presenter, IANS Executive Communications Q3 Recap, “Ransomware’s Evolution and the Business/Legal Implications” (October 27, 2020)
- Speaker, IANS 2020 Boston Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (October 21, 2020)
- Speaker, IANS 2020 New York Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (September 24, 2020)
- Speaker, IANS 2020 Chicago/Columbus Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (September 15, 2020)
- Speaker, Ankura 2020 Privacy Webinar Series, “Return to Work Privacy Alert” (June 30, 2020)
- Adjunct professor at the Mitchell Hamline School of Law, lecturing on international data privacy, global data breach response, and data governance.
- Presented on U.S. and European privacy considerations for an internationally focused webinar on “Managing COVID-19 through Technology: Locational Tracking and Privacy,” May 2020
- Quoted, “Hacker Diplomacy: Minimizing Business Risks Stemming From Vulnerability Disclosures,” Above the Law, August 2020
- Podcast, “Legal Ramifications of Vulnerability Disclosure,” The Cyber5 by Nisos, August 2020