Aaron Charfoos serves as Global Chair of the Data Privacy and Cybersecurity Group and Chair of the Chicago Litigation Department. He is an accomplished cybersecurity, privacy, class action and data protection trial lawyer. He has also guided his clients through numerous data breaches, including breaches involving tens of millions of impacted individuals. He litigated his first privacy case in 2010, building on a decade of experience in patent and technology cases. Since then, he has litigated a variety of data breach, privacy and trade secret theft cases. Aaron also defended clients in regulatory investigations brought by various U.S. and international regulatory bodies.
Aaron is particularly skilled in guiding clients through cybersecurity vulnerability disclosures, including the Meltdown and Spectre computer chip vulnerabilities, supply chain interdictions, and various other matters, some of which have involved both congressional and regulatory investigations.
Building on this knowledge of post-breach risks, Aaron helps companies in numerous industries—including healthcare, financial services, technology, and consumer products—to develop global privacy and data security programs. This includes compliance with the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Illinois' Biometric Information Privacy Act (BIPA), the Video Privacy Protection Act (VPPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other worldwide privacy regimes.
Aaron is also a certified information privacy professional for the U.S. Sector (CIPP/US) and has served as co-chair of the Chicago KnowledgeNet Chapter.
- The Legal 500 USA, Cyber Law Including Data Privacy and Data Protection (2022)
- Quoted in Law360, “Biden’s Cybersecurity Order Likely To Reach Beyond Gov’t” (May 14, 2021)
- Recognized multiple times in The Best Lawyers in America for privacy and data security law and in Illinois Super Lawyers for IP litigation.
- Northwestern University Law School, J.D. (cum laude), 2002
- Northwestern University, B.A. (with honors), 1997
Privacy and Data Security
- Assisted a major entertainment company in developing a VPPA compliance program.
- Representing a cloud software company in response to a cybersecurity attack.
- Representing multiple companies in response to the Log4j vulnerability, including coordinating the response, responding to regulatory inquiries, and working with third parties.
- Counseling a medical device manufacturer on a coordinated vulnerability disclosure from a third-party researcher on one of the projects.
- Counseling multiple companies on increased cyber risk resulting from the Ukraine and Russia conflict.
- Defending L’Oreal USA, Inc. against multiple putative class actions alleging that L’Oreal’s virtual makeup try-on service violates Illinois’ Biometric Information Privacy Act. Obtained voluntary dismissal in two separate actions.
- Represented BioFire Diagnostics, LLC in a $100 million trade secret and breach of contract action brought by U.S. Medical Networks LLC relating to medical diagnostic technologies.
- Leading a global manufacturing company’s response to the disclosure of potential vulnerabilities in its products.
- Leading an internal investigation into a multinational information technology company’s supply chain and computer network security, and representing the company in a related SEC investigation.
- Assisting a global pharmaceutical company in implementing a global data governance structure, including clinical data, sales and marketing data, and employee information.
- Representing an access solutions and products company in an EU GDPR data breach, following a failure of servers at a data center impacting EU residents, as well as notifying the relevant Supervisory Authority.
- Represented an e-commerce and digital marketing company in response to unauthorized disclosure of personal data in a public marketing campaign, including reporting and coordination with Supervisory Authority in the EU.
- Represented a diversified financial services group in a data breach litigation brought against a check processing and payday loan company for negligently allowing the client’s check information to be compromised, resulting in millions of dollars of fraudulent checks being written.
- Counseled one of the world’s largest e-commerce and payments processing companies in all aspects of its GDPR compliance and cross-border data transfer systems.
- Advised a major international manufacturing conglomerate on its privacy and data security systems, with a particular emphasis on meeting GDPR requirements.
- Advised an OEM auto parts company in response to a data breach relating to the theft of W-2 information for employees across seven states.
- Guided several of the world’s largest automakers on the development of their privacy and data security programs for their U.S. autonomous vehicle fleets and various aftermarket parts.
- Advised one of the largest construction equipment rental companies on the development of its privacy and data security programs for its Canadian and European affiliates and protecting data transfers from that region.
- Advised a U.S. college on a school-wide review of its privacy and data security programs, particularly with respect to information received from international applicants.
- Represented a major financial institution in its development of its privacy and data protection program, including compliance with European Union privacy and data transfer laws and data breach response plans.
- Worked with a large, multinational automobile parts supplier on the development of its privacy policies and data breach response plan.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. The customer alleged that certain personally identifiable information was visible on public terminals even after users logged off. After a six-week bench trial, the court found that no data breach had occurred, among other findings for the client.
- Represented a financial services firm against two large competitors in a trade secret, misappropriation, trademark infringement, and breach of copyright lawsuit related to Exchange Traded Funds.
- Advised a national automotive parts supplier on its Privacy Shield certification and compliance.
- Advised an international metal manufacturer on compliance with GDPR, including reviewing and revising external facing privacy notices.
- Advising one of the world’s largest hedge funds on worldwide privacy and cybersecurity matters, including international privacy compliance programs and transfer mechanisms.
- Represented one of the world’s largest hedge funds in a series of data breaches involving personal health information, personally identifiable information and company confidential information.
- Represented Spectrum Pharmaceuticals, Inc. in an internal investigation into a ransomware attack against the company.
- Led an energy technology company’s response to a cybersecurity incident, including communications with third parties and regulators, through the successful completion of the merger.
- Advised LORD Corporation in its $3.675 billion acquisition by Parker Hannifin Corporation.
- Representing Norwest Equity Partners in connection with the acquisition and related financing of 4M Capital, Ltd. d/b/a Arteriors Home, a leading designer and supplier of artisanal lighting, furnishings, and home décor accessories.
- Advised LendingTree, Inc. in its $105 million acquisition of Value Holding Inc., the parent company of ValuePenguin.com, a personal finance website that conducts in-depth research and analysis on a variety of topics from insurance to credit cards.
- Advised PolyOne Corporation, a premier global provider of specialized polymer materials, services, and solutions, in its $120 million acquisition of Fiber-Line, a global leader in customized engineered fibers and composite materials.
- Served as lead trial counsel in a patent litigation filed against a Chinese competitor in the medical device field. After commencement of discovery and claim construction, secured a major victory for client when the competitor agreed to withdraw all accused products from the market.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. After successfully compelling the customer to produce tens of thousands of documents improperly held under various claims of privilege, scored a significant victory prior to trial, winning summary judgment against the customer on all of its fraud claims. After a six-week bench trial, the Marion County Superior Court awarded client more than $52 million on its claims against the former customer for payment for services rendered. The court simultaneously dismissed the customer’s claims for breach of contract, including its claim for more than $1.3 billion in damages. Also, successfully defended against a data privacy breach claim brought by the customer.
- Defended a corporation in a lawsuit relating to mobile device management. Prior to trial, plaintiff dropped one of its patents from the litigation, and the court invalidated more than half of the claims in the remaining patent. The case was tried to a verdict in 2012. After the verdict, the judge granted defendant’s JMOL motion, finding that defendant did not infringe the plaintiff’s patent. Awarded one of the top 25 defense verdicts in California in 2012.
- Represented plaintiffs in a multi-patent lawsuit relating to peritoneal dialysis. Defendant conceded infringement on a number of patents prior to trial. The case was tried to verdict in 2010.
- Defended two corporations in a patent infringement litigation. After the U.S. District Court for the District of Delaware ruled in client’s favor on claim construction, the plaintiffs stipulated judgment in client’s favor. The U.S. Court of Appeals for the Federal Circuit affirmed the district court’s claim construction and upheld the judgment of no infringement.
- Represented Chicago’s largest no-kill animal organization in the prosecution of a trademark in the U.S. Patent and Trademark Office. In addition, performed a comprehensive IP asset evaluation for client to determine other areas of potential protection.
- Representing a software-as-a-service provider in a data breach involving exfiltration of data.
- Representing one of the largest software-as-a-service providers in multiple U.S. and international regulatory investigations arising from data breaches.
- Representing software-as-a-service providers in multiple class action litigations relating to data breach.
- Obtained a voluntary dismissal in a case against our client, an identification verification provider, in a class action brought under the Illinois Biometric Information Privacy Act.
Engagement & Publications
- Presenter, IANS Executive Communications Q3 Recap, “Ransomware’s Evolution and the Business/Legal Implications” (October 27, 2020)
- Speaker, IANS 2020 Boston Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (October 21, 2020)
- Speaker, IANS 2020 New York Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (September 24, 2020)
- Speaker, IANS 2020 Chicago/Columbus Virtual CISO Roundtable, “The Changing Landscape in Cybersecurity, Privacy, and Risk Management” (September 15, 2020)
- Speaker, Ankura 2020 Privacy Webinar Series, “Return to Work Privacy Alert” (June 30, 2020)
- Adjunct professor at the Mitchell Hamline School of Law, lecturing on international data privacy, global data breach response, and data governance.
- Presented on U.S. and European privacy considerations for an internationally focused webinar on “Managing COVID-19 through Technology: Locational Tracking and Privacy,” May 2020
- Quoted, “Hacker Diplomacy: Minimizing Business Risks Stemming From Vulnerability Disclosures,” Above the Law, August 2020
- Podcast, “Legal Ramifications of Vulnerability Disclosure,” The Cyber5 by Nisos, August 2020