Partner, Litigation Department
Chicago
Phone: 1(312) 499-6016
Aaron Charfoos serves as Global Chair of the Data Privacy and Cybersecurity Group and Chair of the Chicago Litigation Department. He is an accomplished cybersecurity, privacy, class action and data protection trial lawyer. He litigated his first privacy case in 2010, building on a decade of experience in patent and technology cases. Since then, he has litigated a variety of data breach and trade secret theft cases. He has also guided clients through numerous data breaches and defended clients in regulatory investigations brought by various U.S. and international regulatory bodies.
Aaron is particularly skilled in guiding clients through cybersecurity vulnerability disclosures, including the Meltdown and Spectre computer chip vulnerabilities, supply chain interdictions, and various other matters, some of which have involved both congressional and regulatory investigations.
Building on this knowledge of post-breach risks, Aaron helps companies in numerous industries—including healthcare, financial services, technology, and consumer products—to develop global privacy and data security programs. This includes compliance with the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other worldwide privacy regimes.
Aaron is also a certified information privacy professional for the U.S. Sector (CIPP/US) and has served as co-chair of the Chicago KnowledgeNet Chapter.
- The Legal 500 USA, Cyber Law Including Data Privacy and Data Protection (2022)
- Quoted in Law360, "Biden’s Cybersecurity Order Likely To Reach Beyond Gov’t" (May 14, 2021)
- Recognized multiple times in The Best Lawyers in America for privacy and data security law and in Illinois Super Lawyers for IP litigation.
- Northwestern University Law School, J.D. (cum laude), 2002
- Northwestern University, B.A. (with honors), 1997
Privacy and Data Security
- Representing cloud software company in response to a cybersecurity attack.
- Representing multiple companies in response to the Log4j vulnerability including coordinating the response, responding to regulatory inquiries and working with third parties.
- Counseling a medical device manufacturer on a coordinated vulnerability disclosure from a third party researcher on one of the projects.
- Counseling multiple companies on increased cyber risk resulting from the Ukraine and Russia conflict.
- Defending L’Oreal USA, Inc. against multiple putative class actions alleging that L’Oreal’s virtual makeup try on service violates Illinois’ Biometric Information Privacy Act. Obtained voluntary dismissal in two separate actions.
- Represented BioFire Diagnostics, LLC in a $100 million trade secret and breach of contract action brought by U.S. Medical Networks LLC relating to medical diagnostic technologies.
- Leading a global manufacturing company’s response to the disclosure of potential vulnerabilities in its products.
- Leading an internal investigation into a multinational information technology company’s supply chain and computer network security, and representing the company in a related SEC investigation.
- Assisting a global pharmaceutical company in implementing a global data governance structure, including clinical data, sales and marketing data, and employee information.
- Representing an access solutions and products company in an EU GDPR data breach, following a failure of servers at a data center impacting EU residents, as well as notifying the relevant Supervisory Authority.
- Represented an e-commerce and digital marketing company in response to unauthorized disclosure of personal data in a public marketing campaign, including reporting and coordination with Supervisory Authority in the EU.
- Represented a diversified financial services group in a data breach litigation brought against a check processing and payday loan company for negligently allowing client’s check information to be compromised, resulting in millions of dollars of fraudulent checks being written.
- Counseled one of the world’s largest e-commerce and payments processing companies in all aspects of its GDPR compliance and cross-border data transfer systems.
- Advised a major international manufacturing conglomerate on its privacy and data security systems, with a particular emphasis on meeting GDPR requirements.
- Advised an OEM auto parts company in response to a data breach relating to the theft of W-2 information for employees across seven states.
- Guided several of the world’s largest automakers on the development of their privacy and data security programs for their U.S. autonomous vehicle fleets and various aftermarket parts.
- Advised one of the largest construction equipment rental companies on the development of its privacy and data security programs for its Canadian and European affiliates and protecting data transfers from that region.
- Advised a U.S. college on a school-wide review of its privacy and data security programs, particularly with respect to information received from international applicants.
- Represented a major financial institution in its development of its privacy and data protection program, including compliance with European Union privacy and data transfer laws and data breach response plans.
- Worked with a large, multinational automobile parts supplier on the development of its privacy policies and data breach response plan.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. The customer alleged that certain personally identifiable information was visible on public terminals even after users logged off. After a six-week bench trial, the court found that no data breach had occurred, among other findings for the client.
- Represented a financial services firm against two large competitors in a trade secret, misappropriation, trademark infringement, and breach of copyright lawsuit related to Exchange Traded Funds.
- Advised a national automotive parts supplier on its Privacy Shield certification and compliance.
- Advised an international metal manufacturer on compliance with GDPR, including reviewing and revising external facing privacy notices.
- Advising one of the world’s largest hedge funds on worldwide privacy and cybersecurity matters, including international privacy compliance programs and transfer mechanisms.
- Represented one of the world’s largest hedge funds in a series of data breaches involving personal health information, personally identifiable information and company confidential information.
- Represented Spectrum Pharmaceuticals, Inc. in an internal investigation into a ransomware attack against the company.
- Led an energy technology company’s response to a cybersecurity incident, including communications with third parties and regulators, through the successful completion of the merger.
- Advised LORD Corporation in its $3.675 billion acquisition by Parker Hannifin Corporation.
- Representing Norwest Equity Partners in connection with the acquisition and related financing of 4M Capital, Ltd. d/b/a Arteriors Home, a leading designer and supplier of artisanal lighting, furnishings, and home décor accessories.
- Advised LendingTree, Inc. in its $105 million acquisition of Value Holding Inc., the parent company of ValuePenguin.com, a personal finance website that conducts in-depth research and analysis on a variety of topics from insurance to credit cards.
- Advised PolyOne Corporation, a premier global provider of specialized polymer materials, services, and solutions, in its $120 million acquisition of Fiber-Line, a global leader in customized engineered fibers and composite materials.
- Served as lead trial counsel in a patent litigation filed against a Chinese competitor in the medical device field. After commencement of discovery and claim construction, secured a major victory for client when the competitor agreed to withdraw all accused products from the market.
- Represented a Fortune 20 company on a modernization outsourcing contract that was terminated by its former customer. After successfully compelling the customer to produce tens of thousands of documents improperly held under various claims of privilege, scored a significant victory prior to trial, winning summary judgment against the customer on all of its fraud claims. After a six-week bench trial, the Marion County Superior Court awarded client more than $52 million on its claims against the former customer for payment for services rendered. The court simultaneously dismissed the customer’s claims for breach of contract, including its claim for more than $1.3 billion in damages. Also, successfully defended against a data privacy breach claim brought by the customer.
- Defended a corporation in a lawsuit relating to mobile device management. Prior to trial, plaintiff dropped one of its patents from the litigation, and the court invalidated more than half of the claims in the remaining patent. The case was tried to a verdict in 2012. After the verdict, the judge granted defendant’s JMOL motion, finding that defendant did not infringe the plaintiff’s patent. Awarded one of the top 25 defense verdicts in California in 2012.
- Represented plaintiffs in a multi-patent lawsuit relating to peritoneal dialysis. Defendant conceded infringement on a number of patents prior to trial. The case was tried to verdict in 2010.
- Defended two corporations in a patent infringement litigation. After the U.S. District Court for the District of Delaware ruled in client’s favor on claim construction, the plaintiffs stipulated judgment in client’s favor. The U.S. Court of Appeals for the Federal Circuit affirmed the district court’s claim construction and upheld the judgment of no infringement.
- Represented Chicago’s largest no-kill animal organization in the prosecution of a trademark in the U.S. Patent and Trademark Office. In addition, performed a comprehensive IP asset evaluation for client to determine other areas of potential protection.
- Representing a Software as Service provider in a data breach involving exfiltration of data.
- Representing one of the largest software as service providers in multiple U.S. and international regulatory investigations arising from data breaches.
- Representing software as service providers in multiple class action litigations relating to data breach.
- Obtained a voluntary dismissal in a case against our client, an identification verification provider, in a class action brought under the Illinois Biometric Information Privacy Act.
- Moove Acquires PetroChoice from Golden Gate Capital - May 23rd, 2022
- Sensata Technologies to Acquire Dynapower - May 9th, 2022
- Paul Hastings Celebrated as Most Impressive Investigations Practice at Global Investigations Review’s Annual Awards - November 10th, 2021
- Paul Hastings Named to World’s Top 10 Best Investigations Practices by Global Investigations Review - October 23rd, 2020
- Romeo Power Technology to list on NYSE through merger with RMG Acquisition Corp. - October 6th, 2020
- Paul Hastings Accelerates Lateral Growth with Addition of Leading Entertainment and Media Litigation Partner - June 22nd, 2020
- Paul Hastings Continues Lateral Growth Hot Streak, Adding Restructuring Partner James Grogan in Houston - April 16th, 2020
- Paul Hastings Welcomes Experienced Privacy and Cybersecurity Partner, Extending Lateral Hiring Spree - April 2nd, 2020
- Paul Hastings Data Privacy & Cybersecurity Practice Highly Regarded by Chambers USA 2022 - June 1st, 2022
- Paul Hastings Named 'White Collar Group of the Year' by Law360 - January 27th, 2022
- Paul Hastings Championed as Most Impressive Investigations Practice by Global Investigations Review - November 10th, 2021
- 2021 Legal 500 United States Guide Ranks More Than Fifteen Paul Hastings’ Intellectual Property Practice Lawyers - June 17th, 2021
- New BIPA Ruling Could Bring Additional Liability - February 22nd, 2023
- Another Step Forward to Implementing the European Union – U.S. Data Privacy Framework - October 18th, 2022
- The New York Department of Financial Services Cybersecurity Rules — What Companies Need to Know - October 11th, 2022
- SEC Proposed Cybersecurity Rules – What They Are and What Our Clients Should be Doing Now - October 10th, 2022
- New Comprehensive US State Privacy Laws Are Coming – Is Your Company Ready? - October 5th, 2022
- Data Privacy and Cybersecurity New Laws and Regulations Report - October 3rd, 2022
- One Step Forward: The EU and US agree to a Data Transfer Framework, but Many Questions Remain - March 28th, 2022
- California Is Considering Its Own Version of Illinois’ BIPA - March 8th, 2022
- SEC Proposes New Rules Aimed at Mitigating Cyber Risk - February 14th, 2022
- As Talks of Cyberattacks Related to the Ukraine Conflict Intensify, Companies Should Take Steps to Prepare - February 11th, 2022
- Cyber War: How the Insurance Industry is Trying to Limit Cyber Coverage for Data Breaches - February 9th, 2022
- Illinois Supreme Court Rejects Potentially Key BIPA Preemption Argument - February 8th, 2022
- The Integration of Business and Human Rights into International Regulatory Compliance: Reporting and Remediation - August 27th, 2021
- Another New Biometric Privacy Law as New York City Law Becomes Effective - July 6th, 2021
- Supreme Court Limits Article III Standing: Implications for Data Privacy Litigation - July 2nd, 2021
- SEC Reportedly Opens Investigation and Offers Possible Amnesty for SolarWinds Victims - June 23rd, 2021
- U.S. Supreme Court Narrows the Scope of Liability under the Computer Fraud and Abuse Act - June 10th, 2021
- Watching the Backdoor: Planning for and Responding to a Cybersecurity Incident at Medical Device Companies – An FDA Perspective - November 24th, 2020
- U.S. Government Publishes White Paper Following Schrems II Decision - October 5th, 2020
Engagement & Publications
- Presenter, IANS Executive Communications Q3 Recap, "Ransomware’s Evolution and the Business/Legal Implications" (October 27, 2020)
- Speaker, IANS 2020 Boston Virtual CISO Roundtable, "The Changing Landscape in Cybersecurity, Privacy, and Risk Management" (October 21, 2020)
- Speaker, IANS 2020 New York Virtual CISO Roundtable, "The Changing Landscape in Cybersecurity, Privacy, and Risk Management" (September 24, 2020)
- Speaker, IANS 2020 Chicago/Columbus Virtual CISO Roundtable, "The Changing Landscape in Cybersecurity, Privacy, and Risk Management" (September 15, 2020)
- Speaker, Ankura 2020 Privacy Webinar Series, "Return to Work Privacy Alert" (June 30, 2020)
- Adjunct professor at the Mitchell Hamline School of Law, lecturing on international data privacy, global data breach response, and data governance.
- Presented on U.S. and European privacy considerations for an internationally focused webinar on "Managing COVID-19 through Technology: Locational Tracking and Privacy," May 2020
- Quoted, "Hacker Diplomacy: Minimizing Business Risks Stemming From Vulnerability Disclosures," Above the Law, August 2020
- Podcast, "Legal Ramifications of Vulnerability Disclosure," The Cyber5 by Nisos, August 2020