Kari M. Rollins

Overview

Kari M. Rollins is a partner in the Intellectual Property Practice Group and an Office Managing Partner of the New York office.

Areas of Practice

Kari focuses on data privacy and data security, and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, retail and fashion, food services, hospitality, manufacturing, and technology industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums.

Kari serves as a trusted advisor to her clients, bringing a focused, strategic approach to complex litigation and data security matters alike. Her clients praise her ability to efficiently and effectively manage complex matters with multiple moving pieces, and to concisely and persuasively communicate the core issues of her clients’ cases to judges, regulators, and opposing counsel. These traits have enabled Kari to successfully argue critical motions, procure dismissals, and achieve successful resolutions for her clients in the context of complex commercial litigation, as well as effectively managing high-intensity incident response matters and regulatory inquiries arising from data privacy and security issues.

As it relates to her data security practice, Kari offers her clients the continuity of effective assistance during all three critical stages of the data security lifecycle: (1) cybersecurity preparedness (the before); (2) data breach investigation and response (the during); and (3) data breach litigation and regulatory enforcement (the after). As part of cybersecurity preparedness, Kari assists clients in crafting their existing security and compliance practices in the context of the ever-changing data security regulations so they are as well positioned as possible in the event of the inevitable data incident or inquiry. When a data incident occurs, Kari draws on her significant litigation and internal investigation experience to manage and direct all aspects of incident response for her clients—from directing forensic investigators, to liaising with insurance counsel, to determining whether the facts of the incident give rise to a duty to notify, to overseeing notification to consumers and regulatory bodies, and to assisting with communications to Boards and responding to media inquiries. Finally, post-breach, in the event litigation or regulatory inquiries ensue, Kari draws on her significant litigation experience to offer clients strategic assistance in defending against complex data privacy litigation and/or regulatory inquiries from state and/or federal regulators.

Recognizing her effective assistance in the area of data security, Kari was named to Cybersecurity Docket’s 2019, 2020, and 2021 Incident Response 30, which recognizes 30 of the best and brightest data breach response lawyers in the business who are key players in the most significant data breach responses worldwide. Crain’s New York Business named Kari as one of their Notable Women in Law in 2020, and Legal 500 recognized Kari as a Leading Lawyer in Cybersecurity in 2020 and 2021. Global Data Review also named Kari to its first annual “40 under 40” list in 2018, praising her as one of the top 40 practitioners in data privacy globally under the age of 40. Kari is also a partner in the Privacy and Cybersecurity team of Sheppard Mullin, which was recognized as a “2018 Practice Group of the Year” by Law360.

Kari is invited annually to give numerous speeches and seminars on data privacy and data breaches by organizations across the country, and regularly writes articles and blog posts on emerging trends and topics in data privacy. Notably, Kari wrote a chapter on cybersecurity standards and data breach response in Volume III of The US Privacy Equity Fund Compliance Guide published by Privacy Equity International, and currently sits on the Drafting Committee of the Sedona Conference WG11 on Data Security and Privacy Liability, which is responsible for drafting and publishing the Sedona Conference WG11 Incident Response Guide, a practitioners guide to navigating the law and issues relating to preparing for, managing, and responding to data breaches. Prior to her move to New York, Kari brought her experience to the classroom as an adjunct law professor at DePaul University’s College of Law in Chicago, teaching a course on data breach law.

Experience

Representative Cases By Industry:

Retail, Technology, and Consumer Products

Assisted a large manufacturer of consumer electronics products in responding to a government inquiry and successfully staving off an enforcement action relating to a data breach experienced by one of the company’s product lines.
Assisted several large fashion brands in conducting a data privacy internal investigation relating to a web-based retail platform and effectively responding to press, bank, board, and consumer inquiries relating to the incident.
Assisted a large consumer products brand in conducting a data privacy internal investigation into a security incident involving usernames and passwords.
Assisted a leader in global information services and publishing company in conducting two internal investigations.
Assisted a large international online retailer in conducting an investigation into a data incident, managing notification of the data incident to impacted consumers, liaising with law enforcement, responding to regulatory inquiries, and successfully avoiding state enforcement actions.
Assisted several retail and consumer products companies in investigating a recent plague of W2 phishing scams, managing the notification process to impacted employees, liaising with the FBI and IRS in efforts to catch the perpetrators, and responding to regulatory and individual inquiries.

Industrial Products and Manufacturing

Defended a large dairy cooperative (an alleged 65% market share participant) in the defense of a large, multi-district federal direct purchaser antitrust class action in the Eastern District of Tennessee, In re Southeastern Milk Antitrust Litigation, No. 08-MD-100, managing all aspects of this complex litigation up to trial and the successful settlement of matter.
Obtained a dismissal for a large dairy cooperative in an indirect purchaser antitrust class action filed in the Eastern District of Tennessee, Food Lion LLC, et al. v. Dean Foods Company, et al., No. 2:07-cv-188, arguing the summary judgment motion that successfully resulted in the dismissal of the client from the case while other defendants marched to trial or settlement.
Assisted a large industrial products brand in conducting an internal investigation into a data breach involving usernames and passwords and successfully effectuating notice to consumers and state attorneys general.
Assisted a large industrial products brand in swiftly investigating a breach involving theft of protected health information and efficiently effectuating notice to consumers and the relevant federal agency.
Assisted one of the world’s leading performance coatings companies in a confidential internal investigation.
Assisted a global autoparts manufacturer in investigating and responding to a data incident involving the theft of company and employee data.

Hospitality and Food Services

Assisted national fast-food company in defending multi-district federal consumer class action litigation stemming from disclosure of a data breach.
On behalf of an international hotel chain, and in cooperation with law enforcement, we led a team of cyber-forensic investigators in a multi-country internal investigation into a malware attack involving the possible unauthorized acquisition of guest information. Acting as its data breach coach, we aided the client in swiftly identifying, containing, and remediating the malicious activity, and provided counsel regarding the client’s obligations under the applicable myriad state breach notice laws and international regulations. As a result of our work, the client was able to efficiently notify impacted consumers and relevant regulators without incident and successfully manage the simultaneous demands of a data breach.
Assisted a global food company in swiftly and efficiently conducting two confidential internal investigations relating to its web-based platform and retail processing systems.
Assisted a national fast food company in investigating a data incident involving its point-of-sale systems and online platform.

Accounting and Auditing

Defended a large international accounting firm in a federal securities and shareholder derivative litigation arising from the collapse of HealthSouth Corporation, including the successful defense of the client in an arbitration pursued by HealthSouth itself against its former auditor on a variety of legal theories. After several months on trial, a three-judge arbitral panel granted judgment in the auditor’s favor.
Defended a large international auditing firm in securities fraud and professional liability litigation involving the New York-based financial services company Refco, Inc.

Financial Services

Represented a global financial services firm in the successful defense of an action that alleged it violated the Commodity Exchange Act by allegedly manipulating the 30-Year Treasury market. In a precedent-setting decision, the court ultimately denied class certification.
Represented a global financial services firm in the multi-district Credit Default Swaps Antitrust litigation pending in the Southern District of New York.
Represented a global financial services firm in the multi-district civil litigation surrounding the leveraged-buyout of the Tribune Company.
Represented the leading derivatives marketplace in connection with the bankruptcy and liquidation of MF Global, Inc.
Represented a national mortgage company in a federal putative class action alleging discrimination in lender’s reverse mortgage pricing policy in violation of the Civil Rights Act, the Fair Housing Act, and the Equal Credit Opportunity Act, managing all aspects of the complex, class action litigation and negotiating the successful settlement of the action on behalf of the client prior to certification.
Obtained a dismissal of all claims alleged against a national mortgage company in federal putative class action alleging fraud and wrongful foreclosure in connection with reverse mortgage lending practices.
Represented a large hedge fund in an SEC investigation and administrative hearing relating to certain derivatives transactions executed by the fund’s investment sub-advisor.
Assisted a large multi-national financial institution in swiftly investigating a breach involving the theft of protected personal information, and successfully guided the client in swiftly effectuating notice to its potentially impacted customers and relevant federal and state regulators.
Successfully represented several large insurance companies in responding to non-public inquiries from state governmental agencies.
Assisted a private equity firm in investigating a data incident involving phishing scam and deployment of malware.

Honors

Litigation Trailblazer, National Law Journal, 2023

Incident Response 50, Cybersecurity Docket, 2023

Incident Response 40, Cybersecurity Docket, 2021-2022

Incident Response 30, Cybersecurity Docket, 2019-2020

Notable Women in Law, Crain's New York Business, 2020

Leading Lawyers, Cyber Law, Legal 500, 2020-2021, 2023

Next Generation Lawyers, Legal 500, 2019

Recommended Lawyer - Cyber Law, Legal 500, 2019-2020, 2022

40 under 40, Global Data Review, 2018

Privacy and Cybersecurity Practice Group of the Year, Law360, 2018

Insights

Articles

Eye on Privacy: 2023 Year in Review
01.26.2024
Eye on Privacy 2021 Year in Review
01.11.2022
You Might Be an Inside Trader if . . .
Insights, 10.2018

Privacy Law Blog Posts

"SEC Gives Finality on Cybersecurity Disclosures for Public Companies," September 28, 2023
"NY AI Laws Going Live Next Month," June 14, 2023
"HHS Releases Cybersecurity Guide," March 29, 2023

"72 hours: The NCUA’s New Cyber Incident Reporting Requirement," March 16, 2023

"Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities," February 1, 2023

"Illinois Appellate Court Weighs in on Biometric Data Policies," December 14, 2022

"Lessons From New York AG Scrutiny of Breach Investigation and Response," November 14, 2022

"FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations," November 3, 2022

"New York City Set To Regulate Employment Decisions Made By AI," September 28, 2022
"Wegmans Settles With NYAG for $400,000 Over Data Incident," July 14, 2022
"UK ICO and NCSC Issue Caution About Making Ransomware Payments," July 11, 2022
"Maryland Amends Data Security and Breach Notice Obligations," June 22, 2022
"FTC Weighs In On Data Breach Notification," June 16, 2022
"NYAG Issues Credential Stuffing Guidance," January 26,2022
"Implications of SEC’s Scrutiny of Data Use Representations," November 16, 2021
"SEC Fine Highlights Importance of Cybersecurity Disclosures," August 25, 2021
"FTC Signals Focus on Healthcare and Technology Platforms, Among Others," August 12, 2021
"NYDFS Issues Ransomware Guidance," July 12, 2021
"New York City Biometric Ordinance Effective July 9, Are You Ready?," June 17, 2021
"The Impact of the Narrowed Scope of CFAA Liability in the Privacy and Security Realm," June 14, 2021
"Update on the State of Privacy Law in China," May 13, 2021
"Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts," March 16, 2021
"Managing the World of Cybersecurity in a New Era," February 24, 2021
"Successful Dismissal of PayPal Class Action Over Breach Disclosures Serves as Risks Reminder," February 4, 2021
"What the First Enforcement Action under NYDFS Cybersecurity Reg Means to Companies," September 23, 2020
"Vermont Updates Data Breach Notification Law," June 24, 2020
"Seventh Circuit Issues Landmark BIPA Decision," May 20, 2020
"SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations," May 18, 2020
"Privacy and Data Protection Enactment and Enforcement Timelines During COVID-19," April 24, 2020

"Maryland Adds Insurance Commissioner to Breach Notification Requirements," September 23, 2019
"New York SHIELD Act Expands Breach Notice Requirements Starting in October," August 27, 2019
"Preparing for New York’s New Data Security Requirements," August 26, 2019
"Bombas Settles with NYAG Over Credit Card Data Breach," July 11, 2019
"SEC Issues Alert On Outsourcing and Data Security," June 11, 2019
"New Jersey Breach Notice Law Expands To Cover Online Account Breaches," May 16, 2019
"SEC To Focus on Cybersecurity in 2019," March 27, 2019
"Happy First Day of Spring! Ohio Insurance Law Effective Today," March 20, 2019
"Year In Review: Eye on Privacy 2018," January 28, 2019
"Upcoming Canadian Breach Notification Requirements Still in Flux," September 27, 2018
"New York Federal Court Dismisses Nationwide Class Action Arising Out of Alleged Spying by E-Commerce Retailers," September 10, 2018
"BIPA Claims Against United Airlines Must be Arbitrated Due to Collective Bargaining Agreement," September 5, 2018
"You Might Be an Inside Trader If: Insider Trading and Data Breaches Part II," June 21, 2018
"You Might Be an Inside Trader If…: Insider Trading and Breaches Part I," June 20, 2018
"NY Issues Data Breach Report," April 12, 2018
"Oregon Updates Its Data Breach Notification Law," March 29, 2018
"Privacy, Data Security, and Your Board: Day Five," March 2, 2018
"Privacy, Data Security, and Your Board: Day Four," March 1, 2018
"Privacy, Data Security, and Your Board: Day Three," February 28, 2018
"Privacy, Data Security, and Your Board: Day Two," February 27, 2018
"Privacy, Data Security, and Your Board: Day One," February 26, 2018

Government Contracts & Investigations Law Blog

"You Might Be an Inside Trader If…You Trade on Your Unconfirmed Suspicions of a Cybersecurity Event Prior to Its Public Revelation or Disclosure," June 26, 2018

Media Mentions

SEC disclosure rules leave IT pros asking: What’s ‘material’?
IT Brew, 01.10.2024
8 New York Managing Partners On Their Priorities For 2023
Law360, 01.03.2023
HR data is sought after on the dark web. How can employers protect worker info?
HR Dive, 11.08.2022
Ransomware Rise Means Greater Regulatory, Legal Risk for Victims
Bloomberg Law, 05.12.2021
What to do when a bug bounty request sounds more like extortion
SC Media, 04.15.2021
Sheppard Mullin Appoints Privacy Litigator
Commercial Dispute Resolution, 10.11.2017
Winston & Strawn Cybersecurity Atty Joins Sheppard Mullin
Law360, 10.05.2017

Speaking Engagements

"Incident Response Guide," The Sedona Conference, April 30, 2018
"Cybersecurity and Data Privacy Hot Topics for 2018," Association of Corporate Counsel’s New York Chapter – Fashion Retail Group, March 26, 2018