David Kitchen

Partner
Norton Rose Fulbright US LLP

Denver
United States
T:+1 303 801 2719

Biography

David Kitchen is a highly experienced partner in Norton Rose Fulbright's data protection, privacy and cybersecurity group. He has advised hundreds of clients through data security incidents involving domestic and international laws and regulations, including many complex incidents involving multi-national corporations as well as vendor and service provider incidents impacting wide spectra of customers. He has also assisted many clients to develop incident response plans and prepare for data security incidents. His clients span the financial, healthcare, government, education, professional services, retail and hospitality, manufacturing, and other industries.

Drawing on his experience as a litigator, David also defends clients in connection with regulatory investigations brought by state, federal, and international agencies such as the FTC, New York Department of Financial Services, US state attorneys general and departments of insurance, as well as assisting with defence of class action lawsuits. He provides companies that have experienced security incidents with practical solutions that minimize regulatory and litigation risk. David has earned the CIPP/US certification through the International Association of Privacy Professionals (IAPP).

David's experience includes data breach incident assessments, including managing the forensic investigation, conducting notification analyses, advising on communications with media and impacted entities, coordinating outreach and responses to law enforcement, and overseeing the notification process to individuals and regulators. Such notifications have ranged from a single individual to over one million.

David also advises clients with respect to data security laws and regulations to create and enhance existing incident response plans and procedures, including state statutes, PCI-DSS, FERPA, HIPAA, FINRA, the Gramm-Leach-Bliley Act, Insurance Commission Regulations, ABA Guidelines and others. He works with incident response teams, executives, and boards to conduct in-house security training, oversee risk assessments and penetration testing, and continuously measure the organization's privacy and security posture for companies in a wide variety of industries. David also advises clients with respect to contract negotiation with service providers such as forensic, document review, notification and crisis communication firms.

David is licensed to practice in Ohio, and his practice in Colorado is temporarily authorized pending his admission in Colorado pursuant to C.R.C.P. 205.6.


Professional experience

JD, University of Chicago Law School, 2004
BS, Manufacturing Engineering and Technology, Brigham Young University, 2001

  • Colorado State Bar
  • Ohio State Bar


Privacy and Data Protection

  • Represented multiple large universities with multi-national operations in connection with numerous ransomware attacks, including engagement and oversight of the forensic investigation and ransom negotiations, guidance for containment and remediation of the impacted environments, developing and implementing a broad communications plan for faculty, students, and the community, advising on notification obligations, and coordinating assistance with law enforcement agencies.
  • Represented hundreds of universities, school districts, charitable organizations, and other non-profits in addressing a ransomware incident experienced by a commonly-shared vendor, including coordinating information gathering from the vendor, overseeing analysis and compliance with notification obligations, and responding to a myriad of inquiries from state and federal regulators.
  • Represented multi-national manufacturers in connection with compromises of numerous email accounts and ERP systems that involved individuals worldwide, including coordinating the forensic investigation, overseeing data protection agreements, advising on notification obligations in the US, EU, and internationally, developing and implementing a broad communications plan, and resolving regulatory inquiries from GDPR regulators.
  • Represented numerous defence contractors in responding to nation state actors, ransomware attacks, email compromises, and other incidents, including overseeing reporting and coordination with law enforcement, breach analysis and notification compliance, and communications to impacted customers and media.
  • Represented a consortium of local school districts in connection with ransomware attacks on several of the schools, including coordinating the forensic investigation and ransom negotiations, developing and implementing a broad communications plan for faculty, students, and the community, advising on notification obligations, and coordinating assistance with law enforcement agencies.
  • Represented a large online portfolio-hosting provider in connection with a credential theft incident, including coordinating the forensic investigation, analyzing notification obligations, and overseeing notifications to impacted individuals and regulators.
  • Represented local and state governments in connection with ransomware attacks, including coordinating the forensic investigation and ransom negotiations, developing and implementing a broad communications plan for emergency services and the community, advising on notification obligations, and coordinating assistance with law enforcement agencies.
  • Represented a national insurance company in connection with multiple email incidents, including coordinating the forensic investigation, advising on notification obligations, and resolving inquiries from state departments of insurance.
  • Represented a regional law firm in connection with an email incident, including coordinating the forensic investigation, advising on notification obligations under state law and contractual obligations, developing and implementing a broad communications plan to clients and impacted individuals, and resolving regulatory inquiries.
  • Represented a state-owned university in connection with a stolen device incident, including coordinating the forensic investigation, advising on notification obligations, coordinating with numerous law enforcement agencies, developing and implementing a broad communications plan, providing notifications to students and other individuals, and resolving regulatory inquiries.
  • Represented a managed IT service provider in connection with ransomware attacks on many of the MSP's customers, including coordinating the forensic investigation and ransom negotiations, developing and implementing a broad communications plan for the impacted customers, coordinating assistance with law enforcement agencies, and resolving regulatory inquiries.
  • Advised a major theme park operator in developing incident response plans, negotiating agreements with incident response vendors, conducting tabletop exercises, and responding to data security incidents.


Litigation/Regulatory

  • Represented multi-state insurance providers in investigations brought by numerous state insurance commissions and the New York Department of Financial Services.
  • Represented corporate clients in privacy and consumer protection litigation and government investigations.
  • Represented healthcare providers and business associates in connection with an investigation by the Office of Civil Rights for HIPAA violations.
  • Represented Irving H. Picard, the court-appointed SIPA Trustee, in liquidation proceedings of BLMIS, including a central role in the Trustee's action to recover more than $500 million in fraudulent transfers from a group of feeder fund defendants.
  • Represented a child care product group of a Fortune 50 company as complainant before the ITC against a manufacturer of infringing products in a patent infringement action. Shortly before trial, obtained favorable settlement of all claims.
  • Defended a Fortune 50 manufacturer against claims of trade secret theft and RICO violations. All key claims were dismissed on summary judgment.
  • Obtained judgment following a jury trial in favor of a client, the plaintiff, in a patent infringement action relating to a materials shipment method patent. The two-week trial resulted in judgment for the client of infringement, patent validity and willful misconduct by the defendant companies. Successfully defended the judgment twice on appeal.
  • "How to Avoid the Ransomware Onslaught", National Defense Magazine, August 17, 2020
  • "Increased Ransomware Attacks are Affecting All Industries," The Computer & Internet Lawyer, March 2020
  • International Association of Privacy Professionals (IAPP)
  • American Bar Association
  • Ohio State Bar Association
  • Boy Scouts of America