Brenda Sharton, partner and co-chair of Dechert’s top ranked, global privacy & cybersecurity practice, is a top privacy and cybersecurity and commercial litigator. She is one of only 16 lawyers in the country ranked as a "Leading Lawyer" by The Legal 500 for Cyber Law and Data Protection/Breach Response. A first chair trial lawyer, Ms. Sharton counsels and represents public and private corporations and their boards in complex commercial litigation, arbitrations and civil government/regulatory and enforcement matters.
Ms. Sharton is a nationally recognized expert, pioneer and thought leader in the area of privacy and cybersecurity law. She has handled over 750 data breach investigations and cyber-attacks of every type and size for companies in every industry ranging from start-ups to global multi-billion dollar public companies. Ms. Sharton has handled some of the highest-profile data breaches brought by nation states, organized crime, insiders and other threat actors, including the negotiation of ransom/ransomware, business email interruption/Office 365 attacks, corporate and nation state espionage, DDoS, insider threats and theft of computer/electronic data of all types. She has defended companies in hundreds of privacy-related government investigations and enforcement actions brought by global and U.S. regulators, including state attorneys’ general, the FTC, HHS/OCR for HIPAA breaches, the SEC Cybersecurity Division, European regulators among others, as well as defended public and private companies in class action litigation arising from those data breaches.
Ms. Sharton’s experience is second-to-none in handling cyber attacks, including those brought by nation states, organized crime, and threat actors of all types. Since the late 1990s, she has handled hundreds of data breaches, including numerous high profile, front page news breaches. Since COVID-19 has forced a remote work environment, Ms. Sharton has counseled numerous companies on enhanced cyber and physical security related to the exponential increase in cyber attacks related thereto, including companies engaged in COVID-19 research. She counsels companies pre-breach cybersecurity counseling as well as handles all aspects of data breach investigations (crisis management, working with law enforcement and forensic firms, crisis and PR firms, as well as board, auditor and investor communications, advice on global notification obligations, and analysis of cyber insurance). She has litigated high profile landmark cases in this space, including one of the first bank online hacking cases to have been litigated to an appeals court. She provides counseling on cyber and physical security programs, in particular for high target companies.
Ms. Sharton has 30 years of experience in all manner of complex commercial litigation, internal investigations, arbitrations and civil government regulatory matters, involving contract claims, trade secret, post-closing disputes, non-compete, false advertising, business torts, fiduciary duties, banking and trust claims, fraud, minority shareholder and partnership disputes, among others. She is experienced with virtually every type of civil claim brought against financial services institutions, banks and asset managers and has a deep expertise in the financial services industry (including fintech and digital currency), as well as in the technology, life sciences, healthcare and artificial intelligence industries. Ms. Sharton has successfully tried cases to conclusion in federal and state courts throughout the country, and has represented clients in the full range of ADR procedures. In addition to trial work, she has defended government enforcement actions brought by an alphabet soup of federal and state regulators, including the SEC, FDIC, FTC, FINRA, DOL, FDA, HUD, OCC, HHS/OCR and the CFPB, among others.
Ms. Sharton has been recommended for commercial litigation, financial services litigation, and privacy and cybersecurity/breach response work by The Legal 500 United States consecutively for nearly a decade. She is named to Cybersecurity Docket’s Incident Response 40 list, the best data breach response lawyers in the business. She has been listed in U.S. News-Best Lawyers in the practice areas of Commercial Litigation, Litigation - Banking and Finance and, Mass Tort Litigation/Class Action - Defendants. A recognized thought leader, Ms. Sharton frequently writes on cybersecurity, having published and/or been quoted in publications such as the Harvard Business Review, Wall Street Journal, Thomson Reuters, Bloomberg, Law360, Risk Management and Practical Law, among others. She has also lectured at the Federal Reserve Bank, numerous state Bank Associations, the MIT Sloan School of Management and the Harvard Law School executive leadership program.
Prior to joining Dechert, Ms. Sharton was a senior partner, global practice group leader and member of the executive committee at another leading international law firm.
- "Brenda Sharton is an amazing senior lawyer who combines deep experience and knowledge with a calm and collected approach." - The Legal 500 US 2021
- "Brenda Sharton is a brilliant lawyer and a great client advocate. She is the lawyer you want in your corner. As a seasoned litigator and an experienced data security lawyer, she manages crises with confidence, finesse and strategy. Brenda will get into the weeds with the technical team and in the same breath turn to the legal team to interpret the significance and how it aligns with the bigger picture. Few lawyers have her depth, acumen and empathy but none have the same level of sincerity." - The Legal 500 US 2021
- "Brenda Sharton is one of the most experienced privacy lawyers in the market today, with deep experience and the ability to translate complexity in a way that is actionable and understandable. She cuts through the noise and focuses everyone on what is critical." - The Legal 500 US 2021
Representative Data Breach Investigations
- A global public Silicon Valley customer management software company in connection with data security breach where millions of customer credentials had been exposed.
- A health management company in data breach regarding disclosure of patient health and medical information and in OCR/HHS investigation.
- A developer of a push-to-talk app in a data breach that with compromised data of its 140 million users
- A global technology/social media company in connection with counseling on compliance with a FTC order and privacy program.
- A Chinese bitcoin mining company in connection with a global data breach in which US$500 million of bitcoin was stolen.
- A public biotech company in connection with nation state attack and cybersecurity management around sensitive drug development matters.
- A subscription-based business information database company on data breach affecting over 100 million database records from around the globe.
- A Silicon Valley-based healthcare company in a breach affecting millions of patient records and defense of OCR/HHS enforcement action in a case that had the highest ransom the FBI had seen to date.
- A public technology company specializing in 3D printing in a sophisticated global ransomware attack.
- European and Asian law enforcement in negotiating and coordinating multi-million dollar ransom.
- A public software company in connection with cyberattack by a nation state.
- A public education software company regarding a cyberattack by a nation state that affected student data and state AG, FTC and SEC Cybersecurity Division actions.
- A European health care app with over 100 million users in a data breach and defense of FTC action regarding its privacy practices.
- A global public bioscience company based in Hong Kong regarding a cyberattack that defrauded the company of millions of dollars.
- A cloud services and identity management company on a data breach in which an unauthorized user gained access to the company’s U.S. database, potentially accessing passwords and credentials for thousands of the company’s corporate customers. This matter remains one of the most significant recent data breaches in the tech and cloud services community. Also defended the company in an FTC enforcement action.
- A healthcare payment platform in connection with a highly sophisticated attack on its system that resulted in the theft of over US$10 million in customer funds.
- A global financial services provider on a Microsoft Office 365 email intrusion that lead to the exposure of thousands of health insurance records, including information protected under HIPAA; as well as the defense of HHS/OCR and day-to-day counseling on privacy/cybersecurity issues.
- A global biotech company on a breach involving the release of employee W-2 forms via a phishing scam. Also represented the company in a putative class action arising from the breach and defended the New York Attorney General’s action.
- The One Fund Boston, a charity created to provide financial assistance to survivors and families of those killed in the Boston Marathon bombings, in creating a complete privacy program and policies for employees, volunteers and collaborating parties of the charity, which was created to on a pro bono basis.
Representative Data Breach Litigation
- A health management company in two purported class action lawsuits regarding disclosure of patient information following a 2020 data breach.
- Macy’s Inc. in federal court against purported class action claims arising out of 2019 data breach.
- Taconic Biosciences, Inc in a putative class action in NY state court arising theft of employee information following phishing scam.
- People’s United Bank in a summary judgment victory in a landmark case, which involved an alleged breach of the bank’s online security system through keylogging malware. One of the first cases of its kind to be decided by an appellate court and named a “national case to watch” by the American Banker, the dispute was resolved after the First Circuit reversed in part and remanded the district court’s decision.
- Wellpoint Inc./Anthem in an Office of Civil Rights (HHS Division) investigation involving alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). At the time, the settlement was one of only 12 OCR settlements nationwide.
- Online video and media service providers in class action litigations filed nationwide challenging the alleged use of local shared objects, also known as “flash cookies.”
- Numerous companies in privacy-related government investigations and enforcement actions brought by states attorneys’ general, the FTC, HHS and the Office of Civil Rights, among others.
- Numerous public companies in hundreds of data security breaches, including global investigations and the handling one of the first major data breaches for a public company in 2002.
- Numerous companies in TCPA litigation.
Representative Business Litigation
- Minority shareholders of Diversified Communications, Inc. in a post-closing dispute related to the buyout of shares following the divestiture of the company’s electronic health records division.
- Hill Holliday Connors, Inc./Erwin-Penland, Inc. in winning a summary judgment in a case involving claims of trade secret misappropriation and breach of contract/fiduciary duty, as well as the rights to a national advertising campaign utilized by a Fortune 50 company. The case, in federal district court in South Carolina and with damages claimed of nearly US$100 million, was appealed to the Fourth Circuit, which affirmed summary judgment for the client.
- A public company in an arbitration involving trade secret and breach of acquisition agreement with another public company related to the right to do business in 21 states.
- New Balance, Inc./Warrior Lacrosse in the successful resolution of claims pending in federal district court in Michigan, for theft of trade secrets involving the hockey line, after successfully defeating an initial injunction motion.
- Zmags North America in a trial in federal court in Ohio after cross-examination of opposing party's CEO. Claims involved the alleged theft of the entire customer data base by a former employee.
- Numerous companies in successful resolutions to civil claims related to the Bernard L. Madoff Securities fraud.
Representative Financial Services Litigation
- Cape Cod Five Cents Savings Bank in a winning summary judgment in trust litigation brought against the bank as trustee of an estate in multi-year litigation alleging breaches of fiduciary duty, breach of contract, 93A, violation of the Mass Uniform Trust Act and tort claims among others.
- Citizens Bank in a winning motion to dismiss in federal court and in First Circuit Court of Appeals for in the defense of a putative class action arising from their overdraft fee program in a case. This case garnered the attention of legal news outlets, including as the leading story in Law360 on two different occasions.
- Southern Sun Asset Management in an arbitration award against claims brought by an international third-party marketing firm with claims of almost US$100 million; the arbitration award was challenged and successfully defended in federal court in Alabama.
- A Fortune 100 public financial institution in the successful resolution of a case in federal court in New York against for breach of fiduciary and financial fraud claims following its acquisition of a financial services company and the infusion of US$2 billion into that institution
- A major public mutual fund company in the successful defense of in connection with SEC and FDIC investigations that resulted in no charges for the company.
- A Fortune 50 company in the successful negotiation and resolution of a consumer financial services class action case, pending in Ohio state court for more than 10 years.
- A Fortune 100 financial institution in a successful defense in a class action case in both state court and Ohio appeals court alleging pregnancy discrimination in mortgage lending practices. The case was settled favorably for client.
- Massachusetts Bankers Association and other state banking associations for over a decade relating to litigation issues affecting banks.
- People’s United Bank in the successful dismissal of a putative class action complaint in state court in Connecticut, involving the bank’s overdraft fee program. Secured one of the few dismissals among the hundreds of overdraft cases that have been filed against banks across the country.
- East Cambridge Savings Bank in the successful dismissal of a complaint in its entirety with prejudice in a suit filed in Middlesex Superior Court arising out of a loan default. The Massachusetts Appeals Court affirmed the judgment in our client's favor.
- State Street Global Advisors in the successful dismissal of a complaint filed in Massachusetts Superior Court seeking recovery of losses during broad stock market decline. Successfully defended the dismissal in the Mass. Appeals Court.
- State Street Global Advisors in winning a summary judgment of a complaint alleging breach of fiduciary duty and breach of contract; claims dismissed as time barred under three-year statute of limitations. Summary judgment affirmed by the Mass. Appeals Court.
- Massachusetts Bankers Association and group of banks in winning a summary judgment in Massachusetts federal district court in a constitutional challenge to Massachusetts statutes that restricted how banks could sell insurance. First Circuit Court of Appeals dismissed the petition to vacate.
- Multiple banks, including BNY Mellon and HSBC, in the dismissal of numerous claims, in federal district court in California, involving alleged violations of Los Angeles rent ordinances. Ms. Sharton successfully argued the motion to dismiss in federal court on behalf of all the bank defendants.
Representative Internal Investigations
- A private company in an internal investigation related to potential fraud allegations related to FDA certifications.
- A board of trustees for registered mutual funds in an internal investigation related to alleged misconduct by advisor personnel in connection with trading timing.
- The Japanese subsidiary of a public company in an internal investigation involving a revenue recognition issue.
- The Somaly Mam Foundation Board of Directors in an internal investigation regarding the background of an international sex-trafficking activist.
Includes matters handled at Dechert or prior to joining the firm.
- SEC proposes 4-day breach reporting rule - Media Mention, Global Data Review (April 2022)
- Congress Seizes On Incident Reports In Fighting Cyberattacks - Media Mention, Law360 (March 2022)
- Cybersecurity Resolutions for 2022 - Media Mention, Cybersecurity Law Report (January 2022)
- FTC threatens enforcement on firms lax about Log4j vulnerability - Media Mention, Cybersecurity Dive (January 2022)
- Sinclair Broadcast Investigates a Ransomware Attack. The Stock Is Dropping - Barron's (October 2021)
- As Cyberthreats Mount, Advisors Have a Target on Their Backs - Media Mention, Barron's (September 2021)
- 10 Steps Companies Can Take to Reduce Cybersecurity Risk - IsraelDesks (June 2021)
- Seven Steps Companies Can Take to Reduce Risk in a Ransomware Attack - Inside Story (June 2021)
- ‘Hackers Love a Good Crisis’: Dechert’s Brenda Sharton on the Rise in Cybersecurity Threats and Ransom Demands - AmLaw Litigation Daily (May 2021)
- Ransomware Attacks Are Spiking. Is Your Company Prepared? - Harvard Business Review (May 2021)
- Expect Increased Scrutiny of 401(k) Cybersecurity: Lawyers - Media Mention, Ignites (May 2021)
- Biden's Cybersecurity Order Likely To Reach Beyond Gov't - Media Mention, Law360 (May 2021)
- Gov't May Lean On Private Sector To Stop Next Critical Hack - Media Mention, Law360 (May 2021)
- Data 'Scraping' Episodes Don't Fall Neatly Into Breach Laws - Media Mention, Law360 (April 2021)
- With Rising 401(k) Theft, DOL Issues Cybersecurity Guidance - Media Mention, Ignites (April 2021)
- 5th Circ. Creates Roadblocks For New HHS Privacy Enforcers - Media Mention, Law360 (February 2021)
- How Will the Biden Administration’s Approach to Cybersecurity Impact the Private Sector? - Media Mention, Cybersecurity Law Report (December 2020)
- Macy’s Ducks Suit Over 2019 Data Breach - Media Mention, Law360 (November 2020)
- Macy’s Dodges Customer’s Proposed Data Breach Class Action - Media Mention, Bloomberg Law (November 2020)
- Biden Term Could Spell Sanctions, Boost Data Transfer Deal - Media Mention, Law360 (November 2020)
- Macy’s Escapes Liability in Data Breach Suit - Media Mention, Law Street (November 2020)
- Preventing Insider Threats to Cybersecurity - Co-authored with John Ansbach of Stroz Friedberg, Risk Management (September 2020)
- Employees Present Cos.' Biggest Cyber Risk During Pandemic - Media Mention, Law360 (August 2020)
- Cyberattack on Freddie Mac Vendor Highlights Supply Chain Vulnerabilities - Wall Street Journal (July 2020)
- How Organizations Can Ramp Up their Cybersecurity Efforts Right Now - Harvard Business Review (May 2020)
- Will Coronavirus Lead to More Cyber Attacks? - Harvard Business Review (March 2020)
- Key Issues in Computer Fraud and Abuse Act (CFAA) Civil Litigation - Practical Law (2018)
- The Legal Risks of Monitoring Employees Online - Harvard Business Review (2017)
- Equifax and Why It’s So Hard to Sue a Company for Losing Your Personal Information - Harvard Business Review (2017)
- Defend Trade Secrets Act Creates Federal Trade Secret Clause of Action With Enhanced Seizure Remedies; Employers Should Give Notice to All Employees Regarding DTSA Whistleblower Immunity - Goodwin Alert (2016)
- DHS and NIST Issue Internet of Things Cybersecurity Guidance - Goodwin Alert (2016)
- Whatsapp-Facebook Data Sharing Affects Scrutiny From EU Privacy Authorities - Goodwin Alert (2016)
- EU-US Privacy Shield Framework Formally Adopted - Goodwin Alert (2016)
- European Commission Releases Details of EU-US Privacy Shield - Goodwin Alert (2016)
- European Commission and United States Agree to New Framework for Transatlantic Data Flows - Goodwin Alert (2016)
- SEC proposes 4-day breach reporting rule - Media Mention, Global Data Review (April 2022)
- John Hancock Global Law Conference Privacy Break-Out Session - Speaker, Webinar (May 2022)
- The Intersection of Cybersecurity, Data Privacy and Cyber Risk Management in M&A Transactions - Speaker, ABA Panel (January 2022)
- Cybersecurity and Privacy - Virtual California Investment Management Symposium, Dechert LLP, Webinar (October 27, 2021)
- Ransoms (Part 1): What are the Threats? - Speaker, Kayo Podcast (September 2021)
- Cybersecurity - Speaker, Dechert's Sovereign Counsel Series (April 2021)
- Hot Topics In Cybersecurity: “Not ‘If,’ But ‘When’” - Practical Tips to Reduce Risk - Speaker, Dechert's Q2 Directors' Forum Panel (April 2021)
- What Keeps You Up at Night? What Every Asset Manager Needs to Know About Cybersecurity - Speaker, Dechert's Mutual Funds Virtual Conference (March 2021)
- Not a Question of if, a Question of When: Reducing Cybersecurity Risk in Private Equity Transactions - Speaker, Kayo Podcast (March 2021)
- Committed Capital | Managing Cybersecurity Risk in Private Equity Transactions: Investing in the Modern Age - Speaker, Dechert Podcast (February 2021)
- Understanding the Impact of Brazil's New Data Protection Laws and Agency - Speaker, Dechert Webinar (February 2021)
- Coffee Break Compliance Broadcast Series | Episode Ten: A Conversation With The Experts - Hot Topics in Privacy & Cybersecurity - Speaker, Dechert Podcast (January 2021)
- Hot Topics In Cybersecurity: “Not ‘If,’ But ‘When’” - What Keeps In-House Counsel Up At Night - Speaker, Greater Philadelphia's Association of Corporate Counsel Webinar (January 2021)
- MassChallenge Innovation Summit: Securing the Future of Work - Moderator, MassChallenge, Israel (June 2020)
- Cybersecurity + COVID-19 - Goodwin Webinar (April 2020)
- Advising Boards of Directors About Cyberattacks and Incident Response - Speaker, Boston Bar Association Privacy and Cybersecurity Conference (2019)
- Unlocking the Value of Data in MedTech: Protect Your IP, Protect Your Business: Cybersecurity Deep Dive - Goodwin Webinar (2019)
- How to Anticipate, Investigate & Litigate a Data Breach in 2019 - Moderator, Consero Financial Services Litigation Forum (2019)
- Privacy + Cybersecurity Readiness: What every real estate company needs to know - Goodwin Webinar (2019)
- Digital Technology and the Law: Big Data, Cybersecurity and other Hot Spots - MIT Course, Guest Lecturer (2019)
- Cyber Liability Decoded - Massachusetts Bankers Association Webinar (2019)
- Privacy & Cybersecurity Legal Overview and Trends - Federal Reserve Bank of Boston Cyber-Threat Interest Group Meeting (2018)
- Challenges in Innovation – Navigating the Uncertain Terrain - Goodwin’s Annual Banking Symposium (2017)
- Cybersecurity and Incident Response: Managing the Issues - New York Bankers Association’s Financial Services Forum (2017)
- How Will Trump’s Administration Affect the Financial Services Industry? - Goodwin (2017)
- Data Breach & Privacy Litigation: Mitigating Enterprise Risk - Consero Financial Services Litigation Forum (2017)
- The Privacy Shield: What Does it Mean for Your Business? - Webinar, Moderator (2016)
- “I’m Negotiating with K-Mart!” and Other Truisms Dealing with Ransomware Hackers - IAPP's Privacy. Security. Risk. Conference (2016)
- Examine the Interplay of Cybersecurity and Patent Law to Strengthen Patent Innovation - The 13th Annual Patents for Financial Services Summit (2016)
- Hear From the Judges: Best Practices to Navigate the First Circuit Court of Appeals - Boston Bar Association (2016)
- Ch-Ch-Ch-Changes...A 20-year Privacy Law Veteran Discusses Notable Trends and Their Implications - IAPP Global Privacy Summit (2016)
- Seven Things You Should Know About Arbitration Clauses - Marcus Evans Chief Litigation Summit & IP Law Summit (2016)
- Privacy and Cybersecurity Litigation: What You Need to Know - Consero Financial Services Litigation Forum (2016)
- Cybersecurity Issues - Northeast Human Resources Association (NEHRA) FE Dinner (2016)
- John Hancock Global Law Conference Privacy Break-Out Session - Speaker, Webinar (May 2022)
- Massachusetts Supreme Judicial Court, Honorable Joseph R. Nolan
- Boston College, B.S., 1987, magna cum laude
- Boston College Law School, J.D., 1990, summa cum laude, valedictorian, Order of the Coif
- Supreme Court of the United States
- United States Court of Appeals for the First Circuit
- United States Court of Appeals for the Fourth Circuit
- United States District Court for the District of Massachusetts
- United States District Court for the District of Connecticut
- United States District Court for the Eastern District of Michigan
- United States Tax Court