Kristin Bryan is a litigator with deep expertise representing clients in complex bet-the-company data privacy, cybersecurity and data breach disputes in federal and state courts nationwide. She has obtained dismissals of numerous significant data privacy and cybersecurity litigations, in which plaintiffs collectively sought over US$280 billion in liquidated statutory damages for claims that her client’s business practices violated federal and state privacy laws.

Kristin is a pragmatic litigator and integral member of the firm’s privacy litigation team, which was ranked #2 in 2022 among all law firms by Global Data Review. She has broad experience defending data privacy, cybersecurity and data breach disputes across the country, including in the class action and multidistrict litigation context. Kristin has litigated cases brought under the Electronic Communications Privacy Act (ECPA), the Video Privacy Protection Act (VPPA), the Driver’s Privacy Protection Act (DPPA), the Fair Credit Reporting Act (FCRA), the Computer Fraud and Abuse Act (CFAA), the California Consumer Privacy Act (CCPA), the California Invasion of Privacy Act (CIPA) and the Illinois Biometric Privacy Act (BIPA), among others. Kristin has also efficiently resolved privacy and cybersecurity class actions concerning deceptive trade practice and breach of fiduciary duty claims. She is also experienced in defending website operators in putative class actions and in JAMS/AAA arbitrations concerning their privacy practices for claims brought under state wiretap laws and other theories of liability.

Kristin has advised clients concerning privacy issues implicated by the use of facial recognition technology and AI. She is currently defending a case concerning an AI consumer-facing platform in federal court in Illinois and recently opposed class certification. Kristin has represented clients in data breach litigations regarding the alleged disclosure of personal information and protected health information regulated under the Health Insurance Portability and Accountability Act (HIPAA). As part of her litigation practice, Kristin also advises clients on their most sensitive business, cybersecurity/privacy diligence and data breach issues, and in state and federal regulatory investigations regarding their privacy practices. She is editor-in-chief of the firm’s award-winning data privacy blog Consumer Privacy World and has published over 350 articles on developments regarding data privacy and cybersecurity.

Kristin is a Certified Information Privacy Professional (CIPP/US) and a leader in the data privacy and cybersecurity community. She holds a number of executive positions with the International Association of Privacy Professionals (IAPP), including with the Privacy Bar Advisory Board, is co-chair of her local KnowledgeNet Chapter, and was selected to participate in the IAPP’s 2022 Leadership Retreat. Kristin is also vice-chair of the American Bar Association’s Cybersecurity and Data Privacy Committee and on the ABA’s 11-member Technology and New Media Standing Committee.

Prior to joining the firm, Kristin practiced for five years at an international law firm in New York, specializing in data strategy and security.

Award Mouse thought multimedia interface book medal screen monitor
  • Obtaining dismissal on behalf of an insurance software provider in three competing federal class action litigations where plaintiffs sought to represent over 27 million putative class members and demanded over US$69 billion in statutory liquidated damages, as well as other relief concerning allegations that the provider stored drivers’ license information on unsecured external servers in violation of federal and state privacy laws. One of the cases was appealed to the Fifth Circuit, where in a case of first impression among the federal circuits, the court held that the alleged storage of information on an unsecured external server did not support a claim under the federal Driver’s Privacy Protection Act.
  • Defending commercial website operators in dozens of cases involving claims brought under state and federal wiretap laws as well as under the federal Video Privacy Protection Act concerning the alleged unauthorized disclosure of individuals’ personal information to third party advertisers, in both civil litigation and JAMS/AAA arbitration.
  • Defending multiple companies offering facial recognition and AI-based technologies in litigation concerning purported violation of the Illinois Biometric Information Privacy Act, among other claims.
  • Efficiently resolving two competing federal cybersecurity litigations brought against a healthcare institution concerning the alleged disclosure of personal information and protected health information under HIPAA, in relation to a data event involving a third-party services provider. Kristin obtained, along with the rest of the team, a ruling that her client was exempt from potential liability under the Florida Deceptive and Unfair Trade Practices Act.
  • Obtaining a dismissal after opposing class certification of putative class action filed in California federal court against a lending institution, concerning claims under the Fair Credit Reporting Act and the California Consumer Credit Reporting Agencies Act.
  • Defending a healthcare provider in privacy litigation concerning breach of fiduciary duty and other common law tort claims regarding the alleged unauthorized access and redisclosure of the plaintiff’s personal health record.
  • Representing a media company in multidistrict privacy litigation that went to Third Circuit Court of Appeals concerning allegations that the media company and co-defendant Google used cookies to track the online behavior of website visitors, including minors, in violation of federal and state privacy laws.
  • Representing a website operator in a state attorney general privacy investigation regarding the website operator’s marketing and ad sales practices.


  • Columbia Law School, J.D., 2010
  • Dartmouth College, B.A., 2007


  • Ohio, 2016
  • New York, 2011


  • U.S. Dist. Ct., N. Dist. of New York
  • U.S. Dist. Ct., S. Dist. of New York
  • U.S. Dist. Ct., N. Dist. of Ohio

Memberships & Affiliations

  • Co-chair, IAPP KnowledgeNet Chapter
  • Member, IAPP Privacy Bar Advisory Board
  • Vice-chair of the ABA’s Cybersecurity and Data Privacy Committee
  • Member of the ABA’s Technology and New Media Standing Committee
  • Named as a leading author in the Lexology Legal Influencers Q3 2022 for Technology, Media and Telecommunications (TMT) – US
  • Ranked as a Cybersecurity & Privacy MVP by Law360 2022
  • Recognized as a leading author in the Lexology Legal Influencers Q3 2021 for Technology, Media and Telecommunications (TMT) – US
  • Recognized in Best Lawyers: Ones to Watch in America 2021-2024 for Commercial Litigation

{{}} {{insights.type}} {{insights.contentTypeTag}}
{{blog.title}} {{blog.source}}

Recent Speaking Engagements

  • Speaker, “Federal Privacy and Cybersecurity Update,” Cleveland Marshall Annual Privacy and Cybersecurity Conference, April 20, 2023.
  • Speaker, “The Expanding Landscape of Biometric Data Law: Where We Are and What’s to Come,” Lexology Masterclass, March 28, 2023.
  • Speaker, “Federal Privacy Legislation: Within Reach After a Decade of Debate. If So, What Next?,” Lexology Masterclass, December 7, 2022.
  • Speaker, “AI and Biometrics Privacy: Trends and Developments,” IAPP, June 2, 2022.
  • Speaker, “Railroad Risk Management Roundtable Series-Cybersecurity,” February 3, 2022.
  • Speaker, “Defending Work Product Status and Attorney-Client Privilege of Forensic Reports,” webinar hosted by Lawline, January 11, 2022.

Award Mouse thought multimedia interface book medal screen monitor