Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice. A former deputy attorney general and Office of Civil Rights investigator, she advises domestic and international companies on data privacy and protection, advertising technology, digital health, cybersecurity readiness and incident response, and consumer protection law.

Gicel served as a deputy attorney general for the California Department of Justice – Office of the Attorney General, where she specialized in conducting health data privacy and cybersecurity-focused government investigations and enforcement pursuant to health privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA); state medical information laws, including the California Confidentiality of Medical Information Act; and state consumer protection laws prohibiting unfair and deceptive acts and practices, including the California Unfair Competition Law and False Advertising Law. She also provided legislative advice and drafted legal filings submitted on behalf of the attorney general.

Gicel also served as an investigator for the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), where she investigated domestic and international companies’ compliance with the HIPAA Privacy, Security, and Breach Notification rules. She provided technical assistance to help covered entities and business associates identify and address deficiencies in their HIPAA compliance programs and operationalize HIPAA requirements.

Gicel leverages her public sector experience to counsel traditional healthcare providers, digital health companies and clients across all other industries on a broad range of data privacy and cybersecurity compliance and regulatory issues. Clients frequently turn to her for advice and counsel on complex issues arising out of state and federal requirements for consumer data, healthcare data, and business planning and operational matters.

Gicel prepares clients in the public and private sectors to respond to future cybersecurity incidents by assisting them with development and implementation of proactive cybersecurity measures. She also works with IT forensic firms to help clients respond to and remediate cybersecurity incidents, including executing incident response strategy, incident response notification and reporting. She interfaces with law enforcement and regulatory authorities in the US and coordinates global incident response activities across jurisdictions.

Gicel is a Certified Information Privacy Professional (CIPP/US and CIPP/E), a Certified Information Privacy Manager (CIPM) and an IAPP Fellow of Information Privacy (FIP). She invests in her community through her active leadership in and contributions to the Los Angeles County Bar Association, the International Association of Privacy Professionals and various mentorship programs.

Award Mouse thought multimedia interface book medal screen monitor
  • Counseled a direct sales company on global data privacy compliance strategy in the US (California, Virginia, Colorado, Utah and Connecticut privacy laws), Australia and Canada.
  • Counseled an addiction treatment provider on HIPAA, 45 CFR Part 2 and US state privacy compliance strategy.
  • Counseled a healthcare provider organization on business and compliance considerations in establishing organized healthcare arrangement (OHCR) and affiliated covered entity (ACE) structures.
  • Counseled a state department of health on cybersecurity incident response and remediation strategy pertaining to a third-party vendor incident that resulted in the potential compromise of millions of records containing protected health information belonging to the states’ patients; appropriately notifying affected individuals and HHS/OCR; effectively managing media inquiries; and advising on litigation strategy for recovery of loss due to breach of contract and the gross negligence of a third-party vendor.
  • Counseled a multinational electronics and manufacturing company on cybersecurity incident response and remediation strategy pertaining to an incident that affected the personal information of current and former global personnel of a publicly traded multinational corporation. Researched notification obligations and drafted and submitted breach notifications to affected individuals and regulatory authorities in US, Asia Pacific and EU jurisdictions. Counseled on special notification obligations related to the client’s status as a critical infrastructure company.
  • Counseled a multinational rental and facility services company on the development and implementation of proactive cybersecurity and incident response strategy, conducted cybersecurity risk assessment and advised on strategy to address the gaps identified.
  • Counseled a nonprofit entity on federal and state breach notification obligations resulting from the inadvertent disclosure of personal information of clients receiving mental health counseling services.


  • Santa Clara University, J.D., 2018
  • Arizona State University, B.S., cum laude, 2011


  • California, 2019

Memberships & Affiliations

  • Los Angeles County Bar Association, Sector Vice Chairperson – Academic/Government, Privacy & Cybersecurity Section
  • International Associate of Privacy Professionals (IAPP), Young Privacy Professional 2021, Los Angeles KnowledgeNet Chapter
  • Women Lawyers Association of Los Angeles, Business Development Committee


  • English
  • Filipino (Tagalog)

{{}} {{insights.type}} {{insights.contentTypeTag}}
{{blog.title}} {{blog.source}}
Award Mouse thought multimedia interface book medal screen monitor