David E. Kitchen

Partner

Cleveland
T +1.216.861.7060
F +1.216.696.0740

Overview

David Kitchen is a member of the firm’s Chambers USA-ranked Privacy and Data Protection Team. He has advised hundreds of clients through data security incidents involving domestic and international laws and regulations. His clients span the financial, healthcare, government, education, professional services, retail, and other industries. Drawing on his experience as a litigator, David is also well-suited to help defend his clients in connection with regulatory investigations and class action lawsuits. David provides companies that have experienced security incidents with practical solutions that minimize regulatory and litigation risk. David has earned the CIPP/US certification through the International Association of Privacy Professionals (IAPP).

Select Experience

Privacy and Data Protection
  • Primary lead in hundreds of data breach incident assessments, including managing the forensic investigation, conducting notification analyses, advising on communications with media and impacted entities, coordinating outreach and responses to law enforcement, and overseeing the notification process to individuals and regulators. Such notifications have ranged from a single individual to over one million.
  • Advises clients in a wide range of industries, both domestically and abroad, including accounting, business and professional services, educational institutions (local and university), energy, engineering and manufacturing, healthcare, media, retail and hospitality, software, state and local government, and others.
Litigation / Regulatory
  • Represented corporate clients in privacy and consumer protection litigation and government investigations.
  • Represented healthcare providers and business associates in connection with an investigation by the Office of Civil Rights for HIPAA violations.
More »

Experience

Privacy and Data Protection
  • Primary lead in hundreds of data breach incident assessments, including managing the forensic investigation, conducting notification analyses, advising on communications with media and impacted entities, coordinating outreach and responses to law enforcement, and overseeing the notification process to individuals and regulators. Such notifications have ranged from a single individual to over one million.
  • Advises clients in a wide range of industries, both domestically and abroad, including accounting, business and professional services, educational institutions (local and university), energy, engineering and manufacturing, healthcare, media, retail and hospitality, software, state and local government, and others.
  • Advises clients with respect to data security laws and regulations, including state statutes, GDPR, PCI-DSS, FERPA, HIPAA, FINRA, GLBA, PIPEDA, Insurance Commission Regulations, ABA Guidelines, and others.
  • Represents clients in GDPR, DOE, FINRA, OCR, and state attorneys general investigations and enforcement actions for alleged data security and privacy violations.
  • Regularly conducts in-house security training and tabletop exercises for companies in a wide variety of industries to build awareness and help companies prepare to effectively and efficiently manage data security threats and incidents.
  • Advises clients with respect to contract negotiation with service providers such as forensic, document review, notification, and crisis communication firms.
  • Represented a multi-national manufacturer in connection with a compromise of numerous email accounts that involved individuals worldwide, including coordinating the forensic investigation, overseeing data protection agreements, advising on notification obligations in the US, EU, and internationally, developing and implementing a broad communications plan, and resolving regulatory inquiries from GDPR regulators.
  • Represented a consortium of local school districts in connection with ransomware attacks on several of the schools, including coordinating the forensic investigation and ransom negotiations, developing and implementing a broad communications plan for faculty, students, and the community, advising on notification obligations, and coordinating assistance with law enforcement agencies.
  • Represented a large online portfolio-hosting provider in connection with a credential theft incident, including coordinating the forensic investigation, analyzing notification obligations, and overseeing notifications to impacted individuals and regulators.
  • Represented local and state governments in connection with ransomware attacks, including coordinating the forensic investigation and ransom negotiations, developing and implementing a broad communications plan for emergency services and the community, advising on notification obligations, and coordinating assistance with law enforcement agencies.
  • Represented a national insurance company in connection with multiple email incidents, including coordinating the forensic investigation, advising on notification obligations, and resolving inquiries from state departments of insurance.
  • Represented a regional law firm in connection with an email incident, including coordinating the forensic investigation, advising on notification obligations under state law and contractual obligations, developing and implementing a broad communications plan to clients and impacted individuals, and resolving regulatory inquiries.
  • Represented a state-owned university in connection with a stolen device incident, including coordinating the forensic investigation, advising on notification obligations, coordinating with numerous law enforcement agencies, developing and implementing a broad communications plan, providing notifications to students and other individuals, and resolving regulatory inquiries.
  • Represented a managed IT service provider in connection with ransomware attacks on many of the MSP’s customers, including coordinating the forensic investigation and ransom negotiations, developing and implementing a broad communications plan for the impacted customers, coordinating assistance with law enforcement agencies, and resolving regulatory inquiries.
  • Advised a major theme park operator in developing incident response plans, negotiating agreements with incident response vendors, conducting tabletop exercises, and responding to data security incidents.
Litigation / Regulatory
  • Represented corporate clients in privacy and consumer protection litigation and government investigations.
  • Represented healthcare providers and business associates in connection with an investigation by the Office of Civil Rights for HIPAA violations.
  • Represented Irving H. Picard, the court-appointed SIPA Trustee, in liquidation proceedings of BLMIS, including a central role in the Trustee's action to recover more than $500 million in fraudulent transfers from a group of feeder fund defendants.
  • Represented a child care product group of a Fortune 50 company as complainant before the ITC against a manufacturer of infringing products in a patent infringement action. Shortly before trial, obtained favorable settlement of all claims.
  • Defended a Fortune 50 manufacturer against claims of trade secret theft and RICO violations. All key claims were dismissed on summary judgment.
  • Obtained judgment following a jury trial in favor of a client, the plaintiff, in a patent infringement action relating to a materials shipment method patent. The two-week trial resulted in judgment for the client of infringement, patent validity and willful misconduct by the defendant companies. Successfully defended the judgment twice on appeal.

Recognitions and Memberships

Recognitions

  • Certified Information Privacy Professional (CIPP/US)

Memberships

  • International Association of Privacy Professionals (IAPP)
  • American Bar Association
  • Ohio State Bar Association
  • Cleveland Metropolitan Bar Association
  • Cleveland Intellectual Property Law Association

News

News

Press Releases

Community

  • Boy Scouts of America
  • Cleveland Legal Aid Society

Pro Bono

  • Pursued a habeas appeal, including oral argument before the Sixth Circuit Court of Appeals, on behalf of an individual seeking to vacate his sentence.

Admissions

  • U.S. Court of Appeals, Federal Circuit, 2007
  • U.S. Court of Appeals, Sixth Circuit, 2007
  • U.S. District Court, Northern District of Illinois, 2014
  • U.S. District Court, Southern District of Ohio, 2011
  • U.S. District Court, Northern District of Ohio, 2004
  • Ohio, 2004

Education

  • J.D., University of Chicago Law School, 2004
  • B.S., Manufacturing Engineering and Technology, Brigham Young University, 2001, Tau Alpha Pi

Languages

  • Spanish

Blog

In The Blogs

Previous Next
Data Counsel
Key Changes to New York Breach Notification and Data Security Protection Requirements from the New York SHIELD Act
By Damon C. Barhorst, David E. Kitchen
June 9, 2020
The New York SHIELD Act,[1] officially titled the Stop Hacks and Improve Electronic Data Security Act, amends New York’s existing data breach notification law in several significant ways and adds a number of data security protection...
Read More ->
Data Counsel
DSIR Deeper Dive: The Ransomware Epidemic
By David E. Kitchen, Anthony P. Valach
May 18, 2020
Ransomware is among the most common and persistent threats faced by organizations of all sizes. In 2019, the ransomware threat landscape worsened in several significant ways: (1) average demands increased more than tenfold; (2) all...
Read More ->