Sandy Brian Garfinkel



Sandy Garfinkel is a business litigator who serves as the chair of the firm’s Data Security & Privacy Group. As a nationally regarded authority on data security and privacy matters, Sandy is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. He works with clients on data security and privacy matters across a variety of industries and sectors, including laws pertaining to hospitality, consumer products, insurance, education, health care, manufacturing, and telecommunications.

Businesses struggle to stay ahead of the increasing threats to sensitive data and the emerging regulatory requirements, which is why Sandy counsels his clients on laws relating to the collection, use, and protection of personal information as well as mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft, or exposure of personal data. He guides clients through all stages of breach matters, including advance planning and preparation, response and notification, government investigations and regulatory response, and, when necessary, litigation.

Sandy also maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. He has deep trial and appellate experience and enjoys a long, consistent track record of producing cost-effective, positive results for his litigation clients.


Representative Matters

Data Security and Responding to Data Theft

  • Counsels clients in responding to thefts of personal information and electronic data security breaches; has handled in excess of 50 data breach response matters.
  • Advises on the application of state laws requiring notification to state agencies and affected individuals and in required forensic investigation.
  • Drafts information security policies and data breach response plans.
  • Assisted clinical laboratory company in responding to theft of employee personal information by hacking that resulted in the filing of numerous fraudulent federal tax returns and an attempt to compromise the company’s bank account.
  • Represented multiple hotel owners in responding to a major breach of the electronic security and theft of credit card data from a major hotel brand, in an attack perpetrated by hackers from Russia.
  • Assisted a university in working with law enforcement investigators and complying with notification laws when a hacker attacked the university’s online applications database.
  • Represented insurance provider in meeting its obligations when personal information of insurance agents was inadvertently made accessible through the insurer’s web portal.
  • Represented manufacturing company in working with law enforcement agencies and addressing notification duties after a rogue employee stole personal information from employee files to be used to forge prescriptions for controlled substances.
  • Assisted public school district in responding to inadvertent disclosure of personal information captured in computerized database for visitor registration.
  • Drafted data breach response plans and reviewed/advised on cyber insurance coverage for bank and a nonprofit legal aid organization.
  • Formulating data breach response plan, reviewing internal privacy and security policies, and cyber insurance coverage for multi-state accounting firm.


  • Represents hotel and resort management companies, owners, and developers in commercial disputes and other issues.
  • Advises and represents hospitality industry clients with regard to dealings and disputes between and among hotel owners, managers, franchisors, vendors, and guests.
  • Provides legal services relating to compliance with electronic data security laws and industry standards, and in responding to breaches of data security.

Business Litigation

  • Represents manufacturing enterprises, commercial and residential builders and developers, oil and gas production companies, creative and computer design companies, professional athletes, insurance companies, professional associations, architectural firms, management companies, and communications companies in various types of tort and contract disputes.
  • Represents commercial and public sector clients in trial, arbitration, and appellate court practice as well as practice before governmental and administrative tribunals.
  • Tries numerous jury and non-jury trials in federal and state courts in various jurisdictions.
  • Argues before all Pennsylvania appellate courts and the U.S. Court of Appeals for the Third Circuit.

Real Estate and Land Use

  • Acts as regional counsel for major cellular carrier on land use and zoning matters for tower site acquisition;
  • Represents commercial real estate developers in zoning and land use applications and proceedings;
  • Represents real estate development companies, municipalities and public authorities in litigation matters arising from construction and real property disputes;
  • Handles real estate related litigation matters including real property taxation.

Professional Affiliations

  • International Association of Privacy Professionals (IAPP)

Community Involvement

  • WYEP Pittsburgh, Board President. WYEP is an independent listener-supported public radio station and media organization.

Awards and Recognition:

  • Selected for inclusion in Pennsylvania Super Lawyers


Employees are a soft spot in data security (

Sandy Garfinkel discusses the protection of business travelers' personal data and breach response (Business Travelers News)

Data Security: Risks, Compliance and How to be Prepared for a Breach

Data Breach Response: How to Counsel Your Client

Business Forum: Data Breach Oversaturation -- There's Danger in Complacency

Anatomy of a Hotel Breach

Manager vs. Owner: Which One Must Respond to a Data Breach?

Legal FAQ: Hotel Data Breaches

Incidents Which Trigger a Legal Obligation to Notify Guests

News and Insights


  • “Hotel Price Gouging,” – Convergence Blog, October 2016.
  • “Employees are a soft spot in data security,”, April 2016.
  • “Long Term Hotel Guests Might Not Be So Easy to Remove,” co-author, Hospitality Lawyer Converge blog, September 2015.
  • “Data Breach Response: How to Counsel Your Clients,” Lawyers Journal, May 2015.
  • “Business forum: Data breach oversaturation — there’s danger in complacency,” Pittsburgh Post-Gazette, November 2014.
  • “Anatomy of a Data Breach,” Hospitality Lawyer Converge blog, June 2014.
  • “Legal FAQ: hotel data breaches,” Hospitality World Network, June 2011.
  • “Incidents Which Trigger a Legal Obligation to Notify Guests: State Data Breach Laws Differ,” Hospitality Upgrade, Spring 2011.

Speaking Engagements:

  • “The Defense, The Response, and The Future,” presenter at Eckert Seamans’ Data Privacy and Security Forum, October 2016. 
  • “Response to Data Breaches,” Identity Theft, Pennsylvania Bar Institute (PBI) Continuing Legal Education (CLE) program, March 2016.
  • “Employees Are a Soft Spot in Data Security and Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
  • “Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
  • Data Security: Risks, Compliance and How to Be Prepared for a Breach,” Eckert Seamans’ CLE, September 2015.
  • “The Data Breach Reality: Preparing for the Inevitable,” PBI CLE , July 29, 2015.
  • “The Data Breach Reality: Preparing for the Inevitable,” co-presenter, June 15, 2015.
  • “The Data Breach Reality,” co-presenter at the Consortium of Universities of the Washington Metropolitan Area, 2015 Consortium Day, June 5, 2015.
  • “Data Breaches – Privacy and Liability,” co-presenter, Allegheny County Bar Association 2015 e-Discovery Symposium, April 17, 2015.
  • “Anatomy of a Hospitality Data Breach,” Hospitality Law Conference, February 10, 2015.
  • “The Data Breach Reality: What To Do When (Not If) You’re a Victim of a Cyber Attack,” Eckert Seamans’ CLE, August 2014.
  • “Protect My Data: Protection of Confidential Employee Information Under the Health Insurance Portability and Accountability Act,” co-presenter, Eckert Seamans Human Resources Forum, May 2014.
  • “Data Breach Response, State Laws Governing Data Breach Notification, and Federal Trade Commission Enforcement Actions,” PBI CLE, January 2014.
  • “Understanding and Managing the Challenges of Data Privacy Breaches in the U.S. and the E.U.,” a webcast presentation to the Association of Corporate Counsel, May 2012.
  • “Responding to Data Breaches,” PBI CLE, October 2011.
  • “Cyber Wars: Do You Know How to Respond if Your Data is Attacked?” presented at Eckert Seamans’ CLE, August 2011.

Media Coverage:

  • “Hotel Data Breaches: Can You Protect Business Travelers?” Business Travelers News, February 08, 2016.
  • “Tips to keep hotel data hackers at bay,” Hotel News Now, February 10, 2015.
  • “China’s Alleged Cyber Attach on Pittsburgh Companies – How Vulnerable is Your Business?” Our Region’s Business with Bill Flanagan, June 2014.


Sandy is an avid amateur photographer and musician (blues harmonica).