Sandy Brian Garfinkel
Chair, Data Security & Privacy Group
Sandy Garfinkel is a business litigator who serves as the chair of the firm’s Data Security & Privacy Group. As a nationally regarded authority on data security and privacy matters, Sandy is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. In addition to his data breach response practice, Sandy works closely with the firm’s business clients concerning all aspects of General Data Protection Regulation (GDPR) compliance and enforcement. He works with clients on data security and privacy matters across a variety of industries and sectors, including hospitality, consumer products, insurance, education, health care, manufacturing, and telecommunications.
Businesses struggle to stay ahead of the increasing threats to sensitive data and the emerging regulatory requirements, which is why Sandy counsels his clients on laws relating to the collection, use, and protection of personal information as well as mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft, or exposure of personal data. He guides clients through all stages of breach matters, including advance planning and preparation, response and notification, government investigations and regulatory response, and, when necessary, litigation.
Sandy also maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. He has deep trial and appellate experience and enjoys a long, consistent track record of producing cost-effective, positive results for his litigation clients.
Data Security and Responding to Data Theft
- Counsels clients in responding to thefts of personal information and electronic data security breaches; has handled in excess of 50 data breach response matters.
- Advises on the application of state laws requiring notification to state agencies and affected individuals and in required forensic investigation.
- Drafts information security policies and data breach response plans.
- Assisted clinical laboratory company in responding to theft of employee personal information by hacking that resulted in the filing of numerous fraudulent federal tax returns and an attempt to compromise the company’s bank account.
- Represented multiple hotel owners in responding to a major breach of the electronic security and theft of credit card data from a major hotel brand, in an attack perpetrated by hackers from Russia.
- Assisted a university in working with law enforcement investigators and complying with notification laws when a hacker attacked the university’s online applications database.
- Represented insurance provider in meeting its obligations when personal information of insurance agents was inadvertently made accessible through the insurer’s web portal.
- Represented manufacturing company in working with law enforcement agencies and addressing notification duties after a rogue employee stole personal information from employee files to be used to forge prescriptions for controlled substances.
- Assisted public school district in responding to inadvertent disclosure of personal information captured in computerized database for visitor registration.
- Drafted data breach response plans and reviewed/advised on cyber insurance coverage for bank and a nonprofit legal aid organization.
- Formulating data breach response plan, reviewing internal privacy and security policies, and cyber insurance coverage for multi-state accounting firm.
- Represents hotel and resort management companies, owners, and developers in commercial disputes and other issues.
- Advises and represents hospitality industry clients with regard to dealings and disputes between and among hotel owners, managers, franchisors, vendors, and guests.
- Provides legal services relating to compliance with electronic data security laws and industry standards, and in responding to breaches of data security.
- Represents manufacturing enterprises, commercial and residential builders and developers, oil and gas production companies, creative and computer design companies, professional athletes, insurance companies, professional associations, architectural firms, management companies, and communications companies in various types of tort and contract disputes.
- Represents commercial and public sector clients in trial, arbitration, and appellate court practice as well as practice before governmental and administrative tribunals.
- Tries numerous jury and non-jury trials in federal and state courts in various jurisdictions.
- Argues before all Pennsylvania appellate courts and the U.S. Court of Appeals for the Third Circuit.
Real Estate and Land Use
- Acts as regional counsel for major cellular carrier on land use and zoning matters for tower site acquisition;
- Represents commercial real estate developers in zoning and land use applications and proceedings;
- Represents real estate development companies, municipalities and public authorities in litigation matters arising from construction and real property disputes;
- Handles real estate related litigation matters including real property taxation.
- Global Alliance of Travel, Tourism & Hospitality Attorneys, Member
- International Association of Privacy Professionals (IAPP)
- Reading is FUNdamental Pittsburgh, elementary school reading mentor
Awards and Recognition:
- Selected for inclusion in Pennsylvania Super Lawyers – 2013, 2014, 2018
News and Insights
- “The Unique Challenges of Data Security for the Hotel Industry” , Beazley Breach Response Services Blog, March 23, 2017.
- “Employees are a soft spot in data security” , HR.BLR.com, April 2016.
- “Data Breach Response: How to Counsel Your Client” , Lawyers Journal, May 2015.
- “Business Forum: Data Breach Oversaturation — There’s Danger in Complacency” , Pittsburgh Post-Gazette, November 2014.
- “Anatomy of a Hotel Breach” , Hospitality Lawyer Converge blog, June 2014.
- “Legal FAQ: Hotel Data Breaches” , Hospitality World Network, June 2011.
- “Incidents Which Trigger a Legal Obligation to Notify Guests” , Hospitality Upgrade, Spring 2011.
- “Hospitality cyber threats are alive & well – Lessons from recent incidents,” HospitalityLawyer.com, July 16, 2019.
- “Circumstances That Could Lead To Accusations of Price Gouging,” Lodging Magazine, November 2017.
- “Data Security Soft Spots: Safeguarding a Property Against Cyber Attacks,” Lodging, the official magazine of the American Hotel and Lodging Association, June 2017.
- “Trump Administration’s Approach to Cybersecurity Remains Murky,” Eckert Seamans’ Data Security and Privacy Alert, March 2017.
- “Experian Forecast Predicts Major Data Breach Trends for 2017,” Eckert Seamans’ Data Security and Privacy Alert, March 2017.
- “Yahoo!’s Data Breach Incidents are Becoming an Extended Tale of Woe for the Company,” Eckert Seamans’ Data Security and Privacy Alert, January 2017.
- “Vizio — privacy concerns with “smart” devices are making the internet of things a focus for U.S. regulators,” Eckert Seamans’ Data Security and Privacy Alert, January 2017.
- “Hotel Price Gouging,” HospitalityLawyer.com – Convergence Blog, October 2016.
- “Long Term Hotel Guests Might Not Be So Easy to Remove,” co-author, Hospitality Lawyer Converge blog, September 2015.
- “Manager vs. Owner: Which One Must Respond to a Data Breach?” Hospitality Lawyer, Hospitality Lawyer, August 2011.
- “Data Security and Privacy Alert: Public Commentary Sought by California Attorney General’s Office Regarding the California Consumer Privacy Act of 2018” , January 2019.
- “In Pennsylvania, Employers Have A Legal Duty To Protect Employee Data” , Eckert Seamans' Data Security & Privacy Alert, November 2018.
- “GDPR IS HERE. ARE YOU READY?” , Eckert Seamans' Data Security and Privacy Alert, February 2018.
- “Data Security and Privacy Alert: Yahoo!’s Data Breach Incidents are Becoming an Extended Tale of Woe for the Company”
- “Data Security and Privacy Alert: Vizio — privacy concerns with “smart” devices are making the internet of things a focus for U.S. regulators”
- “Data Security and Privacy Alert: Trump Administration’s Approach to Cybersecurity Remains Murky”
- “Data Security and Privacy Alert: Experian Forecast Predicts Major Data Breach Trends for 2017”
- “Hospitality & Gaming Alert: States are Aggressively Investigating Hotels for Price Gouging During States of Emergency”
- “How the hotel industry has adapted to GDPR,” Hotel News Now, July 10,2019.
- “GDPR Takes Effect In Two Weeks,” Pittsburgh Business Times, May 11, 2018.
- “Hotel Data Breaches: Can You Protect Business Travelers?” Business Travelers News, February 08, 2016.
- “Tips to keep hotel data hackers at bay,” Hotel News Now, February 10, 2015.
- “China’s Alleged Cyber Attach on Pittsburgh Companies – How Vulnerable is Your Business?” Our Region’s Business with Bill Flanagan, June 2014.
- “Cyber Law Update,” presented for the 2019 Cyber Law and Privacy Symposium, Hosted by Carnegie Mellon University, May 2019.
- “Autonomous Vehicles: Legal Issues to Consider,” co-presenter, Eckert Seamans’ Continuing Legal Education Seminar, August 2018.
- “GDPR: The Impact on Data Privacy for U.S. Companies,” presented at the Pittsburgh Compliance Roundtable, June 2018.
- “The Unique Challenges of Data Security for the Hotel Industry,” presenter, 2018 Hospitality Law Conference, Houston, TX, April 2018.
- “Risk Transfer: Trends That Protect Your Firm’s Assets,” panelist at the Private Directors Association conference, Locking the Cyber Security Door: What Private Company Leaders Should Do Now, in Chicago, November 2017.
- “The Unique Challenges of Data Security for the Hospitality Industry,” co-presenter at Hospitality Law Conference, April 24, 2017.
- “The Current State of the Law: Data Privacy and Security,” presenter, Data Privacy & Security Update, March 2017.
- “The Defense, The Response, and The Future,” presenter at Eckert Seamans’ Data Privacy and Security Forum, October 2016.
- “Response to Data Breaches,” Identity Theft, Pennsylvania Bar Institute (PBI) Continuing Legal Education (CLE) program, March 2016.“Employees Are a Soft Spot in Data Security and Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
- “Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.<
- “Data Security: Risks, Compliance and How to Be Prepared for a Breach,” Eckert Seamans’ CLE, September 2015.
- “The Data Breach Reality: Preparing for the Inevitable,” PBI CLE , July 29, 2015.
- “The Data Breach Reality: Preparing for the Inevitable,” co-presenter, June 15, 2015.
- “The Data Breach Reality,” co-presenter at the Consortium of Universities of the Washington Metropolitan Area, 2015 Consortium Day, June 5, 2015.
- “Data Breaches – Privacy and Liability,” co-presenter, Allegheny County Bar Association 2015 e-Discovery Symposium, April 17, 2015.
- “Anatomy of a Hospitality Data Breach,” Hospitality Law Conference, February 10, 2015.
- “The Data Breach Reality: What To Do When (Not If) You’re a Victim of a Cyber Attack,” Eckert Seamans’ CLE, August 2014.
- “Protect My Data: Protection of Confidential Employee Information Under the Health Insurance Portability and Accountability Act,” co-presenter, Eckert Seamans Human Resources Forum, May 2014.
- “Data Breach Response, State Laws Governing Data Breach Notification, and Federal Trade Commission Enforcement Actions,” PBI CLE, January 2014.
- “Understanding and Managing the Challenges of Data Privacy Breaches in the U.S. and the E.U.,” a webcast presentation to the Association of Corporate Counsel, May 2012.
- “Responding to Data Breaches,” PBI CLE, October 2011.
- “Cyber Wars: Do You Know How to Respond if Your Data is Attacked?” presented at Eckert Seamans’ CLE, August 2011.
Sandy is an avid amateur photographer and musician (blues harmonica).
J.D., Duquesne University School of Law, 1991; Duquesne Law Review; Appellate Moot Court Board
B.A., Emory University, 1986