Sandy Brian Garfinkel, Pittsburgh



Sandy Garfinkel is a business litigator who serves as the chair of the firm’s Data Security & Privacy Group. As a nationally regarded authority on data security and privacy matters, Sandy is regularly published and speaks at numerous industry conferences on preparing for and responding to data breaches. In addition to his data breach response practice, Sandy works closely with the firm’s business clients concerning all aspects of General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance and enforcement. He works with clients on data security and privacy matters across a variety of industries and sectors, including hospitality, consumer products, insurance, education, health care, manufacturing, and telecommunications.

Businesses struggle to stay ahead of the increasing threats to sensitive data and the emerging regulatory requirements, which is why Sandy counsels his clients on laws relating to the collection, use, and protection of personal information as well as mitigating risks and reducing exposure to investigations and litigation arising from the loss, theft, or exposure of personal data. He guides clients through all stages of breach matters, including advance planning and preparation, response and notification, government investigations and regulatory response, and, when necessary, litigation.

Sandy also maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. He has deep trial and appellate experience and enjoys a long, consistent track record of producing cost-effective, positive results for his litigation clients.

Representative Matters

Data Security and Responding to Data Theft

  • Counsels clients in responding to thefts of personal information and electronic data security breaches; has handled in excess of 100 data breach response matters.
  • Advises on the application of state laws requiring notification to state agencies and affected individuals and in required forensic investigation.
  • Drafts information security policies and data breach response plans.
  • Assisted clinical laboratory company in responding to theft of employee personal information by hacking that resulted in the filing of numerous fraudulent federal tax returns and an attempt to compromise the company’s bank account.
  • Represented multiple hotel owners in responding to a major breach of the electronic security and theft of credit card data from a major hotel brand, in an attack perpetrated by hackers from Russia.
  • Assisted a university in working with law enforcement investigators and complying with notification laws when a hacker attacked the university’s online applications database.
  • Represented insurance provider in meeting its obligations when personal information of insurance agents was inadvertently made accessible through the insurer’s web portal.
  • Represented manufacturing company in working with law enforcement agencies and addressing notification duties after a rogue employee stole personal information from employee files to be used to forge prescriptions for controlled substances.
  • Assisted public school district in responding to inadvertent disclosure of personal information captured in computerized database for visitor registration.
  • Drafted data breach response plans and reviewed/advised on cyber insurance coverage for bank and a nonprofit legal aid organization.
  • Formulating data breach response plan, reviewing internal privacy and security policies, and cyber insurance coverage for multi-state accounting firm.
  • Assisted several large clients in developing and implementing CCPA-compliant policies, practices and documents, including website and employee privacy statements, contracts and internal communications.
  • Helped numerous clients develop procedures and mechanisms for receiving and responding to individual information rights requests under GDPR and CCPA.


  • Represents hotel and resort management companies, owners, and developers in commercial disputes and other issues.
  • Advises and represents hospitality industry clients with regard to dealings and disputes between and among hotel owners, managers, franchisors, vendors, and guests.
  • Provides legal services relating to compliance with electronic data security laws and industry standards, and in responding to breaches of data security.

Business Litigation

  • Represents manufacturing enterprises, commercial and residential builders and developers, oil and gas production companies, creative and computer design companies, professional athletes, insurance companies, professional associations, architectural firms, management companies, and communications companies in various types of tort and contract disputes.
  • Represents commercial and public sector clients in trial, arbitration, and appellate court practice as well as practice before governmental and administrative tribunals.
  • Tries numerous jury and non-jury trials in federal and state courts in various jurisdictions.
  • Argues before all Pennsylvania appellate courts and the U.S. Court of Appeals for the Third Circuit.


Professional Affiliations

  • Global Alliance of Travel, Tourism & Hospitality Attorneys, Member
  • International Association of Privacy Professionals (IAPP)

Community Involvement

  • Reading is FUNdamental Pittsburgh, elementary school reading mentor

Awards and Recognition

  • Selected for inclusion in Pennsylvania Super Lawyers – 2013, 2014, 2018

Speaking Engagements

  • “SUMMER SCHOOL: What Pennsylvania School Districts Need to Know About ESSER Relief Funds – Lesson 2: Data Security & Privacy,” co-presenter, Eckert Seamans’ Continuing Legal Education Seminar, July 26, 2021. (recording)
  • “Cybersecurity & Privacy Issues for Virtual Artists,” panelist, Creating Virtual Content: Logistics & Legalities for Arts Organizations, sponsored by the Pennsylvania Humanities Council and Pennsylvania Council on the Arts, October 14, 2020.
  • “Price Gouging,” Virtual Hospitality Law Conference hosted by, June 30, 2020.
  • “COVID-19 Data Security Issues,” Virtual Hospitality Law Conference hosted by, June 30, 2020.
  • “Price gouging,” Hospitality Lawyer COVID-19 Conference Call Series, May 11, 2020.
  • “Cyber security challenges with a remote work force,” Hospitality Lawyer COVID-19 Conference Call Series, March 30, 2020.
  • “Hotel Owners & COVID-19: Price Gouging Laws,” co-presented for the Asian American Hotel Owners Association, March 30, 2020.
  • “Cyber Law Update: GDPR and CCPA,” presenter, Eckert Seamans’ Continuing Legal Education Seminar, August 2019.
  • “Cyber Law Update,” presented for the 2019 Cyber Law and Privacy Symposium, Hosted by Carnegie Mellon University, May 2019. 
  • “Autonomous Vehicles: Legal Issues to Consider,” co-presenter, Eckert Seamans’ Continuing Legal Education Seminar, August 2018.
  • “GDPR: The Impact on Data Privacy for U.S. Companies,” presented at the Pittsburgh Compliance Roundtable, June 2018.
  • “The Unique Challenges of Data Security for the Hotel Industry,” presenter, 2018 Hospitality Law Conference, Houston, TX, April 2018.
  • “Risk Transfer: Trends That Protect Your Firm’s Assets,” panelist at the Private Directors Association conference, Locking the Cyber Security Door: What Private Company Leaders Should Do Now, in Chicago, November 2017.
  • “The Unique Challenges of Data Security for the Hospitality Industry,” co-presenter at Hospitality Law Conference, April 24, 2017.
  • “The Current State of the Law: Data Privacy and Security,” presenter, Data Privacy & Security Update, March 2017.
  • “The Defense, The Response, and The Future,” presenter at Eckert Seamans’ Data Privacy and Security Forum, October 2016.
  • “Response to Data Breaches,” Identity Theft, Pennsylvania Bar Institute (PBI) Continuing Legal Education (CLE) program, March 2016.
  • “Employees Are a Soft Spot in Data Security and Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
  • “Data Security Incident Response Plans,” Hospitality Law Conference, February 2016.
  • “Data Security: Risks, Compliance and How to Be Prepared for a Breach,” Eckert Seamans’ CLE, September 2015.
  • “The Data Breach Reality: Preparing for the Inevitable,” PBI CLE, July 29, 2015.
  • “The Data Breach Reality: Preparing for the Inevitable,” co-presenter, June 15, 2015.
  • “The Data Breach Reality,” co-presenter at the Consortium of Universities of the Washington Metropolitan Area, 2015 Consortium Day, June 5, 2015.
  • “Data Breaches – Privacy and Liability,” co-presenter, Allegheny County Bar Association 2015 e-Discovery Symposium, April 17, 2015.
  • “Anatomy of a Hospitality Data Breach,” Hospitality Law Conference, February 10, 2015.
  • “The Data Breach Reality: What To Do When (Not If) You’re a Victim of a Cyber Attack,” Eckert Seamans’ CLE, August 2014.
  • “Protect My Data: Protection of Confidential Employee Information Under the Health Insurance Portability and Accountability Act,” co-presenter, Eckert Seamans Human Resources Forum, May 2014.
  • “Data Breach Response, State Laws Governing Data Breach Notification, and Federal Trade Commission Enforcement Actions,” PBI CLE, January 2014.
  • “Understanding and Managing the Challenges of Data Privacy Breaches in the U.S. and the E.U.,” a webcast presentation to the Association of Corporate Counsel, May 2012.
  • “Responding to Data Breaches,” PBI CLE, October 2011.
  • “Cyber Wars: Do You Know How to Respond if Your Data is Attacked?” presented at Eckert Seamans’ CLE, August 2011.


Sandy is an avid amateur photographer and musician (blues harmonica).