Antony Kim


Washington, D.C.

Antony (Tony) Kim is a partner in Orrick's internationally recognized global Cyber, Privacy & Data Innovation Group, which pursues "an aggressive yet practical approach" to data protection and innovation that "meets the needs of both in-house counsel and tech-savvy business clients."

When faced with a cyber crisis, companies call on Tony to help navigate critical legal, risk and reputational landmines. Tony has helped clients respond to hundreds of cyberattacks and data breaches. He has directed forensic investigations, cross-border notifications, and regulatory and private enforcement matters, in connection with incidents involving personal data of employees and customers, including PCI/payment card data, as well as proprietary data and corporate trade secrets, on behalf of private and public companies as well as governmental entities. 

Tony has also defended clients for nearly two decades in regulatory investigations and enforcement actions by the Federal Trade Commission (FTC) and State Attorneys General.  These matters have involved (i) cyberattacks and data breach incidents, (ii) privacy implications of innovative data use-cases, and (iii) consumer protection issues relating to online and offline sales & marketing and advertising practices -- particularly in the retail e-commerce and fintech/consumer finance industries.  Tony draws insights from his regulatory practice to inform his counseling work, where he regularly advises Legal, InfoSec/IT, Product/Marketing, and C-Suite/Board stakeholders on a host of governance, compliance, and risk mitigation strategies.

Recognized as a leading lawyer, Tony has been ranked in Chambers USA, The Legal 500 US, Benchmark Litigation, The Cybersecurity Docket and Super Lawyers D.C. Rising Stars. He’s been consistently named to The Cybersecurity Docket’s “Incident Response 30” list of the top IR professionals in the United States since the inception of that recognition. Clients endorse Tony, telling Chambers “He's fantastic,” “He takes the time to tend to companies’ needs and understands clients’ objectives.” The National Law Journal named Tony to its 2014 list of D.C. Rising Stars, a 40-under-40 group of “game changing” private, government and public interest attorneys. Based on surveys of senior in-house counsel, Tony was awarded the Client Choice Award by the International Law Office (ILO)/Lexology in 2015, and was named an Acritas Star Lawyer in 2016 and 2017.  In 2016, Law360 named Orrick’s Cyber, Privacy & Data Innovation practice “Practice Group of the Year” in the data privacy category. Chambers repeatedly ranks the Orrick team in Band 1; and in 2019, Chambers named Orrick the “Privacy/Data Security Law Firm of the Year.”

Tony serves on the Firm's Executive Management Committee, focusing on the area of practice innovation.  In 2020, the Financial Times named him one of the top 10 Most Innovative Practitioners in North America.

  • A representative selection of Tony's cybersecurity, data privacy, and consumer protection experience, includes the following:

    Cybersecurity/Incident Response. Tony has represented public and private companies, as well as governmental entities, in responding to hundreds of cyberattacks and data breaches involving the personal information of employees and customers (e.g., payment card data) as well as proprietary information and trade secrets.  In his response capacity, Tony collaborates with key stakeholders to:

    • direct forensic investigations
    • support law enforcement engagement
    • assess and execute on cross-border individual and regulator notifications
    • manage internal and external corporate communications
    • defend against regulatory inquiries and investigations (as well as PCI/Card Brand regimes)
    • advise on civil litigation strategy
    • assist in managing post-incident remediation

    Based on this experience, Tony helps clients design and deploy proactive governance, compliance, and risk mitigation strategies focused on incident preparedness (e.g., tabletop simulations), vendor management, and cyber training for Directors and Officers.

    Data Privacy/Sales & Marketing. Tony works with companies on critical internal and external data-use-cases relevant to privacy, as well as to state and federal "unfair" or "deceptive" trade practices law, including:

    • privacy policies and related disclosures
    • privacy-by-design programs and processes
    • evaluating new tools, technologies and vendors that leverage data (e.g., biometrics)
    • advertising program management (e.g., claims substantiation through data analytics)
    • sales and marketing compliance (e.g., telemarketing, SMS/text marketing, email and direct mail)

    In connection with this work, Tony regularly advises clients on a host of data-related rules and regulations, including but not limited to Section 5 of the Federal Trade Commission Act, the Telemarketing Sales Rule, the Telephone Consumer Protection Act, the CAN-SPAM Act, the Gramm Leach Bliley Act, and the Fair Credit Reporting Act, as well as relevant state law, including the California Consumer Privacy Act (CCPA), state "UDAP" statutes and specialty rules such as those concerning social security numbers, data brokers and biometric privacy.

    Regulatory Investigations. Tony has defended clients in federal and state regulatory investigations, across an array of cybersecurity, data privacy and consumer protection matters.  Highlights of his work include representations on behalf of the following clients: 

    • National ticketing and events company (FTC and AG investigations by 25 States in the aftermath of a major cybersecurity incident)
    • Consumer financing company (FTC investigation related to marketing of unique consumer financing product)
    • Bank marketing subsidiary (FTC investigation alleging violations of a prior consent decree requiring privacy disclosures and cyber assessments in relation to digital marketing and e-commerce platform)
    • Fintech lender (FTC investigation involving claims-substantiation in the advertising context)
    • Online retailer (FTC investigation involving "negative option," recurring subscription/auto-renewal membership programs)
    • Loan modification entity (FTC investigation and litigation involving credit repair services)
    • National mortgage provider (FTC investigation relating to a cybersecurity incident and data breach)
    • Consumer lender (FTC investigation involving Gramm Leach Act (GLBA) and Fair Credit Reporting Act (FCRA))
    • National mobility device maker (FTC and four state AG investigations involving the Telemarketing Sales Rules (TSR), the Do-Not-Call Rules (DNC), and state analogs)
    • Professional networking service (FTC investigation into collection, sharing, and use of personal information)
    • Social gaming network (FTC investigation involving cyber incident and data breach, implicating Children's Online Privacy Protection Act (COPPA))
    • Online background check service (FTC investigation related to collection, sharing and use of personal information)
    • Global retailer (Among FTC's first data privacy investigations regarding "online behaviorally targeted advertising")

    Consumer Litigation. Tony has led or co-led the defense in consumer class action matters, including for the following clients:

    • Gaming company (Telephone Consumer Protection Act (TCPA) claim related to text message marketing; Northern District of Illinois)
    • National ticketing and events company (cybersecurity and data breach incident)
    • Social network (TCPA claim related to SMS-based services; Southern District of Florida)
    • Boutique fashion retailer (Fair & Accurate Credit Transactions Act (FACTA) claim related to disclosures on POS receipts; Southern District of Florida)
    • Online dating network (unfair and deceptive trade practices claims; Maryland state court)
    • Catalog-based shopping club (Fair Credit Reporting Act (FCRA) claims related to “firm offers” of credit and the Credit Repair Organizations Act (CROA); Northern District of Illinois)
    • Merchant card provider (state telemarketing and deceptive trade practices claims; Alabama state court)

    Tony also has extensive experience in all facets of antitrust and competition law, including: 

    Mergers & Acquisitions.  Tony has led or co-led the defense in merger, acquisition and joint venture investigations before the U.S. Department of Justice’s Antitrust Division and U.S. Federal Trade Commission, on behalf of clients such as:

    • IronPlanet (online auctions and related disposition formats)
    • Blackfriars (polymer products distribution)
    • Elance (online freelancer platforms)
    • Crane Co. (unattended payment systems)
    • Instagram (mobile photo-sharing app)
    • BASF (specialty chemicals)
    • INEOS Group (styrenics plastics)
    • NOVA Chemicals (styrenics plastics)
    • Exxaro Resources (mineral sands)
    • CoorsTek (alumina wear tiles)
    • New Times Media (alternative newsweeklies)

    Cartel Investigations Tony has experience conducting internal investigations and defending companies in criminal proceedings before the U.S. Department of Justice’s Antitrust Division, including investigations involving the following industries:

    • Parcel Tankers
    • DRAM
    • Auto lighting
    • Auto electronics
    • Auto hoses

    Antitrust Litigation.  Tony has served on litigation/trial teams serving plaintiffs and defendants in state and federal courts, including for the following clients:

    • DHL (as “opt-out” plaintiff in relation to the Air Cargo price-fixing class actions)
    • Microsoft (as defendant in an ITC proceeding involving the “patent misuse” defense)
    • Whole Foods Market (as plaintiff in a multi-prong strategy in response to the FTC’s post-consummation challenge to the Wild Oats acquisition)
    • Halcor S.A. (as defendant in a federal price-fixing class action)
    • SF Weekly (as defendant in a California state predatory-pricing action)
    • Foundry Networks (as antitrust counter-claimant in a case involving alleged abuses in the standard-setting context)