Kim Phan

Of Counsel
Tel 202.661.2286
Fax 202.661.2299
Washington, DC

Kim Phan writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. Ms. Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate privacy and data security considerations throughout product development, marketing, and implementation. Ms. Phan also assists companies with data breach prevention and response, including establishing effective data security programs prior to a breach and the assessment of breach response obligations following a breach.

Ms. Phan has also done extensive e-commerce and mobile counseling with clients, including adapting an augmented reality mobile game for a retail client, conducting online behavioral advertising assessments of websites in order to update and enhance website privacy policies, and establishing employee training on social media interactions with consumers.

Ms. Phan's practice also focuses on providing guidance to clients on regulatory compliance matters, including supervisory and enforcement interactions with the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and other federal regulatory agencies. She has successfully represented multiple national companies through the FTC investigatory process, resulting in "no-action" letters. She has also counseled a national consumer reporting agency through its CFPB compliance obligations, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing an audit process to assess compliance with federal consumer financial laws. Ms. Phan has also counseled clients through state attorneys general and departments of consumer protection investigations.

Representative Matters

Privacy & Data Security

  • Provided guidance to numerous companies in responding to security incidents and data breaches.
  • Negotiated security requirements for a vendor agreement to provide cloud storage services.
  • Counseled a major credit card company in establishing employee training on social media interactions with consumers.
  • Conducted online behavioral advertising assessments of websites in order to update and enhance the online privacy policies of various financial institutions.
  • Assisted a national lender in establishing a Gramm-Leach-Bliley Act Privacy Rule compliance program, including drafting annual privacy notices.

Regulatory Compliance

  • Assisted a major credit company in conducting a comprehensive unfair, deceptive, or abusive acts or practices (UDAAP) assessment of card member rewards programs.
  • Represented a national consumer products retailer throughout the company’s response to an FTC enforcement investigation, resulting in a “no-action” letter.
  • Counseled a national consumer reporting agency in preparation for CFPB examination, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing a compliance management system to address federal consumer financial laws, including the Fair Credit Reporting Act (FCRA).
  • Submitted public comments on behalf of an industry trade association in response to the CFPB’s proposed rule on larger participants in the debt collection market.

Professional Activities

American Bar Association

National Asian Pacific American Bar Association–Asian Pacific American Bar Association

Ballard Spahr Diversity and Inclusion Council

Mortgage Bankers Association, Young Professionals Program, Steering Committee Member

Board Memberships

Vietnamese American Bar Association (VABA-DC), President, 2014-present

Recognition & Accomplishments

Recognized as one of the 25 Most Influential Women in Collections by Collection Advisor (September/October 2016)

Named to Lawyers of Color’s Inaugural Hot List for 2013, recognizing 100 attorneys younger than 40


"Gaining Cyber Insight," Canadian Underwriter, February issue, 2017

Co-author, "NYDFS Revises Cybersecurity Regulation, Extends Effective Date to March 1, 2017," Ballard Spahr alert, December 28, 2016 

Co-author, "New York Regulators Drive Cyber Security Accountability for the Financial Sector," Payments & FinTech Lawyer, November 10, 2016

Co-author, "Envelope's Display of Barcode With Embedded Account Number Does Not Violate FDCPA, Florida Federal Court Rules," Ballard Spahr alert, November 9, 2016

Co-author, "DC Circuit Hears TCPA Oral Argument," Ballard Spahr alert, October 26, 2016

Co-author, "Federal Banking Agencies Propose New Requirements for Managing Cyber Risk," Ballard Spahr alert, October 20, 2016

Co-author, "11th Circuit Holds That Entity Collecting Its Own Debt Not 'Debt Collector' Under FDCPA," Ballard Spahr alert, October 4, 2016

Co-author, "N.Y. Moves Ahead with Proposed Cybersecurity Regulations for Financial Institutions," Ballard Spahr alert, September 19, 2016

Co-author, "FFIEC Provides Concrete Guidance on Setting Up Information Security Programs," Ballard Spahr alert, September 14, 2016

Co-author, "Important Lessons for Businesses from FTC's Opinion on LabMD's Data Security Practices," Ballard Spahr alert, August 12, 2016

Co-author, "International Regulators Issue Cybersecurity Guidance to the Financial Industry," Ballard Spahr alert, July 6, 2016

Co-author, "Seventh Circuit Refuses To Impose a Heightened Litigation Standard on Debt Collector," Ballard Spahr alert, June 3, 2016

Co-author, "TCPA Under Scrutiny in Court and by Senate," Ballard Spahr alert, May 24, 2016

Co-author, "FTC Highlights FDCPA Risks for Debt Collectors Using Social Media, Texts," Ballard Spahr alert, March 31, 2016

Co-author, "NY DFS Brings First Data Security Action," Ballard Spahr alert, March 24, 2016

"The CFPB Becomes the Latest Federal Agency to Take on Data Security," Journal of Internet Law, May 2016

Co-author, "FTC Enforcement Action Highlights Advertising Risks for Retailers," Ballard Spahr alert, March 18, 2016

Co-author, "FTC Examines Process by which Companies Assess Compliance with PCI DSS," Ballard Spahr alert, March 9, 2016

Co-author, "CFPB Initiates Its First Data Security Enforcement Action," Ballard Spahr alert, March 3, 2016

Co-author, "President Obama Gives EU Citizens Judicial Redress for Privacy Violations," Ballard Spahr alert, March 1, 2016

"Recent Trends in the FTC’s Data Security and Privacy Enforcement Actions," Journal of Internet Law, March 2016

Co-author, "Creditor Can Obtain TCPA 'Prior Express Consent' Through Intermediary, Sixth Circuit Rules," Ballard Spahr alert, February 26, 2016

Co-author, "President Creates Cybersecurity National Action Plan and Commission on Enhancing National Cybersecurity," Ballard Spahr alert, February 24, 2016

Co-author, "DOJ/DHS Issue Interim Guidance on Implementation of Cybersecurity Information Sharing Act," Ballard Spahr alert, February 23, 2016

Co-author, "Voicemail Messages on Debtor's Phone Did Not Violate FDCPA, Federal Court Rules," Ballard Spahr alert, February 22, 2016

Co-author, "Court: Debt Collector's Implicit Suggestion that Consumer Should Make Payment Within Dispute Period Violates FDCPA," Ballard Spahr alert, February 19, 2016

Co-author, "FTC Announces 'Operation Collection Protection' Developments," Ballard Spahr alert, January 14, 2016

Co-author, "FTC Provides Guidance to Businesses Engaged in Native Advertising," Ballard Spahr alert, January 4, 2016

Co-author, "LifeLock to Pay $100 Million to Settle Charges It Violated 2010 Court Order," Ballard Spahr alert, December 28, 2015

Co-author, "FTC Takes Action against App Developers on COPPA Allegations Involving Persistent Identifiers," Ballard Spahr alert, December 23, 2015

Co-author, "ACC Foundation Releases Largest Study of its Kind on Cybersecurity Among In-House Counsel Study Underwritten by Ballard Spahr," Ballard Spahr alert, December 9, 2015

Co-author, "FTC Announces 'Operation Collection Protection'," Ballard Spahr alert, November 5, 2015

Co-author, "FDCPA “Communication” Must Imply Existence of a Debt, Sixth Circuit Rules," Ballard Spahr alert, October 30, 2015

Co-author, "New NIST Guide Advises Health Care Companies on Securing Patient Health Information on Mobile Devices," Ballard Spahr alert, August 11, 2015

Co-author, "FFIEC Tool Helps You Assess Cyber Risk," Ballard Spahr alert, July 8, 2015

Co-author, "FCC Order Creates New TCPA Challenges for Companies," Ballard Spahr alert, July 13, 2015

Co-author, "FTC Follows in CFPB Footsteps with GLBA Privacy Notices," Ballard Spahr alert, June 22, 2015

Co-author, "State AG – Credit Bureaus Settlement: What Furnishers Need to Know," Ballard Spahr alert, May 27, 2015

Co-author, "FTC Announces Settlement with Retail Tracking Company," Ballard Spahr alert, April 28, 2015

Co-author, "New York Agency’s Report Focuses on Data Vulnerability of Banks’ Third-Party Vendors," Ballard Spahr alert, April 13, 2015

Co-author, "Federal Financial Regulators Offer Advice To Address Malware, Compromised Credentials," Ballard Spahr alert, April 1, 2015

Co-author, "President Obama Proposes Consumer Privacy Bill of Rights," Ballard Spahr alert, March 6, 2015

Co-author, "Anthem's Breach: How Employers Should Respond," Ballard Spahr alert, February 10, 2015

Co-author, "Internet of Things: Federal Agencies Offer Privacy and Data Security Best Practices," Ballard Spahr alert, January 29, 2015

Co-author, "NY Attorney General To Propose Bill To Strengthen Cybersecurity," Ballard Spahr alert, January 27, 2015

Co-author, "FTC Sees Privacy as Paramount for Debt Buying Industry," Law360, December 1, 2014

Co-author, "FTC Continues Regulatory Scrutiny of the Debt Buying Industry," Ballard Spahr alert, November 18, 2014

Co-author, "President Issues Executive Order to Improve Security of Federal Payment Systems," Ballard Spahr alert, October 22, 2014

Co-author, "FTC Brings First ROSCA Enforcement Action," Ballard Spahr alert, October 22, 2014

Co-author, "CFSA Presses Its Case against ‘Operation Choke Point’," Ballard Spahr alert, October 8, 2014

Co-author, "Is a Uniform Debt Buying Code on Its Way?" Ballard Spahr alert, September 3, 2014

Co-author, "Sixth Circuit Establishes 'Baseline' Information To Verify a Debt," Ballard Spahr alert, August 11, 2014

"Policy Preparedness: A CFPB Focus for Compliance Management,", July 21, 2014

Co-author, "California Attorney General Releases Privacy Policy Guidance for 'Do Not Track' Disclosures," Ballard Spahr alert, May 27, 2014

Co-author, "CFPB Proposes New Rules on Gramm-Leach-Bliley Act Annual Privacy Notices," Ballard Spahr alert, May 16, 2014

Co-author, "New York Department of Financial Services To Begin Cybersecurity Examinations of Financial Institutions," Ballard Spahr alert, May 8, 2014

Co-author, "New Internet Top-Level Domains Unveiled," Ballard Spahr alert, December 13, 2013

"CFPB: No 'Crisis' in Debt Collection, but Problems Need Correcting,", December 10, 2013

"U.S. Safe Harbor at Risk from NSA Storm," Privacy Laws & Business International Report, October 2013

"New Rules of the Road: Preparing for a Bumpy Ride as the CFPB Begins Developing Fair Debt Collection Practices Act Rules," DBA Magazine, Fall 2013

"Assessing Risk: Data Breach Litigation in U.S. Courts," International Association of Privacy Professionals, The Privacy Advisor, Vol. 12, No. 9, November 2012

"CFPB To Begin Supervision of the Debt Buying Industry," DBA Magazine, Fall 2012

"The U.S. Executive Branch Steps Up Privacy Activity," Privacy Laws & Business International Report, April 2012 

Speaking Engagements

"Perspectives on the Debt Collection Industry in 2017," Consumer Finance Committee of the D.C. Bar Litigation Section, Washington, D.C., February 22, 2017

"Preparing for NYDFS's Revised Cybersecurity Regulations," Ballard Spahr webinar, January 12, 2017

"Beyond the CFPB – The Enforcement Role of the FTC Post-Election," Ballard Spahr webinar, January 4, 2017

"You've Been Hacked: Now What?" NAPABA Conference 2016, November 4, 2016

"Privacy and Data Security," Pennsylvania Bar Institute Consumer Financial Services & Banking Law Update, October 18, 2016

"Managing Security Program Risk & Effectiveness," CISO Executive Network, October 12, 2016

"Social Media For Marketing – Legal Considerations," RESPRO Fall Conference, Washington, D.C., September 23, 2016

"Cybersecurity Today," MBA Regulatory Compliance Conference, Washington, D.C., September 20, 2016

"Cybersecurity and Health Care," Ballard Spahr presentation, Cherry Hill, New Jersey, September 15, 2016

"Enterprise Security Vulnerability," CISO Executive Network, August 31, 2016

"Attorneys in the Matrix: Legal Best Practices Against Black Hat Threats," Maryland Association of Counties Summer Conference, Ocean City, Maryland, August 16, 2016

"Lavender Law Cybersecurity Workshop," Lavender Law Conference, August 4, 2016

"Using Social Media and Texts for Debt Collection," Ballard Spahr webinar, May 5, 2016

"Emerging Law on Cybersecurity," MBA Conference, May 3, 2016

"Social Media – Legal Considerations in Using Social Media as a Marketing Tool," RESPRO Conference, April 20, 2016

"Data Security and Privacy Requirements: How Do They Affect My Business?" RESPRO Conference, April 19, 2016

"Advanced Identity & Access Management Techniques," CISO Executive Network: Philadelphia Breakfast Roundtable 2 of 6, April 6, 2016

"The CFPB's Priorities During the Next Two Years," Ballard Spahr webinar, March 29, 2016 

"The CFPB's First Data Security Enforcement Action," Ballard Spahr webinar, March 18, 2016

"The State of Cybersecurity Report," Association of Corporate Counsel, Philadelphia, February 18, 2016

"Legal Landscape: How Past Cases Impact the Industry Today," DBA Conference, February 9, 2016

"FinTech Data Privacy and Security," Ballard Spahr webinar, February 4, 2016

"Lessons Learned: Best Practices for In-House Counsel from the ACC Cybersecurity Report," Ballard Spahr webinar, January 12, 2016

"Cybersecurity Preparedness Among In-House Counsel," Association of Consumer Vehicle Lessors – Legal Committee Meeting, January 6, 2016

"Cybersecurity Across the Board (of Directors): Key Considerations and Practical Steps," Ballard Spahr webinar, December 10, 2015

"The FTC as the De Facto Privacy Regulator: 10 Things You Need to Know," Ballard Spahr CLE program, November 20, 2015

"Data Privacy and Data Security," Utah State Bar Fall Forum, Salt Lake City, November 19, 2015

"Building a Best-In-Class Regulatory Function," Public Affairs Council, Advocacy for Regulatory Success, October 27, 2015

"Data-Focused Protection Legal Insights," CISO Executive Network, Philadelphia Chapter, September 2, 2015

Panelist, "TCPA - Robocalls, Text Messages and the New FCC Ruling," Credit Union National Association webinar, September 1, 2015

Panelist, "The FFIEC Cybersecurity Assessment Tool: Is Your Company at Risk?" FFIEC Webinar, August 4, 2015

"Securely Managing Access & Identities," CISO Executive Network: Philadelphia Breakfast Roundtable 3 for 2015, June 10, 2015

"CFPB Examinations 101,"CFPB Exam Prep Workshop, ARM-U: ARM-U Free Virtual Conference 6 Ops and Compliance Webinars, June 3, 2015

"Defining (and Divining) Reasonableness in US Privacy and Data Security," Baltimore, Maryland, June 3, 2015

"Compliance in the Era of Thinking Devices," Association of Corporate Counsel, Philadelphia, May 19, 2015

"ALFN + NARCA Advocacy Day," American Legal and Financing Network (ALFN) & National Association of Retail Collection Attorneys (NARCA), Washington, D.C., April 13, 2015 

"Building Your Data Breach Prevention & Response Playbook," PaymentsSource & American Banker: Card Forum & Expo 2015, April 9, 2015

"Advanced Threat Detection & Analysis," Ballard Spahr-Hosted CISO Executive Network Breakfast Roundtable, April 1, 2015

"Law School for the CFO: The Digital Divide," Philadelphia CFO Leadership Council program, March 19, 2015

"Securing Applications," Ballard Spahr-hosted CISO Executive Network Breakfast Presentation, February 11, 2015

"Regulatory Forecast: There's More to It than the CFPB," ARM-U Conference, Washington, D.C., October 14, 2014

"The CFPB-ACE Cash Express Consent Order: Bad News for Debt Collectors and Lenders?" Ballard Spahr webinar, August 19, 2014

Panelist, "Best-Kept Secrets: How To Develop an Effective Data Privacy Infrastructure," Eighth Annual National Conference of Vietnamese American Attorneys, Orlando, June 28, 2014

"Measuring, Analyzing, and Reporting," Ballard Spahr and CISO Executive Network: Breakfast Roundtable, Washington, D.C., June 5, 2014

"Enterprise Security Architecture," Ballard Spahr and CISO Executive Network: Breakfast Roundtable, Washington, D.C., March 27, 2014

"The CFPB's Financial Literacy Mandate: What It Means for Industry," Ballard Spahr webinar, March 11, 2014

"The CFPB's Debt Collection Rulemaking: Our Predictions and the Potential Impact on the Industry," Ballard Spahr webinar, November 25, 2013

"Employers Strike Gold and Legal Barriers Mining Social Media for Job Applicant and Employee Data," Privacy Laws & Business Annual Conference, July 2, 2012

George Mason University School of Law (J.D. 2006)
Notes Editor, Federal Circuit Bar Journal; President and Student Law Fellow, Student Bar Association; 11th Circuit Lt. Governor, American Bar Association

University of Pennsylvania (B.A. 2001, cum laude, general honors)
Benjamin Franklin Scholar

District of Columbia


U.S. District Court for the Eastern District of Virginia