Kim Phan

Tel 202.661.7647
Fax 202.661.2299
Washington, DC

Kim Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations, including the California Consumer Privacy Act (CCPA). Her work in this area encompasses strategic planning and guidance for companies to incorporate privacy and data security considerations throughout product development, marketing, and implementation. She also assists companies with data breach prevention and response, including establishing effective data security programs prior to a breach and the assessment of breach response obligations following a breach.

Kim writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities.

Kim also has provided extensive e-commerce and mobile counseling to clients, including adapting an augmented reality mobile game for a retail client, conducting online behavioral advertising assessments of websites in order to update and enhance website privacy policies, adapting website functions for accessibility in compliance with the Americans with Disabilities Act (ADA), and establishing employee training on social media interactions with consumers.

Kim's practice also focuses on providing guidance to clients on regulatory compliance matters, including supervisory and enforcement interactions with the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and other federal regulatory agencies. She has successfully represented multiple national companies through the FTC investigatory process, resulting in "no-action" letters. She has also counseled a national consumer reporting agency through its CFPB compliance obligations, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing an audit process to assess compliance with federal consumer financial laws. Kim also has counseled clients through state attorneys general and departments of consumer protection investigations.

Representative Matters

Privacy & Data Security

  • Provided guidance to numerous companies in responding to security incidents and data breaches
  • Negotiated security requirements for a vendor agreement to provide cloud storage services
  • Counseled a major credit card company in establishing employee training on social media interactions with consumers
  • Conducted online behavioral advertising assessments of websites in order to update and enhance the online privacy policies of various financial institutions
  • Assisted a national lender in establishing a Gramm-Leach-Bliley Act Privacy Rule compliance program, including drafting annual privacy notices

Regulatory Compliance

  • Assisted a major credit company in conducting a comprehensive unfair, deceptive, or abusive acts or practices (UDAAP) assessment of card member rewards programs
  • Represented a national consumer products retailer throughout the company's response to an FTC enforcement investigation, resulting in a "no-action" letter
  • Counseled a national consumer reporting agency in preparation for CFPB examination, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing a compliance management system to address federal consumer financial laws, including the FCRA
  • Submitted public comments on behalf of an industry trade association in response to the CFPB's proposed rule on larger participants in the debt collection market

Professional Activities

International Association of Privacy Professionals

American Bar Association, Consumer Financial Services Committee

National Asian Pacific American Bar Association-Asian Pacific American Bar Association, Financial Services Network

Mortgage Bankers Association

Real Estate Service Providers Council

American Financial Services Association, CCPA Working Group

Receivables Management Association International – Member of RMAI Editorial & Social Media Committee

National Conference of Vietnamese American Attorneys – Social Networking Committee Chair, Member of Organizing Committee 2020

Data Privacy Committee, MLRC Defense Counsel

Recognitions & Accomplishments

Chambers FinTech Legal USA, Data Protection & Cyber Security, 2020-2021

The Legal 500, Fintech, 2020

Named one of the Top 50 Receivables Professionals of the Year by Receivables Advisor, 2019

Recognized as one of the 25 Most Influential Women in Collections by Collection Advisor, 2016

Named to Lawyers of Color's Inaugural Hot List for 2013, recognizing 100 attorneys younger than 40


Kim is a frequent contributor to two Ballard Spahr blogs: CyberAdviser, focused on the latest news and developments in privacy and cybersecurity law, and Consumer Finance Monitor.

"FTC brings GLBA Safeguards Rule enforcement action against mortgage vendor," Ballard Spahr Consumer Finance Monitor blog, December 22, 2020

Co-author, "Federal Agencies Consider Requiring Reporting of Computer Security Incident," Ballard Spahr CyberAdviser blog, December 21, 2020

Co-author, "FTC Seeks Privacy Information from Social Media and Video Streaming Companies," Ballard Spahr CyberAdviser blog, December 14, 2020

"FTC-Zoom consent order: implications for remote workforces," Ballard Spahr Consumer Finance Monitor blog, November 10, 2020

"The CFPB’s final collections rule: impact on credit reporting," Ballard Spahr Consumer Finance Monitor blog, November 10, 2020

"CCPA Amendments Signed into Law," Ballard Spahr CyberAdviser blog, October 6, 2020

Co-author, "FTC Holds Workshop on Data Portability," Ballard Spahr CyberAdviser blog, September 29, 2020

Co-author, "CCPA Regulations Go Into Effect – With a Few Final Changes," Ballard Spahr CyberAdviser blog, August 19, 2020

Co-author, "FTC Holds Workshop on GLBA Safeguards Rule," Ballard Spahr CyberAdviser blog, July 17, 2020

Co-author, "Privacy Shield Invalidated by the European Court of Justice," Ballard Spahr CyberAdviser blog, July 17, 2020

"Federal COVID-19 Privacy Legislation to be Introduced," Ballard Spahr CyberAdviser blog, May 6, 2020

Co-author, "Remote Learning – Privacy and Data Security Challenges," Ballard Spahr alert, April 23, 2020

Co-author, "State AGs ask Director Kraninger to withdraw CFPB COVID-19 credit reporting guidance," Ballard Spahr Consumer Finance Monitor blog, April 16, 2020

Co-author, "CFPB issues credit reporting guidance during COVID-19 pandemic," Ballard Spahr Consumer Finance Monitor blog, April 2, 2020

Co-author, "CARES Act includes provisions on credit reporting and student loans," Ballard Spahr Consumer Finance Monitor blog, March 30, 2020

Co-author, "Collecting Personal Information to Combat Coronavirus and the CCPA," Ballard Spahr CyberAdviser blog, March 18, 2020

Co-author, "California AG Issues Modified CCPA Regulations," Ballard Spahr CyberAdviser blog, February 7, 2020

"FTC announces improvements to orders in data security cases," Ballard Spahr CyberAdviser blog, January 15, 2020

"CFPB settles enforcement action against employment background screening company for alleged FCRA violations," Ballard Spahr CyberAdviser blog, November 25, 2019

Co-author, "California AG Releases Proposed CCPA Regulations," Ballard Spahr CyberAdviser blog, October 10, 2019

Co-author, "Facebook to Pay $5 Billion for Violating 2012 FTC Consent Order," Ballard Spahr CyberAdviser blog, July 24, 2019

Co-author, "Equifax Reaches Historic $575 Million Settlement Agreement Arising from 2017 Data Breach," Ballard Spahr CyberAdviser blog, July 23, 2019

"Denmark DPA Rules on How GDPR Applies to Voice Recordings," Ballard Spahr alert, April 18, 2019

"D.C. Circuit TCPA Decision Gives Industry Partial Victory, but No Certainty," Ballard Spahr CyberAdviser blog, March 21, 2018

"FTC Releases 'Best Practices' to Improve Mobile Device Security," Ballard Spahr CyberAdviser blog, March 6, 2018

"Lyft Employees Demonstrate Need for Privacy Compliance Management," Ballard Spahr CyberAdviser blog, February 9, 2018

"OCC Report Identifies Cybersecurity as Key Risk for Federal Banking System," Ballard Spahr CyberAdviser blog, January 23, 2018

Co-author, "Privacy and Data Security and Emerging Technologies - Spotlight on the Internet of Things and Biometrics," Ballard Spahr CyberAdviser blog, January 14, 2018

Co-author, "FTC Provides Guidance to Social Media Influencers in Live Twitter Chat," Ballard Spahr alert, October 4, 2017

Co-author, "FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach," Ballard Spahr alert, August 31, 2017

"Credit Reporting: Adapting to Regulatory Expectations," RMA Insights, Fall 2017 

Co-author, "The NYDFS Cybersecurity Approach Marks a Radical Shift for Financial Institutions," Cornerstone Support, April 20, 2017

"Gaining Cyber Insight," Canadian Underwriter, February 2017

Co-author, "New York Regulators Drive Cyber Security Accountability for the Financial Sector," Payments & FinTech Lawyer, November 10, 2016

Co-author, "Envelope's Display of Barcode With Embedded Account Number Does Not Violate FDCPA, Florida Federal Court Rules," Ballard Spahr alert, November 9, 2016

Co-author, "DC Circuit Hears TCPA Oral Argument," Ballard Spahr alert, October 26, 2016 

Co-author, "FFIEC Provides Concrete Guidance on Setting Up Information Security Programs," Ballard Spahr alert, September 14, 2016

Co-author, "Important Lessons for Businesses from FTC's Opinion on LabMD's Data Security Practices," Ballard Spahr alert, August 12, 2016

"The CFPB Becomes the Latest Federal Agency to Take on Data Security," Journal of Internet Law, May 2016

Co-author, "NY DFS Brings First Data Security Action," Ballard Spahr alert, March 24, 2016

Co-author, "FTC Enforcement Action Highlights Advertising Risks for Retailers," Ballard Spahr alert, March 18, 2016

Co-author, "FTC Examines Process by which Companies Assess Compliance with PCI DSS," Ballard Spahr alert, March 9, 2016 

"Recent Trends in the FTC’s Data Security and Privacy Enforcement Actions," Journal of Internet Law, March 2016

Co-author, "DOJ/DHS Issue Interim Guidance on Implementation of Cybersecurity Information Sharing Act," Ballard Spahr alert, February 23, 2016

Co-author, "FTC Provides Guidance to Businesses Engaged in Native Advertising," Ballard Spahr alert, January 4, 2016

Co-author, "LifeLock to Pay $100 Million to Settle Charges It Violated 2010 Court Order," Ballard Spahr alert, December 28, 2015

Co-author, "FTC Takes Action against App Developers on COPPA Allegations Involving Persistent Identifiers," Ballard Spahr alert, December 23, 2015

Co-author, "ACC Foundation Releases Largest Study of its Kind on Cybersecurity Among In-House Counsel Study Underwritten by Ballard Spahr," Ballard Spahr alert, December 9, 2015

Co-author, "FTC Follows in CFPB Footsteps with GLBA Privacy Notices," Ballard Spahr alert, June 22, 2015

Co-author, "State AG - Credit Bureaus Settlement: What Furnishers Need to Know," Ballard Spahr alert, May 27, 2015 

Co-author, "Internet of Things: Federal Agencies Offer Privacy and Data Security Best Practices," Ballard Spahr alert, January 29, 2015

Co-author, "FTC Sees Privacy as Paramount for Debt Buying Industry," Law360, December 1, 2014

"Policy Preparedness: A CFPB Focus for Compliance Management," July 21, 2014

Co-author, "California Attorney General Releases Privacy Policy Guidance for 'Do Not Track' Disclosures," Ballard Spahr alert, May 27, 2014

Co-author, "New Internet Top-Level Domains Unveiled," Ballard Spahr alert, December 13, 2013

"CFPB: No 'Crisis' in Debt Collection, but Problems Need Correcting," December 10, 2013

"U.S. Safe Harbor at Risk from NSA Storm," Privacy Laws & Business International Report, October 2013

"New Rules of the Road: Preparing for a Bumpy Ride as the CFPB Begins Developing Fair Debt Collection Practices Act Rules," DBA Magazine, Fall 2013

"Assessing Risk: Data Breach Litigation in U.S. Courts," International Association of Privacy Professionals, The Privacy Advisor, Vol. 12, No. 9, November 2012

"CFPB To Begin Supervision of the Debt Buying Industry," DBA Magazine, Fall 2012

"The U.S. Executive Branch Steps Up Privacy Activity," Privacy Laws & Business International Report, April 2012


"The Main Takeaways from the Recent FTC Settlement with Zoom," Ballard Spahr Business Better podcast, December 9, 2020

Speaking Engagements

"On to 2021: What Lies Ahead?" ACC Minnesota Lunch and Learn, December 16, 2020

"Leadership in the Legal Community," George Mason University Antonin Scalia Law School webinar, November 17, 2020

"Credit Reporting Under the New CFPB Debt Collection Rule," ACA International Huddle webinar series, November 11, 2020

"Consumer Financial Services in Turbulent Times: Privacy and Data Security," Ballard Spahr CLE Webcast Series, November 6, 2020

"Privacy and Data Security Updates," ACA International Fall Forum Session, November 5, 2020

Moderator, "If You Think the CFPB Stepped Back From Supervision and Enforcement, You’re Not Paying Attention," RESPRO, November 5, 2020

"Consumer Financial Services in Turbulent Times: Electronic Contracting," Ballard Spahr CLE Webcast Series, October 26, 2020

Panelist, "PRIVACY: The More Things Change, the More They Stay the Same," CDIA Law & Industry Conference, September 24, 2020

Panelist, "Legal Education: Big Brother Is Watching: Privacy Protection Statutes in 2020," ACA International’s 2020 Virtual Convention & Expo, July 15, 2020

"Credit Union and Community Banks Mortgage Regulatory Update Part III," Ballard Spahr webinar, July 10, 2020

"ADA Digital Accessibility Update for Financial Institutions in the COVID-19 Era," Ballard Spahr webinar, June 24, 2020

"Artificial Intelligence – A Primer for Lawyers," Ballard Spahr webinar, June 18, 2020

"Through the California Looking Glass: Making the Requirements of the CCPA Clear and Understandable," RMAI conference, February 4, 2020

"Surveying the Murky Landscape of Data Privacy Laws: Illuminating Tips on a Clear Path to Compliance," RMAI conference, February 4, 2020

Panelist, "Putting the Person into Personal Data: The Expansion of Personal Data and How to Navigate its Changes, its Regulation and its use in Financial Svcs (including Blockchain)," American Bar Association Consumer Financial Services Committee Winter Meeting, January 18, 2020

"CCPA: The Home Stretch," RESPRO CCPA webinar, December 10, 2019

"CCPA Compliance Update – What You Need To Know By January 1," CDIA CCPA webinar, December 4, 2019

"Data Security Requirements for the ARM Industry," ARM-U webinar, November 20, 2019

"The Proliferation of State Consumer Privacy Laws and Their Impact on Credit and Collections," Webinar, November 14, 2019

"New Proposed Regulations to the California Consumer Privacy Act," Ballard Spahr webinar, November 8, 2019

"Privacy and Data Security" Lunch Presentation, Ballard Spahr Housing Authority Summit, November 7, 2019

"Privacy and Data Security Update" and "Social Media Update," Credit Card Bank Compliance Association Fall Meeting, 2019

"Developments Regarding Data Security and Privacy," Pennsylvania Bar Institute's (PBI) Consumer Financial Services and Banking Law Update 2019, Philadelphia, PA, October 29, 2019

"Social Media Update for Financial Institutions," Ballard Spahr webinar, October 25, 2019

"Data Management for Business Operations," American Financial Services Association (AFSA) Annual Meeting, Nashville, TN, October 23, 2019

"Nevada's New Cybersecurity Legislation," CyberWire podcast, October 23, 2019

"The Tipping Point? What Lawyers Need to Know About the Alphabet Soup of Data Privacy Laws," 13th Annual National Conference of Vietnamese American Attorneys, Dallas, TX, October 5, 2019

"Cloud Services in the Financial Services Industry," Ballard Spahr webinar, September 24, 2019

"The Coming Rules on Data Privacy and Security," MBA's Regulatory Compliance Conference 2019, Washington, D.C., September 23, 2019

"Fintech Regulatory Developments in 2019," Ballard Spahr CLE, September 20, 2019

"GLBA Safeguard Rule – FTC Proposed Amendments," Real Estate Service Providers Council's Fall Seminar, Charleston, SC, September 12, 2019

"Women in Leadership," 2019 ACA International Convention, San Diego, CA, July 15, 2019

"Credit Reporting," Deep Dive Webinar Series: CFPB Notice of Proposed Debt Collection Rulemaking, ACA International Webinar, June 18, 2019

"Is the FTC the New CFPB?" Ballard Spahr webinar, June 12, 2019

"Security Orchestration, Automation, and Incident Response (SOAR)," CISO Executive Network, June 6, 2019

"The Importance of Privacy & Data Security in Retail," Ballard Spahr webinar, May 29, 2019

"Exploring Privacy Legislation at the Federal and State Levels," ACA International Washington Insights, May 16, 2019

"Card Issuers Workshop," Ballard Spahr workshop, Sioux Falls, May 15, 2019

"Card Issuers Workshop," Ballard Spahr workshop, Minneapolis, May 14, 2019

"A Look at the FTC's Proposed GLBA Rules," Ballard Spahr podcast, April 25, 2019

"Cybersecurity and Privacy Enforcement – Recent and Future Federal and State Activity," TechGC New York, January 16, 2019

"Consumer Protection Update," ABA Section of Antitrust Law, December 11, 2018

"Credit Cards & Data Mining: How Big Data Can Add Value," Credit Card Bank Compliance Association, November 11, 2018

"GDPR Guidance, Compliance and Enforcement Priorities," ACC Foundation Webcast, September 18, 2018

"Cybersecurity," Conference on Consumer Finance Law, June 1, 2018

"Navigating the Open Source Landscape," Atlanta, November 29, 2017

"Reporting Standards Under SSAE/SOC," Auriemma Vendor Management Roundtable, November 10, 2017

"What You Need to Know About the Application of the FCRA to Non-Credit Products and Services," Ballard Spahr webinar, October 17, 2017

"Does Your New Project Website Keep You Up at Night? Emerging Best Practices Applicable to the Real Estate Industry in the Digital Age," Ballard Spahr breakfast event, September 27, 2017

"Program on NYDFS Cybersecurity Regulations," Women in Housing & Finance, Inc., July 26, 2017

"CFSA Webinar - The Ongoing CFPB Threat," Ballard Spahr webinar, May 31, 2017

"Network & System Architecture as a Defense," CISO Executive Network, May 24, 2017 

"Implementing New York's New Cyber Security Regulation," RESPRO Annual Conference, Las Vegas, April 19, 2017

"My Cybersecurity Career Journey: Tips and Tools to Succeed," Women in Cybersecurity Conference, Tucson, Arizona, April 1, 2017

"Alternative Credit - Opportunities, Risks, and the CFPB's Request for Data," Ballard Spahr webinar, March 21, 2017

"CFPB Questions the Ability of Consumers to Give Third Parties Access to Their Digital Financial Records," Ballard Spahr webinar, March 16, 2017

Panelist, "The Consumer Regulation Regime for 2017," Credit Union National Association Governmental Affairs Conference, Washington, D.C., February 28, 2017

"Perspectives on the Debt Collection Industry in 2017," Consumer Finance Committee of the D.C. Bar Litigation Section, Washington, D.C., February 22, 2017 

"Beyond the CFPB - The Enforcement Role of the FTC Post-Election," Ballard Spahr webinar, January 4, 2017

"You've Been Hacked: Now What?" NAPABA Conference 2016, November 4, 2016

"Managing Security Program Risk & Effectiveness," CISO Executive Network, October 12, 2016

"Social Media For Marketing - Legal Considerations," RESPRO Fall Conference, Washington, D.C., September 23, 2016 

"Enterprise Security Vulnerability," CISO Executive Network, August 31, 2016

"Attorneys in the Matrix: Legal Best Practices Against Black Hat Threats," Maryland Association of Counties Summer Conference, Ocean City, Maryland, August 16, 2016

"Lavender Law Cybersecurity Workshop," Lavender Law Conference, August 4, 2016

"Using Social Media and Texts for Debt Collection," Ballard Spahr webinar, May 5, 2016

"Advanced Identity & Access Management Techniques," CISO Executive Network: Philadelphia Breakfast Roundtable 2 of 6, April 6, 2016

"The CFPB's First Data Security Enforcement Action," Ballard Spahr webinar, March 18, 2016

"The State of Cybersecurity Report," Association of Corporate Counsel, Philadelphia, February 18, 2016

"Legal Landscape: How Past Cases Impact the Industry Today," DBA Conference, February 9, 2016 

"Cybersecurity Preparedness Among In-House Counsel," Association of Consumer Vehicle Lessors - Legal Committee Meeting, January 6, 2016

"Data Privacy and Data Security," Utah State Bar Fall Forum, Salt Lake City, November 19, 2015

"Building a Best-In-Class Regulatory Function," Public Affairs Council, Advocacy for Regulatory Success, October 27, 2015

Panelist, "TCPA - Robocalls, Text Messages and the New FCC Ruling," Credit Union National Association webinar, September 1, 2015

Panelist, "The FFIEC Cybersecurity Assessment Tool: Is Your Company at Risk?" Ballard Spahr webinar, August 4, 2015

"CFPB Examinations 101," CFPB Exam Prep Workshop, ARM-U: ARM-U Free Virtual Conference 6 Ops and Compliance Webinars, June 3, 2015

"Compliance in the Era of Thinking Devices," Association of Corporate Counsel, Philadelphia, May 19, 2015

"ALFN + NARCA Advocacy Day," American Legal and Financing Network (ALFN) & National Association of Retail Collection Attorneys (NARCA), Washington, D.C., April 13, 2015

"Building Your Data Breach Prevention & Response Playbook," Payments Source & American Banker: Card Forum & Expo 2015, April 9, 2015

"Law School for the CFO: The Digital Divide," Philadelphia CFO Leadership Council program, March 19, 2015 

"Employers Strike Gold and Legal Barriers Mining Social Media for Job Applicant and Employee Data," Privacy Laws & Business Annual Conference, July 2, 2012

Board Memberships

Board Member and Immediate Past President, Vietnamese American Bar Association of the Greater Washington, D.C. Area (VABA-DC)

George Mason University, Antonin Scalia Law School (J.D. 2006)
Notes Editor, Federal Circuit Bar Journal
President, Student Bar Association
11th Circuit Lt. Governor, American Bar Association

University of Pennsylvania (B.A., cum laude, 2001)
Benjamin Franklin Scholar

District of Columbia


U.S. District Court for the Eastern District of Virginia

U.S. Supreme Court