Kim Phan

Tel 202.661.7647
Fax 202.661.2299
Washington, DC

Kim Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act, and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate privacy and data security considerations throughout product development, marketing, and implementation. She also assists companies with data breach prevention and response, including establishing effective data security programs prior to a breach and the assessment of breach response obligations following a breach.

Kim writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities.

Kim also has provided extensive e-commerce and mobile counseling to clients, including adapting an augmented reality mobile game for a retail client, conducting online behavioral advertising assessments of websites in order to update and enhance website privacy policies, and establishing employee training on social media interactions with consumers.

Kim's practice also focuses on providing guidance to clients on regulatory compliance matters, including supervisory and enforcement interactions with the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and other federal regulatory agencies. She has successfully represented multiple national companies through the FTC investigatory process, resulting in "no-action" letters. She has also counseled a national consumer reporting agency through its CFPB compliance obligations, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing an audit process to assess compliance with federal consumer financial laws. Kim also has counseled clients through state attorneys general and departments of consumer protection investigations.

Representative Matters

Privacy & Data Security

  • Provided guidance to numerous companies in responding to security incidents and data breaches
  • Negotiated security requirements for a vendor agreement to provide cloud storage services
  • Counseled a major credit card company in establishing employee training on social media interactions with consumers
  • Conducted online behavioral advertising assessments of websites in order to update and enhance the online privacy policies of various financial institutions
  • Assisted a national lender in establishing a Gramm-Leach-Bliley Act Privacy Rule compliance program, including drafting annual privacy notices

Regulatory Compliance

  • Assisted a major credit company in conducting a comprehensive unfair, deceptive, or abusive acts or practices (UDAAP) assessment of card member rewards programs
  • Represented a national consumer products retailer throughout the company's response to an FTC enforcement investigation, resulting in a "no-action" letter
  • Counseled a national consumer reporting agency in preparation for CFPB examination, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing a compliance management system to address federal consumer financial laws, including the FCRA
  • Submitted public comments on behalf of an industry trade association in response to the CFPB's proposed rule on larger participants in the debt collection market

Professional Activities

International Association of Privacy Professionals

American Bar Association

National Asian Pacific American Bar Association-Asian Pacific American Bar Association

Recognitions & Accomplishments

Recognized as one of the 25 Most Influential Women in Collections by Collection Advisor, 2016

Named to Lawyers of Color's Inaugural Hot List for 2013, recognizing 100 attorneys younger than 40


Kim is a frequent contributor to two Ballard Spahr blogs: CyberAdviser, focused on the latest news and developments in privacy and cybersecurity law, and Consumer Finance Monitor.

"Denmark DPA Rules on How GDPR Applies to Voice Recordings," Ballard Spahr alert, April 18, 2019

Co-author, "FTC Provides Guidance to Social Media Influencers in Live Twitter Chat," Ballard Spahr alert, October 4, 2017

Co-author, "FTC Settles GLBA Enforcement Action Against TaxSlayer Stemming From 2015 Data Breach," Ballard Spahr alert, August 31, 2017

"Credit Reporting: Adapting to Regulatory Expectations," RMA Insights, Fall 2017

Co-author, "White House Issues New Cybersecurity Executive Order," Ballard Spahr alert, May 17, 2017

Co-author, "The NYDFS Cybersecurity Approach Marks a Radical Shift for Financial Institutions," Cornerstone Support, April 20, 2017

"Gaining Cyber Insight," Canadian Underwriter, February 2017

Co-author, "New York Regulators Drive Cyber Security Accountability for the Financial Sector," Payments & FinTech Lawyer, November 10, 2016

Co-author, "Envelope's Display of Barcode With Embedded Account Number Does Not Violate FDCPA, Florida Federal Court Rules," Ballard Spahr alert, November 9, 2016

Co-author, "DC Circuit Hears TCPA Oral Argument," Ballard Spahr alert, October 26, 2016

Co-author, "11th Circuit Holds That Entity Collecting Its Own Debt Not 'Debt Collector' Under FDCPA," Ballard Spahr alert, October 4, 2016

Co-author, "FFIEC Provides Concrete Guidance on Setting Up Information Security Programs," Ballard Spahr alert, September 14, 2016

Co-author, "Important Lessons for Businesses from FTC's Opinion on LabMD's Data Security Practices," Ballard Spahr alert, August 12, 2016

"The CFPB Becomes the Latest Federal Agency to Take on Data Security," Journal of Internet Law, May 2016

Co-author, "NY DFS Brings First Data Security Action," Ballard Spahr alert, March 24, 2016

Co-author, "FTC Enforcement Action Highlights Advertising Risks for Retailers," Ballard Spahr alert, March 18, 2016

Co-author, "FTC Examines Process by which Companies Assess Compliance with PCI DSS," Ballard Spahr alert, March 9, 2016

Co-author, "CFPB Initiates Its First Data Security Enforcement Action," Ballard Spahr alert, March 3, 2016

Co-author, "President Obama Gives EU Citizens Judicial Redress for Privacy Violations," Ballard Spahr alert, March 1, 2016

"Recent Trends in the FTC’s Data Security and Privacy Enforcement Actions," Journal of Internet Law, March 2016

Co-author, "DOJ/DHS Issue Interim Guidance on Implementation of Cybersecurity Information Sharing Act," Ballard Spahr alert, February 23, 2016

Co-author, "FTC Provides Guidance to Businesses Engaged in Native Advertising," Ballard Spahr alert, January 4, 2016

Co-author, "LifeLock to Pay $100 Million to Settle Charges It Violated 2010 Court Order," Ballard Spahr alert, December 28, 2015

Co-author, "FTC Takes Action against App Developers on COPPA Allegations Involving Persistent Identifiers," Ballard Spahr alert, December 23, 2015

Co-author, "ACC Foundation Releases Largest Study of its Kind on Cybersecurity Among In-House Counsel Study Underwritten by Ballard Spahr," Ballard Spahr alert, December 9, 2015

Co-author, "FTC Follows in CFPB Footsteps with GLBA Privacy Notices," Ballard Spahr alert, June 22, 2015

Co-author, "State AG - Credit Bureaus Settlement: What Furnishers Need to Know," Ballard Spahr alert, May 27, 2015

Co-author, "FTC Announces Settlement with Retail Tracking Company," Ballard Spahr alert, April 28, 2015

Co-author, "Internet of Things: Federal Agencies Offer Privacy and Data Security Best Practices," Ballard Spahr alert, January 29, 2015

Co-author, "FTC Sees Privacy as Paramount for Debt Buying Industry," Law360, December 1, 2014

Co-author, "CFSA Presses Its Case against ‘Operation Choke Point’," Ballard Spahr alert, October 8, 2014

"Policy Preparedness: A CFPB Focus for Compliance Management," July 21, 2014

Co-author, "California Attorney General Releases Privacy Policy Guidance for 'Do Not Track' Disclosures," Ballard Spahr alert, May 27, 2014

Co-author, "New Internet Top-Level Domains Unveiled," Ballard Spahr alert, December 13, 2013

"CFPB: No 'Crisis' in Debt Collection, but Problems Need Correcting," December 10, 2013

"U.S. Safe Harbor at Risk from NSA Storm," Privacy Laws & Business International Report, October 2013

"New Rules of the Road: Preparing for a Bumpy Ride as the CFPB Begins Developing Fair Debt Collection Practices Act Rules," DBA Magazine, Fall 2013

"Assessing Risk: Data Breach Litigation in U.S. Courts," International Association of Privacy Professionals, The Privacy Advisor, Vol. 12, No. 9, November 2012

"CFPB To Begin Supervision of the Debt Buying Industry," DBA Magazine, Fall 2012

"The U.S. Executive Branch Steps Up Privacy Activity," Privacy Laws & Business International Report, April 2012

Speaking Engagements

"GLBA Safeguard Rule – FTC Proposed Amendments," Real Estate Service Providers Council's Fall Seminar, Charleston, SC, September 12, 2019

"Women in Leadership," 2019 ACA International Convention, San Diego, CA, July 15, 2019

"Credit Reporting," Deep Dive Webinar Series: CFPB Notice of Proposed Debt Collection Rulemaking, ACA International Webinar, June 18, 2019

"Is the FTC the New CFPB?" Ballard Spahr webinar, June 12, 2019

"Security Orchestration, Automation, and Incident Response (SOAR)," CISO Executive Network, June 6, 2019

"The Importance of Privacy & Data Security in Retail," Ballard Spahr webinar, May 29, 2019

"Exploring Privacy Legislation at the Federal and State Levels," ACA International Washington Insights, May 16, 2019

"Card Issuers Workshop," Ballard Spahr workshop, Sioux Falls, May 15, 2019

"Card Issuers Workshop," Ballard Spahr workshop, Minneapolis, May 14, 2019

"A Look at the FTC's Proposed GLBA Rules," Ballard Spahr podcast, April 25, 2019

"Cybersecurity and Privacy Enforcement – Recent and Future Federal and State Activity," TechGC New York, January 16, 2019

"Consumer Protection Update," ABA Section of Antitrust Law, December 11, 2018

"Credit Cards & Data Mining: How Big Data Can Add Value," Credit Card Bank Compliance Association, November 11, 2018

"GDPR Guidance, Compliance and Enforcement Priorities," ACC Foundation Webcast, September 18, 2018

"Cybersecurity," Conference on Consumer Finance Law, June 1, 2018

"Navigating the Open Source Landscape," Atlanta, November 29, 2017

"Reporting Standards Under SSAE/SOC," Auriemma Vendor Management Roundtable, November 10, 2017

"What You Need to Know About the Application of the FCRA to Non-Credit Products and Services," Ballard Spahr webinar, October 17, 2017

"Does Your New Project Website Keep You Up at Night? Emerging Best Practices Applicable to the Real Estate Industry in the Digital Age," Ballard Spahr breakfast event, September 27, 2017

"Program on NYDFS Cybersecurity Regulations," Women in Housing & Finance, Inc., July 26, 2017

"CFSA Webinar - The Ongoing CFPB Threat," Ballard Spahr webinar, May 31, 2017

"Network & System Architecture as a Defense," CISO Executive Network, May 24, 2017

"Data Privacy and Cyber Security," MBA's Legal Issues and Regulatory Compliance Conference, Miami, May 9, 2017

"Digital Legal Hot Topics," RESPRO Annual Conference, Las Vegas, April 20, 2017

"Implementing New York's New Cyber Security Regulation," RESPRO Annual Conference, Las Vegas, April 19, 2017

"My Cybersecurity Career Journey: Tips and Tools to Succeed," Women in Cybersecurity Conference, Tucson, Arizona, April 1, 2017

"Alternative Credit - Opportunities, Risks, and the CFPB's Request for Data," Ballard Spahr webinar, March 21, 2017

"CFPB Questions the Ability of Consumers to Give Third Parties Access to Their Digital Financial Records," Ballard Spahr webinar, March 16, 2017

Panelist, "The Consumer Regulation Regime for 2017," Credit Union National Association Governmental Affairs Conference, Washington, D.C., February 28, 2017

"Perspectives on the Debt Collection Industry in 2017," Consumer Finance Committee of the D.C. Bar Litigation Section, Washington, D.C., February 22, 2017

"Preparing for NYDFS's Revised Cybersecurity Regulations," Ballard Spahr webinar, January 12, 2017

"Beyond the CFPB - The Enforcement Role of the FTC Post-Election," Ballard Spahr webinar, January 4, 2017

"You've Been Hacked: Now What?" NAPABA Conference 2016, November 4, 2016

"Privacy and Data Security," Pennsylvania Bar Institute Consumer Financial Services & Banking Law Update, October 18, 2016

"Managing Security Program Risk & Effectiveness," CISO Executive Network, October 12, 2016

"Social Media For Marketing - Legal Considerations," RESPRO Fall Conference, Washington, D.C., September 23, 2016

"Cybersecurity Today," MBA Regulatory Compliance Conference, Washington, D.C., September 20, 2016

"Enterprise Security Vulnerability," CISO Executive Network, August 31, 2016

"Attorneys in the Matrix: Legal Best Practices Against Black Hat Threats," Maryland Association of Counties Summer Conference, Ocean City, Maryland, August 16, 2016

"Lavender Law Cybersecurity Workshop," Lavender Law Conference, August 4, 2016

"Using Social Media and Texts for Debt Collection," Ballard Spahr webinar, May 5, 2016

"Advanced Identity & Access Management Techniques," CISO Executive Network: Philadelphia Breakfast Roundtable 2 of 6, April 6, 2016

"The CFPB's First Data Security Enforcement Action," Ballard Spahr webinar, March 18, 2016

"The State of Cybersecurity Report," Association of Corporate Counsel, Philadelphia, February 18, 2016

"Legal Landscape: How Past Cases Impact the Industry Today," DBA Conference, February 9, 2016

"FinTech Data Privacy and Security," Ballard Spahr webinar, February 4, 2016

"Lessons Learned: Best Practices for In-House Counsel from the ACC Cybersecurity Report," Ballard Spahr webinar, January 12, 2016

"Cybersecurity Preparedness Among In-House Counsel," Association of Consumer Vehicle Lessors - Legal Committee Meeting, January 6, 2016

"Data Privacy and Data Security," Utah State Bar Fall Forum, Salt Lake City, November 19, 2015

"Building a Best-In-Class Regulatory Function," Public Affairs Council, Advocacy for Regulatory Success, October 27, 2015

Panelist, "TCPA - Robocalls, Text Messages and the New FCC Ruling," Credit Union National Association webinar, September 1, 2015

Panelist, "The FFIEC Cybersecurity Assessment Tool: Is Your Company at Risk?" FFIEC Webinar, August 4, 2015

"CFPB Examinations 101," CFPB Exam Prep Workshop, ARM-U: ARM-U Free Virtual Conference 6 Ops and Compliance Webinars, June 3, 2015

"Compliance in the Era of Thinking Devices," Association of Corporate Counsel, Philadelphia, May 19, 2015

"ALFN + NARCA Advocacy Day," American Legal and Financing Network (ALFN) & National Association of Retail Collection Attorneys (NARCA), Washington, D.C., April 13, 2015

"Building Your Data Breach Prevention & Response Playbook," Payments Source & American Banker: Card Forum & Expo 2015, April 9, 2015

"Law School for the CFO: The Digital Divide," Philadelphia CFO Leadership Council program, March 19, 2015

"Regulatory Forecast: There's More to It than the CFPB," ARM-U Conference, Washington, D.C., October 14, 2014

Panelist, "Best-Kept Secrets: How To Develop an Effective Data Privacy Infrastructure," Eighth Annual National Conference of Vietnamese American Attorneys, Orlando, June 28, 2014

"The CFPB's Financial Literacy Mandate: What It Means for Industry," Ballard Spahr webinar, March 11, 2014

"Employers Strike Gold and Legal Barriers Mining Social Media for Job Applicant and Employee Data," Privacy Laws & Business Annual Conference, July 2, 2012

Board Memberships

Board Member and Immediate Past President, Vietnamese American Bar Association of the Greater Washington, D.C. Area (VABA-DC)

George Mason University, Antonin Scalia Law School (J.D. 2006)
Notes Editor, Federal Circuit Bar Journal
President and Student Law Fellow, Student Bar Association
11th Circuit Lt. Governor, American Bar Association

University of Pennsylvania (B.A., cum laude, 2001)
Benjamin Franklin Scholar

District of Columbia


U.S. District Court for the Eastern District of Virginia