Philip N. Yannella

As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

Phil has extensive experience in complex litigation and investigations involving digital evidence, particularly data breaches, class actions, and theft of trade secrets. He guides clients through data breaches, including identifying exposure, facilitating public notice under state and federal laws, coordinating forensic examinations, negotiating report resolution, and managing resolution. He frequently works with experts to investigate the usage, availability, and reliability of structured datasets in the context of class certification, damages models, proportionality, and spoliation motions.

Phil is a frequent commentator, presenter and author on legal issues related to data privacy, cybersecurity, eDiscovery and information governance. He received a 2017 Readers' Choice award from JD Supra for his writing on cybersecurity issues. He is the author of Pennsylvania eDiscovery (ALM Media).

Representative matters include:

Complex Litigation and Investigations

• Successful representation of an auto finance company in a bet-the-company TCPA action with damage allegations of over $100 million. Defeated class certification and won summary judgment.
• Successful representation of a pharmaceutical client in a civil action seeking publication of anonymized clinical data valued at $1 billion. Using a re-identification analysis, successfully persuaded the court that publication would reveal private health information of 95 percent of clinical trial patients.
• Defense of a major bank in overdraft class action. Retained an expert to model damages from archival and legacy data.
• Successful defense of a major bank in a TCPA class action. Retained an expert to assess ascertainability of class members based on structured dialer data.
• Counseled a nonprofit hacked by Chinese nationals and coordinated a response with the FBI. Guided the client through an initial investigation of criminal attack on staging server, including engagement of a forensic team, collaboration with governmental entities to pursue the attackers, and review of forensic analysis.
• Counseled an auto finance company in connection with a data breach of customer personal information, involving multi-state reporting.
• Counseled a biotech in connection with theft of trade secrets by a former contractor.
• Counseled a university in connection with a data breach stemming from inadvertent posting of student social security data in an internet kiosk.
• Counseled a major telecom company on potential legal exposure arising out of review of hacked Sony emails posted to WikiLeaks.
• Conducted an internal investigation for a major retailer arising out of suspected violations of access and identity management policies, resulting in developer access to production environments.
• Represented a gaming company in connection with an investigation into suspected exfiltration of customer social security information held on unencrypted webserver.
• Counseled a pharmaceutical client in response to a series of spear phishing attacks. Guided the client through an initial investigation, assisted in delisting of its domain, advised on WHOIS search, and prepared filings to the FBI cybercrime unit.
• Counseled a gaming company in response to a suspected credit card skimming operation. Guided the client through an initial investigation, engagement with credit card fraud units and government entities, and advice on data breach notification procedures.
• Successful defense of a major bank in an overdraft class action. Retained, developed, and elicited expert testimony concerning limitations of structured data and impact on the plaintiff’s damages model.
• Defense of a clinical laboratory in a multi-state attorney general investigation alleging overpayment of Medicaid costs. Served as national discovery counsel, worked with an expert to model damages from legacy datasets.
• Represents a manufacturer in multi-state products liability litigation relating to property damage allegedly caused by an herbicide.
• Served on a national coordinating counsel team for a major pharmaceutical manufacturer in litigation relating to an anti-anemia medication.
• Served on a national coordinating counsel team for a medical device company in litigation relating to latex gloves.
• Served on a national coordinating counsel team for a biologics company in litigation relating to Factor IX products.
• Served on a national coordinating counsel team for a major cigarette manufacturer in multi-state litigation. Obtained multiple summary judgment awards in favor of a major cigarette manufacturer in Pennsylvania state court.
• Served as a member of the team that created new Pennsylvania law by successfully arguing that the "heeding presumption" was inapplicable to consumer products voluntarily purchased and consumed.
• Obtained summary judgment on behalf of a university in asbestos litigation venued in Philadelphia court.
• Obtained a favorable result for a major pharmaceutical manufacturer in trial relating to weight loss medication.
• Served as lead counsel for a pharmaceutical device company in a toxic tort class action arising from the alleged release of chemicals from the company's North Carolina facility.
• Successful representation of an oil refiner in litigation arising from alleged benzene exposure at a refining plant.

E-Discovery & Information Governance

• Served as national discovery counsel for a major pharmaceutical manufacturer in litigation relating to a COX-2 inhibitor.
• Served as national discovery counsel for a pharmaceutical joint venture in litigation relating to statin.
• Served as national discovery counsel for a major pharmaceutical manufacturer in litigation relating to an antipsychotic medication.
• Serves as national discovery advisor to a major accounting firm.
• Successful defense of a pharmaceutical company in a spoliation motion arising out of the loss of SAS program files. Led the investigation, including forensic exam, and developed and presented expert testimony.
• Successful representation of a major stock exchange in a regulatory investigation and class actions arising out of the failure of an IPO pricing engine. Managed and coordinated eDiscovery, including forensic examinations and ESI investigation, for over 100 employees.
• Successful representation of a pharmaceutical company in a spoliation hearing stemming from the loss of data held in a wiki used for regulatory submissions.
• Developed records retention and IG programs for two dozen companies in the following industries: auto finance, automotive, car rental, aerospace, pharmaceutical, medical device, commercial paint products, banking, real estate lending, and insurance.
  
  

Professional Activities

The Sedona Conference Institute
Member, International Data Privacy, eDiscovery, and Cross-Border Data Transfer Issues Working Groups

Defense Research Institute

IAPP

ARMA

Publications

Co-author, "Utah Privacy Law Would Be First to Require Search Warrant for Government to Access Stored Data," The National Law Review, March 28, 2019

Co-author, "Avoid Taking the Bait of W-2 Phishing Schemes," Ballard Spahr alert, March 6, 2019

Co-author, "No Actual Damages Required to Sue Under Illinois Biometric Information Privacy Law," Ballard Spahr alert, January 28, 2019

Co-author, "PA Supreme Court: Businesses Have Duty to Safeguard Sensitive Employee Information," Ballard Spahr alert, November 27, 2018

Author, "European Union Discovery Presents Compliance Headaches for U.S. Litigants," The Legal Intelligencer, February 5, 2018

Co-author, "U.S. Supreme Court Rejects Second Bid for Review in Spokeo," Ballard Spahr alert, January 24, 2018

Co-author, "AV START Act Addresses Privacy and Cybersecurity Issues Associated With the Development of Highly Automated Vehicles," Ballard Spahr alert, December 15, 2017

Co-author, "Article 29 Working Party Issues Guidance on Breach-Notification Obligations under GDPR," Ballard Spahr alert, October 28, 2017

Co-author, "FTC Provides Guidance to Social Media Influencers in Live Twitter Chat," Ballard Spahr alert, October 4, 2017

Co-author, "Worldwide Group of Data Privacy Regulators Issues Guidance on Connected-Car Technologies," Ballard Spahr alert, October 2, 2017 

Co-author, "Uber Settles FTC Dispute Over Consumer Data Privacy and Security Allegations," Ballard Spahr alert, August 18, 2017 

Co-author, "Delaware Amends Data Breach Statute," Ballard Spahr alert, August 17, 2017

Co-author, "D.C. Circuit Reverses Data Breach Class Action Dismissal on Standing Grounds," Ballard Spahr alert, August 2, 2017  

Co-author, "Nevada Becomes the Third State to Enact Website Privacy Notification Law," Ballard Spahr alert, August 1, 2017  

Co-author, "NYDFS Updates FAQs to Clarify Cybersecurity Regulations," Ballard Spahr alert, July 14, 2017  

Co-author, "Ponemon Institute Study on Costs of Data Breaches Highlights Improvement and New Risks for U.S. and Global Companies," Ballard Spahr alert, June 28, 2017

Co-author, "FTC Submits Comment To Aid NTIA In Developing Internet of Things Guidance," Ballard Spahr alert, June 21, 2017

Co-author, "Autonomous Cars One Step Closer to Reality in Colorado," Ballard Spahr alert, June 19, 2017  

Co-author, "Colorado Division of Securities Publishes Final Cybersecurity Rules," Ballard Spahr alert, May 23, 2017  

Co-author, "Is Your Organization Ready for a Systemwide Ransomware Attack?" Ballard Spahr alert, May 16, 2017  

Co-author, "To DPO or Not to DPO: Revised Guidance Issued on Data Protection Officers Under GDPR," Ballard Spahr alert, May 3, 2017

Co-author, "United Kingdom Privacy Office Issues Guidance on Consent Under GDPR," Ballard Spahr alert, March 15, 2017 

Co-author, "Eighth Circuit Remands Proposed Settlement in Target Data Breach Class Action," Ballard Spahr alert, February 2, 2017 

Co-author, "IRS and Others Renew Warnings About Fraudulent Emails Targeting Employee Tax Information," Ballard Spahr alert, January 30, 2017

Co-author, "Disclosure Is Key for Cross-Device Tracking, FTC Staff Report Says," Ballard Spahr alert, January 25, 2017 

Co-author, "Data Breach Class Action Reinstated Against Horizon Healthcare Services Inc.," Ballard Spahr alert, January 23, 2017

Co-author, "EU e-Privacy Regulation Raises Stakes for Compliance," Ballard Spahr alert, January 12, 2017

Co-author, "Affair Website Ashley Madison Fined $8.75 Million Over Data Breach, Misrepresentations," Ballard Spahr alert, December 15, 2016  

Co-author, "HHS Designates Cloud Service Providers as Business Associates Under HIPAA," Ballard Spahr alert, November 4, 2016

Co-author, "DOT Issues Proposed Cybersecurity Guidance to Automotive Industry," Ballard Spahr alert, October 27, 2016  

Co-author, "European Court Of Justice Rules That Dynamic IP Addresses Are Personal Data," Ballard Spahr alert, October 25, 2016

Co-author, "Federal Banking Agencies Propose New Requirements for Managing Cyber Risk," Ballard Spahr alert, October 20, 2016 

Co-author, "UK ICO Offers Guidance on Privacy Notices Under the GDPR and the UK Data Protection Act," Ballard Spahr alert, October 18, 2016

Co-author, "To (Dis)Close for Comfort–FTC Workshop Seeks Effective Consumer Disclosures," Ballard Spahr alert, September 26, 2016 

Co-author, "Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm," Ballard Spahr alert, August 17, 2016 

Co-author, "Important Lessons for Businesses from FTC's Opinion on LabMD's Data Security Practices," Ballard Spahr alert, August 12, 2016

Co-author, "OCR Announces First HIPAA Enforcement Action against a Business Associate," Ballard Spahr alert, July 25, 2016

Co-author, "Court: Stored Communications Act Warrant Cannot Be Used to Seize Data Held Overseas," Ballard Spahr alert, July 19, 2016

Co-author, "Ninth Circuit Vastly Expands Scope of Criminal, Civil Liability for Computer Fraud," Ballard Spahr alert, July 15, 2016

Co-author, "International Regulators Issue Cybersecurity Guidance to the Financial Industry," Ballard Spahr alert, July 6, 2016

Co-author, "Cybersecurity, Use of Internet of Things Technology Concern Manufacturers," Ballard Spahr alert, June 28, 2016

Co-author, "President Obama Signs Defend Trade Secrets Act into Law," Ballard Spahr alert, May 11, 2016

Co-author, "The Defend Trade Secrets Act Signed into Law," Ballard Spahr alert, May 5, 2016

Co-author, "Class Certification Improper in Data Breach Case, PA Appellate Court Finds," Ballard Spahr alert, May 4, 2016

Co-author, "European Parliament Adopts EU General Data Protection Regulation; 12 Steps Businesses Should Take Now," Ballard Spahr alert, April 21, 2016

Co-author, "TCPA Exemption for Collection of Federal Debts Applies Retroactively, CA Federal Court Rules," Ballard Spahr alert, April 18, 2016

Co-author, "EU-U.S. Privacy Shield Framework Text Published: Imposes New Obligations on U.S. Entities that Seek Data Transfers from the EU," Ballard Spahr alert, March 8, 2016

Co-author, "CFPB Initiates Its First Data Security Enforcement Action," Ballard Spahr alert, March 3, 2016

Co-author, "California Data Breach Report Defines “Reasonableness” Standard for Data Protection," Ballard Spahr alert, March 2, 2016

Co-author, "President Obama Gives EU Citizens Judicial Redress for Privacy Violations," Ballard Spahr alert, March 1, 2016

Co-author, "Views on Cybersecurity Risk Management in Postmarket Medical Devices," a Q&A with Bloomberg BNA Privacy Law Watch, February 25, 2016

Co-author, "President Creates Cybersecurity National Action Plan and Commission on Enhancing National Cybersecurity," Ballard Spahr alert, February 24, 2016

Co-author, "DOJ/DHS Issue Interim Guidance on Implementation of Cybersecurity Information Sharing Act," Ballard Spahr alert, February 23, 2016

Co-author, "From Safe Harbor to Privacy Shield: New EU-U.S. Agreement for Transatlantic Data Flows," Ballard Spahr alert, February 9, 2016

Co-author, "FDA Issues Draft Guidance on Cybersecurity for Postmarket Medical Devices," Ballard Spahr alert, January 27, 2016 

Co-author, "Use of Big Data May Violate Federal Consumer Protection Laws, FTC Report Warns," Ballard Spahr alert, January 13, 2016

Co-author, "LifeLock to Pay $100 Million to Settle Charges It Violated 2010 Court Order," Ballard Spahr alert, December 28, 2015

Co-author, "FTC Takes Action against App Developers on COPPA Allegations Involving Persistent Identifiers," Ballard Spahr alert, December 23, 2015

Co-author, "ACC Foundation Releases Largest Study of its Kind on Cybersecurity Among In-House Counsel Study Underwritten by Ballard Spahr," Ballard Spahr alert, December 9, 2015

Co-author, "President Signs Bill Creating Exception to GLBA Annual Notice Requirement," Ballard Spahr alert, December 8, 2015

Co-author, "Company Prevails in Challenge to FTC Data Security Complaint," Ballard Spahr alert, November 30, 2015

Co-author, "California Updates Data Breach Notification Statute," Ballard Spahr alert, October 19, 2015

Co-author, "Court of Justice of the European Union Invalidates U.S. Safe Harbor Framework," Ballard Spahr alert, October 7, 2015

Co-author, "Pennsylvania Data Breach Class Action Survives Motion to Dismiss," Ballard Spahr alert, October 6, 2015

Co-author, "European Court of Justice May Invalidate Safe Harbor Framework," Ballard Spahr alert, September 30, 2015

Co-author, "NIST Guide Highlights Cybersecurity Considerations for Utilities and Manufacturing Companies," Ballard Spahr alert, August 24, 2015

Co-author, "Seventh Circuit Green Lights Data Breach Class Action Against Neiman Marcus," Ballard Spahr alert, July 28, 2015

Co-author, "UPenn Fracking Study Can't Give Plaintiffs Causation," Law360, July 30, 2015

Co-author, "Penn Study Unlikely to Result in Flood of Fracking Lawsuits," Ballard Spahr alert, July 16, 2015

Co-author, "FTC Follows in CFPB Footsteps with GLBA Privacy Notices," Ballard Spahr alert, June 22, 2015

Co-author, "Pennsylvania Court Rejects Request to Create Common Law Duty to Protect Sensitive Personal and Financial Information," Ballard Spahr alert, June 4, 2015

Co-author, "FTC Announces Settlement with Retail Tracking Company," Ballard Spahr alert, April 29, 2015

Co-author, "Report Identifies Cybersecurity Risks in Banking Sector: New York Agency's Report Focuses on Data Vulnerability of Banks' Third-Party Vendors," Ballard Spahr alert, April 13, 2015

Co-author, "FDA Issues Guidance on Mobile Medical Devices," Ballard Spahr alert, March 31, 2015 

Co-author, "NJ Data Encryption Law: Will It Become National Standard?" New Jersey Law Journal, March 24, 2015

Co-author, "President Obama Proposes Consumer Privacy Bill of Rights," Ballard Spahr alert, March 6, 2015

Co-author, "Anthem's Breach: How Employers Should Respond," Ballard Spahr alert, February 10, 2015

Co-author, "Internet of Things: Federal Agencies Offer Privacy and Data Security Best Practices," Ballard Spahr alert, January 29, 2015

Co-author, "NY Attorney General To Propose Bill To Strengthen Cybersecurity," Ballard Spahr alert, January 27, 2015

Co-author, "President Obama's 2015 Priorities Include Cybersecurity," Ballard Spahr alert, January 22, 2015

Co-author, "Pennsylvania Supreme Court Declines To Adopt Restatement (Third) of Torts," Ballard Spahr alert, November 21, 2014

Co-author, "Phishing Attacks Target University Employee Payroll Information," Ballard Spahr alert, November 14, 2014

Co-author, "Federal Court Addresses Frequently Overlooked Nuances of Electronic Document Production," Ballard Spahr alert, October 30, 2014

Author, Pennsylvania eDiscovery, published by The Legal Intelligencer, August 2014

Co-author, "Massive Hacking Operation Further Reveals Weakness of Passwords," Ballard Spahr alert, August 11, 2014

Co-author, "Proposed Changes to Civil Rules Could Limit Scope of eDiscovery," Ballard Spahr alert, May 1, 2014

Co-author, "Federal Court Ruling in Pa. Narrows Computer Fraud and Abuse Act," Ballard Spahr alert, March 25, 2014

Co-author, "Plaintiffs May Assert Negligent-Design Claims for Prescription Drugs, Pa. Supreme Court Holds," Westlaw Journal Pharmaceutical, March 2014

Co-author, "Pa. Supreme Court Opens Door to Latent-Disease Lawsuits," The Legal Intelligencer, February 11, 2014

Co-author, "Plaintiffs May Assert Negligent Design Claims for Prescription Drugs, Pa. Supreme Court Holds," Ballard Spahr alert, January 23, 2014

Co-author, "Proposed eDiscovery Rule Would Bring Relief from Specter of Sanctions," Ballard Spahr alert, November 8, 2013 

"Bits and Bytes: What Forensic Analysis Can Reveal," The Legal Intelligencer, January 29, 2013

Speaking Engagements

"Emerging Data Security Laws: An Innovation Opportunity," Comcast Labs Connect's Security by the Schuylkill, Philadelphia, April 16, 2019

Speaker, "The California Consumer Privacy Act: What Comes Next?" Ballard Spahr webinar, March 20, 2019

Co-host and Moderator, "Ghosts in the Machine: Data Privacy, Cybersecurity & the Evolving Face of Risk," Thomson Reuters Legal Executive Institute Concordant Crossroads: Regulation and Innovation in the Automotive Industry, New York City, October 2018

"From Brussels with Love: A GDPR Valentine's Day Special," Ballard Spahr webinar, February 14, 2018 

"Preventing Internal Breaches: The Critical Role of Corporate Counsel," BloombergLaw/UnitedLex webinar, February 13, 2018

"The Legal Impact of Autonomous Vehicle Connectivity (Part Two)," Thomson Reuters Legal Executive Institute podcast, February 6, 2018

"The State of Cybersecurity Report: A Preview of the 2018 Report," ACC Foundation Cybersecurity Summit, Washington, D.C., February 6, 2018

"Ethics for Discovery 2017," Practising Law Institute, New York, July 12, 2017

"Countdown to GDPR: Practical and Technological Solutions for Compliance," Delaware State Ballard Spahr CLE, Philadelphia, May 10, 2017 

"Game of Drones, Autonomous Vehicles, and Other Connected Devices," Delaware State Bar Association, Wilmington, April 12, 2017

"Higher Education and the Changing Administration," Ballard Spahr webinar, February 23, 2017 

"The State of Cybersecurity Report," ACC Cybersecurity Summit, Washington, D.C., January 31, 2017

"ACC Foundation Report: Takeaways to Enhance Cybersecurity Preparedness," Ballard Spahr CLE program, Washington, D.C., September, 29, 2016

"Ethics for Discovery 2016," Practising Law Institute, New York, July 25, 2016

"Cyber Insurance," Pennsylvania Bar Institute, Philadelphia, July 11, 2016

"Worst Case Scenario – The State of Cybersecurity and Lessons Learned," ACC Mid-Year Meeting, New York, April 12, 2016

"Advanced Identity & Access Management Techniques," CISO Executive Network: Philadelphia Breakfast Roundtable 2 of 6, April 6, 2016

"The ACC Foundation Cybersecurity Report: Discussion with the ACC President and CEO Veta Richardson," Ballard Spahr CLE program, Philadelphia, February 18, 2016

"A Look at the New Federal Rules and What They Mean for Your Practice," Pennsylvania Bar Institute, Philadelphia, July 30, 2015

"Ethics for Discovery 2015," Practising Law Institute, New York, July 27, 2015

"Ethics for Discovery 2014," Practising Law Institute, New York, July 15, 2014

"How the Proposed Amendments to the Federal Rules of Civil Procedure Will Affect Discovery," Ballard Spahr CLE program, live in Philadelphia and via webinar, June 25, 2014

"E-Discovery Breakfast Briefing: Taking Control in Litigation and Regulatory Matters," The Huron Legal Institute, Philadelphia, May 20, 2014

"Ethics for Discovery 2013," Practising Law Institute, New York, July 22, 2013

"Avoiding the Pitfalls of 'Bring Your Own Device' Policies," Ballard Spahr webinar, June 12, 2013

"New Amendments to Pa. Rules of Civil Procedure On eDiscovery," Pennsylvania Bar Institute, August 8, 2012

"Ethics for Discovery 2012," Practising Law Institute, July 27, 2012

"eDiscovery & Social Media in Litigation: Practical, Legal & Ethical Issues," Camden County Bar Association, May 9, 2012

"Leveraging Predictive Coding To Focus on Litigation Strategy," Navigant Expert Insights webinar, February 8, 2012

"Data Security in the Cloud and its Implications on eDiscovery," IQPC's The 6th eDiscovery for Pharma, Biotech, and Medical Devices Industries Conference, Philadelphia, October 25, 2011

"Taxation of E-Discovery Costs Not Limited to High-Profile Cases, Says Big Firm Partner," Association of Certified E-Discovery Specialists Podcast Interview, August 17, 2011

"Ethics for E-Discovery 2010," Practising Law Institute, July 28, 2010

"Federal Rule of Evidence 502: The Changing Landscape of Discovery in the Electronic Age," Webcast by DRI's Product Liability Committee, June 3, 2010

"Data Security, Corporate Compliance and E-Discovery: Navigating the Data Morass," NJCCA's 7th Annual All-Day Conference, September 24, 2009

"Rule 502 and Its Impact on E-Discovery: Using the New Provisions to Reduce the Costs of Privilege Review Without Increasing the Risks of Waiver," ACI's E-Discovery and Document Management Conference, September 22, 2009

"Designing, Implementing, and Maintaining Document Management Policies that Survive Multi-Jurisdictional and International Discovery of Scientific E-Data," ACI's Document Management, E-Discovery, and Litigation Readiness Conference, April 1, 2008

"Responding to Electronic Discovery Requests and Preparing for Rule 26(f) Conferences," Association of Corporate Counsel's E-Discovery: Bridging the Gap between Legal and IT Seminar, July 9, 2007

"Document Retention and Disposal Management in an E-Discovery World," Ethisphere, October 15, 2006

Temple University James E. Beasley School of Law (J.D. 1997)
Member, Political and Civil Rights Law Review; Member, Temple Moot Court; Recipient, Trial Advocacy Program's Outstanding Advocate award

Temple University (B.A. 1991, summa cum laude)

New Jersey

Pennsylvania

U.S. District Court for the Eastern District of Pennsylvania

U.S. Court of Appeals for the Third Circuit