Donald DePass helps clients tackle challenging state, federal, and at times international privacy and data security issues. He advises on compliance with the Health Insurance Portability and Accountability Act (HIPAA), state health privacy laws, the FTC Act, and the Family Educational Rights and Privacy Act (FERPA), among other privacy and data security laws and regulations.
Donald regularly counsels clients on incident response, including breach notification obligations, as well as response to government investigations and enforcement actions in the wake of large-scale cyber-attacks. He also helps clients develop and implement compliance programs and draft contractual language for safeguarding sensitive information and legitimizing cross-border data transfers.
Donald counsels clients facing dynamic regulatory environments in a wide range of industries, primarily in the technology, life sciences and healthcare, and education sectors. In addition to assisting clients with complex legal matters, Donald helps clients resolve complicated policy issues affecting data privacy and security. In a rapidly evolving marketplace, he provides practical solutions that help clients meet legal and policy challenges and retain consumer trust.
While in law school, Donald served as a student attorney in the Georgetown Social Enterprise & Nonprofit Clinic and was a member of The Tax Lawyer.
Donald graduated with honors from Georgetown University Law Center and from Duke University, where he earned a bachelor's degree in public policy studies.
Areas of Focus
Privacy counsel in the largest health-related cyber-attacks in U.S. history, supporting breach response, government investigation, and privacy compliance.
Obtained successful resolution, without penalty, in numerous HHS OCR investigations of academic institutions and insurance organizations.
Advised clients on privacy-related HHS OCR and state attorney general and Insurance Commission investigations and enforcement actions.
Assisted a major U.S. university in responding to cybersecurity incidents, including forensic review, notification analysis, and remediation.
Conducted privacy- and cybersecurity-related diligence for several transactions involving healthcare and education companies.
Helped a global company assess compliance with privacy laws in multiple countries, focusing on privacy notices, cross-border transfers, and data use restrictions.