Donald DePass

Donald DePass

Senior Associate
Washington, D.C.

Email [email protected]​

Phone +1 202 637 3286

Fax +1 202 637 5910


Practice groupGlobal Regulatory

Donald DePass helps clients tackle challenging state, federal, and international privacy and data security issues. He advises on compliance with the Health Insurance Portability and Accountability Act (HIPAA), state health-privacy laws, the Federal Trade Commission (FTC) Act, and the Family Educational Rights and Privacy Act (FERPA), among other privacy and data security laws and regulations.

Donald regularly counsels clients on incident response, including breach notification obligations as well as response to government investigations and enforcement actions in the wake of large-scale cyberattacks. He also helps clients develop and implement compliance programs and draft contractual language for safeguarding sensitive information and legitimizing cross-border data transfers.

Donald counsels clients facing dynamic regulatory environments in a wide range of industries, primarily in the technology, life sciences and health care, and education sectors. In addition to assisting clients with complex legal matters, Donald helps clients resolve complicated policy issues affecting data privacy and security. In a rapidly evolving marketplace, he provides practical solutions that help clients meet legal and policy challenges and retain consumer trust.

While in law school, Donald served as a student attorney in the Georgetown Social Enterprise & Nonprofit Clinic and was a member of The Tax Lawyer.

Awards and recognitions


Top 40 Under 40
The National Black Lawyers


Recognized for work in Privacy and Data Security
Best Lawyers: Ones to Watch

Education and admissions


J.D., Georgetown University Law Center, with honors, 2014

B.A., Duke University, with honors, 2011


Member, American Bar Association

Member, International Association of Privacy Professionals

Bar admissions and qualifications

District of Columbia

New York

Representative experience

Obtained successful resolution, without penalty, in numerous HHS OCR investigations of academic institutions and insurance organizations.

Assisted a major U.S. university in responding to cybersecurity incidents, including forensic review, notification analysis, and remediation.

Helped a global company assess compliance with privacy laws in multiple countries, focusing on privacy notices, cross-border transfers, and data use restrictions.

Advised clients on privacy-related HHS OCR and state attorney general and insurance commission investigations and enforcement actions.

Conducted privacy- and cybersecurity-related diligence for several transactions involving health care and education companies.

Privacy counsel in largest health-related cyberattacks in U.S. history, supporting breach response, government investigation, and privacy compliance.

Loading data