Kimberly Kiefer Peretti

Partner,

Washington, D.C.

Phone: +1 202 239 3720
Email: kimberly.peretti@alston.com

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team and National Security & Digital Crimes Team, Kim is recognized by select publications and is frequently quoted by the media.

Security Incident Response

Represented a health care client involved in a ransomware attack, requiring both a complex forensic investigation and extensive data review and restoration processes.
Represented a global company in connection with a network and cloud service provider attack by multiple state-sponsored actors targeting the infrastructure for both espionage and financial crime-based purposes. The response included extensive forensic investigation and data analytics efforts to identify and report on impacted information affecting both individuals and companies as well as working with national security and law enforcement arms of the U.S. government.
Represented a global technology company in a targeted business email compromise scheme involving unauthorized wire transfers of multiple business partners over a several month period.
Represented a health care client in an extensive cyber intrusion involving the collection of a large volume of data and provided advice on incident response, oversaw forensic investigators, and assisted with a large data review.
Representing a large health care provider in a vendor website breach, including vandalism and attempted theft of databases with millions of PHI records compromised.
Assisted one of the world’s largest payment processors with investigation and notification in a security incident involving a subsidiary’s e-commerce platform and payment card data. Our counsel included assistance with oversight of the forensic investigation, advising on issues related to investigation by the payment card brands, and individual and regulatory notifications in over 20 countries.
Assisted a major financial services holding company in managing incident response, regulatory inquiries, and extensive cooperation efforts with the FBI for one of the top ten HIPAA breaches of 2018, resulting from social engineering and vishing attacks by foreign actors.
Represented a large telecommunications company in investigating a sophisticated state-sponsored attack with national security implications, including facilitation of classified law enforcement interactions.
Represented a large health care company in review and analysis of a ransomware incident involving an extensive and sophisticated intrusion.
Represented a large international retail company with an incident involving cyber extortion of a subsidiary in connection with potential theft of personal data.
Assisted a regional financial institution with hundreds of locations in analyzing breach notification and response obligations for skimming incidents.
Assisted a community bank with investigation and response of incident involving placement of skimming device on ATMs.
Represented several large global organizations in connection with government-led national security investigations resulting from state-sponsored attacks originating from different countries/threat actors.
Represented a large, franchised restaurant business in connection with a cybersecurity incident investigation, including ongoing analysis of cybersecurity insurance issues, incident litigation, and regulatory defense.
Represented one of the largest home improvement retailers in the U.S. in connection with a sophisticated cyberattack and criminal intrusion involving customized malware targeting payment card data from point-of-sale systems. The representation includes, among other areas, coordinating with the payment card brand networks and federal and state law enforcement agencies, directing the forensic investigation of the PFI and other third-party forensic firms, and defending multiple putative class actions filed by financial institutions.
Represented a global diversified industrial company in connection with a targeted attack by sophisticated threat actors engaged in industrial espionage and financial fraud.
Represented a global provider of business information in connection with a sophisticated intrusion by Eastern European organized criminal groups that impacted data breach laws and regulations in more than 50 countries. The incident response included directing a complex and technical forensic investigation involving U.S. and non-U.S. systems; analyzing U.S. state and federal and international breach notification statutes, regulations, and recommendations and coordinating the notification process; responding to numerous state attorneys general inquiries; development and execution of crisis communication plans; and participating in frequent senior executive and board-level meetings.
Represented a global payment processor in connection with a technical, complex computer crime investigation involving a sophisticated cyber threat actor. The crisis response effort included advising on myriad legal issues, including securities law guidance, regulatory issues, class action defense, governmental investigations, and insurance coverage and issues. The effort also included supervising and managing a complex cyber forensic investigation that included a rapid response to a sophisticated intruder with deep and persistent access to the environment; development of containment, eradication, and remediation strategies; and coordination of the activities of multiple third parties, including an independent forensic investigator, several payment card brand networks, financial regulators, and federal law enforcement.
Represented a global retail company in a sophisticated cyberattack involving customized malware targeting payment card data from point-of-sale systems. The crisis response included coordinating the activities of multiple third parties, including state and federal regulators, payment card brand networks, federal law enforcement agencies, and the Department of Justice, as well as directing multiple third-party forensic firms in conducting a technical, forensic investigation.
Represented a global payments company in an extensive data theft incident by a former employee. The representation included directing a technical forensic investigation, overseeing a complex fraud data analytics analysis, preparing evidence for law enforcement and federal prosecution, and counseling on disclosure and customer communications strategies.
Represented a global electronics company in connection with a sophisticated reshipping fraud scheme operated out of Eastern Europe impacting high-end electronics and involving multiple vendors.
Represented one of the world’s largest interactive marketing services providers in a massive network breach, involving more than 60 million individual records.
Worked with a global energy company suspected of being compromised by advanced persistent threat actors. The response included enhanced monitoring of critical systems; preventive forensics, including a breach indicator assessment, a review of existing an investigation, and law enforcement information; and assisting management with briefings to executives.

Cybersecurity Preparedness

Board Training/Governance and Enterprise Risk Management:
- Developed training materials for the boards of directors of several companies, including major banks, one of the world’s largest construction and industrial equipment rental providers, a global non-car vehicle manufacturer, a global digital media company, and a large insurance company. The presentations and materials highlighted the companies’ cybersecurity risks and the legal and regulatory landscape and provided recommendations on overseeing improvements to their companies’ data security posture as part of cyber risk management.
- Presenting annually to the board of directors of one of the largest U.S. financial institutions on issues of cyber risk and cybersecurity, including evaluating the board’s duties in this area.
Breach Response Plan Development:
- Representing one of the world’s largest retailers in developing their worldwide data breach response plan.
- Developed global breach response plans for a global insurance company with operations in 27 countries.
- Developed security incident and/or data breach response plans for several global insurance companies, financial institutions, e-commerce companies, retailers, global consulting firms, and digital media corporations.
- Developed a ransomware-specific breach response for a large telecommunications company.
Tabletop Exercises:
- Developed and facilitated cyber tabletop exercises for one of the largest shipment and logistics companies in the world, a global provider of health services, one of the largest financial institutions in the U.S., and several large global insurance companies.
- Conducted international tabletop exercises in several Asian and South American countries for a global insurance company.
- Assisted all of these companies with enhancing their breach response strategies and procedures through prioritized recommendations and corrective action plans.
Cybersecurity Assessments and Legal Reviews:
- Conducted a cybersecurity preparedness legal review for a large state bank assessing its cybersecurity program against guidance from federal and state financial regulators; presented findings to the board.
- Conducted an enterprise-wide privacy and data security assessment for a large entertainment media company, assessing its practices for managing and securing sensitive information against a number of laws, regulations, enforcement actions, and guidance materials from regulators. Assisted in performing a risk assessment using the NIST Cybersecurity Framework to enable the company to prioritize its remediation and improvement activities.
- Advising an independent county agency in a privacy and data security assessment regarding its policies, practices, and procedures. The project includes conducting detailed client interviews, policy review, and preparation of memorandums regarding identified gaps.
- Performed cybersecurity legal reviews for clients in other industries, such as transportation.
Representing a financial services information-sharing advisory association on various issues related to information sharing and cybersecurity in the financial services sector.
Consulting with a number of domestic and international banks on their response to and preparation for recent highly sophisticated and suspected state-sponsored DDoS attacks on their networks.
Represented a retail industry trade association on issues related to cybersecurity information-sharing mechanisms and related congressional testimony.
Represented a global telecommunications company in connection with a cloud service provider’s security standards accreditation.
Worked with a global transportation company in developing cybersecurity policies and strategies. The project included ongoing monitoring of federal government initiatives dealing with critical infrastructure cybersecurity and development of appropriate responses, policies, and procedures related to cyber intelligence gathering, information sharing, and cybersecurity practices.
Worked with an international monetary organization on a multiphased, comprehensive information security risk assessment based on the global information security standard ISO 27001. Our involvement included leading a threat-modeling workshop to help the company understand its current threats and defenses and identify any known gaps in its information security infrastructure, in particular with sophisticated attacks, such as state-sponsored attacks.
Worked with a multiservices organization on a multiphased, enterprise security risk assessment in which we led an incident response workshop and cyber tabletop exercises to identify any known weaknesses in incident response processes and procedures, in particular with scenarios related to sophisticated cyberattacks and intrusions.
Worked with a large global consulting firm in an assessment of the company’s practices, controls, policies, and procedures concerning the ease with which sensitive client data and company confidential data could leave the company’s systems, whether by an inadvertent act by an employee or a malicious act by an insider or outsider.

Privacy-Related Regulatory Inquiries

Represented a number of clients in federal and state regulatory inquires involving Internet-based practices potentially violating federal and state unfair and deceptive trade practices acts, including a large online advertising company’s practices in the use of third-party cookies, a mobile phone carrier’s practices in a user’s browser experience, and an automotive dealership’s practices in collecting user information and monitoring user behavior online.

Languages

German

Bar Admissions

District of Columbia
Illinois
U.S. Supreme Court

Education

University of Munich, Germany (LL.M., 1997)
Georgetown University (J.D., 1996)
University of Wisconsin (B.A., 1992)

Memberships

U.S. Secret Service, Cyber Investigation Advisory Board (2022-present)
Certified Information Systems Security Professional (CISSP)
American Bar Association, Section of Science and Technology Law and Litigation Section
American Friends of the Alexander von Humbolt Bundeskanzler Foundation, board of directors
CyberTheory, CISO advisory board
Sedona Conference on Cyber Liability, faculty (2013–present)
Georgetown University Law Center Cybersecurity Law Institute, co-chair (2015–present)
PLI Twenty-Third Annual Institute on Privacy and Cybersecurity Law, co-chair (2022, Chicago)
Georgetown University Law Center Cybersecurity Law Institute, advisory board (2013–2015)
Financial Services Information Sharing and Advisory Center, board adviser (2010–2012)
eFraud Network, Program Committee (2008–2011); e-Privacy Committee, co-chair (2012–present); councilmember and budget officer (2004–2009)
ABA Section of Science and Technology Law, Information Security Committee, co-chair (2001–2004)
Alexander von Humbolt Bundeskanzler Foundation, Bonn, Munich, Germany, 1996–1997
Fellow: Liaison with German government officials and business leaders

Court Admissions

United States Court of Appeals for the Ninth Circuit
United States Court of Appeals for the District of Columbia Circuit
United States District Court for the District of Columbia

Accolades

Chambers USA – Privacy and Data Security (2017-present); Privacy and Data Security: Incident Response (2021 – present)
Chambers Global – Privacy and Data Security (2018 – present); Privacy and Data Security: Incident Response (2022 – present)
The Best Lawyers in America^® – Privacy and Data Security Law (2023 – 2025)
Legal 500 – Cyber Law “Leading Lawyer” (2022 – present)
Cybersecurity Docket “Incident Response 40” (2016 – present)
SC Magazine – “Industry Pioneer”
BTI Consulting Group – “Client Service All-Star”
Washingtonian – “Top Lawyers – Cybersecurity”
Burton Award for Legal Achievement – “Cybersecurity: What Directors Need to Know in an Era of Increased Scrutiny”