Brandon Reilly

Brandon Reilly is the leader of Manatt’s Privacy and Data Security practice and is recognized globally for his work in privacy and cyber law and as a “Top 40 Under 40,” “Top Cyber,” and “Top Artificial Intelligence” lawyer in California. A trusted go-to advisor on privacy, data governance, data security and AI issues for a sophisticated client base, Brandon is skilled at developing business-focused privacy and security frameworks aimed at maximizing data asset value and mitigating future enforcement and litigation risk. His practice spans legal and consulting disciplines, including strategic advice, regulatory compliance, transactions, government policy, security compliance and procedures, data breach responses, litigation, and government investigations and enforcement actions.

Brandon has experience advising and representing Fortune 500s, multinational corporations, emerging companies and nonprofits across all industries. In particular, his work with health care and digital health companies has been recognized globally by Chambers. His practice also leverages deep experience with emerging technologies such as artificial intelligence and machine learning, data science, privacy-enhancing technologies (PETs), biometrics, telematics, the Internet of things (IoT), blockchain, cryptocurrencies, social media and Web3. He has also lent his depth of experience in data protection and government investigations to clients for matters involving national security, foreign sanctions compliance and cross-border data transfers.

In the compliance area, Brandon advises clients on proactively orienting their operations to all manner of federal, state and international laws and regulations, including:

  • State comprehensive privacy laws, such as the California Consumer Privacy Act (CCPA) and similar laws passed in over a dozen states.
  • Health privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), California’s Confidential Medical Information Act (CMIA) and Washington’s My Health, My Data Act (MHMD).
  • Financial privacy laws, such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
  • Children’s privacy laws such as the Children’s Online Privacy Protection Act (COPPA) and Maryland Age-Appropriate Design Code Act (Maryland AADC).
  • International privacy laws such as the European Union’s General Data Protection Regulation (GDPR), the United Kingdom’s General Data Protection Regulation (U.K. GDPR) and Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Self-regulatory frameworks such as the Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Standards and Technology (NIST) Frameworks for Cybersecurity, Privacy and AI Risk Management.

In the incident response area, Brandon assists clients with security incident investigation, containment and mitigation as well as management of data breach responses, and he assists impacted entities before and during litigation, regulatory inquiry and government enforcement. He has counseled clients on incidents involving ransomware and other malware, botnet and other automated attacks, social engineering attacks, business email compromises (BEC), insider threats, independent security researchers and black and gray hat hackers, and other fraud and identity theft schemes.

Also a civil litigator with broad experience in federal and state courts, Brandon has significant experience defending a wide range of businesses in privacy, data breach, and consumer protection cases and class actions. He leverages his privacy and data security and litigation experience to assist clients facing such litigation and government enforcement actions.

A thought leader and frequent speaker in the privacy and data security space, Brandon is a Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US) and an active member of the International Association of Privacy Professionals (IAPP) and co-founder of its local Orange County chapter. Brandon has also spoken at national industry organizations, including IAPP, the Association of Corporate Counsel (ACC), the Health Care Compliance Association (HCCA), the Institute for Internal Auditors (IIA), ISACA (the Information Systems Audit and Control Association) and the Information Systems Security Association (ISSA). He has been quoted by Bloomberg Law, Daily Journal, VentureBeat and Cybersecurity Law Report, as well as published in other notable publications.

Brandon serves on Manatt’s Board of Directors. He also regularly provides pro bono representation in the area of veterans’ benefits and discharge upgrades, as well as advising small businesses and underserved communities regarding data governance and privacy compliance.

Partner

Brandon Reilly

San Francisco

714.338.2701

Services

Privacy and Data Security

Office

San Francisco, Silicon Valley

On This Page

Bio

Brandon Reilly

Brandon Reilly is the leader of Manatt’s Privacy and Data Security practice and is recognized globally for his work in privacy and cyber law and as a “Top 40 Under 40,” “Top Cyber,” and “Top Artificial Intelligence” lawyer in California. A trusted go-to advisor on privacy, data governance, data security and AI issues for a sophisticated client base, Brandon is skilled at developing business-focused privacy and security frameworks aimed at maximizing data asset value and mitigating future enforcement and litigation risk. His practice spans legal and consulting disciplines, including strategic advice, regulatory compliance, transactions, government policy, security compliance and procedures, data breach responses, litigation, and government investigations and enforcement actions.

Brandon has experience advising and representing Fortune 500s, multinational corporations, emerging companies and nonprofits across all industries. In particular, his work with health care and digital health companies has been recognized globally by Chambers. His practice also leverages deep experience with emerging technologies such as artificial intelligence and machine learning, data science, privacy-enhancing technologies (PETs), biometrics, telematics, the Internet of things (IoT), blockchain, cryptocurrencies, social media and Web3. He has also lent his depth of experience in data protection and government investigations to clients for matters involving national security, foreign sanctions compliance and cross-border data transfers.

In the compliance area, Brandon advises clients on proactively orienting their operations to all manner of federal, state and international laws and regulations, including:

  • State comprehensive privacy laws, such as the California Consumer Privacy Act (CCPA) and similar laws passed in over a dozen states.
  • Health privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), California’s Confidential Medical Information Act (CMIA) and Washington’s My Health, My Data Act (MHMD).
  • Financial privacy laws, such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
  • Children’s privacy laws such as the Children’s Online Privacy Protection Act (COPPA) and Maryland Age-Appropriate Design Code Act (Maryland AADC).
  • International privacy laws such as the European Union’s General Data Protection Regulation (GDPR), the United Kingdom’s General Data Protection Regulation (U.K. GDPR) and Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Self-regulatory frameworks such as the Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Standards and Technology (NIST) Frameworks for Cybersecurity, Privacy and AI Risk Management.

In the incident response area, Brandon assists clients with security incident investigation, containment and mitigation as well as management of data breach responses, and he assists impacted entities before and during litigation, regulatory inquiry and government enforcement. He has counseled clients on incidents involving ransomware and other malware, botnet and other automated attacks, social engineering attacks, business email compromises (BEC), insider threats, independent security researchers and black and gray hat hackers, and other fraud and identity theft schemes.

Also a civil litigator with broad experience in federal and state courts, Brandon has significant experience defending a wide range of businesses in privacy, data breach, and consumer protection cases and class actions. He leverages his privacy and data security and litigation experience to assist clients facing such litigation and government enforcement actions.

A thought leader and frequent speaker in the privacy and data security space, Brandon is a Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US) and an active member of the International Association of Privacy Professionals (IAPP) and co-founder of its local Orange County chapter. Brandon has also spoken at national industry organizations, including IAPP, the Association of Corporate Counsel (ACC), the Health Care Compliance Association (HCCA), the Institute for Internal Auditors (IIA), ISACA (the Information Systems Audit and Control Association) and the Information Systems Security Association (ISSA). He has been quoted by Bloomberg Law, Daily Journal, VentureBeat and Cybersecurity Law Report, as well as published in other notable publications.

Brandon serves on Manatt’s Board of Directors. He also regularly provides pro bono representation in the area of veterans’ benefits and discharge upgrades, as well as advising small businesses and underserved communities regarding data governance and privacy compliance.

Experience

  • Led the Manatt team in developing the CCPA compliance framework from the ground up for a national retailer, including its retail, pharmacy and health plan business lines. The team’s work included project management of the initiative from start to finish, as well as an enterprisewide data mapping project to identify all data collection, uses and disclosures that are subject to the CCPA, and providing legal counsel to all business units. The Manatt team also supported efforts to determine which data is exempt from the CCPA based on regulations under HIPAA, the GLBA and other statutes.
  • Served as chief outside privacy counsel to a Fortune 500 multinational consumer products business on all manner of U.S. privacy and data security law and relevant overlaps with international law, including the GDPR and related member state regulations and guidelines. Brandon’s work here included advising on the design and complete restructuring of the company’s privacy governance framework, vendor procurement program and cross-border data transfer protocol.
  • Piloted the investigation of a sophisticated ransomware incident for a marketing and technology solutions company, which involved all 50 states and over a dozen international jurisdictions. The incident involved a first-of-its-kind strain of the Ryuk ransomware variant. Brandon led the Manatt team in coordinating and supervising the forensic investigation of the matter, the analysis of domestic and international breach notification obligations, and business partner relations, and he advised on remediation and containment.
  • Led the investigation of, and response to, a ransomware incident with national security implications for a consumer electronic communications company, including close coordination with the U.S. federal government and federal law enforcement agencies.
  • Serves as day-to-day legal counsel to a large wellness technology company relating to HIPAA, the GDPR, the CCPA and other privacy and security issues. He also provides contractual support as the company enters into strategic contracts with health providers and health plans.
  • Led the investigation and incident response for a major e-commerce company arising from alleged system vulnerabilities claimed by a gray hat security researcher, including interfacing with the security researcher and close cooperation with a federal law enforcement investigation, ultimately resulting in the federal prosecution of the researcher.
  • Represented a nationwide tax preparation company with responding to, investigating, and engaging with regulators and notifying customers about multiple data security incidents involving sensitive customer property and information.
  • Advised health care startups and telehealth companies on developing privacy infrastructure.
  • Advised a national restaurant chain with respect to privacy and data security issues, including an adverse financial assessment by one of the members of the PCI Security Standards Council related to an alleged data security incident and the chain’s PCI DSS compliance.
  • Defended a major health care insurer in connection with a nationally publicized alleged information security incident, including defending against a series of putative class actions in federal and state courts across the country.
  • Served as a core member of trial teams, including on behalf of a multinational energy company, an international motor vehicle manufacturer, banks, mortgage servicers, tribal lending entities and other financial institutions.

Accomplishments

Session Leader, “Convergence of Privacy, Data Strategy, Data Governance, Data Protection, and Cybersecurity,” Association of Corporate Counsel Foundation’s 2024 Cyber Security Summit, Los Angeles, CA, March 26, 2024

Panelist, “ChatGPT and Data Privacy,” ELN Cybersecurity, Privacy and Data Protection Retreat, Carlsbad, CA, February 6, 2024

Panelist, “Privacy Compliance and Data Monetization,” Enterprise Leadership Network, Newport Beach, CA, January 16, 2024

Speaker, “Privacy Outlook 2024: Unwrapping the Future,” Exterro Webinar, December 21, 2023

Panelist, “AI in Data Retention: A Friend or a Foe?,” International Association of Privacy Professionals (IAPP) Privacy. Security. Risk. 2023, San Diego, CA, October 6, 2023.

Speaker, “Beyond HIPAA: Protecting Health Data in the Next Generation of Consumer Privacy Laws,” Health Care Compliance Association, September 28, 2023.

Speaker, “Legal Issues for Games Businesses,” Digital Media Wire’s Annual LA Games Conference VIP Edition, May 10, 2023.

Moderator, “Beyond HIPAA: Protecting Health Data in the Next Generation of Consumer Privacy Laws,” HCCA 27th Annual Compliance Institute, April 25, 2023.

Panelist, “Lessons Learned from the first CCPA Enforcement Action,” Exterro and ACC’s IT, Privacy & E-Commerce Network, December 7, 2022.

Speaker, “CCPA & HR Data & Sephora $1.2M Fine – OH MY!,” Association of Corporate Counsel (ACC), November 3, 2022.

Panelist, “Stress-Testing Your DSAR Process: Are You Ready for the Nightmare Letter?” International Association of Privacy Professionals (IAPP) Privacy. Security. Risk. 2022, Austin, TX, October 13, 2022.

Speaker, “When Health Care and Consumer Data Rules Collide: Ensuring Compliance with the Latest Generation of Data Privacy Laws,” Association of Corporate Counsel (ACC), September 21, 2022.

Speaker, The Privacy & Cybersecurity Retreat, PrivacyOC, Newport Beach, CA, September 14, 2022.

Panelist, “Legal Data Privacy Deep Dive: Federal, State & Local Updates,” PrivacyOC, Irvine, CA, August 11, 2022.

Speaker, “Fraud, Cyber-Risk and Ethics,” Institute of Internal Auditors (IIA) and Association of Certified Fraud Examiners (ACFE) Joint Training Conference, ISACA Orange County Chapter, March 24, 2022.

Panelist, “The Rise of Double-Extortion Ransomware,” Sub-Four Capital Management’s Cybersecurity, Privacy & Data Protection Audit, Risk & Regulatory Compliance Retreat, November 3, 2021.

Speaker, “Navigating Privacy and Employment Risk in Managing COVID Testing, Vaccinations, and Exposure Mitigation,” 2021 Upper Midwest Employment Law Institute, May 24, 2021, and Minnesota CLE Hybrid Workplaces Seminar, September 14, 2021.

Panelist, “Navigating the Shifting Federal and State Privacy Standards Landscape,” Online Lenders Alliance (OLA) Compliance University, May 12, 2021.

Speaker, “Breaking Down Your 2021 Regulatory Compliance Checklist,” Exterro and ACC’s IT, Privacy & E-Commerce Network, May 6, 2021.

Panelist, “Cyber Insurance, Breach Response & Law Enforcement: You Thought You Were Protected—But Are You?,” 2021 IIA Los Angeles Conference, March 8, 2021.

Speaker, “Navigating Privacy and Employment Risk in Managing COVID Testing, Vaccinations, and Exposure Mitigation,” 2021 Upper Midwest Employment Law Institute, February 9, 2021.

Panelist, “Cyberthreats, Supply Chain Attacks and Data Privacy,” The Laserfiche Empower Executive Leadership Summit, February 23, 2021.

Panelist, “Data – Keeping Too Much?,” PrivacyOC Privacy Week Forum, January 27, 2021.

Panelist, ISSA-LA December Monthly Virtual Meeting 2020, December 16, 2020.

Speaker, FINEX Flash Webinar Series - California Proposition 24, Willis Towers Watson, December 10, 2020.

Speaker, “2021 State Privacy Law Landscape,” International Association of Privacy Professionals, November 19, 2020.

Speaker, “CCPA Enforcement and the CPRA Voting Results - The Action Has Begun!” ISACA Annual CCPA Forum, November 19, 2020.

Speaker, “Where We Stand with CPRA, and How This Impacts Your Organization,” International Association of Privacy Professionals, November 5, 2020.

Speaker, “How to Limit Exposure and Minimize Your Risk Under the CCPA: Data Retention Is Critical,” International Association of Privacy Professionals, September 24, 2020.

Speaker, “California Attorney General CCPA Enforcement Actions and Suits Filed to Date,” International Association of Privacy Professionals, Orange County Chapter Meeting, August 13, 2020.

Speaker, “Laying the Groundwork for CCPA Litigation: Data Retention,” Data Protection World Forum, July 28, 2020.

Speaker, “How's Your CCPA Response Going?,” Privageo, June 18, 2020.

Speaker, “Beyond the Hype: How Disruptive Technologies will Change Government, Business and Consumer Experiences,” ISACA Los Angeles Annual Conference, August 17, 2020.

Moderator, “Fraud Prevention, Data Security and Verification,” Marketplace Lending and Alternative Financing Summit, December 10, 2019.

Speaker, “CCPA Roles, Responsibilities, and Awareness,” ISACA CCPA Forum, November 14, 2019.

Speaker, “After the Gold Rush: Making Sense of the California Consumer Privacy Act,” Industry Impact 2020, October 23, 2019.

Speaker, “Winter is Coming…again: The Twin Dragons of Data Privacy and Security Compliance,” HMG 2019 Southern California CIO Executive Leadership Summit, October 8, 2019.

Moderator,  “A Theory of Everything: Is Harmonization of Privacy Laws Even Possible?” Privacy Security Risk 2019, International Association of Privacy Professionals, September 25, 2019.

Speaker, “Preparing for the Open and Hidden Litigation Risks of the CCPA,” Manatt Webinar, September 4, 2019.

Speaker, “End-to-End Solutions to Address Access, Deletion and Opt-Out Rights in View of the CCPA and Other Privacy Regulations,” Information Systems Security Association, 34th Annual SoCal Security Symposium, September 12, 2019.

Speaker, “Gearing Up for the CCPA,” Orange County KnowledgeNet, International Association of Privacy Professionals, May 30, 2019.

Speaker, “Making Sense of the California Consumer Privacy Act,” Information Systems Security Association, Summit XI, May 17, 2019.

Speaker, “Data Governance and the Privacy Landscape,” ISACA Security Leaders’ Summit, May 14, 2019.

Speaker, “Toward a National Standard: How the CCPA’s Impact Extends Beyond California,” Manatt Webinar, May 7, 2019.

Presenter, "Privacy Issues in Document Collection and Discovery," Orange County Bar Association MCLE Last Dash Seminar, January 12, 2019.

Speaker, “Preparing for the Implementation of California’s Consumer Privacy Act,” Clear Law Institute Webinar, December 12, 2018.

Speaker, “Is Your Organization Prepared for a Data Breach in the Post-CCPA World?,” Manatt Webinar, November 14, 2018.

Speaker, “The Midterm Elections: How They May Impact Your Business in 2018 and Beyond,” Bloomberg Next Webinar, November 8, 2018.

Speaker, “A National Privacy and Data Security Game Changer,” Bloomberg Next Webinar, October 17, 2018.

Speaker, National Association of Optometrists and Opticians annual meeting, Las Vegas, NV, September 27, 2018.

Speaker, “CaCPA: Preparing for Compliance & Avoiding Litigation Landmines,” X1 Discovery Inc. Webinar, September 25, 2018.

Speaker, “Dissecting California’s Privacy Legislation and What It Means For You,” Manatt Webinar, August 14, 2018.

Speaker, “A Lawyer’s Primer on Cybersecurity in 2017,” West LegalEdcenter, June 15, 2017.

Speaker, “Top Privacy Concerns Facing In-House Counsel and Related Ethical Considerations,” Los Angeles, CA, November 17, 2016.

Speaker, “Forensics: A Weapon and a Shield in Data Breach Litigation,” Washington, D.C., October 25, 2016.

Speaker, “The Litigator’s Role in Privacy & Data Security,” Los Angeles, CA, June 16, 2016.

Speaker, “Privacy & Data Security: Legal Ethics and the Protection of Client Data,” Los Angeles, CA, November 19, 2015.

Chambers Global, Top-Ranked Attorney, Privacy and Data Security: Healthcare, 2025

Orange County Visionaries, Los Angeles Times, 2024

Top Artificial Intelligence Lawyers, Daily Journal, 2024

Lawyers on the Fast Track, The Recorder, 2024

Chambers USA, Top-Ranked Attorney, Privacy and Data Security: Healthcare (USA), 2024

Daily Journal, Top Cyber Lawyer, 2022

Named to Daily Journal’s “Top 40 Under 40” list for work across data privacy, security, procedure, breach response and compliance, 2021

Named to The Legal 500 United States’ “Rising Stars” list for Cyber Law (Including Privacy and Data Protection), 2019

Selected as a “Southern California Rising Star” by Super Lawyers magazine, 2017–2023

Admitted to practice in the state of California and in the U.S. District Court for the Central, Eastern, Northern and Southern Districts of California

Admitted to practice before the U.S. Department of Veterans Affairs

Certified Information Privacy Professional/United States (CIPP/US)

Board member, STEM Advantage

Orange County regional chair, USC Gould School of Law Alumni Association

Member, International Association of Privacy Professionals

Member, Orange County Bar Association

Founding co-chair, Orange County Chapter of the International Association of Privacy Professionals

Co-author, “Data Minimization: A Crucial Pillar of Cyber Security,” Cyber Security: A Peer-Reviewed Journal, February 11, 2025.

Quoted, “Big Tech, Advertisers Fight California Privacy Rule Proposal,” Bloomberg Law, February 2, 2025.

Featured, “'The Front Line of Regulating AI': Manatt's Brandon Reilly on CPPA's Move to Adopt New Data Broker and AI Rules,” The Recorder, November 15, 2024.

Quoted, “CPPA advances new data collection rules,” Daily Journal, November 13, 2024.

Quoted, “Private-sector AI bill clears Utah Legislature,” IAPP, March 6, 2024.

Quoted, “Analyzing 2023’s New State Privacy Laws: Oregon and Delaware Join the Strictest Tier,” Cybersecurity Law Report, July 12, 2023.

Quoted, “Neuralink’s problems may be beginning for AI medical device industry,” Daily Journal, December 9, 2022.

Quoted, “Compliance Checklist for Consumer and Employee DSARs,” Cybersecurity Law Report, November 16, 2022.

Quoted, “Watch Out B-to-B Companies, Your CCPA Data Exemption has an Expiration Date,” Adweek, September 8, 2022.

Quoted, “Privacy law rules to be considered by board next week,” Daily Journal, June 2, 2022.

Co-author, “When healthcare and consumer data rules collide: Compliance with the latest generation of data privacy laws,” Cosmos, June 2022.

Quoted, “California Businesses Gain Clarity on Consumer Data Requests,” Bloomberg Law, March 21, 2022.

Quoted, “California’s Late Privacy Rules Crunch Prep Time for Companies,” Bloomberg Law, March 4, 2022.

Featured, “Top Cyber Lawyers 2022,” Daily Journal, January 19, 2022.

Co-author, "Consumer Financial Services Answer Book (2022 Edition)," Practising Law Institute, November 2021.

Featured, “Top 40 Under 40: Brandon P. Reilly,” Daily Journal, July 28, 2021.

Quoted, “Colorado Privacy Law Finishes Third, but Could Become the New Standard,” Cybersecurity Law Report, June 23, 2021.

Quoted, “How the new Colorado Privacy Act will impact your business,” VentureBeat, June 9, 2021.

Quoted, “Other states copy California’s Consumer Privacy act,” Daily Journal, April 16, 2021.

Interviewed, “California Privacy Agency Board Poised to Tackle Tech Equity,” Bloomberg Law, March 18, 2021.

Co-author, “The California Privacy Rights Act Has Passed: What’s In It?” Pratt’s Privacy & Cybersecurity Law Report, November/December 2020.

Author, “California Harmonizes CCPA, HIPAA But Providers Still Face Obligations,” Bloomberg Law, October 27, 2020.

Co-author, “California's E-Receipts Bill Could Run Up Against Privacy Law,” MediaPost, May 28, 2020.

Co-author, “Why the Cannabis Industry Must Address the Unique Challenges of Mandated Data Retention,” Legaltech News, March 11, 2020.

Co-author, “6 Changes In California's New Draft Privacy Regulations,” Law360, March 2, 2020.

Co-author, Consumer Financial Services Answer Book (2020 Edition), Practising Law Institute, September 2019.

Interviewed, “What Does the California Consumer Privacy Act Mean for Healthcare Companies?” Healthcare Innovation, July 18, 2019.

Co-author, “Changing Exposures and Risks Posed by the Consumer Privacy Act: What You Need to Know and What Lies Ahead,” Decode Cyber Brief: Winter 2019 Edition, January 18, 2019.

Co-author, “INSIGHT: Even as the CCPA Remains a Moving Target, California’s New Law Portends a Surge of Consumer Litigation – Rain or Shine,” Bloomberg Law, September 17, 2018.

Co-author, "Tracking and the Consumer Privacy Issue," Retailing Today, October 4, 2013.

Co-author, "Expansion of California’s Anti-Deficiency Laws Means More Litigation For Creditors," JD Supra, September 26, 2013.

Co-author, "Dukes in California: Checking In On Mortgage Class Actions In the Golden State," Westlaw Journal, Vol. 19, Issue 2, June 17, 2013.

Co-author, "California's Homeowner Bill of Rights," Mortgage Banking Magazine, January 15, 2013.

California

University of Southern California Gould School of Law, J.D., 2011
Chair, Hale Moot Court Honors Program, National Moot Court Team

Pepperdine University, B.A., magna cum laude, 2007

Related Practices

Services

Litigation

Class Actions

Privacy and Data Security

Industries

Manatt Retail and Consumer Products

Consumer Financial Services

Manatt Digital and Technology

Metaverse

Artificial Intelligence

Gaming

Join our newsletter to stay up to date on features and releases.

ATTORNEY ADVERTISING, pursuant to New York DR 2-101(f)

© 2025 Manatt, Phelps & Phillips, LLP. All rights reserved.

Newsletter Subscription