Philip N. Yannella



Phil Yannella regularly counsels clients on data, privacy, and cybersecurity issues relating to the use of digital information. He represents financial institutions, media organizations, tech companies, online platforms, life sciences companies, global manufacturers, gaming companies, and higher eds.

Phil has counseled and represented clients in a wide array of privacy and data security litigations including lawsuits filed under the Telephone Consumer Protection Act (“TCPA”), Defense of Trade Secrets Act, Computer Fraud and Abuse Act, Stored Communications Act, Video Privacy Protection Act (“VPPA”), and Illinois Biometric Information Protection Act, as well as state wiretap and data breach class actions and website accessibility claims. He has extensive experience coaching clients through data breaches. He has handled over 500 breaches for clients to date, managing breach notification in all 50 states and more than 35 foreign jurisdictions, and has led the defense of numerous regulatory investigations relating to data breaches, including those brought by state Attorney Generals, the Office of the Comptroller of the Currency (“OCC”), New York State Department of Financial Services (“NY DFS”), the UK Information Commissions Office, and Canadian privacy regulators.

In addition, Phil regularly advises clients on compliance with federal, state, and international data protection laws including California, Virginia, Colorado, Connecticut, and Utah state privacy laws, the Children's Online Privacy Protection Act, Health Insurance Portability and Accountability Act (“HIPAA”) security rules, the General Data Protection Regulation (“GDPR”), UK Data Protection Act, UK Age Appropriate Design Code, and ePrivacy Directive. He works closely with banks and other financial institutions on compliance with the privacy and security components of the Gramm Leach Bliley Act, Interagency Guidelines, NY DFS cyber-regulations, and the Payment Card Industry Data Security Standard (“PCI DSS”). He is accredited as a Certified Information Privacy Professional (“CIPP/US”).

Phil is a frequent commentator, presenter, and author on legal issues related to data privacy, cybersecurity, and information governance. He has received multiple Readers’ Choice awards from JD Supra for his writing on cybersecurity issues. He is the author of Cyber Litigation (Thomson Reuters, March 2021). He has been named to The Legal 500 US, Dispute Resolution.

While in law school, Phil was a member of the Political and Civil Rights Law Review and Temple Moot Court and a recipient of the Trial Advocacy Program’s Outstanding Advocate Award.


Complex Litigation & Regulatory Investigations

  • Obtained dismissal in a putative class action under the VPPA, alleging that a radio station shared video viewing history of subscribers via use of Meta Pixel.
  • Obtained dismissal of a putative class action under the VPPA, alleging that a broadcasting company shared video viewing history of subscribers via use of Meta Pixel.
  • Obtained dismissal of state healthcare department in class action premised on vendor’s breach of personal medical information collected as part of COVID-19 tracking program.
  • Successfully represented a software-as-a-service provider in an action seeking a preliminary injunction to require the company to implement additional security controls in its software.
  • Obtained dismissal of a lifestyle magazine in wiretap litigation under Florida state law premised on company’s use of “session replay” software.
  • Represented a major data aggregator in NY DFS investigation relating to the exposure of driver’s license information in online insurance quote tools.
  • Successfully represented an auto finance company in a bet-the-company TCPA action with damage allegations of more than $100 million. Defeated class certification and prevailed on summary judgment on grounds that the client had not used an auto-dialer within meaning of TCPA.
  • Successfully represented a national bank in overdraft litigation, asserting eight-figure losses relating to use of decisioning tools for processing of debit card transactions that trigger overdraft fees. Successful defense of settlement against objector claims in Eleventh Circuit.
  • Successfully represented a national bank in overdraft litigation, asserting nine-figure losses relating to use of decisioning tools for processing of debit card transactions that trigger overdraft fees.
  • Represented a biopharmaceutical business regarding effect of French, German, and UK data protection laws on discovery of clinical trial and other information in U.S. products liability litigation.
  • Successfully represented a science and technology company in a civil action seeking publication of anonymized clinical data valued at one billion dollars. Using a re-identification analysis, successfully persuaded the court that publication would reveal private health information of 95 percent of clinical trial patients. Represented party regarding effect of French blocking statute and UK Data Protection Act on discovery in U.S. litigation.

Crisis Management & Incident Response

  • Represented an international FinTech company in connection with ransomware attack of vendor systems by Maze/Ragnar threat actors. Attack resulted in exfiltration and exposure of 500 GB of customer data. Assisted in defense of client in follow-on Securities and Exchange Commission investigation.
  • Representing international toy manufacturer in ransomware attack by Hive threat actors, managing U.S. and EU reporting obligations.
  • Represented international household appliance manufacturer in ransomware attack involving exfiltration of 50 GB of consumer and employee data.
  • Counseled a nonprofit hacked by Chinese nationals and coordinated a response with the FBI.
  • Counseled health finance company on HIPAA and Federal Trade Commission reporting obligations arising from use of online tracking technologies.
  • Counseled a major telecommunications company on potential legal exposure arising out of review of hacked e-mails posted to WikiLeaks.
  • Conducted multiple internal investigations spanning several years for a leading online retailer arising out of suspected violations of access and identity management policies, resulting in developer access to production environments.
  • Counseled a gaming company in response to a suspected credit card skimming operation. Guided the client through an initial investigation and engagement with credit card fraud units and government entities, and provided advice on data breach notification procedures.
  • Represented national mortgage processor in OCC investigation relating to security incident involving alleged compromise of customer account information.
  • Counseled a global biotech in connection with theft of trade secrets by a former contractor.

Privacy Counseling

  • Advised clients in identifying technologies that constitute artificial intelligence (“AI”) under existing privacy laws, such as GDPR and California Consumer Privacy Act (“CCPA”), that trigger additional compliance requirements and risk assessments. These technologies include employee screening and monitoring tools, facial recognition AI, etc.
  • Advised clients regarding AI biometric scanning technologies covered under U.S. biometric laws.
  • Counseled multiple tech startups on compliance with U.S. biometric laws in connection with development of facial surveillance software.
  • Advised a lifestyle magazine on privacy, data security, e-commerce, and 2257/FOSTA issues in connection with launch of Centerfold platform.
  • Counseled numerous media and gaming companies on privacy and tech compliance in connection with mergers, sales, and acquisitions.
  • Counseled international FinTech company on data protection compliance in connection with launch of data cloud and analytics-as-a-service platform.
  • Assisted numerous banks, telecommunications companies, rental car companies, specialty chemical manufacturers, and life science companies on the implementation of global information governance programs.
  • Advising gaming companies on privacy, contractual, intellectual property, and wiretapping issues in connection with use of ChatGPT.
  • Counseling business information provider on consenting and notice requirements under CCPA, GDPR, UK GDPR, and Swiss, Australian, and Brazilian privacy laws relating to the sale of business contact information.
  • Counseling a leading rental company on ownership and monetization of connected car data.
  • Assisting a major auto loan finance company in connection with PCI DSS compliance project.
  • Counseling media organizations, gaming companies, and buy-now-pay-later payment providers on compliance issues relating to use of application programming interfaces and web scraping tools.

News & Views

See all News and Views


  • 2023, Readers' Choice Award, Top Author in Cybersecurity and Data Privacy, by JD Supra
  • 2019, Dispute resolution – E-discovery, listed in The Legal 500 United States



  • Defense Research Institute
  • ARMA International
  • International Association of Privacy Professionals
  • The Sedona Conference Institute
Professional Activities

Phil serves as a member of The Sedona Conference Institute’s International Data Privacy, eDiscovery, and Cross-Border Data Transfer Issues Working Groups.



  • Pennsylvania
  • New Jersey


  • Temple University Beasley School of Law, JD
  • Temple University, BA, summa cum laude