Home > People > Melissa Ventrone, CIPP/US

Melissa Ventrone, CIPP/US


312 580 2219 direct

When a cybersecurity incident strikes, Melissa coordinates a swift and strong breach response to manage her clients' situation and minimize damage. As chair of Thompson Coburn's cybersecurity practice, she leads teams of first responders, including lawyers and forensic investigators, in jumping head-on into a crisis.

Melissa and her team work around the clock to control a breach situation and manage any public or regulatory fallout. When not in urgent response mode, Melissa represents her clients in cybersecurity litigation and proactively managing data privacy and security risks.

Breach response

Melissa has led cybersecurity incident response teams in connection with small breaches impacting a few hundred people to larger breaches impacting millions on behalf of merchants, financial institutions, medical providers and educational institutions. Melissa and her team work with clients to preserve evidence, determine a breach's scope, document the response and craft communications that both meet legal requirements and protect a company's brand. She also advises on establishing incident call centers and staff training, in addition to formulating other methods to protect impacted individuals from potentially negative outcomes.

Cybersecurity litigation

Melissa has attained considerable success in defending companies facing data security and privacy litigation, including class actions. She represents numerous clients in litigation and arbitration, including disputes related to privacy, invasion of privacy, contracts, consumer fraud, statutory claims and other matters. She has litigated cases of first impression establishing favorable law, including obtaining summary judgment in a class action case alleging damages from the theft of a hard drive.

Cybersecurity risk management

Melissa advises clients on compliance with state, federal and international laws and regulations. She helps companies ensure that policies, procedures and cyber crisis response plans are sufficient. Melissa runs breach simulation exercises, which are very useful tools for training, testing and enhancing a company's response time in a breach situation. When vulnerabilities are found, Melissa works with management teams, boards of directors, vendors, outside consultants and other third parties to build and execute risk-reducing action plans.

In addition, Melissa drafts and negotiates contractual agreements concerning data use and retention and privacy and security, including cloud computing contracts. She also serves as a first responder for situations involving use or misuse of computers and other devices.

Accomplished leader

Melissa's leadership abilities extend beyond her legal practice. She recently completed a distinguished 21 years of service in the Marine Corps Reserve, holding several key positions, including Company Commander for a 200-person unit, Executive Officer for a 329-person company deployed to Afghanistan, Operations Officer for a 1,000-person motor transport battalion, and the Logistics Officer for Combat Logistics Regiment 4. She also volunteers as an ombudsman for the Employer Support for the Guard and Reserve in which she serves as a mediator on employment-related disputes.

The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law, and the CIPP/US certificate is not a requirement to practice law in Illinois.

Melissa and her breach response team have attained notable success in litigation and defending clients in a variety of situations. Recent examples include:

Three hours after being retained by an international client, Melissa mobilized her team to file a temporary restraining order preventing an Internet service provider (ISP) from permitting an unauthorized individual, who had changed the access codes for the account, from gaining further access to the account or data within the account.

Melissa was retained to assist a company with domain names that had been hacked and transferred to a different ISP. Acting quickly to prevent the domains from being redirected to a malicious server, Melissa mobilized her team in the appropriate jurisdictions. She filed documents with the court to be heard on an emergency basis, requesting the domains be transferred back to the appropriate ISP. The court granted the request, preventing the company from suffering any further harm.

Melissa successfully defended a health care performance improvement company in class action litigation resulting from a stolen hard drive that contained personally identifiable information. The plaintiff alleged that the client was negligent and violated consumer fraud statutes because it failed to properly protect the information on the hard drive, resulting in emotional distress, lost wages, lost time for researching identity theft and risk of identity theft.

Melissa also has a consistent track record of favorably resolving countless breach situations. Specially crafted responses have successfully enhanced the reputations of breached entities that Melissa and her team represented. For example, they:

Represented an educational institution when one of its vendors disclosed personal health information of the institution's employees and dependents to the wrong employees. Working quickly, Melissa coordinated with the vendor to determine the scale of the breach and that the error had been remediated, provided a communication plan that enabled the employer to notify the employees in person, and arranged for an identity restoration resolution with an outside vendor. Based on this response, the employees expressed satisfaction with the institution's actions.

Assisted a health care facility in responding to a breach that involved a stolen hard drive. When the facility learned that a hard drive containing key data, including union employee personal and health care information, had been stolen, Melissa and the breach response team members quickly obtained identity restoration services for the impacted individuals and helped ensure compliance with breach notification laws, while working with the HIPAA compliance team to address HIPAA issues and coordinate with local regulators. The impacted individuals and their unions were pleased with the facility's response, as were regulators. Press accounts noted that the facility's response to its breach was an example of how a breach should be handled.

Successfully represented several merchants that had suffered a credit card breach, working with forensic investigators who specialize in payment card breaches as well as the processor, banks and the credit card companies to reduce any potential fines or assessments. Melissa has a proven track record of reducing the overall liability of the company based on her in-depth knowledge of the payment card industry's processes.


Dealing with Vendors and Data Security

One Year to Implementation: What Companies Need to Know About the GDPR and EU Data Privacy Laws

Ethics and Cybersecurity


Bank regulators issue guidance on cyber insurance

South Dakota enacts its first data breach notification law, leaving Alabama the last holdout

SEC announces new interpretive guidance in cybersecurity

Beware this years’ taxpayer refund scams and data breaches: 8 steps recommended by the IRS

4 ways to manage cybersecurity risks in business and transactions

Bipartisan bills bolster cybersecurity protections for small business

7 things you might not know about cybersecurity insurance

Illinois takes the lead on employee privacy: What employers need to know

3 things your school should know about Missouri State Auditor’s emphasis of cybersecurity

Executive order presents three-pronged approach to improving U.S. cybersecurity