  • Education
    • J.D., University of Southern California Gould School of Law, 2015
    • B.B.A., Emory University Goizueta Business School, 2012
  • Court Admissions
    • U.S. District Court, Northern District of Illinois, 2015
    • U.S. District Court, Central District of Illinois, 2018
    • U.S. District Court, Southern District of Illinois, 2018
    • U.S. District Court, Northern District of Indiana, 2018

Sal Phillips is an associate attorney in the Technology Transactions and Data Privacy practice group. He regularly advises clients on issues of breach response, risk assessment and management, policies and procedures, tabletop exercises, and information security due diligence associated with corporate transactions. Sal also assists clients with implementing compliance programs under the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) Standards, and the Defense Federal Acquisition Regulation Supplement (DFARS).

In addition, Sal has extensive experience with U.S. and international privacy laws, including the California Consumer Privacy Act (CCPA), the New York Department of Financial Services Cybersecurity Regulation, the Gramm-Leach-Bliley Act (GLBA), the New York SHIELD Act, the European Union’s General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act. Sal uses his knowledge to advise clients on their legal rights and responsibilities under state, federal and international privacy laws, including notification to individuals affected by a breach and to regulatory authorities. 

Sal also represents clients in connection with state and federal government investigations and third-party claims that arise out of a cybersecurity incident. In this capacity, Sal handles issues that arise during investigations by state and federal agencies, including the U.S. Department of Health and Human Services Office for Civil Rights and various state Attorneys General.

Sal is a Certified Information Privacy Professional for Europe (CIPP/E) and the United States (CIPP/US). Before joining Polsinelli, he worked for an international law firm, where he assisted large and small entities with incident response and other emerging privacy and data security challenges, including compliance with newly enacted laws.

  • Assisted the Federal Bureau of Investigation, the U.S. Secret Service, and the U.S. Department of Homeland Security in investigating cyber-crimes and cyber-attacks by bad state actors.
  • Designed and implemented risk management protocols, including testing breach response plans and certifying HIPAA compliance, for an optometry office.
  • Counseled numerous entities in situations involving wire fraud and other types of cyber fraud. 
  • Served as breach counsel to college following brute-force password attack resulting in the compromise of personally identifiable information (PII) of over 250,000 students, alumni, parents, and employees residing in more than 40 states and several foreign countries.
  • Assisted the U.S. Attorney’s Office for the Middle District of Florida in its investigation into and subsequent prosecution of a healthcare worker who was found to have sold patients’ Social Security numbers on the dark web.
  • Represented client in an indemnification dispute following a Point of Sale (POS) breach.
  • Served as breach counsel for a national physical therapy network that experienced multiple Office365 compromises impacting over 115,000 patients residing in over 35 states. 
  • Counseled numerous entities in Office365 and other email compromises.
  • Served as breach response and regulatory counsel for health care provider in breach involving the unauthorized acquisition of patient list and related records by a former physical therapist.
  • Counseled numerous entities in situations involving ransomware and other types of cyber-extortion.