Photograph of Kate M. Growley, CIPP/G, CIPP/US View LinkedIn page Download V-card

Kate M. Growley, CIPP/G, CIPP/US

Phone: +1 202.624.2698
1001 Pennsylvania Avenue NW
Washington, DC 20004-2595

Kate M. Growley is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm's Privacy & Cybersecurity, Government Contracts, and Litigation groups. Her practice covers a wide range of counseling and litigation engagements, including cybersecurity compliance reviews, risk assessments, incident response, law enforcement cooperation, regulatory investigations, data breach class actions, trade secrets litigation, and health care disputes.

Kate is a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/US, CIPP/G) and has been named a “Rising Star” by both Law360 (2018) and the American Bar Association's Science & Technology Section (2016). Kate serves as co-chair of the Science & Technology Section's Homeland Security Committee and as vice-chair of the Public Contract Law Section’s Cybersecurity, Privacy, & Data Protection Committee. Kate also sits on PubK Law’s Advisory Board, advising on cybersecurity issues for government contractors. Additionally, she is an award-winning author and frequent public speaker, and she regularly trains clients, regulators, and other attorneys on cyber and data security issues.

Kate is an active leader within Crowell & Moring, supporting countless firm initiatives, including serving as the immediate former co-chair of the firm's Women Attorneys' Network.

She received her J.D. from the University of Virginia School of Law, where her studies focused on national security. Prior to law school, she graduated first in her class from Florida State University, summa cum laude with honors.

Cybersecurity for Government Contractors

Kate maintains a robust cybersecurity practice focused on the government contracting community, particularly those working with the Department of Defense. Her recent engagements address issues including:

  • Crafting and implementing strategies to comply with DFARS 252.204-7012, including the drafting of system security plans (SSPs) and plans of action & milestones (POAMs).
  • Assessing whether, when, and how to report cyber incidents under DFARS 252.204-7012.
  • Understanding and negotiating cloud service provider agreements under DFARS 252.204-7012 and DFARS 252.239-7010.
  • Complying with basic safeguarding requirements under FAR 52.204-21 and privacy training requirements under FAR 52.224-3, as well as NIST SP 800-171 and NIST SP 800-53.
  • Assessing and complying with security obligations under the NISPOM, Privacy Act, and FISMA.
  • Evaluating and managing insider threat and supply chain risks, including potential disclosures.
  • Evaluating entry into the Defense Industrial Base (DIB) Cybersecurity Information Sharing Program.
  • Advising on jurisdictional and accessibility issues related to overseas data hosting, including the Foreign Intelligence Surveillance Act (FISA) and Presidential Policy Directive 28 (PPD-28).
  • Negotiating voluntary use of government investigation and hunt teams, including with the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Missile Defense Agency (MDA).
  • Advising on cybersecurity concerns in pre-award contractual negotiations at both the federal and state levels.

Incident Response

On a daily basis, Kate is helping clients manage and respond to cyber incidents. Her practice covers the full incident lifecycle from tailoring incident response plans to liaising with relevant stakeholders. Example engagements include:

  • Represented major technology company in assessing and responding to well-publicized security incident, including assessments of global customer notification obligations and litigation exposure, as well as extensive cooperation with U.S. and foreign law enforcement.
  • Assisted large manufacturer in responding to security incident stemming from Internet-connected devices provided by third parties, including assessments of potential legal liabilities and assistance with government agency investigations.
  • Counseled major government contractor in assessing customer notification obligations associated with large exfiltration of company data to a foreign nation.
  • Advised international manufacturer and government contractor regarding crisis management strategy in response to security vulnerability disclosure.
  • Counseled non-government organization in investigating and remediating security incident implicating personally identifiable information (PII), as well as leading required individual and state Attorney General notifications.
  • Led large research organization’s response to ransomware incident, including forensic investigation, assessment of customer and employee notification obligations, and regulator outreach.

Investigations, Litigation, and Arbitration

In addition to her counseling practice, Kate maintains a steady docket of dispute resolution matters. Recent engagements include:

  • Represented multiple health care plans in regulatory investigations instituted by The Department of Health & Human Services Office of Civil Rights in response to privacy and security incidents.
  • Represented large non-profit organization and technology services provider in response to state Attorney General inquiries stemming from security incidents.
  • Defended health care system in complex class actions stemming from security incident potentially affecting over 4.5 million individuals.
  • Defended former federal official regarding Bivens liability stemming from post-9/11 PENTTBOM investigation at the trial level and on appeal, including before the Supreme Court of the United States in Ziglar v. Abbasi.
  • Defended acting foreign official from allegations of terrorism.
  • Pursued indemnification claim under Public Law 85-804 on behalf of major defense contractor.
  • Defended Medicare Advantage organization at both the trial and appellate levels in dispute brought by multiple health providers over the exhaustion of administrative remedies.
  • Defended Blue Cross and Blue Shield companies in national and statewide class actions asserting antitrust claims.
  • Represented multiple manufacturers in pursuing trade secret misappropriation claims in federal and state courts.
  • Represented international hospitality company in federal litigation and related arbitration regarding claims of unfair competition and misappropriation of trade secrets.
  • Represented software service provider in arbitration regarding contractual and unauthorized access claims, including those brought under the Computer Fraud & Abuse Act (CFAA).

Privacy and Cybersecurity Counseling

Kate also regularly counsels clients on a variety of privacy and information security issues, including:

  • Artificial intelligence (AI) and big data
  • Autonomous vehicles (AVs)
  • California’s Confidentiality of Medical Information Act (CMIA)
  • Cloud migration and other digital transformation initiatives
  • Europe’s General Data Protection Regulation (GDPR)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Internet of Things (IoT)
  • New York’s Department of Financial Services (DFS) Cybersecurity Requirements
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Penetration testing
  • UAS/UAV (“drone”) regulations


  • Florida State University, B.A. (2008) summa cum laude with honors
  • University of Virginia School of Law, J.D. National Security Law (2011)


Admitted to practice: District of Columbia and Virginia; U.S. Supreme Court

View More

"DCMA Revises Cyber Supply Chain Review: Updated Guidebook Modifies Audit Standards," Government Contracts Bullet Points (July 16, 2019). Contacts: Evan D. Wolff, Nicole Owren-Wiest, Maida Oringher Lerner, Kate M. Growley, CIPP/G, CIPP/US, Michael G. Gruden, CIPP/G
Client Alert/Newsletter
"NIST Extends Comment Period for Two New Drafts," Crowell & Moring's Data Law Insights (July 15, 2019). Authors: Kate M. Growley, CIPP/G, CIPP/US and Allegra K. Flamm.
"These Are a Few of Our Favorite IoT: NIST Finalizes Internet of Things Cyber Guidance," Government Contracts Bullet Points (July 2, 2019). Contacts: Kate M. Growley, CIPP/G, CIPP/US, Cheryl A. Falvey, Evan D. Wolff, Peter B. Miller, CIPP/G/US/E, CIPM, CIPT, Michael G. Gruden, CIPP/G
Client Alert/Newsletter
"Double Whammy: NIST Unveils Draft Enhanced Security Requirements and Revisions to NIST SP 800-171," Government Contracts Bullet Points (June 21, 2019). Contacts: Kate M. Growley, CIPP/G, CIPP/US, Evan D. Wolff, Maida Oringher Lerner, Michael G. Gruden, CIPP/G
Client Alert/Newsletter
"DoD Previews New Third-Party Cyber Certification Requirements," Government Contracts Bullet Points (June 17, 2019). Contacts: Evan D. Wolff, Maida Oringher Lerner, Kate M. Growley, CIPP/G, CIPP/US, Michael G. Gruden, CIPP/G
Client Alert/Newsletter
"Oregon Latest State to Require Reasonable Security for IoT Devices," Regulatory Alert (June 7, 2019). Contacts: Kate M. Growley, CIPP/G, CIPP/US, Cheryl A. Falvey, Lee Matheson, CIPP/US/E/A, CIPM, PCIP
Client Alert/Newsletter
"The U.S. Announces Endorsement of OECD’s Principles for Responsible AI," Government Contracts Bullet Points (June 4, 2019). Contacts: Kris D. Meade, Rebecca L. Springer, Kate M. Growley, CIPP/G, CIPP/US, Laura J. Mitchell Baker, Michelle D. Coleman
Client Alert/Newsletter
Pentagon To Require New Cybersecurity 'Certification' From Defense Contractors Inside Defense (May 31, 2019)
In the News
"More Storms Ahead for the Defense Sector Supply Chain? GAO to Conduct Review of Climate Change-Driven Security Risks," Government Contracts Bullet Points (May 29, 2019). Contacts: Paul Freeman, Robert Meyers, Adelicia R. Cliffe, Kate M. Growley, CIPP/G, CIPP/US, Peter Eyre
Client Alert/Newsletter
"New Executive Order on IT Supply Chain Takes Aim at Huawei and Others, Poses Significant Implications for Government Contract Supply Chains," Government Contracts Bullet Points (May 16, 2019). Contacts: Paul Freeman, Adelicia R. Cliffe, Peter Eyre, Kate M. Growley, CIPP/G, CIPP/US, Evan D. Wolff
Client Alert/Newsletter

For all Highlights, News & Knowledge, please click here to view desktop bio.

Crowell & Moring LLP is an international law firm with more than 500 lawyers representing clients in litigation and arbitration, regulatory, and transactional matters. The firm is internationally recognized for its representation of Fortune 500 companies in high-stakes litigation, as well as its ongoing commitment to pro bono service and diversity. The firm has offices in Washington, DC, New York, Los Angeles, San Francisco, Orange County, London, and Brussels.

View Desktop Site | Mobile Sitemap

Contact | Subscribe | Terms of Use/Privacy Policy | Alumni

© Crowell & Moring LLP 2019
Attorney advertising - prior results do not guarantee a similar outcome.