Kim H. Phan

Partner

804.697.1445

More ways to contact Kim Phan

Overview
Representative Matters
Insights
Awards

Kim is a privacy, data security, and regulatory compliance attorney who provides strategic guidance to companies throughout their business cycle. From product development, marketing, and implementation to breach prevention and response, she provides practical and forward-thinking advice that helps clients to mitigate risk and achieve their goals. Kim has worked with clients across all major industry sectors, and offers particular depth in consumer financial services, retail, hospitality, higher education, and energy.

Kim provides comprehensive advice on federal and state privacy and data security statutes and regulations, helping organizations to incorporate privacy and data security best practices throughout all aspects of their business, including the development and deployment of artificial intelligence. Her experience ranges from helping clients establish effective data governance programs to preparing for, assessing, and responding to data breaches.

With an extensive background in artificial intelligence, e-commerce and mobile issues, Kim regularly counsels clients on updating and enhancing website privacy policies, adapting website functions for accessibility in compliance with the Americans with Disabilities Act (ADA), and establishing employee training on social media interactions with consumers.

Kim’s regulatory compliance practice centers on helping clients with a wide range of state and federal investigations, enforcement actions, and other interactions. She regularly handles matters involving the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and other federal regulatory agencies. Kim has successfully represented multiple national companies through the FTC investigatory process, resulting in “no-action” letters, and has counseled clients through state attorneys general and departments of consumer protection investigations.

  • Assisted a retail client with the adaption of an augmented reality mobile game.
  • Counseled a national consumer reporting agency through its CFPB compliance obligations, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing an audit process to assess compliance with federal consumer finance laws.
  • Assisted several clients in developing and launching mobile apps in concert with Apple and Google app store requirements, as well as during the appeals process.
  • Provided guidance to numerous companies in responding to security incidents and data breaches.
  • Negotiated security requirements for a vendor agreement to provide cloud storage services.
  • Counseled a major credit card company in establishing employee training on social media interactions with consumers.
  • Conducted online behavioral advertising assessments of websites to update and enhance the online privacy policies of various financial institutions.
  • Assisted a national lender in establishing a Gramm-Leach-Bliley Act Privacy Rule compliance program, including drafting annual privacy notices.
  • Assisted a major credit company in conducting a comprehensive unfair, deceptive, or abusive acts or practices (UDAAP) assessment of card member rewards programs.
  • Represented a national consumer products retailer throughout the company’s response to an FTC enforcement investigation, resulting in a “no-action” letter.
  • Counseled a national consumer reporting agency in preparation for CFPB examination, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing a compliance management system to address federal consumer financial laws, including the FCRA.
  • Submitted public comments on behalf of an industry trade association in response to the CFPB’s proposed rule on larger participants in the debt collection market.
  • Thomson Reuters Stand-out Lawyer (2024-2025) – independently rated lawyers
  • Chambers FinTech Legal USA, Data Protection & Cyber Security (2020-2025)
  • American College of Consumer Financial Services Lawyers, Fellow
  • JD Supra Readers’ Choice Awards, Data Privacy (2025)
  • Wonderful Women Lawyers of Color 2023
  • Legal 500 United States for Fintech (2020-2021)
  • Named a Top 50 Receivables Professionals of the Year by Receivables Advisor (2019)
  • Recognized as one of the 25 Most Influential Women in Collections by Collection Advisor (2016)
  • Named to Lawyers of Color’s Inaugural Hot List for 2013, recognizing 100 attorneys younger than 40
Overview

Kim is a privacy, data security, and regulatory compliance attorney who provides strategic guidance to companies throughout their business cycle. From product development, marketing, and implementation to breach prevention and response, she provides practical and forward-thinking advice that helps clients to mitigate risk and achieve their goals. Kim has worked with clients across all major industry sectors, and offers particular depth in consumer financial services, retail, hospitality, higher education, and energy.

Kim provides comprehensive advice on federal and state privacy and data security statutes and regulations, helping organizations to incorporate privacy and data security best practices throughout all aspects of their business, including the development and deployment of artificial intelligence. Her experience ranges from helping clients establish effective data governance programs to preparing for, assessing, and responding to data breaches.

With an extensive background in artificial intelligence, e-commerce and mobile issues, Kim regularly counsels clients on updating and enhancing website privacy policies, adapting website functions for accessibility in compliance with the Americans with Disabilities Act (ADA), and establishing employee training on social media interactions with consumers.

Kim’s regulatory compliance practice centers on helping clients with a wide range of state and federal investigations, enforcement actions, and other interactions. She regularly handles matters involving the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and other federal regulatory agencies. Kim has successfully represented multiple national companies through the FTC investigatory process, resulting in “no-action” letters, and has counseled clients through state attorneys general and departments of consumer protection investigations.

Representation Matters
  • Assisted a retail client with the adaption of an augmented reality mobile game.
  • Counseled a national consumer reporting agency through its CFPB compliance obligations, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing an audit process to assess compliance with federal consumer finance laws.
  • Assisted several clients in developing and launching mobile apps in concert with Apple and Google app store requirements, as well as during the appeals process.
  • Provided guidance to numerous companies in responding to security incidents and data breaches.
  • Negotiated security requirements for a vendor agreement to provide cloud storage services.
  • Counseled a major credit card company in establishing employee training on social media interactions with consumers.
  • Conducted online behavioral advertising assessments of websites to update and enhance the online privacy policies of various financial institutions.
  • Assisted a national lender in establishing a Gramm-Leach-Bliley Act Privacy Rule compliance program, including drafting annual privacy notices.
  • Assisted a major credit company in conducting a comprehensive unfair, deceptive, or abusive acts or practices (UDAAP) assessment of card member rewards programs.
  • Represented a national consumer products retailer throughout the company’s response to an FTC enforcement investigation, resulting in a “no-action” letter.
  • Counseled a national consumer reporting agency in preparation for CFPB examination, including conducting risk assessments of consumer products and services, updating policies and procedures, and establishing a compliance management system to address federal consumer financial laws, including the FCRA.
  • Submitted public comments on behalf of an industry trade association in response to the CFPB’s proposed rule on larger participants in the debt collection market.
Insights

Articles + Publications

Trump Administration’s Landmark Report on Digital Assets

Firm Events

State Regulations – Navigating the Evolving Landscape

Firm Events

Hot Topics in Solar Finance

Podcasts

Driving Digital Security: The FTC’s Safeguards Rule Explained

See all insights from Kim Phan

Awards
  • Thomson Reuters Stand-out Lawyer (2024-2025) – independently rated lawyers
  • Chambers FinTech Legal USA, Data Protection & Cyber Security (2020-2025)
  • American College of Consumer Financial Services Lawyers, Fellow
  • JD Supra Readers’ Choice Awards, Data Privacy (2025)
  • Wonderful Women Lawyers of Color 2023
  • Legal 500 United States for Fintech (2020-2021)
  • Named a Top 50 Receivables Professionals of the Year by Receivables Advisor (2019)
  • Recognized as one of the 25 Most Influential Women in Collections by Collection Advisor (2016)
  • Named to Lawyers of Color’s Inaugural Hot List for 2013, recognizing 100 attorneys younger than 40

Top areas of focus

  • Conference on Consumer Finance Law, Governing Committee, member
  • National Conference of Vietnamese American Attorneys, president-elect, Board member, secretary for the 2021-2022 Board
  • Vietnamese American Bar Association of the Greater D.C. Area (VABA-DC), Board member and immediate past president
  • International Association of Privacy Professionals
  • American Bar Association, Consumer Financial Services Committee
  • National Asian Pacific American Bar Association-Asian Pacific American Bar Association, Data Security and Privacy Committee, Financial Services Network
  • Mortgage Bankers Association, Data Protection Working Group member
  • Real Estate Service Providers Council
  • American Financial Services Association, CCPA Working Group
  • Receivables Management Association International – member of RMAI Editorial & Social Media Committee, member of Privacy Working Group

Education

  • George Mason University Antonin Scalia Law School, J.D., 2006, notes editor, Federal Circuit Bar Journal; president, Student Bar Association; Eleventh Circuit Lt. Governor, American Bar Association
  • University of Pennsylvania, B.A., cum laude, 2001, Benjamin Franklin Scholar

Bar Admissions

  • District of Columbia
  • Virginia

Court Admissions

  • Supreme Court of the United States
  • U.S. District Court, Eastern District of Virginia
  • Speaker, “Marketing Under Pressure: How New Laws like HPPA and Old Rules Collide,” CDIA, October 8, 2025.
  • Speaker, Mortgage Bankers Association: Legal Issues & Regulatory Compliance Conference, May 14-17, 2025.
  • Speaker, “Deep Dive into CPFB’s Agenda in a New Administration,” CDIA Connect, May 8, 2025.
  • Speaker, “FCRA Regulatory Requirements and Practical Solutions for Compliance,” Receivables Management Association International Webinar, April 16, 2025.
  • Speaker, “Navigating Legislative Updates, Litigation Trends, and Compliance Strategies,” PBSA Mid-Year Legislative & Regulatory Conference, March 25, 2025.
  • Speaker, “Privacy, Data Privacy and Information Security: Compliance in a Changing Landscape,” Credit Card Bank Compliance Association Panel, March 6, 2025.
  • Speaker, RMAi 2025 Annual Conference, February 11, 2025.
  • Speaker, “Maintaining Data Security in an Ever-Changing World,” Online Lenders Alliance Compliance University, July 16, 2024.
  • Speaker, The Technology Association of Georgia, June 26, 2024.
  • Speaker, “The Future of Finance: Consumer Data, Cash Flow, and Credit Reporting,” Consumer Data Industry Association, June 6, 2024.
  • Speaker, “Trends and Tools in Cyber and Fraud Protection,” AFSA Independents Conference, May 23, 2024.
  • Speaker, “U.S. State Privacy Laws: Compliance in an Evolving Landscape,” IAPP DC KnowledgeNet, May 21, 2024.
  • Panelist, “Use of AI in the Mortgage Industry and the Evolving Regulatory Landscape,” Mortgage Bankers Association 2024 Legal Issues and Regulatory Compliance Conference, May 7, 2024.
  • Panelist, “Artificial Intelligence Key Legal Considerations,” Troutman Pepper CLE Webinar, March 25, 2024.
  • Speaker, “2023 Data Privacy & Security Roundup,” Receivables Management Association Annual Conference, February 7, 2024.
  • Speaker, Troutman Pepper’s 2023 Public Company Seminar, December 7, 2023.
  • Panelist, “Navigating the AI Revolution: Crafting Effective Policies for Generative AI,” Association of Corporate Counsel (ACC) Greater Philadelphia Chapter — Women’s Summit, November 14, 2023.
  • Speaker, “Privacy 101: Moving From Concepts to Implementation,” Compliance Week, November 9, 2023.
  • Panelist, “Privacy, Politics, Pre-Emption and Private Causes of Action: What You Need to Know to Plan for 2024,” AccountsRecovery.net, November 2, 2023.
  • Speaker, “The Impact of the CFPB’s FCRA Rulemaking on the Consumer Reporting Industry,” Consumer Data Industry Association, October 26, 2023.
  • Speaker, “Exploring the Intersection of AI and Credit Union Compliance,” National Association of Federally-Insured Credit Unions (NAFCU) 2023 Regulatory Compliance & BSA Seminar, September 28, 2023.
  • Speaker, “Artificial Intelligence: Promise and Peril for Mortgage Lending,” Mortgage Bankers Association, Arlington, VA, September 22, 2023.
  • Panelist, “Staying Ahead of the Compliance Curve: Managing Regulatory & Legislative Change,” Consumer Data Industry Association: Law & Industry Conference, Washington, D.C., September 21, 2023.
  • Moderator, “Generative Artificial Intelligence: Transformative or Treacherous?,” National Conference of Vietnamese American Attorneys Annual Conference, Seattle, WA, September 16, 2023.
  • Speaker, TPPPA 2023 Solving the Payments Puzzle Conference, September 12-14, 2023.
  • Speaker, “Privacy Parade: How to Navigate the Rush of New State Privacy Laws,” Association of Corporate Counsel, July 20, 2023.
  • Speaker, “Navigating the AI Landscape: Privacy, IP, Policies and More – An Industry Expert Roundtable,” Troutman Pepper webinar, July 20, 2023.
  • Speaker, “Cybersecurity CLE,” Association of Corporate Counsel Charlotte, CLE, July 20, 2023.
  • Speaker, “Data Privacy and Data Security – What Every Compliance Professional Should Know,” Online Lenders Alliance, Compliance University, July 18, 2023.
  • Speaker, “The AAPI Experience in Leadership and Law,” Troutman Pepper, May 30, 2023.
  • Speaker, “Privacy Round-Up,” ACA International webinar, May 17, 2023.
  • Speaker, “Navigating Legislative Changes in Data Privacy & Security,” Consumer Data Industry Association, webinar, May 11, 2023.
  • Speaker, “Data Security and How to Protect Consumer Information,” Mortgage Bankers Association, Legal Issues and Regulatory Compliance Conference, May 9, 2023.
  • Speaker, “Who’s Watching the Watchers: A New Wave of Website Litigation,” Troutman Pepper, April 19, 2023.
  • Panelist, “Consumer Access to Data,” Online Lenders Alliance, April 19, 2023.
  • Speaker, “Regulatory Trends in Privacy and Data Security,” Credit Card Bank Compliance Association, April 13, 2023.
  • Speaker, “Hold, Please: TCPA and State Law Compliance After Autodialers,” National Association of Federally-Insured Credit Unions, March 30, 2023.
  • Speaker, “What You Need to Know About the Changing Data Security and Privacy Landscape Facing the Fintech Industry,” Online Lenders Alliance Legal Issues Conference, February 24, 2023.
  • Speaker, “Gramm-Leach-Bliley Act Safeguards Rule,” Coalition of Higher Education Assistance Organizations Annual Conference, February 14, 2023.
  • Speaker, “Federal Data Privacy and Security Update,” RMAI 2023 Annual Conference, February 8, 2023.
  • Speaker, Troutman Pepper’s 2022 Public Company Seminar Presentation on Cybersecurity Risk Management, December 8, 2022.
  • Speaker, “Data Security as an Element of Vendor Management,” RMAI Webinar, December 1, 2022.
  • Speaker, “All About Data: Ownership, Uses, Privacy and Security,” TPPPA – Solving the Payments Puzzle 2022 Annual Conference, November 18, 2022.
  • Speaker, ACA International 2023 Privacy and Data Security Wrap-up, November 9, 2022.
  • Speaker, NAFCU webinar on Preventing Inadvertent Privacy Violations, October 25, 2022.
  • Speaker, PayPal Legal Academies presentation on CPRA and Fintech, October 5, 2022.
  • Speaker, “Dawn of the Web3 Era and the Legal Landscape on Blockchain, NFTs, and Metaverses,” National Conference of Vietnamese American Attorneys, September 24, 2022.
  • Speaker, “State Privacy Law Developments,” RESPRO ’22 Fall Seminar, September 27, 2022.
  • Speaker, “Key Updates Track: The Shifting Data Privacy and Data Protection Landscape,” Mortgage Banking Association’s Regulatory Compliance Conference 2022, September 19, 2022.
  • Speaker, “Data Ownerships and Security,” LEND360, September 12, 2022.
  • Speaker, “FTC/GBLA Safeguards Rule – Huddle,” The Association of Credit and Collection Professionals, August 31, 2022.
  • Speaker, “Data Security: Failure Is Not an Option,” Online Lenders Alliance (OLA) 2022 Compliance University, July 20, 2022.
  • Speaker, “RESPRO Data Breach,” July 13, 2022.
  • Speaker, “To Be or Not to Be? Bipartisan U.S. Federal Privacy Bill Gains Momentum,” Consumer Data Industry Association (CDIA), July 6, 2022.
  • Speaker, “Where the Action Is: What Is the Future of Privacy Law?,” CDIA Law Conference, Session, June 7, 2022.
  • Navigating the Critical Differences Between the CCPA and the CPRA,” Troutman Pepper, May 26, 2022.
  • Speaker, “Data Security and Ransomware,” MBA Legal Issues and Regulatory Compliance Conference, May 24, 2022.
  • Speaker, “Examining the CFPB’s New IT Regulatory Guidelines,” Mike Gibb Accounts Recovery Webinar, May 3, 2022.
  • Speaker, “Is There a New Era for Data Privacy on the Horizon?,” Online Lenders Alliance, Executive Policy Summit, April, 27, 2022.
  • “State Privacy Laws – Complying with and Preparing for New Requirements,” Real Estate Services Providers Council, Inc. Webinar, April 13, 2022.
  • “Consumer Privacy,” Petroleum Marketing Attorneys’ Meeting, April 1, 2022.
  • “ADA Compliance,” CMBA’s Legal Overview of ADA Issues and Best Practices 2022, March 28, 2022.
  • “State of Consumer Privacy,” NAFCU’s Strategic Growth Conference, March 21 – 23, 2022.
  • “Privacy & Data Security Preview 2022,” Consumer Data Industry Association – Webinar, March 10, 2022.
  • “Cybersecurity: Emerging Legal Standards and Trends,” Receivables Management Association International, Annual Conference, February 8, 2022.
  • “Regulatory Landscape Update 2021,” Consumer Data Industry Association – Webinar, November 10, 2021.
  • “Prioritizing Privacy – Building a Compliance Program for Evolving State Laws,” Association of Consumer Vehicle Lessors – Annual Conference, October 21, 2021.
  • “How Data Furnishers Should Prepare for a Regulatory Exam,” SIMPLICITY 2021- e-OSCAR Users’ Conference, October 13, 2021.
  • “Cybersecurity for the Student Loan Industry: Preventing and Responding to Incidents,” Education Finance Council, September 28, 2021.
  • “Legal Update: Identity & Access Management,” CISO Executive Network, Philadelphia Chapter, September 22, 2021.
  • “Data Privacy and Security,” Mortgage Bankers Association, Regulatory Compliance Conference, September 13, 2021.
  • “Time for a Data Governance Checkup? Keeping Your Privacy and Data Security Compliance Program Healthy,” Conference on Consumer Finance Law, July 21, 2021.
  • “Credit Reporting,” Minnesota Bankers Association, July 15, 2021.
  • “PRIVACY: Is Virginia the New California and Will Congress Finally Weigh In?” CDIA Law & Industry Conference, July 13, 2021.
  • “Compliance Considerations for Your Websites and Online Resources,” ACA webinar, June 24, 2021.
  • “Social Media Opportunities and Pitfalls for Your Company—Setting Guardrails and Guidelines,” ACA webinar, June 17, 2021.
  • “Recent Federal and State Privacy/Data Security Developments,” ACA webinar, June 10, 2021.
  • “Data Protection and Privacy Challenges,” Legal Issues & Regulatory Compliance Conference, Mortgage Bankers Association, May 26, 2021.
  • “CCPA to CPRA – Enhancing Privacy Compliance Systems,” RESPRO28, April 8, 2021.
  • “Credit Reporting Under the CARES Act,” RESPRO28, April 8, 2021.
  • “The Age of Consent: Managing Consumer Communication Preferences in a Clear and Conspicuous Way,” ACA IGNITE, March 25, 2021.
  • “Use of Connected Car Data by Auto Finance Companies,” 2021 Vehicle Finance Conference, Operations and Regulatory Compliance Committee Meeting, American Financial Services Association, February 18, 2021.
  • “FCRA & Covid-19: Legislation & Regulatory Update,” Risk & BSA Conference, CCUL Risk Management Resources, January 8, 2021.
  • “ACA Huddle CFPB Rule Series Part Two: Credit Reporting 101,” ACA International, January 6, 2021.
  • “On to 2021: What Lies Ahead?,” ACC Minnesota Lunch and Learn, December 16, 2020.
  • “Leadership in the Legal Community,” George Mason University Antonin Scalia Law School webinar, November 17, 2020.
  • “Credit Reporting Under the New CFPB Debt Collection Rule,” ACA International Huddle webinar series, November 11, 2020.
  • “Privacy and Data Security Updates,” ACA International Fall Forum Session, November 5, 2020.
  • Moderator, “If You Think the CFPB Stepped Back From Supervision and Enforcement, You’re Not Paying Attention,” RESPRO, November 5, 2020.
  • Panelist, “PRIVACY: The More Things Change, the More They Stay the Same,” CDIA Law & Industry Conference, September 24, 2020.
  • Panelist, “Legal Education: Big Brother Is Watching: Privacy Protection Statutes in 2020,” ACA International’s 2020 Virtual Convention & Expo, July 15, 2020.
  • “Through the California Looking Glass: Making the Requirements of the CCPA Clear and Understandable,” RMAI Conference, February 4, 2020.
  • “Surveying the Murky Landscape of Data Privacy Laws: Illuminating Tips on a Clear Path to Compliance,” RMAI Conference, February 4, 2020.
  • Panelist, “Putting the Person Into Personal Data: The Expansion of Personal Data and How to Navigate its Changes, its Regulation and its use in Financial Svcs (including Blockchain),” American Bar Association Consumer Financial Services Committee Winter Meeting, January 18, 2020.