Kamran Salour



Kamran Salour is a partner in the Orange County office of Lewis Brisbois and Co-Chair of the Data Privacy & Cybersecurity Practice. 

Kamran focuses his practice on leading his clients through the incident response process. This process includes directing forensic investigations, developing post-incident response notification plans, and responding to regulatory investigations. Kamran also helps his clients assert or defend against claims in state and federal litigation resulting from data security incidents.

For each data incident, Kamran seeks to answer three main questions for his clients: (1) how the incident occurred; (2) how best to comply with any legal obligations the incident created; and (3) how to reduce the likelihood of an incident happening again. In his response work, Kamran strives to minimize disruption to his clients, preserve their customer relationships, and reduce the likelihood and consequences of litigation and regulatory investigations.

As part of his security incident response work, Kamran also helps clients with pre-incident planning, including developing incident response plans and modifying vendor agreements to clarify each parties’ obligations should an incident occur. As a Certified Information Privacy Professional for the U.S. and Europe (CIPP/US/E) and a Certified Privacy Information Technologist (CIPT), Kamran can also counsel companies about information governance and help them comply with data protection laws.

Armed with years of experience as a litigator, Kamran provides his clients with a unique perspective on data privacy and protection issues. He brings a pragmatic problem-solving approach to his incident response work, an approach that he developed and honed through years of resolving high-stakes litigation disputes on behalf of his clients. Because of his litigation experience, Kamran’s skill set includes messaging an incident in a way to minimize litigation and business disruption.

Primary Area(s) of Practice

  • Data Privacy & Cybersecurity



US Dist Court for the Central Dist of CA

US Dist Court for the Northern Dist of CA

US Dist Court for the Eastern Dist of CA

US Dist Court for the Southern Dist of CA


  • International Association of Privacy Professionals
  • Los Angeles County Bar Association, Privacy and Cybersecurity Section

Awards & Honors

“Rising Star,” Southern California Super Lawyers, 2014-2018

Professional Presentations

  • Speaker, Panel, “The Rise of Double-Extortion Ransomware,” Consumer Financial Services Committee, Business Law Section Winter Meeting, January 7-9, 2024. 
  • “A Toast to the New Year – A Recap of 2023 & Preview of 2024,” Lewis Brisbois Webinar, December 7, 2023.
  • “Data Protection for Lawyers – You Owe It to Your Client,” DANY CLE, Virtual, October 3, 2023.
  • “Cybersecurity for Lawyers – Yes, You Are a Target,” DANY CLE, Virtual, October 3, 2023.
  • "Cyber Risk Management Will be a Top Priority for Business Leaders in 2023," ELN Cybersecurity, Privacy and Data Protection Retreat - Monterey Plaza Hotel & Spa, Monterey, CA, September 12, 2023.
  • “Are We Really Not Paying the Ransom," IAPP. Privacy.Security.Risk., San Diego, CA,  October 6, 2023.
  • “Cybersecurity: Practical Tips & Best Practices,” Virtual CLE for Quimbee, July 26, 2023.
  • “Navigating Privacy, GRC, and Security in Today's Business Environment,” Virtual Roundtable, June 28, 2023.
  • “Artificial Intelligence: What It Is, Ways It Can Help My Legal Practice, and Its Risks & Limitations,” Virtual CLE for Lawyers Mutual, June 27, 2023.
  • “Buckle Up: The Future of Data Security & AI is Here! How it Affects You and Your Enterprise and What You Need to Know About This Data Infrastructure Revolution,” Congressional Country Club, Bethesda, MD, June 20, 2023.
  • “The Coming SEC Cybersecurity Rules,” Privacy + Security Forum, Washington DC, May 11, 2023.
  • Speaker, “The Rise of Double-Extortion Ransomware,” Sub-Four Cybersecurity Privacy Data Protection Retreat, July 12, 2022. 
  • Speaker, “The Rise of Double-Extortion Ransomware,” Sub-Four Cybersecurity Privacy Data Protection Retreat, May 24, 2022.
  • Speaker, “Are the Russians Coming?,” Credit and Collection News Conference 2022, April 5, 2022.
  • Speaker, “Ransomware: Practical Ways to Limit Its Impact on Your Organization,” ISACA OC Event, March 25, 2022. 
  • Speaker, Panel, Sub-Four Capital, Cybersecurity, Privacy & Data Protection Audit, Risk & Regulatory Compliance, November 3, 2021.
  • Speaker, “You’ve Experienced a Ransomware Attack – Now What?,” Celesq AttorneysEd Center, October 26, 2021.
  • Speaker, “Anatomy of a Ransomware Attack,” Lewis Brisbois Data Privacy & Cybersecurity Webinar Series, April 29, 2021
  • Speaker, “The Data Breach Duty,” Lawyers Mutual, March 24, 2021
  • Speaker, “The Price of Privacy,” OC Legal Tech Conference, June 6, 2020
  • Speaker, Panel, IG3 West eDiscovery and Information Governance Conference, December 12, 2019
  • Speaker, “Privacy Piracy” Radio Show, August 19, 2019
  • Speaker, Panel, IG3 Mid-Atlantic Conference, June 26, 2019
  • Presenter, OC Legal Tech Conference, May 4, 2019
  • Speaker, IP Law Careers, Thomas Jefferson School of Law, February 9, 2019
  • Speaker, Lawyer’s Role in Data Privacy, Thomas Jefferson School of Law, September 7, 2018
  • Presenter, Course on the California Consumer Privacy Act, August 17, 2018
  • Presenter, Course on Deposition Preparation, June 20, 2018


Emory University School of Law

Juris Doctor, with honors, 2006

  • ABA/BNA Award for Excellence in the Study of Intellectual Property
  • National Moot Court Team

University of California, Los Angeles

Bachelor of Science, 2001

Representative Matters

  • Ransomware: Regularly lead an organization’s incident response after a ransomware attack. This includes overseeing forensic investigations and ransomware negotiations, as well as crafting messaging to preserve customer relationships and complying with applicable legal, contractual, and regulatory obligations.
  • Network Intrusion: Regularly lead public and private companies in response to various network interruption incidents, which includes helping clients minimize the incident’s impact on operations and complying with applicable statutory, contractual, and regulatory obligations.
  • PCI Incident: Experience representing retailers respond to attacks on their card-present and e-commerce payment systems. Worked with retailers and third parties through the incident response process, including: determining the source and scope of the attack, devising a plan to remediate the incident and avoid a future attack, complying with any resulting notice obligations, addressing card network fines and assessments, and minimizing likelihood and impact of litigation.


  • Utilizing knowledge as a Certified Information Privacy Professional (CIPP/US), Certified Privacy Information Technologist (CIPT), and frequent author and speaker on a wide array of privacy issues, assisted numerous companies develop, implement, and maintain privacy programs that comply with applicable data protection laws, including the California Consumer Protection Act (CCPA).
  • Provided counsel to nationally recognized tele-communication company on structuring of third-party vendor agreements to minimize impact of CCPA on business operations.
  • Advised leading student data and research organization on CCPA requirements and corresponding obligations in connection with organization’s corporate restructuring.


  • Defended a prominent physician against $20 million fraud and perjury claims that threatened to bankrupt him. On second day of trial, resolved matter for less than half of plaintiff’s prior settlement demand.
  • On the eve of trial, secured walk-away for an Orange County commercial broker and his company against competitor’s defamation and unfair competition claims.
  • Turned demand letter from organization threatening to rescind client’s contract into that organization paying client a five-figure sum without having to file suit.
  • Obtained injunctive relief on behalf of the Gulf Cooperation Council preventing the Internet Corporation of Assigned Names and Numbers (ICANN) from issuing the PERSIANGULF generic top-level domain name.
  • Archived complete defense of $10 million breach of contract claim against video game developer after two-week trial.


  • Certified Information Privacy Professional, United States (CIPP/US)
  • Certified Information Privacy Technologist (CIPT)


  • Co-author, Cyber Capsule.
  • Co-host, Unauthorized Access Podcast.
  • Co-author, “Did You Suffer a Data Breach and What Are Your Notice Obligations?,” Daily Journal, March 10, 2023.
  • Co-author, “The Safeguards Rule: Protecting Information at Financial Institutions,” Thomson Reuters Westlaw, January 25, 2023.
  • Co-author, “January 2023 Tech Tip - How to Know if You Should Consult a Breach Coach,” Orange County Bar Association, January 10, 2023.
  • Co-author, “A Little Breathing Room — California Privacy Agency Modifies Proposed Regulations,” Reuters, December 8, 2022.
  • Co-author, “Forensic Artifacts Play Legal Role in Cyber Incident Response,” Law360, December 2, 2022.
  • Co-author, “Cybersecurity Awareness Month - October 2022,” DBA Digest, October 7, 2022.
  • Co-author, “Four Strategies for Drafting Effective Consumer Breach Notices,” Law360, September 30, 2022.
  • Co-author, “The Do’s and Don’ts of Cybersecurity Forensic Investigations,” Law360, August 26, 2022.
  • Co-author, “California ADCA Bill Aims to Increase Children’s Data Privacy,” Security Magazine, August 24, 2022.
  • Podcast, “Successfully Responding and Reacting to Cyber Incidents,” Cyber Security & Insurance Leaders, June 9, 2022.
  • Co-author, “CPRA Series: Part Four – Data Processing Obligation,” Daily Journal, May 23, 2022.
  • Co-author, “CPRA Series: Part Two – Consumer Rights,” Daily Journal, April 20, 2022.
  • Co-author, “Understanding the ULC’s Model Privacy Law,” Bloomberg Law, April 2022.
  • Co-author, “CPRA Series: Part One – Introduction and Overview,” Daily Journal, April 11, 2022.
  • Co-author, “How Much Is Too Much to Protect Your Children Against Sexual Predators?,” Daily Journal, September 2, 2021.
  • Co-Author, “Legal Notification – One Size Does Not Fit All,” Digital Insights, May 21, 2021
  • Co-Author, “Expect he Best, but Prepare for the Worst: 5 Practical Steps to Take Before a Ransomware Attack,” Digital Insights, April 22, 2021
  • Co-Author, “You’ve Experienced A Ransomware Attack – Now What,” Digital Insights, March 11, 2021
  • Author, “BIPA: How A Privacy Law is Helping Shape Security Standards,” Daily Journal, August 14, 2020
  • Author, “WPA is latest piece of the privacy legislation puzzle,” Daily Journal, February 6, 2020
  • Author, “Recent Deanonymization Study Creates Further Uncertainty on CCPA Compliance,” JD Supra.com, July 26, 2019
  • Author, “Oakland Becomes Latest City to Preemptively Ban Facial Recognition Software,” JD Supra.com, July 19, 2019
  • Author, “Hey Alexa, Are You Capturing My Biometric Information Without My Consent?,” JD Supra.com, July 10, 2019
  • Author, “The New York Privacy Act: If I Can Make It Here…,” JD Supra.com, June 26, 2019
  • Author, “4 Rights and 2 Wrongs with Maine’s New Internet Privacy Law,” JD Supra.com, June 18, 2019
  • Author, “Three Shortcomings of Nevada’s Newly Amended Privacy Law,” JD Supra.com, June 11, 2019
  • Author, “How a 2008 Illinois Statute Is Shaping US Privacy Law,” JD Supra.com, June 4, 2019
  • Author, “3 Takeaways from San Francisco’s Facial Recognition Software Ban,” May 28, 2019

Media Commentary