Serrin Turner represents clients in their highest-stakes cybersecurity and privacy-related matters.

A former federal prosecutor, Serrin is an experienced trial and appellate lawyer who advises clients on a wide range of cybersecurity and privacy-related matters, including:

  • Class action litigation
  • Regulatory investigations
  • Commercial disputes
  • Incident response

Serrin has twice been named by Law360 as a Cybersecurity & Privacy MVP (in 2022 and 2024). He has repeatedly been recognized by Cybersecurity Docket as one of the top data breach response lawyers in the industry and is Chambers-ranked in both Cybersecurity and Privacy & Data Security Litigation.

Serrin joined Latham following six years as an Assistant US Attorney for the Southern District of New York, where he served as the Office’s lead cybercrime prosecutor. In that role, Serrin handled numerous cutting-edge cybercrime investigations and prosecutions, including matters involving computer hacking, data breaches, trade-secret theft, black-market websites, trafficking in stolen payment card and personal identity information, and money laundering through digital currencies. Serrin also handled high-profile litigation involving US electronic surveillance statutes, including Amnesty International v. Clapper, a constitutional challenge to a key foreign-intelligence surveillance statute, as well as In re Microsoft Search Warrant, a challenge brought by a leading email provider to a search warrant for data stored overseas.

Prior to his service at the US Attorney’s Office, Serrin served in the Civil Division of the US Department of Justice. He is a two-time recipient of the Attorney General’s Award for Distinguished Service, the Justice Department’s second-highest award, and he has also received the John Marshall Award for Trial of Litigation, the Justice Department's highest award for trial litigators.

Serrin's experience includes representing:

Litigation

  • SolarWinds in a closely watched enforcement action brought by the SEC. Obtained a landmark decision largely dismissing the SEC’s case and rejecting legal theories key to the SEC’s cybersecurity enforcement agenda.
  • Meta (formerly Facebook) in consolidated consumer class action arising out of a criminal attack on Facebook’s web platform affecting approximately 29 million users globally. Defeated class certification of plaintiffs’ damages claims and successfully negotiated no-damages settlement.
  • Temu in multiple class actions relating to data privacy practices. Successfully moved to compel arbitration and defeated challenges to Temu’s Terms of Service.
  • Zynga, a leading gaming developer, in putative class action litigation related to a data breach allegedly affecting over 200 million users. Won dismissal of all claims with prejudice.
  • Accellion, a leading developer of secure file-transfer software, in consumer class action litigation and B2B litigation over indemnification stemming from attacks exploiting a vulnerability in a legacy Accellion offering. Obtained dismissal of nearly all claims, including all statutory damages claims.
  • Meta in class action litigation alleging wiretapping violations related to alleged tracking of user browsing activity in Meta’s in-app web browser. Won dismissal of entire case at the pleading stage.
  • Gen Digital in class action litigation alleging wiretapping violations related to the alleged collection of user browsing data through a browser extension. Won dismissal of all statutory damages claims and subsequently obtained voluntary dismissal of all remaining claims.

Government Investigations

  • A leading social media company in multiple privacy-related investigations brought by the FTC, state attorneys general, and data protection authorities in the EU and Asia
  • A leading online shopping app in privacy-related investigations by multiple state attorneys general
  • A leading entertainment company in data security investigations by multiple state attorneys general
  • A data analytics provider in an FTC investigation into collection of mobile device user information
  • A leading live-entertainment company in a criminal investigation into alleged computer hacking of competitor website by company employees

Incident Response

Serrin has advised a broad range of clients — including public companies with global operations and emerging companies at early stages of development — on navigating various types of data security incidents, including:

  • Ransomware or cyber-extortion attacks
  • Business email compromise (BEC) incidents
  • Malicious insider activity
  • Theft of trade secrets or confidential information
  • Intrusions by state-sponsored advanced persistent threat (APT) actors
  • Supply-chain attacks on vendors
  • Exploitation of zero-day software vulnerabilities
  • Reports from bug-bounty or "white hat" security researchers

Serrin’s incident response practice includes:  

  • Leading forensic investigations into the facts 
  • Developing notification and communications strategy
  • Liaising with law enforcement
  • Managing responses to regulator and customer inquiries
  • Coordinating with insurance brokers and carriers
  • Preparing companies for potential litigation and sustained regulatory investigations

Bar Qualification

  • Massachusetts
  • New York

Education

  • JD, Harvard Law School, 2000
    magna cum laude
  • BA, Amherst College, 1995
    summa cum laude, Phi Beta Kappa
November 4, 2024 Recognition

MVP: Serrin Turner

Partner Serrin Turner earned Cybersecurity and Privacy MVP recognition from Law360 for representing clients on data security and privacy matters, including data privacy class-action litigation and regulatory inquiries into data security and privacy incidents.