Craig A. Hoffman

Partner

Cincinnati
T 513.929.3491  |  F 513.929.0303

Craig Hoffman is a leading member of the firm's Chambers USA-ranked Privacy and Data Protection team. He provides proactive counsel on the complex regulatory issues that arise from data collection and use, including customer communications, data analytics, emerging payments, cross-border transfers, and security incident response preparedness. He uses his experience as a litigator and his work with hundreds of companies that have faced security incidents to help clients develop a practical approach to meet their business goals in a way that minimizes regulatory risk. For example, Craig conducts incident response workshops—built upon applicable notification laws and guidelines, "good" and "bad" examples from other incidents, and a tabletop exercise—to prepare companies to respond to security incidents quickly, efficiently, and in a manner that complies with applicable law while mitigating risk and preserving customer relationships.

Trusted for his knowledge, experience, and client service, Craig is engaged by clients as soon as they learn of a potential data security incident. He immediately begins to work with their internal team and third parties to identify and contain the incident, remediate issues to maintain business operations, and develop information needed to deliver effective public communications designed to preserve customer relationships and minimize the likelihood and consequences of litigation and regulatory investigations. Craig works to favorably position clients to face the card networks' revalidation, fines, and assessment rules in incidents involving payment card data. Craig also guides clients through informal and formal regulatory investigations brought by state attorneys general and the Federal Trade Commission (FTC). When putative class actions are filed, Craig uses his years of litigation experience and comprehensive knowledge of the incident response to ensure that the litigation strategy is consistent with the client's customer relations and regulatory defense efforts. Craig serves as the editor of BakerHostetler's Data Privacy Monitor blog, providing commentary on developments in data privacy, security, social media, and behavioral advertising.

Experience

Privacy & Data Security Compliance | Information Governance Experience
  • Providing proactive privacy and security advice to emerging companies related to data collection, use, sharing, and marketing, as well as establishing payment systems. Recent transactions include the purchase of a word-of-mouth marketing company.
  • Conducting incident response workshops.
  • Developing and implementing policies, including website and app privacy and terms of use, BYOD, social media, incident response, and information security plans.
  • Preparing for U.S.-EU Safe Harbor certification.
  • Consulting on emerging payment issues, including assessing tokenization and point-to-point encryption technologies, planning for the EMV liability shift, and mobile payments.
  • Providing due diligence and contract drafting to M&A teams, including the acquisition of a social media company and payment processing companies.
Security Incident Response & Litigation Experience
  • Leading the incident response teams of national and international retailers following attacks on their card-present and e-commerce payment systems. Clients include grocers, gaming, eye care, sporting goods, tool and equipment, clothing, cosmetics, restaurants, hospitality, luxury goods, and electronics. Engagements involve:
    • Overseeing the forensic investigation,
    • Interacting with the FBI, Secret Service, and other law enforcement officials,
    • Ensuring a response in compliance with state breach notification laws and contractual notice obligations,
    • Managing significant customer relations issues,
    • Responding to state attorneys general and FTC inquiries,
    • Addressing card network fines and assessments, and
    • Defending multiple putative class actions.
  • Advising technology service providers on issues relating to product security vulnerabilities. Clients include cloud service providers, identity management, data centers, and software companies.
  • Representing financial institutions, banks, and credit unions responding to events of unauthorized access to sensitive customer information. Incidents have included malware infections, network intrusions, denial of service attacks, employee carelessness, and malicious employees. Engagements often involve interaction with financial regulatory authorities.
  • Advising companies on investigations related to theft of trade secrets by departing employees.
  • Filing and arguing appeals of card network fines and assessments against merchants arising from payment card breach incidents.
  • Pursued claims on behalf of a buyer against the seller for breach of representations and warranties when a cyber-attack that exploited long-standing security deficiencies occurred just after the sale.
  • Member of trial team that pursued delay damages against a subcontractor on behalf of a commercial developer and general contractor.
  • Member of trial team that obtained a $163 million settlement of False Claims Act and fraud claims against a pharmacy benefit manager.
CLE/Webinars/Seminars
  • "The Lurking Menace: Cybercrime, Data Security, and Privacy Rights," Money2020 (October 2013)
  • "Examining the Payment Card Industry (PCI) Adjudication Process," Net Diligence CyberWest (October 2013)
  • "Preventing and Responding to Data Security Incidents," State Risk and Insurance Management Association (September 2013)
  • "Preparing for and Mitigating Account Data Compromise Events," Vantiv Partnership Forum (September 2013)
  • "Effective Data Breach Incident Response," Ohio CISO Executive Summit (June 2012)
  • "Network Security and Privacy Law: A Rapidly Developing Liability Landscape," Webinar (March 2012)
  • "Data Security and Cyber Liability Update," LexisNexis Webinar (November 2011)
  • "Are You Ready for a Data Breach?" BakerHostetler CLE (October 2011)

Recognitions

  • Ohio Super Lawyers "Rising Star" (2009 to 2012)
  • Dayton Business Journal's "Forty Under 40" (2008)

Memberships

  • Ohio State Bar Association
  • Cincinnati Bar Association
  • Kentucky Bar Association
  • Cincinnati Academy of Leadership for Lawyers: Member of Class XIV (2010)

Prior Positions

  • Clerk for the U.S. Department of Labor Administrative Law Judge Thomas F. Phalen

Admissions

  • U.S. Court of Appeals, Sixth Circuit
  • U.S. District Court, Southern District of Ohio
  • Kentucky, 2008
  • Ohio, 2002

Education

  • J.D., University of Cincinnati College of Law, 2002
  • B.A., University of Cincinnati, 1999

Blog

In The Blogs

Data Privacy Monitor
2014 Information Governance Year in Review
December 19, 2014
2014 has been perhaps the biggest year Information Governance (“IG”) has seen. A relatively small and, if not unknown, at least undefined field only a few years ago has grown into an area of interest—and concern—to many organizations. The...
Data Privacy Monitor
FTC $19 Million Settlement with Google: Unauthorized In-App Charges Are Not Child’s Play
By Jenna N. Felz
December 18, 2014
The FTC recently approved a final Order resolving allegations that Google unfairly billed customers millions of dollars for unauthorized charges made by children using mobile apps downloaded from the Google Play app store. Under the...
Data Privacy Monitor
What’s on the Horizon in the Golden State?
December 16, 2014
As we near the turn of the year into 2015, organizations should keep an eye on laws taking effect on the West Coast. This year, the crop of new privacy statutes includes a few without precedent anywhere in the country. The focus? Kids and...
Data Privacy Monitor
Malware Incident at Mental Health Nonprofit Leads to $150K Settlement with OCR
December 12, 2014
As cyberattacks targeting the healthcare industry continue to escalate, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published its first-ever resolution agreement stemming from an incident involving...
Data Privacy Monitor
Managing Your Health Information Risks Should Not Begin After a Breach Is Reported
December 4, 2014
Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services. Healthcare is plagued by a high frequency of reported breaches. Although...