Theodore J. Kobus III

Partner

New York
T 212.271.1504  |  F 212.589.4201

Featured Video

Ted Kobus: Data Security Incidents: Regulatory Investigations
Play Video
BakerHostetler Partner and National Leader of the Privacy and Data Protection practice discusses what questions regulators ask following an incident, what their expectations are, and the future of these investigations.

Ted Kobus focuses his practice in the area of privacy, data security, and intellectual property. He advises clients, trade groups, and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. Ted counsels clients involved in breaches implicating domestic and international laws, as well as other regulations and requirements. Having led more than 750 data breach responses, Ted has respected relationships with regulators involved in privacy concerns as well as deep experience to help clients confront privacy issues during the compliance risk management stages. He is invested in his client relationships and approaches engagements practically and thoughtfully.

Ted is national leader of the firm's Privacy and Data Protection team. He is ranked in Chambers USA: America’s Leading Lawyers for Business and was one of only three attorneys named an MVP by Law360 for Privacy & Consumer Protection in 2013. Ted is a regular contributor to BakerHostetler's Data Privacy Monitor blog and regularly speaks at major industry events regarding data breach response, risk management, and litigation issues affecting privacy, including being the only private attorney to speak at the National Association of Attorneys General on data security issues.

Select Experience

  • Leading breach response, regulatory defense, and class action defense of massive credit card breach on behalf of large, privately held retailer. Guided client through initial investigation of criminal attack on payment processing network, including engagement of forensic team and collaboration with governmental entities to pursue attackers. Led the defense against six putative class actions, a single plaintiff lawsuit, and inquiries from state attorneys general and the Federal Trade Commission, convincing regulator not only to close investigation against client, but to establish client as victim in the breach. Developed strategic plan to defend against lawsuits and actions filed in six different state and federal jurisdictions and negotiated settlement with putative plaintiffs. Continues to defend client against demands by issuing banks alleging losses related to fraudulent charges and card reissuance costs and provides guidance to client regarding obligations held to payment processor under specific regulations.
  • Leads engagement with health system, providing advice on breach analysis, notification obligations, crisis management, investigation of incident, and regulatory compliance following theft of computers containing information of approximately four million patients. Coordinates breach investigation, including forensic team, and leads breach response, crisis management, and notification of all patients and physicians affected. Leads post-breach response as well, involving resolution of patient complaints and regulatory investigations. Assisting and advising client in responses to investigations initiated by governmental agencies. Ted has led the response to nearly half of the 12 largest HIPAA breaches announced to date.
More »

Experience

  • Leading breach response, regulatory defense, and class action defense of massive credit card breach on behalf of large, privately held retailer. Guided client through initial investigation of criminal attack on payment processing network, including engagement of forensic team and collaboration with governmental entities to pursue attackers. Led the defense against six putative class actions, a single plaintiff lawsuit, and inquiries from state attorneys general and the Federal Trade Commission, convincing regulator not only to close investigation against client, but to establish client as victim in the breach. Developed strategic plan to defend against lawsuits and actions filed in six different state and federal jurisdictions and negotiated settlement with putative plaintiffs. Continues to defend client against demands by issuing banks alleging losses related to fraudulent charges and card reissuance costs and provides guidance to client regarding obligations held to payment processor under specific regulations.
  • Leads engagement with health system, providing advice on breach analysis, notification obligations, crisis management, investigation of incident, and regulatory compliance following theft of computers containing information of approximately four million patients. Coordinates breach investigation, including forensic team, and leads breach response, crisis management, and notification of all patients and physicians affected. Leads post-breach response as well, involving resolution of patient complaints and regulatory investigations. Assisting and advising client in responses to investigations initiated by governmental agencies. Ted has led the response to nearly half of the 12 largest HIPAA breaches announced to date.
  • Develops incident response plans and privacy policies, provides proactive incident response training, and counsels on privacy and security issues globally.
  • Has defended more than 50 investigations brought by all Regional Offices the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
  • Defending several Civil Investigative Demands (CIDs) brought by state Attorneys General regarding his client's data security practices and compliance with federal and state laws.
  • Defending clients in statutory damage claims brought regarding the collection, use and sharing of customer information.
  • Representing financial institution following discovery of malicious software on employee workstation computer possibly capturing confidential customer information. Coordinates breach investigation, response strategy, and post-breach response, including resolution of customer complaints and defense of investigation by banking regulators.
  • Leading defense of putative class action seeking damage for technology client's use of cookies on its website. Filed Notice of Removal and motion to transfer venue in state court to preserve client rights if case is ultimately remanded.

Recognitions

  • Chambers Global: Privacy & Data Protection (USA) (2014, 2015)
  • Chambers USA: Nationwide Privacy and Data Security (2013 to 2015)
  • The Best Lawyers in America© (2016)
    • New York: Privacy and Data Security Law
  • Law360: MVP in Privacy & Consumer Protection (2013)
  • Certified Information Privacy Manager

News

Press Releases

Services

Admissions

  • U.S. Court of Appeals, Federal Circuit, 2002
  • U.S. Court of Appeals, Third Circuit, 2002
  • U.S. District Court, District of Colorado, 2009
  • U.S. District Court, Middle District of Pennsylvania, 2004
  • U.S. District Court, Western District of Pennsylvania, 1998
  • U.S. District Court, Eastern District of Pennsylvania, 1995
  • U.S. District Court, District of New Jersey, 1995
  • Pennsylvania, 1994

Education

  • J.D., Widener University School of Law, 1994, cum laude
  • B.S., Purdue University, 1987

Blog

In The Blogs

Previous Next
Data Privacy Monitor
2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents
August 27, 2015
There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should...
Read More ->
Data Privacy Monitor
Federal Trade Commission Joins with Industry Experts to Provide Start-Ups and Developers with Practical Advice at “Start with Security” Conference
August 24, 2015
The FTC has a history of offering practical advice to organizations and consumers to protect against security threats and related concerns, and is continuing this practice with the upcoming – and very first – “Start with Security”...
Read More ->
Data Privacy Monitor
EMV Liability Shift Update – What Liability Actually Shifts?
August 20, 2015
With the October 1, 2015 liability shift deadline looming, merchants who have not yet made the change continue to evaluate the cost of accepting EMV cards versus the liability that will shift from the issuer to the merchant if they do not...
Read More ->
Data Privacy Monitor
Federal Trade Commission Continues Its Enforcement Campaign Against False Safe Harbor Claims
August 20, 2015
Reiterating its commitment to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, the Federal Trade Commission announced on Monday that it has reached settlements with 13 companies alleged to have misled consumers either by...
Read More ->
Data Privacy Monitor
A Deeper Dive: Data Security Incident? Don’t Panic
August 17, 2015
It’s 6 p.m. on a Friday and you get a call from your IT department. They have detected that an intruder has gained access to your company’s network. At this point, the headlines from the major data breaches of recent years may be flashing...
Read More ->