Andreas T. Kaltsounis

Partner

Seattle
T +1.206.566.7080
F +1.206.624.7317

Overview

Andreas Kaltsounis focuses on helping clients anticipate, manage, and respond to complex privacy and security issues in connected, data-driven organizations. He brings a unique perspective to his work with clients, developed from his experience as an attorney, a certified information-security professional, a leader at an international information-security consultancy, and a federal agent investigating criminal, regulatory, and national-security cyber matters. Able to operate from the trenches to the board room, Andreas advises key stakeholders across an organization, from its individual legal, security, and compliance teams, to its executives, officers, and directors.

As a strategic advisor, Andreas helps clients anticipate, understand, and comply with current and emerging global data protection obligations, including advising clients and colleagues on the nuances of international breach notification obligations. Focused on more than merely checking regulatory boxes, he works with his clients to find and address their real legal, business, and reputational risks.

Reactively, Andreas has led more than 100 data breach and privacy-related investigations, including in some of the largest publicly reported breaches. His investigative experience and deep technical background make him a go-to advisor for incidents involving widespread network intrusions, technically complex issues, and potential insider threats. In the wake of these incidents he has successfully defended clients in regulatory inquiries by the FTC, global supervisory authorities, and multi-state attorneys general, and he partners with BakerHostetler’s award-winning litigation team to defend against consumer class actions and shareholder actions.

Andreas speaks frequently to industry groups and boards of directors on privacy, data protection, and incident response, and combines his extensive on-the-ground experience with leading industry credentials in privacy law (CIPP/US),* information security (CISSP), critical controls auditing and implementation (GCCC), penetration testing (GPEN), and computer forensics (EnCE and SCERS). He is also a member of the Sedona Conference’s Working Group 11 on Data Security and Privacy.

Andreas co-leads the firm’s national Digital Risk Advisory and Cybersecurity Team and serves as the Seattle Digital Assets and Data Management Leader.

*The Washington Supreme Court does not recognize certifications and certifications are not a requirement to practice law in the state of Washington.

Experience

Advisory and Assessment Services
  • Develop and implement strategies to comply with domestic U.S. and international data protection regulations, including the California Consumer Privacy Act, New York SHIELD Act, and EU General Data Protection Regulation. Advise on transfer mechanisms, consent mechanisms, implementing “reasonable security,” breach response programs, breach preparedness, and employee training.
  • Advise on compliance with international data transfer restrictions and data localization requirements, including cross-border transfer mechanisms such as standard contractual clauses, intercompany agreements, and binding corporate rules. Counsel both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
  • Advise on response to domestic and cross-border law enforcement and government agency data requests.
Incident Response
  • Advise companies on all phases of data breach preparation and response under U.S. and international law, including incident preparation and testing, employee education, incident investigation, analysis of notice obligations, and regulatory defense.
  • Address responses under U.S. sectoral laws including HIPAA, GLBA, the New York Department of Financial Services Cybersecurity Requirements and similar state laws.
  • Coordinate international breach response efforts, including evaluating scope and notice obligations under the EU GDPR, Canadian PIPEDA, and emerging data protection regulations in the APAC region and South America.
  • Managed the forensic investigation of a data breach involving the theft of more than 1 billion customer records from a technology company by actors affiliated with a nation state. Provided daily briefings and security advisory services to the victim organization’s CEO, Chief Information Security Officer (CISO) and other executives; prepared reports; and coordinated with counsel and public relations on breach notifications and regulatory inquiries.
  • Led the investigation of a major payment card industry (PCI) network breach at a large national retailer. The breach affected millions of customer card numbers during a multimonth intrusion. Coordinated investigative activities with, and provided oversight of, an external PCI Forensic Investigator (PFI), resulting in the correction of several inaccurate and overly broad findings the PFI proposed. Provided ongoing CISO advisory and remediation services to the organization following the intrusion incident.
  • Led the investigation into a network intrusion at a healthcare facility by a disgruntled former employee who accessed systems without authorization and destroyed data. Coordinated the recovery of deleted data and completed a risk assessment pursuant to the Health and Human Services (HHS) Breach Notification Rule.
  • Managed a code review and advised on investigative efforts related to the unauthorized decryption and theft of intellectual property from a software developer.
  • Directed a significant PCI network breach investigation involving a Fortune 500 retailer, including coordination with and monitoring of an external PFI.
  • Led the investigation into a breach of personally identifiable information involving millions of customer records at a Fortune 500 company.
  • Directed an incident response involving brute-force and web-application attacks that compromised customer accounts at a Fortune 1000 transportation company.
Fraud, Identity Theft and Internal Investigations
  • Served on a federal identity-theft working group at the U.S. Attorney’s Office for the Western District of Washington and developed priority cases involving organized criminal groups. Led two complex, multijurisdictional investigations that resulted in the convictions of nine defendants who conspired to commit significant and repeated aggravated identity thefts and bank fraud through the use of malicious insiders at victim businesses and counterfeit identification documents. (United States v. Charles Griffen et al. and United States v. Scott Putnam)
  • Served as a member of the Financial Investigations Review Team at the U.S. Attorney’s Office for the Western District of Washington, responsible for reviewing and investigating Suspicious Activity Reports filed under the Bank Secrecy Act for potential money-laundering violations.
  • Managed an investigation and digital forensics involving the theft of intellectual property by a former developer at a technology firm, resulting in referral to the FBI and the employee's arrest on federal charges.
  • Conducted an internal investigation, on behalf of a credit union’s board of directors, into allegations that the credit union’s president improperly accessed and manipulated data in the credit union’s financial systems. Briefed the board and credit union’s regulator on the results of the investigation and a high-level assessment of the credit union’s security controls.
  • Managed an investigation into a significant embezzlement by an employee of a Fortune 500 company, including controlled purchases of stolen equipment sold on the Internet. Coordinated referral to law enforcement resulting in employee’s arrest and conviction.

Recognitions and Memberships

Recognitions

  • International Association of Privacy Professionals (IAPP)
    • Certified Information Privacy Professional (CIPP/US)*
  • International Information System Security Certification Consortium (ISC2)
    • Certified Information Systems Security Professional (CISSP) (valid through September 2020)
  • Global Information Assurance Certification (GIAC)
    • Certified Penetration Tester (GPEN) (valid through 2021)
    • Critical Controls Certification (GCCC) (valid through February 2020)
    • Information Security Professional (GISP) (valid through June 2018)
  • Guidance Software
    • EnCase Certified Examiner (EnCE) (2006 to 2010)
  • U.S. Department of Homeland Security, Federal Law Enforcement Training Center
    • Certified as a Seized Computer Evidence Recovery Specialist (SCERS)
  • U.S. Department of Justice
    • Certificate of Appreciation for Investigative Efforts (2008, 2015)
  • U.S. Federal Bureau of Investigation: Recognition in Priority Investigation (2008)
  • King County Sheriff’s Office, Seattle, Washington
    • Detective of the Year, department-wide (2005)
    • Detective of the Year, north precinct (2007)
  • City of Sammamish: Officer of the Year (2004)
  • Washington State Police Academy
    • Highest Academic Achievement (1999)
    • Highest Overall Achievement (1999)

*The Supreme Court of Washington does not recognize certification of specialties and the certificate is not required to practice law in the state of Washington.

Memberships

  • Washington State Bar Association
  • SANS Institute: Advisory Board Member
  • High Technology Crime Investigation Association, Washington Chapter
  • International Association of Privacy Professionals

Community

  • American Radio Relay League

Pro Bono

  • Consulted as a member of the plaintiff’s team in a pro bono “cyber civil rights” project that assists victims of “revenge porn.” Testified at jury trial as the plaintiff’s expert witness on internet traffic, Tor anonymization, and internet communication tracing to establish that the defendant was responsible for anonymized internet traffic targeting the plaintiff. The plaintiff was awarded an $8 million verdict.

Prior Positions

  • Stroz Friedberg, LLC, an Aon Company
    • Managing Director (2017)
    • Vice President (2015 to 2017)
  • United States Department of Defense, Office of the Inspector General, Defense Criminal Investigative Service
    • National Cyber Field Office and Seattle FBI Cyber Task Force: Special Agent (2012 to 2015)
    • Seattle Resident Agency: Special Agent (2008 to 2012)
  • King County Sheriff’s Office, Seattle, Washington
    • Detective (2004 to 2008)
    • Deputy Sheriff (1999 to 2004)
  • United States Attorney’s Office, Western District of Washington: Law Clerk (1997)

Admissions

  • U.S. District Court, Western District of Washington
  • U.S. Bankruptcy Court, Western District of Washington
  • Washington

Education

  • M.P.M., Georgetown University McCourt School of Public Policy, 2014; Capstone Project Faculty Award
  • J.D., University of Washington School of Law, 1999
  • B.A., University of Washington, 1996

Blog

Data Counsel
California AG Begins CCPA Enforcement
By Stanton P. Burke, Andreas T. Kaltsounis, Jeewon K. Serrato
July 16, 2020
Last week, the International Association of Privacy Professionals hosted a keynote session with Stacey Schesser, supervising deputy attorney general (AG) of the California Department of Justice, to discuss the July 1 start of the AG’s...
Data Counsel
5 Key Things to Know about the Landmark Schrems II Decision
By Andreas T. Kaltsounis, Melinda L. McLellan, Jeewon K. Serrato, Nichole L. Sterling
July 16, 2020
Quick Links CJEU Press Release CJEU Decision Press Releases from the Parties Irish Data Protection Commission Max Schrems U.S. Department of Commerce Electronic Privacy Information Center (EPIC) BSA The Software Alliance DIGITALEUROPE 1...
Data Counsel
Belgian Authority Raises Red Flag for DPOs with Multiple Roles
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
May 29, 2020
Following its investigation of a personal data breach, the Belgian Data Protection Authority (DPA) issued a ruling on April 28, 2020, imposing a €50,000 fine on an organization for negligence in having appointed the company’s head of...
Data Counsel
COVID-19 Cybersecurity Exposure
By Andreas T. Kaltsounis
March 18, 2020
Risk scenarios and recommendations History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting...
Data Counsel
Key takeaways for app development and data protection by design from recent enforcement action
By Andreas T. Kaltsounis
February 25, 2020
The Norwegian Data Protection Authority (DPA) recently announced a €200,000 fine against Oslo’s municipal education agency for several security flaws associated with an app the agency developed for communications between school employees...