Careers

Diversity

With 18 offices, from New York to Los Angeles and Seattle to Orlando, we live and work in communities all over the U.S., collaborating across locations, disciplines and even borders. Our experienced, highly ranked lawyers serve businesses wherever they are and wherever they want to go.

Offices

About Us

Pages

Professionals

Thought leadership: blogs, podcasts, videos, publications, events and news

Insights

Services

Pro Bono

Am Law 100 firm with practices in Business, Digital Assets and Data Management, Intellectual Property, Labor & Employment, Litigation and Tax.

Home | BakerHostetler

BakerHostetler Florida Attorneys Selected as Super Lawyers, Rising Stars

BakerHostetler Alumni Newsletter – Summer 2025

Justice Department’s New Policy on Prosecutions to Focus on Bad Actors, Not the Digital Asset Industry (The Journal of Robotics, Artificial Intelligence & Law)

Rev Up!

Rev Up! What to Know BEFORE You Use that AI Tool

Andreas works with clients in three keys areas. First, as a strategic advisor, he helps clients anticipate, understand and comply with the rapidly evolving patchwork of global privacy, cybersecurity and data protection laws. He provides comprehensive advice on the California Consumer Privacy Act and other general state privacy laws, consumer health data laws such as the Washington My Health My Data Act, state and federal cybersecurity laws (including how to achieve “reasonable security”) and global data protection laws such as the EU’s GDPR. Focused on more than merely checking regulatory boxes, Andreas works with his clients to identify and operationalize practical solutions to comply with these laws that address risk while supporting an organization's growth.

Second, drawing on his technical and law enforcement background and experience advising clients through some of the largest publicly reported data breaches and privacy incidents, Andreas is a go-to advisor on complex security and privacy incidents, such as those involving widespread network intrusions and technically complex issues.

Third, Andreas defends clients in privacy and cybersecurity regulatory inquiries brought by the FTC, global supervisory authorities and state attorneys general and privacy regulators, including the California Privacy Protection Agency. Andreas also partners with BakerHostetler’s award-winning litigation team to defend against consumer class actions and shareholder actions.

Andreas speaks frequently to industry groups and boards of directors on privacy, data protection and incident response, and combines his extensive on-the-ground experience with leading industry credentials in privacy (FIP, CIPP/US/E, CIPM), information security (CISSP), critical controls auditing and implementation (GCCC), penetration testing (GPEN) and computer forensics (EnCE and SCERS).

Andreas co-leads BakerHostetler’s national Digital Risk Advisory and Cybersecurity team, is a member of the Privacy Governance and Technology Transactions team and serves as the Seattle office's Digital Assets and Data Management Leader.

core/freeform

M.P.M., Georgetown University McCourt School of Public Policy, 2014, 

J.D., University of Washington School of Law, 1999

B.A., University of Washington, 1996

<ul>
<li>Chambers USA: Privacy and Data Security: Cybersecurity, Nationwide
<ul>
<li>Band 5 (2024 to 2025)</li>
</ul>
</li>
<li>Chambers Global: Privacy and Data Security: Cybersecurity
<ul>
<li>Band 5 (2025)</li>
</ul>
</li>
<li>The Legal 500 United States
<ul>
<li>Media, Technology and Telecoms: Cyber Law (including data privacy and data protection) (2023 to 2024)</li>
</ul>
</li>
<li>BTI Client Service All-Star (2022)</li>
<li>International Association of Privacy Professionals (IAPP)
<ul>
<li>Certified Information Privacy Manager (CIPM)</li>
<li>Certified Information Privacy Professional (CIPP/US/Europe)</li>
<li>Fellow of Information Privacy (FIP)</li>
</ul>
</li>
<li>International Information System Security Certification Consortium (ISC2)
<ul>
<li>Certified Information Systems Security Professional (CISSP) (valid through September 2020)</li>
</ul>
</li>
<li>Global Information Assurance Certification (GIAC)
<ul>
<li>Certified Penetration Tester (GPEN) (valid through 2024)</li>
<li>Critical Controls Certification (GCCC) (valid through 2024)</li>
<li>Information Security Professional (GISP) (valid through June 2018)</li>
</ul>
</li>
<li>Guidance Software
<ul>
<li>EnCase Certified Examiner (EnCE) (2006 to 2010)</li>
</ul>
</li>
<li>U.S. Department of Homeland Security, Federal Law Enforcement Training Center
<ul>
<li>Certified as a Seized Computer Evidence Recovery Specialist (SCERS)</li>
</ul>
</li>
<li>U.S. Department of Justice
<ul>
<li>Certificate of Appreciation for Investigative Efforts (2008, 2015)</li>
</ul>
</li>
<li>U.S. Federal Bureau of Investigation: Recognition in Priority Investigation (2008)</li>
<li>King County Sheriff’s Office, Seattle, Washington
<ul>
<li>Detective of the Year, department-wide (2005)</li>
<li>Detective of the Year, north precinct (2007)</li>
</ul>
</li>
<li>City of Sammamish: Officer of the Year (2004)</li>
<li>Washington State Police Academy
<ul>
<li>Highest Academic Achievement (1999)</li>
<li>Highest Overall Achievement (1999)</li>
</ul>
</li>
</ul>

Seattle

Data Counsel

Australia’s New Ransomware Payment Reporting Law Takes Effect, Covering Both Critical Infrastructure and Other Entities

Chambers USA Guide 2025 Recognizes 171 BakerHostetler Attorneys and 73 Practice Areas

Webinar: The Privacy Strategist 2025 – Mind the Gap: Avoiding the Privacy Pitfalls of Overlooked Personal Data

BakerHostetler Expands International Recognition with 2025 Rankings from Chambers Global

Andreas Kaltsounis recommends data privacy compliance to avoid penalties after a breach

Andreas Kaltsounis Comments on Dismissal of Some SEC Charges Against SolarWinds

Webinar: The Privacy Strategist: Loper Bright, Chevron Deference and Data Regulation

BakerHostetler attorneys, practice areas stand out in The Legal 500 annual guide

Chambers USA Guide 2024 Recognizes 155 BakerHostetler Attorneys and ­66 Practice Areas

Andreas Kaltsounis Offers Guidance for Companies Affected by the FCC’s New Breach-Reporting Rules

Webinar: The Privacy Strategist – Consumer Health Data

Examining the Likely Impact of Washington’s My Health, My Data Act on Class Action Litigation Involving Biometric Data

Webinar: Artificial Intelligence: Hot Topics and Emerging Issues for Legal Professionals

BakerHosts

Examining the Private Right of Action in Washington’s My Health My Data Act

State laws limiting geolocation tech around health centers pose compliance challenges

The New EU-U.S. Data Privacy Framework in Half a Dozen FAQs

BakerHostetler Attorneys and Practice Areas Recognized in The Legal 500 2023 Guide

New York State Adds Health Care Geofencing Prohibition, Taking a More Measured Approach Than Washington’s Similar Ban

Andreas Kaltsounis Says Federal Agencies Are Becoming More Aggressive in Cybersecurity Oversight

BakerHostetler Seattle Attorneys Discuss Information Security in the Context of U.S. Privacy Law

An Introduction to Washington’s My Health My Data Act

Washington State’s New Shield Law, Part of Washington’s ‘Choice-Defending Agenda,’ Modifies Obligations Related to Other States’ Criminal and Civil Process

My Health My Data: New Proposed Washington Law Aims to Protect Consumer Health Data

Former Uber Chief Security Officer Convicted of Federal Obstruction and  Concealment Crimes in Connection with Extortionate Data Breach

Andreas Kaltsounis and Jeewon Serrato Speak at National Institute on Cybersecurity and Data Risk

Andreas Kaltsounis to Speak at Trial Practice Seminar

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Andreas Kaltsounis Speaks at Incident Response Forum Master Class

International Data Protection Update

Nine BakerHostetler Attorneys Named 2022 BTI Client Service All-Stars

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

Are More European Standard Contractual Clauses Coming?

Webinar:  The EU’s New Standard Contractual Clauses: Key Requirements & Practical Guidance

Colorado’s Privacy Act: A Curve Ball on Consent and Targeted Ads

The Brave New World of Cybersecurity Compliance—Key Takeaways from Recent Government Action on Cybersecurity

BakerHostetler Boosts High Marks in the Legal 500 2018 Annual Guide

Digital Assets and Data Management

IncuBaker – Emerging Technologies

Privacy Governance and Technology Transactions

Digital Risk Advisory and Cybersecurity

Telehealth

Industries

Aerospace and Defense

Interactive Entertainment and Videogames

Privacy and Security Advisory
<ul>
<li>Advise global clients on practical strategies to comply with and implement U.S. and international data protection regulations, including U.S. state privacy laws such as the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR) and U.S. consumer health data laws, such as Washington&#8217;s My Health My Data Act. Defend clients in regulatory investigations related to these laws.</li>
<li>Advise on international data transfer restrictions and localization requirements, including cross-border transfer mechanisms, transfer impact assessments and analysis of government access to data under U.S. criminal and national security laws. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.</li>
<li>Advise on compliance with information security and cybersecurity requirements under domestic and international law, including the EU’s General Data Protection Regulation, U.S. state security requirements and sectoral requirements such as the New York Department of Financial Services Cybersecurity Requirements and U.S. critical infrastructure security directives.</li>
</ul>
Incident Response
<ul>
<li>Advise clients on all phases of data breach preparation and response under U.S. and international law, including incident preparation and testing, employee education, incident investigation, analysis of notice obligations and regulatory defense.</li>
<li>Advise on response requirements under U.S. sectoral laws including HIPAA, GLBA, critical infrastructure security directives, the New York Department of Financial Services Cybersecurity Requirements and similar state laws.</li>
<li>Coordinate international breach response efforts, including evaluating scope and notice obligations under the EU GDPR, Canada&#8217;s PIPEDA and other emerging global data protection regulations.</li>
<li>Led the response to a major ransomware attack at a global, publicly traded company, including incident investigation, crisis communications, analysis and coordination of notice obligations under more than two dozen global data protection regulations, and coordination with law enforcement and other government agencies.</li>
<li>Managed the forensic investigation of a data breach involving the theft of more than one billion customer records from a technology company by actors affiliated with a nation state. Provided daily briefings and security advisory services to the victim organization’s CEO, Chief Information Security Officer (CISO) and other executives; prepared reports; and coordinated with counsel and public relations on breach notifications and regulatory inquiries.</li>
<li>Led the response to a major payment card industry (PCI) breach at a large international retailer, including oversight of two forensic investigations, crisis communications, analysis and coordination of international notice obligations and response to regulatory inquiries. Successfully appealed proposed card brand penalties, resulting in a reduced penalty, and achieved withdrawal of a state AG’s proposed enforcement action.</li>
</ul>
Fraud, Identity Theft and Internal Investigations
<ul>
<li>Served on a federal identity-theft working group at the U.S. Attorney’s Office for the Western District of Washington and developed priority cases involving organized criminal groups. Led two complex, multijurisdictional investigations that resulted in the convictions of nine defendants who conspired to commit significant and repeated aggravated identify thefts and bank fraud through the use of malicious insiders at victim businesses and counterfeit identification documents. (United States v. Charles Griffen et al. and United States v. Scott Putnam)</li>
<li>Served as a member of the Financial Investigations Review Team at the U.S. Attorney’s Office for the Western District of Washington, responsible for reviewing and investigating Suspicious Activity Reports filed under the Bank Secrecy Act for potential money-laundering violations.</li>
<li>Managed an investigation and digital forensics involving the theft of intellectual property by a former developer at a technology firm, resulting in referral to the FBI and the employee’s arrest on federal charges.</li>
<li>Conducted an internal investigation, on behalf of a credit union’s board of directors, into allegations that the credit union’s president improperly accessed and manipulated data in the credit union’s financial systems. Briefed the board and credit union’s regulator on the results of the investigation and a high-level assessment of the credit union’s security controls.</li>
<li>Managed an investigation into insider trading by a company’s IT staff, who traded on non-public information obtained through their privileged access to information on the company’s network.</li>
</ul>

Andreas T. Kaltsounis

Andreas T. Kaltsounis

Experience

Recognitions and Memberships

Insights and News

Prior Positions

Credentials

Community and Pro Bono

Areas of Focus

Industries

Services

Featured Insights