Andreas T. Kaltsounis

He | Him | His

Partner

Seattle
T +1.206.566.7080
F +1.206.624.7317

Overview

Andreas Kaltsounis focuses on helping clients anticipate, manage and respond to complex privacy and security issues in connected, data-driven organizations. Recognized as a BTI Client Service All-Star, his clients appreciate his practical advice and ability to anticipate issues, thanks to his nearly 25 years of legal and technical experience as an attorney, an information security and privacy professional, a leader at an international information security consultancy and a federal agent investigating criminal, regulatory and national security cyber matters.

As a strategic advisor, Andreas helps clients anticipate, understand and comply with the rapidly evolving patchwork of global privacy and data protection laws, including U.S. privacy laws, the European Union’s General Data Protection Regulation and other international data protection laws. Focused on more than merely checking regulatory boxes, he works with his clients to identify and operationalize practical solutions that address risk while supporting an organization's growth.

Reactively, Andreas has advised clients through hundreds of data breach and privacy-related investigations, including in some of the largest publicly reported breaches. His investigative experience and deep technical background make him a go-to advisor for incidents involving widespread network intrusions, technically complex issues and potential insider threats. In the wake of these incidents, he has successfully defended clients in regulatory inquiries by the FTC, global supervisory authorities and multistate attorneys general, and he partners with BakerHostetler’s award-winning litigation team to defend against consumer class actions and shareholder actions.

Andreas speaks frequently to industry groups and boards of directors on privacy, data protection and incident response, and combines his extensive on-the-ground experience with leading industry credentials in privacy law (CIPP/US/Europe),* information security (CISSP), critical controls auditing and implementation (GCCC), penetration testing (GPEN) and computer forensics (EnCE and SCERS). He is also a member of the Sedona Conference’s Working Group 11 on Data Security and Privacy.

Andreas co-leads the firm’s national Digital Risk Advisory and Cybersecurity team, is a member of the firm's Privacy Governance and Technology Transactions team and serves as the Seattle Digital Assets and Data Management Leader.

*The Washington Supreme Court does not recognize certifications and certifications are not a requirement to practice law in the state of Washington.


Experience

Privacy and Security Advisory
  • Develop and implement strategies, programs and policies and procedures to comply with domestic U.S. and international data protection regulations, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), New York SHIELD Act and EU General Data Protection Regulation.
  • Advise on international data transfer restrictions and localization requirements, including cross-border transfer mechanisms, transfer impact assessments and analysis of government access to data under U.S. criminal and national security laws. Counsel both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
  • Advise on compliance with information security and cybersecurity requirements under domestic and international law, including the EU’s General Data Protection Regulation, U.S. state security requirements and sectoral requirements such as the New York Department of Financial Services Cybersecurity Requirements and U.S. critical infrastructure security directives.
Incident Response
  • Advise clients on all phases of data breach preparation and response under U.S. and international law, including incident preparation and testing, employee education, incident investigation, analysis of notice obligations and regulatory defense.
  • Advise on response requirements under U.S. sectoral laws including HIPAA, GLBA, critical infrastructure security directives, the New York Department of Financial Services Cybersecurity Requirements and similar state laws.
  • Coordinate international breach response efforts, including evaluating scope and notice obligations under the EU GDPR, Canada's PIPEDA and other emerging global data protection regulations.
  • Led the response to a major ransomware attack at a global, publicly traded company, including incident investigation, crisis communications, analysis and coordination of notice obligations under more than two dozen global data protection regulations, and coordination with law enforcement and other government agencies.
  • Managed the forensic investigation of a data breach involving the theft of more than one billion customer records from a technology company by actors affiliated with a nation state. Provided daily briefings and security advisory services to the victim organization’s CEO, Chief Information Security Officer (CISO) and other executives; prepared reports; and coordinated with counsel and public relations on breach notifications and regulatory inquiries.
  • Led the response to a major payment card industry (PCI) breach at a large international retailer, including oversight of two forensic investigations, crisis communications, analysis and coordination of international notice obligations and response to regulatory inquiries. Successfully appealed proposed card brand penalties, resulting in a reduced penalty, and achieved withdrawal of a state AG’s proposed enforcement action.
Fraud, Identity Theft and Internal Investigations
  • Served on a federal identity-theft working group at the U.S. Attorney’s Office for the Western District of Washington and developed priority cases involving organized criminal groups. Led two complex, multijurisdictional investigations that resulted in the convictions of nine defendants who conspired to commit significant and repeated aggravated identity thefts and bank fraud through the use of malicious insiders at victim businesses and counterfeit identification documents. (United States v. Charles Griffen et al. and United States v. Scott Putnam)
  • Served as a member of the Financial Investigations Review Team at the U.S. Attorney’s Office for the Western District of Washington, responsible for reviewing and investigating Suspicious Activity Reports filed under the Bank Secrecy Act for potential money-laundering violations.
  • Managed an investigation and digital forensics involving the theft of intellectual property by a former developer at a technology firm, resulting in referral to the FBI and the employee’s arrest on federal charges.
  • Conducted an internal investigation, on behalf of a credit union’s board of directors, into allegations that the credit union’s president improperly accessed and manipulated data in the credit union’s financial systems. Briefed the board and credit union’s regulator on the results of the investigation and a high-level assessment of the credit union’s security controls.
  • Managed an investigation into insider trading by a company’s IT staff, who traded on non-public information obtained through their privileged access to information on the company’s network.

Recognitions and Memberships

Recognitions

  • BTI Client Service All-Star (2022)
  • International Association of Privacy Professionals (IAPP)
    • Certified Information Privacy Professional (CIPP/US/Europe)*
  • International Information System Security Certification Consortium (ISC2)
    • Certified Information Systems Security Professional (CISSP) (valid through September 2020)
  • Global Information Assurance Certification (GIAC)
    • Certified Penetration Tester (GPEN) (valid through 2024)
    • Critical Controls Certification (GCCC) (valid through 2024)
    • Information Security Professional (GISP) (valid through June 2018)
  • Guidance Software
    • EnCase Certified Examiner (EnCE) (2006 to 2010)
  • U.S. Department of Homeland Security, Federal Law Enforcement Training Center
    • Certified as a Seized Computer Evidence Recovery Specialist (SCERS)
  • U.S. Department of Justice
    • Certificate of Appreciation for Investigative Efforts (2008, 2015)
  • U.S. Federal Bureau of Investigation: Recognition in Priority Investigation (2008)
  • King County Sheriff’s Office, Seattle, Washington
    • Detective of the Year, department-wide (2005)
    • Detective of the Year, north precinct (2007)
  • City of Sammamish: Officer of the Year (2004)
  • Washington State Police Academy
    • Highest Academic Achievement (1999)
    • Highest Overall Achievement (1999)

*The Supreme Court of Washington does not recognize certification of specialties and the certificate is not required to practice law in the state of Washington.

Memberships

  • Washington State Bar Association
  • SANS Institute: Advisory Board Member
  • High Technology Crime Investigation Association, Washington Chapter
  • International Association of Privacy Professionals

Community

  • American Radio Relay League

Pro Bono

  • Consulted as a member of the plaintiff’s team in a pro bono “cyber civil rights” project that assists victims of “revenge porn.” Testified at jury trial as the plaintiff’s expert witness on internet traffic, Tor anonymization, and internet communication tracing to establish that the defendant was responsible for anonymized internet traffic targeting the plaintiff. The plaintiff was awarded an $8 million verdict.

Prior Positions

  • Stroz Friedberg, LLC, an Aon Company
    • Managing Director (2017)
    • Vice President (2015 to 2017)
  • United States Department of Defense, Office of the Inspector General, Defense Criminal Investigative Service
    • National Cyber Field Office and Seattle FBI Cyber Task Force: Special Agent (2012 to 2015)
    • Seattle Resident Agency: Special Agent (2008 to 2012)
  • King County Sheriff’s Office, Seattle, Washington
    • Detective (2004 to 2008)
    • Deputy Sheriff (1999 to 2004)
  • United States Attorney’s Office, Western District of Washington: Law Clerk (1997)

Admissions

  • U.S. District Court, Western District of Washington
  • U.S. Bankruptcy Court, Western District of Washington
  • Washington

Education

  • M.P.M., Georgetown University McCourt School of Public Policy, 2014; Capstone Project Faculty Award
  • J.D., University of Washington School of Law, 1999
  • B.A., University of Washington, 1996

Blog

Data Counsel
2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents
By Teresa Goody Guillén, Andreas T. Kaltsounis
May 17, 2022
Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage...
Data Counsel
International Data Protection Update
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
March 14, 2022
This Update highlights some of the international data protection issues that caught our attention and the attention of our clients over the winter, including updates on European data transfers and cookie compliance, regulatory enforcement...
Data Counsel
Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement
By Shruti Bhutani Arora, Adam I. Cohen, Andreas T. Kaltsounis, Jeewon K. Serrato
December 14, 2021
As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance...
Data Counsel
Are More European Standard Contractual Clauses Coming?
By Andreas T. Kaltsounis, Nichole L. Sterling
November 22, 2021
On November 18, 2021, the European Data Protection Board (EDPB) adopted its new draft guidance on the interplay between Article 3 of the European Union’s General Data Protection Regulation (GDPR) and Chapter V of the same law. This new...
Data Counsel
International Data Protection Update – Summer 2021
By Andreas T. Kaltsounis, Melinda L. McLellan, Nichole L. Sterling
September 21, 2021
This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This...