Andreas T. Kaltsounis

Partner

Seattle
T +1.206.566.7080
F +1.206.624.7317

Overview

Andreas Kaltsounis focuses on helping clients anticipate, manage, and respond to complex privacy and security issues in connected, data-driven organizations, and co-leads the firm’s national Digital Risk Advisory and Cybersecurity Team. He brings a unique perspective to his work with clients, developed from his experience as an attorney, a certified information-security professional, a leader at an international information-security consultancy, and a federal agent investigating criminal, regulatory, and national-security cyber matters. Able to operate from the trenches to the board room, Andreas advises key stakeholders across an organization, from its individual legal, security, and compliance teams, to its executives, officers, and directors.

As a strategic advisor, Andreas helps clients anticipate, understand and comply with current and emerging global data protection obligations, including advising clients and colleagues on the nuances of international breach notification obligations. Focused on more than merely checking regulatory boxes, he works with his clients to find and address their real legal, business, and reputational risks.

Reactively, Andreas has led more than 100 data breach and privacy-related investigations, including in some of the largest publicly reported breaches. His investigative experience and deep technical background make him a go-to advisor for incidents involving widespread network intrusions, technically complex issues, and potential insider threats. In the wake of these incidents he has successfully defended clients in regulatory inquiries by the FTC, global supervisory authorities, and multi-state attorneys general, and he partners with BakerHostetler’s award-winning litigation team to defend against consumer class actions and shareholder actions.

Andreas speaks frequently to industry groups and boards of directors on privacy, data protection, and incident response, and combines his extensive on-the-ground experience with leading industry credentials in privacy law (CIPP/US),* information security (CISSP), critical controls auditing and implementation (GCCC), penetration testing (GPEN), and computer forensics (EnCE and SCERS). He is also a member of the Sedona Conference’s Working Group 11 on Data Security and Privacy.

*The Washington Supreme Court does not recognize certifications and certifications are not a requirement to practice law in the state of Washington.

Experience

Incident Response
  • Managed the forensic investigation of a data breach involving the theft of more than 1 billion customer records from a technology company by actors affiliated with a nation state. Provided daily briefings and security advisory services to the victim organization’s CEO, Chief Information Security Officer (CISO) and other executives; prepared reports; and coordinated with counsel and public relations on breach notifications and regulatory inquiries.
  • Led the investigation of a major payment card industry (PCI) network breach at a large national retailer. The breach affected millions of customer card numbers during a multimonth intrusion. Coordinated investigative activities with, and oversight of, an external PCI Forensic Investigator (PFI), resulting in the correction of several inaccurate and overly broad findings the PFI proposed. Provided ongoing CISO advisory and remediation services to the organization following the intrusion incident.
  • Led the investigation into a network intrusion at a healthcare facility by a disgruntled former employee who accessed systems without authorization and destroyed data. Coordinated the recovery of deleted data and completed a risk assessment pursuant to the Health and Human Services (HHS) Breach Notification Rule.
  • Managed a code review and advised on investigative efforts related to the unauthorized decryption and theft of intellectual property from a software developer.
  • Directed a significant PCI network breach investigation involving a Fortune 500 retailer, including coordination with and monitoring of an external PFI.
  • Led the investigation into a breach of personally identifiable information involving millions of customer records at a Fortune 500 company.
  • Directed an incident response involving brute-force and web-application attacks that compromised customer accounts at a Fortune 1000 transportation company.
Advisory and Assessment Services
  • Managed an in-depth technical investigation and security assessment of a major Software-as-a-Service (SaaS) company. Prepared technical findings and prioritized recommendations mapped to ISO27001 standards.
  • Provided ongoing forensic, investigative and risk advisory services to senior managers and C-suite executives at a Fortune 500 company.
  • Provided ongoing network security and incident response advisory services for a biotechnology firm.
  • Managed a security risk assessment at a technology startup in connection with ongoing litigation concerning the corporation's network-security posture.
  • Managed a technical risk assessment, including a comprehensive vulnerability assessment and network modeling exercise, for a Fortune 1000 transportation company.
  • Reviewed search protocols and technical controls implemented by a client organization to identify and block employees’ use of an unwanted application in response to a regulatory inquiry.
Fraud, Identity Theft and Internal Investigations
  • Served on a federal identity-theft working group at the U.S. Attorney’s Office for the Western District of Washington and developed priority cases involving organized criminal groups. Led two complex, multijurisdictional investigations that resulted in the convictions of nine defendants who conspired to commit significant and repeated aggravated identity thefts and bank fraud through the use of malicious insiders at victim businesses and counterfeit identification documents. (United States v. Charles Griffen et al. and United States v. Scott Putnam)
  • Served as a member of the Financial Investigations Review Team at the U.S. Attorney’s Office for the Western District of Washington, responsible for reviewing and investigating Suspicious Activity Reports filed under the Bank Secrecy Act for potential money-laundering violations.
  • Managed an investigation and digital forensics involving the theft of intellectual property by a former developer at a technology firm, resulting in referral to the FBI and the employee's arrest on federal charges.
  • Conducted an internal investigation, on behalf of a credit union’s board of directors, into allegations that the credit union’s president improperly accessed and manipulated data in the credit union’s financial systems. Briefed the board and credit union’s regulator on the results of the investigation and a high-level assessment of the credit union’s security controls.
  • Managed an investigation into a significant embezzlement by an employee of a Fortune 500 company, including controlled purchases of stolen equipment sold on the Internet. Coordinated referral to law enforcement, resulting in the employee’s arrest and conviction.

Recognitions and Memberships

Recognitions

  • International Association of Privacy Professionals (IAPP)
    • Certified Information Privacy Professional (CIPP/US)*
  • International Information System Security Certification Consortium (ISC2)
    • Certified Information Systems Security Professional (CISSP) (valid through September 2020)
  • Global Information Assurance Certification (GIAC)
    • Certified Penetration Tester (GPEN) (valid through 2021)
    • Critical Controls Certification (GCCC) (valid through February 2020)
    • Information Security Professional (GISP) (valid through June 2018)
  • Guidance Software
    • EnCase Certified Examiner (EnCE) (2006 to 2010)
  • U.S. Department of Homeland Security, Federal Law Enforcement Training Center
    • Certified as a Seized Computer Evidence Recovery Specialist (SCERS)
  • U.S. Department of Justice
    • Certificate of Appreciation for Investigative Efforts (2008, 2015)
  • U.S. Federal Bureau of Investigation: Recognition in Priority Investigation (2008)
  • King County Sheriff’s Office, Seattle, Washington
    • Detective of the Year, department-wide (2005)
    • Detective of the Year, north precinct (2007)
  • City of Sammamish: Officer of the Year (2004)
  • Washington State Police Academy
    • Highest Academic Achievement (1999)
    • Highest Overall Achievement (1999)

*The Supreme Court of Washington does not recognize certification of specialties and the certificate is not required to practice law in the state of Washington.

Memberships

  • Washington State Bar Association
  • SANS Institute: Advisory Board Member
  • High Technology Crime Investigation Association, Washington Chapter
  • International Association of Privacy Professionals

Community

  • American Radio Relay League

Pro Bono

  • Consulted as a member of the plaintiff’s team in a pro bono “cyber civil rights” project that assists victims of “revenge porn.” Testified at jury trial as the plaintiff’s expert witness on internet traffic, Tor anonymization, and internet communication tracing to establish that the defendant was responsible for anonymized internet traffic targeting the plaintiff. The plaintiff was awarded an $8 million verdict.

Prior Positions

  • Stroz Friedberg, LLC, an Aon Company
    • Managing Director (2017)
    • Vice President (2015 to 2017)
  • United States Department of Defense, Office of the Inspector General, Defense Criminal Investigative Service
    • National Cyber Field Office and Seattle FBI Cyber Task Force: Special Agent (2012 to 2015)
    • Seattle Resident Agency: Special Agent (2008 to 2012)
  • King County Sheriff’s Office, Seattle, Washington
    • Detective (2004 to 2008)
    • Deputy Sheriff (1999 to 2004)
  • United States Attorney’s Office, Western District of Washington: Law Clerk (1997)

Admissions

  • U.S. District Court, Western District of Washington
  • U.S. Bankruptcy Court, Western District of Washington
  • Washington

Education

  • M.P.M., Georgetown University McCourt School of Public Policy, 2014; Capstone Project Faculty Award
  • J.D., University of Washington School of Law, 1999
  • B.A., University of Washington, 1996

Blog

In The Blogs

Data Privacy Monitor
COVID-19 Cybersecurity Exposure
By Andreas T. Kaltsounis
March 18, 2020
Risk scenarios and recommendations
History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting...
Data Privacy Monitor
Key takeaways for app development and data protection by design from recent enforcement action
By Andreas T. Kaltsounis
February 25, 2020
The Norwegian Data Protection Authority (DPA) recently announced a €200,000 fine against Oslo’s municipal education agency for several security flaws associated with an app the agency developed for communications between school employees...
Data Privacy Monitor
Reexamining the GDPR's Territorial Scope
By Andreas T. Kaltsounis
January 24, 2020
Key Takeaways From the European Data Protection Board’s New Guidance
In November 2019, the European Data Protection Board (EDPB) issued its final guidance on territorial scope of the General Data Protection Regulation (GDPR), following...
Data Privacy Monitor
New Year Brings Trio of U.S. Breach Notification Amendments
By Andreas T. Kaltsounis
January 7, 2020
Along with the California Consumer Privacy Act, the new year brought us a trio of updated breach notification laws, in Oregon, Texas and Illinois. The Oregon law is of the most interest because it is the first to require that vendors...
Data Privacy Monitor
Deeper Dive: GDPR a Game-Changer for Data Breach Notification
By Andreas T. Kaltsounis
April 8, 2019
When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to...