Andreas T. Kaltsounis

Experience

Privacy and Security Advisory

• Develop and implement strategies, programs and policies and procedures to comply with domestic U.S. and international data protection regulations, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), New York SHIELD Act and EU General Data Protection Regulation.
• Advise on international data transfer restrictions and localization requirements, including cross-border transfer mechanisms, transfer impact assessments and analysis of government access to data under U.S. criminal and national security laws. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
• Advise on compliance with information security and cybersecurity requirements under domestic and international law, including the EU’s General Data Protection Regulation, U.S. state security requirements and sectoral requirements such as the New York Department of Financial Services Cybersecurity Requirements and U.S. critical infrastructure security directives.

Incident Response

• Advise clients on all phases of data breach preparation and response under U.S. and international law, including incident preparation and testing, employee education, incident investigation, analysis of notice obligations and regulatory defense.
• Advise on response requirements under U.S. sectoral laws including HIPAA, GLBA, critical infrastructure security directives, the New York Department of Financial Services Cybersecurity Requirements and similar state laws.
• Coordinate international breach response efforts, including evaluating scope and notice obligations under the EU GDPR, Canada's PIPEDA and other emerging global data protection regulations.
• Led the response to a major ransomware attack at a global, publicly traded company, including incident investigation, crisis communications, analysis and coordination of notice obligations under more than two dozen global data protection regulations, and coordination with law enforcement and other government agencies.
• Managed the forensic investigation of a data breach involving the theft of more than one billion customer records from a technology company by actors affiliated with a nation state. Provided daily briefings and security advisory services to the victim organization’s CEO, Chief Information Security Officer (CISO) and other executives; prepared reports; and coordinated with counsel and public relations on breach notifications and regulatory inquiries.
• Led the response to a major payment card industry (PCI) breach at a large international retailer, including oversight of two forensic investigations, crisis communications, analysis and coordination of international notice obligations and response to regulatory inquiries. Successfully appealed proposed card brand penalties, resulting in a reduced penalty, and achieved withdrawal of a state AG’s proposed enforcement action.

Fraud, Identity Theft and Internal Investigations

• Served on a federal identity-theft working group at the U.S. Attorney’s Office for the Western District of Washington and developed priority cases involving organized criminal groups. Led two complex, multijurisdictional investigations that resulted in the convictions of nine defendants who conspired to commit significant and repeated aggravated identify thefts and bank fraud through the use of malicious insiders at victim businesses and counterfeit identification documents. (United States v. Charles Griffen et al. and United States v. Scott Putnam)
• Served as a member of the Financial Investigations Review Team at the U.S. Attorney’s Office for the Western District of Washington, responsible for reviewing and investigating Suspicious Activity Reports filed under the Bank Secrecy Act for potential money-laundering violations.
• Managed an investigation and digital forensics involving the theft of intellectual property by a former developer at a technology firm, resulting in referral to the FBI and the employee’s arrest on federal charges.
• Conducted an internal investigation, on behalf of a credit union’s board of directors, into allegations that the credit union’s president improperly accessed and manipulated data in the credit union’s financial systems. Briefed the board and credit union’s regulator on the results of the investigation and a high-level assessment of the credit union’s security controls.
• Managed an investigation into insider trading by a company’s IT staff, who traded on non-public information obtained through their privileged access to information on the company’s network.

Memberships

• Washington State Bar Association
• SANS Institute: Advisory Board Member
• High Technology Crime Investigation Association, Washington Chapter
• International Association of Privacy Professionals

Community

• American Radio Relay League

Pro Bono

• Consulted as a member of the plaintiff’s team in a pro bono “cyber civil rights” project that assists victims of “revenge porn.” Testified at jury trial as the plaintiff’s expert witness on internet traffic, Tor anonymization, and internet communication tracing to establish that the defendant was responsible for anonymized internet traffic targeting the plaintiff. The plaintiff was awarded an $8 million verdict.