Andreas T. Kaltsounis

Experience

Advisory and Assessment Services

• Develop and implement strategies to comply with domestic U.S. and international data protection regulations, including the California Consumer Privacy Act, New York SHIELD Act, and EU General Data Protection Regulation. Advise on transfer mechanisms, consent mechanisms, implementing “reasonable security,” breach response programs, breach preparedness, and employee training.
• Advise on compliance with international data transfer restrictions and data localization requirements, including cross-border transfer mechanisms such as standard contractual clauses, intercompany agreements, and binding corporate rules. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
• Advise on response to domestic and cross-border law enforcement and government agency data requests.

Incident Response

• Advise companies on all phases of data breach preparation and response under U.S. and international law, including incident preparation and testing, employee education, incident investigation, analysis of notice obligations, and regulatory defense.
• Address responses under U.S. sectoral laws including HIPAA, GLBA, the New York Department of Financial Services Cybersecurity Requirements and similar state laws.
• Coordinate international breach response efforts, including evaluating scope and notice obligations under the EU GDPR, Canadian PIPEDA, and emerging data protection regulations in the APAC region and South America.
• Managed the forensic investigation of a data breach involving the theft of more than 1 billion customer records from a technology company by actors affiliated with a nation state. Provided daily briefings and security advisory services to the victim organization’s CEO, Chief Information Security Officer (CISO) and other executives; prepared reports; and coordinated with counsel and public relations on breach notifications and regulatory inquiries.
• Led the investigation of a major payment card industry (PCI) network breach at a large national retailer. The breach affected millions of customer card numbers during a multimonth intrusion. Coordinated investigative activities with, and oversight of, an external PCI Forensic Investigator (PFI), resulting in the correction of several inaccurate and overly broad findings the PFI proposed. Provided ongoing CISO advisory and remediation services to the organization following the intrusion incident.
• Led the investigation into a network intrusion at a healthcare facility by a disgruntled former employee who accessed systems without authorization and destroyed data. Coordinated the recovery of deleted data and completed a risk assessment pursuant to the Health and Human Services (HHS) Breach Notification Rule.
• Managed a code review and advised on investigative efforts related to the unauthorized decryption and theft of intellectual property from a software developer.
• Directed a significant PCI network breach investigation involving a Fortune 500 retailer, including coordination with and monitoring of an external PFI.
• Led the investigation into a breach of personally identifiable information involving millions of customer records at a Fortune 500 company.
• Directed an incident response involving brute-force and web-application attacks that compromised customer accounts at a Fortune 1000 transportation company.

Fraud, Identity Theft and Internal Investigations

• Served on a federal identity-theft working group at the U.S. Attorney’s Office for the Western District of Washington and developed priority cases involving organized criminal groups. Led two complex, multijurisdictional investigations that resulted in the convictions of nine defendants who conspired to commit significant and repeated aggravated identify thefts and bank fraud through the use of malicious insiders at victim businesses and counterfeit identification documents. (United States v. Charles Griffen et al. and United States v. Scott Putnam)
• Served as a member of the Financial Investigations Review Team at the U.S. Attorney’s Office for the Western District of Washington, responsible for reviewing and investigating Suspicious Activity Reports filed under the Bank Secrecy Act for potential money-laundering violations.
• Managed an investigation and digital forensics involving the theft of intellectual property by a former developer at a technology firm, resulting in referral to the FBI and the employee's arrest on federal charges.
• Conducted an internal investigation, on behalf of a credit union’s board of directors, into allegations that the credit union’s president improperly accessed and manipulated data in the credit union’s financial systems. Briefed the board and credit union’s regulator on the results of the investigation and a high-level assessment of the credit union’s security controls.
• Managed an investigation into a significant embezzlement by an employee of a Fortune 500 company, including controlled purchases of stolen equipment sold on the Internet. Coordinated referral to law enforcement resulting in employee’s arrest and conviction.

Memberships

• Washington State Bar Association
• SANS Institute: Advisory Board Member
• High Technology Crime Investigation Association, Washington Chapter
• International Association of Privacy Professionals

Community

• American Radio Relay League

Pro Bono

• Consulted as a member of the plaintiff’s team in a pro bono “cyber civil rights” project that assists victims of “revenge porn.” Testified at jury trial as the plaintiff’s expert witness on internet traffic, Tor anonymization, and internet communication tracing to establish that the defendant was responsible for anonymized internet traffic targeting the plaintiff. The plaintiff was awarded an $8 million verdict.