Craig Hoffman is a sought-after digital risk advisor who co-leads the Digital Risk Advisory and Cybersecurity team of BakerHostetler’s Digital Assets and Data Management group. Entities turn to Craig to address the privacy compliance, operational, and security related enterprise risks generated by their use of technology – data security incidents, post-incident regulatory defense and litigation, payment card network assessments, post-incident security enhancements, incident response preparedness, security and risk assessments, technology contracts, and due diligence related to transactions. Craig leverages his experience as a litigator and insights generated from thousands of incidents to generate solutions designed to meet organizational goals, minimize risk, and protect key relationships.
In particular, Craig is internationally known as a go-to attorney for payment card security incidents after leading over 200 entities through payment card security incidents and the resulting PCI DSS revalidation process and payment card network liability assessments. Additionally, he has extensive experience with retail, restaurant, hospitality, financial services, and technology companies.
Craig is ranked in Chambers USA: America's Leading Lawyers for Business and the Legal 500, was chosen for the Cybersecurity Docket “Incident Response 30,” and has been selected multiple times as an Acritas Star and BTI Client Service All-Star. He is a featured speaker on topics such as reasonable security, incident response, and other digital risk areas.
Incident Response
Craig has led entities through thousands of data security incidents, including some of the largest matters affecting entities in the retail, restaurant, hospitality, financial services, and technology industries.
Incident Response Preparedness
Craig has worked with hundreds of entities to create or enhance existing incident response plans. He works with incident response teams, executive management teams, and board members to test incident response plans and enhance response capabilities by conducting interactive incident response training sessions and tabletop exercises. He also helps organizations vet and engage forensic firms prior to an incident.
Digital Risk Advisory
Craig has led entities through investigations by US state attorneys general, multi-state attorneys general groups, the FTC, EU supervisory authorities, and other international data protection regulatory authorities.
Cybersecurity Advisory
Craig leverages the experience he has gained through managing thousands of incidents to help entities:
- Identify, develop, prioritize, and implement risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).
- Address third-party exploitation and misuse of technology, such online account credential stuffing and account takeovers.
- Conduct due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing Craig works with the acquiring entity to develop an appropriate plan to integrate the target.
- Develop vendor management and technology contract programs, as well as to negotiate significant agreements, such as key cloud-based services and new payment card security technology.
- Develop cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees, and boards of directors, including implementing components of reasonable security, building a cybersecurity roadmap, and cybersecurity maturity assessments.