Craig A. Hoffman

Partner

Cincinnati
T +1.513.929.3491
F +1.513.929.0303

"Craig is distinguished by his wealth of experience in responding to information and data incidents. 'He can cut through the jargon in a way that is clear and makes problems more tangible'."

— Chambers Global (USA) 2021

Overview

Craig Hoffman is a sought-after digital risk advisor who co-leads the Digital Risk Advisory and Cybersecurity team and serves as the Ohio Digital Assets and Data Management Leader. Entities turn to Craig to address the privacy compliance, operational, and security-related enterprise risks generated by their use of technology – data security incidents, post-incident regulatory defense and litigation, payment card network assessments, post-incident security enhancements, incident response preparedness, security and risk assessments, technology contracts, and due diligence related to transactions. Craig leverages his experience as a litigator and insights generated from thousands of incidents to generate solutions designed to meet organizational goals, minimize risk, and protect key relationships.

In particular, Craig is internationally known as a go-to attorney for payment card security incidents after leading over 200 entities through payment card security incidents and the resulting PCI DSS revalidation process and payment card network liability assessments. Additionally, he has extensive experience with retail, restaurant, hospitality, financial services, and technology companies.

Craig is ranked in Chambers USA: America's Leading Lawyers for Business and the Legal 500, was chosen for the Cybersecurity Docket “Incident Response 30,” and has been selected multiple times as an Acritas Star and BTI Client Service All-Star. He is a featured speaker on topics such as reasonable security, incident response, and other digital risk areas.

Select Experience

Incident Response

Craig has led entities through thousands of data security incidents, including some of the largest matters affecting entities in the retail, restaurant, hospitality, financial services, and technology industries.

Incident Response Preparedness

Craig has worked with hundreds of entities to create or enhance existing incident response plans. He works with incident response teams, executive management teams, and board members to test incident response plans and enhance response capabilities by conducting interactive incident response training sessions and tabletop exercises. He also helps organizations vet and engage forensic firms prior to an incident.

Digital Risk Advisory

Craig has led entities through investigations by US state attorneys general, multi-state attorneys general groups, the FTC, EU supervisory authorities, and other international data protection regulatory authorities.

Cybersecurity Advisory

Craig leverages the experience he has gained through managing thousands of incidents to help entities:

  • Identify, develop, prioritize, and implement risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).
  • Address third-party exploitation and misuse of technology, such as online account credential stuffing and account takeovers.
  • Conduct due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing, Craig works with the acquiring entity to develop an appropriate plan to integrate the target.
  • Develop vendor management and technology contract programs, as well as negotiate significant agreements, such as key cloud-based services and new payment card security technology.
  • Develop cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees, and boards of directors, including implementing components of reasonable security, building a cybersecurity roadmap, and cybersecurity maturity assessments.

Experience

  • Incident response counsel to restaurant and hotel franchisors involving matters where the franchisor worked with hundreds of its franchisees to identify, investigate, and provide notification of payment card security incidents, as well as any resulting litigation, payment card network liability assessments, regulatory inquiries, and post-incident payment technology security enhancement efforts with franchisees.
  • Incident response counsel and post-disclosure counsel for Marriott regarding the Starwood security incident that was disclosed on November 30, 2018.
  • Engaged by a credit reporting agency in September 2017 to provide legal advice regarding aspects of its response to a significant security incident.
  • Preparing incident response plans and conducting incident response training and tabletop exercises for response teams, executives and board members. Craig has conducted more than 150 different sessions and exercises for companies in the U.S. and internationally.
  • Advising restaurants, hotels, and retailers on authentication measures, payment acceptance, and loyalty programs for their web and mobile apps.
  • Conducting pre- and post-acquisition due diligence and compromise assessments of hotels, restaurants, and technology service providers.
  • Engaging security firms to conduct red team exercises, penetration tests, compromise assessments, security risk assessments, and cybersecurity maturity assessments.

Recognitions and Memberships

Recognitions

  • Chambers Global
    • Privacy & Data Security (USA) (2014 to 2021) – Band 2
  • Chambers USA
    • Nationwide Privacy & Data Security: Band 3 (2019, 2020); Recognized Practitioner (2017, 2018)
  • The Legal 500 United States (2016 to 2017, 2020)
    • Leading Lawyer in Media, Technology and Telecoms - Cyber Law (including data privacy and protection) (2020)
    • Recommended in Cyber law (including data protection and privacy) (2017)
    • Recommended in Data Protection and Privacy (2016)
  • Cybersecurity Docket "Incident Response 30" (2016)
  • Acritas Star (2015 to 2019)
  • Law360 "Rising Star" in Privacy (2015)
  • BTI Client Service All-Star (2016, 2017, 2019, 2020)
  • Ohio Super Lawyers "Rising Star" (2009 to 2012)
  • Dayton Business Journal: "Forty Under 40" (2008)
  • International Association of Privacy Professionals (IAPP): Certified Information Privacy Manager (CIPM)

Memberships

  • Ohio State Bar Association
  • Cincinnati Bar Association
  • Kentucky Bar Association
  • Cincinnati Academy of Leadership for Lawyers: Member of Class XIV (2010)

Prior Positions

  • Law Clerk for the U.S. Department of Labor Administrative Law Judge Thomas F. Phalen

Admissions

  • U.S. District Court, Southern District of Ohio
  • U.S. Court of Appeals, Sixth Circuit
  • Kentucky, 2008
  • Ohio, 2002

Education

  • J.D., University of Cincinnati College of Law, 2002
  • B.A., University of Cincinnati, 1999

Blog

In The Blogs

Data Counsel
Responding to Supply-Chain Risk—It's Not Just About Vendor Management
By Andreas T. Kaltsounis
April 14, 2021
Organizations around the globe began 2021 grappling with two significant supply-chain attacks. First, the SVR, Russia’s foreign intelligence service, planted malicious code in Orion, SolarWinds’ flagship network management suite. When...
Data Counsel
Highly-Anticipated SCOTUS Ruling Upends TCPA Landscape
By Shea M. Leitch, Melinda L. McLellan
April 13, 2021
In a landmark decision issued April 1, 2021, the Supreme Court settled a hotly-contested debate over the definition of “automatic telephone dialing system” (or “autodialer”) under the 1991 Telephone Consumer Privacy Act (“TCPA”). The...
Data Counsel
Podcast: AD-ttorneys@law: Marketing a Subscription-Based Service? Beware
April 7, 2021
We used to think of subscriptions as mostly for newspapers and magazines, but today you can subscribe to get cosmetics, cars, clothes, mental health counseling – even a curated selection of cat toys and treats that will show up on your...
Data Counsel
The Destruction of Privilege and Work Product Protection for Data Breach Investigations?
By Joseph L. Bruemmer, David A. Carney, Casie D. Collignon, Craig A. Hoffman, Thomas E. Hogan, Theodore J. Kobus III, Aleksandra Vold
June 17, 2020
Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships...
Data Counsel
DSIR Deeper Dive: Using Compromise Threat Intelligence
By Craig A. Hoffman
May 7, 2020
Organizations are under tremendous pressure to be agile and resilient. A key part of building a mature cybersecurity posture to enable the goals of the organization is conducting ongoing risk assessments and then implementing...