Craig A. Hoffman

Experience

Privacy & Data Security Compliance | Information Governance 

• Provides proactive privacy and security advice to emerging companies related to data collection, use, sharing and marketing, as well as to establishing payment systems. Transactions include the purchase of a word-of-mouth marketing company.
• Conducts incident response workshops.
• Develops and implements policies, including website and app privacy and terms of use, BYOD, social media, incident response, and information security plans.  
• Consults on emerging payment issues, including assessing tokenization and point-to-point encryption technologies, planning for EMV liability shift, and mobile payments.
• Provides due diligence and contract drafting to M&A teams, including acquisition of a social media company and payment processing companies.

Security Incident Response & Litigation 

• Has led incident response teams for national and international retailers (including  grocers, gaming, eye care, sporting goods, tools and equipment, clothing, cosmetics, restaurants, hospitality, luxury goods, and electronics) following attacks on their card-present and e-commerce payment systems. Engagements involve the following activities: 
  • Overseeing the forensic investigation.
  • Interacting with FBI, Secret Service and other law enforcement officials.
  • Ensuring a response in compliance with state breach notification laws and contractual notice obligations.
  • Managing significant customer relations issues.
  • Responding to state attorneys general and FTC inquiries.
  • Addressing card network fines and assessments.
  • Defending multiple putative class actions.
• Advises technology service providers (including cloud service providers, identity management, data centers and software companies) on issues relating to product security vulnerabilities.
• Represents financial institutions, banks and credit unions responding to events of unauthorized access to sensitive customer information. Incidents have included malware infections, network intrusions, denial of service attacks, employee carelessness and malicious employees. Engagements often involve interaction with financial regulatory authorities.
• Advises companies on investigations related to theft of trade secrets by departing employees.
• Files and argues appeals of card network fines and assessments against merchants arising from payment card breach incidents.
• Pursued claims on behalf of buyer against seller for breach of representations and warranties when a cyber-attack that exploited long-standing security deficiencies occurred just after the sale.
• As member of trial team, pursued delay damages against subcontractor on behalf of commercial developer and general contractor.
• As member of trial team, obtained $163 million settlement of False Claims Act and fraud claims against pharmacy benefit manager.

CLE/Webinars/Seminars

• “Be Compromise Ready: Go Back to the Basics.” BakerHostetler webinar (May 2017)
• “Emerging Litigation Matters, Mitigating Risk as In-House Counsel,” Grange Audubon Society (October 2016)
• "The Lurking Menace: Cybercrime, Data Security, and Privacy Rights," Money2020 (October 2013)
• "Examining the Payment Card Industry (PCI) Adjudication Process," Net Diligence CyberWest (October 2013)
• "Preventing and Responding to Data Security Incidents," State Risk and Insurance Management Association (September 2013)
• "Preparing for and Mitigating Account Data Compromise Events," Vantiv Partnership Forum (September 2013)
• "Effective Data Breach Incident Response," Ohio CISO Executive Summit (June 2012)
• "Network Security and Privacy Law: A Rapidly Developing Liability Landscape," Webinar (March 2012)
• "Data Security and Cyber Liability Update," LexisNexis Webinar (November 2011)
• "Are You Ready for a Data Breach?" BakerHostetler CLE (October 2011)

Memberships

• Ohio State Bar Association
• Cincinnati Bar Association
• Kentucky Bar Association
• Cincinnati Academy of Leadership for Lawyers: Member of Class XIV (2010)