Careers

Diversity

With 18 offices, from New York to Los Angeles and Seattle to Orlando, we live and work in communities all over the U.S., collaborating across locations, disciplines and even borders. Our experienced, highly ranked lawyers serve businesses wherever they are and wherever they want to go.

Offices

About Us

Pages

Professionals

Thought leadership: blogs, podcasts, videos, publications, events and news

Insights

Services

Pro Bono

Am Law 100 firm with practices in Business, Digital Assets and Data Management, Intellectual Property, Labor & Employment, Litigation and Tax.

Home | BakerHostetler

Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher

DOJ and HHS Launch New False Claims Act Working Group to Target Healthcare Fraud

Sports

BakerHostetler Services

Raj Bandla, Cynthia Bast Present at 2025 Texas Housing Conference

Craig co-leads the Digital Risk Advisory and Cybersecurity team, which helps entities address hundreds of security incidents a year and the resulting regulatory and litigation matters that follow. Clients turn to Craig to address the privacy compliance, operational and security related enterprise risks generated by their use of technology, such as data security incidents, post-incident regulatory defense and litigation, payment card network assessments, post-incident security enhancements, incident response preparedness, security and risk assessments, technology contracts and due diligence related to transactions.

In particular, Craig is internationally known as a go-to attorney for payment card security incidents after leading over 200 entities through payment card security incidents and the resulting PCI DSS revalidation process and payment card network liability assessments. Additionally, he has extensive experience with retail, restaurant, hospitality, financial services&nbsp;and technology companies.

Craig has conducted hundreds of incident response training and cybersecurity exercises for incident response teams, executive teams&nbsp;and boards of directors. These sessions help clients contextualize the critical issues and decisions they will face in an incident so they can identity how to build plans that will allow them to respond in a way that meets organizational goals, minimizes risk&nbsp;and protects key relationships.

Craig is ranked in Chambers USA: America’s Leading Lawyers for Business and the Legal 500, was twice chosen for the Cybersecurity Docket “Incident Response” list and has been selected multiple times as an Acritas Star and BTI Client Service All-Star. He is a featured speaker on topics such as reasonable security, incident response and other digital risk areas.

core/freeform

J.D., University of Cincinnati College of Law, 2002

B.A., University of Cincinnati, 1999

<ul>
<li>Chambers Global
<ul>
<li>Privacy &amp; Data Security: Cybersecurity (2025) – Band 3 </li>
<li>Privacy &amp; Data Security (USA) (2014 to 2024) – Band 3</li>
<li>Privacy &amp; Data Security: Incident Response (USA) (2022 to 2023) &#8211; Spotlight Table</li>
<li>Privacy &amp; Data Security: Incident Response (USA) (2024) &#8211; Band 1</li>
</ul>
</li>
<li>Chambers USA
<ul>
<li>Privacy and Data Security: Cybersecurity, Nationwide
<ul>
<li>Band 3 (2024 to 2025)</li>
</ul>
</li>
<li>Privacy and Data Security, Nationwide
<ul>
<li>Band 3 (2019, 2020 to 2023), Recognized Practitioner (2017 to 2018)</li>
</ul>
</li>
<li>Privacy and Data Security: Incident Response, Nationwide
<ul>
<li>Band 1 (2023), Spotlight Table (2021 to 2022)</li>
</ul>
</li>
</ul>
</li>
<li>The Legal 500 United States
<ul>
<li>Leading Lawyer in Media, Technology and Telecoms: Cyber Law (including data privacy and protection) (2020 to 2025)</li>
<li>Recommended in Cyber Law (including data protection and privacy) (2017)</li>
<li>Recommended in Data Protection and Privacy (2016)</li>
</ul>
</li>
<li>Cybersecurity Docket
<ul>
<li>&#8220;Incident Response 30&#8221; (2016)</li>
<li>&#8220;Incident Response 50&#8221; (2024)</li>
<li>&#8220;Incident Response 50&#8221; (2025)</li>
</ul>
</li>
<li>Acritas Star (2015 to 2019)</li>
<li>Law360 &#8220;Rising Star&#8221; in Privacy (2015)</li>
<li>BTI Client Service All-Star (2016, 2017, 2019, 2020, 2022, 2024)</li>
<li>Ohio Super Lawyers &#8220;Rising Star&#8221; (2009 to 2012)</li>
<li>Dayton Business Journal: &#8220;Forty Under 40&#8221; (2008)</li>
<li>International Association of Privacy Professionals (IAPP): Certified Information Privacy Manager (CIPM)</li>
</ul>

Cincinnati

BakerHostetler attorneys and practice areas spotlighted in the 2025 Legal 500 annual guide

Chambers USA Guide 2025 Recognizes 171 BakerHostetler Attorneys and 73 Practice Areas

Craig Hoffman Comments on Cybersecurity and Startups in Wall Street Journal

Theodore Kobus, Craig Hoffman Named to Cybersecurity Docket’s Incident Response 50 for 7th and 3rd Time, Respectively

BakerHostetler launches 2025 Data Security Incident Response Report

Craig Hoffman Takes Part in Panel During 2025 Incident Response Forum Masterclass

BakerHostetler Expands International Recognition with 2025 Rankings from Chambers Global

Preparing for the 2025 Proxy and Annual Reporting Season: Key Issues and Considerations

2024 SEC Cybersecurity Rule Updates

BakerHostetler Columbus Office Hosts Roundtable on AI

Craig Hoffman Moderates Panel, Casie Collignon Speaks at 2024 NetDiligence Cyber Risk Summit

Craig Hoffman Participates in Regulatory Readiness Webinar with Marsh and CrowdStrike

Data Counsel

The SEC’s Regulation of Cybersecurity Continues

BakerHostetler attorneys, practice areas stand out in The Legal 500 annual guide

Chambers USA Guide 2024 Recognizes 155 BakerHostetler Attorneys and ­66 Practice Areas

Six BakerHostetler attorneys named 2024 BTI Client Service All-Stars

BakerHostetler launches 2024 Data Security Incident Response Report, ‘Persistent Threats, New Challenges’

Craig Hoffman Presents During Cybersecurity Incident Response Forum Masterclass 2024

Theodore Kobus, Craig Hoffman Named to Cybersecurity Docket’s Incident Response 50

Craig Hoffman Discusses Current Ransomware Landscape 

BakerHostetler Continues to Collect Accolades with 2024 Rankings from Chambers Global

Preparing for the 2024 Proxy and Annual Reporting Season: Key Issues and Considerations

Harrington, Hoffman and Gyasi discuss new cybersecurity rules in Beazley webinar

Hoffman and Elam address impact and implications of enhanced cybersecurity disclosure rules

Addressing the SEC’s New Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Requirements

The SEC’s Proposed Cybersecurity Rules: Regulatory Delay Does Not Bless Standing By

BakerHostetler Attorneys and Practice Areas Recognized in The Legal 500 2023 Guide

Chambers USA Guide 2023 Honors 147 BakerHostetler Attorneys and Recognizes 64 Practice Areas

BakerHostetler Launches 2023 Data Security Incident Response Report

Thirteen BakerHostetler Attorneys, Eight Practice Areas Ranked in 2023 Edition of Chambers Global

David Carney and Craig Hoffman Speak at Sedona Conference Working Group Meeting

Craig Hoffman Addresses Sanctions Risks Associated with Ransomware Payments

Craig Hoffman Presents on Best Practices in Dealing with Ransomware Attacks

BakerHostetler Attorneys, Practice Areas Shine in The Legal 500 2022 Guide

Chambers USA Guide 2022 Honors 145 BakerHostetler Attorneys and Recognizes 62 Practice Areas

Craig Hoffman on Digital Detectives Podcast

BakerHostetler Launches 2022 Data Security Incident Response Report – Resilience and Perseverance

Webinar: 2022: Trends and Issues in a Digital World

SEC Proposes Rules on Disclosure of Material Cyber Incidents and Cybersecurity Practices for Public Companies

Eleven BakerHostetler Attorneys, Seven Practice Areas Ranked in 2022 Edition of Chambers Global

Nine BakerHostetler Attorneys Named 2022 BTI Client Service All-Stars

Look Back, Look Ahead: Advertising and Marketing Law in 2021 & 2022

Craig Hoffman a Speaker at NetDiligence Cyber Risk Summit

Sara Goldstein, Craig Hoffman Speak at American Council of Life Insurers Conference

Craig Hoffman Comments on Proposed Federal Breach Reporting Laws

BakerHostetler Attorneys Make Significant Gains in The Legal 500 Annual Guide

Chambers and Partners USA Honors 127 Attorneys and 43 Practice Areas in 2019 Guide

Chambers and Partners USA Honors 118 Attorneys and 45 Practice Areas in 2018 Guide

Attorneys from Five Practice Areas Present Legislative Update to Brand Activation Association

BakerHostetler’s work recovering more than half of the losses in the Madoff Ponzi scheme featured on WNYC in interview on The Brian Lehrer Show

Press Release: Second Interim Distribution of Recovered Funds to Madoff Claim Holders

Press Release: United States Supreme Court Denies Certiorari, Upholding Net Equity Decision in BLMIS Liquidation

Commercial Litigation

Digital Assets and Data Management

Information Governance

Emerging Companies and Venture Capital

Industries

Financial Services: Technology

Compliance

Web3 and Digital Assets

Digital Risk Advisory and Cybersecurity

Retail

Financial Services

<ul>
<li>Incident response counsel to restaurant and hotel franchisors involving matters where the franchisor worked with hundreds of its franchisees to identify, investigate and provide notification of payment card security incidents, as well as any resulting litigation, payment card network liability assessments, regulatory inquiries and post-incident payment technology security enhancement efforts with franchisees.</li>
<li>Incident response counsel and post-disclosure counsel for Marriott regarding the Starwood security incident that was disclosed on November 30, 2018.</li>
<li>Engaged by a credit reporting agency in September 2017 to provide legal advice regarding aspects of its response to a significant security incident.</li>
<li>Preparing incident response plans and conducting incident response training and tabletop exercises for response teams, executives and board members. Craig has conducted more than 150 different sessions and exercises for companies in the U.S. and internationally.</li>
<li>Advising restaurants, hotels and retailers on authentication measures, payment acceptance and loyalty programs for their web and mobile apps.</li>
<li>Conducting pre- and post-acquisition due diligence and compromise assessments of hotels, restaurants and technology service providers.</li>
<li>Engaging security firms to conduct red team exercises, penetration test, compromise assessments, security risk assessments and cybersecurity maturing assessments.</li>
</ul>

Craig A. Hoffman

Craig A. Hoffman

Experience

Recognitions and Memberships

Insights and News

Prior Positions

Credentials

Areas of Focus

Industries

Services

Featured Insights