Craig A. Hoffman

Experience

Privacy & Data Security Compliance | Information Governance 

• Provides proactive privacy and security advice to emerging companies related to data collection, use, sharing and marketing, as well as to establishing payment systems. Transactions include the purchase of a word-of-mouth marketing company.
• Conducts incident response workshops.
• Develops and implements policies, including website and app privacy and terms of use, BYOD, social media, incident response, and information security plans.  
• Consults on emerging payment issues, including assessing tokenization and point-to-point encryption technologies, planning for EMV liability shift, and mobile payments.
• Provides due diligence and contract drafting to M&A teams, including acquisition of a social media company and payment processing companies.

Security Incident Response & Litigation 

• Has led incident response teams for national and international retailers (including  grocers, gaming, eye care, sporting goods, tools and equipment, clothing, cosmetics, restaurants, hospitality, luxury goods, and electronics) following attacks on their card-present and e-commerce payment systems. Engagements involve the following activities: 
  • Overseeing the forensic investigation.
  • Interacting with FBI, Secret Service and other law enforcement officials.
  • Ensuring a response in compliance with state breach notification laws and contractual notice obligations.
  • Managing significant customer relations issues.
  • Responding to state attorneys general and FTC inquiries.
  • Addressing card network fines and assessments.
  • Defending multiple putative class actions.
• Advises technology service providers (including cloud service providers, identity management, data centers and software companies) on issues relating to product security vulnerabilities.
• Represents financial institutions, banks and credit unions responding to events of unauthorized access to sensitive customer information. Incidents have included malware infections, network intrusions, denial of service attacks, employee carelessness and malicious employees. Engagements often involve interaction with financial regulatory authorities.
• Advises companies on investigations related to theft of trade secrets by departing employees.
• Files and argues appeals of card network fines and assessments against merchants arising from payment card breach incidents.
• Pursued claims on behalf of buyer against seller for breach of representations and warranties when a cyber-attack that exploited long-standing security deficiencies occurred just after the sale.
• As member of trial team, pursued delay damages against subcontractor on behalf of commercial developer and general contractor.
• As member of trial team, obtained $163 million settlement of False Claims Act and fraud claims against pharmacy benefit manager.

Memberships

• Ohio State Bar Association
• Cincinnati Bar Association
• Kentucky Bar Association
• Cincinnati Academy of Leadership for Lawyers: Member of Class XIV (2010)