Daniel A. Pepper

Partner

Philadelphia
T +1.215.564.2456
F +1.215.568.3439

Overview

With over 25 years of in-depth experience in data privacy, cybersecurity and information technology law, including leadership roles at Fortune 50 public companies, Dan Pepper advises clients on proactive data privacy and security practices, data breach incident response and regulatory compliance.

Dan frequently leads BakerHostetler’s response to large, high-profile security incidents and interacts with federal and state agencies and forensic service providers, oversees investigations and designs post-incident response notification and remediation plans. In addition to his incident response work, Dan supports clients on compliance with domestic and international security laws, regulations and standards, including PCI-DSS, the NIST and ISO. He also facilitates in-depth security incident simulations and performs cybersecurity risk assessments.

Serving as BakerHostetler’s Philadelphia Digital Assets and Data Management Leader, Dan is highly knowledgeable in identifying, evaluating and managing risks associated with privacy and information security practices. Additionally, he guides clients with industry trends and compliance with state, federal and international privacy and data security laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), New Year SHIELD Act, California Online Privacy Protection Act (CalOPPA), and China’s Cybersecurity and Data Security Laws.

Dan also has significant experience handling complex technology transactions, primarily working with clients in the telecommunications and software sectors. He is proficient at structuring technology acquisitions, licensing and distribution arrangements, as well as cloud-based/SaaS transactions. With his substantial industry knowledge, Dan has drafted and negotiated thousands of technology and intellectual property-based transactions.

Drawing from his time in senior in-house counsel roles at multinational telecommunications conglomerates, Dan provides clients with comprehensive legal and business advice while assisting in developing data security procedures, protections and breach response governance that fit their unique goals.

Select Experience

Privacy & Data Security Compliance | Information Governance
  • Advises on compliance with international data transfer restrictions and data localization requirements, including through the implementation of cross-border transfer mechanisms such as the standard contractual clauses, intercompany agreements and binding corporate rules. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
Security Incident Response
  • Prepares cyber incident response plans for potential breaches, including protocols for managing investor relations, press releases, communications with regulators/law enforcement, and public disclosures following a cyber incident.
Information Technology and Transactions
  • Manages complex technology transactions on both the vendor side and the customer side, drafting and negotiating multiparty contracts and outsourcing agreements from the RFP through follow-up compliance assessments.
More »

Experience

Privacy & Data Security Compliance | Information Governance
  • Advises on compliance with international data transfer restrictions and data localization requirements, including through the implementation of cross-border transfer mechanisms such as the standard contractual clauses, intercompany agreements and binding corporate rules. Counsels both importers and exporters of EU personal data on strategies to address potential compliance gaps resulting from the July 2020 invalidation of the EU-U.S. Privacy Shield Framework.
  • Reviews products, applications, and business initiatives and practices (including, data use, big data, social media, marketing and advertising campaigns) to identify potential privacy and security issues, recommending solutions for compliance with policy and legal requirements across all business unit operations.
  • Designs, implements and maintains data governance and compliance programs and drafts supporting materials (including policies, privacy impact assessments, standards, consumer messaging, guidance materials and awareness and training materials) relating to privacy, data use and consumer protection.
  • Devises privacy and information security awareness programs and training modules for personnel, typically deploying a multi-tiered, risk-based approach to account for varying degrees of employee access to, and responsibility for, sensitive data.
  • Advises on IP, data privacy and protection and industry-specific issues on M&A, financing and other corporate transactions (e.g., due diligence, issue identification, the drafting of APA/merger agreement provisions and counseling on warranty and indemnity issues).
  • Develops and implements CCPA and EU GDPR compliance programs for U.S. and international organizations, which includes advising clients on data mapping, data transfer mechanisms, data subject request response and procedures, data protection impact assessments/privacy impact assessments, recordkeeping, the appointment of privacy officers and representatives and employee training.
  • Develops and implements third party cyber risk management programs to help clients identify compliance and control gaps with third parties that access sensitive and personal information, and to incorporate comprehensive contractual information security provisions and assessment mechanisms.
  • Conducts data and risk assessments to help clients establish “reasonable security” and appropriate “technical and organizational measures” pursuant to the CCPA, EU GDPR, FTC regulations and other federal and state regulatory requirements.
Security Incident Response
  • Prepares cyber incident response plans for potential breaches, including protocols for managing investor relations, press releases, communications with regulators/law enforcement and public disclosures following a cyber incident.
  • Manages cross-functional legal and business groups within client organizations to determine privacy and security objectives, and advises on the impact of the clients’ data privacy and security legal and operational strategies.
  • Conducts in-house security training and tabletop exercises to build awareness and help companies prepare to effectively and efficiently manage data security threats and incidents.
Information Technology and Transactions
  • Manages complex technology transactions on both the vendor side and the customer side, drafting and negotiating multiparty contracts and outsourcing agreements from the RFP through follow-up compliance assessments.
  • Negotiates information privacy and security based commercial transactions and counsel in the areas of business intelligence, advanced advertising, intellectual property and e-commerce for telecommunications and entertainment technologies, as well as businesses and product development.
  • Represented a telecommunications and cable provider in its multimillion-dollar, multi-party, cloud and software services agreements.
  • Represented several technology product and service start-ups as sole outside counsel, helping to grow them from inception to over $100 million in annual revenue.
  • Develops standard services agreements for IT service providers (e.g., cloud, SaaS, platform usage, data analytics, advertising technologies and payment processing, and website, mobile app and video game development) and negotiates such agreements on both vendor and customer sides.
  • Negotiated over-the-top television channel deals for content and commerce companies on various streaming and smart TV platforms.

Recognitions and Memberships

Recognitions

  • Certified Information Privacy Professional/US (CIPP/US)
  • U.S. Technical Advisory Group formulating consensus positions for development of the global ISO "Consumer Protection: Privacy by Design for Consumer Goods & Services" standard (ISO/PC 317): Member
  • The Legal 500 United States (2020)
    • Recommended in Cyber Law (Including Data Privacy and Data Protection)
  • Martindale-Hubbell: AV Preeminent

Memberships

  • International Association of Privacy Professionals: Board Member
  • Rutgers University Big Data Advisory Board: Board Member
  • Superior Court of New Jersey: New Jersey Rule 1:40 Qualified Mediator
  • Association of Technology Procurement Professionals
    • CAUCUS: Senior Advisor
  • American Corporate Counsel Association
  • New Jersey Corporate Counsel Association

News

News

Press Releases

Community

  • Philadelphia Lawyers for the Arts: Volunteer Attorney
  • Street Law: Volunteer Attorney

Prior Positions

  • University of Pennsylvania Law School: Adjunct Professor (2017 to 2019)
  • Comcast: Vice President, Deputy General Counsel, Deputy Privacy Officer (2016 to 2019)
  • Verizon Communications: Assistant General Counsel, Information Technology, Information Security, Global Clearance and Compliance (2014 to 2016)
  • Pepper Law Group LLC: Founder, Managing Member (2006 to 2014)
  • BEA Systems, Inc.: Regional Counsel (2000 to 2006)
  • Oracle Corporation: Corporate Counsel (1999 to 2000)

Admissions

  • U.S. District Court, District of New Jersey
  • U.S. District Court, Western District of Pennsylvania
  • New Jersey
  • New York
  • Pennsylvania

Education

  • The Tuck School of Business, Dartmouth College, SCTE Executive Leadership Program, 2018
  • J.D., Duquesne University School of Law, 1994
  • B.A., Political Science, Rutgers University, 1991

Blog

In The Blogs

Previous Next
Data Counsel
China Issues Draft Measures on Security Assessment of Cross-Border Data Transfer
By Daniel A. Pepper
November 5, 2021
On Oct. 29, 2021, the Cyberspace Administration of China (CAC) published the “Draft Measures on Security Assessment of Cross-Border Data Transfer” (Draft Measures) for comment through Nov. 28. The Draft Measures follow and are based on...
Read More ->
Data Counsel
The New China Data Security Law and the Impact on Multinational Companies
By Daniel A. Pepper
July 13, 2021
On June 10, 2021, the National People’s Congress of the People’s Republic of China (PRC) approved the passage of the Data Security Law (DSL), which will take effect on Sept. 1, 2021. Overview Unlike the PRC’s Cybersecurity Law of 2016...
Read More ->
Data Counsel
The New IoT Cybersecurity Act Is Here
By Adam I. Cohen, Daniel A. Pepper
December 11, 2020
Background Growing awareness regarding cybersecurity concerns with the Internet of Things (IoT) has achieved a milestone with the promulgation of the IoT Cybersecurity Improvement Act (the Act), which was signed into law by President...
Read More ->
Data Counsel
Steps to Develop a Mature Third-Party Risk Management Program with High-Risk Third Parties (Part 2)
By Daniel A. Pepper
January 27, 2020
This blog is the second in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls, such as assessing...
Read More ->
Data Counsel
Steps to Develop a Mature Third-Party Risk Management Program With High-Risk Third Parties
By Daniel A. Pepper
January 10, 2020
This blog is the first in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls such as assessing...
Read More ->