David Sherman

Experience

Advisory and Assessment Services

• Negotiates and drafts vendor and service provider agreements to mitigate potential exposure arising from a data security incident by clearly defining a client’s relationship with the service provider; requiring the service provider to adhere to delineated information security practices molded to the specific service offering; setting forth expectations as to when, how and under what circumstances a service provider must report a potential or suspected data security incident, and preserving the client’s right to conduct an independent forensic investigation; incorporating optimal indemnification and limitation of liability language to shift liability and defense exposure to the service provider; leveraging a service provider’s insurance coverage; incorporating warranties that hold the service provider accountable for rendering services in accordance with the agreement and applicable law; applying a favorable choice of law provision governing disputes under the contract; and avoiding potential pitfalls such as waivers of subrogation that may preclude clients or their insurers from recovering damages attributable to a service provider’s conduct.
• Counsels clients on regulatory compliance, including compliance with Payment Card Industry Data Security Standards (PCI-DSS), NYS Department of Financial Services regulations, the California Consumer Privacy Act (CCPA) and E.U. General Data Protection Regulation (GDPR). Compliance counseling services often involve guidance on data mapping, data transfer mechanisms, data subject request response and procedures, data protection impact assessments/privacy impact assessments, recordkeeping, the appointment of privacy officers and representatives, and employee training.
• Helps clients prepare incident response plans, including "table top" exercises practicing breach response procedures, and training key personnel in all aspects of cyber risk management and response.
• Develops and implements website, app and other privacy policies, terms of service, terms of use, and ancillary policies that address appropriate data collection, use, sharing and marketing practices.
• Manages technical investigations and security assessments, including technical findings and prioritized recommendations, mapped to security standards that include appropriate NIST Special Publications, ISO27001/ 27002.
• Offers transactional counseling, including compliance assessment during due diligence

Incident Response

• Coordinated incident response services for clients of all market sizes and across multiple business sectors including financial services, retail, manufacturing, healthcare, hospitality, municipal government, energy and construction.
• Provides breach risk assessment and regulatory reporting, including response to enforcement actions.
• Provides PCI Account Data Compromise assessment response and appeal for all major card brands.

Memberships

• International Association of Privacy Professionals (IAPP)

Community

• Hamilton Alumni Recruitment Team: Alumni Admission Volunteer