David Sherman

Partner

Philadelphia
T +1.215.564.8380
F +1.215.568.3439

Overview

David Sherman is a member of the firm's Digital Assets and Data Management group. He works closely with clients to proactively assess and mitigate cyber risk, facilitate incident response preparedness, and develop privacy and information security policies that comply with state, federal and international privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA) and E.U. General Data Protection Regulation (GDPR). He also works with clients to enhance enterprise security posture and manage responses to any digital crisis that may arise.

David also has substantial experience drafting and negotiating service provider agreements on behalf of customers and vendors and analyzing clients' existing agreements to evaluate and optimize contractual allocation of risks, rights and obligations in the event of a security incident.

If a security incident occurs, David draws upon his experience counseling hundreds of clients through incident response investigations, often in partnership with digital forensic investigation firms, to identify and contain the incident; remediate any impact upon operations; develop sufficient information to implement a tailored crisis communications strategy; perform a comprehensive evaluation of notification obligations under applicable state, federal and international laws; facilitate required notification to consumers and/or regulatory authorities; and respond to any regulatory inquiries.

Utilizing his broad knowledge of data privacy and cybersecurity, David is able to counsel and aid clients across a variety of industries on their distinct, complex digital security matters.

Experience

Advisory and Assessment Services
  • Negotiates and drafts vendor and service provider agreements to mitigate potential exposure arising from a data security incident by clearly defining a client’s relationship with the service provider; requiring the service provider to adhere to delineated information security practices molded to the specific service offering; setting forth expectations as to when, how and under what circumstances a service provider must report a potential or suspected data security incident, and preserving the client’s right to conduct an independent forensic investigation; incorporating optimal indemnification and limitation of liability language to shift liability and defense exposure to the service provider; leveraging a service provider’s insurance coverage; incorporating warranties that hold the service provider accountable for rendering services in accordance with the agreement and applicable law; applying a favorable choice of law provision governing disputes under the contract; and avoiding potential pitfalls such as waivers of subrogation that may preclude clients or their insurers from recovering damages attributable to a service provider’s conduct.
  • Counsels clients on regulatory compliance, including compliance with Payment Card Industry Data Security Standards (PCI-DSS), NYS Department of Financial Services regulations, the California Consumer Privacy Act (CCPA) and E.U. General Data Protection Regulation (GDPR). Compliance counseling services often involve guidance on data mapping, data transfer mechanisms, data subject request response and procedures, data protection impact assessments/privacy impact assessments, recordkeeping, the appointment of privacy officers and representatives, and employee training.
  • Helps clients prepare incident response plans, including "table top" exercises practicing breach response procedures, and training key personnel in all aspects of cyber risk management and response.
  • Develops and implements website, app and other privacy policies, terms of service, terms of use, and ancillary policies that address appropriate data collection, use, sharing and marketing practices.
  • Manages technical investigations and security assessments, including technical findings and prioritized recommendations, mapped to security standards that include the appropriate NIST Special Publications and ISO 27001/27002.
  • Offers transactional counseling, including compliance assessment during due diligence.
Incident Response
  • Coordinated incident response services for clients of all market sizes and across multiple business sectors including financial services, retail, manufacturing, healthcare, hospitality, municipal government, energy and construction.
  • Provides breach risk assessment and regulatory reporting, including response to enforcement actions.
  • Provides PCI Account Data Compromise assessment response and appeal for all major card brands.

Recognitions and Memberships

Recognitions

  • Certified Information Privacy Professional (CIPP/US)

Memberships

  • International Association of Privacy Professionals (IAPP)

Community

  • Hamilton Alumni Recruitment Team: Alumni Admission Volunteer

Prior Positions

  • Kings County District Attorney's Office: Legal Intern
  • NYSE, Office of the General Counsel: Legal Intern
  • U.S. Commodity Futures Trading Commission: Legal Intern
  • U.S. Attorney's Office, Eastern District of New York, Criminal Division: Legal Intern
  • The Honorable Timothy S. Driscoll, Supreme Court of the State of New York: Judicial Intern
  • Suffolk County Attorney's Office, General Litigation Bureau: Intern

Admissions

  • U.S. District Court, Southern District of New York
  • U.S. District Court, Eastern District of New York
  • U.S. District Court, Eastern District of Pennsylvania
  • New York
  • Pennsylvania

Education

  • J.D., Brooklyn Law School, 2010; CALI Award for Excellence in Legal Writing
  • B.A., Hamilton College, 2007