Digital Risk Advisory and Cybersecurity

Overview

Our attorneys draw upon technical knowledge, unrivaled incident response experience, and outcomes from remediations of incidents, regulatory investigations and lawsuits (what we call “cyber response intelligence”) to help organizations generate and implement solutions for realizing the value of data and technology, reducing the risk of significant events, becoming “compromise ready,” and responding effectively to incidents.

Organizations face two primary cybersecurity risks – theft of data and operational disruptions. These dynamic risks can become reality because of an issue at the organization, a vendor or both. The need to implement and maintain “reasonable security” is understood, yet most organizations struggle to do so and find themselves unprepared to tell a persuasive cybersecurity story to defend their practices in the wake of an incident. Failing to leverage data and technology to meet organizational goals; the revenue and reputational impact of downtime; and the disruption, regulatory investigations and lawsuits that follow the disclosure of a security incident are material risks. Effective management of these risks requires an enterprise-wide approach. We supply the guidance to help organizations prioritize, develop and implement risk-based solutions to address these dynamic risks.

Incident Response

Our incident response experience is unmatched; we have helped companies respond to more than 5,000 potential incidents. This experience enables us to triage the underlying issue, provide recommendations for a preliminary response and project what the organization is going to face in the coming days, weeks and months so informed decisions can be made. Because we work with forensic firms, ransom payment firms, crisis communications firms, mailing and call center vendors, brokers, and insurance carriers, we are able to streamline the engagement and deploy resources to manage the critical path of the response to an incident. An effective incident response involves more than knowing what the law requires ‒ getting key stakeholder relationship issues right is equally important. We quarterback the efforts to develop and continuously fine-tune strategic plans to identify, contain, assess, communicate about and remediate the issue. For organizations with which we have not yet worked, we operate a 24/7 incident response hotline that sends our team into action immediately in the event an incident is suspected.

Incident Response Preparedness

We help companies establish and revise incident response plans, conduct tabletop exercises featuring realistic data breach simulations, and partner with forensic and crisis communications firms to provide focused training to incident response teams.

The annual BakerHostetler Data Security Incident Response Report is regarded as one of the industry’s most credible analyses of data security incidents faced by companies. The report helps companies understand potential threats, protect their data and fine-tune their incident response plans.

Digital Risk Advisory

We lead entities through investigations by state attorneys general, multistate attorneys general groups, the Federal Trade Commission, EU supervisory authorities and other international data protection regulatory authorities. When lawsuits are filed after a security incident is disclosed, we are the liaison for our clients to our litigation team to ensure that the facts that were identified and the strategy developed during the incident response phase are leveraged to support the execution of an effective defense strategy.

Cybersecurity Advisory

We help organizations develop risk-based and prioritized strategies to use data, leverage technology and become “compromise ready” by combining our technical capabilities, lessons learned from observing the causes of thousands of incidents and practical experience from time spent on-site with organizations. We help organizations improve the people, processes and technology they use by doing the following:

  • Identifying, developing, prioritizing and implementing risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).
  • Conducting “reasonable security” assessments with the complex litigation and regulatory landscape in mind to help defend against regulatory inquiries or private actions alleging unreasonable security.
  • Addressing third-party exploitation and misuse of technology, such as online account credential stuffing and account takeovers.
  • Conducting due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing, we work with the acquiring entity to develop an appropriate plan to integrate the target.
  • Developing vendor management and technology contract programs, as well as negotiating significant agreements, such as those involving cloud-based services and new payment card security technology.
  • Developing cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees and boards of directors. These programs include implementing components of reasonable security, building a cybersecurity road map and conducting cybersecurity maturity assessments.

Industries

  • Hospitality
  • Restaurants
  • Retail
  • Education
  • Insurance
  • Technology
  • Financial services
  • Community banks
  • Credit unions
  • Professional services
  • Energy and utilities

Experience

  • Incident response and post-disclosure counsel for Marriott Hotels regarding the Starwood Hotels guest record security incident that was disclosed in 2018.
  • Incident response counsel to restaurant and hotel franchisors involving matters in which the franchisor worked with hundreds of its franchisees to identify, investigate and provide notification of payment card security incidents. We advised in resulting litigation, payment card network liability assessments, regulatory inquiries and post-incident payment technology security enhancement efforts with franchisees.
  • Engaged by a credit reporting agency in September 2017 to provide legal advice regarding aspects of its response to a significant security incident.
  • Preparing incident response plans and conducting incident response training and tabletop exercises for response teams, executives and board members.
  • Advising restaurants, hotels and retailers on authentication measures, payment acceptance and loyalty programs for their web and mobile apps.
  • Conducting pre- and post-acquisition due diligence and compromise assessments of hotels, restaurants and technology service providers.
  • Engaging security firms to conduct red team exercises, penetration tests, compromise assessments, security risk assessments and cybersecurity maturity assessments.

Recognition

  • BTI Cybersecurity Powerhouse (2020)
  • BTI CyberSavvy Law Firm (2020)
  • Chambers Global
    • Privacy & Data Security (USA) (2014 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2020)
  • Chambers Fintech
    • Legal – USA (2018 to 2020)
  • Chambers USA
    • Advertising: Transactional & Regulatory – Nationwide (2018 to 2020)
    • Privacy & Data Security – Nationwide (2013 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2020)
  • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • The Legal 500 United States
    • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2020)
    • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
    • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)

In The Blogs

Data Counsel
The Destruction of Privilege and Work Product Protection for Data Breach Investigations?
By Joseph L. Bruemmer, David A. Carney, Casie D. Collignon, Joseph P. Collins, Craig A. Hoffman, Thomas E. Hogan, Theodore J. Kobus III, Aleksandra Vold
June 17, 2020
Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships...
Data Counsel
Welcome to Data Counsel
By Theodore J. Kobus III
June 14, 2020
Dear Friends, In January, we announced the creation of the firm’s 6th practice group—Digital Assets and Data Management. Since September 2010, members of our group have been covering privacy and security topics through our Data Privacy...
Data Counsel
Key Changes to New York Breach Notification and Data Security Protection Requirements from the New York SHIELD Act
By Damon C. Barhorst, David E. Kitchen
June 9, 2020
The New York SHIELD Act,[1] officially titled the Stop Hacks and Improve Electronic Data Security Act, amends New York’s existing data breach notification law in several significant ways and adds a number of data security protection...
Data Counsel
Fraudulent Wire Transfer Instruction Changes on the Rise (Again)
By Anthony P. Valach, Aleksandra Vold
June 2, 2020
Phishing and social engineering attacks to divert wire transfers or invoice payments are not new fraud techniques, but they have recently taken a back seat to ransomware as posing the greatest cyberthreat to businesses. However, over the...
Data Counsel
DSIR Deeper Dive: The Ransomware Epidemic
By David E. Kitchen, Anthony P. Valach
May 18, 2020
Ransomware is among the most common and persistent threats faced by organizations of all sizes. In 2019, the ransomware threat landscape worsened in several significant ways: (1) average demands increased more than tenfold; (2) all...