Digital Risk Advisory and Cybersecurity

Overview

“BakerHostetler's statistics provide a platform and negotiator-independent look at how enterprises with high-end legal advice handle breaches. All single-company-based statistics are biased toward a customer base.”

SC Magazine, April 7, 2022

Our attorneys draw upon technical knowledge, unrivaled incident response experience, and outcomes from remediations of incidents, regulatory investigations and lawsuits (what we call “cyber response intelligence”) to help organizations generate and implement solutions for realizing the value of data and technology, reducing the risk of significant events, becoming “compromise ready,” and responding effectively to incidents.

Organizations face two primary cybersecurity risks – theft of data and operational disruptions. These dynamic risks can become reality because of an issue at the organization, a vendor or both. The need to implement and maintain “reasonable security” is understood, yet most organizations struggle to do so and find themselves unprepared to tell a persuasive cybersecurity story to defend their practices in the wake of an incident. Failing to leverage data and technology to meet organizational goals; the revenue and reputational impact of downtime; and the disruption, regulatory investigations and lawsuits that follow the disclosure of a security incident are material risks. Effective management of these risks requires an enterprise-wide approach. We supply the guidance to help organizations prioritize, develop and implement risk-based solutions to address these dynamic risks.

Incident Response

Our incident response experience is unmatched; we have helped companies respond to more than 10,000 potential incidents. This experience enables us to triage the underlying issue, provide recommendations for a preliminary response and project what the organization is going to face in the coming days, weeks and months so informed decisions can be made. Because we work with forensic firms, ransom payment firms, crisis communications firms, mailing and call center vendors, brokers, and insurance carriers, we are able to streamline the engagement and deploy resources to manage the critical path of the response to an incident. An effective incident response involves more than knowing what the law requires ‒ getting key stakeholder relationship issues right is equally important. We quarterback the efforts to develop and continuously fine-tune strategic plans to identify, contain, assess, communicate about and remediate the issue. For organizations with which we have not yet worked, we operate a 24/7 incident response hotline that sends our team into action immediately in the event an incident is suspected.

Incident Response Preparedness

We help companies establish and revise incident response plans, conduct tabletop exercises featuring realistic data breach simulations, and partner with forensic and crisis communications firms to provide focused training to incident response teams.

The annual BakerHostetler Data Security Incident Response Report is regarded as one of the industry’s most credible analyses of data security incidents faced by companies. The report helps companies understand potential threats, protect their data and fine-tune their incident response plans.

Digital Risk Advisory

We lead entities through investigations by state attorneys general, multistate attorneys general groups, the Federal Trade Commission, EU supervisory authorities and other international data protection regulatory authorities. When lawsuits are filed after a security incident is disclosed, we are the liaison for our clients to our litigation team to ensure that the facts that were identified and the strategy developed during the incident response phase are leveraged to support the execution of an effective defense strategy.

Cybersecurity Advisory

We help organizations develop risk-based and prioritized strategies to use data, leverage technology and become “compromise ready” by combining our technical capabilities, lessons learned from observing the causes of thousands of incidents and practical experience from time spent on-site with organizations. We help organizations improve the people, processes and technology they use by doing the following:

  • Identifying, developing, prioritizing and implementing risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).
  • Conducting “reasonable security” assessments with the complex litigation and regulatory landscape in mind to help defend against regulatory inquiries or private actions alleging unreasonable security.
  • Addressing third-party exploitation and misuse of technology, such as online account credential stuffing and account takeovers.
  • Conducting due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing, we work with the acquiring entity to develop an appropriate plan to integrate the target.
  • Developing vendor management and technology contract programs, as well as negotiating significant agreements, such as those involving cloud-based services and new payment card security technology.
  • Developing cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees and boards of directors. These programs include implementing components of reasonable security, building a cybersecurity road map and conducting cybersecurity maturity assessments.

Industries

  • Hospitality
  • Restaurants
  • Retail
  • Education
  • Insurance
  • Technology
  • Financial services
  • Community banks
  • Credit unions
  • Professional services
  • Energy and utilities
     


Experience

  • Incident response and post-disclosure counsel for Marriott Hotels regarding the Starwood Hotels guest record security incident that was disclosed in 2018.
  • Incident response counsel to restaurant and hotel franchisors involving matters in which the franchisor worked with hundreds of its franchisees to identify, investigate and provide notification of payment card security incidents. We advised in resulting litigation, payment card network liability assessments, regulatory inquiries and post-incident payment technology security enhancement efforts with franchisees.
  • Engaged by a credit reporting agency in September 2017 to provide legal advice regarding aspects of its response to a significant security incident.
  • Preparing incident response plans and conducting incident response training and tabletop exercises for response teams, executives and board members.
  • Advising restaurants, hotels and retailers on authentication measures, payment acceptance and loyalty programs for their web and mobile apps.
  • Conducting pre- and post-acquisition due diligence and compromise assessments of hotels, restaurants and technology service providers.
  • Engaging security firms to conduct red team exercises, penetration tests, compromise assessments, security risk assessments and cybersecurity maturity assessments.

Recognition

  • Selected as a 2020-2021 “Pacesetter” in Cybersecurity Services by ALM Intelligence Pacesetter Research
  • BTI Powerhouse for Cybersecurity Litigation (2022)
  • BTI Cybersecurity Powerhouse (2020)
  • BTI CyberSavvy Law Firm (2020)
  • Chambers Global
    • Privacy & Data Security: The Elite (USA) (2022)
    • Privacy & Data Security (USA) (2014 to 2021)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2022)
  • Chambers Fintech
    • Legal – USA (2018 to 2021)
  • Chambers USA
    • Advertising: Transactional & Regulatory – Nationwide (2018 to 2021)
    • Privacy & Data Security: The Elite – Nationwide (2021)
    • Privacy & Data Security – Nationwide (2013 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2021)
  • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • The Legal 500 United States
    • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2021)
    • Media, Technology and Telecoms: Cyber law (including data privacy and data protection) (2021)
    • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
    • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
  • Selected for Vault’s Guide to Legal Practice Areas
    • Privacy and Data Security (2017 to 2021)

In The Blogs

Data Counsel
2023 DSIR Report Deeper Dive: U.S. Employee Privacy Developments
By Frederick C. Bingham, Jennifer L. Mitchell, Justin T. Yedor
May 30, 2023
Among the many developments in data privacy regulation that took place over the past year, new requirements relating to employee personal information in California and New York have deservedly received a lot of attention. Meanwhile...
Data Counsel
New York State Adds Health Care Geofencing Prohibition, Taking a More Measured Approach Than Washington's Similar Ban
By Andreas T. Kaltsounis, Nichole L. Sterling
May 25, 2023
As part of the health budget bill signed by Governor Hochul in early May, New York has amended its General Business Law, introducing a prohibition on geofencing of health care facilities that goes into effect on July 2, 2023 – just three...
Data Counsel
Deeper Dive into the Data
By Elise R. Elam
May 23, 2023
Every year, BakerHostetler collects and analyzes various metrics about the incident response matters we handle. In 2022, we handled over 1,160 incidents. The most striking trends we saw across those incidents were an overall increase in...
Data Counsel
FTC Issues Warning on Use of Biometric Information
By Bonnie Keane DelGobbo, Joel Griswold
May 19, 2023
On May 18, 2023, the Federal Trade Commission (FTC) issued a Policy Statement on Biometric Information and Section 5 of the FTC Act (Policy Statement). Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits “unfair or deceptive practices in...
Data Counsel
Welcome to our 9th annual Data Security Incident Response Report!
By Theodore J. Kobus III
April 27, 2023
We are now three years post pandemic, and while a lot has changed, some things remain the same. Last year, I talked about resilience—the uncertainties of the pandemic were still present, the war in Ukraine had just begun, and businesses...