Digital Risk Advisory and Cybersecurity

Overview

Our attorneys draw upon technical knowledge, unrivaled incident response experience, and outcomes from remediations of incidents, regulatory investigations and lawsuits (what we call “cyber response intelligence”) to help organizations generate and implement solutions for realizing the value of data and technology, reducing the risk of significant events, becoming “compromise ready,” and responding effectively to incidents.

Organizations face two primary cybersecurity risks – theft of data and operational disruptions. These dynamic risks can become reality because of an issue at the organization, a vendor or both. The need to implement and maintain “reasonable security” is understood, yet most organizations struggle to do so and find themselves unprepared to tell a persuasive cybersecurity story to defend their practices in the wake of an incident. Failing to leverage data and technology to meet organizational goals; the revenue and reputational impact of downtime; and the disruption, regulatory investigations and lawsuits that follow the disclosure of a security incident are material risks. Effective management of these risks requires an enterprise-wide approach. We supply the guidance to help organizations prioritize, develop and implement risk-based solutions to address these dynamic risks.

Incident Response

Our incident response experience is unmatched; we have helped companies respond to more than 10,000 potential incidents. This experience enables us to triage the underlying issue, provide recommendations for a preliminary response and project what the organization is going to face in the coming days, weeks and months so informed decisions can be made. Because we work with forensic firms, ransom payment firms, crisis communications firms, mailing and call center vendors, brokers, and insurance carriers, we are able to streamline the engagement and deploy resources to manage the critical path of the response to an incident. An effective incident response involves more than knowing what the law requires ‒ getting key stakeholder relationship issues right is equally important. We quarterback the efforts to develop and continuously fine-tune strategic plans to identify, contain, assess, communicate about and remediate the issue. For organizations with which we have not yet worked, we operate a 24/7 incident response hotline that sends our team into action immediately in the event an incident is suspected.

Incident Response Preparedness

We help companies establish and revise incident response plans, conduct tabletop exercises featuring realistic data breach simulations, and partner with forensic and crisis communications firms to provide focused training to incident response teams.

The annual BakerHostetler Data Security Incident Response Report is regarded as one of the industry’s most credible analyses of data security incidents faced by companies. The report helps companies understand potential threats, protect their data and fine-tune their incident response plans.

Digital Risk Advisory

We lead entities through investigations by state attorneys general, multistate attorneys general groups, the Federal Trade Commission, EU supervisory authorities and other international data protection regulatory authorities. When lawsuits are filed after a security incident is disclosed, we are the liaison for our clients to our litigation team to ensure that the facts that were identified and the strategy developed during the incident response phase are leveraged to support the execution of an effective defense strategy.

Cybersecurity Advisory

We help organizations develop risk-based and prioritized strategies to use data, leverage technology and become “compromise ready” by combining our technical capabilities, lessons learned from observing the causes of thousands of incidents and practical experience from time spent on-site with organizations. We help organizations improve the people, processes and technology they use by doing the following:

  • Identifying, developing, prioritizing and implementing risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).
  • Conducting “reasonable security” assessments with the complex litigation and regulatory landscape in mind to help defend against regulatory inquiries or private actions alleging unreasonable security.
  • Addressing third-party exploitation and misuse of technology, such as online account credential stuffing and account takeovers.
  • Conducting due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing, we work with the acquiring entity to develop an appropriate plan to integrate the target.
  • Developing vendor management and technology contract programs, as well as negotiating significant agreements, such as those involving cloud-based services and new payment card security technology.
  • Developing cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees and boards of directors. These programs include implementing components of reasonable security, building a cybersecurity road map and conducting cybersecurity maturity assessments.

Industries

  • Hospitality
  • Restaurants
  • Retail
  • Education
  • Insurance
  • Technology
  • Financial services
  • Community banks
  • Credit unions
  • Professional services
  • Energy and utilities
     



Experience

  • Incident response and post-disclosure counsel for Marriott Hotels regarding the Starwood Hotels guest record security incident that was disclosed in 2018.
  • Incident response counsel to restaurant and hotel franchisors involving matters in which the franchisor worked with hundreds of its franchisees to identify, investigate and provide notification of payment card security incidents. We advised in resulting litigation, payment card network liability assessments, regulatory inquiries and post-incident payment technology security enhancement efforts with franchisees.
  • Engaged by a credit reporting agency in September 2017 to provide legal advice regarding aspects of its response to a significant security incident.
  • Preparing incident response plans and conducting incident response training and tabletop exercises for response teams, executives and board members.
  • Advising restaurants, hotels and retailers on authentication measures, payment acceptance and loyalty programs for their web and mobile apps.
  • Conducting pre- and post-acquisition due diligence and compromise assessments of hotels, restaurants and technology service providers.
  • Engaging security firms to conduct red team exercises, penetration tests, compromise assessments, security risk assessments and cybersecurity maturity assessments.

Recognition

  • Selected as a 2020-2021 “Pacesetter” in Cybersecurity Services by ALM Intelligence Pacesetter Research
  • BTI Powerhouse for Cybersecurity Litigation (2022)
  • BTI Cybersecurity Powerhouse (2020)
  • BTI CyberSavvy Law Firm (2020)
  • Chambers Global
    • Privacy & Data Security: The Elite (USA) (2022)
    • Privacy & Data Security (USA) (2014 to 2021)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2022)
  • Chambers Fintech
    • Legal – USA (2018 to 2021)
  • Chambers USA
    • Advertising: Transactional & Regulatory – Nationwide (2018 to 2021)
    • Privacy & Data Security: The Elite – Nationwide (2021)
    • Privacy & Data Security – Nationwide (2013 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2021)
  • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • The Legal 500 United States
    • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2021)
    • Media, Technology and Telecoms: Cyber law (including data privacy and data protection) (2021)
    • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
    • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
  • Selected for Vault’s Guide to Legal Practice Areas
    • Privacy and Data Security (2017 to 2021)

In The Blogs

Data Counsel
North Carolina is the First State to Prohibit Public Entities from Paying Ransoms: What Does This Mean for North Carolina Public Schools and Universities?
By Elise R. Elam, Benjamin D. Wanger
May 19, 2022
On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms...
Data Counsel
2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents
By Teresa Goody Guillén, Andreas T. Kaltsounis
May 17, 2022
Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage...
Data Counsel
2022 DSIR Deeper Dive: Vendor Incidents
By Stefanie L. Ferrari
May 6, 2022
Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing...
Data Counsel
It's Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks Part 3
By Allison R. Clark, Benjamin D. Wanger
April 19, 2022
PART 3 In the event of a ransomware attack, there are a host of legal frameworks that could potentially be implicated. Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired. In this...
Data Counsel
Forensics Deep Dive: The Importance of Proper Configuration and Monitoring
By Joseph L. Bruemmer
April 14, 2022
Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of...