Careers

Diversity

With 18 offices, from New York to Los Angeles and Seattle to Orlando, we live and work in communities all over the U.S., collaborating across locations, disciplines and even borders. Our experienced, highly ranked lawyers serve businesses wherever they are and wherever they want to go.

Offices

About Us

Pages

Professionals

Thought leadership: blogs, podcasts, videos, publications, events and news

Insights

Services

Pro Bono

Am Law 100 firm with practices in Business, Digital Assets and Data Management, Intellectual Property, Labor & Employment, Litigation and Tax.

Home | BakerHostetler

ADventures in Law

COPPA Is Back in the Saddle: FTC Publishes Final Rule for Children’s Privacy

BakerHostetler Team Supports Enzo Biochem, Inc. in Exploration of Transaction Options

Leif Sigmond Serves as Faculty for Sandpiper Partners’ Trade Secrets Conference

White House Increases Scrutiny on Foreign Investors: Why FOCI is a Concern for International Businesses (The Global Trade Law Journal)

Organizations face two primary cybersecurity risks – theft of data and operational disruptions. These dynamic risks can become reality because of an issue at the organization, a vendor or both. The need to implement and maintain “reasonable security” is understood, yet most organizations struggle to do so and find themselves unprepared to tell a persuasive cybersecurity story to defend their practices in the wake of an incident. Failing to leverage data and technology to meet organizational goals; the revenue and reputational impact of downtime; and the disruption, regulatory investigations and lawsuits that follow the disclosure of a security incident are material risks. Effective management of these risks requires an enterprise-wide approach. We supply the guidance to help organizations prioritize, develop and implement risk-based solutions to address these dynamic risks.

core/paragraph

core/heading

Our incident response experience is unmatched; each year we help companies respond to more than 1,000 potential incidents. This experience enables us to triage the underlying issue, provide recommendations for a preliminary response and project what the organization is going to face in the coming days, weeks and months so informed decisions can be made. Because we work with forensic firms, ransom payment firms, crisis communications firms, mailing and call center vendors, brokers, and insurance carriers, we are able to streamline the engagement and deploy resources to manage the critical path of the response to an incident. An effective incident response involves more than knowing what the law requires ‒ getting key stakeholder relationship issues right is equally important. We quarterback the efforts to develop and continuously fine-tune strategic plans to identify, contain, assess, communicate about and remediate the issue. For organizations with which we have not yet worked, we operate a 24/7 incident response hotline that sends our team into action immediately in the event an incident is suspected (+1.855.217.5204)

core/image

We help companies establish and revise incident response plans, conduct tabletop exercises featuring realistic data breach simulations, and partner with forensic and crisis communications firms to provide focused training to incident response teams.

The annual BakerHostetler Data Security Incident Response Report is regarded as one of the industry’s most credible analyses of data security incidents faced by companies. The report helps companies understand potential threats, protect their data and fine-tune their incident response plans.

We lead entities through investigations by state attorneys general, multistate attorneys general groups, the Federal Trade Commission, EU supervisory authorities and other international data protection regulatory authorities. When lawsuits are filed after a security incident is disclosed, we are the liaison for our clients to our litigation team to ensure that the facts that were identified and the strategy developed during the incident response phase are leveraged to support the execution of an effective defense strategy.

We help organizations develop risk-based and prioritized strategies to use data, leverage technology and become “compromise ready” by combining our technical capabilities, lessons learned from observing the causes of thousands of incidents and practical experience from time spent on-site with organizations. We help organizations improve the people, processes and technology they use by doing the following:

Identifying, developing, prioritizing and implementing risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).

core/list-item

Conducting “reasonable security” assessments with the complex litigation and regulatory landscape in mind to help defend against regulatory inquiries or private actions alleging unreasonable security.

Addressing third-party exploitation and misuse of technology, such as online account credential stuffing and account takeovers.

Conducting due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing, we work with the acquiring entity to develop an appropriate plan to integrate the target.

Developing vendor management and technology contract programs, as well as negotiating significant agreements, such as those involving cloud-based services and new payment card security technology.

Developing cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees and boards of directors. These programs include implementing components of reasonable security, building a cybersecurity road map and conducting cybersecurity maturity assessments.

core/list

contentpilot/expand-more

<ul>
<li>BTI Litigation Outlook 2025 has recognized BakerHostetler as a Cybersecurity Litigation Powerhouse for four years in a row.</li>
<li>BTI Cybersecurity Powerhouse and BTI CyberSavvy Law Firm (2020)</li>
<li>Chambers Global
<ul>
<li>Privacy &amp; Data Security: The Elite (USA) (2022 to 2024)</li>
<li>Privacy &amp; Data Security (USA) (2014 to 2021)</li>
<li>Privacy &amp; Data Security: Healthcare (USA) (2018 to 2024)</li>
<li>Privacy &amp; Data Security: Litigation (USA) (2024)</li>
</ul>
</li>
<li>Chambers Fintech
<ul>
<li>Legal – USA (2018 to 2025)</li>
<li>Legal – Blockchain &amp; Cryptocurrencies (2023 to 2025)</li>
<li>2024 and 2025 Band #1 ranking in Legal – Data Protection &amp; Cyber Security (2023 to 2025)</li>
</ul>
</li>
<li>Chambers USA
<ul>
<li>Advertising: NAD Proceedings – Nationwide (2022, 2023)</li>
<li>Advertising: Transactional &amp; Regulatory – Nationwide (2018 to 2023)</li>
<li>Privacy &amp; Data Security: The Elite – Nationwide (2021-2023)</li>
<li>Privacy &amp; Data Security: Litigation – Nationwide (2023)</li>
<li>Privacy &amp; Data Security – Nationwide (2013 to 2020)</li>
<li>Privacy &amp; Data Security: Healthcare – Nationwide (2018 to 2023)</li>
</ul>
</li>
<li>Chambers USA Award: “Privacy &amp; Data Security Team of the Year” finalist (2015, 2017)</li>
<li>The Legal 500 United States
<ul>
<li>Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2023)</li>
<li>Media, Technology and Telecoms: Cyber law (including data privacy and data protection) (2021-2023)</li>
<li>Media, Technology and Telecoms: Cyber Law (2016 to 2020)</li>
<li>Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)</li>
</ul>
</li>
<li>Law360: Privacy &#8220;Practice Group of the Year&#8221; (2013 to 2015, 2018)</li>
<li>Selected for Vault’s Guide to Legal Practice Areas
<ul>
<li>Privacy and Data Security (2017 to 2021)</li>
</ul>
</li>
<li><em>U.S. News – Best Lawyers </em>“Best Law Firms” – National Rankings
<ul>
<li>Advertising Law (2018 to 2025)</li>
<li>Information Technology Law (2013 to 2025)</li>
<li>Technology Law (2012 to 2025)</li>
</ul>
</li>
<li>Selected as a 2020-2021 “Pacesetter” in Cybersecurity Services by ALM Intelligence Pacesetter Research</li>
</ul>


Eric A. Packel

Gerald J. Ferguson

Craig A. Hoffman

Lynn Sessions

Theodore J. Kobus III

Marcus McCutcheon

Elise R. Elam

Jonathan A. Forman

Patrick H. Haggerty

James A. Sherer

Nichole L. Sterling

May Tal Gongolevsky

Brittany  A. Yantis

Sara M. Goldstein

Andreas T. Kaltsounis

Aleksandra Vold

Kiley C. Keefe

Kimberly C. Gordy

Courtney L. Litchfield

Joseph L. Bruemmer

David Sherman

David H. Potter

Benjamin D. Wanger

Allison R. Clark

Adam I. Cohen

Jessica S. Johnson

Craig C. Carpenter

Elana Weinblatt

Ryan M. Christian Sr.

Pierce T. Cox

Sherman G. Helenese

Vaughn Stupart

Jacob T. Wall

Edward J. McAndrew

Eric B. Gyasi

Eric M. Manski

Reem  Y. Chehade

Sharnell S. Bostick

Jon R. Knight

Raymond O. Aghaian

Nickoli X. Miguel

Luke Zavoli

Phillip K. Short

Jason W. Chastang

Henry Carbajal III

Michael John Christopher

Cincinnati

Partner

Seattle

Craig Hoffman Comments on Cybersecurity and Startups in Wall Street Journal

Sara Goldstein Speaks on “Fireside Chat with a Cybersecurity Defense Attorney” at GPSEC

Theodore Kobus, Craig Hoffman Named to Cybersecurity Docket’s Incident Response 50 for 7th and 3rd Time, Respectively

DOJ Implements Bulk Personal Data Transfer Restrictions

BakerHostetler launches 2025 Data Security Incident Response Report

Craig Hoffman Takes Part in Panel During 2025 Incident Response Forum Masterclass

Kimberly Gordy Explains Health Fitness Corporation HIPAA Case Under New OCR Initiative in Cosmos Article

Reasonable Cybersecurity: The Evolving Role of Board and Executive Management (CXOTech Magazine)

Artie McConnell, Eric Gyasi Participate in Cyber Risks to National Security Panel

David Sherman Participates in Inaugural MOXFIVE Cyber Roundtable

David Sherman, Nichole Sterling Present at NYCBA 16-Hour Bridge-the-Gap

James Sherer Takes Part in “Bridge-the-Gap II: Ethics and Skills for Newly Admitted New York Attorneys 2025”

Data Counsel

FTC Signals Heightened Scrutiny on the Security of APIs

Andreas Kaltsounis recommends data privacy compliance to avoid penalties after a breach

Sara Goldstein Comments on UnitedHealth Group’s Data Breach Numbers in Healthcare Info Security Article

Eric Gyasi Urges Pre-Incident Cybersecurity Governance in Cybersecurity Law Report Article

Inside Regulators’ View of ‘Reasonable Security’ (Corporate Compliance Insights)

Eric Gyasi, Daryl Leon Comment on Potential Rule Changes Under New Administration

New York’s Newest Data Breach Notification Law Changes

2024 SEC Cybersecurity Rule Updates

Kimberly Gordy Comments on Federal Rules Affecting Tribal Governments

BakerHostetler Earns Kudos in the 2025 Chambers FinTech USA Ranking

Potential Risks to Financial Stability: The Financial Stability Oversight Council’s 2024 Annual Report

Elise Elam Speaks on Panels and at Breakfast for Cincy Cyberweek

Kimberly Gordy Contributes Cybersecurity Article to TribalHub Magazine

Ryan Christian, Vaughn Stupart Participate on Incident Response Panel at The Masters Conference

James Sherer Participates in Practising Law Institute’s Bridge-the-Gap II Webinar

Lynn Sessions Participates in Crum & Forster/Lockton Companies Joint Event

Lynn Sessions Takes Part in University of Maryland Medical System Compliance Summit

Sara Goldstein Comments on New Administration’s Impact on Health Sector Regs

Navigating Cyber and Legal Challenges During the M&A Process: Quick Considerations for Federal Contractors

David Potter Speaks on Cybersecurity in Food & Beverage for Chicagoland Food & Beverage Network

Joseph Bruemmer Speaks to Young Presidents Organization’s Family Office Section

Lynn Sessions Participates in Panel at WCAS Technology Executives Summit

BakerHostetler Columbus Office Hosts Roundtable on AI

Lynn Sessions Presents at TBA’s 36th Annual Health Law Forum

Jon Knight Presents Cyber Mitigation Case Study at ACI’s 7th National Forum on FOCI

Craig Hoffman Moderates Panel, Casie Collignon Speaks at 2024 NetDiligence Cyber Risk Summit

(Cyber)Security Theater 101 – Georgia Tech, a Teachable Moment

BakerHostetler Ranked Among the Leaders in Litigation by Nation’s Top Legal Decision Makers in Annual BTI Survey

CMMC Barrels Closer to Implementation with Latest Proposed Rule Establishing DFARS Contract Clauses

David Potter Speaks at The Masters Conference: Cyber Risk, Data Breach, Privacy – Chicago

David Sherman Takes Part on Panel at FS-ISAC Washington, DC, Member Forum

Andreas Kaltsounis Comments on Dismissal of Some SEC Charges Against SolarWinds

Kimberly Gordy Presents at 2024 Native American Risk Management Conference

Ryan Christian Participates in Panel on Data Breach Notification Strategy for Epiq

Webinar: The Privacy Strategist: Loper Bright, Chevron Deference and Data Regulation

Elise Elam Moderates Panel at ACLI Compliance and Legal Sections Annual Meeting

Eric Gyasi Provides Commentary on Statements Regarding Determination of Materiality

The SEC’s Regulation of Cybersecurity Continues

Benjamin Wanger Speaks at CCBOA Spring 2024 Professional Development Conference

Gerald Ferguson and Eric Gyasi Lead Discussion on Privacy and Data Protection Challenges

Six BakerHostetler attorneys named 2024 BTI Client Service All-Stars

Deeper Dive into the Data

Lynn Sessions, Paul Karlsgodt Present at American Hospital Association CCO 2024 Spring Roundtable

Nichole Sterling, Eric Gyasi Lead Discussions at The Sedona Conference Working Group 11 Annual Meeting 2024

Lynn Sessions Discusses DSIR Report on Healthcare Info Security Podcast

Jonathan Forman Serves as Instructor for Seminar on Designing and Implementing an Information Security Program

Aleksandra Vold Comments on FTC’s Health Breach Notification Rule

Sara Goldstein Comments on Change Healthcare Breach in Wall Street Journal Article

BakerHostetler a Finalist for Chambers USA’s Privacy & Data Security Law Firm of the Year Award

David Sherman Guests on WTW Webinar About Cybersecurity for Technology Companies

Eric Gyasi Comments on Proposed Expansion of CISA Enforcement Powers in Bloomberg Article

Andreas Kaltsounis Offers Guidance for Companies Affected by the FCC’s New Breach-Reporting Rules

Sara Goldstein Discusses Significant Impact of the Change Healthcare Mega Hack on Podcast and in Several Articles

Theodore Kobus, Sara Goldstein, Lynn Sessions Weigh in On Change Healthcare’s Data Security Incident

Craig Hoffman Discusses Current Ransomware Landscape 

The ‘Long Arm’ of CIPA and Its Newfound Pen-Trap Claims

Eric Packel Offers Tips on Protecting Patient Privacy in DermWorld Article

Elise Elam Discusses Incident Response Trends at Kentuckiana ISACA February Meeting

Eric Gyasi Comments on Expanding Interpretation of Materiality in Wall Street Journal Article

David Sherman Speaks at Cyber Risk & Data Privacy Virtual Summit

Kimberly Gordy Comments on New Cybersecurity Compliance Goals for Health Care Facilities

Eric Gyasi Explores Regulatory Trends Tied to Ransomware Attacks at Virtual Incident Response Conference

Katherine Lowry, James Sherer Comment on Five Issues that Shaped Legal Tech in 2023

Katherine Lowry, James Scherer and Ariana Dindiyal Quoted in Thomson Reuters Article on AI

Eric Gyasi Quoted in Wall Street Journal Regarding Ransomware Attack, Holiday Deliveries

Eric Gyasi Explains Latest SEC Cybersecurity Mandate

Breaking Down the Anatomy of Ransomware Attacks

BakerHostetler Attorneys Author Article on New Safe Harbor Policy in Business Crimes Bulletin

James Sherer Quoted in Bloomberg Article on AI Rules from the U.S. Government

Ben Wanger Presents During Cybersecurity Incident Response Webinar

Threat Actors Target Academic Researchers in Phishing Schemes

Sterling addresses compliance obligations in light of new EU-US Data Privacy Framework

Harrington, Hoffman and Gyasi discuss new cybersecurity rules in Beazley webinar

Hoffman and Elam address impact and implications of enhanced cybersecurity disclosure rules

New cybersecurity rules for nonbank firms raise ‘potential litigation and regulatory exposure’

Allow Me To Introduce Myself

With new advisory committee, FDA signals increased focus on digital health, Vold says

Eric Gyasi appears on podcast about new SEC cybersecurity disclosure rules

BakerHostetler Continues to Stand Out With National Recognition in BTI’s Annual Litigation Outlook

Gyasi arrival prompts Law360 profile

California Unveils New Draft Requirements for Privacy Risk Assessments, Cybersecurity Audits and AI

DSIR Deeper Dive: How International and Domestic Regulatory Enforcement Spotlights the Information Governance Tensions Between ‘There’ and ‘Here’ and Between ‘Keep’ and ‘Delete’

DSIR Deeper Dive: Tribal Privacy Codes: Establishing Self-Governance in the Post-Internet Age

Dubai International Financial Centre Issues Adequacy Decision Approving Cross-Border Transfers of Personal Information to California

DSIR Deeper Dive: Plaintiffs’ Attorneys Are Trying to Assert a New Cause of Action Against Universities Based on an Old Law Regulating Videotape Service Providers

2023 DSIR Report Deeper Dive: U.S. Employee Privacy Developments

New York State Adds Health Care Geofencing Prohibition, Taking a More Measured Approach Than Washington’s Similar Ban

Digital Risk Advisory and Cybersecurity

Experience

Recognitions

Insights and News

Featured Insights

Experience

Related Services

Recognitions

Insights and News

Featured Insights