Digital Risk Advisory and Cybersecurity

Overview

Our attorneys draw upon technical knowledge, unrivaled incident response experience, and outcomes from remediations of incidents, regulatory investigations and lawsuits (what we call “cyber response intelligence”) to help organizations generate and implement solutions for realizing the value of data and technology, reducing the risk of significant events, becoming “compromise ready,” and responding effectively to incidents.

Organizations face two primary cybersecurity risks – theft of data and operational disruptions. These dynamic risks can become reality because of an issue at the organization, a vendor or both. The need to implement and maintain “reasonable security” is understood, yet most organizations struggle to do so and find themselves unprepared to tell a persuasive cybersecurity story to defend their practices in the wake of an incident. Failing to leverage data and technology to meet organizational goals; the revenue and reputational impact of downtime; and the disruption, regulatory investigations and lawsuits that follow the disclosure of a security incident are material risks. Effective management of these risks requires an enterprise-wide approach. We supply the guidance to help organizations prioritize, develop and implement risk-based solutions to address these dynamic risks.

Incident Response

Our incident response experience is unmatched; we have helped companies respond to more than 5,000 potential incidents. This experience enables us to triage the underlying issue, provide recommendations for a preliminary response and project what the organization is going to face in the coming days, weeks and months so informed decisions can be made. Because we work with forensic firms, ransom payment firms, crisis communications firms, mailing and call center vendors, brokers, and insurance carriers, we are able to streamline the engagement and deploy resources to manage the critical path of the response to an incident. An effective incident response involves more than knowing what the law requires ‒ getting key stakeholder relationship issues right is equally important. We quarterback the efforts to develop and continuously fine-tune strategic plans to identify, contain, assess, communicate about and remediate the issue. For organizations with which we have not yet worked, we operate a 24/7 incident response hotline that sends our team into action immediately in the event an incident is suspected.

Incident Response Preparedness

We help companies establish and revise incident response plans, conduct tabletop exercises featuring realistic data breach simulations, and partner with forensic and crisis communications firms to provide focused training to incident response teams.

The annual BakerHostetler Data Security Incident Response Report is regarded as one of the industry’s most credible analyses of data security incidents faced by companies. The report helps companies understand potential threats, protect their data and fine-tune their incident response plans.

Digital Risk Advisory

We lead entities through investigations by state attorneys general, multistate attorneys general groups, the Federal Trade Commission, EU supervisory authorities and other international data protection regulatory authorities. When lawsuits are filed after a security incident is disclosed, we are the liaison for our clients to our litigation team to ensure that the facts that were identified and the strategy developed during the incident response phase are leveraged to support the execution of an effective defense strategy.

Cybersecurity Advisory

We help organizations develop risk-based and prioritized strategies to use data, leverage technology and become “compromise ready” by combining our technical capabilities, lessons learned from observing the causes of thousands of incidents and practical experience from time spent on-site with organizations. We help organizations improve the people, processes and technology they use by doing the following:

  • Identifying, developing, prioritizing and implementing risk-based security enhancements, which may include leveraging analysis from external security firms (e.g., red team exercises, security assessments, penetration tests).
  • Conducting “reasonable security” assessments with the complex litigation and regulatory landscape in mind to help defend against regulatory inquiries or private actions alleging unreasonable security.
  • Addressing third-party exploitation and misuse of technology, such as online account credential stuffing and account takeovers.
  • Conducting due diligence in corporate transactions, including evaluating the target’s privacy and security risk posture, negotiating appropriate representations and warranties, and conducting pre-acquisition compromise assessments. After closing, we work with the acquiring entity to develop an appropriate plan to integrate the target.
  • Developing vendor management and technology contract programs, as well as negotiating significant agreements, such as those involving cloud-based services and new payment card security technology.
  • Developing cybersecurity enterprise risk management programs by working with entities, executive management teams, audit committees and boards of directors. These programs include implementing components of reasonable security, building a cybersecurity road map and conducting cybersecurity maturity assessments.

Industries

  • Hospitality
  • Restaurants
  • Retail
  • Education
  • Insurance
  • Technology
  • Financial services
  • Community banks
  • Credit unions
  • Professional services
  • Energy and utilities

Select Experience

  • Incident response and post-disclosure counsel for Marriott Hotels regarding the Starwood Hotels guest record security incident that was disclosed in 2018.
  • Incident response counsel to restaurant and hotel franchisors involving matters in which the franchisor worked with hundreds of its franchisees to identify, investigate and provide notification of payment card security incidents. We advised in resulting litigation, payment card network liability assessments, regulatory inquiries and post-incident payment technology security enhancement efforts with franchisees.
  • Engaged by a credit reporting agency in September 2017 to provide legal advice regarding aspects of its response to a significant security incident.

Experience

  • Preparing incident response plans and conducting incident response training and tabletop exercises for response teams, executives and board members.
  • Advising restaurants, hotels and retailers on authentication measures, payment acceptance and loyalty programs for their web and mobile apps.
  • Conducting pre- and post-acquisition due diligence and compromise assessments of hotels, restaurants and technology service providers.
  • Engaging security firms to conduct red team exercises, penetration tests, compromise assessments, security risk assessments and cybersecurity maturity assessments.

Recognition

  • Chambers Global: Privacy & Data Protection (USA) (2014 to 2019)
  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2019)
    • Chambers USA Privacy and Data Security - Healthcare Spotlight Table (2018 to 2019)
    • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • Chambers Fintech: Legal – USA (2018 to 2019)
  • The Legal 500 United States (2016 to 2019)
    • Media, Technology and Telecoms: Data Privacy and Data Protection, Tier 1
    • Media, Technology and Telecoms: Cyber Law, Tier 2
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2020 BTI Client Service 30 for the sixth consecutive year.

In The Blogs

Data Privacy Monitor
Due to the COVID-19 Pandemic, HHS Eases Restrictions on the Use and Disclosure of PHI by Business Associates
April 3, 2020
The COVID-19 public health emergency already has caused the U.S. Health and Human Services (HHS) Office for Civil Rights to announce various enforcement changes and waivers. On April 2, HHS issued another notification of enforcement...
Data Privacy Monitor
CARES Act Significantly Revises Part 2 Rules to Better Align with HIPAA
April 2, 2020
On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. While the focus of the CARES Act has been on direct financial aid to Americans, the Act also contains a number of...
Data Privacy Monitor
Healthcare Providers Remain Targets for Ransomware Attacks in the Midst of COVID-19 Pandemic
April 1, 2020
Although it was widely reported that several ransomware threat actor groups have pledged to not target healthcare providers until the COVID-19 pandemic is over, BakerHostetler’s Digital Assets and Data Management Practice Group and...
Data Privacy Monitor
COVID-19 Cybersecurity Exposure
By Andreas T. Kaltsounis
March 18, 2020
Risk scenarios and recommendations
History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting...
Data Privacy Monitor
Key takeaways for app development and data protection by design from recent enforcement action
By Andreas T. Kaltsounis
February 25, 2020
The Norwegian Data Protection Authority (DPA) recently announced a €200,000 fine against Oslo’s municipal education agency for several security flaws associated with an app the agency developed for communications between school employees...