Privacy and Data Protection

"A collection of very smart and conscientious lawyers who think things through in a very meticulous way."

– Chambers USA 2015

Privacy and data security are enterprise-wide issues that impact nearly every area of a company’s operations. ­Clients of our ranked and award-winning BakerHostetler Privacy and Data Protection team count on us to continue to learn, grow and adapt to meet their needs in this constantly evolving area. Our core team of attorneys are not generalists, but rather focus on serving specific industries or issues so that we can deliver practical and service-oriented counseling.

We serve clients from all tiers of the Fortune 500, as well as health systems, universities, small and midsize businesses, emerging technology companies, and state and municipal entities. Our team members are located in key cities across the United States and have global reach by maintaining strategic partnerships with lawyers, security firms and risk management companies around the world.

Where does our competitive difference come from? It is our experience and our approach. Our attorneys are on-site at client locations hundreds of days a year proactively training incident response teams, conducting security and risk assessments, working through incidents, advising executive leadership teams and boards, preparing witnesses for depositions and regulatory investigations, and providing advice on new initiatives and transactions. We lead clients through the response to hundreds of potential security incidents a year. We respond to dozens of regulatory inquiries and defend dozens of lawsuits. Insights generated from our experience in incident response are set forth in our annual BakerHostetler Data Security Incident Response Report.

In a practice area where experience truly matters and clients expect efficient, tailored and clear advice, our depth of experience is difficult to match. We deliver comprehensive and trusted guidance across six key areas of service:

Deep Experience, Comprehensive Service >>

Industry Focus

We work with clients across a broad range of industries and have particular experience with the following:

More »
Recognition

Chambers USA ranks us in its 2016 edition, recognizing our “standout breach response practice” and “wide-ranging compliance advice.” According to the guide, clients say we are “super responsive, cost-efficient and don’t over-staff matters, which [they] appreciate.” And they note that we are “a very good law firm and I have enjoyed working with them.” Clients tell Chambers that our team’s national leader, Ted Kobus, is “one of the best around and has a great and expanding team.” Chambers also nominated us with a select group of firms for a 2015 Chambers USA Award as “Privacy and Data Security Team of the Year” for our outstanding work, strategic growth and client service excellence.

Law360 recognized our team as one of the nation’s best practices when it selected us as one of its Practice Groups of the Year for Privacy in three consecutive years: 2013, 2014 and 2015. In addition, Law360 selected partner Craig Hoffman as one of three 2015 Privacy Rising Stars and partner David Carney as a rising star in 2015 for Privacy Litigation. Our team’s leader, Ted Kobus, was named a Law360 MVP for Privacy and Consumer Protection in 2013, and our Class Action Defense team leader, Paul Karlsgodt, was named a Law360 MVP for Privacy and Consumer Protection in 2014 and 2015.

The Legal 500 included our team as one of the top practices in cyber law and data protection and privacy, noting that “the well-regarded Theodore Kobus leads BakerHostetler’s team and is recommended for his ‘attentiveness, knowledge of the regulators and ability to provide guidance through all stages of an incident, from discovery to litigation – and everything in between.’ Craig Hoffman’s knowledge of the payment card industry is ‘incredible’ and overall the team is praised for its ability to ‘offer immediate and practical advice, including from the most senior partners on the team.’”

Select Experience

  • Premera Blue Cross, handling its incident response and regulatory and class action defense with regard to the largest incident involving medical information ever reported.
  • Schnuck Markets, Inc. as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • Eisenhower Medical Center, acting as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the California Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, leading to a voluntary dismissal by the plaintiffs, with no payment by Eisenhower, after the California Supreme Court denied review and remanded the case to the trial court.
  • A Fortune 500 electric and natural gas utility on privacy and data security issues, including Identity Theft Red Flags Rule, Telephone Consumer Protection Act, and Fair Credit Reporting Act compliance, state data security regulations and incident response.
More »

Professionals

Name Title Office Email
Brian P. Bartish Associate Cincinnati
Fernando A. Bohorquez Jr. Partner New York
David M. Brown Associate Philadelphia
Jessica Captain Novick Partner Orlando
David A. Carney Partner Cleveland
Teresa C. Chow Partner Los Angeles
Casie D. Collignon Partner Denver
Barry J. Cutler Of Counsel Washington, D.C.
William R. Daugherty Counsel Houston
Zachariah J. DeMeola Associate Denver
Carrie Dettmer Slye Associate Cincinnati
Vimala Devassy Counsel Atlanta
Erich M. Falke Partner Philadelphia
Emily R. Fedeles Associate New York
Gerald J. Ferguson Partner New York
Amy E. Fouts Partner Atlanta
Alan L. Friel Partner Los Angeles
Randal L. Gainer Partner Seattle
Lisa M. Ghannoum Partner Cleveland
Linda A. Goldstein Partner New York
May Tal Gongolevsky Counsel New York
Daniel J. Guttman Partner Columbus
Patrick H. Haggerty Partner Cincinnati
Mark Hatcher Partner Columbus
Craig A. Hoffman Partner Cincinnati
Lindsay P. Holmes Associate Washington, D.C.
Lavonne Burke Hopkins Associate Houston
Paul G. Karlsgodt Partner Denver
Gilbert S. Keteltas Partner Washington, D.C.
Theodore J. Kobus III Partner New York
M. Scott Koller Counsel Los Angeles
Michael R. Matthias Partner Los Angeles
Melinda L. McLellan Partner New York
Kathryn C. Mellinger Associate Philadelphia
Holly A. Melton Partner New York
Jennifer A. Mills Partner Cleveland
Jonathan B. New Partner New York
Eric A. Packel Partner Philadelphia
Matthew D. Pearson Associate Los Angeles
F. Paul Pittman Associate Cincinnati
Frank A. Pugliese Partner New York
Robert T. Razzano Partner Cincinnati
Chad A. Rutkowski Partner Philadelphia
Lynn Sessions Partner Houston
James A. Sherer Partner New York
Douglas L. Shively Associate Cleveland
James A. Slater Partner Cleveland
Paulette M. Thomas Counsel Cincinnati
Sammantha J. Tillotson Associate Denver
Carol R. Van Cleef Partner Washington, D.C.
Daniel R. Warren Partner Cleveland
Robert M. Wolin Partner Houston
Gonzalo S. Zeballos Partner New York

Experience

  • Premera Blue Cross, handling its incident response and regulatory and class action defense with regard to the largest incident involving medical information ever reported.
  • Schnuck Markets, Inc. as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • Eisenhower Medical Center, acting as lead counsel in a California Confidentiality of Medical Information Act (CMIA) case arising out of thefts of computers, one of which contained index information for more than 500,000 patients, obtaining a favorable ruling from the California Court of Appeal that the patient index information is not “medical information” as defined under the CMIA, leading to a voluntary dismissal by the plaintiffs, with no payment by Eisenhower, after the California Supreme Court denied review and remanded the case to the trial court.
  • A Fortune 500 electric and natural gas utility on privacy and data security issues, including Identity Theft Red Flags Rule, Telephone Consumer Protection Act, and Fair Credit Reporting Act compliance, state data security regulations and incident response.
  • A multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers and working with the incident response team to investigate and resolve suspected data breaches.
  • Both cloud service providers and enterprise purchasers, including Software as Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), conducting due diligence and negotiating more than 100 cloud computing transactions.

Recognition

  • Chambers Global: Privacy & Data Protection (USA) (2014 to 2017)
  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2016)
  • The Legal 500 United States (2016)
    • Media, Technology and Telecoms: Cyber law
    • Media, Technology and Telecoms: Data protection and privacy
  • Law 360: Privacy "Practice Group of the Year" (2013 to 2015)
  • BTI Client Service 30: BakerHostetler advanced 19 positions to #9 (2016)

News

Press Releases

Alerts

Articles

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
New Mexico passes data breach notification and protection bill
By Erich M. Falke
March 20, 2017
Then there were two. On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature...
Read More ->
Data Privacy Monitor
Unexpected Consumer Data Collection Concerns FTC
March 15, 2017
The Federal Trade Commission (FTC) has been turning its attention to consumer data collection and use that consumers may not expect, such as tracking of TV viewing by smart TVs, and use of cross-device technologies and techniques to try to...
Read More ->
Data Privacy Monitor
Australia’s New Breach Notification Law Set to Take Effect February 2018
By Melinda L. McLellan
March 7, 2017
On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act...
Read More ->
Data Privacy Monitor
FCC Broadband Privacy Rule On Hold, Likely Dead
March 2, 2017
The new Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (Privacy Rule) was set to start phased implementation on March 2, 2017. We have previously detailed what...
Read More ->
Data Privacy Monitor
FTC's $2.2m Smart TV Settlement Signals Continued IoT Enforcement Focus
By Alan L. Friel, Melinda L. McLellan
March 1, 2017
On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV...
Read More ->