Craig A. Hoffman

Partner

Cincinnati
T +1.513.929.3491
F +1.513.929.0303

Overview

Craig Hoffman is a leading member of the firm's Chambers USA-ranked privacy and data protection team. He provides proactive counsel on the complex regulatory issues that arise from data collection and use, including customer communications, data analytics, emerging payments, cross-border transfers and security incident response preparedness. He uses his experience as a litigator and work with hundreds of companies facing security incidents to help clients develop a practical approach to meeting their business goals in a way that minimizes regulatory risk. For example, Craig conducts incident response workshops – built upon applicable notification laws and guidelines, "good" and "bad" examples from other incidents, and a tabletop exercise – to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable law while mitigating risk and preserving customer relationships.

Trusted for his knowledge, experience and client service, Craig is engaged by clients as soon as they learn of a potential data security incident. He immediately begins to work with the client’s internal team and third parties to identify and contain the incident, remediate issues to maintain business operations, and develop information needed to deliver effective public communications designed to preserve customer relationships and minimize the likelihood and consequences of litigation and regulatory investigations. In incidents involving payment card data, Craig works to favorably position clients to face the card networks' revalidation, fines and assessment rules. He also guides clients through informal and formal regulatory investigations brought by state attorneys general and the Federal Trade Commission (FTC). When putative class actions are filed, Craig uses his years of litigation experience and comprehensive knowledge of incident response to ensure that the litigation strategy is consistent with the client's customer relations and regulatory defense efforts. Craig serves as the editor of BakerHostetler's Data Privacy Monitor blog, providing commentary on developments in data privacy, security, social media and behavioral advertising.

Select Experience

Privacy & Data Security Compliance | Information Governance Experience
  • Provides proactive privacy and security advice to emerging companies related to data collection, use, sharing and marketing, as well as to establishing payment systems. Transactions include the purchase of a word-of-mouth marketing company.
  • Conducts incident response workshops.
  • Develops and implements policies, including website and app privacy and terms of use, BYOD, social media, incident response, and information security plans.  
Security Incident Response & Litigation Experience
  • Has led incident response teams for national and international retailers (including  grocers, gaming, eye care, sporting goods, tools and equipment, clothing, cosmetics, restaurants, hospitality, luxury goods, and electronics) following attacks on their card-present and e-commerce payment systems. Engagements involve the following activities: 
    • Overseeing the forensic investigation.
    • Interacting with FBI, Secret Service and other law enforcement officials.
    • Ensuring a response in compliance with state breach notification laws and contractual notice obligations.
    • Managing significant customer relations issues.
    • Responding to state attorneys general and FTC inquiries.
    • Addressing card network fines and assessments.
    • Defending multiple putative class actions.
More »

Experience

Privacy & Data Security Compliance | Information Governance 

  • Provides proactive privacy and security advice to emerging companies related to data collection, use, sharing and marketing, as well as to establishing payment systems. Transactions include the purchase of a word-of-mouth marketing company.
  • Conducts incident response workshops.
  • Develops and implements policies, including website and app privacy and terms of use, BYOD, social media, incident response, and information security plans.  
  • Consults on emerging payment issues, including assessing tokenization and point-to-point encryption technologies, planning for EMV liability shift, and mobile payments.
  • Provides due diligence and contract drafting to M&A teams, including acquisition of a social media company and payment processing companies.
Security Incident Response & Litigation 
  • Has led incident response teams for national and international retailers (including  grocers, gaming, eye care, sporting goods, tools and equipment, clothing, cosmetics, restaurants, hospitality, luxury goods, and electronics) following attacks on their card-present and e-commerce payment systems. Engagements involve the following activities: 
    • Overseeing the forensic investigation.
    • Interacting with FBI, Secret Service and other law enforcement officials.
    • Ensuring a response in compliance with state breach notification laws and contractual notice obligations.
    • Managing significant customer relations issues.
    • Responding to state attorneys general and FTC inquiries.
    • Addressing card network fines and assessments.
    • Defending multiple putative class actions.
  • Advises technology service providers (including cloud service providers, identity management, data centers and software companies) on issues relating to product security vulnerabilities.
  • Represents financial institutions, banks and credit unions responding to events of unauthorized access to sensitive customer information. Incidents have included malware infections, network intrusions, denial of service attacks, employee carelessness and malicious employees. Engagements often involve interaction with financial regulatory authorities.
  • Advises companies on investigations related to theft of trade secrets by departing employees.
  • Files and argues appeals of card network fines and assessments against merchants arising from payment card breach incidents.
  • Pursued claims on behalf of buyer against seller for breach of representations and warranties when a cyber-attack that exploited long-standing security deficiencies occurred just after the sale.
  • As member of trial team, pursued delay damages against subcontractor on behalf of commercial developer and general contractor.
  • As member of trial team, obtained $163 million settlement of False Claims Act and fraud claims against pharmacy benefit manager.
CLE/Webinars/Seminars
  • “Be Compromise Ready: Go Back to the Basics.” BakerHostetler webinar (May 2017)
  • “Emerging Litigation Matters, Mitigating Risk as In-House Counsel,” Grange Audubon Society (October 2016)
  • "The Lurking Menace: Cybercrime, Data Security, and Privacy Rights," Money2020 (October 2013)
  • "Examining the Payment Card Industry (PCI) Adjudication Process," Net Diligence CyberWest (October 2013)
  • "Preventing and Responding to Data Security Incidents," State Risk and Insurance Management Association (September 2013)
  • "Preparing for and Mitigating Account Data Compromise Events," Vantiv Partnership Forum (September 2013)
  • "Effective Data Breach Incident Response," Ohio CISO Executive Summit (June 2012)
  • "Network Security and Privacy Law: A Rapidly Developing Liability Landscape," Webinar (March 2012)
  • "Data Security and Cyber Liability Update," LexisNexis Webinar (November 2011)
  • "Are You Ready for a Data Breach?" BakerHostetler CLE (October 2011)

Recognitions and Memberships

Recognitions

  • Chambers USA: Nationwide Privacy & Data Security (2017 to 2018)
    • Recognized Practitioner (2017 to 2018)
  • The Legal 500 United States
    • Recommended in Cyber law (including data protection and privacy) (2017)
    • Recommended in Data Protection and Privacy (2016)
  • Cybersecurity Docket "Incident Response 30" (2016)
  • Acritas Star (2016 and 2017)
  • Law360 "Rising Star" in Privacy (2015)
  • BTI Client Service All-Star (2016, 2017)
  • Ohio Super Lawyers "Rising Star" (2009 to 2012)
  • Dayton Business Journal: "Forty Under 40" (2008)
  • International Association of Privacy Professionals (IAPP): Certified Information Privacy Manager (CIPM)

Memberships

  • Ohio State Bar Association
  • Cincinnati Bar Association
  • Kentucky Bar Association
  • Cincinnati Academy of Leadership for Lawyers: Member of Class XIV (2010)

News

News

Press Releases

Featured Video

Craig Hoffman: Data Security and the Retail Industry
Play Video

BakerHostetler's Craig Hoffman discusses credit card breaches EMV, and what retailers should do after an incident.

Prior Positions

  • Law Clerk for the U.S. Department of Labor Administrative Law Judge Thomas F. Phalen

Admissions

  • U.S. District Court, Southern District of Ohio
  • U.S. Court of Appeals, Sixth Circuit
  • Kentucky, 2008
  • Ohio, 2002

Education

  • J.D., University of Cincinnati College of Law, 2002
  • B.A., University of Cincinnati, 1999

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Department of Justice Releases Attorney General's First Cyber-Digital Task Force Report
By John W. Busch
August 17, 2018
The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the...
Read More ->
Data Privacy Monitor
Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards
By Brian P. Bartish, Craig A. Hoffman
August 13, 2018
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity...
Read More ->
Data Privacy Monitor
Do You Need a Chief Digital Risk Officer (or Digital Risk Working Group)?
By Craig A. Hoffman
August 6, 2018
Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard...
Read More ->
Data Privacy Monitor
Deeper Dive: Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement
By Craig A. Hoffman
May 1, 2018
One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The...
Read More ->
Data Privacy Monitor
SEC Clarifies Existing Cybersecurity Disclosure Guidance
By John W. Busch, Jonathan A. Forman, Craig A. Hoffman
February 28, 2018
On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division...
Read More ->