Privacy and Data Protection

Overview

"The team's strengths are responsiveness and the quality of their work product. They have a deep bench of expertise in incident-response globally.”

– Chambers USA 2018

Privacy and data security are enterprise-wide issues that impact nearly every area of a company’s operations. ­Clients of our ranked and award-winning BakerHostetler Privacy and Data Protection team count on us to continue to learn, grow and adapt to meet their needs in this constantly evolving area. Our core team of attorneys are not generalists, but rather focus on serving specific industries or issues so that we can deliver practical and service-oriented counseling.

We serve clients from all tiers of the Fortune 500, as well as health systems, universities, small and midsize businesses, emerging technology companies, and state and municipal entities. Our team members are located in key cities across the United States and have global reach by maintaining strategic partnerships with lawyers, security firms and risk management companies around the world.

Where does our competitive difference come from? It is our experience and our approach. Our attorneys are on-site at client locations hundreds of days a year proactively training incident response teams, conducting security and risk assessments, working through incidents, advising executive leadership teams and boards, preparing witnesses for depositions and regulatory investigations, and providing advice on new initiatives and transactions. We lead clients through the response to hundreds of potential security incidents a year. We respond to dozens of regulatory inquiries and defend dozens of lawsuits. Insights generated from our experience in incident response are set forth in our annual BakerHostetler Data Security Incident Response Report.

In a practice area where experience truly matters and clients expect efficient, tailored and clear advice, our depth of experience is difficult to match. We deliver comprehensive and trusted guidance across six key areas of service:

Deep Experience, Comprehensive Service >>

Industry Focus

We work with clients across a broad range of industries and have particular experience with the following:

More »
Recognition

Chambers USA ranks us in its 2016 edition, recognizing our “standout breach response practice” and “wide-ranging compliance advice.” According to the guide, clients say we are “super responsive, cost-efficient and don’t over-staff matters, which [they] appreciate.” And they note that we are “a very good law firm and I have enjoyed working with them.” Clients tell Chambers that our team’s national leader, Ted Kobus, is “one of the best around and has a great and expanding team.” Chambers also nominated us with a select group of firms for a 2015 Chambers USA Award as “Privacy and Data Security Team of the Year” for our outstanding work, strategic growth and client service excellence.

Law360 recognized our team as one of the nation’s best practices when it selected us as one of its Practice Groups of the Year for Privacy in three consecutive years: 2013, 2014 and 2015. In addition, Law360 selected partner Craig Hoffman as one of three 2015 Privacy Rising Stars and partner David Carney as a rising star in 2015 for Privacy Litigation. Our team’s leader, Ted Kobus, was named a Law360 MVP for Privacy and Consumer Protection in 2013, and our Class Action Defense team leader, Paul Karlsgodt, was named a Law360 MVP for Privacy and Consumer Protection in 2014 and 2015.

The Legal 500 included our team as one of the top practices in cyber law and data protection and privacy, noting that “the well-regarded Theodore Kobus leads BakerHostetler’s team and is recommended for his ‘attentiveness, knowledge of the regulators and ability to provide guidance through all stages of an incident, from discovery to litigation – and everything in between.’ Craig Hoffman’s knowledge of the payment card industry is ‘incredible’ and overall the team is praised for its ability to ‘offer immediate and practical advice, including from the most senior partners on the team.’”

Select Experience

  • Defending a major casual dining restaurant chain with more than 400 locations and franchises around the world in a class action brought under the Illinois Biometric Information Privacy Act (BIPA). Plaintiffs allege employee fingerprints were improperly collected and stored.
  • Representing a leading worldwide consumer credit reporting agency regarding payment card exposure issues following a data breach.
  • Advising an international hotel chain after a payment card security incident that affected more than 300 properties worldwide.
  • Defending an auto company in a consumer class action involving potential violations of the Telephone Consumer Protection Acts.
  • Advising a leading United States airline and the world’s largest low-cost carrier regarding the potential effect of the General Data Protection Regulation (GDPR) on European ticket purchasers.
More »

Professionals

Name Title Office Email
Associate New York
Staff Attorney New York
Associate Cincinnati
Partner New York
Partner Atlanta
Associate Denver
Associate Philadelphia
Associate Houston
Partner Orlando
Associate Houston
Partner Cleveland
Associate New York
Partner Los Angeles
Partner Denver
Of Counsel Washington, D.C.
Partner Houston
Associate Cincinnati
Counsel Atlanta
Associate New York
Associate New York
Partner New York
Counsel New York
Partner Atlanta
Partner Los Angeles
Partner Seattle
Partner Cleveland
Partner New York
Associate Philadelphia
Counsel New York
Partner Chicago
Partner Cincinnati
Associate Cincinnati
Partner Cincinnati
Partner Atlanta
Partner Washington, D.C.
Partner Seattle
Partner Denver
Partner Cleveland
Partner New York
Counsel Los Angeles
Counsel Washington, D.C.
Associate Los Angeles
Associate Washington, D.C.
Associate Washington, D.C.
Partner New York
Partner New York
Partner Cleveland
Counsel Chicago
Partner Philadelphia
Counsel Philadelphia
Partner New York
Partner Cleveland
Partner Houston
Partner New York
Associate Cleveland
Partner Cleveland
Associate New York
Counsel Cincinnati
Associate Denver
Counsel Philadelphia
Counsel Chicago
Partner Cleveland
Partner Atlanta
Partner Houston

Experience

  • Defending a major casual dining restaurant chain with more than 400 locations and franchises around the world in a class action brought under the Illinois Biometric Information Privacy Act (BIPA). Plaintiffs allege employee fingerprints were improperly collected and stored.
  • Representing a leading worldwide consumer credit reporting agency regarding payment card exposure issues following a data breach.
  • Advising an international hotel chain after a payment card security incident that affected more than 300 properties worldwide.
  • Defending an auto company in a consumer class action involving potential violations of the Telephone Consumer Protection Acts.
  • Advising a leading United States airline and the world’s largest low-cost carrier regarding the potential effect of the General Data Protection Regulation (GDPR) on European ticket purchasers.
  • Advising a casual dining restaurant chain based in the United States and with operations worldwide, on GDPR issues in connection with potential expansion to United Kingdom.
  • Representing an American movie theater chain in an investigation by the Office of the Attorney General of the State of New York involving a mobile application that was potentially vulnerable to eavesdropping, which could have resulted in user information being intercepted, viewed or modified.
  • Secured complete dismissal in putative class action alleging Cleveland Clinic Foundation and MD Anderson Cancer Center violated state and federal laws by transmitting information about consumers’ browsing history to Facebook. Handled incident response and regulatory and class action defense for Premera Blue Cross, after the largest cybersecurity incident involving medical information ever reported.
  • Represented Schnuck Markets in all matters arising from a cybersecurity breach involving as many as 2.4 million credit cards. We obtained a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, are defending Schnuck in multiple class actions and have sued Schnuck’s acquiring bank and payment processor to enforce the merchant services agreement.
  • On behalf of Eisenhower Medical Center, obtained a favorable ruling from the California Courts of Appeal that patient index data is not “medical information” as defined under the California Confidentiality of Medical Information Act (CMIA), after a theft of computers containing index data for more than 500,000 patients. Plaintiffs subsequently withdrew their lawsuit, with no payment by the medical center.

Recognition

  • Chambers Global: Privacy & Data Protection (USA) (2014 to 2017)
  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security- Healthcare Spotlight Table (2018)
    • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • Chambers USA: Intellectual Property:
    • Trademark & Copyright in New York (2014 to 2017)
    • Georgia Intellectual Property (2018)
      • Band 4
    • Ohio Intellectual Property (2018)
      • Band 2
    • Pennsylvania Intellectual Property (2018)
      • Band 1
    • Recognized Practitioner: Intellectual Property Litigation in District of Columbia (2018).
    • Recognized Practitioner: Intellectual Property Patent Prosecution in District of Columbia (2018).
    • Recognized Practitioner: Intellectual Property Trademark, Copyright & Trade Secrets in New York (2018). 
    • Recognized Practitioner: Trademark, Copyright & Trade Secrets in the District of Columbia (2015 to 2017)
  • The Legal 500 United States (2016, 2018)
    • Media, Technology and Telecoms: Cyber law
    • Media, Technology and Telecoms: Data protection and privacy
  • Law 360: Privacy "Practice Group of the Year" (2013 to 2015)
  • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

News

News

Press Releases

Publications

Alerts

Articles

Key Contacts

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Department of Justice Releases Attorney General's First Cyber-Digital Task Force Report
By John W. Busch
August 17, 2018
The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the...
Read More ->
Data Privacy Monitor
Not Too Early to Start to Prepare for New California Privacy Law
By Alan L. Friel, Niloufar Massachi
August 14, 2018
In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of...
Read More ->
Data Privacy Monitor
Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards
By Brian P. Bartish, Craig A. Hoffman
August 13, 2018
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity...
Read More ->
Data Privacy Monitor
Do You Need a Chief Digital Risk Officer (or Digital Risk Working Group)?
By Craig A. Hoffman
August 6, 2018
Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
By Aaron R. Lancaster
July 24, 2018
Federal Trade Commission Federal Trade Commission Asks for Ability to Fine Companies for Privacy Violations • Speaking before the U.S. House of Representatives’ Subcommittee on Digital Commerce and Consumer Protection, the commissioners of...
Read More ->