Theodore J. Kobus III

Partner

New York
T +1.212.271.1504
F +1.212.589.4201

"Ted is very responsive. He strikes the right balance between urgency and the rationality of calm."

— Chambers USA 2017

Overview

Ted Kobus focuses his practice in the areas of privacy, data security and intellectual property. He advises clients, trade groups and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions and defense of class action litigation. Ted counsels clients involved in breaches implicating domestic and international laws, as well as other regulations and requirements. Having led more than 2,000 data breach responses, Ted has respected relationships with regulators involved in privacy concerns as well as deep experience to help clients confront privacy issues during the compliance risk management stages. He is invested in his client relationships and approaches engagements practically and thoughtfully.

Ted is the national leader of the firm's Privacy and Data Protection team and currently serves on the Policy Committee. He is ranked in Chambers USA: America's Leading Lawyers for Business and was one of only three attorneys named an MVP by Law360 for Privacy and Consumer Protection in 2013. Ted is a regular contributor to BakerHostetler's Data Privacy Monitor blog and regularly speaks at major industry events regarding data breach response, risk management and litigation issues affecting privacy, including being the only private attorney to speak at the National Association of Attorneys General on data security issues.

Select Experience

  • Leading the breach response, regulatory defense and class action defense of a massive credit card breach on behalf of a large, privately held retailer. Guided the client through the initial investigation of a criminal attack and a payment processing network, including the engagement of a forensics team and collaboration with government entities to pursue the attackers. Led the defense against six putative class actions, a single plaintiff lawsuit and inquiries from state attorneys general and the Federal Trade Commission, convincing the regulator not only to close the investigation against the client but to establish the client as a victim in the breach. Developed a strategic plan to defend against lawsuits and actions filed in six different state and federal jurisdictions and negotiated settlements with putative plaintiffs. Continues to defend the client against demands by issuing banks alleging losses related to fraudulent charges and card reissuance costs, and provides guidance to the client regarding obligations held to the payment processor under specific regulations.

  • Leads an engagement with a health system providing advice on breach analysis, notification obligations, crisis management, investigation of incident and regulatory compliance following the theft of computers containing information of approximately 4 million patients. Coordinates the breach investigation, including a forensics team, and leads the breach response, crisis management and the notification of all patients and physicians affected. Leads the post-breach response as well, involving the resolution of patient complaints and regulatory investigations. Assisting and advising the client in responses to investigations initiated by government agencies. Has led the response to nearly half of the 12 largest Health Insurance Portability and Accountability Act breaches announced to date.

  • Develops incident response plans and privacy policies, provides proactive incident response training

More »

Experience

  • Leading the breach response, regulatory defense and class action defense of a massive credit card breach on behalf of a large, privately held retailer. Guided the client through the initial investigation of a criminal attack and a payment processing network, including the engagement of a forensics team and collaboration with government entities to pursue the attackers. Led the defense against six putative class actions, a single plaintiff lawsuit and inquiries from state attorneys general and the Federal Trade Commission, convincing the regulator not only to close the investigation against the client but to establish the client as a victim in the breach. Developed a strategic plan to defend against lawsuits and actions filed in six different state and federal jurisdictions and negotiated settlements with putative plaintiffs. Continues to defend the client against demands by issuing banks alleging losses related to fraudulent charges and card reissuance costs, and provides guidance to the client regarding obligations held to the payment processor under specific regulations.

  • Leads an engagement with a health system providing advice on breach analysis, notification obligations, crisis management, investigation of incident and regulatory compliance following the theft of computers containing information of approximately 4 million patients. Coordinates the breach investigation, including a forensics team, and leads the breach response, crisis management and the notification of all patients and physicians affected. Leads the post-breach response as well, involving the resolution of patient complaints and regulatory investigations. Assisting and advising the client in responses to investigations initiated by government agencies. Has led the response to nearly half of the 12 largest Health Insurance Portability and Accountability Act breaches announced to date.

  • Develops incident response plans and privacy policies, provides proactive incident response training, and counsels on privacy and security issues globally.

  • Has defended more than 50 investigations brought by all regional offices of the Department of Health and Human Services Office for Civil Rights.

  • Defending several Civil Investigative Demands brought by state attorneys general regarding a client's data security practices and compliance with federal and state laws.

  • Defending clients in statutory damage claims brought regarding the collection, use and sharing of customer information.

  • Representing a financial institution following the discovery of malicious software on an employee workstation computer possibly capturing confidential customer information. Coordinating the breach investigation, response strategy and post-breach response, including the resolution of customer complaints and defense of the investigation by banking regulators.

  • Leading the defense of a putative class action seeking damage for a technology client's use of cookies on its website. Filed a Notice of Removal and motion to transfer the venue in state court to preserve the client's rights if the case is ultimately remanded.

Recognitions and Memberships

Recognitions

  • Chambers Global: Privacy & Data Protection (USA) (2014 to 2017)
  • Chambers USA: Nationwide Privacy and Data Security (2013 to 2017)
  • The Legal 500 United States (2016, 2017)
    • Recommended in Media, Technology and Telecoms: Cyber law
    • Recommended in Media, Technology and Telecoms: Data protection and privacy
  • National Law Journal "Cybersecurity Trailblazer" (2016)
  • Cybersecurity Docket "Incident Response 30" (2016)
  • The Best Lawyers in America© (2016 to 2018)
    • New York: Privacy and Data Security Law
  • Law360: MVP in Privacy & Consumer Protection (2013)
  • Certified Information Privacy Manager

News

News

Press Releases

Featured Video

Ted Kobus: Data Security Incidents: Regulatory Investigations
Play Video
BakerHostetler Partner and National Leader of the Privacy and Data Protection practice discusses what questions regulators ask following an incident, what their expectations are, and the future of these investigations.

Admissions

  • U.S. Court of Appeals, Federal Circuit, 2002
  • U.S. Court of Appeals, Third Circuit, 2002
  • U.S. District Court, District of Colorado, 2009
  • U.S. District Court, Middle District of Pennsylvania, 2004
  • U.S. District Court, Western District of Pennsylvania, 1998
  • U.S. District Court, Eastern District of Pennsylvania, 1995
  • U.S. District Court, District of New Jersey, 1995
  • Pennsylvania
  • New York

Education

  • J.D., Widener University School of Law, 1994, cum laude
  • B.S., Purdue University, 1987

Blog

In The Blogs

Previous Next
Data Privacy Monitor
European Court Provides Further Clarity on Employee Monitoring
By Emily R. Fedeles, Nichole L. Sterling
September 20, 2017
The September 5, 2017, decision of the Grand Chamber of the European Court of Human Rights (ECHR) in Barbulescu v Romania (Barbulescu) has interrupted a recent trend toward limiting privacy in the European workplace. The Barbulescu...
Read More ->
Data Privacy Monitor
Privacy Shield Update: Ahead of First Joint Review, Europeans Remain Skeptical as FTC Announces Enforcement Actions
By Emily R. Fedeles, Melinda L. McLellan
September 12, 2017
On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of...
Read More ->
Data Privacy Monitor
Industry Watchdog Reminds Digital Advertisers of the Importance of Providing Consumers With Transparency and Choice in Latest Enforcement Actions
By Alan L. Friel
August 28, 2017
Two digital advertising companies, Adbrain and Exponential Interactive, were cited in recent decisions by the Better Business Bureau’s Online Interest-Based Advertising Accountability Program (OIBAAP) for not complying with the online...
Read More ->
Data Privacy Monitor
Uber Settles With FTC Over Allegedly Deceptive Privacy And Data Security Practices
August 25, 2017
Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not...
Read More ->
Data Privacy Monitor
Delaware Revamps Its State Data Breach Notification Statute
August 23, 2017
On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social...
Read More ->