Focus Areas
Data Privacy & Cybersecurity Compliance
- Advised clients on drafting policies and procedures and developing internal compliance programs with respect to a broad range of data protection laws, statutes and regulations, including consumer privacy requirements; employee data privacy notices and policies; data breach preparation and response; data subject requests; digital marketing and targeted advertising; medical data, clinical trials, and healthcare privacy laws; vendor management and data processing agreements; international data transfers and localizations; written information security plans; WCAG compliance; and biometric data processing.
- Prepared data incident response plans and programs and assisted small, midsize, and large companies in responding to serious data events, including ransomware attacks and other incidents involving the unauthorized access, acquisition, or disclosure of personal data or confidential information.
- Drafted online terms and conditions and privacy policies for domestic and global companies.
- Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
- Assisted government contractors with adhering to the NIST standards and other federal regulations and rules on the safeguarding of controlled unclassified information.
- Assisted organizations in establishing and maintaining insider threat programs to ensure the confidentiality and integrity of classified and other sensitive data.
- Advised clients on a broad range of data protection laws, including the FTC Act, GLBA, HIPAA, CAN-SPAM, TCPA, COPPA, CFAA, ECPA, CCPA, CPRA, VCDPA, BIPA, and other privacy legislation.
Data Breach Response Matters
- Assisted logistics and shipping company with operations across North America in assessing and responding to BlackCat ransomware attack, including through engaging digital forensic and incident response consulting agency, undertaking dark web monitoring, engaging with regulatory agencies to reinstate access to federal import and export control system, and advising on potential CTPAT and other incident notification obligations.
- Assisted U.S. chemical and manufacturing company in responding to Akira ransomware, including leading investigation under the attorney-client privilege, retaining digital forensic and IT consultant firm, undertaking data mining and threat actor communications, and notifying impacted data subjects and regulatory authorities.
- Counseled and assisted global organization in the specialty chemical sector in responding to domain controller compromise and compromise of company files likely attributable to Volt Typhoon, including advising on U.S. state personal data breach notification requirements and cyber incident reporting obligations pursuant to the Chemical Facility Anti-Terrorism Standards (CFATS) and U.S. Coast Guard Policy on Reporting Suspicious Activity and Breaches of Security (CG-5P Policy Letter, No. 08-16).
- Provided assistance to city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case, including retaining third-party forensic firm under the attorney-client privilege, consulting on threat actor communications and law enforcement engagement in light of active communications with threat actor, addressing data breach notification obligations, and advising on communications to impacted constituents.
- Engaged with global welding company and helped respond to a business email compromise arising from unauthorized intrusion into email account based in Austria and coordinated with EU legal counsel with respect to data breach reporting obligations pursuant to EU, U.S., and UK data protection law, investigating nature and scope of the incident through independent IT security consultant, and drafting incident notification communications to impacted data subjects.
- Assisted global manufacturing company in responding to network intrusion based on SIM hijacking and provided guidance with respect to data mining and security incident notification.
- Assisted global manufacturing company in responding to cyberattack involving service account compromise and use of RDAT backdoor to exfiltrate certain data from company’s IT environment and provided legal guidance regarding requirements applicable to publicly traded companies and pursuant to state data breach notification obligations.
- Advised a global manufacturer in responding to ransomware attack by Black Basta that encrypted its VMware ESXi; representation included retaining an IT consultant to restore data from backups and analyze logs derived from third-party security tool to identify compromised data sets and rendering legal counsel on complying with data breach notification obligations.
- Assisted a global manufacturing client in responding to use of compromised credentials to access third-party HR data platform, including retaining third-party IT consultant to undertake log analysis, engaging platform host to assess liability and responsibility, advising on data breach notification obligations and helping client raise Computer Fraud and Abuse Act (CFAA) and Stored Communications Act (SCA) claims against former employee responsible for the attack.
- Assisted global manufacturing company in responding to a Lockbit 3.0 ransomware and extortion attack, including by retaining a third-party incident response team and ransomware negotiator, conducting OFAC checks, issuing litigation holds, and providing formal notification to data subjects, regulators and credit monitoring agencies.
- Helped managed service provider respond to Conti ransomware attack that targeted third-party client’s IT environment, including by issuing litigation hold, engaging Digital Forensics and Incident Response (DFIR) vendor, analyzing export control laws related to use of DFIR vendor’s proprietary software, and drafting litigation risk assessment.
- Helped global manufacturing company respond to a Royal ransomware and extortion attack, including retaining an independent incident response and digital forensic consultant, retaining a separate ransomware negotiator, leading data mining efforts, issuing litigation holds, and coordinating with foreign counsel to ensure proper data incident notifications to data subjects and regulatory officials in the United States, European Economic Area, United Kingdom, and Australia.
- Counseled multiple clients on responding to incident notification letters received from third-party service providers in connection with CL0P ransomware group intrusion into MOVEit’s managed file transfer program, including advising on breach response and potential litigation.
- Represented an EU-based client in its response to Akira ransomware attack; engagement included retaining digital forensic firm, assessing publicly available decryption tools, engaging in external and internal notifications, and addressing threat actor communications and engagement with federal law enforcement.
- Assisted a manufacturer client in responding to insider threat issue in connection with former remote-only employee making threats concerning misuse of data after termination; representation included retaining third-party IT consultant to undertake security review; drafting affidavits related to the confidentiality, integrity and security of client data and IT systems; and addressing engagement with local law enforcement.
- Advised client on intrusion into HR system that resulted in payroll diversion scams involving fraudulent direct deposit information; representation included working with HR system provider to assist client throughout technical remediation and business loss recovery process.
- Assisted a city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case; representation included retaining third-party forensic firm under the attorney-client privilege, addressing data breach notification obligations, and advising on communications to impacted constituents.
- Assisted nationally recognized business associate in responding to business email compromise, including retaining third-party digital forensic and incident response consultant, assessing breadth of compromise including to personal data, and counseling on data breach notification process under federal and state law.
- Advised national restaurant chain client on responding to security compromise wherein threat actor gained unauthorized access to loyalty program and made unauthorized purchases from consumer accounts, including providing legal analysis of data breach notification obligations and advising on third-party digital forensic consultant to undertake independent investigation.
- Advised U.S.-based publicly traded multinational corporation on whether inclusion of social security numbers on health plan communications transmitted via mail from business associate would be considered a data breach for purposes of federal and state data breach notification laws.
- Assisted consumer goods company in investigating and responding to data breach arising from unauthorized access to, and exfiltration of, customer data from the company’s third-party e-commerce platform due to compromise of an employee’s account credentials.
- Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
- Represented defense contractor in joint investigation by the Department of Defense and Federal Bureau of Investigation arising from Maze ransomware attack that potentially exposed controlled unclassified information, which resulted in the closure of the case without adverse action to client.
- Assisted global manufacturing company in responding to ransomware attack that compromised sensitive employee and customer data, partnering with European Union counsel to facilitate notifications to supervisory authorities pursuant to the European Union (EU) General Data Protection Regulation and EU Member State law.
- Counseled healthcare business associate regarding technical anomaly within its online patient portal that resulted in unauthorized disclosure of medical records and protected health information and drafted formal data breach notification communications and reports.
- Advised private sector company with respect to an incident involving the unauthorized disclosure of sensitive employee data and invoking the “good faith” exception within certain U.S. state data breach notification laws.
- Assisted global manufacturing company with response to the inadvertent disclosure of export-controlled data to foreign nationals, and drafting, preparing and submitting voluntary disclosures to federal department arising from the same.
- Assisted employee health plan in investigating and responding to data breach that occurred within business associate’s information technology environment that resulted in unauthorized access to employees’ protected health information.
- Assisted supply chain defense contractor with response to ransomware attack that compromised the confidentiality of sensitive employee data and controlled unclassified information, including drafting and submitting formal data breach notices to impacted individuals and government agencies.
Biometrics, CIPA, TCPA & Other Privacy Litigation Defense
- Defended Fortune 100 personal healthcare goods provider in lawsuit alleging that its ecommerce platform violated Title III of the ADA because plaintiff with visual impairment was unable to identify promotional items on client’s website because of improper screen readers.
- Assisted private sector entity furnishing “white labeled” online property tax platform to California state agencies comply with California Assembly Bill No. 434 and WCAG 2.0.
- Represented a broad range of businesses in arbitration, litigation and settlement negotiations with respect to claims that their corporate website tracking technologies violate the Pen Register and Trap and Trace Device provisions of the California Invasion of Privacy Act (CIPA).
- Defended dozens of companies in various sectors in arbitration, litigation and settlement negotiations with respect to allegations that their website configurations, such as their use of third-party advertising cookies and pixels, violate the CIPA and similar federal and state laws governing wiretapping, eavesdropping and data privacy.
- Defended a Fortune 100 consumer and personal goods company in class action where plaintiff alleged client’s SMS/text marketing program violated certain provisions of Florida’s Telephone Solicitation Act.
- Represented a defense contractor in nationwide class action litigation arising from alleged data security breach impacting employees’ personal data, including claims that plaintiffs incurred or would immediately incur physical harm, emotional distress and identity theft.
- Represented a global airline in responding to data security event arising from its third-party healthcare benefit provider’s use of MOVEit software, including with respect to client’s formal notification obligations and litigation risk assessments, and represented client with respect to its potential indemnification claims arising from the third-party provider’s breach of its legal obligations and contractually mandated security requirements.
- Assisted a global logistics and storage business in responding to a data security breach impacting an employee analytics software application; representation included assisting client with drafting and submission of formal data breach notification to employees and regulatory authorities, and representing client with respect to legal and indemnification claims against third-party software provider.
- Represented a global manufacturer and provider of reusable textiles in arbitration arising from claims that client unlawfully aided a third-party service provider in intercepting and collecting communications transmitted to client’s website through the use of the third-party’s pixel in violation of the California Invasion of Privacy Act (CIPA) and other state privacy laws.
- Defended U.S. defense contractor in class action litigation in the Southern District of Ohio alleging that a recently disclosed data security incident potentially impacting plaintiffs resulted from client’s negligence, and similar common law and contractual violations.
- Advised a Fortune 50 company on implementing Windows Hello and PingID on employer-provided devices in a manner consistent with U.S. biometric data processing laws and regulations.
- Counseled a global manufacturing firm on federal telecommunications law (TCPA) with respect to implementing company-wide SMS communications, including opt-in and opt-out processes.
- Assisted a national financial institution in responding to complaint filed in California state court that its website violated the Video Privacy Protection Act of 1998 for implementing certain third-party pixels, cookies, and tags without proper notice and consent.
- Counseled a national real estate marketing firm on responding to complaint that its website violated federal and state wiretapping laws for implementing certain third-party pixels, cookies, and tags on its website without proper notice and consent.
- Advised a globally recognized museum on responding to a complaint and demand that its website violated the Video Privacy Protection Act of 1998 for implementing a social media pixel on its public and private websites.
- Counseled a national manufacturing company on responding to formal complaint that its website violated federal and state wiretapping laws with respect to its data processing activities.
- Assisted an international manufacturing company in implementing biometric processing compliance program in the employment context for its operations in the United States and Canada, including advising on implementing biometric privacy policies, obtaining employee consent for biometric collection, and publishing public notices.
- Advised a Fortune 100 company on implementing Windows Hello on employer-provided devices and updating its privacy notices and obtaining employee consent related to the same.
California Consumer Privacy Act (CCPA)
- Performed data mapping to identify whether an organization’s data processing activities implicate California residents and the CCPA.
- Assessed and identified the current state of an organization’s policies and procedures to determine its compliance with the CCPA.
- Drafted privacy notices and statements to address the CCPA’s notice requirement, including drafting website privacy policies, employee privacy statements, and job candidate privacy notices.
- Drafted new, or supplement existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
- Identified whether an organization “sells” personal information within the meaning of the CCPA, and, if so, developed mechanisms for customers to “opt in” or “opt out” of the sale of their personal information.
- Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
- Identified whether an organization offers financial incentives related to data processing and, if so, ensured such incentives align with the CCPA’s anti-discrimination requirements.
- Drafted new, or reviewed existing, data incident response plans to ensure they align with California’s legal requirements and best practices.
The General Data Protection Regulation (GDPR)
- Appointed by state attorney general to assist public university assess its compliance with the GDPR and UK Data Protection Act 2018; retained and led local counsel with respect to the same.
- Assisted global enterprises in designing and implementing EU GDPR compliance programs, policies, and procedures.
- Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
- Counseled clients on establishing and implementing procedures for exporting personal data from the EEA into the United States and other third countries.
- Assisted companies in conducting data mapping exercises to identify the purpose, scope, and legal authorization for their data processing activities.
- Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
- Drafted employee data privacy notices for global companies that have staff or contractors in the EEA.
- Assisted multiple U.S.-based companies in evaluating whether they are legally required to appoint a Data Protection Officer (DPO) in accordance with the GDPR.
- Provided legal analysis to several global companies on whether they need to undertake a data protection impact assessment (DPIA) when implementing routine and common business practices, such as network/employee monitoring.
- Assisted businesses in responding to data subjects invoking rights under the GDPR, including a data subject’s requests for access and/or erasure.
M&A Due Diligence & Cybersecurity Risk
- Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
- Assisted in identifying a target company’s data processing activities, including how it collects, retains, and disseminates personal information.
- Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations, and industry standards.
- Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.
Health & Medical Data Privacy
- Appointed by state attorney general to counsel public university undertaking clinical trials in the European Union and the United Kingdom with respect to its legal obligations under data protection and pharmaceutical regulations and directives and, in conjunction with local counsel, develop and implement data protection and clinical trials compliance checklist.
- Assisted covered entities in determining whether the unauthorized disclosure of protected health information constitutes a breach that warrants, in accordance with federal regulations, notification to the data subject and the Secretary of Health and Human Services.
- Assisted covered entities and business associates in determining whether their encryption protocols satisfy certain technical safeguard requirements within the HIPAA Security Rule.
- Drafted master contracts, including provisions governing data privacy and information security, for a global biopharmaceutical companies and their third-party contract research organizations.
- Provided legal analysis to a late-stage drug testing firm on leveraging exemptions set forth in the GDPR to permit it to legally retain personal information concerning drug testing.
- Determined whether a company’s notice and consent forms issued during medical clinical trial testing satisfy the EU Clinical Trials Regulation (No 536/2014) and other legal requirements.
Third Party IT Contracting
- Drafted and negotiated a wide range of technology and data protection agreements and statements of work, including end user license agreements for software and embedded technology solutions; master service agreements with IT services providers; contracts and statements of work for cloud storage, penetration testing and vulnerability scanning, and managed IT services; and personal data processing, transfer, and security agreements.
- Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.
- “Opting In to CIPA Risk Mitigation After New Precedent,” Thompson Hine Business Law Update, September 2024
- Co-author, “Pennsylvania Amends Data Breach Reporting Law; Requires Credit Monitoring for Victims,” Pratt’s Privacy & Cybersecurity Law Report, September 2024
- “Huge data breach involving social security numbers could impact millions of Americans,” ABC News 5 Cleveland, September 7, 2024
- “DOD Proposes Rule for Implementing Cybersecurity Maturity Model Certification 2.0 Program,” Thompson Hine Government Contracts and Privacy & Cybersecurity Update, September 2024
- “Opting In To CIPA Risk Mitigation After New Precedent,” Law360, August 2024
- Quoted in “Google’s Cookie Pivot Eases Ad Concerns, Fuels Privacy Dilemma,” Bloomberg Law, August 2024
- “Judge Reverses Ruling on Punitive Damages in California Invasion of Privacy Act (CIPA) Case,” Thompson Hine Privacy & Cybersecurity Update, July 2024
- “New Ruling on Punitive Damages and Attorney Fees in California Invasion of Privacy Act (CIPA) Case,” Thompson Hine Privacy & Cybersecurity Update, July 2024
- “The Microsoft Outage, Cyber Disruptions, and Force Majeure Events,” Thompson Hine Privacy & Cybersecurity Update, July 2024
- “Recent Holdings on the California Invasion of Privacy Act (CIPA),” Thompson Hine Privacy & Cybersecurity Update, July 2024
- “Rhode Island Enacts Consumer Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, July 2024
- “Pennsylvania Amends Data Breach Reporting Law; Requires Credit Monitoring for Victims,” Thompson Hine Privacy & Cybersecurity Update, July 2024
- Thompson Hine Securities Quarterly Update, Summer 2024
- Quoted in “How Your Driving Behavior Could Be Affecting Your Car Insurance Premiums — Without You Realizing It,” Money, June 2024
- “California Has a Duty to Curtail Frivolous CIPA Suits,” Law360, June 2024
- “Colorado Adds Biometric Data Requirements to Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, June 2024
- “Minnesota Legislature Passes Consumer Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, May 2024
- “Tennessee Enacts Data Breach Class Action Safe Harbor,” Thompson Hine Privacy & Cybersecurity Update, May 2024
- “SEC Amends Regulation S-P to Address Information Security and Data Breach Response,” Thompson Hine Privacy & Cybersecurity Update, May 2024
- “SEC Issues Update on Cybersecurity Incident Report,” Thompson Hine Privacy & Cybersecurity Update, May 2024
- “Illinois Legislature Amends BIPA to Limit Damages and Expand Consent Options,” Thompson Hine Privacy & Cybersecurity Update, May 2024
- “Banking Regulators Publish Third-Party Risk Management Guide,” Thompson Hine Privacy & Cybersecurity Update, May 2024
- Quoted in “Raft Of Privacy Suits Ignites Abuse Concerns Over NJ Law,” Law360, April 25, 2024
- “Nebraska Enacts Consumer Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, April 2024
- “Maryland Poised to Enact Privacy Law; Sets New Standard for Targeted Advertising,” Thompson Hine Privacy & Cybersecurity Update, April 2024
- “Tips For Orgs Defending Against Daniel’s Law Claims,” Law360, April 10, 2024
- “Virginia Creates New Requirements for B2C and B2B Auto-Renewal Contracts,” Thompson Hine Privacy & Cybersecurity Update, April 2024
- “CPPA Releases First Enforcement Advisory,” Thompson Hine Privacy & Cybersecurity Update, April 2024
- “Kentucky Poised to Enact Consumer Data Protection Law,” Thompson Hine Privacy & Cybersecurity Update, April 2024
- “Utah Creates New Consumer Protection Model for Auto-Renewal and Trial-Period Contracts,” Thompson Hine Privacy & Cybersecurity Update, March 2024
- “Florida and West Virginia Create New Cybersecurity Safe Harbor Laws,” Thompson Hine Privacy & Cybersecurity Update, March 2024
- “Companies Facing New Text Marketing Claims in Florida,” Thompson Hine Privacy & Cybersecurity Update, March 2024
- “Daniel’s Law and the Explosion of Privacy Claims Impacting Real Estate and Tech Platforms,” Thompson Hine Privacy & Cybersecurity Update, March 2024
- “No Cause of Action: California’s Pen/Trap Law Inapplicable to Web Ad Cookies and Pixels,” Washington Legal Foundation, March 2024
- Quoted in “Stressed at Work? Your Office Phone Booth Could Tell Your Boss,” Bloomberg Law, March 2024
- “FCC Issues Order on Consent-Revocation Processes for Robocalls and Robotexts,” Thompson Hine Business Litigation Update, March 2024
- “California Pen/Trap Law and Website Privacy Litigation,” Thompson Hine Privacy & Cybersecurity Update, March 2024
- “Effective Immediately: California Privacy Protection Agency Resumes Authority to Enforce Privacy Regulations,” Thompson Hine Privacy & Cybersecurity Update, February 2024
- Quoted in “The EU Is Pushing Tech Titans to Help Preserve Fair and Free Elections. Can the U.S. Do the Same?” Inc., February 2024
- Co-author, “California Announces Privacy Audits of Connected Vehicles and Related Technologies,” The Journal of Robotics, Artificial Intelligence & Law, Volume 7, No. 2, March-April 2024
- Co-author, “Adverse event reporting and preparing for the next wave of privacy litigation,” IAPP’s The Privacy Advisor, February 6, 2024
- “New Jersey Enacts Consumer Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, January 2024
- Author, The Data Protection Guidebook, Thompson Hine LLP, January 2024
- “Federal Trade Commission Amends Safeguards Rule and Data Breach Notification Obligations,” The Computer & Internet Lawyer, January 2024
- Co-author, “5 Privacy And Cybersecurity Resolutions For 2024,” Law360, January 4, 2024
- “New Guidance on SEC Cybersecurity Reporting Regulations,” Thompson Hine Privacy & Cybersecurity Update, December 2023
- “Preparing for SEC Cybersecurity Incident Reporting,” Insights, The Corporate & Securities Law Advisor, December 2023
- “Significant Changes to Florida’s Privacy Breach Notification and Telemarketing Laws,” Pratt’s Privacy and Cybersecurity Law Report, November 2023
- “NYDFS Amends Data Breach and Cybersecurity Regulations,” Thompson Hine Privacy & Cybersecurity Update, November 2023
- “FTC Amends Safeguards Rule and Data Breach Notification Obligations,” Thompson Hine Privacy & Cybersecurity Update, November 2023
- “Major Changes to California Privacy Laws,” Thompson Hine Privacy & Cybersecurity Update, October 2023
- “Delaware Personal Data Privacy Act Signed Into Law With 2025 Effective Date,” Thompson Hine Privacy & Cybersecurity Update, September 2023
- “Preparing for Connecticut’s New Telemarketing Law,” Thompson Hine Privacy & Cybersecurity Update, August 2023
- “California Announces Privacy Audits of Connected Vehicles and Related Technologies,” Thompson Hine Privacy & Cybersecurity Update, August 2023
- “SEC Finalizes Rules Requiring Mandatory Cybersecurity Disclosure,” Thompson Hine Securities Law Update, July 27, 2023
- Featured on the NewsNation program “Morning in America” to discuss a recent data security incident involving the unauthorized disclosure of Defense Department records and other federal government documents to Mali, a close ally to Russia, July 18, 2023
- “New Data Security and Breach Notification Obligation for DHS Contractors,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- “California Investigates Employee/HR Data Processing in Privacy Enforcement Actions,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- Quoted in “Typo sends millions of US military emails to Russian ally Mali,” BBC News, July 17, 2023
- “Oregon Legislature Passes Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- “California Privacy Law Enforcement Delayed Until 2024,” Thompson Hine Privacy & Cybersecurity Update, July 2023
- “FBI Issues Business Email Compromise Alert,” Thompson Hine Privacy & Cybersecurity Update, June 2023
- Co-author, “Proposed NIST Updates and Data Incident Response Planning,” Lawfare, June 15, 2023
- “Texas Enacts Privacy Law; Amends Data Breach Notification Law,” Thompson Hine Privacy & Cybersecurity Update, June 2023
- “Significant Changes to Florida’s Privacy, Breach Notification, and Telemarketing Laws,” Thompson Hine Privacy & Cybersecurity Update, June 2023
- Featured in “Navigating Cybersecurity Regulations: An In-Depth Look at SP 800-171,” NetDiligence Blog, June 8, 2023
- Co-author, “Unlawful data processing claims: An insurance perspective,” IAPP Privacy Advisor, May 23, 2023
- “Washington State Enacts My Health, My Data Act,” Thompson Hine Privacy & Cybersecurity Update, May 2023
- “Data Privacy Update: Several U.S. States Enact Privacy Legislation in 2023,” Thompson Hine Privacy & Cybersecurity Update, May 2023
- Quoted in “Jack Teixeira: How are US security clearances handled?,” BBC News, April 28, 2023
- Fox News, “Pentagon Leak: Former intelligence attorney on leaked documents,” April 2023
- Quoted in “What punishment could the US leaker face?,” BBC News, April 14, 2023
- “Takeaways from Ohio court ruling on ransomware and insurance exclusions,” IAPP’s The Privacy Advisor, February 7, 2023
- “California Consumer Privacy Act Enforcement and Preparing for 2023 Data Privacy Rules,” Pratt’s Privacy and Cybersecurity Report, January 2023
- “U.S. Government Issues Software Security Procurement Guidance,” Pratt’s Government Contracting Law Report, December 2022
- Quoted in “3 Questions As Feds Flesh Out New Breach Reporting Rules,” Law360, September 23, 2022
- “U.S. Government Issues Software Security Procurement Guidance,” Thompson Hine Government Contracts and Privacy & Cybersecurity Update, September 2022
- “CCPA Enforcement and Preparing for 2023 Data Privacy Rules,” Thompson Hine Privacy & Cybersecurity Update, September 2022
- Quoted in “Here’s how the Twitter whistleblower may impact Big Tech: ‘The danger is real’,” New York Post, August 23, 2022
- “California Issues New Draft Privacy Regulations,” Thompson Hine Privacy & Cybersecurity Update, June 2022
- Quoted in “Facial Recognition Industry Could Face a Reset,” Lifewire, May 26, 2022
- Author, The Data Protection Guidebook, Thompson Hine LLP, January 2022
- “EU/UK Data Transfer Developments: In-House Counsel FAQ,” Thompson Hine Privacy & Cybersecurity Update, May 2022
- “Connecticut Enacts New Consumer Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, May 2022
- “New York Enacts Employee Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, May 2022
- Co-author, “Preparing For New Mandatory Cyber Reporting Rules,” Law360, March 25, 2022
- Quoted in “Rare Trial Over Law Firm Hack To Shed Light On Industry Risk,” Law360, March 25, 2022
- “The 2022 Cyber Incident Reporting Law: Key Issues to Watch,” Lawfare, March 25, 2022
- “Utah Enacts New Consumer Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, March 2022
- “SEC Issues Proposed Rules on Mandatory Cybersecurity Disclosure,” Thompson Hine ESG Collaborative Update, March 10, 2022, republished by Daily Securities News, March 2022
- Co-author, “Anticipating Cyberinsurance Wartime Exclusion Questions,” Law360, March 8, 2022
- Co-author, “Cyber Reporting Proposals: Assessing Liability Protections and Legal Privileges,” Lawfare, February 2022
- Quoted in “Your Webcam May Get a Whole Lot Smarter,” Lifewire, January 13, 2022
- “U.S. Government Defines “Critical Software” for Supply Chain Security Purposes,” Pratt’s Government Contracting Law Report, November 2021
- “DoD Announces (New) CMMC 2.0,” Thompson Hine Cybersecurity & Government Contracts Update, November 2021
- “Issues for Government Contractors and the Private Sector Under the Cybersecurity Executive Order,” Pratt’s Government Contracting Law Report, October 2021
- “Treasury Department Issues Updated Advisory on Ransomware Payments,” Thompson Hine International Trade Update, September 2021
- “Ohio Introduces Consumer Data Privacy Bill,” Thompson Hine Privacy & Cybersecurity Update, July 15, 2021
- Quoted in “6 Cybersecurity Events That Have Defined 2021,” Law360, July 12, 2021
- “NYC biometric law enters into force,” IAPP Privacy Tracker, July 9, 2021
- “Colorado Enacts New Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, June 2021
- “EU Approves New Standard Contractual Clauses for Cross-Border Data Transfers,” Thompson Hine Privacy & Cybersecurity Update, June 2021
- “New Cyber EO: Issues for Government Contractors and the Private Sector,” Thompson Hine Government Contracts Update, May 2021
- “New CCPA regulatory provisions seek to clarify business requirements,” IAPP, March 17, 2021
- “How Cos. Can Build Effective Data Privacy Appeals Processes,” Law360, March 2021
- Quoted in “In-House Counsel Face Growing Privacy, Cybersecurity To-Do Lists,” Bloomberg Law, March 2021
- Quoted in “Virginia’s New Privacy Law Is Just Different Enough to Give Compliance Headaches,” Law.com, March 9, 2021
- Quoted in “Water Plant Hack Underscores Utilities’ Glaring IT Risks,” Law360, March 5, 2021
- “Virginia Enacts New Data Privacy and Cybersecurity Law,” Thompson Hine Privacy & Cybersecurity Update, March 2021
- “Responding to the SolarWinds Breach: Compliance and Oversight Considerations,” Thompson Hine Privacy & Cybersecurity Update, December 2020
- “White House enacts IoT cybersecurity law for federal agencies,” IAPP, December 8, 2020
- Quoted in “Cyber Consulting Firms Get Tied Up in Post-Breach Lawsuits,” Bloomberg Law, November 10, 2020
- “California Voters Approve New Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, November 2020
- “DoD Publishes Interim Cybersecurity Rule on CMMC and DoD Assessments,” Thompson Hine Government Contracts Update, October 2020
- “California Legislature Extends CCPA’s Exemptions for Personal Information in the Employment and Business-to-Business Context,” Thompson Hine Privacy & Cybersecurity Update, September 2020
- “Final CCPA Regulations Approved, Effective Immediately,” Thompson Hine Privacy & Cybersecurity Update, August 2020
- “European Court Invalidates Privacy Shield; Upholds Model Clauses (For Now),” Thompson Hine Privacy & Cybersecurity Update, July 2020
- “CCPA Draft Regulations: Privacy Notices and Accessibility in the Employment Context” IAPP’s Privacy Tracker, July 2020
- “The new CCPA draft regulations: Identity verification,” IAPP’s Privacy Tracker, June 2020
- “From Contact Tracing to Virtual Temperature Taking: Privacy Considerations for Employers,” The Computer & Internet Lawyer, Volume 37, Number 7, July/August 2020
- “California Releases Final CCPA Regulations Ahead of July 1 Enforcement Deadline,” Thompson Hine Privacy & Cybersecurity Update, June 2020
- Co-author, “Cybersecurity Considerations for Retirement Plan Fiduciaries,” Thompson Hine ERISA Litigation Trends & Insights blog, May 28, 2020
- “The new CCPA draft regulations: Defining the scope of personal information,” IAPP’s Privacy Tracker, May 2020
- “From Contact Tracing to Virtual Temperature Taking: Privacy Considerations for Employers,” Thompson Hine Privacy & Cybersecurity Update, May 2020
- “Recent Executive Actions Focus on Bulk-Power System Grid Security and Supply Chain,” Thompson Hine International Trade Update, May 2020
- “New York’s SHIELD Act Now Effective – Take Steps to Ensure Compliance,” Thompson Hine Privacy & Cybersecurity Update, April 2020
- “COVID-19 Giveaways: Avoiding the Pitfalls of Charitable Promotions and Marketing,” Thompson Hine COVID-19 Update, April 2020
- “From Employers to Homeschooling to Healthcare: Federal Government Provides Guidance Clarifying Data Privacy Requirements During COVID-19,” Thompson Hine COVID-19 Update, April 2020
- “When Your Critical Service Providers Telecommute: Risks and Tips,” Thompson Hine COVID-19 Update, March 2020
- “Review Teleworking Cybersecurity Policies and Practices,” Thompson Hine COVID-19 Update, March 2020
- “Frequently Asked Questions About COVID-19 and Employment Privacy,” Thompson Hine COVID-19 Update, March 2020
- “California Attorney General Publishes Modifications to CCPA Regulations,” Thompson Hine Privacy & Cybersecurity Update, March 2020
- “Cyber Attackers Are Exploiting Coronavirus Fears,” Lawfare, March 2020
- “DHS issues cybersecurity warning to businesses,” IAPP’s The Privacy Advisor January 31, 2020
- Quoted in “Execs On Notice After Report of Saudi Bezos Cellphone Hack,” Law360, January 22, 2020
- “Are you prepped for the influx of IoT security laws? It starts in Calif.,” IAPP’s The Privacy Advisor, November 2019
- “California’s New Data Privacy Law Coming into Focus,” Thompson Hine Privacy & Cybersecurity Update, October 2019
- “‘Pre-Ticked’ Boxes to Obtain Cookie Use Consent Fail Under EU Law,” Thompson Hine Privacy & Cybersecurity Update, October 2019
- “Nevada’s ‘Opt-Out’ Privacy Law and the Future of Data Protection,” Thompson Hine Privacy & Cybersecurity Update, October 2019
- “California’s New Privacy Law: Recent Amendments and Approaching Compliance Deadlines,” Thompson Hine Privacy & Cybersecurity Update, September 2019
- “DOD’s Cybersecurity Maturity Model Certification and Draft CMMC Model Framework,” Thompson Hine Government Contracts Update, September 2019
- “State Biometric Privacy Legislation: What You Need to Know,” Thompson Hine Privacy & Cybersecurity Update, September 2019
- “Applying EU Guidance on Real-Time Bidding Beyond the GDPR,” Thompson Hine Business Law Update, Summer 2019
- Thompson Hine Compliance Check 2020: Data Privacy, August 2019
- “New York SHIELD Act Expands Privacy and Cybersecurity Obligations,” Thompson Hine Privacy and Cybersecurity Update, July 2019
- “Applying EU Guidance on Real-Time Bidding Beyond the GDPR,” Thompson Hine Privacy & Cybersecurity Update, July 2019
- “Washington’s New Data Breach Law Follows Enhanced Privacy Protection Trends,” Thompson Hine Privacy & Cybersecurity Update, May 2019
- “Cybersecurity, Compliance and Culture in M&A Transactions,” Thompson Hine Business Law Update, Spring 2019
- “Learning From the Past in Addressing Domestic Terrorism,” Lawfare, April 12, 2019
- “Accessing Personal Data in European Criminal Investigations,” Pratt’s Privacy and Cybersecurity Law Report, April 2019
- “Intel Chiefs Testify on Global Threats, Cybersecurity and Elections,” Lawfare, January 30, 2019
- Quoted in “‘Dark Overlord’ Hack Another Cautionary Tale For Law Firms,” Law360, January 2019
- “Preparing for Ohio’s Cybersecurity Safe Harbor Law,” Pratt’s Privacy and Cybersecurity Law Report, January 2019
- “Canada’s New Data Breach Law Creates Unique Obligations for Businesses,” Thompson Hine Privacy & Cybersecurity Update, November 2018
- Co-author, “Border searches of your e-device: encryption may be of limited value in protecting client data,” The Law for Lawyers Today, October 2018
- “California Becomes First State to Regulate Internet-Connected Devices,” Thompson Hine Privacy & Cybersecurity Update, October 2018
- “The National Cyber Strategy and Legal Reform,” Lawfare, October 8, 2018
- Quoted in “New WH Cyber Strategy Talks Big Game, But Has Big Holes,” Law360, October 3, 2018
- “Amendments to California Privacy Law Will Impact Businesses,” Thompson Hine Privacy & Cybersecurity Update, October 2018
- “Border Searches and the Limits of Encryption in Protecting Privileged Information,” American Bar Association Litigation Magazine, Summer 2018
- “Enhancing Cyber Threat Information Sharing,” Pratt’s Privacy & Cybersecurity Law Report, July/August 2018
- “California Expands Consumer Privacy Protections,” Thompson Hine Privacy & Cybersecurity Update, July 2018
- Quoted in “Data privacy at work,” Crain’s Cleveland Business, May 2018
- “Adviser: Strengthen Your Data Mapping in the Era of GDPR,” Crain’s Cleveland Business, May 2018
- “CEA Report: Cost of Malicious Cyber Activity to the U.S. Economy,” Thompson Hine Privacy & Cybersecurity Update, February 2018
- “The Uber Hack, State Enforcement and Strategic Planning,” Thompson Hine Business Law Update, Winter 2018
- “FERC Proposes Cybersecurity Incident Reporting Rule,” Thompson Hine Privacy & Cybersecurity Update, January 2018
- “Telephone Metadata and the Fourth Amendment: An Overview of Recent Case Law,” 35 St. Louis U. Pub. L. Rev 3, Fall 2015
- Co-author, “Regulating Classified and Controlled Unclassified Information,” Whistleblowers, Leaks, and the Media: The First Amendment and National Security, American Bar Association, 2014
- “Re-Examining the Falkland Islands War: The Necessity for Multi-Level Deterrence in Preventing Wars of Aggression,” 39 Ga. J. Int’l & Comp. L. 2, Fall 2012
- “The Nuclear Nonproliferation Treaty and Pakistan: Interpreting Nuclear Security Assistance Prohibitions,” 23 Fla. J. Int’l L. 2, Spring 2011
- “Sanchez-Llamas v. Oregon: A Missed Opportunity in Treaty Interpretation,” 20 St. Thomas L. Rev. 25, 2007
- Co-presenter, “Privacy Law Developments,” Legal Issues in Museum Administration 2024, ALI CLE program, May 1, 2024
- The SEC’s Cybersecurity Disclosure Rule and Its Impact on Businesses,” Northern Ohio Security Awareness Summit with InfraGard and ISC2, April 19, 2024
- Panel Discussion, “Data Breach Reporting Obligations,” Cybersecurity & Privacy Protection Conference 2024, Cleveland State University College of Law, April 18, 2024
- Panel Discussion, “The New Axis of Evil Exposed: A Global Threat TTX,” The Ohio Information Security Summit, Cleveland, Ohio, October 23, 2023
- Panel Discussion, “Succeeding in Your CMMC Journey,” Northeast Ohio CyberConsortium, Cleveland State University, April 27, 2023
- “Achieving Cyber Wellness Amidst Third-Party Risk,” Webinar, Fortress Security Risk Management, April 24, 2023
- “Startups Streamlined – Protecting Assets in a Digital World,” Thompson Hine LLP, August 2022
- “Data Privacy Laws & How They Apply,” Northern Ohio Security Awareness Summit, Wadsworth, Ohio, June 10, 2022
- Panel Discussion, “Managing High Risk Cyber Security Regions,” Northeast Ohio CyberConsortium, Lorain County Community College, April 22, 2022
- Co-presenter, “Responding to a Cybersecurity Incident: Reporting and Disclosure Obligations,” Thompson Hine Investment Management Coffee Chat, March 2, 2022
- “From California to New York – Complying with the Data Privacy Patchwork,” Information Security Summit, Cleveland, October 28, 2021
- Panel Discussion, “Ethics in the Digital Age,” Webinar, Baldwin Wallace University School of Business, April 22, 2021
- Panel Discussion, “Global Issues Related to Arbitrating Data Breaches and Privacy Rights,” ASIL Midyear Meeting, Case Western Reserve University School of Law, Cleveland, Ohio, October 29, 2020
- “Cyber Risk Mitigation in the Chemical Sector,” SOCMA Power Hour: A Fall Webinar Series, October 1, 2020
- “New Frontiers in Export & Technology Controls,” July 29, 2020
- “Data Privacy Trends – How to Satisfy Privacy Notification Obligations in the Employment Arena,” Association of Corporate Counsel, February 27, 2020
- “Building an Incident Response Program,” Information Security Summit, Cleveland, October 23, 2019
- “The California Consumer Privacy Act: Implementing Sustainable Compliance Solutions,” Information Security Summit, Cleveland, October 23, 2019
- Panel Discussion, “Comparing International Terrorism and Domestic Violent Extremism,” The Center for Strategic and International Studies, Washington, DC, September 16, 2019
- “The Intersection of Legal and Cyber,” CSO Xchange, Cleveland, August 7, 2019
- “Cyber Security – Are You Ready?” SOCMA Executive Forum, University of Houston, May 23, 2019
- “Staying Ahead of the Cybersecurity Curve: Practical Tips From the Experts,” Thompson Hine LLP, Cleveland, May 16, 2019
- “Data Privacy, the CCPA and Contracts: What You Need to Know,” Association of Corporate Counsel, April 24, 2019
- “What You Need to Know about Data Privacy Laws: International, Federal, State and Local,” The Association of Test Publishers, the Innovations in Testing Conference, Featured Speaker Session, March 18, 2019
- “Meeting the Data Privacy Challenge: Complying with Multiple Laws in a Global Testing Environment,” The Association of Test Publishers, the Innovations in Testing Conference, March 19, 2019
- “Reconciling the EU GDPR and US Discovery Obligations,” The William B. Bryant American Inn of Court, January 8, 2019
- “GDPR: From Anticipation to Implementation,” Information Security Summit, October 25, 2018
- “GDPR and Privacy Law,” Information Security Summit, October 23, 2018
- “Understanding GDPR & Cyber Law,” BusinessTECH18 2018, October 18, 2018
- “Privacy & Cybersecurity Compliance,” Thompson Hine Chief Compliance Officer Forum, October 4, 2018
- “Strategies to Assess and Mitigate Cybersecurity Risks,” Ohio Electric Cooperatives, October 3, 2018
- “Cybersecurity and Private-Public Partnerships,” Society for Corporate Governance, Cleveland, June 13, 2018
- “Cybersecurity and Private-Public Partnerships,” USLFG Corporate and Securities Committee Meeting, Cleveland, May 15, 2018
- “Cyber Threats & Public Private Partnerships,” Chemistry Council of New Jersey 34th Annual Spring Conference, Princeton, New Jersey, May 1, 2018
- “Managing Tomorrow’s Cyber Threats Today,” Thompson Hine LLP, Cleveland, April 26, 2018
- Cleveland-Marshall College of Law 2018 Cybersecurity and Privacy Protection Conference, Cleveland, March 22, 2018
- “Cybersecurity Risks and Employee Benefit Plans,” WEB National Webinar, February 28, 2018
- Named a Thomson Reuters Stand-out Lawyer, 2023 & 2024
Professional Associations
- Bar Association of the District of Columbia
- International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)
- Northern Ohio InfraGard Members Alliance Board of Directors
- Ohio State Bar Association
Education
- Georgetown University Law Center, LL.M., 2011
- University of Akron School of Law, J.D., 2007,
editor, Akron Law Review
- The Ohio State University, B.A., 2004
Bar Admissions
- Ohio
- District of Columbia
Court Admissions
- U.S. District Court for the Northern District of Ohio
- U.S. District Court for the Southern District of Ohio
- U.S. Court of Appeals for the Sixth Circuit
Select a filter
- Business Law Update – September 2024,
Thompson Hine Newsletter
, September 29, 2024 - Opting In to CIPA Risk Mitigation After New Precedent,
Business Law Update
, September 29, 2024 - Pennsylvania Amends Data Breach Reporting Law; Requires Credit Monitoring for Victims,
Pratt’s Privacy and Cybersecurity Report
, September 23, 2024 - DOD Proposes Rule for Implementing Cybersecurity Maturity Model Certification 2.0 Program,
Government Contracts and Privacy & Cybersecurity Update
, September 4, 2024 - Opting In To CIPA Risk Mitigation After New Precedent,
Law360
, August 21, 2024 - Judge Reverses Ruling on Punitive Damages in California Invasion of Privacy Act (CIPA) Case,
Privacy & Cybersecurity Update
, July 29, 2024 - New Ruling on Punitive Damages and Attorney Fees in California Invasion of Privacy Act (CIPA) Case,
Privacy & Cybersecurity Update
, July 23, 2024 - The Microsoft Outage, Cyber Disruptions, and Force Majeure Events,
Privacy & Cybersecurity Update
, July 19, 2024 - Recent Holdings on the California Invasion of Privacy Act (CIPA),
Privacy & Cybersecurity Update
, July 10, 2024 - Rhode Island Enacts Consumer Data Privacy Law,
Privacy & Cybersecurity Update
, July 5, 2024