Skip to main content
Professional background
Biography image

Steven G.Stransky

PartnerCo-Chair, Privacy & Cybersecuritymoc.eniHnospmohT@yksnartS.evetS
Cleveland

O 216.566.5646

M 216.905.7883

Washington, D.C.

O 202.263.4126

Steven G.Stransky

Partner
Co-Chair, Privacy & Cybersecuritymoc.eniHnospmohT@yksnartS.evetS
Cleveland

O 216.566.5646

M 216.905.7883

Washington, D.C.

O 202.263.4126

Focus Areas

Data Privacy & Cybersecurity Compliance

  • Advised clients on drafting policies and procedures and developing internal compliance programs with respect to a broad range of data protection laws, statutes and regulations, including consumer privacy requirements; employee data privacy notices and policies; data breach preparation and response; data subject requests; digital marketing and targeted advertising; medical data, clinical trials, and healthcare privacy laws; vendor management and data processing agreements; international data transfers and localizations; written information security plans; WCAG compliance; and biometric data processing.
  • Prepared data incident response plans and programs and assisted small, midsize, and large companies in responding to serious data events, including ransomware attacks and other incidents involving the unauthorized access, acquisition, or disclosure of personal data or confidential information.
  • Drafted online terms and conditions and privacy policies for domestic and global companies.
  • Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
  • Assisted government contractors with adhering to the NIST standards and other federal regulations and rules on the safeguarding of controlled unclassified information.
  • Assisted organizations in establishing and maintaining insider threat programs to ensure the confidentiality and integrity of classified and other sensitive data.
  • Advised clients on a broad range of data protection laws, including the FTC Act, GLBA, HIPAA, CAN-SPAM, TCPA, COPPA, CFAA, ECPA, CCPA, CPRA, VCDPA, BIPA, and other privacy legislation.

Data Breach Response Matters

  • Assisted logistics and shipping company with operations across North America in assessing and responding to BlackCat ransomware attack, including through engaging digital forensic and incident response consulting agency, undertaking dark web monitoring, engaging with regulatory agencies to reinstate access to federal import and export control system, and advising on potential CTPAT and other incident notification obligations.
  • Assisted U.S. chemical and manufacturing company in responding to Akira ransomware, including leading investigation under the attorney-client privilege, retaining digital forensic and IT consultant firm, undertaking data mining and threat actor communications, and notifying impacted data subjects and regulatory authorities.
  • Counseled and assisted global organization in the specialty chemical sector in responding to domain controller compromise and compromise of company files likely attributable to Volt Typhoon, including advising on U.S. state personal data breach notification requirements and cyber incident reporting obligations pursuant to the Chemical Facility Anti-Terrorism Standards (CFATS) and U.S. Coast Guard Policy on Reporting Suspicious Activity and Breaches of Security (CG-5P Policy Letter, No. 08-16).
  • Provided assistance to city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case, including retaining third-party forensic firm under the attorney-client privilege, consulting on threat actor communications and law enforcement engagement in light of active communications with threat actor, addressing data breach notification obligations, and advising on communications to impacted constituents.
  • Engaged with global welding company and helped respond to a business email compromise arising from unauthorized intrusion into email account based in Austria and coordinated with EU legal counsel with respect to data breach reporting obligations pursuant to EU, U.S., and UK data protection law, investigating nature and scope of the incident through independent IT security consultant, and drafting incident notification communications to impacted data subjects.
  • Assisted global manufacturing company in responding to network intrusion based on SIM hijacking and provided guidance with respect to data mining and security incident notification.
  • Assisted global manufacturing company in responding to cyberattack involving service account compromise and use of RDAT backdoor to exfiltrate certain data from company’s IT environment and provided legal guidance regarding requirements applicable to publicly traded companies and pursuant to state data breach notification obligations.
  • Advised a global manufacturer in responding to ransomware attack by Black Basta that encrypted its VMware ESXi; representation included retaining an IT consultant to restore data from backups and analyze logs derived from third-party security tool to identify compromised data sets and rendering legal counsel on complying with data breach notification obligations.
  • Assisted a global manufacturing client in responding to use of compromised credentials to access third-party HR data platform, including retaining third-party IT consultant to undertake log analysis, engaging platform host to assess liability and responsibility, advising on data breach notification obligations and helping client raise Computer Fraud and Abuse Act (CFAA) and Stored Communications Act (SCA) claims against former employee responsible for the attack.
  • Assisted global manufacturing company in responding to a Lockbit 3.0 ransomware and extortion attack, including by retaining a third-party incident response team and ransomware negotiator, conducting OFAC checks, issuing litigation holds, and providing formal notification to data subjects, regulators and credit monitoring agencies.
  • Helped managed service provider respond to Conti ransomware attack that targeted third-party client’s IT environment, including by issuing litigation hold, engaging Digital Forensics and Incident Response (DFIR) vendor, analyzing export control laws related to use of DFIR vendor’s proprietary software, and drafting litigation risk assessment.
  • Helped global manufacturing company respond to a Royal ransomware and extortion attack, including retaining an independent incident response and digital forensic consultant, retaining a separate ransomware negotiator, leading data mining efforts, issuing litigation holds, and coordinating with foreign counsel to ensure proper data incident notifications to data subjects and regulatory officials in the United States, European Economic Area, United Kingdom, and Australia.
  • Counseled multiple clients on responding to incident notification letters received from third-party service providers in connection with CL0P ransomware group intrusion into MOVEit’s managed file transfer program, including advising on breach response and potential litigation.
  • Represented an EU-based client in its response to Akira ransomware attack; engagement included retaining digital forensic firm, assessing publicly available decryption tools, engaging in external and internal notifications, and addressing threat actor communications and engagement with federal law enforcement.
  • Assisted a manufacturer client in responding to insider threat issue in connection with former remote-only employee making threats concerning misuse of data after termination; representation included retaining third-party IT consultant to undertake security review; drafting affidavits related to the confidentiality, integrity and security of client data and IT systems; and addressing engagement with local law enforcement.
  • Advised client on intrusion into HR system that resulted in payroll diversion scams involving fraudulent direct deposit information; representation included working with HR system provider to assist client throughout technical remediation and business loss recovery process.
  • Assisted a city government in responding to business email compromise that resulted in government funds lost as part of wire fund transfer case; representation included retaining third-party forensic firm under the attorney-client privilege, addressing data breach notification obligations, and advising on communications to impacted constituents.
  • Assisted nationally recognized business associate in responding to business email compromise, including retaining third-party digital forensic and incident response consultant, assessing breadth of compromise including to personal data, and counseling on data breach notification process under federal and state law.
  • Advised national restaurant chain client on responding to security compromise wherein threat actor gained unauthorized access to loyalty program and made unauthorized purchases from consumer accounts, including providing legal analysis of data breach notification obligations and advising on third-party digital forensic consultant to undertake independent investigation.
  • Advised U.S.-based publicly traded multinational corporation on whether inclusion of social security numbers on health plan communications transmitted via mail from business associate would be considered a data breach for purposes of federal and state data breach notification laws.
  • Assisted consumer goods company in investigating and responding to data breach arising from unauthorized access to, and exfiltration of, customer data from the company’s third-party e-commerce platform due to compromise of an employee’s account credentials.
  • Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
  • Represented defense contractor in joint investigation by the Department of Defense and Federal Bureau of Investigation arising from Maze ransomware attack that potentially exposed controlled unclassified information, which resulted in the closure of the case without adverse action to client.
  • Assisted global manufacturing company in responding to ransomware attack that compromised sensitive employee and customer data, partnering with European Union counsel to facilitate notifications to supervisory authorities pursuant to the European Union (EU) General Data Protection Regulation and EU Member State law.
  • Counseled healthcare business associate regarding technical anomaly within its online patient portal that resulted in unauthorized disclosure of medical records and protected health information and drafted formal data breach notification communications and reports.
  • Advised private sector company with respect to an incident involving the unauthorized disclosure of sensitive employee data and invoking the “good faith” exception within certain U.S. state data breach notification laws.
  • Assisted global manufacturing company with response to the inadvertent disclosure of export-controlled data to foreign nationals, and drafting, preparing and submitting voluntary disclosures to federal department arising from the same.
  • Assisted employee health plan in investigating and responding to data breach that occurred within business associate’s information technology environment that resulted in unauthorized access to employees’ protected health information.
  • Assisted supply chain defense contractor with response to ransomware attack that compromised the confidentiality of sensitive employee data and controlled unclassified information, including drafting and submitting formal data breach notices to impacted individuals and government agencies.

Biometrics, TCPA & Privacy Litigation Defense

  • Represented a defense contractor in nationwide class action litigation arising from alleged data security breach impacting employees’ personal data, including claims that plaintiffs incurred or would immediately incur physical harm, emotional distress and identity theft.
  • Represented a global airline in responding to data security event arising from its third-party healthcare benefit provider’s use of MOVEit software, including with respect to client’s formal notification obligations and litigation risk assessments, and represented client with respect to its potential indemnification claims arising from the third-party provider’s breach of its legal obligations and contractually mandated security requirements.
  • Assisted a global logistics and storage business in responding to a data security breach impacting an employee analytics software application; representation included assisting client with drafting and submission of formal data breach notification to employees and regulatory authorities, and representing client with respect to legal and indemnification claims against third-party software provider.
  • Advised a Fortune 50 company on implementing Windows Hello and PingID on employer-provided devices in a manner consistent with U.S. biometric data processing laws and regulations.
  • Counseled a global manufacturing firm on federal telecommunications law (TCPA) with respect to implementing company-wide SMS communications, including opt-in and opt-out processes.
  • Assisted a national financial institution in responding to complaint filed in California state court that its website violated the Video Privacy Protection Act of 1998 for implementing certain third-party pixels, cookies, and tags without proper notice and consent.
  • Counseled a national real estate marketing firm on responding to complaint that its website violated federal and state wiretapping laws for implementing certain third-party pixels, cookies, and tags on its website without proper notice and consent.
  • Advised a globally recognized museum on responding to a complaint and demand that its website violated the Video Privacy Protection Act of 1998 for implementing a social media pixel on its public and private websites.
  • Counseled a national manufacturing company on responding to formal complaint that its website violated federal and state wiretapping laws with respect to its data processing activities.
  • Assisted an international manufacturing company in implementing biometric processing compliance program in the employment context for its operations in the United States and Canada, including advising on implementing biometric privacy policies, obtaining employee consent for biometric collection, and publishing public notices.
  • Advised a Fortune 100 company on implementing Windows Hello on employer-provided devices and updating its privacy notices and obtaining employee consent related to the same.

California Consumer Privacy Act (CCPA)

  • Performed data mapping to identify whether an organization’s data processing activities implicate California residents and the CCPA.
  • Assessed and identified the current state of an organization’s policies and procedures to determine its compliance with the CCPA.
  • Drafted privacy notices and statements to address the CCPA’s notice requirement, including drafting website privacy policies, employee privacy statements, and job candidate privacy notices.
  • Drafted new, or supplement existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
  • Identified whether an organization “sells” personal information within the meaning of the CCPA, and, if so, developed mechanisms for customers to “opt in” or “opt out” of the sale of their personal information.
  • Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
  • Identified whether an organization offers financial incentives related to data processing and, if so, ensured such incentives align with the CCPA’s anti-discrimination requirements.
  • Drafted new, or reviewed existing, data incident response plans to ensure they align with California’s legal requirements and best practices.

The General Data Protection Regulation (GDPR)

  • Appointed by state attorney general to assist public university assess its compliance with the GDPR and UK Data Protection Act 2018; retained and led local counsel with respect to the same.
  • Assisted global enterprises in designing and implementing EU GDPR compliance programs, policies, and procedures.
  • Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
  • Counseled clients on establishing and implementing procedures for exporting personal data from the EEA into the United States and other third countries.
  • Assisted companies in conducting data mapping exercises to identify the purpose, scope, and legal authorization for their data processing activities.
  • Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
  • Drafted employee data privacy notices for global companies that have staff or contractors in the EEA.
  • Assisted multiple U.S.-based companies in evaluating whether they are legally required to appoint a Data Protection Officer (DPO) in accordance with the GDPR.
  • Provided legal analysis to several global companies on whether they need to undertake a data protection impact assessment (DPIA) when implementing routine and common business practices, such as network/employee monitoring.
  • Assisted businesses in responding to data subjects invoking rights under the GDPR, including a data subject’s requests for access and/or erasure.

M&A Due Diligence & Cybersecurity Risk

  • Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
  • Assisted in identifying a target company’s data processing activities, including how it collects, retains, and disseminates personal information.
  • Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations, and industry standards.
  • Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.

Health & Medical Data Privacy

  • Appointed by state attorney general to counsel public university undertaking clinical trials in the European Union and the United Kingdom with respect to its legal obligations under data protection and pharmaceutical regulations and directives and, in conjunction with local counsel, develop and implement data protection and clinical trials compliance checklist.
  • Assisted covered entities in determining whether the unauthorized disclosure of protected health information constitutes a breach that warrants, in accordance with federal regulations, notification to the data subject and the Secretary of Health and Human Services.
  • Assisted covered entities and business associates in determining whether their encryption protocols satisfy certain technical safeguard requirements within the HIPAA Security Rule.
  • Drafted master contracts, including provisions governing data privacy and information security, for a global biopharmaceutical companies and their third-party contract research organizations.
  • Provided legal analysis to a late-stage drug testing firm on leveraging exemptions set forth in the GDPR to permit it to legally retain personal information concerning drug testing.
  • Determined whether a company’s notice and consent forms issued during medical clinical trial testing satisfy the EU Clinical Trials Regulation (No 536/2014) and other legal requirements.

Third Party IT Contracting

  • Drafted and negotiated a wide range of technology and data protection agreements and statements of work, including end user license agreements for software and embedded technology solutions; master service agreements with IT services providers; contracts and statements of work for cloud storage, penetration testing and vulnerability scanning, and managed IT services; and personal data processing, transfer, and security agreements.
  • Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.
  • Panel Discussion, “The New Axis of Evil Exposed: A Global Threat TTX,” The Ohio Information Security Summit, Cleveland, Ohio, October 23, 2023
  • Panel Discussion, “Succeeding in Your CMMC Journey,” Northeast Ohio CyberConsortium, Cleveland State University, April 27, 2023
  • “Achieving Cyber Wellness Amidst Third-Party Risk,” Webinar, Fortress Security Risk Management, April 24, 2023
  • “Startups Streamlined – Protecting Assets in a Digital World,” Thompson Hine LLP, August 2022
  • “Data Privacy Laws & How They Apply,” Northern Ohio Security Awareness Summit, Wadsworth, Ohio, June 10, 2022
  • Panel Discussion, “Managing High Risk Cyber Security Regions,” Northeast Ohio CyberConsortium, Lorain County Community College, April 22, 2022
  • Co-presenter, “Responding to a Cybersecurity Incident: Reporting and Disclosure Obligations,” Thompson Hine Investment Management Coffee Chat, March 2, 2022
  • “From California to New York – Complying with the Data Privacy Patchwork,” Information Security Summit, Cleveland, October 28, 2021
  • Panel Discussion, “Ethics in the Digital Age,” Webinar, Baldwin Wallace University School of Business, April 22, 2021
  • Panel Discussion, “Global Issues Related to Arbitrating Data Breaches and Privacy Rights,” ASIL Midyear Meeting, Case Western Reserve University School of Law, Cleveland, Ohio, October 29, 2020
  • “Cyber Risk Mitigation in the Chemical Sector,” SOCMA Power Hour: A Fall Webinar Series, October 1, 2020
  • “New Frontiers in Export & Technology Controls,” July 29, 2020
  • “Data Privacy Trends – How to Satisfy Privacy Notification Obligations in the Employment Arena,” Association of Corporate Counsel, February 27, 2020
  • “Building an Incident Response Program,” Information Security Summit, Cleveland, October 23, 2019
  • “The California Consumer Privacy Act: Implementing Sustainable Compliance Solutions,” Information Security Summit, Cleveland, October 23, 2019
  • Panel Discussion, “Comparing International Terrorism and Domestic Violent Extremism,” The Center for Strategic and International Studies, Washington, DC, September 16, 2019
  • “The Intersection of Legal and Cyber,” CSO Xchange, Cleveland, August 7, 2019
  • “Cyber Security – Are You Ready?,” SOCMA Executive Forum, University of Houston, May 23, 2019
  • “Staying Ahead of the Cybersecurity Curve: Practical Tips From the Experts,” Thompson Hine LLP, Cleveland, May 16, 2019
  • “Data Privacy, the CCPA and Contracts: What You Need to Know,” Association of Corporate Counsel, April 24, 2019
  • “What You Need to Know about Data Privacy Laws: International, Federal, State and Local,” The Association of Test Publishers, the Innovations in Testing Conference, Featured Speaker Session, March 18, 2019
  • “Meeting the Data Privacy Challenge: Complying with Multiple Laws in a Global Testing Environment,” The Association of Test Publishers, the Innovations in Testing Conference, March 19, 2019
  • “Reconciling the EU GDPR and US Discovery Obligations,” The William B. Bryant American Inn of Court, January 8, 2019
  • “GDPR: From Anticipation to Implementation,” Information Security Summit, October 25, 2018
  • “GDPR and Privacy Law,” Information Security Summit, October 23, 2018
  • “Understanding GDPR & Cyber Law,” BusinessTECH18 2018, October 18, 2018
  • “Privacy & Cybersecurity Compliance,” Thompson Hine Chief Compliance Officer Forum, October 4, 2018
  • “Strategies to Assess and Mitigate Cybersecurity Risks,” Ohio Electric Cooperatives, October 3, 2018
  • “Cybersecurity and Private-Public Partnerships,” Society for Corporate Governance, Cleveland, June 13, 2018
  • “Cybersecurity and Private-Public Partnerships,” USLFG Corporate and Securities Committee Meeting, Cleveland, May 15, 2018
  • “Cyber Threats & Public Private Partnerships,” Chemistry Council of New Jersey 34th Annual Spring Conference, Princeton, New Jersey, May 1, 2018
  • “Managing Tomorrow’s Cyber Threats Today,” Thompson Hine LLP, Cleveland, April 26, 2018
  • Cleveland-Marshall College of Law 2018 Cybersecurity and Privacy Protection Conference, Cleveland, March 22, 2018
  • “Cybersecurity Risks and Employee Benefit Plans,” WEB National Webinar, February 28, 2018
  • Named a Thomson Reuters Stand-out Lawyer, 2023 & 2024

Professional Associations

  • Bar Association of the District of Columbia
  • International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)
  • Northern Ohio InfraGard Members Alliance
  • Ohio State Bar Association

Education

  • Georgetown University Law Center, LL.M., 2011
  • University of Akron School of Law, J.D., 2007,

    editor, Akron Law Review

  • The Ohio State University, B.A., 2004

Bar Admissions

  • Ohio
  • District of Columbia

Court Admissions

  • U.S. District Court for the Northern District of Ohio
  • U.S. District Court for the Southern District of Ohio
  • U.S. Court of Appeals for the Sixth Circuit
Select a filter