Overview

As senior counsel in the firm’s Business Litigation, Privacy & Cybersecurity, and Government Contracts groups, Steve primarily focuses on advising clients on complex national and international privacy and information security issues. He assists clients in devising strategies to assess and mitigate cybersecurity risks and with maintaining compliance with federal, state, and foreign laws and regulations governing data privacy and security. He provides guidance on regulatory compliance and defends clients’ interests in litigation and government enforcement actions in the areas of data privacy and cybersecurity. In addition, Steve assists defense contractors and other private-sector businesses in satisfying cybersecurity standards issued by the federal government and in developing and maintaining insider threat programs.

Prior to joining Thompson Hine, Steve spent a total of 10 years serving in the federal government, including seven years with the U.S. Department of Homeland Security (DHS). While at DHS, he served as senior counsel in the Department’s Intelligence Law Division in Washington, D.C., where he oversaw the Department’s foreign intelligence, counterintelligence, and cybersecurity intelligence activities, including the production of cybersecurity threat assessments and data breach response recommendations for the private sector. Steve also provided guidance to DHS officials on designing and implementing programs and policies regulating the storage and safeguarding of classified and unclassified information and assisted DHS in designing and implementing an insider threat program in compliance with Executive Order 13587 and other national policies and standards.

In addition, Steve was selected to serve as a deputy legal adviser to the president’s National Security Council. In this role, he counseled White House officials on developing and coordinating a broad range of national security policies and programs, including on cybersecurity, intelligence and surveillance, and information sharing with foreign partners and the private sector.

Also an adjunct law professor, Steve teaches courses on topics related to foreign affairs, international law, and national and international security.

Experience
Data Privacy & Cybersecurity Compliance
  • Assisted government contractors with adhering to the NIST standards and other federal regulations and rules regulating the safeguarding of sensitive information.
  • Prepared data incident response plans and programs and assisted small, midsize, and large companies in responding to serious data incidents, including ransomware attacks, by providing data breach notifications to victims, law enforcement, and other government entities in accordance with federal, state, and foreign laws and regulations.
  • Assisted energy sector companies with adhering to federal, state, and industry cybersecurity regulations and standards on the protection of operational control systems and customer personal information.
  • Drafted online terms and conditions and privacy policies for domestic and global companies.
  • Assisted government contractors and private businesses in establishing and maintaining insider threat programs to ensure the confidentiality and integrity of classified and other sensitive information.
  • Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
  • Advised clients regarding compliance with the FTC Act, GLBA, HIPAA, CAN-SPAM, COPPA, and other privacy legislation.
The General Data Protection Regulation (GDPR)
  • Assisted global enterprises in designing and implementing EU GDPR compliance programs, policies, and procedures.
  • Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
  • Counseled clients on establishing and implementing procedures for exporting personal data from the EEA into the United States and other third countries.
  • Assisted companies in conducting data mapping exercises to identify the purpose, scope, and legal authorization for their data processing activities.
  • Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
  • Drafted employee data privacy notices for global companies that have staff or contractors in the EEA.
  • Assisted multiple U.S.-based companies in evaluating whether they are legally required to appoint a Data Protection Officer (DPO) in accordance with the GDPR.
  • Provided legal analysis to several global companies on whether they need to undertake a data protection impact assessment (DPIA) when implementing routine and common business practices, such as network/employee monitoring.
  • Assisted businesses in responding to data subjects invoking rights under the GDPR, including a data subject’s requests for access and/or erasure.
M&A Due Diligence & Cybersecurity Risk
  • Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
  • Assisted in identifying a target company’s data processing activities, including how it collects, retains, and disseminates personal information.
  • Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations, and industry standards.
  • Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.
Health & Medical Data Privacy
  • Assisted covered entities in determining whether the unauthorized disclosure of protected health information constitutes a breach that warrants, in accordance with federal regulations, notification to the data subject and the Secretary of Health and Human Services.
  • Assisted covered entities and business associates in determining whether their encryption protocols satisfy certain technical safeguard requirements within the HIPAA Security Rule.
  • Drafted master contracts, including provisions governing data privacy and information security, for a global biopharmaceutical companies and their third-party contract research organizations.
  • Provided legal analysis to a late-stage drug testing firm on leveraging exemptions set forth in the GDPR to permit it to legally retain personal information concerning drug testing.
  • Determined whether a company’s notice and consent forms issued during medical clinical trial testing satisfy the EU Clinical Trials Regulation (No 536/2014) and other legal requirements.

Publications
Presentations
  • “Privacy & Cybersecurity Compliance,” Thompson Hine Chief Compliance Officer Forum, October 04, 2018
  • “Strategies to Assess and Mitigate Cybersecurity Risks,” Ohio Electric Cooperatives, October 3, 2018
  • “Cybersecurity and Private-Public Partnerships,” Society for Corporate Governance, Cleveland, June 13, 2018
  • “Cybersecurity and Private-Public Partnerships,” USLFG Corporate and Securities Committee Meeting, Cleveland, May 15, 2018
  • "Cyber Threats & Public Private Partnerships," Chemistry Council of New Jersey 34th Annual Spring Conference, Princeton, New Jersey, May 1, 2018
  • “Managing Tomorrow’s Cyber Threats Today,” Thompson Hine LLP, Cleveland, April 26, 2018
  • Cleveland-Marshall College of Law 2018 Cybersecurity and Privacy Protection Conference, Cleveland, March 22, 2018
  • "Cybersecurity Risks and Employee Benefit Plans," WEB National Webinar, February 28, 2018
Professional and Civic

Professional Associations

  • Bar Association of the District of Columbia
  • International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G)
  • Ohio State Bar Association
Events