Steven G. Stransky
Partner
Vice Chair, Privacy & Cybersecurity
As a partner in the firm’s Business Litigation, Privacy & Cybersecurity, and Government Contracts groups, Steve primarily focuses on advising clients on complex national and international privacy and information security issues. He assists clients in devising strategies to assess and mitigate cybersecurity risks and with maintaining compliance with federal, state, and foreign laws and regulations governing data privacy and security. He provides guidance on regulatory compliance and defends clients’ interests in litigation and government enforcement actions in the areas of data privacy and cybersecurity. In addition, Steve assists defense contractors and other private-sector businesses in satisfying cybersecurity standards issued by the federal government and in developing and maintaining insider threat programs.
Prior to joining Thompson Hine, Steve spent a total of 10 years serving in the federal government, including seven years with the U.S. Department of Homeland Security (DHS). While at DHS, he served as senior counsel in the Department’s Intelligence Law Division in Washington, D.C., where he oversaw the Department’s foreign intelligence, counterintelligence, and cybersecurity intelligence activities, including the production of cybersecurity threat assessments and data breach response recommendations for the private sector. Steve also provided guidance to DHS officials on designing and implementing programs and policies regulating the storage and safeguarding of classified and unclassified information and assisted DHS in designing and implementing an insider threat program in compliance with Executive Order 13587 and other national policies and standards.
In addition, Steve was selected to serve as a deputy legal adviser to the president’s National Security Council. In this role, he counseled White House officials on developing and coordinating a broad range of national security policies and programs, including on cybersecurity, intelligence and surveillance, and information sharing with foreign partners and the private sector.
Steve has obtained multiple credentials from the International Association of Privacy Professionals related to government and private sector data protection laws, statutes, regulations, and industry standards.
Also an adjunct law professor, Steve teaches courses on topics related to foreign affairs, intelligence activities, and national security law at the Frederick K. Cox International Law Center at Case Western Reserve University School of Law.
Data Privacy & Cybersecurity Compliance
- Assisted government contractors with adhering to the NIST standards and other federal regulations and rules regulating the safeguarding of sensitive information.
- Prepared data incident response plans and programs and assisted small, midsize, and large companies in responding to serious data incidents, including ransomware attacks, by providing data breach notifications to victims, law enforcement, and other government entities in accordance with federal, state, and foreign laws and regulations.
- Assisted energy sector companies with adhering to federal, state, and industry cybersecurity regulations and standards on the protection of operational control systems and customer personal information.
- Drafted online terms and conditions and privacy policies for domestic and global companies.
- Assisted government contractors and private businesses in establishing and maintaining insider threat programs to ensure the confidentiality and integrity of classified and other sensitive information.
- Prepared and negotiated third-party service provider agreements to address data privacy and information security, data breach liability, and confidentiality.
- Advised clients regarding compliance with the FTC Act, GLBA, HIPAA, CAN-SPAM, COPPA, and other privacy legislation.
California Consumer Privacy Act (CCPA)
- Performed data mapping to identify whether an organization’s data processing activities implicate California residents and the CCPA.
- Assessed and identified the current state of an organization’s policies and procedures to determine its compliance with the CCPA.
- Drafted privacy notices and statements to address the CCPA’s notice requirement, including drafting website privacy policies, employee privacy statements, and job candidate privacy notices.
- Drafted new, or supplemented existing, internal policies and procedures to address how an organization will intake, process, and respond to CCPA data requests (e.g., access, portability, erasure).
- Identified whether an organization “sells” personal information within the meaning of the CCPA, and, if so, developed mechanisms for customers to “opt in” or “opt out” of the sale of their personal information.
- Provided contractual terms for an organization to use with its third-party vendors to ensure they address each party’s obligations pursuant to the CCPA and responsibilities related to data processing, assistance, and security.
- Identified whether an organization offers financial incentives related to data processing and, if so, ensured such incentives align with the CCPA’s anti-discrimination requirements.
- Drafted new, or reviewed existing, data incident response plans to ensure they align with California’s legal requirements and best practices.
Data Breach Response Matters
- Assisted consumer goods company in investigating and responding to data breach arising from unauthorized access to, and exfiltration of, customer data from the company’s third-party e-commerce platform due to compromise of an employee’s account credentials.
- Counseled services industry business regarding Office 365 intrusion that resulted in malicious actor disseminating fraudulent invoices to customers from spoofed Internet domain.
- Represented defense contractor in joint investigation by the Department of Defense and Federal Bureau of Investigation arising from Maze ransomware attack that potentially exposed controlled unclassified information, which resulted in the closure of the case without adverse action to client.
- Assisted global manufacturing company in responding to ransomware attack that compromised sensitive employee and customer data, partnering with European Union counsel to facilitate notifications to supervisory authorities pursuant to the European Union (EU) General Data Protection Regulation and EU Member State law.
- Counseled healthcare business associate regarding technical anomaly within its online patient portal that resulted in unauthorized disclosure of medical records and protected health information and drafted formal data breach notification communications and reports.
- Advised private sector company with respect to an incident involving the unauthorized disclosure of sensitive employee data and invoking the “good faith” exception within certain U.S. state data breach notification laws.
- Assisted global manufacturing company with response to the inadvertent disclosure of export-controlled data to foreign nationals, and with drafting, preparing, and submitting voluntary disclosures to the relevant federal department arising from the same.
- Assisted employee health plan in investigating and responding to data breach that occurred within business associate’s information technology environment that resulted in unauthorized access to employees’ protected health information.
- Assisted supply chain defense contractor with response to ransomware attack that compromised the confidentiality of sensitive employee data and controlled unclassified information, including drafting and submitting formal data breach notices to impacted individuals and government agencies.
The General Data Protection Regulation (GDPR)
- Assisted global enterprises in designing and implementing EU GDPR compliance programs, policies, and procedures.
- Drafted webpage privacy policies for companies marketing and selling goods, services, and products in the European Economic Area (EEA).
- Counseled clients on establishing and implementing procedures for exporting personal data from the EEA into the United States and other third countries.
- Assisted companies in conducting data mapping exercises to identify the purpose, scope, and legal authorization for their data processing activities.
- Drafted multiple joint controller and controller-to-processor data processing agreements for global corporations and their third-party service providers and contractors.
- Drafted employee data privacy notices for global companies that have staff or contractors in the EEA.
- Assisted multiple U.S.-based companies in evaluating whether they are legally required to appoint a Data Protection Officer (DPO) in accordance with the GDPR.
- Provided legal analysis to several global companies on whether they need to undertake a data protection impact assessment (DPIA) when implementing routine and common business practices, such as network/employee monitoring.
- Assisted businesses in responding to data subjects invoking rights under the GDPR, including a data subject’s requests for access and/or erasure.
M&A Due Diligence & Cybersecurity Risk
- Provided businesses, including private investment firms, with data privacy and cybersecurity due diligence risk assessments in the M&A context.
- Assisted in identifying a target company’s data processing activities, including how it collects, retains, and disseminates personal information.
- Assessed whether a business’s data processing and cybersecurity measures satisfy federal, state, and foreign laws and regulations, and industry standards.
- Provided recommendations, including representations and warranties, to purchasing companies to mitigate data privacy and cybersecurity risks when purchasing target companies.
Health & Medical Data Privacy
- Assisted covered entities in determining whether the unauthorized disclosure of protected health information constitutes a breach that warrants, in accordance with federal regulations, notification to the data subject and the Secretary of Health and Human Services.
- Assisted covered entities and business associates in determining whether their encryption protocols satisfy certain technical safeguard requirements within the HIPAA Security Rule.
- Drafted master contracts, including provisions governing data privacy and information security, for global biopharmaceutical companies and their third-party contract research organizations.
- Provided legal analysis to a late-stage drug testing firm on leveraging exemptions set forth in the GDPR to permit it to legally retain personal information concerning drug testing.
- Determined whether a company’s notice and consent forms issued during medical clinical trial testing satisfy the EU Clinical Trials Regulation (No 536/2014) and other legal requirements.
Third Party IT Contracting
- Drafted and negotiated a wide range of technology and data protection agreements and statements of work, including end user license agreements for software and embedded technology solutions; master service agreements with IT services providers; contracts and statements of work for cloud storage, penetration testing and vulnerability scanning, and managed IT services; and personal data processing, transfer, and security agreements.
- Routinely advised clients on third-party data security standards, data confidentiality and protection obligations, limited use and ‘do not sell’ clauses, third-party data assistance, cross-border data transfers and data localization, cyber insurance, and data breach response investigation, notification, and indemnification.
- "New CCPA regulatory provisions seek to clarify business requirements," IAPP, March 17, 2021
- “How Cos. Can Build Effective Data Privacy Appeals Processes,” Law360, March 2021
- Quoted in “In-House Counsel Face Growing Privacy, Cybersecurity To-Do Lists,” Bloomberg Law, March 2021
- Quoted in "Virginia's New Privacy Law Is Just Different Enough to Give Compliance Headaches," Law.com, March 9, 2021
- Quoted in "Water Plant Hack Underscores Utilities' Glaring IT Risks," Law360, March 5, 2021
- “Virginia Enacts New Data Privacy and Cybersecurity Law,” Thompson Hine Privacy & Cybersecurity Update, March 2021
- “Responding to the SolarWinds Breach: Compliance and Oversight Considerations,” Thompson Hine Privacy & Cybersecurity Update, December 2020
- "White House enacts IoT cybersecurity law for federal agencies," IAPP, December 8, 2020
- Quoted in "Cyber Consulting Firms Get Tied Up in Post-Breach Lawsuits," Bloomberg Law, November 10, 2020
- “California Voters Approve New Data Privacy Law,” Thompson Hine Privacy & Cybersecurity Update, November 2020
- “DoD Publishes Interim Cybersecurity Rule on CMMC and DoD Assessments,” Thompson Hine Government Contracts Update, October 2020
- "California Legislature Extends CCPA's Exemptions for Personal Information in the Employment and Business-to-Business Context," Thompson Hine Privacy & Cybersecurity Update, September 2020
- “Final CCPA Regulations Approved, Effective Immediately,” Thompson Hine Privacy & Cybersecurity Update, August 2020
- “European Court Invalidates Privacy Shield; Upholds Model Clauses (For Now),” Thompson Hine Privacy & Cybersecurity Update, July 2020
- “CCPA Draft Regulations: Privacy Notices and Accessibility in the Employment Context” IAPP's Privacy Tracker, July 2020
- “The new CCPA draft regulations: Identity verification,” IAPP's Privacy Tracker, June 2020
- “From Contact Tracing to Virtual Temperature Taking: Privacy Considerations for Employers,” The Computer & Internet Lawyer, Volume 37, Number 7, July/August 2020
- “California Releases Final CCPA Regulations Ahead of July 1 Enforcement Deadline,” Thompson Hine Privacy & Cybersecurity Update, June 2020
- Co-author, "Cybersecurity Considerations for Retirement Plan Fiduciaries," Thompson Hine ERISA Litigation Trends & Insights blog, May 28, 2020
- "The new CCPA draft regulations: Defining the scope of personal information," IAPP's Privacy Tracker, May 2020
- "From Contact Tracing to Virtual Temperature Taking: Privacy Considerations for Employers," Thompson Hine Privacy & Cybersecurity Update, May 2020
- “Recent Executive Actions Focus on Bulk-Power System Grid Security and Supply Chain,” Thompson Hine International Trade Update, May 2020
- “New York’s SHIELD Act Now Effective – Take Steps to Ensure Compliance,” Thompson Hine Privacy & Cybersecurity Update, April 2020
- “COVID-19 Giveaways: Avoiding the Pitfalls of Charitable Promotions and Marketing,” Thompson Hine COVID-19 Update, April 2020
- "From Employers to Homeschooling to Healthcare: Federal Government Provides Guidance Clarifying Data Privacy Requirements During COVID-19," Thompson Hine COVID-19 Update, April 2020
- "When Your Critical Service Providers Telecommute: Risks and Tips," Thompson Hine COVID-19 Update, March 2020
- “Review Teleworking Cybersecurity Policies and Practices,” Thompson Hine COVID-19 Update, March 2020
- "Frequently Asked Questions About COVID-19 and Employment Privacy," Thompson Hine COVID-19 Update, March 2020
- "California Attorney General Publishes Modifications to CCPA Regulations," Thompson Hine Privacy & Cybersecurity Update, March 2020
- “Cyber Attackers Are Exploiting Coronavirus Fears,” Lawfare, March 2020
- "DHS issues cybersecurity warning to businesses," IAPP's The Privacy Advisor, January 31, 2020
- Quoted in "Execs On Notice After Report of Saudi Bezos Cellphone Hack," Law360, January 22, 2020
- “Are you prepped for the influx of IoT security laws? It starts in Calif.,” IAPP’s The Privacy Advisor, November 2019
- "California’s New Data Privacy Law Coming into Focus," Thompson Hine Privacy & Cybersecurity Update, October 2019
- “‘Pre-Ticked’ Boxes to Obtain Cookie Use Consent Fail Under EU Law,” Thompson Hine Privacy & Cybersecurity Update, October 2019
- "Nevada's 'Opt-Out' Privacy Law and the Future of Data Protection," Thompson Hine Privacy & Cybersecurity Update, October 2019
- “California’s New Privacy Law: Recent Amendments and Approaching Compliance Deadlines,” Thompson Hine Privacy & Cybersecurity Update, September 2019
- “DOD’s Cybersecurity Maturity Model Certification and Draft CMMC Model Framework,” Thompson Hine Government Contracts Update, September 2019
- “State Biometric Privacy Legislation: What You Need to Know,” Thompson Hine Privacy & Cybersecurity Update, September 2019
- “Applying EU Guidance on Real-Time Bidding Beyond the GDPR,” Thompson Hine Business Law Update, Summer 2019
- Thompson Hine Compliance Check 2020: Data Privacy, August 2019
- “New York SHIELD Act Expands Privacy and Cybersecurity Obligations,” Thompson Hine Privacy and Cybersecurity Update, July 2019
- “Applying EU Guidance on Real-Time Bidding Beyond the GDPR,” Thompson Hine Privacy & Cybersecurity Update, July 2019
- “Washington’s New Data Breach Law Follows Enhanced Privacy Protection Trends,” Thompson Hine Privacy & Cybersecurity Update, May 2019
- “Cybersecurity, Compliance and Culture in M&A Transactions,” Thompson Hine Business Law Update, Spring 2019
- "Learning From the Past in Addressing Domestic Terrorism," Lawfare, April 12, 2019
- "Accessing Personal Data in European Criminal Investigations," Pratt's Privacy and Cybersecurity Law Report, April 2019
- “Intel Chiefs Testify on Global Threats, Cybersecurity and Elections,” Lawfare, January 30, 2019
- Quoted in "'Dark Overlord' Hack Another Cautionary Tale For Law Firms," Law360, January 2019
- “Preparing for Ohio’s Cybersecurity Safe Harbor Law,” Pratt's Privacy and Cybersecurity Law Report, January 2019
- “Canada’s New Data Breach Law Creates Unique Obligations for Businesses,” Thompson Hine Privacy & Cybersecurity Update, November 2018
- Co-author, “Border searches of your e-device: encryption may be of limited value in protecting client data,” The Law for Lawyers Today, October 2018
- “California Becomes First State to Regulate Internet-Connected Devices,” Thompson Hine Privacy & Cybersecurity Update, October 2018
- "The National Cyber Strategy and Legal Reform," Lawfare, October 8, 2018
- Quoted in “New WH Cyber Strategy Talks Big Game, But Has Big Holes,” Law360, October 3, 2018
- “Amendments to California Privacy Law Will Impact Businesses,” Thompson Hine Privacy & Cybersecurity Update, October 2018
- “Border Searches and the Limits of Encryption in Protecting Privileged Information,” American Bar Association Litigation Magazine, Summer 2018
- “Enhancing Cyber Threat Information Sharing,” Pratt's Privacy & Cybersecurity Law Report, July/August 2018
- “California Expands Consumer Privacy Protections,” Thompson Hine Privacy & Cybersecurity Update, July 2018
- Quoted in "Data privacy at work," Crain's Cleveland Business, May 2018
- "Adviser: Strengthen Your Data Mapping in the Era of GDPR," Crain's Cleveland Business, May 2018
- “CEA Report: Cost of Malicious Cyber Activity to the U.S. Economy,” Thompson Hine Privacy & Cybersecurity Update, February 2018
- “The Uber Hack, State Enforcement and Strategic Planning,” Thompson Hine Business Law Update, Winter 2018
- “FERC Proposes Cybersecurity Incident Reporting Rule,” Thompson Hine Privacy & Cybersecurity Update, January 2018
- “Telephone Metadata and the Fourth Amendment: An Overview of Recent Case Law,” 35 St. Louis U. Pub. L. Rev 3, Fall 2015
- Co-author, “Regulating Classified and Controlled Unclassified Information,” Whistleblowers, Leaks, and the Media: The First Amendment and National Security, American Bar Association, 2014
- “Re-Examining the Falkland Islands War: The Necessity for Multi-Level Deterrence in Preventing Wars of Aggression,” 39 Ga. J. Int’l & Comp. L. 2, Fall 2012
- “The Nuclear Nonproliferation Treaty and Pakistan: Interpreting Nuclear Security Assistance Prohibitions,” 23 Fla. J. Int’l L. 2, Spring 2011
- “Sanchez-Llamas v. Oregon: A Missed Opportunity in Treaty Interpretation,” 20 St. Thomas L. Rev. 25, 2007
- Panel Discussion, "Global Issues Related to Arbitrating Data Breaches and Privacy Rights," ASIL Midyear Meeting, Case Western Reserve University School of Law, Cleveland, Ohio, October 29, 2020
- "Cyber Risk Mitigation in the Chemical Sector," SOCMA Power Hour: A Fall Webinar Series, October 1, 2020
- "New Frontiers in Export & Technology Controls," July 29, 2020
- "Data Privacy Trends - How to Satisfy Privacy Notification Obligations in the Employment Arena," Association of Corporate Counsel, February 27, 2020
- "Building an Incident Response Program," Information Security Summit, Cleveland, October 23, 2019
- "The California Consumer Privacy Act: Implementing Sustainable Compliance Solutions," Information Security Summit, Cleveland, October 23, 2019
- Panel Discussion, "Comparing International Terrorism and Domestic Violent Extremism," The Center for Strategic and International Studies, Washington, DC, September 16, 2019
- "The Intersection of Legal and Cyber," CSO Xchange, Cleveland, August 7, 2019
- "Cyber Security - Are You Ready?", SOCMA Executive Forum, University of Houston, May 23, 2019
- "Staying Ahead of the Cybersecurity Curve: Practical Tips From the Experts," Thompson Hine LLP, Cleveland, May 16, 2019
- "Data Privacy, the CCPA and Contracts: What You Need to Know," Association of Corporate Counsel, April 24, 2019
- “What You Need to Know about Data Privacy Laws: International, Federal, State and Local,” The Association of Test Publishers, the Innovations in Testing Conference, Featured Speaker Session, March 18, 2019
- “Meeting the Data Privacy Challenge: Complying with Multiple Laws in a Global Testing Environment,” The Association of Test Publishers, the Innovations in Testing Conference, March 19, 2019
- “Reconciling the EU GDPR and US Discovery Obligations,” The William B. Bryant American Inn of Court, January 8, 2019
- “GDPR: From Anticipation to Implementation,” Information Security Summit, October 25, 2018
- “GDPR and Privacy Law,” Information Security Summit, October 23, 2018
- “Understanding GDPR & Cyber Law,” BusinessTECH18 2018, October 18, 2018
- “Privacy & Cybersecurity Compliance,” Thompson Hine Chief Compliance Officer Forum, October 4, 2018
- “Strategies to Assess and Mitigate Cybersecurity Risks,” Ohio Electric Cooperatives, October 3, 2018
- “Cybersecurity and Private-Public Partnerships,” Society for Corporate Governance, Cleveland, June 13, 2018
- “Cybersecurity and Private-Public Partnerships,” USLFG Corporate and Securities Committee Meeting, Cleveland, May 15, 2018
- "Cyber Threats & Public Private Partnerships," Chemistry Council of New Jersey 34th Annual Spring Conference, Princeton, New Jersey, May 1, 2018
- “Managing Tomorrow’s Cyber Threats Today,” Thompson Hine LLP, Cleveland, April 26, 2018
- Cleveland-Marshall College of Law 2018 Cybersecurity and Privacy Protection Conference, Cleveland, March 22, 2018
- "Cybersecurity Risks and Employee Benefit Plans," WEB National Webinar, February 28, 2018
Professional Associations
- Bar Association of the District of Columbia
- International Association of Privacy Professionals, Certified Information Privacy Professional/Government (CIPP/G), Certified Information Privacy Professional/United States (CIPP/US)
- Ohio State Bar Association