Experience

• • The Home Depot in an internal investigation following a data breach that exposed the personal information of tens of millions of individuals.
  • A global, publicly traded financial technology company in responding to and investigating security vulnerabilities in one of its newly acquired subsidiaries, as well as addressing inquiries from multiple state regulators.
  • Viacom in securing dismissal of a nationwide privacy lawsuit that alleged it illegally shared data regarding the Internet activity of children who visited Nickelodeon websites.
  • Royal Bank of Canada in responding to a significant data breach at one of its vendors.
  • Capital One in responding to a significant data breach that resulted in the apprehension and federal prosecution of the hacker, Paige Thompson.
  • A leading financial institution in resolving a dispute with a service provider concerning its complex method of accessing our client’s customer data.
  • BMO Financial Group in litigation concerning a large-scale breach of Hilton Hotels.
  • A Fortune 100 global financial institution in responding to an issue that exposed data relating to more than half a million customers and raised international issues involving a recent data security law.
  • A major domain registrar and web hosting company as cybersecurity counsel in the corporate defense of a European subsidiary facing a publicized data breach of personal data of more than 200k customers.
  • Led investigation for global, public company to root out national security APT hacking group and address numerous regulatory considerations.
  • Edward Jones Trust Company on a wide range of cybersecurity matters, from advisory work to incident response.
  • A major banking institution in an investigation of fraudulent wire transfers made by a third-party service provider.
  • A major banking institution in responding to an insider cyber threat to its systems.
  • A public utility company in an internal investigation into the cybersecurity and data privacy threats posed by an insider threat.
  • A Fortune 100 financial services entity in an internal investigation following a widespread business continuity event triggered by a large-scale data center outage.
  • A global Fortune 500 company in a $9 million cyber-enabled fraud involving one of its merchants.
  • A prominent retail chain in neutralizing a significant ransomware attack that disrupted company operations.
  • A media client in interdicting a fraudulent wire initiated by a cybercrime group.
  • A technology-enabled healthcare company in responding to and containing a significant ransomware attack that disrupted certain company operations.
  • A leading private equity firm in investigating and responding to a cybersecurity incident involving diverted wire transfers.
  • A publicly traded multinational professional services company in successfully averting a potentially catastrophic ransomware attack by a well-known and sophisticated ransomware group.
  • A multinational data networking and telecommunications equipment company on a cybersecurity incident involving the company’s operations in Russia.
  • A leading professional services firm in the investigation of a malware incident affecting their computer network.
  • An accounting firm in an internal investigation in response to a data misuse incident.
  • A publicly traded technology company to assist in investigating and responding to apparent malicious behavior by a former employee.
  • A leading e-commerce consumer products company in responding to a cyber incident at one of the company’s subsidiaries.
  • A world-leading blockchain company following a cybersecurity incident, resulting in efforts by the hacker to defraud investors.
  • A foreign government in the investigation of a cyber attack alleged to have been part of a major geopolitical dispute involving multiple other countries.
  • A financial services company in incident response efforts following a potential compromise of one of its vendor’s systems.
  • A major online retailer in the healthcare space in responding to a “credential stuffing” cyberattack.
  • An internal cyber and data privacy investigation for a global client of the firm concerning operations in Eastern Europe.
  • A leading private equity firm in responding to an incident in which a fraudster created a website that was a near duplicate of the firm's as part of a scheme to defraud individuals.
  • A major financial institution in conducting incident response planning.
  • Several media and technology companies in responding to ransomware attacks.
  • A major mining company in responding to a data breach that exposed confidential internal documents and the personal identification information of employees.
  • A major insurance company in responding to a data security incident that exposed customers’ data.
  • A prominent Internet service provider in regulatory investigations regarding online child safety, and an investigation regarding its delivery of marketing messages to its users.
  • A major U.S. banking organization in a U.S. regulatory inquiry as to its cross-border data safeguarding practices and its customer privacy notices.
  • A major multinational bank in data privacy and use issues arising out of its sale of certain businesses to another firm.
  • A major electronic gaming company in all aspects of its response to a remote hacking incident that exposed certain personal information of consumers, triggering data breach disclosure obligations under state laws.
  • A major U.S.-based bank in its internal investigation relating to its loss of back-up tapes containing the non-public personal information of millions of consumers.
  • A major sports league in privacy issues relating to the collection, transfer and use of personal data, as well as protection of data about children.
  • Multiple publicly traded companies in their cybersecurity risk disclosures in SEC filings.
  • A major consumer electronics company with respect to allegations that its external storage devices created security risks on personal computers.
  • Two UK-based video game developers in a consumer fraud class-action lawsuit arising out of their use of copy-protection software on their game DVDs.
  • A leading Russian bank on the personal data protection and banking secrecy issues related to the transfer of the credit portfolio and integration of IT systems.
  • A software company in consumer class actions alleging that malicious third parties could obtain personally identifiable information from computers without consultation and that the defendant violated state and federal consumer fraud and anti-spyware laws.
  • A consulting firm that experienced a series of data breaches due to deficiencies in its web-based interface and technology.
  • Sony BMG Music Entertainment in consumer class actions and government investigations alleging that software distributed by the company created security vulnerabilities in violation of state and federal consumer fraud laws and a state anti-spyware law.
  • ABC, ESPN, Hulu, MTV Networks, MySpace and NBC Universal in a consumer fraud and electronic privacy putative class action relating to the use of Adobe Flash “zombie cookies” by the co-defendant, a web analytics company.
  • MySpace in an electronic privacy putative class action concerning its response to out-of-state search warrants.
  • Metacafe in an electronic privacy putative class action concerning its use of Flash cookies and other aspects of its stated privacy policies.
  • JSTOR, the leading database of scholarly materials, in the criminal case, U.S. v. Swartz, 11 CR 10260 (D. Mass.) and in related civil matters arising out of the unauthorized downloading by Aaron Swartz of most of the JSTOR database.
  • Major global companies such as Siemens AG, Ferrostaal AG (both headquartered in Germany) and several U.S. domiciled enterprises, in several investigations where we established methodologies that permitted sharing of results from the investigations with public authorities in several countries, including the U.S., in compliance with data protection laws of EU member states including Austria, France, the United Kingdom and Italy.
  • Prudential Financial in cybersecurity and data privacy due diligence in connection with its $2.35 billion acquisition of Assurance IQ.
  • John Hancock, Guardian Life, PayPal and numerous other clients in conducting the risk assessment required by the New York Department of Financial Services Cybersecurity Regulation.
  • The Financial System Analysis and Resilience Center (FSARC) as cybersecurity and national security counsel.
  • A large insurance company on a broad range of cybersecurity and data privacy issues including related to the DFS cybersecurity regulation, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
  • A major auto manufacturer in updating their cyber incident response program and assisting in response to a cybersecurity matter affecting the company.
  • A large financial services company in a global, enterprise-wide cybersecurity risk assessment.
  • Two major sports leagues in designing privacy compliance programs to respond to the California Consumer Privacy Act. 
  • A large vitamins and supplement manufacturer in ongoing privacy and cybersecurity advice on the company’s compliance with U.S. privacy laws as well as international law, particularly GDPR.
  • A professional sports league on a wide range of data privacy and security issues, including compliance with US privacy laws, obligations under GDPR, and privacy architecture for global expansion.
  • Several financial, media and entertainment companies in creating incident response plans and tabletop exercises.
  • Several private equity firms in cybersecurity reviews in connection with technical forensic vendors.
  • Several publicly traded companies regarding cybersecurity disclosures in SEC and other regulatory filings.
  • An investment trade association regarding its data privacy agreement and policy.
  • A risk management company with respect to Fair Credit Reporting Act matters.
  • Numerous financial services and media companies and other clients with respect to their privacy policies and website terms of service, particularly regarding their right to merge, mine and transfer data and to market products and services to their consumers using data collected online.
  • Two major professional sports leagues in inquiries by the Children’s Advertising Review Unit of the Council of Better Business Bureaus concerning children’s online privacy.