CISO and Other Personal Cyber Liability Pitfalls


Level: Intermediate
Runtime: 40 minutes
Recorded Date: April 18, 2024
Closed Caption

Agenda

  • CISO – Personal Cyber-Liability
  • Effective Management of Legal Risk
  • CISOs: Legal Counsel & Recognition
  • Potential Criminal Implications
  • CISO's Concerns
  • CISO's Concerns: Solutions
  • CISOs: Liability Concerns
  • CISOs: Insurance Coverage
  • Liability Protection
  • Collaborative Efforts
  • NACD Guidance

For NY - Difficulty Level: Both newly admitted and experienced attorneys

Description

The discussion, led by experienced practitioners in privacy, incident response, and litigation, emphasizes the necessity for CISOs to challenge FTC settlements, prioritize collaboration between legal and security teams, and establish strong relationships with outside counsel.

Insights are shared on handling thousands of cyber liability matters, avoiding misrepresentations to regulatory agencies, and the importance of reviewing and negotiating cyber liability policies to protect against potential liabilities. Throughout the forum, the speakers stress the need for clear communication, collaboration between CISOs and General Counsel, and proactive measures to manage personal cyber liability risks effectively.

Provided By

Securities Docket

Panelists

Joseph Santiesteban

Partner
Orrick Herrington & Sutcliffe LLP

Joseph Santiesteban is a trusted cyber law advisor. He regularly advises clients regarding incident response, as well as litigation and government enforcement that commonly arise from privacy and cybersecurity incidents.
He uses this experience to offer clients practical advice regarding their data innovation and incident preparedness strategies. He also provides strategic advice to cybersecurity companies, including those looking to push technological boundaries in cyber defense, incident response, and threat intelligence.
Joseph regularly advises companies regarding privacy and cybersecurity incident response, including directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations, and advising regarding communications strategies. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.
Joseph uses his experience to help clients leverage the value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs, and solidify brand and consumer trust. This includes guiding clients through the complexity of federal privacy and cybersecurity laws and regulations, including the Electronic Communications Privacy Act (ECPA), the Federal Trade Commission Act (FTC Act), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA), state privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA), international laws such as the European Union General Data Protection Regulation (GDPR), and self-regulatory frameworks, including those covering online advertising and payment card processing. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle.
Joseph also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Edward R. McNicholas

Partner
Ropes & Gray

Edward R. McNicholas is a co-leader of Ropes & Gray’s privacy & cybersecurity practice. He represents technologically sophisticated clients facing complex data, privacy, and cybersecurity issues in litigation, investigative, and counseling matters. His clients include financial institutions, technology companies, insurance companies, branded pharma companies, healthcare providers, and e-commerce and other retailers. Ed has significant experience with investigations and class action litigation related to cybersecurity incidents, as well as enforcement actions by the FTC, state Attorneys General, the SEC, OCR, Data Protection Authorities outside of the U.S., and other government agencies. He leads internal investigation and litigation matters that frequently involve complex, multi-jurisdictional, and multi-national litigation issues, particularly federal court jurisdictional and constitutional concerns related to the First and Fourth Amendments. Ed has experience dealing with Internet and information law matters involving data breaches, ransomware, online brand protection, trade secrets, social media, e-commerce, and national security issues. Ed also advises clients on the full range of federal, state and foreign privacy and data security requirements including in the areas of financial privacy, health care privacy, communications privacy, ad-tech, cybersecurity, and national security. Ed’s counseling practice also includes other areas of technology law, such as electronic surveillance, cloud computing, the Internet of Things, trade secrets, online advertising, social media and big data/data science.
He frequently helps companies design global data governance programs to allow for efficient data transfers across corporate entities governed by multiple privacy regimes, such as US privacy laws, including the Gramm Leach Bliley Act, HIPAA, and the California Consumer Privacy Act (CCPA), as well as the EU’s General Data Protection Regulation (GDPR) and the various privacy and cybersecurity regimes in China and across Asia. Ed previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Ed has developed unique experience representing clients in the midst of media-driven legal challenges. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents. Ed is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He is the lead editor of the PLI treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.

Maneesha Mithal

Associate Director, Division of Privacy and Identity Protection
Bureau of Consumer Protection

Maneesha Mithal is a partner in the privacy and cybersecurity practice in the Washington, D.C., office of Wilson Sonsini Goodrich & Rosati, where she advises clients on privacy, cybersecurity, and consumer protection matters and represents companies in regulatory investigations. She is also one of the founding members of Wilson Sonsini’s AI group.
Maneesha is an internationally recognized expert on privacy and data security, having led the Federal Trade Commission’s (FTC’s) Division of Privacy and Identity Protection prior to joining the firm. In this capacity, Maneesha oversaw a team of 40 lawyers responsible for the enforcement of privacy and security laws and the development of policy positions in areas such as artificial intelligence, facial recognition, biometrics, and connected cars, as well as health privacy, children’s privacy, ransomware, and the intersection of privacy and competition. She was also responsible for enforcing the Fair Credit Reporting and Gramm-Leach-Bliley Act Safeguards Rule. She led the negotiation of numerous privacy and data security settlements and managed the first litigated FTC decisions on cybersecurity issues. Maneesha also worked with congressional staff on federal privacy legislation, with state attorney general offices on joint investigations, and with other federal and international agencies on a variety of initiatives.
Earlier in her career, as a manager with the FTC’s International Consumer Protection Division, Maneesha worked on European privacy issues and served as a U.S. delegate to the privacy committees of the OECD and APEC.
Maneesha previously served as Chief of Staff and Senior Counsel in the Bureau of Consumer Protection (BCP), where she reviewed advertising cases and financial consumer protection matters, and held various positions in BCP’s International Division, including as Acting Associate Director. She began her legal career as a litigator at Covington & Burling.
Maneesha is a frequent speaker at industry events, including IAPP- and ABA-led panels.

David C. Lashway

Partner & Global Cybersecurity Practice Leader
Sidley Austin

David Lashway is acknowledged as one of the leading lawyers for crisis management, cybersecurity, data security incidents, misinformation, trade secret theft, and related investigation matters.
He has advised private and public organizations on significant and material cybersecurity incidents across almost every critical infrastructure sector, including financial services, energy, manufacturing, technology, water, defense, municipal government, retail, transportation, and hospitality industries. He has significant experience in addressing election security and misinformation-related issues, and was deeply involved in the investigations into the 2016 and 2020 actions targeting various U.S. political parties. He has served as the lead lawyer advising on the legal response to operationally impactful malware for a number of Fortune 500 entities, and led the incident response, associated investigations and litigations for several companies impacted by the NotPetya malware incident. He routinely leads responses to ransomware-related matters.
David has been regularly named as one of the leading attorneys in surveys of the best attorneys for cybersecurity globally. In a recent ranking, _The Legal 500_ noted that clients describe him as “a brilliant lawyer and strategist. He is very intelligent and his performance in front of boards and management teams have been some of the best I have ever seen.” Another client noted that “David Lashway is exceptionally knowledgeable and conversant in cyber incident response, cyber threat intelligence, legislation and authorities’ issues, and national security matters.” He is recognized as a leading lawyer in incident response in the 2021 edition of _Chambers USA: America’s Leading Lawyers in Business_, receiving a Tier One ranking in Cyber Incident Response.
He has been included on the list of leading Incident Response Lawyers since its inception, and is a sought-after speaker related to cybersecurity and national security matters. Mr. Lashway has led due diligence on some of the largest recent corporate transactions, and regularly advises companies through complex CFIUS issues. He has also served as lead counsel on matters for organizations facing difficult regulatory, congressional, and public policy issues across a range of industry sectors and subjects. Mr. Lashway is fluent in multiple languages and regularly handles matters involving the global intelligence community and law enforcement.

