
Ransomware Attacks - CISO and Other Personal Liability Pitfalls


Level: Intermediate
Runtime: 51 minutes
Recorded Date: January 18, 2024

Agenda

  • CISO’s Role in Incident Response
  • CISO Challenges
  • Governmental Entity CISOs
  • How Can CISOs Protect Themselves?
  • The SEC and CISO Liability
  • Incident Response Preparedness
  • Takeaways

For NY - Difficulty Level: Both newly admitted and experienced attorneys

Description

In this panel from the annual "Incident Response Forum Ransomware" event, cybersecurity law experts discuss ransomware attacks and personal liability issues. The panel stresses the importance of involving legal counsel early on to mitigate risks. CISOs may face individual liability for data security incidents, requiring understanding and protection. Collaboration between legal counsel, CISOs, and executives during ransomware attacks is crucial to avoid blame and manage incidents effectively. Executives must be actively involved in decision-making, understand legal liability, and learn from past cases like Uber and SolarWinds. The SEC's case against SolarWinds raises questions about preventing state-sponsored attacks and individual accountability. Cybersecurity professionals face liability risks due to communication pitfalls and resource constraints. Cooperation with law enforcement is encouraged. CISOs must focus on timely reporting, stakeholder involvement, and clear communication to protect against personal liability during ransomware incidents, emphasizing that cybersecurity is a collective responsibility.

Provided By

Securities Docket

Panelists


Edward R. McNicholas

Partner
Ropes & Gray

Edward R. McNicholas is a co-leader of Ropes & Gray's privacy & cybersecurity practice. He represents technologically sophisticated clients facing complex data, privacy, and cybersecurity issues in litigation, investigative, and counseling matters. His clients include financial institutions, technology companies, insurance companies, branded pharma companies, healthcare providers, and e-commerce and other retailers. Ed has significant experience with investigations and class action litigation related to cybersecurity incidents, as well as enforcement actions by the FTC, state Attorneys General, the SEC, OCR, Data Protection Authorities outside of the U.S., and other government agencies. He leads internal investigation and litigation matters that frequently involve complex, multi-jurisdictional, and multi-national litigation issues, particularly federal court jurisdictional and constitutional concerns related to the First and Fourth Amendments. Ed has experience dealing with Internet and information law matters involving data breaches, ransomware, online brand protection, trade secrets, social media, e-commerce, and national security issues. Ed also advises clients on the full range of federal, state and foreign privacy and data security requirements including in the areas of financial privacy, health care privacy, communications privacy, ad-tech, cybersecurity, and national security. Ed’s counseling practice also includes other areas of technology law, such as electronic surveillance, cloud computing, the Internet of Things, trade secrets, online advertising, social media and big data/data science.
He frequently helps companies design global data governance programs to allow for efficient data transfers across corporate entities governed by multiple privacy regimes, such as US privacy laws, including the Gramm Leach Bliley Act, HIPAA, and the California Consumer Privacy Act (CCPA), as well as the EU’s General Data Protection Regulation (GDPR) and the various privacy and cybersecurity regimes in China and across Asia. Ed previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations. Ed has developed unique experience representing clients in the midst of media-driven legal challenges. His crisis management skills are particularly useful in coordinating the swirl of complex litigation, congressional hearings, and federal and state investigations that can follow from major privacy and cybersecurity incidents. Ed is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He is the lead editor of the PLI treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.


Timothy Howard

Partner
Freshfields Bruckhaus Deringer

Tim Howard is a partner in the New York office, where his practice focuses on white collar and government regulatory investigations, with special attention to cybersecurity, data breaches, and cryptocurrency. Tim is an accomplished trial lawyer and investigator, having managed significant white-collar cases across a wide range of disciplines, including securities and investment fraud, tax fraud, Foreign Corrupt Practices Act (FCPA) violations, cyber intrusions, health care fraud, consumer fraud, and government contracting fraud. At Freshfields, Tim has advised a variety of clients on complex cross-border data breach incidents including managing incident response, forensic investigation and engagement with US and international regulators, DOJ and SEC white collar investigations, and advising companies on artificial intelligence, ephemeral messaging, cyber governance, and other data security risks.
Tim joined Freshfields from the United States Attorney’s Office for the Southern District of New York, where he spent nearly 12 years in varied roles, most recently as Chief of the Complex Frauds and Cybercrime Unit. At SDNY, Tim tried and supervised 17 trials to verdict. Tim also spent a year on detail to the Department of Justice's National Security Division, where he served as National Coordinator for the National Security Cyber Specialist Network, through which he coordinated the national program of investigations into nation state-sponsored cyberattacks across all 94 U.S. Attorney's Offices.


John Carlin

Partner
Paul Weiss

John P. Carlin is co-head of Paul Weiss’s Cybersecurity & Data Protection practice and a deeply accomplished litigator who advises industry-leading organizations on matters involving privacy and cybersecurity, crisis management, Committee on Foreign Investment in the United States (CFIUS), sanctions and export control, white collar defense and internal investigations. He has served as a top-level official in both Republican and Democratic administrations, including as the Acting Deputy Attorney General of the United States, as the top national security official for the U.S. Department of Justice, as the Chief of Staff of the FBI and as an experienced Assistant United States Attorney. Mr. Carlin has been featured or cited as a leading authority on cyber and economic espionage matters by numerous major media outlets, including The New York Times, The Washington Post, The Wall Street Journal, The Los Angeles Times, USA Today, CBS’s 60 Minutes, NBC’s Meet the Press, PBS’s Newshour, ABC’s Nightline and Good Morning America, NPR, CNN and Vanity Fair, among others.
Appointed Acting Deputy Attorney General and then Principal Associate Deputy Attorney General to Deputy Attorney General Lisa Monaco (January 2021-July 2022), John occupied “one of the most powerful and under-the-radar posts in the Justice Department,” according to The New York Times, advising on major prosecutions, such as the January 6 investigation, and other top DOJ priorities, including FBI oversight, cryptocurrency theft and investigations of actors known to have helped Russia evade sanctions. He also played a pivotal role in instituting the DOJ’s current approach to cybersecurity, national security and corporate criminal enforcement.


Jennifer Beckage

Partner
The Beckage Firm

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E is a former tech business owner, former public company executive over tech products, recognized for the last six years as one of the Top 50 Data Breach Lawyers in the US, a Best Lawyer in America, multiple year recipient of SuperLawyer designation for technology and litigation, and counsel to some of the globe’s largest organizations, brands, not-for-profits, celebrities, high-net-worth individuals, and Fortune 100 companies. As noted in a recent feature on her in SuperLawyers, Beckage's career trajectory is a testament to reinvention and innovation, which she leverages to help her clients also reinvent and innovate within their own organizations. Law firm founder Beckage focuses her law practice on innovation and technology, with a recognized focus on data security and privacy and incident response. Throughout her legal career, she has responded to numerous headline-making, national and international cybersecurity incidents and counseled organizations of all sizes. Beckage is a frequent contributor to the global conversation surrounding crisis response, speaking at several legal and cybersecurity industry events. She also is interviewed by global media on topics related to technology, crisis response, and data security. Beckage is a Certified Information Privacy Professional, United States (CIPP/US) and Certified Information Privacy Professional, Europe (CIPP/E). She also received MIT "Artificial Intelligence: Implications for Business Strategy" Certification in 2020. Prior to her legal career, Beckage owned and led technology companies, one of which she helped lead to the sale to a publicly traded company. That telecommunications company retained her as an executive overseeing cutting-edge technical products and services and operations.


David Aaron

Senior Counsel
Perkins Coie

David Aaron is a former federal prosecutor with the U.S. Department of Justice (DOJ), National Security Division and a former Manhattan Assistant District Attorney. His experience includes investigating and litigating cases involving Espionage Act violations, malicious cyber activity such as data breaches and destructive attacks, economic espionage, insider threats, undisclosed foreign government influence, and export control violations.
In addition to the Espionage Act and Economic Espionage Act, David possesses deep knowledge of the Computer Fraud and Abuse Act (CFAA), Electronic Communication Privacy Act (ECPA), and related data security and privacy authorities including the Foreign Intelligence Surveillance Act (FISA). David has substantial experience working with the Federal Bureau of Investigation (FBI), the U.S. Department of Defense (DoD), and the U.S. Intelligence Community.
While serving as a national security attorney, David advised senior leadership on security threats and developed and implemented data privacy compliance programs.
Among other distinctions, David was the recipient of multiple Assistant Attorney General’s Awards and two Attorney General’s Awards for Distinguished Service. He holds a Certified Information Privacy Professional/United States (CIPP/US) certification, was a fellow in Advanced Cyber Studies at the Center for Strategic and International Studies and in the Center for Biosecurity’s Emerging Leaders in Biosecurity Initiative, and earned a master’s degree in cybersecurity from Brown University, where he received the Master’s Award for Professional Excellence.

