
Cybersecurity 2019: Managing Cybersecurity Incidents


Speaker(s): Adam Fletcher, Brittany M. Bacon, Clark Russell, Dave Wong, Douglas Bloom, Emily Stapf, Eric M. Friedberg, Erika Brown Lee, Jay Leek, Katherine E. McCarron, Lisa J. Sotto, Mark Seifert, Matthew W. Van Hise, Michele S. Lucan, Panagiotis (Pete) Balias, Perry Lee, Robert Lord, William E. Min
Recorded on: Sep. 13, 2019
PLI Program #: 252400

Doug is an Executive Director and Head of Cybersecurity and North American Data Protection & Privacy for Morgan Stanley's Legal & Compliance Division. In that role, he is responsible for the Firm's legal response to cybersecurity matters—including incident response, regulatory affairs and new legislation affecting the Firm. Doug is also responsible for privacy matters affecting the Firm’s U.S. and Canadian clients, its largest client base. Doug has over 20 years’ experience investigating all aspects of financial and computer crimes—having served as a federal prosecutor, criminal defense lawyer and software developer.

Prior to joining Morgan Stanley, Doug was a Director in PwC’s Cybercrime and Breach Response practice, the leader of the Firm’s Cybersecurity Risk & Regulatory Practice, and a member of the Firm’s Financial Crimes Unit.  At PwC, Doug assisted clients across the globe, responding to regulatory changes, conducting cybercrime, fraud and economic espionage investigations, corporate internal investigations and handling breaches of PwC’s clients’ computer networks.  In addition, as a leader of the Firm’s cybersecurity Board governance program, Doug regularly advised clients and their Boards on proper governance of cybersecurity programs and assisted clients in the development of their cybersecurity Board reporting programs.

Prior to joining PwC, Doug was a federal prosecutor in the United States Attorney’s Office for the Southern District of New York, where he investigated and prosecuted national security cyber offenses, including economic espionage, hacking of national defense and government systems, and the theft of trade secrets. In addition to his cyber work, Doug investigated and prosecuted several high-profile public corruption and accounting fraud cases, and convicted the former majority leader of the New York State Senate and acting Lieutenant Governor of New York State of bribery and extortion. Doug is a 2015 recipient of the Attorney General’s John Marshall Award, the highest attorney honor granted by the Department of Justice, and a 2013 recipient of the Federal Law Enforcement Foundation’s Prosecutor of the Year award. Prior to joining the U.S. Attorney’s Office, Doug was an associate in Covington & Burling’s white collar criminal defense and intellectual property practices where he investigated and litigated criminal and civil accounting fraud, tax fraud, and patent infringement cases.

Doug brings deep technical expertise to his legal role, having served as a software engineer and program manager for Xerox’s Palo Alto Research Center, Microsoft and Hewlett Packard.  In those roles, Doug designed and developed artificial intelligence algorithms for natural language processing software and drivers for network management systems. 

Doug is an Adjunct Professor of Law at Fordham University, where he teaches a course on computer crimes.  He is also a published author—whose articles on cybercrime and insider threats regularly appear in the New York Law Journal—and frequent speaker on cybersecurity, fraud, and information management.  He has presented to and taught courses for the Department of Justice, FINRA, the Association of Corporate Counsel, the National Association of Corporate Directors and various universities, businesses and industry participants. 

He received a Bachelor’s degree in Symbolic Systems and a Master’s degree in Linguistics from Stanford University.  He received a Juris Doctor, cum laude, from Harvard Law School.  He is admitted to the New York bar, the U.S. District Courts for the Southern and Eastern Districts of New York, and the U.S. Court of Appeals for the Second Circuit, and is an active member of the Federal Bar Council where he serves on both the Criminal Practice and Westchester County Committees. 



Adam Fletcher, CISM, is a Managing Director and the Chief Information Security Officer for Blackstone. As a security professional for 20 years, Adam has worked with global security organizations large and small including Internet Security Systems, VeriSign, McAfee, Nokia, and Accuvant. Adam has a strong technical foundation, developed from roles in security architecture design and implementation, complemented by management experience gained from roles leading consulting engagements and global teams of information security professionals. Prior to joining Blackstone, Adam led the International Security team for Equifax, coordinating a global security program across 14 countries, each with different business, regulatory, and privacy requirements.


Bill Min is Deputy General Counsel & Chief Privacy and Data Governance Officer for Western Union where he leads the company’s global privacy and information governance organization. 

Prior to Western Union, Bill was Senior Vice President, Legal and Chief Privacy Officer at Live Nation Entertainment, Inc.  He also worked for 16+ years at Starwood Hotels & Resorts Worldwide, Inc. where he led several global functions, including privacy, enterprise risk management, and operational compliance.  Among his accomplishments, Bill is acknowledged as an expert in the area of data privacy, and established the global privacy function at both Live Nation and Starwood.  Earlier in his career, Bill held in-house legal positions at Sara Lee Corporation and at Sunkyong America, Inc., the US subsidiary of one of the largest Korean conglomerates.  Prior to working as in-house counsel, Bill was a mergers and acquisitions attorney at two New York City law firms.  

Bill earned his Bachelor of Arts degree from the University of Pennsylvania, his Master of Arts degree from the State University of New York at Stony Brook, and his Juris Doctor degree from Fordham University School of Law. 


Bob Lord is the Chief Security Officer at the Democratic National Committee, bringing more than twenty years of experience in the information security space to the Committee, state parties, and campaigns. Previously he was Yahoo’s CISO, covering areas such as risk management, product security, security software development, e-crimes, and APT programs. Before that he acted as the CISO in Residence at Rapid 7, and before that headed up Twitter’s information security program as its first security hire. You can see some of his hobbies at https://www.ilord.com.


Brittany Bacon is a partner in Hunton Andrews Kurth’s top-ranked Global Privacy and Cybersecurity practice. She has national recognition for her work in the areas of privacy and data security. In 2018 and 2019, Brittany was ranked in Chambers USA and was named a New York Law Journal “Rising Star,” a Law360 “Rising Star” in privacy and cybersecurity, and one of Global Data Review’s 40 Under 40 data lawyers. Legal 500 also lists Brittany as a “Next Generation Lawyer” for cyber law. 

Brittany served as a lead attorney on the two largest reported breaches in history (affecting over three billion user accounts) and has managed hundreds more. Her cybersecurity practice includes advising clients on data breach notification responsibilities, counseling them on responding to multi-jurisdictional regulatory investigations, and providing strategic advice in the breach context for managing inquiries from Boards of Directors, consumers, media and potential acquiring companies in a deal setting. Brittany also helps companies design and build privacy and data security governance programs and conduct proactive breach preparedness activities, including developing workable incident response plans and legal breach notification procedures, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts (such as forensic investigation firms, credit monitoring services, PR firms and call centers) in advance of an incident.

In relation to her privacy compliance practice, Brittany has extensive experience in advising clients on state, federal and international privacy laws, including the EU General Data Protection Regulation and the California Consumer Privacy Act. She routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use. She also regularly negotiates privacy and data security provisions of complex commercial and technology-related contracts and helps companies design robust vendor management programs.

Brittany volunteers as a welfare advocacy attorney for the City Bar Justice Center’s Legal Clinic for the Homeless and assists pro bono clients with securing public benefits.  She was awarded the City Bar Justice Center’s 2016 Jeremy G. Epstein Award for Pro Bono Service. Brittany is a frequent speaker and author on privacy and cybersecurity topics. She received her JD from the Washington University in St. Louis School of Law, and her BA from the University of Notre Dame, cum laude. She is admitted to practice in the state of New York.


Clark Russell is the Deputy Bureau Chief of the Bureau of Internet and Technology at the New York State Attorney General’s Office. The Bureau is committed to protecting consumers from online threats and has brought a number of ground-breaking cases involving internet and technology issues, including privacy, online fraud and data security. Clark’s investigations included Secure Our Smartphones, where the office convinced smartphone manufacturers to install a “kill switch” in their smartphones; Operation Clean Turf, the largest investigation into companies flooding the Internet with fake positive reviews; and Operation Child Tracker, the largest state AG investigation of violations of the Children’s Online Privacy Protection Act (“COPPA”) by major child brand websites and a well-known ad network. Clark oversees the office’s data breach notification program, and secured numerous record-setting results in data breach cases. He is also the principal draftsperson of the office’s proposed overhaul of New York State’s data security law to require new and unprecedented safeguards of personal data.


Dave Wong is a Managing Director at FireEye Mandiant. Mr. Wong manages the FireEye Mandiant cybersecurity consulting practice in North America. In this capacity, he leads and oversees projects to help organizations respond to cybersecurity incidents and make them more resilient to attack.

Mr. Wong has extensive experience in cybersecurity and investigating cybercrime. Over the past 10 years, he has investigated some of the largest cybersecurity incidents and provided evidence to help law enforcement arrest cybercriminals. Dave brings true front-line experience as he has visibility into the effectiveness of cybersecurity programs across many industries, and specifically what went wrong when companies suffer a cybersecurity incident. He uses this experience to help guide companies to secure their systems, data, and intellectual property.

Prior to joining FireEye, Mr. Wong was the Chief Operating Officer of the Intrepidus Group, a boutique cybersecurity firm that focused on mobile application and device security. Dave also worked at Bridgewater Associates, the world’s largest hedge fund, as head of cybersecurity for the trading floor.

Mr. Wong is a Certified Information Systems Security Professional (CISSP) and holds a degree in Engineering from the Cooper Union for the Advancement of Science and Art.

Emily Stapf is a Principal in PwC’s Cybersecurity & Privacy practice focused on incident response, threat management and cybersecurity strategy.  She is the human capital leader for PwC’s national Incident and Threat Management team, and leads the Denver market for PwC’s Cybersecurity & Privacy services. 

With 20 years of consulting experience, Ms. Stapf has helped hundreds of commercial clients prepare for, respond to, and mitigate the impact of unplanned events involving sensitive information. For 15 years she has led investigations, assessments and strategy projects related to data breaches, cybercrime events, privacy matters, information security strategy, and insider threat using computer forensics, data analytics and cybersecurity techniques. She helps clients navigate public and B2B notification, regulatory inquiry and litigation, and regularly briefs senior leaders about cybersecurity risk.

Ms. Stapf has advised hundreds of corporate, private and law firm clients across healthcare, retail, financial services, insurance, aerospace, technology, manufacturing, analytics and energy industries on a global scale, and is well connected across PwC's global network.

Ms. Stapf is a frequent speaker on the topics of cybercrime, data breach investigations and information risk management at ABA, IAPP, PLI, CSO and other forums.

Ms. Stapf is a Certified Information Security Manager and a Certified Fraud Examiner, and is an IAPP and ISACA member, and held a Federal Top Secret Clearance.

Expert testimony experience

  • Led forensic investigation of a large PHI data breach, including deposition in support of a health industry client’s litigation with a third party business partner in 2010
  • Wrote a technical opinion about a cybersecurity technology in support of a health industry client’s litigation against a technology provider in 2017


Mark Seifert has worked at the center of critical telecommunications, cybersecurity, and technology policy debates in Washington for more than 25 years. A partner at the Brunswick Group, Mark is a co-founder of the global Cybersecurity and Privacy practice. Mark brings a unique understanding of the relationship between government and the private sector based on his extensive experience at the Federal Communications Commission, as well as his service in all three branches of the federal government. At Brunswick he advises major multinational corporations on the communications issues surrounding data, cybersecurity, and privacy, including extensive experience helping companies prepare for, respond to, and recover from cybersecurity incidents. Mark has led retained accounts, projects, and transactions with both public and privately-owned clients including AT&T, Facebook, GE, Visa, Abbott, Southwest Airlines, Novo Nordisk, Blue Cross Blue Shield Association and Cisco. He also serves as a board member for the Center for Democracy and Technology and is an IAPP certified privacy professional.

Before joining Brunswick, Mark oversaw a $5 billion broadband infrastructure program at the U.S. Department of Commerce, where he served as Senior Advisor to the Deputy Secretary. Mark has also served as Counsel to the House Committee on Energy and Commerce, working on telecommunications and internet issues. He began his government career at the FCC, where he worked for over a decade in various management and policy positions. Mark has previously served as a national constituency Director for the Kerry-Edwards presidential campaign, and after earning his J.D. from University of Virginia School of Law, he clerked on the U.S. Court of Appeals for the Sixth Circuit and worked as a commercial litigator in private practice for five years.


Michele S. Lucan is an Assistant Attorney General at the Connecticut Attorney General's Office in its Privacy and Data Security Department. In this role, Michele handles all matters involving consumer privacy and information security. Most notably, Michele is currently leading and/or co-leading multistate investigations of several massive data breaches involving sensitive personal information.

Michele joined the Attorney General's Office in 2008 and first served in its Consumer Protection Division, where she investigated and pursued enforcement actions against a variety of unfair and deceptive business practices under the Connecticut Unfair Trade Practices Act. In 2013, Michele was appointed to a multidisciplinary Privacy Task Force that was created to focus the Office's response to privacy concerns and data breaches, and educate the public and Connecticut businesses about data protection responsibilities under state and federal law. In early 2015, a dedicated Privacy and Data Security Department was formed and Michele was assigned full-time to the Department from its inception. Michele has spent the past several years working exclusively on privacy-related matters.

Michele is a Certified Information Privacy Professional (CIPP)/ U.S.  She received her B.A. from Loyola University in Maryland and her J.D. from the Quinnipiac University School of Law. Michele speaks regularly on privacy-related topics to government, bar and industry groups.


Perry Lee, Cyber Risk Consultant, is based in New York City. He offers a practiced and successful approach to client interaction, as well as technical depth gained from operational experience helping organizations succeed in meeting their technology goals. Perry’s commitment to servicing clients and ability to communicate and understand client goals is a significant asset to AIG insureds navigating the cyber risk environment.

Prior to joining AIG, Perry was the Director of Professional Services for Precision IT Group, managing a team of senior engineers and overseeing the project management practice at the firm. In his account executive role, he assisted clients with technology planning and execution with a focus on security-forward implementation.

Perry earned his B.A. from Rutgers University in NJ.


Mr. Friedberg is a seasoned executive with 30 years of public and private sector experience in law, cyber-crime response, IT security, forensics, investigations and e-discovery. His expertise is sought by boards, audit committees, law firms, and the courts. He has helped many Fortune 500 companies improve their governance and technology initiatives and their cyber regulatory compliance. He led Stroz Friedberg for over 16 years, from a start-up into a $150m, 550-person consulting and technical services firm with nine U.S. and four foreign offices. While always a principal business developer and leader of major client assignments, he oversaw geographic and service line growth, M&A, infusions of $150m in private equity capital, board interactions and, in late 2016, the sale of the company to Aon plc.

Before building Stroz Friedberg, Mr. Friedberg was for 11 years a federal prosecutor in Brooklyn, where he led the Computer Crime and Narcotics Units. He began his career as an intellectual property and securities litigator at Skadden, Arps.

Mr. Friedberg is a national leader in all forms of computer crime, including attacks by state-sponsored agents, organized crime, hacktivists, and malicious insiders. He has led responses to some of the most serious attacks on the nation’s companies and has conducted enterprise security risk assessments in many sectors, including financial services, media and entertainment, Internet, sports, health care, law, consulting, oil and gas, and engineering. He is an expert in incident response governance, technologies, policies, and procedures. He has been quoted extensively on cyber-crime and IT security issues in print, digital and television media, including the Wall Street Journal, the Financial Times, The New York Times, cnbc.com, and Fox Business News.

Mr. Friedberg is also a leader in the fields of e-discovery, forensics and privacy, having managed hundreds of high-profile assignments in those areas, testified as an expert, been appointed by courts as a Special Master, and led the development of methodologies for forensic and privacy investigations. He has lectured extensively and has published book chapters and articles on managing risk and conducting investigations in e-discovery and forensics. He is a member of the International Association of Privacy Professionals.

Mr. Friedberg holds a J.D. from Brooklyn Law School and a B.A. from Brandeis University.


Named among The National Law Journal’s “100 Most Influential Lawyers,” Lisa Sotto chairs Hunton Andrews Kurth’s top-ranked Global Privacy and Cybersecurity practice and is the managing partner of the firm’s New York office.  She also serves on the firm’s Executive Committee.  Lisa has received widespread recognition for her work in the areas of privacy and cybersecurity.  She was voted the world’s leading privacy advisor in all surveys by Computerworld magazine and has received top rankings for privacy and data security by Chambers and Partners and The Legal 500.  Lisa serves as the Chairperson of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. 

Featured as “The Queen of Breach” in an article by New York Super Lawyers Magazine, Lisa provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness.  Since 2005, she has advised clients on more than 1,600 cybersecurity and data breach incidents in the U.S. and abroad, including many of the seminal events.  Lisa is the editor and lead author of the legal treatise entitled Privacy and Cybersecurity Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business. 

Lisa assists clients in identifying, evaluating and managing risks associated with privacy and data security practices.  She advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA, VPPA, security breach notification laws, and other U.S. state and federal privacy and data security requirements (including HR rules), and global data protection laws (including those in the EU, Asia and Latin America).  More recently, Lisa’s work includes assisting dozens of clients in developing strategies for complying with the California Consumer Privacy Act of 2018.

Lisa is chair of the New York Privacy Officers’ Forum and a former member of the Board of Directors of IAPP.  She received her J.D. from the University of Pennsylvania Law School, where she was an editor of the Law Review.  She received her B.A. from Cornell University, with Distinction in All Subjects.  Lisa is admitted to practice in New York.


Matthew W. Van Hise is an Assistant Attorney General and Chief of the Privacy Unit at the Illinois Attorney General’s Office.  AAG Van Hise has been with the Attorney General’s Office working in the Consumer Fraud Bureau since 2011.  He enforces the Illinois Consumer Fraud and Deceptive Business Practices Act and spends the majority of his time focusing on privacy, data security, and data breach related investigations and litigation.  AAG Van Hise functions as both the lead and co-lead attorney for many national multistate investigations into several of the largest data breach incidents to date.

As Chief of the Privacy Unit, he serves as the point person within the Illinois Attorney General’s Office on matters such as privacy, data security, technology, and the secure handling of consumers’ personal information.  AAG Van Hise also oversees the Illinois Attorney General’s Identity Theft Unit, which was created in 2006 and has assisted over forty-five thousand consumers with complaints covering a wide variety of identity theft issues and privacy areas. 

Matthew leads the National Association of Attorneys General Privacy Working Group, on both privacy and identity theft.  He also co-leads the NAAG medical privacy discussions. 

Prior to this, he worked at the Michigan Attorney General’s Office, on both privacy and identity theft.  Matthew received a B.A. from Bradley University and a J.D. from the Thomas M. Cooley Law School in Lansing, Michigan.  Matthew has served as panelist and as guest speaker at numerous data security and privacy conferences throughout the country.  He is an active member in the International Association of Privacy Professionals, holding the CIPP/US certification, as well as a member in many local, state, and national Bar Associations.


Katherine E. McCarron is an attorney with the Bureau of Consumer Protection, Division of Privacy and Identity Protection, at the Federal Trade Commission in Washington, D.C. This division of the Commission has responsibility for enforcing federal statutes and regulations that pertain to information security and consumer privacy. Ms. McCarron investigates and prosecutes violations of U.S. federal laws governing the privacy and security of consumer information and has worked on FTC enforcement actions under Section 5 of the Federal Trade Commission Act. She received her J.D. from Stanford Law School, her M.A. from the London School of Economics and Political Science, and her B.A. from Yale University.


Erika Brown Lee is a Senior Vice President and Assistant General Counsel at Mastercard.  Ms. Brown Lee leads the team that develops policies, provides guidance, and ensures compliance with privacy and data protection laws across the company’s products and services, including payment processing, data analytics, and fraud-related activities.  Ms. Brown Lee also works closely with the company’s cybersecurity teams to develop policies and manage regulatory interactions.  Ms. Brown Lee is the former Chief Privacy and Civil Liberties Officer of the U.S. Department of Justice, where she served as the principal advisor to the Attorney General on privacy and civil liberties matters.  Ms. Brown Lee co-chaired the DOJ breach response team, played a leadership role among agencies working to develop privacy-related legislation, and provided regular briefings to Capitol Hill.  She received an Attorney General Award for Exceptional Contributions in Negotiating a Data Protection and Privacy Agreement with the E.U.  Ms. Brown Lee also served in the Division of Privacy & Identity Protection at the Federal Trade Commission, and chaired the ABA’s Privacy & Information Security Committee.  Ms. Brown Lee is a Certified Information Privacy Professional (CIPP) for Europe and the U.S.


Jay Leek, CISM, CISA, CISSP, is a Managing Director and Co-founder of ClearSky Security.  He also consults with Blackstone on various areas of cyber security strategy and investing, and he is currently co-leading Blackstone’s portfolio company CISO community. Prior to joining ClearSky, Leek was the Chief Information Security Officer for Blackstone, where he also worked with their information security investments and portfolio companies.  Over the past 20 years, Leek built and headed up global information risk and security programs for Equifax and Nokia and also worked as a Product Manager as well as a Consultant to telecom companies, government agencies and financial institutions assisting them with strategic planning and architectural design required to meet their information risk and security objectives. Leek currently serves as a member of the boards of directors for BigID, BlueLava, Capsule8, CloudKnox, CyberGRX, IntSights and Respond, and the NY Metro ISSA Chapter. He was also formerly a member of the board of directors of Carbon Black, Demisto, Optiv, ProtectWise, RedOwl, Verodin, a Board Observer for Cylance and Phantom and a member of the advisory boards of Accuvant and iSIGHT Partners.


Supervisory Special Agent Panagiotis (Pete) Balias entered on to duty with the FBI in 2007. After completing initial training in Quantico, Virginia, SSA Balias was assigned to the FBI’s New York City field office, where he participated in a wide range of investigations to include counterterrorism, white collar, and narcotics. SSA Balias has also investigated intellectual property rights, child pornography, and cyber violations. SSA Balias currently supervises a cyber squad and Task Force responsible for investigating criminal cyber threats.