
Cybersecurity Best Practices for Legal Services Providers 2020

Speaker(s): Douglas Bloom, Duncan Campbell, E.J. Yerzak, Jason Lally, Josh Stabiner, Karen Brooks, Larry Marks, Mark Melodia, Mark H. Francis, Michael R. Graif, Rhonda Barnat
Recorded on: Feb. 3, 2020
PLI Program #: 277566

Doug is an Executive Director and Co-Head of Cybersecurity & Privacy for Morgan Stanley's Legal & Compliance Division. In that role, he is responsible for the Firm's legal response to cybersecurity matters—including incident response, regulatory affairs and new legislation affecting the Firm. Doug is also responsible for privacy matters affecting the Firm’s personnel and client base. Doug has over 20 years’ experience investigating all aspects of financial and computer crimes—having served as a federal prosecutor, criminal defense lawyer and software developer.

Prior to joining Morgan Stanley, Doug was a Director in PwC’s Cybercrime and Breach Response practice, the leader of the Firm’s Cybersecurity Risk & Regulatory Practice, and a member of the Firm’s Financial Crimes Unit.  At PwC, Doug assisted clients across the globe, responding to regulatory changes, conducting cybercrime, fraud and economic espionage investigations, corporate internal investigations and handling breaches of PwC’s clients’ computer networks.  In addition, as a leader of the Firm’s cybersecurity Board governance program, Doug regularly advised clients and their Boards on proper governance of cybersecurity programs and assisted clients in the development of their cybersecurity Board reporting programs.

Prior to joining PwC, Doug was a federal prosecutor in the United States Attorney’s Office for the Southern District of New York, where he investigated and prosecuted national security cyber offenses, including economic espionage, hacking of national defense and government systems, and the theft of trade secrets. In addition to his cyber work, Doug investigated and prosecuted several high-profile public corruption and accounting fraud cases, and convicted the former majority leader of the New York State Senate and acting Lieutenant Governor of New York State of bribery and extortion. Doug is a 2015 recipient of the Attorney General’s John Marshall Award, the highest attorney honor granted by the Department of Justice, and a 2013 recipient of the Federal Law Enforcement Foundation’s Prosecutor of the Year award. Prior to joining the U.S. Attorney’s Office, Doug was an associate in Covington & Burling’s white collar criminal defense and intellectual property practices, where he investigated and litigated criminal and civil accounting fraud, tax fraud, and patent infringement cases.

Doug brings deep technical expertise to his legal role, having served as a software engineer and program manager for Xerox’s Palo Alto Research Center, Microsoft and Hewlett Packard.  In those roles, Doug designed and developed artificial intelligence algorithms for natural language processing software and drivers for network management systems. 

Doug is an Adjunct Professor of Law at Fordham University, where he teaches a course on computer crimes.  He is also a published author—whose articles on cybercrime and insider threats regularly appear in the New York Law Journal—and frequent speaker on cybersecurity, fraud, and information management.  He has presented to and taught courses for the Department of Justice, FINRA, the Association of Corporate Counsel, the National Association of Corporate Directors and various universities, businesses and industry participants. 

He received a Bachelor’s degree in Symbolic Systems and a Master’s degree in Linguistics from Stanford University.  He received a Juris Doctor, cum laude, from Harvard Law School.  He is admitted to the New York bar, the U.S. District Courts for the Southern and Eastern Districts of New York, and the U.S. Court of Appeals for the Second Circuit, and is an active member of the Federal Bar Council where he serves on both the Criminal Practice and Westchester County Committees.

Mark H. Francis is a leading cybersecurity, data privacy and intellectual property attorney who leverages extensive technical skill and experience to provide clients with pragmatic legal guidance across a wide array of counseling, transactional and litigation matters.

In connection with his practice, Mark advises clients on information governance, cybersecurity and privacy laws, third party risk management, intellectual property, artificial intelligence, adtech and data strategy. He frequently counsels clients in response to data breaches and other incidents, guiding them through internal investigations, regulatory inquiries, and legal disputes.

Mark has received significant recognition for his practice, and was appointed to the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee (DPIAC), which provides advice at the request of the Secretary of Homeland Security and the DHS Chief Privacy Officer on programmatic, policy, operational, administrative and technological issues within the DHS that relate to personally identifiable information, as well as data integrity and other privacy-related matters. He is also an active member of the International Association of Privacy Professionals (IAPP), and currently chairs the IAPP Exam Development Board for the CIPP/US certification.

Mark has a background in computer science and telecommunications, and received his JD/MBA from Fordham University. He is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH), as well as an IAPP CIPP/US, CIPT, Privacy Law Specialist and Fellow of Information Privacy. 


Larry Marks is a senior manager in the firm’s Technology & Business Transformation Services practice. 

Prior to joining BDO, Larry was a Principal subject matter expert for Technology and Security, supporting implementation of Cyber and Operational risk frameworks and ensuring that assessments and controls for regulatory compliance, such as FFIEC, NYDFS, SEC, ISO and SOX, are effective. He has been a program manager, planning strategy and executing projects while helping firms mitigate risks. He has led Cyber/Information Security RCSA and programs/projects, while mentoring the team and the business to implement policies and procedures aligned with regulatory and compliance requirements. As a business advisor, he has held other roles, including Internal/IT Auditor, developer, QA/QC Professional and Risk Manager.

Larry has extensive experience in designing, managing, auditing and implementing IT processes, policies and controls, such as cyber and security. Larry has managed teams, priorities and expectations across business and IT leadership while delivering fit-for-purpose services.

Larry is a thought leader publishing regularly on subjects related to security, risk, regulatory compliance, governance, leadership and program/project management for ISACA, ISC2 and PMI. Larry is currently volunteering with the Cloud Security Alliance (CSA), collaborating on the development of a Cloud Infrastructure Incident Framework. Larry regularly publishes for ISACA and ISC2 Information Professional Magazine and is a member of the Editorial Review Committee for ISACA and ACFE's Fraud Magazine. Larry is a volunteer for PMI on both their 2018 and 2020 Preliminary Proposal Review Committees. Larry writes a blog for the PMI on Leadership best practices. Larry is one of the ISACA Whitepaper Developers for COBIT 5, Security as a Service, DevOps and database security. He has authored/coauthored audit programs for ISACA. Larry has served ISACA as part of their CRISC Exam Review Team and PMI’s ISO Committee.

Larry has several certifications – CISA, CISSP, CGEIT, CISM, CRISC, CRVPM II, PMP, ITIL, and CFE.


ISACA, ISC2, PMI, Ponemon Institute


New York University

Masters of Business Administration, New York, NY

Bachelors of Arts, New York, NY


Mark Melodia is a privacy, data security and consumer class action defense lawyer in Holland & Knight's New York office. Mr. Melodia focuses his practice on governmental and internal investigations, putative class actions and other "bet-the-company" suits in the following areas: data security/privacy, mortgage/financial services and other complex business litigation, including defamation.

Mr. Melodia has defended more than 80 putative class actions – including as lead defense counsel in multiple multidistrict litigations (MDLs) – arising from alleged consumer privacy violations, data incidents and allegations of data misuse. He routinely represents clients responding to government privacy investigations before the Federal Trade Commission (FTC), Office for Civil Rights, state attorneys general and the U.S. Department of Justice (DOJ). He has guided clients in a wide range of industries through several hundred data incidents over the past dozen years. He advises clients on their obligations and helps them operationalize the requirements of General Data Protection Regulation (GDPR) as well as federal and state laws in the U.S. He consults with boards and executive teams on these issues.

Mr. Melodia has been an instructor of Information Security Law in the Chief Information Security Officer (CISO) Executive Education and Certification Program at Carnegie Mellon University's Heinz College, as well as a guest lecturer at Seton Hall Law School and New York University School of Law.

Mr. Melodia served as a law clerk for the Honorable Timothy K. Lewis of the U.S. District Court for the Western District of Pennsylvania.

Duncan Campbell is a Director and Senior Counsel, IP/IT at BNP Paribas in New York. In this role, he provides privacy and cybersecurity legal advice to all businesses of the bank. He works closely with internal stakeholders to support the North American and Global Data Protection programs. Mr. Campbell was formerly Head of US Data Privacy Compliance at Barclays, where he was responsible for building and maintaining the Investment Bank, Corporate Bank, and Barclaycard privacy compliance programs. He developed compliance programs for these unique businesses while maintaining consistency of enterprise privacy controls. Mr. Campbell was a litigator before moving into the Citigroup Data Privacy Office, where he advised projects and applications created within the Institutional Clients Group. He then joined the Data Protection office at EY, where he managed asset loss breach response, owned vendor data privacy due diligence, and supervised the EY Safe Harbor program participation before moving to Barclays.

E.J. Yerzak is Director of Cyber IT Services at Compliance Solutions Strategies (CSS), a global regulatory compliance consultancy and regtech software provider for the financial services space. E.J. assists hedge funds, private equity funds, funds of funds, pension advisers, and retail investment advisers in cybersecurity risk assessments, from network vulnerability scanning and penetration testing to policy and control assessments and helping firms implement the NIST cybersecurity framework.  He has authored articles and alerts on emerging regulatory and technology issues, and speaks regularly as a cybersecurity expert at industry conferences and events throughout the country. He is a Certified Information Systems Auditor (CISA®), Certified Information Security Manager (CISM®), and Certified in Risk and Information Systems Control (CRISC™).

Jason Lally is a Vice President and Team Lead for the New York-based Home Office Team, which supports AIG management liability regions on a national basis as a resource for underwriting, coverage expertise, client engagement and product strategy. Jason has 25 years of insurance experience, with 8 years in contract surety and 17 in public commercial management liability. Jason has been with AIG for 17 years and received a B.S. in Finance from Siena College in 1993 and an M.B.A. from Northeastern University in 2009.

Michael is an intellectual property attorney whose practice encompasses trademark and copyright enforcement, technology and licensing transactions, patent and trademark portfolio management, and counseling clients on intellectual property issues that arise in business deals. He also has extensive experience in cybersecurity, privacy, and social media law. His clients range from start-ups to Fortune 500 companies in a broad range of industries, including technology, manufacturing, sports & entertainment, and digital & social media.

The rights enforcement side of Michael’s practice includes trademark, copyright, and patent matters, domain name proceedings, and advising clients on publicity and privacy rights.

Michael’s IP transactional work includes drafting licensing, joint venture, and other agreements involving trademarks and technology. He also frequently conducts due diligence on intellectual property issues related to mergers and acquisitions, securitizations, loans, securities offerings, and other transactions.

Michael has been interviewed on television and quoted in national media outlets on file-sharing and copyright issues. Along with appearing on Bloomberg Television and Reuters Television, he has been quoted in the Washington Post, San Francisco Chronicle, Above the Law, The Guardian of London and The Daily Deal, and other news outlets. He teaches social media law as a lecturer in law at the University of Pennsylvania Law School and an adjunct professor at Benjamin N. Cardozo School of Law.

Prior to joining Mintz, Michael was chair of the intellectual property group at a New York-based international law firm, where he was a partner for a decade. Earlier, he was a partner at a Washington, DC-based national law firm; a counsel and associate at another New York-based global law firm; and an associate at a New York-based intellectual property law firm.

Rhonda Barnat

As one of the country’s leading crisis management advisers, and head of the firm’s crisis management practice, Rhonda Barnat has been involved in helping corporations and non-profits through some of their most defining moments and some of the most visible issues of our time.

Rhonda is an expert in helping companies and non-profits move through an issue and return to normal with their reputations intact.  She is often called upon to assemble the specialized teams that are required when a major crisis befalls an institution.

She is a frequent speaker on crisis communications and crisis management throughout the United States and Europe. In addition, Rhonda works with clients in complex mergers and acquisition situations, including proxy contests. Other clients look to her for specialized media and presentation training as part of an overall strategic program. Many national and international insurance companies have selected her and the firm for crisis communications and management in complex situations on behalf of their policyholders.