Performed Privacy Impact Assessments and Data Protection Impact Assessments under GDPR to implement network and endpoint-based log monitoring controls that process employee data. Developed and implemented privacy and data security management programs under GDPR, HIPAA, FTC Act, and state privacy laws. Developed information security management and data privacy programs under the ISO 27000, ISO 27017, and ISO 27701 frameworks. Acted as product counsel for implementing privacy controls and social media integration policies on IoT software and apps (PbD) processing consumer health and geolocation data. Acted as product counsel for an online travel agency to implement privacy controls for the secondary use and analysis of de-identified consumer data. Drafted and negotiated data ownership, aggregation, and secondary usage terms in SaaS agreements. Advised on privacy breaches resulting from incorrect privacy settings for the AWS S3 bucket. Created and performed data privacy and data security training programs. Drafted and negotiated DPAs under GDPR, CCPA, and CPRA for controllers, processors, and service providers. Acted as project counsel to perform an information security risk assessment under the NIST Risk Management Framework. Advised global businesses on cross-border data transfers, data sovereignty, localization, and government surveillance. Advised on deidentification of non-public PII shared with product teams: hash & salt of user ID; abstracting geo location; converting device ID to product name; partition and encryption of event fields; and partition of databases together with access controls. Applied privacy requirements to app development models and app interfaces based on security, information type, and provenance requirements under data utility, risk appetite, acceptable risk, control cost, and privacy risk considerations. Represented a global energy company as its incident response counsel. Performed cybersecurity maturity and insider threat assessment. Provided counsel to a U.S. manufacturing company victimized by a business email compromise. Worked with forensic teams to discover the breach’s root cause. Represented a global hotel chain against its vendor that suffered from a breach exposing customers' credit card and PII at over 32,000 hotels across 120 countries. Counseled a nationwide retailer on the breach of consumer PII caused by the injection of keylogger malware. Advised a foreign financial institution in responding to the Equifax data breach for customer communications, contractual obligations, regulatory notifications, and indemnification claims. Designed and played APT ransomware simulation tabletops for a Fortune 500 client. Performed vulnerability assessments; implemented vertically and horizontally interacting multi-regional incident response teams operating on segmented communications platforms. Provided training based on a retail network attack simulation tabletop for a U.S.-based client to assess its compliance with PCI DSS, FTC, and CFPB regulatory framework. Simulated a supply-chain attack for a U.S.-based industrial manufacturer based on Shadowpad and Kingslayer cyberattacks targeting cyber espionage on protected intellectual property. Developed an APT-attack monitoring policy for a U.S.-based client built on indicators of threat analysis. Developed a simplified but comprehensive incident response plan based on various attack vectors. Provided counsel for pen-testing on a U.S.-based smart grid for compliance with the Homeland Security Guidelines on critical infrastructure. Created a risk analysis report for a U.S.-based energy company assessing its zero-trust vulnerabilities. Recommended tailored SIEM technologies based on threat intelligence and geopolitical threat vectors analysis.
