Chris Cwalina is the Global Co-Head of Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity and concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations, primarily involving sophisticated threat actor groups and advanced persistent threats focused on critical infrastructure entities. Having been in-house for a decade, Chris understands clients’ challenges, priorities, and concerns, and knows what clients expect from their outside counsel.
Chris has managed some of the largest data breaches that have occurred. He began his career in privacy as vice president and assistant general counsel at ChoicePoint Inc., where he ran the company’s Privacy, Compliance, Ethics and Credentialing Department and helped lead the company’s response to the first publicly reported data breach. This occurred at a time when only one state breach notification law had been enacted. While at ChoicePoint, Chris helped the company respond to a Federal Trade Commission (FTC) investigation and complaint, a Congressional inquiry, a U.S. Securities and Exchange Commission (SEC) investigation, and an investigation and complaint brought by a coalition of state attorneys general offices, and also managed a number of class-action complaints.
Since the inception of state breach notification statutes, Chris has helped companies respond to countless cybersecurity events, incidents, and data breaches, on an international scale, involving external and internal threats and sophisticated threat actors with a variety of motives. He has handled theft of credit card data, intellectual property, trade secrets and confidential company information, health information, employee information, personal data and personally identifiable information.
Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing appropriate governance and organizational structures, incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.
As soon as a security incident occurs, Chris serves as “breach coach” and works closely with CISOs and SIRTs, assisting his clients with leading the investigation, containment and remediation of the incident and with developing effective communications designed to preserve customer relationships and minimize the likelihood and consequences of litigation and regulatory investigations. Chris also helps companies deal with the fallout of an incident by responding to resulting state, federal and international regulatory inquiries and investigations. He also defends clients in related litigation, including actions brought by consumers, shareholders, employees, and others.
Chris has represented companies in a wide range of industries, including a number of companies in critical infrastructure sectors, energy, oil & gas, communications, retail, transportation, hospitality, life sciences and healthcare, insurance, financial services, technology, advertising and marketing, entertainment, and education.
Chris brings his years of experience to provide proactive counsel on the complex regulatory issues pertaining to cybersecurity and privacy programs and data collection, use, maintenance, transfer, and sharing. He regularly presents to boards of directors and advises on governance and cybersecurity risk disclosure obligations. He advises clients on regulatory issues and legislative affairs pertaining to the full range of cybersecurity, data governance, data privacy and cross-border transfer issues with a focus on technology, mobile and online practices. Chris also provides counsel on compliance with COPPA, GLBA, HIPAA, FCRA, ECPA, CPNI Rules, TCPA, and other state and federal privacy and security laws as well as international privacy laws, regulations and directives, including the EU General Data Protection Regulation (GDPR).