- Advising a large Fortune 10 health care organization through a ransomware attack, helping to lead the incident response efforts.
- Advised a prominent telecommunications provider in developing a comprehensive cyber crisis response plan to address the evolving cyber threat landscape.
- Representing multiple financial services organizations in regulatory investigations and examinations related to the company’s cybersecurity program, including the New York state attorney general and New York Department of Financial Services.
- Advised various public companies in navigating recent SEC cybersecurity disclosure rules.
- Advised multiple Fortune 500 companies experiencing cybersecurity incidents, including ransomware attacks, requiring complex forensic investigation, and extensive data review and restoration processes, as well as in follow-on regulatory inquiries.
- Advised a large, franchised restaurant group in developing a comprehensive written information security program.
- Advised multiple premier private equity companies in connection with cyber, web scraping and data privacy diligence for M&A transactions.
- Assisted a national auto lender in evaluating its cybersecurity maturity and prepare for multistate financial examination, assessing its IT infrastructure and practices against the New York State Department of Financial Services cybersecurity requirements.
- Advised various companies, including companies in the fintech, social media, and retail spaces on compliance with CCPA.
- Advised an identity access provider on the implementation of biometric identification for authentication and use of data for machine learning.
- Advised multiple SEC-registered investment advisers, broker-dealers, and public companies on their cybersecurity policies and procedures, including their cyber disclosures.
- Assisted large retail, telecommunications, and financial services companies in tabletop exercises of clients’ incident response plans.
- Phone: +1 212 905 9301
- Email: lance.taubin@alston.com
Lance Taubin advises clients on cybersecurity and data privacy issues, including cybersecurity breach preparedness and response, cybersecurity and privacy compliance and enforcement, managing cyber risk, technology transactions, and M&A diligence. Lance’s work includes working with companies to proactively plan for a crisis and develop strategies to improve cyber resiliency, responding to cybersecurity incidents effectively, providing privacy, cybersecurity and artificial intelligence product counseling, assisting organizations in building and operationalizing privacy and cybersecurity programs, and various privacy, cyber, and IT issues in technology transactions and M&A. Lance provides counsel to a variety of companies, from startups to large multinational public companies, in various industries, including financial services, health care, telecommunications, retail, and technology.
Before joining private practice, Lance served as the Senior Vice President – Assistant General Counsel & Data Security Officer at a global business travel group where he was responsible for advising the company on the ever-changing data privacy and cybersecurity legal and regulatory landscape, including the GDPR and the CCPA. Additionally, Lance managed various matters relating to M&A diligence and technology transactions. Lance also fielded and managed a wide range of legal issues and projects, working closely with IT, information security, product/engineering team, and other key internal departments.
Lance is a Certified Information Privacy Professional, United States (CIPP/US and CIPM).
-
Blog Posts May 6, 2025DOJ Settles False Claims Act Case with MORSECORP Over Cybersecurity Program
On March 26, 2025, the United States Department of Justice (DOJ) announced that it had reached an agreement with MORSECORP Inc. (MORSE) to settle alleged violations of the False Claims Act (FCA), specifically regarding MORSE’s cybersecurity program. The DOJ and MORSE—a government contractor that provides services to both the Departments of the Army and Air […]
The post DOJ Settles False Claims Act Case with MORSECORP Over Cybersecurity Program appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
Blog Posts May 6, 2025DOJ Settles False Claims Act Case with MORSECORP Over Cybersecurity ProgramOn March 26, 2025, the United States Department of Justice (DOJ) announced that it had reached an agreement with MORSECORP Inc. (MORSE) to settle alleged violations of the False Claims Act (FCA), specifically regarding MORSE’s cybersecurity program. The DOJ and MORSE—a government contractor that provides services to both the Departments of the Army and Air […]
The post DOJ Settles False Claims Act Case with MORSECORP Over Cybersecurity Program appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
-
Blog Posts May 1, 2025Additional Cybersecurity Requirements of NYDFS Part 500 Take Effect Today
Today, on May 1, 2025, additional enhanced cybersecurity controls required by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) (the “Second Amendment”) take effect. Although the Second Amendment was originally adopted in November of 2023, NYDFS established a multi-year rollout of the Second Amendment’s requirements, […]
The post Additional Cybersecurity Requirements of NYDFS Part 500 Take Effect Today appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
Blog Posts May 1, 2025Additional Cybersecurity Requirements of NYDFS Part 500 Take Effect TodayToday, on May 1, 2025, additional enhanced cybersecurity controls required by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) (the “Second Amendment”) take effect. Although the Second Amendment was originally adopted in November of 2023, NYDFS established a multi-year rollout of the Second Amendment’s requirements, […]
The post Additional Cybersecurity Requirements of NYDFS Part 500 Take Effect Today appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
-
Advisories April 16, 2025Privacy, Cyber & Data Strategy Advisory | Cybersecurity Controls: What Do Regulators Expect Nowadays?Our Privacy, Cyber & Data Strategy Team highlights the increasingly specific cybersecurity controls identified by regulators, explains why these enhanced cybersecurity controls have become the focus of regulators, and shares practical tips for companies navigating this rapidly evolving territory.Advisories April 16, 2025Privacy, Cyber & Data Strategy Advisory | Cybersecurity Controls: What Do Regulators Expect Nowadays?Our Privacy, Cyber & Data Strategy Team highlights the increasingly specific cybersecurity controls identified by regulators, explains why these enhanced cybersecurity controls have become the focus of regulators, and shares practical tips for companies navigating this rapidly evolving territory.
-
In the News March 3, 2025JD Supra | 2025 Readers Choice AwardsKirk Bradley, Kim Peretti, Rob Stone, Tim Trysla, and Lance Taubin are noted as top authors in JD Supra’s 2025 “Readers Choice Awards.”In the News March 3, 2025JD Supra | 2025 Readers Choice AwardsKirk Bradley, Kim Peretti, Rob Stone, Tim Trysla, and Lance Taubin are noted as top authors in JD Supra’s 2025 “Readers Choice Awards.”
-
Blog Posts January 21, 2025FTC Announces Proposed Settlement with GoDaddy Incorporating Prescriptive Cybersecurity Requirements
On January 15, 2025, the Federal Trade Commission (FTC) announced a proposed settlement with GoDaddy Inc. (GoDaddy) for making false or misleading representations about their security practices in violation of Section 5 of the FTC Act. GoDaddy, a website hosting company, serves approximately 5 million customers. In the complaint, the FTC indicated that although GoDaddy […]
The post FTC Announces Proposed Settlement with GoDaddy Incorporating Prescriptive Cybersecurity Requirements appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
Blog Posts January 21, 2025FTC Announces Proposed Settlement with GoDaddy Incorporating Prescriptive Cybersecurity RequirementsOn January 15, 2025, the Federal Trade Commission (FTC) announced a proposed settlement with GoDaddy Inc. (GoDaddy) for making false or misleading representations about their security practices in violation of Section 5 of the FTC Act. GoDaddy, a website hosting company, serves approximately 5 million customers. In the complaint, the FTC indicated that although GoDaddy […]
The post FTC Announces Proposed Settlement with GoDaddy Incorporating Prescriptive Cybersecurity Requirements appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
-
General Publications January 15, 2025“Five Steps for Effective Board Oversight on Cybersecurity Breach Response,” Cybersecurity Law Report, January 15, 2024.This article discusses the evolving regulatory and litigation landscape impacting cybersecurity risk governance for corporate boards.General Publications January 15, 2025“Five Steps for Effective Board Oversight on Cybersecurity Breach Response,” Cybersecurity Law Report, January 15, 2024.This article discusses the evolving regulatory and litigation landscape impacting cybersecurity risk governance for corporate boards.
-
Advisories January 7, 2025Health Care / Privacy, Cyber & Data Strategy Advisory | New Year, New HIPAA Security Rule: OCR Adds to Health Care Entities’ New Year’s ResolutionsThe Biden Administration’s Office for Civil Rights delivered on its promise to propose an update to the HIPAA Security Rule. Our Health Care and Privacy, Cyber & Data Strategy groups summarize key points from the new rule and consider the rule’s future in the incoming Trump Administration.Advisories January 7, 2025Health Care / Privacy, Cyber & Data Strategy Advisory | New Year, New HIPAA Security Rule: OCR Adds to Health Care Entities’ New Year’s ResolutionsThe Biden Administration’s Office for Civil Rights delivered on its promise to propose an update to the HIPAA Security Rule. Our Health Care and Privacy, Cyber & Data Strategy groups summarize key points from the new rule and consider the rule’s future in the incoming Trump Administration.
-
Blog Posts October 29, 2024Summary of Changes from DoD CMMC Proposed Rule to Final Rule
On October 11, 2024, the Department of Defense (“DoD”) issued its Final Program Rule for the Cybersecurity Maturity Model Certification (“CMMC”) Program. The Final Rule is a signal to federal contractors to develop compliance programs pertaining to CMMC in advance of the implementation of CMMC (likely next year). The CMMC program is designed to ensure […]
The post Summary of Changes from DoD CMMC Proposed Rule to Final Rule appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
Blog Posts October 29, 2024Summary of Changes from DoD CMMC Proposed Rule to Final RuleOn October 11, 2024, the Department of Defense (“DoD”) issued its Final Program Rule for the Cybersecurity Maturity Model Certification (“CMMC”) Program. The Final Rule is a signal to federal contractors to develop compliance programs pertaining to CMMC in advance of the implementation of CMMC (likely next year). The CMMC program is designed to ensure […]
The post Summary of Changes from DoD CMMC Proposed Rule to Final Rule appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
-
Advisories October 24, 2024Privacy, Cyber & Data Strategy Advisory: NYDFS Issues Guidance on Artificial-Intelligence-Related Cybersecurity Risks
Our Privacy, Cyber & Data Strategy Team explores new guidance from the New York Department of Financial Services for covered entities to combat what it considers the most pressing cybersecurity risks of artificial intelligence (AI).
Advisories October 24, 2024Privacy, Cyber & Data Strategy Advisory: NYDFS Issues Guidance on Artificial-Intelligence-Related Cybersecurity RisksOur Privacy, Cyber & Data Strategy Team explores new guidance from the New York Department of Financial Services for covered entities to combat what it considers the most pressing cybersecurity risks of artificial intelligence (AI).
-
Blog Posts October 17, 2024NYDFS Issues Guidance on Artificial Intelligence-related Cybersecurity Risks
On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an industry letter covering Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks (the “Industry Letter”). The Industry Letter contains guidance for entities regulated by NYDFS (“Covered Entities”) in assessing and responding to cybersecurity risks related to the use […]
The post NYDFS Issues Guidance on Artificial Intelligence-related Cybersecurity Risks appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
Blog Posts October 17, 2024NYDFS Issues Guidance on Artificial Intelligence-related Cybersecurity RisksOn October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an industry letter covering Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks (the “Industry Letter”). The Industry Letter contains guidance for entities regulated by NYDFS (“Covered Entities”) in assessing and responding to cybersecurity risks related to the use […]
The post NYDFS Issues Guidance on Artificial Intelligence-related Cybersecurity Risks appeared first on Alston & Bird Privacy, Cyber & Data Strategy Blog.
Bar Admissions
- New York
- District of Columbia
Education
- Yeshiva University (J.D., 2013)
- University of Rochester (B.A., 2010)
Memberships
- International Association of Privacy Professionals
- Certified Information Privacy Professional (CIPP/US)
- Certified Information Privacy Manager (CIPM)
- Ethical Culture Fieldston School, board of trustees (2023–current)
- Read Ahead Junior Board (2022–2023)
- Privacy, Cyber & Data Strategy
- Technology
- Cybersecurity & Risk Management
- Crisis & Data Breach Response
- Privacy & Cybersecurity Litigation
- California Privacy & the CCPA
- Emerging Technologies & Innovation
- HIPAA/Health Information Privacy, Security & Breach Response
- National Security & Digital Crimes
- Privacy & Cyber Regulatory Enforcement
- Ransomware Fusion Center
- Artificial Intelligence (AI)