Chris Cwalina

Global Head of Cybersecurity and Privacy
Norton Rose Fulbright US LLP

Chris Cwalina

Chris Cwalina



Chris Cwalina is the Global Head of Cybersecurity and Privacy at Norton Rose Fulbright.  He concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations, primarily involving sophisticated threat actor groups and advanced persistent threats focused on critical infrastructure entities. Having been in-house for a decade, Chris understands clients' challenges, priorities, and concerns, and knows what clients expect from their outside counsel. 

Chris has managed some of the largest data breaches that have occurred. He began his career in privacy as vice president and assistant general counsel at ChoicePoint Inc., where he ran the company's Privacy, Compliance, Ethics and Credentialing Department and helped lead the company's response to the first publicly-reported data breach. This occurred at a time when only one state breach notification law had been enacted. While at ChoicePoint, Chris helped the company respond to a Federal Trade Commission (FTC) investigation and complaint, Congressional inquiry, a U.S. Securities and Exchange Commission (SEC) investigation, an investigation and complaint brought by a coalition of state attorneys general offices, as well as managed a number of class-action complaints.

Since the inception of state breach notification statutes, Chris has helped companies respond to countless cybersecurity events, incidents, and data breaches, on an international scale, involving external and internal threats and sophisticated threat actors with a variety of motives. He has handled theft of credit card data, intellectual property, trade secrets and confidential company information, health information, employee information, personal data and personally identifiable information.

Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing appropriate governance and organizational structures, incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.

As soon as a security incident occurs, Chris serves as "breach coach" and works closely with CISOs and SIRTs assisting his clients with leading the investigation, containment and remediation of the incident, and developing effective communications, which are designed to preserve customer relationships and minimize the likelihood and consequences of litigation and regulatory investigations. Chris also helps companies deal with the fallout of an incident by responding to resulting state, federal and international regulatory inquiries and investigations. He also defends clients in related litigation, including actions brought by consumers, shareholders, employees, and others.

Chris has represented companies in a wide range of industries, including a number of companies in critical infrastructure sectors, energy, oil & gas, communications, retail, transportation, hospitality, life sciences and healthcare, insurance, financial services, technology, advertising and marketing, entertainment, and education.

 Chris brings his years of experience to provide proactive counsel on the complex regulatory issues pertaining to cybersecurity and privacy programs and data collection, use, maintenance, transfer, and sharing. He regularly presents to boards of directors and advises on governance and cybersecurity risk disclosure obligations. He advises clients on regulatory issues and legislative affairs pertaining to the full range of cybersecurity, data governance, data privacy and cross-border transfer issues with a focus on technology, mobile and online practices. Chris also provides counsel on compliance with COPPA, GLBA, HIPAA, FCRA, ECPA, CPNI Rules, TCPA, and other state and federal privacy and security laws as well as international privacy laws, regulations and directives, including the EU General Data Protection Regulation (GDPR).

Professional experience

Expand all Collapse all

JD, University of Baltimore School of Law
BA, Gettysburg College

  • District of Columbia Bar
  • Maryland State Bar

Data Breach and Security:

  • Helped develop and lead incident response for a number of transportation companies in responding to global security incidents involving nation state actors and sophisticated financially motivated attack groups. 
  • Managed incident response for one of the largest generator of electricity from natural gas and geothermal resources in the United States, as well as one of the largest retail providers of power.
  • Assisted oil and gas exploration and development company and oil and gas upstream, midstream, and downstream services company  in evaluating cybersecurity program maturity and conducting penetration and vulnerability assessments.  
  • Successfully closed U.S. federal investigation and investigations brought by international data protection authorities related to one of the largest ever publicly reported data breaches.
  • Assisted companies in developing incident response and preparedness programs, including conducting exercises and simulations.
  • Lead variety of  investigations pertaining to internal and external threat actors, including nation state sponsored attacks. 
  • Assisted numerous companies, in a variety of industries, with responding to and mitigating data breaches and requirements under state, federal, and international data breach notifications laws.
  • Represented companies responding to state attorneys general, federal regulators, and international data protection authorities, following security incidents.

Privacy-Related Class Action Litigation Defense and Regulatory Defense:

  • Represented companies in relation to state attorneys general inquiries, federal and international regulator inquiries, including Civil Investigative Demands (CIDs), subpoenas and investigations.
  • Represented several companies in class action litigation related to internet tracking, the use of cookies and flash cookies.
  • Represented companies in litigation resulting from data breach and security incidents.
  • Represented companies in relation to FTC inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations
  • Represented mobile app companies in relation to privacy-related class action.

General Compliance and Corporate Governance:

  • Provided advice to Boards on corporate governance obligations pertaining to cybersecurity.
  • Provided advice to numerous companies with respect to the use of personally identifiable information including geo-location information and persistent identifiers..
  • Provided counseling for large communication provider, software companies and mobile app developers with respect to issues pertaining to security, encryption and authentication.
  • Provided strategic advice and counsel on local, national and international privacy and data protection and data transfer laws for numerous companies.
  • Assisted numerous companies in drafting, design and implementation of internal company policies, including information security, data and records management and retention, data classification and handling, device management and Bring Your Own Device policies, codes of conduct, white papers, marketing materials, vendor white lists and internal policies on Internet tracking.
  • Drafted, developed and assisted drafting disclosures pertaining to privacy and data security, including privacy policies, privacy statements, terms of use and end-user license agreements.
  • Conducted internal investigations related to security breach incidents.
  • Advised large retailers with respect to geo-fencing projects.


  • Represented health care entities in responding to OCR investigations relating to allegations of privacy and security violations.

Technical and Specialized Engagements:

  • Conducted quarterly website reviews, analyzing network traffic and assist in developing controls and revising disclosures, for large communications companies.
  • Conducted deep-dive mobile app privacy reviews, analyzing network traffic and assisted in developing controls and disclosures, for numerous companies including mobile app developers.

Contracting and Due Diligence:

  • Conducted due diligence in relation to numerous merger and acquisition transactions that presented privacy and cybersecurity-related risks including when data was primary asset in the deal and in data transfer situations.
  • Negotiated service level agreements in a range of privacy and security-related circumstances, including those related to data centers, cloud computing services, IT outsourcing and PCI-DSS compliance, for numerous companies.

Legislative and Regulatory:

  • Revised proposed legislation pertaining to privacy and cybersecurity issues.
  • Represented numerous companies on Capitol Hill with respect to issues pertaining to cybersecurity, mobile privacy, data brokers, online privacy and children's privacy
  • BTI Client Service All-Star Most Viewed by Clients, The BTI Consulting Group, Inc., 2023
  • Chambers USA, Nationwide: Privacy and Data Security, Chambers and Partners, 2023
  • BTI Client Service All-Star, The BTI Consulting Group, Inc., 2022
  • The Legal 500 USA, Recommended Lawyer, General Commercial Disputes, The Legal 500, 2019, 2021
  • The Legal 500 USA, Recommended Lawyer, Cyber Law (Data Privacy and Data Protection), The Legal 500, 2021-2023
  • The Legal 500 USA, Media, Technology and Telecoms - Technology: Data Protection and Privacy, 2011
  • ABA Privacy Law Specialist designation, American Bar Association, IAPP, 2018
  • Co-author, "How to navigate Advanced Persistent Threat (APT) intrusions," New York Law Journal, March 2020
  • Co-author, "CCPA:  'Wait and see' is not the right approach," Norton Rose Fulbright Data Protection Report, August 29, 2019
  • "A Necessary Paradigm: Leveraging Legal Counsel to Mitigate Cyber Risk," Insurance Law Committee Update of the International Bar Association Legal Practice Division, March 2017
  • "CFPB Expands UDAAP Jurisdiction in First Foray into Data Security Enforcement," The Banking Law Journal, May 2016
  • "How to Avoid Choosing the Wrong Cybersecurity Firm," JD Supra Perspectives, JD Supra,  June 2, 2015
  • "Views on Data Security Readiness," Bloomberg BNA Privacy and Security Law Report, Bloomberg, December 15, 2014
  • Co-author, "Mobile Apps Targeted That Don't Have Privacy Policies," Daily Business Review, December 21, 2012
  • Co-author, "Study Criticizing Android Apps Was Pretty Lame," Law360, December 3, 2012
  • Co-author, "FTC Publishes New Privacy Guidelines for Mobile Apps," Digital Technology & E-Commerce Blog, November 15, 2012
  • Co-author, "The New Corporate Approach To Privacy Compliance," Law360, July 31, 2012
  •  "Making Your Privacy Policy Comprehensive and Comprehensible," Corporate Counsel, September 2011
  • "Preparing for and Responding to Cyber Incidents and Breaches," Florida Education Law Committee, April 20, 2018
  • "Navigating A Cyber Attack Scenario," FireEye, November 29, 2017
  •  "Scenario Discussion," National Defense Industrial Association InCyber DFARS Workshop, November 1, 2017 
  • "Threat Actor Hunting: Tools, Techniques, and Procedures and How to Counter," Privacy & Security Forum, October 4-6, 2017
  •  "APT Actor Hunting & Evolution of Techniques and Importance of Advanced Analytics in Incident Response," Cybertech Fairfax, June 13, 2017
  •  "Compliant, Resilient and Confident: Creating and Managing a CS-IRP That You Can Count On," Webinar, Coalfire, June 7, 2017
  • "Intersection of Forensics and Legal Risk: Conducting a Forensic Investigation with Attorneys: Lessons Learned," FireEye Cyber Defense Summit 2016, November 28-30, 2016
  • "Perfecting the Art of Crafting Privacy Notices," International Association of Privacy Professionals (IAPP), March 17, 2016
  • "Federal Trade Commission Up Close: Practical Considerations Related to Data Privacy, Security and Other Priorities," Implementing a Data Privacy and Security Program in Your Company; Data Privacy and Security and Other Issues Related to Mergers and Acquisitions (M&As), Association of Corporate Counsel Central Florida, February 9, 2016
  • "Data Breach - When to Bring in the Experts," IAPP Practical Privacy Series, November 17, 2015
  •  "Cyber Danger in the Retail World: Data Security Breaches and How Best to be Ready," ICSC Law Conference, October 29, 2015
  •  Moderator, "Florida Chamber International Days," Cyber Security Panel, April 7-9, 2015
  • Speaker, "2015 Food Marketing Institute (FMI)," March 22-23, 2015
  • "Managing Data Security Risks: Hoping for the Best is Not a Strategy," Ethics and Compliance Association Annual Meeting, Dallas, March 18, 2015
  • Speaker, "Data Breach Preparedness: What You Should Be Doing Before the Next Breach Happens," February 11, 2015
  • "Top Mistakes Learned from IT, PR, and Legal Perspective - If Everyone Knows Them, Why Do Companies Keep Making Them?", 2nd Annual Caribbean Corporate Counsel Summit 2014, November 6-7, 2014
  • "Insider Abuse of Its Systems," Bank Security Conference CELAES 2014, September 22, 2014
  • "When the Regulators Come Knocking or Other Bad Stuff Happens," IAPP Privacy Academy and CSA Congress 2014, September 19, 2014
  • "The New Privacy Threat Model," SCCE East Coast Regional Compliance & Ethics Conference, May 9, 2014
  •  "Consumer Privacy, Data Security and Cyber Liability," D.C. Bar, February 26, 2014
  •  "Top 10 Mistakes in Responding to Cyber Breaches," Florida International Bankers Association (FIBA) Program, February 20, 2014
  •  "Cybersecurity and Data Breaches: Protect Your Company and Its Reputation from Threat Actors and Regulators," Economic Forum of Palm Beach County, February 18, 2014
  • "The FTC's 100th Year: Commissioner Ohlhausen on the Future of the Federal Trade Commission," TechFreedom and the International Center for Law Economics Event, September 27, 2013
  • "COPPA: The Past, Present & Future of Children's Privacy & Media," TechFreedom Livestream event, July 8, 2013
  • Israeli Ministry of Economy/BIRD Foundation Cybersecurity Delegation Networking Seminar, May 30, 2013
  • "Recent Enforcement Actions and Current Enforcement Priorities of the FTC," International Association of Privacy Professionals (IAPP), April 25, 2013
  • "Mobile Privacy and Security: The Current Regulatory Landscape and New Risk Threat Model," April 16, 2013
  •  "Privacy: The Large Scale Issues, Advertising Trends in Consumer Class Actions," Institute for Information Law & Policy, New York, NY, April 2, 2013
  • "Business Access to Information – What Bargains Have Employees and Consumers Struck?", ABA Forum on Communications Law and FCBA Privacy & Date Security Symposium, March 20, 2013
  • "PHI Protection Network Forum on PHI Security," The Evolving Legal Landscape, March 12, 2013
  • "A Side-by-Side Comparison of EU-U.S. Data Transfer Options," IAPP Global Privacy Summit, March 8, 2013
  • "Mobile Privacy Policy or Lawsuit?" Digital Kids Safety Summit, February 11, 2013
  • "Launching a Career in Privacy," IAPP KnowledgeNet, February 6, 2013
  • "COPPA Boot Camp - Practical Steps Towards Compliance," January 28, 2013
  • "Final Amendments to the FTC's COPPA Rule," Law Seminars International Teleconference, January 18, 2013
  • "Online and Mobile Privacy," Chief Privacy Officer Council, The Conference Board, May 2012
  • "Designing Privacy for the Mobile Environment," IAPP Web Conference, April 2012
  • "Mobile Data Protection - The Call for Privacy and Security for Wireless PII," IAPP Global Summit, March 2012
  • "Data Breach Compliance and Response: Lessons Learned," IAPP Web Conference, January 2012
  • "The Race Between Technology and Legal Departments' Ability to Deliver on Consumers' (and Regulators') Privacy Expectations," National Retail Federation, General Counsel Forum, January 2012
  • "How to Craft Plain Language Privacy Notices," IAPP Web Conference, October 2012
  • "Privacy by Design," IAPP Global Summit, Pre-Conference Workshop, March 2011
  • "Consumer Data Transactions: What Happened in 2010 and What is Likely in 2011?", IAPP Practical Privacy Series, December 2010
  • Privacy & Cybersecurity Law Report, Board of Editors
  • International Association of Privacy Professionals, Privacy Law Bar Section Advisory Board Member
  • International Association of Privacy Professionals, Certified Information Privacy Professional (CIPP)
  • IAPP KnowledgeNet, Washington, D.C., Co-Chair