Will Daugherty
Head of Cybersecurity, United States
Norton Rose Fulbright US LLP
Biography
Will Daugherty is a nationally recognized leader in data protection and privacy and is a partner in Norton Rose Fulbright's data protection, privacy and cybersecurity group. Clients in a broad range of industries turn to Will for his experience, practical solutions, and thought leadership on managing risks associated with data and technology, including assessing organizations' security postures; developing information security programs; privacy and cybersecurity training for boards, executives and employees; privacy compliance; incident response preparedness; and leading organizations through data security incidents.
Incident Response
Will has led organizations through hundreds of data security incidents, including many of the largest and most complex incidents in the world. Drawing on his prior experience in information technology, Will works closely with incident response teams and CISOs immediately after discovering a potential security incident to develop an effective strategy to understand what happened, contain and remediate the incident, address regulatory requirements, and build an effective communication strategy designed to preserve customer relationships and minimize the likelihood and consequences of regulatory investigations and litigation. In particular, Will is highly sought for his expertise in Payment Card Industry matters, including managing payment card incident investigations, minimizing fees and assessments from the card networks, and counselling on compliance with PCI DSS. Will also specializes in data security counselling of airlines, financial institutions, energy companies, retailers, hospitality and gaming companies, technology companies, and universities.
Disputes & Resolution
Leveraging his experience as a securities regulatory and class-action defense attorney, Will has led entities through investigations by the FTC, SEC, FINRA, US state attorneys general, EU supervisory authorities, and other international data protection regulatory authorities. When class actions arise in connection with data security incidents, Will is an integral part of the class-action defense team providing invaluable insight into the technical and strategic aspects of the incident and developing an efficient and effective defense.
Privacy & Cybersecurity Risk Advisory
Will has also worked with hundreds of organizations to create and enhance existing incident response plans and procedures. Will works with incident response teams, executives, and boards to conduct interactive workshops and tabletop exercises to educate and coach organizations on best practices for handling incidents and improving incident response plans and procedures. With his unique mix of experience in information technology and privacy law, Will works closely with both legal and information technology departments to measure and enhance the organization's security posture, including working with internal and external teams to conduct risk assessments and penetration tests, prioritize security projects and mitigation controls, and continuously measure the organization's privacy and security posture. He also advises clients on a wide range of privacy and data security issues, including issues arising under the Gramm-Leach-Bliley Act, the Electronic Communications Privacy Act, the Critical Infrastructure Protection Reliability Standards, FERPA, CISA, PCI-DSS, the FTC Act, state data protection laws, international data privacy laws, and self-regulatory rules.
A frequent speaker and writer on privacy and data security issues, Will is a recognized leader in the field. Additionally, he has earned the designation of Certified Information Privacy Professional through the International Association of Privacy Professionals.
Professional experience
JD, cum laude, Tulane University Law School, 2005
BS, International Trade and Finance, Louisiana State University, 2001
- Texas State Bar
- Represented publicly-traded manufacturer in ransomware attack impacting national operations and distribution chains, including coordinating the forensic investigation, developing internal and external communications plans, coordinating with federal law enforcement, advising and updating executives on a wide range of issues, and guiding the company through containment and remediation of the incident.
- Represented publicly-traded midstream oil and gas company in connection with an advanced persistent threat group attack into the network, including coordinating the forensic investigation of IT and OT systems, coordinating with law enforcement, updating and advising executives and the board of directors on the incident, and developing and implementing a containment strategy.
- Represented global retailer in connection with a payment card incident involving card-present transactions on point-to-point encryption devices, including all aspects of the internal forensic investigation, Payment Card Industry Forensic Investigation, communications strategy, resolving regulatory inquiries and investigations, and class-action defense.
- Represented publicly-traded global electronics manufacturer in a sophisticated ransomware attack impacting operations worldwide, including coordinating the forensic investigation, developing and implementing internal and external communications plans, coordinating with law enforcement agencies, advising on Department of Defense DFARS obligations, and resolving U.S. and international regulatory inquiries.
- Advised international mid-stream oil and gas company on conducting a risk assessment of IT and OT environments, providing recommendations for prioritizing and mitigating risks, and presenting findings to executive and technology teams.
- Represented international, multi-brand dining, hospitality, gaming and entertainment organization in connection with a payment card incident, including coordinating the forensic investigation, advising on card network rules, coordinating with numerous law enforcement agencies, developing and implementing a broad communications plan, and resolving regulatory inquiries.
- Represented global hospitality company in a payment card security incident involving properties all over the world, including all aspects of the internal forensic investigation, Payment Card Industry Forensic Investigation, communications strategy, and notifying and responding to state and international regulators.
- Represented global silicon-chip developer and manufacturer in connection with an advanced persistent threat actor's attack of their network, including all aspects of the incident response, such as interactions with federal law enforcement, coordinating the forensic investigation and advising on global regulatory and compliance issues.
- Advised international retailer on conducting a risk assessment of its IT environments alongside an external security vendor, including assisting with the selection and engagement of the vendor, coordinating interviews and assessment documentation, and presenting findings to the general counsel and chief technology officer.
- Represented major international airline in all aspects of privacy and data protection matters, including drafting incident response plans, conducting tabletop exercises, novel privacy and technology issues, and responding to data security incidents.
- Represented payment processing company in connection with an investigation by the Federal Trade Commission related to a data security incident that was successfully resolved with no action by the FTC.
- Advised national manufacturer of delicatessen foods in connection with a data security incident affecting thousands of employees, including coordinating an investigation with law enforcement, coordinating a forensic investigation, developing communications plans and addressing regulatory issues.
- Advised global automaker in connection with privacy and data security issues involved with development of a semi- and fully autonomous driving program.
- Represented insurance administrator in connection with an incident involving unauthorized access to client databases.
- Advised global oil and gas services company in connection with privacy and data security issues raised in the development of autonomous and semi-autonomous drilling technologies.
- Counseling on the legal risks associated with third-party vendors, global supply chain contracts and customer agreements, including mitigation of risk through contractual protections and ongoing governance.
- Advise public electric utility companies on developing incident response plans, negotiating agreements with incident response vendors, conducting tabletop exercises and responding to data security incidents.
- Advise broker-dealers, investment advisers and investment companies in connection with all aspects of incident response preparedness, compliance with GLBA, and responding to data security incidents.
- Regularly conducts in-house security training and tabletop exercises for companies in a wide variety of industries to build awareness and help companies prepare to effectively and efficiently manage data security threats and incidents.
- Lawdragon 500 Leading Global Cyber Lawyers, Lawdragon, Inc., 2024
- Legal 500 US, Next Generation Partner, Cyber law (including data protection and privacy), The Legal 500, 2020
- Legal 500 US, Recommended Lawyer, Cyber law (including data protection and privacy), The Legal 500, 2016–2017, 2022–2024
- Legal 500 US, Recommended Lawyer, E-discovery, The Legal 500, 2021
- Certified Information Privacy Professional (CIPP/US)
- Speaker, "Protecting Client Information-Cyber Protection Duties as an Attorney," 18th Annual Gas and Power Institute, Houston, Texas, September 27, 2019
- Speaker, "Cyber Losses: Coverage, Trends and Lessons Learned," 2019 Houston Marine & Energy Insurance Conference, September 15-17, 2019
- Panelist, Alliant Energy and Marine Client Forum, Denver, Colorado, February 22, 2019
- Speaker, "Cyber Network Infrastructure & Resiliency," Lloyd's Day at Rice University in Houston, Texas, October 4, 2018
- Speaker, "Blockchain Technology," seminars held by the Professional Liability Underwriting Society in Dallas, Texas, September 12, 2018, and Houston, Texas, September 13, 2018
- Speaker, "Cybersecurity: Building a Comprehensive Incident Response Program," Association of Corporate Counsel (ACC) Houston Symposium, August 30, 2018
- Speaker, "Incident Response and Breach Disclosure," 2018 University of Texas Essential Cybersecurity Law Conference, Houston, Texas, July 25, 2018
- Panelist, FireEye Cyber Response Seminar in Dallas, Texas, June 20, 2018
- Speaker, "Cybersecurity Measures: The Evolution of a Standard," Institute for Law and Technology's Second Annual Cybersecurity and Data Privacy Law Conference, at The Center for American and International Law, Plano, TX, April 3, 2018
- Speaker, "Security of IOT in Critical Infrastructure," Software Information and Industry Association's Deciphering the Internet of Things Program, Houston, TX, November 13, 2017
- Speaker, "Cybersecurity Incident Response Planning," the Leo Cybersecurity Law Conference, Oklahoma City, OK, November 9, 2017
- Speaker, "Cybersecurity Internal Controls and Compliance," University of Texas Essential Cybersecurity Law Conference, Austin, TX, July 27, 2017
- Speaker, "Cybersecurity for Oil & Gas Attorneys: Understanding the Ethical and Legal Obligations," University of Texas Law's Ernest E. Smith Oil, Gas and Mineral Law Conference, April 14, 2017
- Speaker, "Incident Response Planning" at the IAPP Data Protection Intensive, London, UK, March 15, 2017
- Speaker, "Cybersecurity Internal Controls and Compliance," University of Texas Law School's First Annual Cybersecurity Conference, Austin, TX, August 19, 2016
- American Bar Association
- Texas Bar Association
- International Association of Privacy Professionals (IAPP)
- InfraGard Houston Alliance
Insights
2024 Technology, privacy and cybersecurity summit
Webinar | Monday, November 25 - Thursday, November 28, 2024
SEC statement clarifies material cybersecurity incident disclosure requirement
Blog | June 12, 2024
The path to cyber resilience for insurers
Publication | April 18, 2024