F. Paul Pittman

Counsel, Washington, DC



Paul Pittman specializes in data privacy and cybersecurity, providing strategic legal and business advice for a variety of commercial and financial clients.

As counsel in the Data, Privacy & Cybersecurity Practice, Paul advises and represents clients on a multitude of privacy and security issues that arise in the handling of consumer and business data, and the management of information and operational systems under state, federal and international laws and standards. His practice includes guiding companies in responding to data breaches by managing internal forensic investigations, addressing legal obligations and engaging with regulators. Paul also collaborates with clients to identify data privacy and security issues that may arise in their business operations and products, including connected devices (IoT), and assists them with the development of compliant data privacy and cybersecurity programs. In addition, he counsels clients on the permissible handling of data consistent with online and mobile data privacy and security standards.

Paul also advises global clients on all data privacy and cybersecurity matters that arise in corporate transactions, including mergers, acquisitions, financings and securities offerings.

Paul offers his clients extensive experience defending against complex commercial and state attorney general litigation. Paul has represented Global Fortune 10 companies and other entities in diverse actions, including privacy, digital media, intellectual property, and product liability actions, in state and federal courts.

A knowledgeable and engaged advocate, Paul works to understand his client's business and develop creative strategies to protect client interests and minimize risks. Clients benefit from Paul's ability to apply his technical understanding to overcome challenges associated with implementing compliant privacy and security processes while reducing potential legal exposure.

He is a Certified Information Privacy Professional (CIPP/US) and a member of the International Association of Privacy Professionals (IAPP).

Bars and Courts
District of Columbia Bar
New York State Bar
Washington and Lee University School of Law
Allegheny College


Some representative matters include:

  • Guided over 50 companies in the financial, e-commerce healthcare, retail and banking industries on data security incident and breach response and their notification obligations under state and federal laws following cyberattacks or unauthorized access to sensitive customer and business information, including: 
    • a global cybersecurity company through incident response efforts, including law enforcement interface, to successfully resolve software supply chain attack that resulted in the infection of millions of customer computers with malware.
    • a global hotelier through a data breach involving millions of potentially impacted individuals at hundreds of locations spanning 50 countries.  
    • an online retailer through responding to, and investigating, a data breach involving the alteration of webpage code that enabled the collection of credentials and other personal information entered into the webpage.
    • a historic entertainment complex through data breach impacting the payment card information of half a million visitors.
  • Advised over a dozen businesses in the hospitality, retail, device manufacturing, e-commerce industries on applicability, compliance considerations and implementation of the California Consumer Privacy Act.
  • Conducted "tabletop" exercises with company executives and information technology teams to assess preparedness, and advise on implementation of incident response plan.
  • Counseled entities in the online advertising space regarding the permissible data collection and usage, compliance with online and mobile data industry standards such as DAA and NAI.
  • Represented companies on privacy and data security matters in corporate transactions, including mergers, acquisitions, securitizations, financings and securities offerings, including:
    • Saudi Arabian Oil Company (Saudi Aramco) on its US$25.6 billion IPO—the world's largest IPO to date. 
    • I Squared Capital, through its portfolio company American Intermodal Management (AIM), a US-based marine chassis lessor, on is merger with FlexiVan Leasing, the third-largest marine chassis provider in the US. 
    • Jack in the Box, in connection with a US$1.3 billion initial issuance and sale of asset backed notes under a whole business securitization. 
    • Hg, the specialist private equity investor focused on software and service businesses, on its investment in Intelerad Medical Systems, a leading global provider of medical imaging software and enterprise workflow solutions. 
    • Guggenheim Securities, in its US$1.9 billion initial issuance and sale of asset back certificates of Domino’s under a whole business securitization.
    • Tufin Software Technologies Ltd. (NYSE: TUFN), a provider of policy management software, in its US$108 million initial public offering on the New York Stock Exchange.
    • Brookfield Infrastructure, a global infrastructure company, in connection with the US$8.4 billion acquisition of Genesee & Wyoming, Inc.
    • Guggenheim Securities, in its US$1.2 billion initial issuance and sale of asset-backed notes of Planet Fitness under a whole business securitization.
    • CVC Capital Partners in its US$1.8 billion acquisition of ConvergeOne Holdings, Inc. (Nasdaq: CVON), a leading global IT and managed services provider of collaboration and technology solutions.

International Comparative Legal Guide to Data Protection 2019 published, 2020

Cyber-Security Legal Handbook (Rechtshandbuch Cyber-Security), Gabel/Heinrich/Kiefner (Eds.), Frankfurt am Main, 2019

Awards and Recognition

Certified Information Privacy Professional (US), International Association of Privacy Professionals