F. Paul Pittman

Partner, Washington, DC



Paul Pittman specializes in data privacy and cybersecurity, providing strategic legal and business advice for a variety of commercial and financial clients.

As a partner in the Data, Privacy & Cybersecurity Practice, Paul represents clients in the financial, consumer and technology space on a multitude of privacy and security issues that arise in the collection and processing of consumer and business data, and the management of information and operational systems under state, federal and international laws and standards.  Paul advises his clients on compliance with data privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the New York Department of Financial Services Cybersecurity Regulation, the Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), the Children’s Online Privacy Protection Act (COPPA) and the EU General Data Protection Regulation (GDPR).  His practice also includes guiding companies in responding to security incidents and data breaches by managing internal forensic investigations, addressing legal obligations and engaging with regulators.  Paul collaborates with clients to identify data privacy and security issues that may arise in their business operations and products, including connected devices (IoT) and FinTech, and assists them with the development of compliant data privacy and cybersecurity programs.  In addition, he counsels clients on the permissible handling of data consistent with online and mobile data privacy and security standards.

Paul also advises global clients on all data privacy and cybersecurity matters that arise in corporate transactions, including mergers, acquisitions, financings and securities offerings.

Paul offers his clients extensive experience defending against complex commercial and state attorney general litigation.  Paul has represented Global Fortune 10 companies and other entities in diverse actions, including privacy, digital media, intellectual property, and product liability actions, in state and federal courts.

A knowledgeable and engaged advocate, Paul works to understand his client’s business and develops creative strategies to protect client interests and minimize risks.  Clients benefit from Paul’s ability to apply his technical understanding to overcome challenges associated with implementing compliant privacy and security processes while reducing potential legal exposure.

He is a Certified Information Privacy Professional (CIPP/US) and a member of the International Association of Privacy Professionals (IAPP).

Bars and Courts
District of Columbia
New York
Washington and Lee University School of Law
Allegheny College


Some representative matters include:

  • Advise industry leading global e-commerce technology company on developing data privacy, advertising and marketing strategy and compliance program under applicable data privacy laws including the California Privacy Rights Act.
  • Guided over a dozen companies, including retail, technology, social media, hospitality and electronic device companies through assessing applicability and compliance obligations, and directing implementation activities, under the California Consumer Privacy Action.
  • Advised global social media company on data privacy issues relating to the development and introduction of virtual wallet.
  • Advised global online marketplace on permissible collection, use and disclosure of personal health information pursuant to HIPAA in emerging business line.
  • Counseled an online advertising provider on permissible data collection and usage, and on development of a privacy notice to comply with online and mobile data industry standards such as DAA and NAI.
  • Guided over 50 companies in the financial, e-commerce healthcare, retail and banking industries in responding to data security incidents and data breaches, including directing forensic investigations and navigating notification obligations under state, federal and international laws following cyberattacks, including:
    • a global cybersecurity company through incident response efforts, including law enforcement interface, to successfully resolve software supply chain attack that resulted in the infection of millions of customer computers with malware.
    • a global hotelier through a data breach involving millions of potentially impacted individuals at hundreds of locations spanning 50 countries.
    • an online retailer through responding to, and investigating, a data breach involving the alteration of webpage code that enabled the collection of credentials and other personal information entered into the webpage.
    • a historic entertainment complex through data breach impacting the payment card information of half a million visitors.
  • Conducted numerous “tabletop” exercises with company executives and information technology teams to assess preparedness, and advise on implementation of incident response plan.
  • Represented companies on privacy and data security matters in corporate transactions, including mergers, acquisitions, securitizations, financings and securities offerings, including:
    • Saudi Arabian Oil Company (Saudi Aramco) on its US$25.6 billion IPO—the world’s largest IPO to date.
    • Jack in the Box, in connection with a US$1.3 billion initial issuance and sale of asset-backed notes under a whole business securitization.
    • Guggenheim Securities, in its US$1.9 billion initial issuance and sale of asset-back certificates of Domino’s under a whole business securitization.
    • Brookfield Infrastructure, a global infrastructure company, in connection with the US$2.6 billion acquisition of Cincinnati Bell Inc. (CBB).
    • Tufin Software Technologies Ltd. (NYSE:  TUFN), a provider of policy management software, in its US$108 million initial public offering on the New York Stock Exchange.
    • Brookfield Infrastructure, a global infrastructure company, in connection with the US$8.4 billion acquisition of Genesee & Wyoming, Inc.
    • Guggenheim Securities, in its US$1.2 billion initial issuance and sale of asset-backed notes of Planet Fitness under a whole business securitization.

International Comparative Legal Guide to Data Protection 2019 published, 2020

Cyber-Security Legal Handbook (Rechtshandbuch Cyber-Security), Gabel/Heinrich/Kiefner (Eds.), Frankfurt am Main, 2019

White & Case Technology Bulletin

  • Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law, November 13, 2020
  • Building a Robust Biometric Compliance Program in the US: A Five-Step Checklist, November 9, 2020
  • US Treasury Advises on Potential Sanctions Risks Raised by Ransomware Attacks, October 12, 2020
  • US Cybersecurity Standards to Get Tougher and More Specific: FTC and NYDFS Lead the Way, September 9, 2020
  • The California Consumer Privacy Act Regulations Are Finally Here, But Wait There’s More, August 17, 2020
  • COVID-19 and Data Protection Compliance in the US, April 15, 2020
  • Ensuing an Effective Cybersecurity Program: Best Practices from the SEC and OCIE, March 30, 2020
  • UK Business Exposure To The California Consumer Privacy Act 2018 ("CCPA"), January 31, 2020
  • Navigating Privacy and Cyber Incident Notification and Disclosure Requirements, November 4, 2019
  • CCPA 100-Day Compliance Checklist: It's Not Just About the Privacy Policy, September 23, 2019
  • New York Continues State's Charge to Protect Consumer’s Personal Information, August 2, 2019
  • Nevada Imposes October 2019 Deadline to Implement New Privacy Restrictions on the Sale of Personal Data, June 7, 2019
  • A Slice of GDPR in California?, May 1, 2019
  • Cybersecurity and the UK Legal Landscape, May 1, 2019
  • Sign and Submit by February 15, 2018: NYDFS Cybersecurity Certification Due Date Nears as Additional Compliance Requirements Close In, January 4, 2018
  • SEC Extends Cybersecurity Enforcement in $1 Million Settlement With Investment Advisor, October 4, 2018
  • Cybersecurity: Regulators Show Their Teeth, September 20, 2017
Awards and Recognition

Certified Information Privacy Professional (US), International Association of Privacy Professionals