Randy Sabett

Special Counsel

As an attorney and former crypto engineer, I approach cybersecurity and privacy from all angles; I don't just talk the talk – I also walk the walk.

About Randy

Randy V. Sabett, CISSP, counsels clients on a wide range of cutting-edge cybersecurity, privacy, IoT, IT licensing and intellectual property issues. Randy helps clients develop strategies to protect their information, including advising companies on developing and maintaining appropriate internal controls to meet privacy and cybersecurity requirements. He also drafts and negotiates a wide variety of technology transaction agreements. Having previously served as an in-house counsel to a Silicon Valley startup, Randy employs a pragmatic approach when structuring and negotiating such agreements. He has also counseled numerous clients on a variety of data breach scenarios, including running incident response for major commercial retailers, large financial institutions, on-line service providers and healthcare organizations.

Randy served as a commissioner for the Commission on Enhancing National Cybersecurity for the 44th Presidency. He has been recognized as a leader in Privacy & Data Security in the 2007 – 2023 editions of Chambers USA: America's Leading Lawyers for Business and is listed in the International Who's Who of Business Lawyers. He also was named the Information Security Professional of the Year by the Information Systems Security Association (ISSA) for 2013 and was previously named as one of the "Top 50 Under 45" by the American Lawyer's IP Law & Business magazine. Randy was also recognized as a leading lawyer by Legal 500 US for Media, Technology and Telecoms - Technology Transactions in 2015 and for Cyber Law (Including Data Privacy and Data Protection) in 2016 - 2020, and as a "Top Lawyer" in the area of cybersecurity by Washingtonian Magazine in 2016.

Some of Randy’s specific experience includes counseling clients on:

  • Compliance with relevant international, federal and state laws, regulations and guidance (such as the NIST Cybersecurity Framework and the PCI Data Security Standard)
  • Risk assessment and corporate liability for privacy and data security
  • Identity management, authentication, Public Key Infrastructure (PKI), and federated identity
  • Active defense and issues involving the Computer Fraud and Abuse Act (CFAA), Electronic Communications Privacy Act (ECPA), Digital Millennium Copyright Act (DMCA), and other related cybersecurity laws
  • EU data privacy issues
  • Identity theft and security breaches

Randy previously served as senior technology counsel for a Silicon Valley information security company. Additionally, he has several years of engineering experience in the information security marketplace and has worked in active noise cancellation, as well as having served with the National Security Agency as a crypto engineer. Randy holds two US patents, one in the area of information security (US Patent No. 6,981,149) and the other in the area of active noise cancellation (US Patent No. 5,440,642).

Selected publications & media appearances:

  • Cyber Insiders Series: Podcast on Cyber Risk Management for iHeartRadio (February 2020)
  • Author, "Sabett's Brief," ISSA Journal monthly column (2008-present).
  • Co-author, "CSA and ISACs: Offering Renewed Hope for Information Sharing in the Oil and Gas Industries", 67th Annual Institute on Oil and Gas Law (2016).
  • Co-author, "Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense," University of Maryland, Francis King Carey School of Law, Journal of Business and Technology Law, Vol. 8, Issue 1 (2013).
  • Co-author, "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals," American Bar Association (2013).
  • Appearance on C-SPAN's "Washington Journal," Cyber Security and Federal Policy (April 2011).
  • Co-author, "The Third-Party Assurance Model: A Legal Framework for Federated Identity Management," Jurimetrics, Vol. 50, No. 4 (Summer 2010).
  • Appearance on "PBS NewsHour" with Jim Lehrer, "Cyber Attacks on U.S. Government Put Digital Security in Spotlight" (July 2009).
  • Author, "Widgets, Gadgets, and Badges: Oh My! The New Privacy Concern," BNA Privacy and Security Report (2008).
  • Author, "Metadata: Savior or Pariah?" Council of Bars and Law Societies of Europe (2006).
  • Contributing author, "Encyclopedia of Cryptography and Security," Springer Publishing (2005).
  • Author, "If You Build It, They Will Come: Secure Federated Identity," Colorado Lawyer, Vol. 33, No. 10; p. 41 (2004).
  • Co-author, "X.509 PKI Certificate Policy and Certification Practices Framework," [RFC 3647] (2003). 

Selected activities and speaking engagements:

  • Information Security Media Group, Fraud and Breach Summit NYC (November 2019)
  • Financial Markets Association Legal and Legislative Conference, “Data Privacy and Security in Today’s Financial World” (October 2019)
  • Privacy+Security Forum, “M&A 2019-2020: Cyber/Privacy Diligence After Verizon and Marriott” (October 2019)
  • Information Security Media Group, Fraud and Breach Summit Toronto (September 2019)
  • International Information Sharing Conference, “A View from the Trenches: How a Grass Roots Industry Effort Turned into an ISAO” (August 2019)
  • ISMG Summit, "GDPR, PIPEDA, and Security in the New Privacy World" (June 2019)
  • Private Briefing, FBI and Private Industry, Collaborative Information Sharing (June 2019)
  • Information Security Media Group, Fraud and Breach Summit (May 2019)
  • Georgetown Cyber Security Law Institute (CSLI), “Information Sharing: Three Years After CISA, What’s Working (or Not)” (May 2019)
  • International Conference on Cyber Engagement 2019, "The Challenge of Balancing Privacy & Security in a Rapidly Changing World" (April 2019)
  • General Data Protection Regulation - GDPR At (Almost) One-Year-Old: A Quick Overview For BioPharma (March 2019)
  • RSA Security Conference, “Ransom: A Real-World Case Study in Data Theft, Forensics and the Law” (March 2019)
  • Association of Corporate Counsel, “Privacy Forum Year in Review” (January 2019)
  • Privacy + Security Forum, “Privacy and Security by Design in the IoT” (October 2018)
  • DHS/NSTAC Cybersecurity Moonshot Briefing (September 2018)
  • ABA Webinar, “Cybersecurity Is Not One Size Fits All” (September 2018)
  • ISSA Webinar, “ISSA International Series: Regulation and Legislation” (September 2018)
  • ISMG Security Summit, “Know Your Attacker: Lessons Learned from Cybercrime Investigations” (August 2018)
  • Black Hat, Industry Association Speaker (August 2018)
  • National Charter Schools Conference, “Is Your Charter School Protecting Its Student Data?” (June 2018)
  • ISSA-NOVA, “What’s All the Hype About GDPR and Why Should I Care?” (May 2018)
  • Georgetown Cybersecurity Law Institute, “Incident Response Planning: Are You Ready?” (May 2018)
  • RSA Conference, “Data Integrity: The Elephant Threat in the Room” and “Customer Losses: Who’s Going to Sue You (and What You Can Do About It)” (April 2018)
  • New Paradigms in Cybersecurity & Data Privacy for Law Firms, “Leveraging Artificial Intelligence and Advanced Data Analytics to Combat Data Breaches” (November 2017)
  • IoT Tech Expo North America, “Preparing for the Future of IoT Security” and “An E2E Approach to Tackling Data Security Challenges of the IoT” (November 2017)
  • Privacy + Security Forum, "What Lies at the Intersection of AI and Cybersecurity?" (October 2017)
  • ACC National Capital Region Data Privacy & Security Conference, “Ethics in Big Data” (September 2017)
  • Black Hat, Industry Association Speaker (July 2017)
  • The Cipher Brief Threat Conference, “Cyber Threats: Information Operations, Security and Privacy: A Cipher Speed-Round Briefing” (June 2017)
  • Media Financial Managers Association, “Cybersecurity” (May 2017)
  • Georgetown Cybersecurity Law Institute, “Internet of Things: Emerging Trends and Threats” (May 2017)
  • ISMG Fraud & Breach Prevention Summit, “Artificial Intelligence and Machine Learning: How They Both Intersect with Cybersecurity" (April 2017)
  • InfoSec World 2017, "Watch Out! Yet Another Regulator Is Asking Questions!" (April 2017)
  • ACI 15th Advanced Forum on Cyber & Data Risk Insurance, "Handling of the PCI and Payment Card-Type Breaches" (March 2017)
  • ACC Technology and IP Forum Boot Camp: Cloud Services and Vendor Management, "Doing Business in the Cloud in 2017 – Key Contract and Security Tips for the Practitioner" (March 2017)
  • ACI 14th Advanced Forum on Cyber & Data Risk Insurance, “The Cyber Extortion Plight: Dealing with the Uptick in Ransomware, Spear Phishing, and Social Engineering Events – Which Way to Go When It Happens, the Extent to Which It Is Covered, and Some Practical Guidance on Mitigating the Effects and Potentially Preventing These Types of Attacks?” (November 2016)
  • Bar Foundation of Montgomery County, “Cyber Security 101 for Lawyers: What You Need to Know Now to Protect Yourself and Your Clients” (October 2016)
  • ANSI Legal Issues Forum 2016, “Cybersecurity Discussion” panel (October 2016)
  • ACC National Capital Region, “‘BYOD’ - Practical Guidance on Developing BYOD Strategies and Policies That Mitigate Risks” (October 2016)
  • Privacy + Security Forum 2016, “Active Cyber Response: Not Your Grandfathers Self-Defense” (October 2016)
  • First Annual Cooley Cybersecurity Colloquium, “My Entire Network Just Got Encrypted!: Ransomware and Bitcoin Explained, with Avoidance Strategies” and “Increasing Regulatory Oversight of Cybersecurity: Is Your Company Complying With Evolving Standards?” (October 2016)
  • ISSA Mid-Atlantic Information Security Conference (October 2016)
  • ACC National Capital Region 2016 Data Privacy and Security Conference, "Building a 'Defensible' Privacy Program" panel (September 2016)
  • ISMG Fraud & Breach Prevention Summit - Toronto, "When Government Oversight Goes Wrong" (September 2016)
  • ACI 13th National Forum on Cyber & Data Risk Insurance, "Negotiating and Drafting Cyber Risk Provisions and Policies" (July 2016)
  • Georgetown Cybersecurity Law Institute, "10 Things You Need to Know About Cybersecurity Law" panel (May 2016)
  • Fraud & Breach Prevention Summit, "When Government Oversight Goes Wrong" case study during Information Security Media Group's Fraud & Breach Prevention Summit (May 2016)
  • Association of Corporate Counsel (ACC), “Best Practices for Avoiding Getting Speared Like a Phish” (May 2016)
  • Higher Education Privacy Conference, moderator of data security panel (May 2016)
  • The 5th Annual BCLT Privacy Law Forum: Silicon Valley, "False Ads, Tracking Ads, and Privacy" panel (March 2016)
  • RSA Conference 2016, "Any Bugs in That Pacemaker? Effective Medical Device Security Testing" (February 2016)
  • 67th Annual Oil & Gas Law Conference, panels on “Cybersecurity for the Oil & Gas Industry” and “Reasonable and Appropriate Security in the Information Age” (February 2016)
  • Suits & Spooks DC 2016, “When a Backdoor Isn’t a Backdoor: Is This Time Different?” (February 2016)
  • Cyber Security World 2015, “Top Ten Cybersecurity Considerations for You and Your Board” (October 2015)
  • Privacy + Security Forum, “Information Privacy Law: Foundations Workshop” (October 2015)
  • MACH37 / AOL / Marsh & McLennan Joint Panel, "Cyber Risk and the Insurance Challenge" (October 2015)
  • AALA Annual Meeting, "Advanced Technologies and Telematics: Legal and Legislative Challenges for Commercial Fleets" (September 2015)
  • CTBT: Science and Technology 2015, "Citizen Networks: The Promise of Technological Innovation" (June 2015)
  • AHIP 2015 Institute, "Cyber Security and Privacy: Creating a Secure Environment in a Big Data World" (June 2015)
  • PLI 16th Annual Institute on Privacy and Data Security Law, "The Latest Developments in Cybersecurity Law" (May 2015)
  • NACD Strategy & Risk Forum, "Detecting & Deterring Fraud: The Next Generation of Risks and Responses" (May 2015)
  • 2015 RSA Conference, "Managing Expectations: The S.E.C. & F.T.C. Target InfoSEC Compliance" (April 2015)
  • 4th Annual BCLT Privacy Law Forum, "Data Security: Are There (Legal) Solutions?" (March 2015)
  • TTP Workshop, "Technology Transfer to Practice (TTP) in NSF and DHS Funded Cybersecurity Research" (February 2015)
  • 2015 ISSA CISO Forum, "Top Ten Things Management and Boards Need to Know About Cybersecurity" (January 2015)
  • ACUTA Winter Seminar, "FERPA & Beyond: Privacy & Data Security Issues for Distance Learning" (January 2015)
  • Internet of Things World, "IoT Market Lab 1 – Health & Wellness" (June 2014)
  • Practising Law Institute's Privacy and Data Security Law Institute, "The Latest Developments in Cybersecurity" (May 2014)
  • Georgetown Cybersecurity Law Institute, "Offensive Cyber Operations or Cyber Self-Defense: A Simulation" panel (May 2014)
  • Law Seminars International's The Cloud and Big Data 2014, "Big Data: Current Legal Issues in Data Collection and Analytics" (April 2014)
  • 2014 RSA Conference, "Hackback? Claptrap! – An Active Defense Continuum for the Private Sector" (February 2014)
  • Suits & Spooks, "Security Town Hall: A Debate on Balancing National Security Versus Privacy Rights" panel (February 2014)
  • Annual Guest Lecturer, "Intellectual Property and Information Security," for Avi Rubin's course Security and Privacy in Computing, Information Security Institute, Johns Hopkins University, Baltimore, Maryland    
  • AFCEA International Conference, "Pushing the Active Defense Barrier – How Far Can We Go?" (June 2013)
  • Georgetown Cybersecurity Law Institute, "Legislative & Case Law Update" panel (May 2013)
  • Keynote: University of Maryland Cybersecurity Center Symposium 2013, "Electronic Countermeasures – The Controversy Over Active Cyber Defense" (May 2013)
  • 2013 RSA Conference, "Tracking Employees via Mobile Devices – Legal...or Not?" (February 2013)
  • Bisnow Cybersecurity Event (with Rep. Dan Lungren) (June 2012)
  • University of Maryland Law School, "Cybersecurity: Safeguarding Information in a Digital Age" (March 2012)
  • 2012 RSA Conference, "Fraud and Data Exfiltration: Defending Against the Mobile Explosion" (February 2012)
  • Transglobal Secure Collaboration Program (TSCP), Presentation at the Hague (October 2011)
  • NACHA MEGA Conference, "For Payments, Best Offense is a Multi-Tiered Defense" (October 2011)    
  • ITSEF/SINET, "Other Transactions (OT) Authority: Use of Technology Investment Agreements to Accelerate Cyber Technology into the U.S. Government" (March 2011)

Education

University of Baltimore School of Law
JD, 1996

Syracuse University
BS, 1985

Admissions & credentials

District of Columbia

Maryland

Virginia

U.S. Patent and Trademark Office

Rankings & accolades

Chambers USA: Privacy & Data Security – Nationwide (2007 – 2023)

Law360 "Privacy Group of the Year"

Legal 500 US: Technology – Data Protection and Privacy (2016 – 2020) and Media, Technology and Telecoms – Technology Transactions (2015)

Information Systems Security Association: Information Security Professional of the Year (2013)

Washingtonian Magazine: Top Lawyer in Cybersecurity

The American Lawyer's IP Law & Business magazine: Top 50 Under 45

International Who's Who of Business Lawyers


Memberships & affiliations

International Association of Privacy Professionals

American Bar Association - Section of Science and Technology Law

Georgetown Cybersecurity Law Institute

Information Systems Security Association