Michael Borgia

Mike leads DWT's information security practice within the firm's technology, communications, privacy and security practice group. He draws on his years of experience as outside counsel, in-house counsel at a global technology consultancy, and a cybersecurity consultant to deliver solutions that are practical, business-forward and tech-savvy.

A veteran incident response professional, Mike has led investigations of and responses to hundreds of security incidents, from ransomware attacks to trade secret theft to sophisticated nation-state hacking campaigns. He has represented clients in complex investigations by federal and state authorities, including the Federal Communications Commission (FCC), federal banking regulators, the Department of Health and Human Services (HHS), Office of Civil Rights (OCR), the New York Department of Financial Services (NYDFS), and multistate attorneys general following data breaches and other types of cybersecurity and data privacy incidents.

Mike is a trusted advisor to companies operating in many sectors, including telecommunications, financial services, cloud computing and information technology. He regularly advises on compliance with generally applicable and sector-specific information security and data privacy laws and frameworks in the United States and abroad, including the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and implementing regulations issued by the Cybersecurity & Infrastructure Security Agency (CISA), the California Consumer Privacy Act (CCPA) and its cybersecurity audit regulations, the Gramm-Leach-Bliley Act (GLBA), including the Consumer Financial Protection Bureau's (CFPB) Regulation P and the Federal Trade Commission's (FTC) Safeguards Rule, the Communications Act and regulations issued by the FCC, the Cable Communications Policy Act, the Health Insurance Portability and Accountability Act (HIPAA) and its implementing rules, Executive Order 14028 (Improving the Nation's Cybersecurity), the NYDFS Cybersecurity Regulation, the Payment Card Industry Data Security Standard (PCI DSS), the European Union's NIS2 Directive, Digital Operational Resilience Act (DORA) and Cyber Resilience Act (CRA), and state privacy, data breach and data security laws.

Mike also has extensive experience advising federal and state contractors on information security and privacy requirements for procurement, including requirements of the Federal Risk and Authorization Management Program (FedRAMP), StateRAMP, the Cybersecurity Maturity Model (CMMC), the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and special publications by the National Institute of Standards and Technology (NIST).

Mike regularly serves as a data strategy subject matter expert on mergers and acquisitions as well as on commercial agreements, including co-branded credit card arrangements and bank-fintech partnerships. In this capacity, he advises on data privacy, information security, confidentiality, data licensing and other issues to help clients collect and use data to meet their business goals.


Appearances