Paul Luehr

With three decades of experience across law, government and consulting, Paul Luehr is a respected technology leader who has handled some of the largest data security and privacy incidents in history. Throughout his career, Paul has been a trusted partner for organizations looking to optimize their privacy and data security practices. His work advising a wide range of clients—including national retailers, global financial institutions, digital health care organizations, web hosting companies, universities and manufacturers—gives him a unique understanding of the complex cybersecurity challenges and opportunities organizations face, as well as how to implement effective policies to mitigate crises and meet legal, technology and business needs. In the privacy arena, and drawing on his notable consulting and regulatory experience, Paul advises companies on the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), new U.S. state privacy laws, and Federal Trade Commission (FTC) regulations. He draws on his roles as a regulator and litigator with the FTC, where he led the first cross-agency Internet team, and he provides a practical perspective on how to operationalize compliance obligations to clients across the nation. On the cybersecurity side, Paul is consistently recognized as a top incident response attorney, and he spent over a decade with a global consulting firm where he led security experts into some of the largest breaches on record. He also prosecuted major cybercrimes for the U.S. Department of Justice and has unique experience providing advice related to ransomware gangs, wire fraud and business email compromises (BECs), distributed denial of service (DDoS) attacks, credential stuffing, structured query language (SQL) injections, and other digital hacks. Over his career, Paul has managed complex digital forensics matters, led numerous investigations, argued cases at trial and on appeal, and represented clients before many regulators (e.g., HHS OCR, State Attorneys General, state Insurance Commissioners, the SEC, CISA and foreign data protection authorities (DPAs)). He has created robust compliance programs and frequently advised Board Directors and officers on new privacy and cybersecurity risks and obligations. He also has broad experience addressing artificial intelligence (AI), including performing cyber due diligence on mergers involving robotics and medical devices, and addressing new AI uses in financial services.