Amy S. Mushahwar is an experienced data privacy, security, and management attorney with more than 20 years of experience in the technology industry in both legal and technical capacities. She focuses on data security, cyber risk, and privacy issues. As both a lawyer and former technologist, Amy is adept at helping clients unravel complex systems to fully understand legal and regulatory risk.
Data Security: Amy advises clients regarding proactive data security measures, data breach incident response, and regulatory inquiries. She provides security guidance advice to clients in the following industries: financial services, energy, telecommunications, health care, retailers, and e-commerce companies. As a frequent incident response counsel, Amy has interacted with federal and state agencies, overseen forensics services and grey hat intelligence providers, prepared consumer notifications, and helped companies with remediation efforts after incidents. In addition to the incident response work, Amy provides compliance advice on applicable security laws, payment card brand security standards (the PCIDSS), and security audit standards (i.e., the SANS Institute Center for Internet Security Critical Information Security Controls, SSAE-16, ISO, COBIT and NIST 800-53). Amy has also prepared and facilitated in-depth security incident simulations for her clients.
Cyber Risk: She regularly provides advice on how to conduct practical assessments of cyber risk when contracting with vendors, clients, and business partners. Amy continually drafts security clauses for a wide variety of services that address how companies can appropriately shift risk, monitor grey areas, or subject a party to ongoing due diligence. Amy’s contractual and risk management program guidance is also informed by her understanding of applicable insurance policies, such as those covering data breach incidents, cyber liability, and technical errors and omissions, as well as common insurance riders.
Privacy: Amy has assisted clients with complying with a number of privacy laws, such as the Telephone Consumer Protection Act (TCPA), Consumer Proprietary Network Information (CPNI) regulations, the Children’s Online Privacy Protection Act (COPPA), the Graham Leach Bliley Act (GLB), and the Fair Credit Reporting Act (FCRA), as well as in federal and state unfair and deceptive trade practices laws pertaining to privacy.
Amy’s data security and privacy advice is informed by her experience negotiating for businesses on privacy, cybersecurity, and Internet governance issues within international bodies, including the World Wide Web Consortium (WC3) and the Internet Corporation for Assigned Names and Numbers (ICANN). She has attended past ICANN meetings in Prague, Toronto, Beijing, and Durban. Before entering the law, Amy spent several years as a technology consultant, performing network security design and implementation. From 1997 to 2001, she owned and operated a technology consulting company.