Jason Straight is a Senior Managing Director and Chief Privacy Officer at Ankura, based in New York. Jason is a leader in the cybersecurity and privacy consulting practice and oversees Ankura’s internal data privacy program. He has extensive experience managing complex cybersecurity investigations and data breach events in a wide variety of industries involving a range of threat actors, including malicious insiders, organized criminal operations, and state-sponsored groups. In addition, Jason has overseen and led large data risk and privacy compliance consulting matters for global companies facing regulatory challenges arising from the General Data Protection Regulation, the California Consumer Privacy Act, HIPAA, federal and state financial services regulations, and other frameworks. Jason also founded and led a Gartner-recognized managed detection and response business providing continuous network security monitoring and threat detection to companies in the financial services, healthcare, manufacturing, legal, and technology sectors. Jason has also served as the Chief Privacy Officer for an international technology services firm.
Jason’s professional experience includes:
- Insider Threat – Engaged by outside legal counsel to lead a six-month intensive investigation into a blackmail scheme targeting a publicly traded manufacturing customer. Collaborated closely with law enforcement to assist with efforts to identify the attacker and neutralize the threat.
- Data Protection Officer – Led team that served as external data protection officer for a large international technology firm with dozens of global offices subject to the General Data Protection Regulation. Efforts included the implementation of a privacy program management platform, sensitive data and business process mapping, security controls review, data subject request responses, data breach notification to data protection regulators, and other tasks.
- Third-Party Risk – Oversaw team engaged to deploy technology and implement a third-party cybersecurity risk management program for a major US insurance company.
- Targeted Attack Simulation – Led team engaged by large pharmaceutical company to conduct technical and executive-level attack simulations to identify process gaps and prepare key stakeholders to make the challenging decisions required by an actual cybersecurity incident. Prepared report of findings to be shared with board of directors.
- GDPR Readiness – Engaged by a major international publishing company to build from scratch a defensible data protection program in preparation for the General Data Protection Regulation. Team mapped processing activities and sensitive data, reviewed and/or drafted policies and procedures, and secured data protection agreements with third parties for more than 50 offices and businesses in under four months.
- Anti-Counterfeiting Action – Oversaw team of forensic professionals engaged by outside legal counsel to participate in a law-enforcement led raid of multiple facilities linked to the counterfeiting of pharmaceutical products. Team imaged hard drives, collected media and conducted analysis to deliver to counsel and law enforcement.
- Data Breach Response – Led investigative team engaged by an international government contractor to identify the cause of a major data breach incident and neutralize the vulnerability exploited by the breach. Generated an expert report documenting the event, its timeline, and the full scope of consequences to be shared with federal regulators who inquired about the event.
- Intellectual Property Protection – Designed and led engagement with a leading energy industry company concerned with protecting highly sensitive intellectual property in conjunction with a multi-billion dollar industrial project in the Middle East. Supervised team of physical and information security professionals to create and implement a strict data protection protocol during the course of the project.
- Website Hacking Investigation – Oversaw an investigation into the cause and impact of an alleged hacker attack that resulted in the exposure of user log-in credentials and other personal information. Led an incident response team to identify the attack vector used by the attacker, made sure that the client’s websites were free of malicious code and helped the client bring its sites back online as quickly as possible.
- Intellectual Property Loss Event – Co-led an investigation into the cause of a leak of sensitive intellectual property belonging to a US-based public company to a China-based competitor. Interviewed key witnesses and reviewed electronic evidence to confirm the suspected scope of the leak and identify the likely cause of the incident. Worked with company’s general counsel to prepare and deliver a report to the company’s board of directors.
- Attempted Extortion Investigation – Led an investigation in response to an attempted extortion scheme involving an alleged vulnerability identified in the network infrastructure of a major US law firm. Assisted the firm in identifying the vulnerability and assisted the client in communicating with the adversary to successfully recover the potentially compromised information.
- Leak of Trade Secrets – Led an investigation into the unauthorized pre-release of trade secrets belonging to a major international advertising firm. Helped the client establish whether it was an inherent vulnerability in its website architecture or simple user error that caused the sensitive information to be released publicly before the company had authorized its disclosure.
News & events
- RSA Conference, 3/2019, “Ransom: A Real-World Case Study in Data Theft, Forensics and the Law,” San Francisco, CA
- Practicing Law Institute 2019 Current Developments in Federal Civil Practice, 2/2019, “Cybersecurity and Privacy Issues in Electronic Discovery,” New York, NY
- PrivacyTech Summit, 10/2018, “Living with GDPR: Key lessons learned and practical tips for success,” London, UK with Claire Walsh
- SANS Data Breach Summit, 8/2018, “Global DFIR in a Fractured World: Challenges in Managing International Cyber Incidents,” New York, NY
- ABA Science & Technology Committee Webinar, 5/2018, “Navigating User Behavior Analytics: Balancing Protection vs. Privacy,” Webinar
- Dark Reading Cybersecurity Crash Course, 5/2018, “Understanding and Managing the Legal and Financial Risks of Cyber attack,” Las Vegas, NV
- RSA Conference, 4/2018, “Rethinking Employee Surveillance in a New Digital Era,” San Francisco, CA with Natalie Pierce
- SANS DFIR Cyber Threat Intelligence Summit, 1/2018, “Legal Implications of Threat Intelligence Sharing,” Bethesda, MD
- IAPP Privacy, Security and Risk, 10/2017, “The Privacy Advisor Podcast Live: Lessons from the Equifax Breach and Response,” San Diego, CA
- ILTA LegalSEC, 6/2017, “Anatomy of a Ransomware Attack,” Arlington, VA
- Association of Corporate Counsel Annual Meeting, 10/2015, “Legal Jeopardy: Whose Risk Is It?” Boston, MA
Insights & innovation
- “Should a GC Take on the Role of Data Protection Officer?,” CyberInsecurity News, 12/1/2018
- “Face-Off: Harmonising Data Protection Across the Atlantic Remains Critical,” Intercontinental Finance & Law, 11/2017
- “Locking it Down and Keeping Watch: A 2017 Corporate and Law Firm Protection Guide,” Corporate Counsel, 10/2017
- “GDPR Gets Real: A procrastinator’s guide to overcoming technical challenges in GDPR compliance,” LegalTech News, 7/2017
- “Can User Behavior Analytics Do a Better Job of Protecting Your Data?,” Today’s General Counsel, 2/2017
- “The Role of the Board in Cybersecurity: Learn, Ensure, Inspect,” Dark Reading, 7/2015
- “Get a Handle on Third-Party Cybersecurity Risks,” The Recorder, 7/2015
- “What In-House Counsel Want in Law Firm Cybersecurity,” Corporate Counsel, 4/2015
- “Spring Cleaning in the SOC: Focus on the Inside Threat,” Dark Reading, 4/2015