With experience in government and the private sector, Paul brings in-depth knowledge of cyber and physical security, internal investigations, law enforcement and national security to every client matter.

Paul is a partner in the firm’s Washington office. He co-chairs the firm’s national security practice, its multidisciplinary cyber and physical security task force and its energy sector security team. Paul assists clients from a wide range of sectors with security, law enforcement, electronic surveillance and privacy issues. He regularly advises companies on risk management, preparedness, cyber incident response, national security issues, compliance, litigation, policy and legislation. 

Prior to joining Hunton Andrews Kurth LLP, Paul served as special counsel and then senior counselor for cybersecurity and technology to the Director of the Federal Bureau of Investigation, Robert S. Mueller. In that position, he advised the FBI Director on programmatic, policy and legal issues relating to cyber, counterintelligence and counter-terrorism. He also represented the FBI in senior-level discussions with other agencies, the White House, Congress and industry.

Paul previously served on the US Senate Judiciary Committee as counsel to the Senate Assistant Majority Leader, Richard J. Durbin, where he wrote legislation and provided advice on criminal and national security issues. He is a former Assistant US Attorney in the District of Maryland, where he prosecuted all manner of criminal violations and oversaw cyber crime and IP cases. 

Paul began his career as a law clerk for the Honorable Mary Schroeder of the US Court of Appeals for the Ninth Circuit, and then served as a trial lawyer in the honors program of the Department of Justice Civil Rights Division. In between stints in the government, he was in private practice at a large law firm handling civil and criminal litigation matters involving complex technology.

Paul has been an adjunct professor of cybersecurity law and policy at George Washington University, a guest lecturer on cybersecurity and privacy at various universities, and an instructor at the National Institute for Trial Advocacy. He served on the Virginia Cyber Security Commission, appointed by the Governor; and is currently a member of the Maryland Cybersecurity Council, appointed by the State Attorney General; and a member of the Montgomery County Criminal Justice Coordinating Commission, appointed by the County Executive (Chair in 2015). 

Relevant Experience

• Assist energy, communications, financial, healthcare, retail, defense contractor and other companies in responding to cyber incidents, including leading the internal investigation, supervising the digital forensics analysis, analyzing state and federal notification obligations, engaging with the FBI, US Secret Service, Department of Homeland Security (DHS), Department of Energy (DOE), and other federal and state agencies, communicating and preparing notice letters to affected individuals and state regulators, issuing public announcements, and responding to congressional inquiries.
• Assist energy, transportation, communications, financial, health care, and other companies in managing cybersecurity risk by updating their incident response plans and toolkits, leading table top exercises, strengthening third party contracts, improving insurance policies, updating network security policies and practices; entering into collaborative information-sharing arrangements with private and public entities, improving insider risk preparedness, and conducting inventories of sensitive data and networks;.
• Represent companies seeking a public Certification or Designation from DHS under the Supporting Anti-Terrorism by Fostering Effective Technologies Act, or “SAFETY Act,” that protects their reputation and limits their legal liability. Represented a major energy company obtaining the country’s first ever SAFETY Act certification for an enterprise-wide cybersecurity risk management program. No company in any sector had previously obtained certification or designation for its cybersecurity program.
• Assisted one of the country’s largest utility electric utilities in responding to a security researcher who publicly disclosed data exposure regarding the utility’s operational assets, including negotiating with the hacker, engaging and overseeing digital forensics experts, and assisting with interviews; and advising on notifications and communications to employees, board members, state and federal agencies and the media.
• Assisted a major electric utility company with the response to a ransomware attack on a generation facility.
• Assisted major power grid company with the response to a significant insider threat, including engaging with the FBI, DHS, DOE, FERC, state regulatory agencies, and affected third parties; supervising the digital forensics analysis; leading the internal investigation; and managing communications with the public.
• Assisted a major gas utility company in responding a data breach involving customer information, including overseeing the internal investigation, advising on legal obligations, preparing individual notification letters, and reporting to regulators and other government entities.
• Assisted a major midstream oil and natural gas company with the response to a nation-state cyber attack, including overseeing the forensics analysis, leading the internal investigation, engaging with the FBI, and addressing legal obligations.
• Assisted numerous financial, retail, and communications companies with all aspects of breach response, including internal investigations, forensics analysis, internal communications, individual breach notifications, contractual obligations, and PCI compliance.
• Advised major energy, financial, transportation, and communications companies on cybersecurity information-sharing and collaboration opportunities with private sector groups such as ISACs and the NCFTA, and with public entities such as the FBI, Department of Homeland Security, Department of Defense, National Security Agency, Department of Energy and NERC.
• Assisted in negotiating confidentiality agreements with private and public entities from various industries.
• Assisted energy and financial companies in negotiating the cybersecurity and privacy terms in contracts with major cloud and communications providers.
• Advised leading financial institution on updates to information security policies, structure and content of table-top exercise, and improvements to security incident response plan.
• Advised a transportation company on the government’s law enforcement and counter-terrorism authorities relating to the protection of physical infrastructure.
• Advised major pipeline company on a physical security issue before the Pipeline and Hazardous Materials Safety Administration.
• Advised major critical infrastructure company on reducing the potential legal liability associated with a terrorist attack by obtaining a certification or designation for a physical or cyber security system under the SAFETY Act.
• Advised manufacturer on regulatory compliance with the Chemical Facilities Anti-Terrorism Standards (CFATS).
• Assisted major critical infrastructure companies on various aspects of state and federal Freedom of Information Acts (FOIA), including the applicability of exemptions to disclosure based on trade secrets, confidential commercial or financial information, law enforcement proceedings, statutory nondisclosure requirements, personal privacy and other grounds.
• Represented companies in negotiations with various federal agencies over the applicability of certain FOIA exemptions, and prepared extensive redactions and legal objections to an agency’s proposed release of documents under FOIA.
• Advised critical infrastructure and other companies on requirements relating to obtaining security clearance, handling classified information and reporting security issues to the government.
• Assisted Fortune 100 companies in preparing language for login banners, employee manuals, privacy notices and website terms of use that meet privacy requirements in the federal Wiretap Act, Stored Communications Act, and Pen Register Act, state surveillance and pen register laws, and foreign data transfer, database registration and labor laws.
• Advised companies and government agencies on privacy requirements and government investigative authorities under the Patriot Act, the Foreign Intelligence Surveillance Act, the FISA Amendments Act, and the Electronic Communications Privacy Act, and the implications of corporate structure, contractual relationships, and data control arrangements on the government’s exercise of jurisdiction.
• Advised Fortune 100 companies on policy, regulatory and legislative developments relating to cybersecurity and national security.
• Assisted public and private entities in addressing congressional inquiries regarding cybersecurity and other sensitive incidents.
• Successfully tried a dozen federal jury trials involving white collar fraud, organized crime, narcotics trafficking and violent crimes, and defended the results in appearances before the US Courts of Appeals.
• Provided representation in negotiations relating to cybersecurity and electronic surveillance legislation, executive orders on cyber and physical security; presidential policy directives concerning cybersecurity, weapons of mass destruction, and other technology issues; federal cybersecurity programs; and the coordination of the government's response to major cyber intrusions.
• Wrote bills in the US Senate concerning criminal law and online fraud, and provided advice on the FISA Amendments Act during committee consideration and floor debate.
• Handled complex civil cases involving a national financial institution, and a worldwide pharmaceutical company.
• Prosecuted intellectual property and computer hacking cases at the US Attorney’s Office in Maryland.

Bar Admissions

Education
JD, Columbia Law School, Harlan Fiske Stone Scholar, 1995

MPA, Woodrow Wilson School for Public and International Affairs, Princeton University, Herman Somers Award, 1995

BS, Electrical Engineering and Premed, Massachusetts Institute of Technology, 1989