DOUGLAS SCOTT KNEHR
CISSP, FIP, CIPM, CIPP, Esq., MBA
609-***-**** firstname.lastname@example.org https://www.linkedin.com/in/dougknehr/
Portfolio Site: https://dougknehr.wordpress.com/
INFORMATION SECURITY PRIVACY COUNSEL
INFORMATION SECURITY - DATA PROTECTION - PRIVACY - GOVERNANCE
My hyper-focused interest is advising within and operationalizing digital security and privacy through privacy and data protection law, information security frameworks and related tooling. With expert-level knowledge of privacy law, information security tooling and frameworks as well as international data protection law, I have deep technical and heavy-lift operational expertise, in addition to legal counsel. I have built entire written information security programs, privacy programs, incident response and information security governance operations from greenfields across international environments (24 countries for three multi-billion organizations). With an analytical, creative mind, I am an operational and technical expert in the use of Archer, Metric Stream, UCF, Info Sec GRC, OneTrust, Nymity, DPOrganizer, and a variety of data protection mapping, privacy and information security tools. I possess deep, expert-level legal and operational knowledge of NIST 800-53, ISO 270**-*****, 27701:2019, GDPR, CCPA, PCI, CAN-SPAM, TCPA, PIPEDA, CASL, Privacy Shield, NERC’s CIP Reliability Standards, HIPAA and international data protection and privacy regulations.
CERTIFICATIONS & LICENSES
Certified Information Systems Security Professional (CISSP) 2015
Fellow of Information Privacy (FIP) 2017
Certified Information Privacy Manager (CIPM) 2014
Certified Information Privacy Professional (CIPP /US) 2014
Attorney Licensure to Practice: District of Columbia (2019); New Jersey (1999)
JD, Juris Doctor, Stetson
MBA, Rutgers Graduate School of Management, NJ
BS, Rutgers University Cook College, NJ
IoT technical security implementation
Complete list of security & privacy trainings at: https://dougknehr.wordpress.com/tying-it-together/
AREAS OF EXPERTISE
Global Law Compliance & Tooling (Operational Expert with Nymity Attestor, OneTrust and a variety of data protection enhancing technologies)
General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)
Building programs and policy, standards, controls, metrics to ingest evidence of accountability across 153 activity areas
Data Masking, Encryption, Privacy & Security GRC
Expert in Privacy & Cyber Regulations
MSA, BCR, SCCs modifications affecting procurement, CISO, CPO, GC and DPO groups
Advising cross-functionally from HR, Procurement, Marketing to DPO
INFORMATION SECURITY & CYBER SECURITY:
Capable of building and managing a technically complete WISP (Written Information Security Program)
Deep security engineer level expertise
Domain expertise in NIST 800-53, ISO 270**-***** and international data protection regulation
GRC operational expert (Metric Stream, Archer, UCF, ZenGrc)
Builder of Incident Response Platforms
Deep knowledge with Monitoring Oversight Committees for security tool implementation
Works Council approvals of security monitoring tools
Microsoft Azure rights management.
O365 Microsoft Safety & Compliance Center tooling to effect data protection.
Data Retention & Classification programs across 23 countries
DTCC: SME Consultant: Redesign of the DTCC data protection privacy department across 18 countries
Avanade: SME Consultant & FT: Built from green fields Avanade's international 23-country 30,000 employee data protection and GDPR/CCPA program accounting for GDPR, ISO 27001, NIST 800-53. Effected information security & privacy GRC while daily resolving international security and privacy incidents.
Santander: Dual Interim Chief Information Security Officer and Interim Director Information Security Governance
Designed an information security governance program. Trained Board of Directors for holding company.
EXPERIENCE & ACHIEVEMENTS
Privacy Information Security Counsel
Avanade Inc. Dates: 02-2018 to 12-13-2019 Location: Remote
Expert development of 23 country GRC information security program
Expert development of 23 country GRC privacy program
Resolved privacy and organizational cyber risk incidents internationally for incident / breach response
Approved crisis management escalation handling
Directly advised DPO, GC and CISO groups daily in a CPO/CISO like capacity
Expert in GDPR, CCPA privacy and data protection program (OneTrust, Nymity, TrustArc, SME)
Designed privacy and information security by design control sets
Leveraged Microsoft expertise to design jurisdictionally relevant governance rules including the use of Azure rights management and O365 Safety & Compliance Center controls to effect international data protection governance across 23 countries.
Drafted consents, privacy notices, data transfer agreements and other documents for lawful transmission of data.
Built Legitimate Interest Tests, PIAs, DPIAs (including multi country implementing law compliance)
Privacy and data protection expert across EU and Americas in particular
Built WISP (written Information Security Program) and data protection plans globally
Expert in information security GRC and Privacy GRC (ZenGRC, Archer, Metric Stream, UCF)
Expertise within insider threat and detection/deterrents
Advised on penetration testing standards
Created regular flow-down assessments within privacy and information security domains to hold processors and sub-processors in compliance against negotiated terms, and served as data privacy expert to ensure flow-downs are current against global regulatory requirements.
Filtered the present state of data protection capabilities with the development of data protection protocols to baseline capabilities and rationalize the same against operating jurisdictions to enhance the speed of the contracting process and reduce compliance risk.
Advised on BCR (Binding Corporate Rules), SCC (Std Contractual Clauses), security monitoring tools, security tools legal requirements, privacy regulations and cyber regulatory regulations and rationalizing same against works council requirements, international and domestic laws and operational requirements.
Recommending technology and technology revisions based on operational, legal and contractual requirements to meet international cyber security and data privacy GRC needs
Guiding the CISO, GC and DPO to integrate GDPR data protection, privacy and cyber security regulatory operational and risk framework requirements into operations.
Provided expert advice across all major departments regarding cyber regulatory risk
Guiding Data Protection and GDPR (General Data Protection Regulation) strategy implementation teams
Advising on and implemented data protection regulations and information security frameworks as a SME and counsel for subsidiary entities across 23 countries
Implementing technologies as SME (Data Protection, Consent, Encryption, Privacy Tracking) as well as modifying legal agreements (DTAs, Model Clauses, Contract Addendums, Notices, Policy)
Contract drafting of data protection protocols, MSA clauses with focus on privacy and security
Creating technologies internally to effect compliance and data protection regulation globally within the organization
Awards: 2019 Data Protection Officer Rockstar Award
2019 CISO Incident Response Superhero Award
Privacy: Created jurisdictionally relevant trigger factors to weigh against GDPR, CCPA, to effect PIA, DPIA, DPbD while creating a methodology to account for local country regulation, and the latest jurisdictionally relevant regulatory guidance
Security: Resolved international data protection incidents across 23 countries
Interim Director Information Security Governance - for Santander Holdings
Interim CISO Chief Information Security Officer for Santander Securities LLC
Santander Holdings USA Dates: 08/2017 to 01/2018 Location: Holmdel, NJ
Santander Securities LLC Dates: 08/2017 to 01/2018 Location: Holmdel, NJ
•Educating Board of Directors at all entities under the holding company on information security, data protection, data privacy
•Embedding Privacy By Design and Data Protection Regulatory into the 1st Line of Defense
•Liaison to GC, Chief Privacy Officer, 2nd line Risk, 3rd line Audit to operationalize lawful data protection efforts within the 1st line.
•Advising on GDPR, GLBA, PbD, State Data Protection, Breach, Destruction, Notice, Financial Health, and Industry security and privacy regs to the 1st line in advance of Legal and Privacy
•Guiding CIO/CISOs/Chief Privacy Officer across 6+ entities on data protection regulatory to ensure IT and CISO operations can meet regulatory requirements relative to operationalizing the GRC landscape within 1st line tooling
•Designed and operationalized an information security program as CISO with both a 50 state touchpoint (and European Union) for a nationwide securities broker dealer
•Designed an information security governance program embedded into the 1st Line of Defense for 6 entities across the United States of America
Privacy Information Security Counsel (Consultant)
Avanade Inc. Dates: 05-2016 to 08/2017 Location: Remote
•Built from green fields a GDPR and International Data Protection privacy program across 23 countries
•Led CISO audits across ISO 270**-*****, NIST 800-53 and various NIST control docs, SANS CSC, HIPAA security and privacy controls
•Acting in both a privacy counsel and senior information security officer capacity for the CISO and GC depts across 23 countries
•Advised on technology, privacy and information security aspects for contract matters including Master Services Agreements, Vendor Agreements, Professional Services Agreements, Work Orders / SOWs, Software Licensing Agreements, Non-Disclosure Agreements
•Reviewing and reducing cyber risk internationally across WISP (written Information Security Program) including but not limited to SOC, breach management, pen testing procedure review, Disaster Recovery, NIST/ISO framework audit and cyber risk review of broad CISO activities
•Designed 23 country GDPR program
•Advised on Penetration testing standards
•Assessed privacy and information security controls - BCR (Binding Corporate Rules), SCC (Std Contractual Clauses), security monitoring tools, security tools legal requirements, privacy regulations and cyber regulatory regulations and rationalizing same against works council requirements, international and domestic laws and operational requirements.
•Implementing international privacy and cyber regulatory requirements for international incident and breach response
•Recommending based on operational, legal and contractual requirements the technology to meet international cyber security and data privacy
•Guiding the CISO and GC suite to integrate GDPR privacy and cyber security regulatory operational and framework requirements into operations.
•Provided expert advice across all major departments regarding cyber regulatory risk
•Built an incident response platform to integrate privacy and information security.
•Built a functioning GRC platform
•Assessed a WISP
•Designed a program based in GDPR but capable of meeting international data privacy regulatory changes across 23 countries.
Privacy Information Security Counsel (Consultant)
Company: DTCC Dates: 07/15 to 12/18/2015 Location: Jersey City, NJ
•Consultant and counsel advising on information security, data privacy and cyber risk across 18+ foreign jurisdictions (European Union, USA and others) advising on technical cyber risk and information security metrics, KPI reports, risk data and cyber security enterprise wide cyber risk reduction
•Consultant providing counsel on cyber IT control and data privacy controls (advising on a diverse information security and data privacy spectrum of issues)
•Supported the development of a data privacy strategy, data transformation roadmap and long-term strategic priorities for cyber risk reduction thru information security and data privacy data transfer initiatives
•Advanced global cyber security governance, conduct security risk assessments to identify threats, establish global reporting systems and procedures on risk, create training/awareness plan, integrate risk reporting matrix
•Contributed on cyber investigations, forensics, risk trends, vulnerability exercises – addressing SOC – security operations center issues filtering into GC’s office, security awareness, encryption concerns, network security, vendor protection data protection and privacy
•Significant international cyber security and data privacy work for numerous business units from framework thru risk assessment ranging up to board level recommendations
Sr. Corporate Counsel – Corporate Generalist-Trial Counsel, Information Security, Privacy & Risk Management
CLOUDEEVA INC. Dates: 04/14- 05/15 Location: East Windsor, NJ
•Managed extremely busy two-coast litigation docket for 400+ person multinational corporation as well as managing outside counsel - use of E-Discovery overseeing strategy, drafting and arguing motions involving shareholder litigation, SEC investigatory matters, state and federal litigation, privacy controls, employment litigation, corporate governance matters, workers compensation, H1B issues, debt and contract litigation and all manners of commercial and general civil litigation
•Advised on security infrastructure, data privacy regulation, security and risk management
•Deep understanding of US and Global employee privacy laws and regulations, security vulnerabilities and EU/US Safe Harbor and other cross-border frameworks
•Guided action / response to suspected breaches and recommended corrective actions
•Advised on contract matters including Master Services Agreements, Vendor Agreements, Professional Services Agreements, Work Orders / SOWs, Software Licensing Agreements, Non-Disclosure Agreements, Letters of Intent
•Ensured versions of products / services comply with data privacy, FIPS, regulatory and security requirements (legal, contractual or otherwise) including risk assessments and business impact analysis on operating procedures, systems, networks, databases, middleware and devices.
•Advised on organizational policy, security principles, security & risk governance, interrelationship of security & risk management, common business issues affecting security risk management, governance committee issues, security roles and responsibilities, compliance, global legal and regulatory issues affecting information security, developing and implementing security policy, business continuity (BC) & disaster recovery (DR) requirements, personnel security, and risk management concepts
•Developed templates to assist in the regulatory negotiation of data privacy and security provisions of contracts/agreements for rapid deployment.
•Established functional privacy and corporate risk programs throughout the organization to drive compliance with applicable privacy laws and regulations, contractual obligations, internal policies and procedures, and breach investigation, mitigation and notification responsibilities.
•Insourced $300,000 per quarter litigation expense by myself
•Offered C-Level suite legal and business advice and action planning on information security, PCI-DSS, SOX, ISO 27001, NIST corporate governance, information privacy, corporate risk within GLBA Gramm-Leach-Bliley Act, Financial Services Modernization Act, COPPA Children’s Online Privacy Protection Act, FTC, Privacy Act, FOIA, HIPAA and FTC regulations
Managing Attorney (Civil Trial Attorney with niche expertise in data privacy, cyber security and related GRC)
Company: DOUGLAS S. KNEHR LLC Dates: 1/01 – 4/14 Location: NJ
•600+ litigated/resolved matters since 2001 – all as 1st Chair Trial Counsel. Highly engaged, competent & ethically aggressive representation
•Numerous Civil Jury Trials. Financial Fraud Trials. Corporate and Litigation practice involving: Consumer protection, Securities Arbitration & Securities litigation, Personal Injury, Medical Malpractice, Workers Compensation, Financial Fraud, Employment Discrimination, Civil Litigation and Privacy
•Deep experience in legal regulatory and technology risk compliance in: GLBA, HIPAA, risk management and risk governance, client vulnerability issues – physical, logical and network based.
•Policy guidance relative to risk analysis and mitigation
•Network security for the law firm – vulnerability, identity and access management and data flow engineering and security
•Extensive Securities Legislative and Regulatory experience as a trial attorney.
•Highly skilled with State and Federal Securities compliance matters including Commodities, ERISA, Securities Act of 1933, Securities Exchange Act of 1934, SMA manipulation, securities fraud and various churning and other deceptive acts.
•Working knowledge of CAN-SPAM, HIPAA/HITECH, medical information privacy laws, laws and regulations related to employee privacy.
•Provide leadership and oversight over cross-functional privacy matters and committees including, but not limited to marketing, sales, human resources, clinical trial operations, medical affairs, IT, and corporate communications
MEMBERSHIPS / ASSOCIATIONS: ISC, IAPP, RUTGERS MBA ALUMNI, STETSON LAW ALUMNI
Privacy: Privacy Compliance, Privacy Laws, Data Privacy, Privacy Policies, Privacy Protection, Privacy Software, EU Data Privacy, HIPAA Privacy Rule, Privacy Impact Assessments
Information Security: Information Security Technology, Information Security Auditing, Information Security Governance, Cyber Security Management, IT Security Management, Information Security Standards, Information Assurance, Information Security Policy, Information Security Consulting, Information Risk Management, IT Security policies, Information Security Awareness, Information Security Services, Information Security Management, Crisis Management
Data Protection: Data Protection, Data Privacy, Information Protection, Data Protection Laws, Data Security, Personal Data Protection, EU Data Protection, Data Loss Protection, Data Compliance, Data Protection Manager, Microsoft Data Protection Manager, Data Protection Act, Virtualization Security, Information Governance
Interview Availability: 24 Hours Notice
Candidate Location: Central NJ Relocation: Preference is No
Possessing deep experience in both the legal and the technical operational aspects of Security, Privacy, Risk and Compliance (CISSP, FIP, CIPM, CIPP, Esq., MBA), I come at security and privacy risk from an assurance GRC angle. Having operational SME-level expertise from building an ISMS/WISP and GRC program, Privacy program and DPO program from greenfields, all as counsel, I have expertise advising enterprise-wide across privacy and security risks. I also possess deep SME-level expertise operationalizing Archer, Metric Stream, ZenGRC, Unified Compliance Framework, OneTrust, Nymity, DPOrganizer, Clarip, Integris, BigID, Splunk, QRadar, RadarFirst, Microsoft O365 Safety & Compliance Center, Azure Rights Management and AI contracting technologies. My belief is that if you do not understand the full data life cycle from contract negotiation to supervisory authority reporting and remediation of breach, then silo-based technology knowledge as counsel will not truly reduce enterprise privacy and security risk. Without a broad contextual knowledge of technical applications, risk mitigation through privacy PIA, DPIA, and security risk assessment (as well as MSA, DPP and contract drafting) is incomplete at best, and both business units and data subjects are left open to privacy and security risk. I have for 6 years had a truly contextual enterprise view of security and privacy risk.
International exposure as Data Protection - Data Privacy counsel to CISOs, DPOs and GCs has given me the ability to strategically view risk management from an enterprise level and provide a full perspective on the various elements of technical security and privacy risk. This of course includes GDPR, CCPA, LGPD, ISO, NIST, COBIT, Cloud Matrix, a variety of cyber exercises and, more importantly, extends deep into international jurisdictional prescriptive data privacy and data protection requirements on a local country level. This can be translated well beyond threat matrices and attack surface determinations and moves into enterprise data risks across jurisdictions, providing a lens on risk unattainable by counsel and security personnel operating in silos.
With deep privacy, data protection and information security expertise, I would be helping to create the foundation of a global privacy and information security advisory and operational tower. In my previous roles I served the entirety of the data life cycle, from contract MSA and policy, through operational security and privacy GRC tooling and assessment, presentation before works councils, to supervision of incident response, resolving forensic monitoring oversight committee concerns, building risk assessments, PIAs, DPIAs, LITs and informing boards of directors on enterprise-level information security and privacy risk.
SPECIALIZED SKILLS & EXPERTISE
· Information Security Management: Certified Information Systems Security Professional (CISSP)
· Privacy: Fellowship In Privacy (FIP); Certified Information Privacy Manager (CIPM); Certified Information Privacy Professional (CIPP)
· Legal: NJ Licensed Attorney; DC Licensed Attorney
· DPO: 2019 Data Protection Officer Rockstar Award
· CISO: 2019 CISO Incident Response Superhero Award
· DTCC: SME Consultant: Redesign of the DTCC data protection privacy department across 18 countries
· Avanade: SME Consultant & FT: Built from green fields Avanade's international 24-country 36,000 employee data protection and GDPR/CCPA program accounting for GDPR, CCPA, ISO 27001, ISO 27018, ISO 29151, ISO 27701, and NIST 800-53. Effected information security & privacy GRC while resolving daily international security and privacy incidents.
· Santander: Dual Roles: Interim Chief Information Security Officer AND Interim Director Information Security Governance. Designed an information security governance program for the holding company.
Education and Certification:
JD: Stetson Law FL
MBA: Rutgers Graduate School of Management, NJ
BS: Rutgers University Cook College, NJ
Information Security: Certified Information Systems Security Professional (CISSP) 2015
Privacy: Fellow of Information Privacy (FIP) 2017
Certified Information Privacy Manager (CIPM) 2014
Certified Information Privacy Professional (CIPP /US) 2014
Legal: Attorney Licensure to Practice: District of Columbia (2019) and New Jersey (1999)
Area Discussion Sheet
RECENT DATA PROTECTION EFFORTS = INFORMATION SECURITY + DATA PRIVACY + INFO SEC GOVERNANCE
Data Privacy - People Process Technology Data Privacy Regulation – Privacy Regulatory Advisory
1. GDPR: Designed a complete GDPR privacy program for a 30,000 person, 23 country $2 billion organization. Expert on: Consent, Processing Purpose, Legitimate Interest technology & Process, Subject Access Rights Management and technologies, Information Security Measures, NPPI, PII Scanning, Cross Border Transfer Process
2.Chief Privacy Officer: Served in similar capacity to design and implement a GRC and data privacy program to lawfully effect GDPR, country privacy compliance and information security across 23+ countries
3.Technology solutions: Identified and implemented technology privacy & info sec
4.Subject Access Rights (SARs): Implemented SARs technology
5. ERA/PIAs - Enterprise wide privacy gap analysis and privacy risk assessments. Implemented ERAs/PIAs and DPIAs across a 23 country enterprise.
1.PIAs: Drafted and operationalized PIAs (Privacy Impact Assessments)
2.BCRs/ SCCs: Drafted Binding Corporate Rules and Standard Contractual Clauses.
3.Data Regulation: Advised on Data Localization, data transfer regulation across 23 countries
4.Drafting: Drafted contract clauses
5.International Privacy Supervisory Authorities: Obtained Data Protection Authority Registration and Approval
6.Cross Border Transfer: Resolved legal cross border data transfer issues across 23 countries
7.HIPAA/ HR: Operationalized HIPAA privacy and security audit protocols
8.PbD: Implemented Privacy By Design across 3 international organizations
Information Security - People Process Technology Information Security - Cyber Regulatory Legal Advisory
1.CISO: Led CISO efforts in MSSP environment
2. Gap Analysis: Led information security cyber gap analysis across 23 countries for CISO group to identify country-based prescriptive cyber regulatory gaps against NIST 800-53, CIS CSC Top 20, PCI, ISO 270**-*****, FFIEC, NYDFS and Cloud Security Alliance Matrix
3.Cyber Risk : Engaged in enterprise wide cyber risk assessment studies for enterprise risk
4. Vendor Mgmt: Implemented vendor risk management
5. GRC: Implemented latest GRC technology solutions to operationalize regulatory environment on 1st line of defense
6.Testing: Guided multi-billion dollar orgs on proper penetration testing standards and practices, as well as vulnerability threat management
7. WISP: Designed and analyzed gaps across a full WISP (Written Information Security Program), incident response plans and Target operating model standards Operations
8.Operationalized the cyber regulatory requirements of 23 countries into a privacy and separate information security program
1.Monitoring Tools - Lawfully operationalized cyber security monitoring tools across 23 countries (including before works councils) for CISO Chief Information Security Officer group and GC office
2.Incident Response: Guided legal and cyber operational international incident response from and thru SOC (security operations centers) for resolution of breach thru legal and reporting to Data Protection Authorities. Advised on PII and cyber regulatory breach response for CISO security operations center and privacy office
3.Country Regulation: Reviewed data protection laws across 23 countries to operationalize data
4.International Data Protection Efforts. Advised on the exploding cyber regulatory requirements globally but focused on 23 countries, identifying cyber security and information security program and control requirements on a country basis well beyond ISO 27001 and NIST 800-53.
5. Industry Regulation: Legal Advisory on NYDFS NY Dept Banking & Finance cyber regulatory requirements, FFIEC. Deep expertise in PCI DSS, HIPAA, COPPA, CAN-SPAM, GLBA, NIST and ISO (See mappings on portfolio site)
Breach Analysis & Reporting: Developed breach analysis
Data Protection -Risk/Governance - People Process Technology Data Protection Governance - Legal Advisory
1. Board Education / Training: Advised C-Level execs how to reduce cyber risk across multiple departments
2.Metrics - KRI, KPI indicator development above the SOC, and within CISO and CPO offices
3. Integrating mechanisms - Created integrating mechanisms between 1st line CIO/CISO and Legal, Privacy and Chief Data Officers. Provided leadership and oversight over cross-functional privacy and information security matters and committees including, but not limited to those involving CISO, CPO, CDO, human resources, and legal
1. Expertise within international and USA data privacy and data protection
2. Insider Threat: Privilege protected legal advisory on employee and systems monitoring, advanced threat detection and insider threat domestically and internationally
3. Intl Data Protection - Privilege protected legal advisory for Privacy by Design, Privacy Shield, privacy regulatory advisory and GDPR as well as international data protection concerns
Breach: Privilege protected special advising expert counsel on pre- and post-breach litigation