Bess Hinson-Greenspan
Partner
Overview
Elizabeth "Bess" Hinson-Greenspan is an accomplished cybersecurity and privacy attorney in Holland & Knight's Atlanta office. Focusing exclusively on complex cybersecurity and privacy issues, she has established a reputation as a "go-to" attorney for strategic legal guidance on cyber and data risk management and governance, breach preparedness and response, crisis management and global data privacy compliance. Known for her practical and efficient advice, clients in the recent The Legal 500 rankings noted that Ms. Hinson-Greenspan's "experience and legal knowledge is top-notch" and praised her client service: "[Bess] is responsive, creative and diligent."
Ms. Hinson-Greenspan has cultivated a client base across a broad range of industries, such as technology, financial services, hospitality, education, retail and manufacturing. She has extensive experience advising on wide-ranging cyberattacks and cyber extortion events, helping clients to manage prolonged disruption to business operations, understand cybercriminal tactics and communicate with a range of stakeholders, including the board of directors and executive management. Ms. Hinson-Greenspan advises her clients on critical stages of incident response, including investigation, remediation, notification, law enforcement and threat actor interactions, regulatory inquiries, and litigation risk management and defense.
In addition, Ms. Hinson-Greenspan guides organizations on the implementation of tailored solutions to address their cybersecurity and privacy risks, including advice on data collection, storage and usage; cross-border data transfers; online advertising, website and mobile application policies; vendor management; blockchain issues; mergers and acquisitions (M&A), technology transactions and data-driven commercial services agreements. She frequently assists clients to build and mature enterprise-wide data protection and privacy compliance programs to address varying requirements in the European Union (EU) General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), other domestic and international privacy laws, as well as industry standards and frameworks.
Ms. Hinson-Greenspan advises on a variety of federal laws, including the Federal Trade Commission (FTC) Section 5 requirements (unfair and deceptive practices), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act of 1974 (FERPA), Children's Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA) and the Telephone Consumer Protection Act (TCPA).
As the founder and executive director of the long-running Atlanta Women in Cybersecurity Roundtable, Ms. Hinson-Greenspan continues to serve as a thought leader in the privacy community, bringing together cybersecurity and privacy executives to consult on the latest developments and share best practices in this ever-changing area of business and the law.
Alongside her busy practice, Ms. Hinson-Greenspan uses her experience to provide pro bono services. She has worked with nonprofits that help individuals improve their social and economic well-being and has advised nonprofits on incident response plans and privacy disclosures.
Before entering private practice, Ms. Hinson-Greenspan served as a law clerk to the Honorable Eugene E. Siler Jr. on the U.S. Court of Appeals for the Sixth Circuit.
Representative Experience
Hospitality
- Advised the general counsel and senior management of a casino and resort hotel on ransomware attack, including advising on cyber forensic investigation, threat actor negotiations, data mining and e-discovery, and consumer and regulatory notifications
- Advised the general counsel of a multinational food company through a ransomware attack with direct operational impact on the country's largest grocers and food chains; directed forensic investigation and disclosures to external auditors
- Directed the response to a ransomware incident for a hospitality management company, also owning private clubs, hotels and restaurants through attack impacting daily operations and data of multiple business lines; coordinated and led responses to multiple regulatory investigations regarding the attack
- Counseled a restaurant franchise regarding response to breach of point of sale (POS) system, employee theft of confidential information and post-breach litigation
Financial Services
- Advised the chief legal officer and C-suite of a consumer financial services company through a ransomware attack that impacted lending operations; provided strategic direction regarding the investigation, customer and employee communications, and notices to millions of individuals
- Led a team of professionals in response to a ransomware attack on an employee benefits company, including advising on cyber forensic investigation, threat actor negotiations and e-discovery process for purpose of satisfying customer contractual notification obligations
- Advised the CEO of an insurance company regarding ransomware attack impacting operations and financial position; directed response to regulatory inquiries and employee and investor communication strategy to mitigate legal risks
Technology
- Coached a global software as a service (SaaS) web content management and optimization solution through Office 365 data breach forensic investigation and compliance with Canadian, European and U.S. reporting requirements
- For an open source analytics and monitoring solution, assessed legal and contractual notification obligations related to coding errors resulting in data disclosures and advised on customer notifications
Manufacturers
- Advised a global product design and technology company in investigating, responding to, and defending response strategy to wide-ranging cybersecurity events
- Advised a beverage co-packer for leading beverage brands on a ransomware attack and regulatory notifications
Education
- Advised an educational accreditation association through all stages of a third-party vendor data breach impacting member school confidential and student personal information, including notifications and enhancing information security controls and policies
- Counseled a private university on a ransomware attack, including advising on cyber forensic investigation, threat actor negotiations, data mining and e-discovery, individual and regulatory notifications, and cyber liability insurance claim
- Advised a luxury yacht cruise line in the development of its privacy and cybersecurity program, including drafting and negotiating data processing addendums (DPAs) for vendor agreements and privacy policy implementation
- Assisted an underwear manufacturer in assessment of information security and data protection policies and procedures and enhancement of existing compliance program to conform to European, Canadian and U.S. laws
- Counseled a social media network on the integration of facial recognition technology and risks associated with the processing of biometric information
- Advised a global consumer goods company on ecommerce privacy compliance strategy and negotiated data protection agreement with a global dropship supplier
- Counseled an internet-based delivery service regarding data monetization strategy
- Led and coordinated response to European Data Protection Authority inquiry on behalf of a digital experience intelligence platform
- Assisted a global pasta company on U.S. and Canadian privacy disclosures, cross-border data transfers and email marketing campaigns
- Counseled an electronic billing and payment company on privacy and data security compliance program, including data retention policy and procedures, incident response plan, vendor agreements and privacy disclosures
- Advised an international auto manufacturer regarding privacy and data security employee training, including the preparation of training materials
- Counseled a toy manufacturer on Children's Online Privacy Protection Act (COPPA) requirements related to producing children's content on streaming channels
- Assisted a global hotel management company on the development and implementation of General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance programs
- Advised administration of a private liberal arts college on data protection requirements for student and employee personal information when contracting with third-party vendors to support operational services
- Assisted the chief information officer of a private college regarding cybersecurity management, information security policies and standards and enhancement of data risk management program
- For a corporate travel management services company, drafted a data protection addendum (DPA) to address global data protection requirements in customer agreements
- For a luxury hotel brand, negotiated data sharing and selling partnership agreements for various marketing initiatives; drafted and negotiated DPA for back-end technology services
- In preparation for mergers and acquisitions (M&A) auction process, advised a health and life science company on the development and implementation of data protection and privacy compliance program
- Prepared data sharing agreements for practice management, electronic health records (EHR) and electronic medical records (EMR) software platform company
- For a regional children's hospital, assessed data protection risks associated with imaging vendor engagement and negotiated a DPA to services agreement
- Advised an international auto manufacturer in the revision and renegotiation of vendor services and data protection agreements
- For multiple clients, conducted pre- and post-acquisition due diligence and assessments of data security and privacy compliance and security incidents at target companies
Credentials
- University of Michigan Law School, J.D.
- Oxford University, M.St., English and American Studies
- Yale College, B.A., English
- Georgia
- Michigan
- South Carolina
- U.S. Court of Appeals for the Sixth Circuit
- U.S. District Court for the Northern District of Georgia
- U.S. District Court for the Eastern District of Michigan
- U.S. District Court for the Western District of Michigan
- The Atlanta Women's Foundation, Board Member, 2021-Present
- Atlanta Women in Cybersecurity Roundtable, Founder and Executive Director, 2017-Present
- Georgia Chamber of Commerce, Innovation and Technology Committee, 2018-Present; Cyber Security Working Group, 2018-Present
- Technology Association of Georgia (TAG), Corporate Development Society Board of Directors, 2021-2022
- The Best Lawyers in America guide, Privacy and Data Security Law, 2023-2025
- The Legal 500 USA, Media, Technology and Telecoms – Cyber Law (Including Data Privacy and Data Protection), 2024
- On the Rise Award, Georgia Legal Awards, 2020
- Georgia Trailblazers, Daily Report, 2019
- 50 on Fire, Cybersecurity, Atlanta Inno, 2019