Kate Hanniford

Katherine (Kate) Hanniford

Partner
Baker & McKenzie LLP

Biography

Katherine (Kate) Hanniford is a partner in the Commercial Practice Group in Baker McKenzie’s Washington, DC office. Kate advises multinational companies on privacy and security issues across the data life cycle, including designing and implementing enterprise-wide privacy and security programs, compliance strategies, transactional privacy matters and regulatory enforcement. Kate has led large-scale incident responses involving public issuers, financial institutions, healthcare companies, broker-dealers and investment advisers, and has handled major breaches, including one of the largest attacks on US critical infrastructure in recent history.

Prior to becoming a cyber and privacy attorney, Kate practiced as a securities compliance and enforcement attorney, focusing on investment advisers, investment companies, and broker-dealer matters.

Practice Focus

Kate focuses her practice on cybersecurity, privacy, and regulatory compliance, advising clients in highly regulated industries on governance, risk management, and incident response. Her work includes cybersecurity compliance, enterprise-wide risk management, cybersecurity governance, and responding to complex security incidents, as well as advising on emerging federal and state legislative and regulatory developments. She also advises securities industry clients on SEC and FINRA compliance, including SEC (OCIE) examination preparation and enforcement matters, Regulation SCI, and cybersecurity preparedness.

Representative Legal Matters

Prior to joining Baker McKenzie, Kate advised on the following matters:

  • Led incident responses for several critical infrastructure companies, including in the energy, healthcare, retail, and manufacturing sectors, as well as a major county government entity, including extensive coordination with federal and state law enforcement.
  • Advised multiple Fortune 500 and 1000 companies during complex, privileged computer crime investigations requiring a crisis response and legal analysis under state, federal, and international laws. Specific engagements included multinational data breaches, cyber-enabled fraud, nation-state actors, business email compromise, and ransomware.
  • Advised multiple SEC-registered investment advisers, broker-dealers, and public companies on their cybersecurity policies and procedures, including their incident response plans. Conducted tabletop exercises of clients’ incident response plans.
  • Represented multiple healthcare clients involved in ransomware attacks, requiring complex forensic investigation and extensive data review and restoration processes, as well as in follow-on regulatory inquiries.
  • Provided ongoing analysis and advice to a global logistics and supply chain management company on privacy and security incident response.
  • Assisted healthcare plans and insurance companies in their incident response efforts and follow-on federal and state regulatory investigations.
  • Advised an insurance broker and risk management firm with multiple affiliates and covered entities in the development and implementation of its cybersecurity program in compliance with the New York Department of Financial Services cybersecurity requirements.
  • Advised a major retailer in developing a comprehensive information security program for all levels of the enterprise.
  • Advised a systemically important financial market utility on a range of corporate governance, regulatory compliance, and examination matters.
  • Advised a broker-dealer and electronic trading platform’s crisis management and response team as lead outside counsel.
  • Advised a Fortune 500 public company in the design and implementation of updated data governance policies and procedures, with particular focus on data retention and secure disposal. 
  • Advised multiple banking and financial institutions regarding privacy policy compliance under the Gramm-Leach-Bliley Act, other federal standards, and state law.
  • Served as primary outside privacy counsel to a Fortune 500, publicly listed insurance company, including for federal and state law privacy compliance, the application of AI and machine learning capabilities, and related consumer protection issues.

Professional Honors

  • Recognized, “Ones to Watch” for Technology Law and Privacy and Data Security Law, The Best Lawyers in America®
  • Recognized, “Incident Response Elite,” Cybersecurity Docket

Professional Associations and Memberships

  • Certified Information Privacy Professional (CIPP-US)
  • Artificial Intelligence Governance Professional (AIGP)
  • Board Member, Everybody Wins DC (2024-present)

Admissions

  • District of Columbia, United States
  • New York, United States

Education

  • University of Texas (J.D.) (2009)
  • Swarthmore College (B.A.) (2000)

Languages

  • English

Publications

  • Co-author, "Strategies for Addressing Cybersecurity Threats to a Prime Critical Infrastructure Target – Data Centers," Cybersecurity Law Report, September 2025
  • Author, “10 Ransomware Issues GCs Should Have On Their Radar,” Law360, April 1, 2024
  • Co-author, "How to Comply with the CPRA’s Data Minimization Standards," Cybersecurity Law Report, February 2023
  • Author, “FTC Revises the Safeguards Rule and Proposes Mandatory Reporting of Cybersecurity Events,” Westlaw Today, November 15, 2021
  • Author, “Top 7 Issues All General Counsel Need To Know About Ransomware,” The Computer & Internet Lawyer, Vol. 38, No. 9, October 2021
  • Author, “Insight: SEC Expects Key Safety Steps for Remote Workforce,” Bloomberg Law, September 2020