Expertise

Senior Privacy, Data and Cybersecurity lawyer focussed on contentious data protection issues, managing large scale multi-jurisdiction data and cyber incidents with experience across the full lifecycle of investigations—from pre-incident planning and training to crisis response, regulatory enforcement, and litigation strategy.

A core part of his background includes his senior leadership role at the UK Information Commissioner’s Office (ICO), where he served as Director of Enforcement and General Counsel to Commissioner Elizabeth Denham CBE. During his time there, he led on all major enforcement actions and played a key role in shaping the UK’s regulatory response to cyber and data issues.

Prior to his time at the ICO, James spent more than a decade in private practice at DLA Piper, advising on a wide range of white-collar crime and regulatory matters.  

Key cases & projects include:

• Co-leading a very large-scale data breach incident for a US tech company caused by a credential stuffing attack targeting multiple API calls over an extended period.  Co-ordinating and reporting in over 30 jurisdictions globally involving close to 1M affected users.  Drafting detailed risk analysis on legal requirements to notify affected individuals in order to support position with regulators to ensure a consistent approach whilst minimizing legal risk 
• Advising a major UK retail client on a business-critical cyber incident, engaging cyber security experts and forensic accountants to ensure systems were securely back online as quickly as possible whilst managing associated data security and litigation risks and liaising with cyber insurers.  Managing complex issues of cross-jurisdictional privilege between UK and US entities, assessing necessity to report the incident to the ICO on an ongoing basis
• Advising a major UK public sector healthcare organisation in relation to the provision of evidence to the ICO for a potential prosecution of a staff member for unlawful access to data and managing legal and reputational risks in relation to linked medical regulatory investigations.  Dealing in parallel with the reporting of historic data breach incidents and associated legal risks and managing notification of multiple affected individuals and associated comms planning
• Legal Director and Lead lawyer for the ICO’s investigation into the Cambridge Analytica affair (aka Operation Cederberg) their largest ever investigation.  Managing a team of ICO lawyers and investigators, secondees and external Counsel to run multiple workstreams including securing the maximum penalty then available in law against Facebook imposed for breach of data protection law, including contested appeal proceedings and subsequent settlement, the successful criminal prosecution of SCL Elections Limited whilst the company was in administration, instigating and managing a document review process for 700+ Terabytes of data, using systems and processes new to the regulator, managing international engagement with multiple DPAs and other regulators across the UK, EU and globally to lawfully share and obtain information for the purposes of the investigation
• Leading and managing successful enforcement action by the ICO against British Airways plc and Marriott International Inc., resulting from cyber incidents both cases being run in parallel and involving the largest monetary penalties ever imposed by the regulator at that time.