Randy Sabett

Special Counsel
Full contact info

As an attorney and former crypto engineer, I approach cybersecurity and privacy from all angles; I don't just talk the talk – I also walk the walk.

About Randy

Randy, a Certified Information Systems Security Professional (CISSP), has spent his entire career studying and helping resolve complex technical and legal issues involving cybersecurity, privacy and national security – first as a crypto engineer at the National Security Agency (NSA) and in private industry, then as an attorney with Cooley. A veteran cyberlaw practitioner and pioneer in the areas of incident response, public key cryptography, and active defense, Randy has a national reputation for combining his deep cybersecurity technical experience with practical advice to his clients on a broad range of cutting-edge cybersecurity, privacy, artificial intelligence, IT licensing and intellectual property issues. Having previously served as in-house counsel to a Silicon Valley startup, Randy employs a pragmatic approach when working with clients. He also has handled a wide variety of data breach and cyber incidents, including for major commercial retailers, large financial institutions, online service providers and healthcare organizations.

Randy counsels clients on cyber risk and helps develop strategies to protect their information, including advising companies on how to develop and maintain appropriate internal controls to meet privacy and cybersecurity requirements. His representation has included a diverse group of organizations spanning numerous industry and technology verticals. Example clients include financial services organizations, technology platform providers, cybersecurity service and technology providers, healthcare companies, industrial manufacturing companies, critical infrastructure organizations, industry associations, nonprofits, insurance companies, various entities in the education sector, and numerous other organizations. Randy also advises on liability related to network security and coordinates investigations with a variety of entities following client cyber incidents (including the client’s legal and technical teams, one or more forensic services providers, crisis communications companies and ransom negotiators).

Randy served as a commissioner for the Commission on Cybersecurity for the 44th Presidency. He was recognized as a leader in Privacy & Data Security in the 2007 – 2023 editions of Chambers USA: America’s Leading Lawyers for Business and is listed in the International Who’s Who of Business Lawyers. He also was named the Information Security Professional of the Year by the Information Systems Security Association (ISSA) and was recognized as one of the Top 50 Under 45 by The American Lawyer’s IP Law & Business magazine. Randy also was highlighted as a leading lawyer by The Legal 500 US for Media, Technology and Telecoms – Technology Transactions and for Cyber Law (including Data Privacy and Data Protection), as well as a Top Lawyer in the area of cybersecurity by Washingtonian magazine. He currently serves on the RSA Conference Program Selection Committee, the MissionLink Next advisory board, and the SPLICE (www.splice.org) advisory board and has served on numerous other company and industry association advisory boards.

Randy previously worked as senior technology counsel for a Silicon Valley information security company. Additionally, he has several years of engineering experience in the information security marketplace and has worked in active noise cancellation, along with having served at the NSA as a crypto engineer. Randy holds two US patents – one in the area of information security (US Patent No. 6,981,149) and the other in the area of active noise cancellation (US Patent No. 5,440,642).

Selected publications and media appearances:

  • Author, Sabett’s Brief, ISSA Journal monthly column, 2008 – 2019
  • Co-author, USA: NIST’s AI Risk Management Framework – Key Takeaways, OneTrust DataGuidance, October 2023
  • Guest, The Business of Cybersecurity – Legal & Compliance, “Cyber Insiders” podcast, August 2023
  • Co-author, SEC Proposes Sweeping Cybersecurity Disclosure Framework, Cooley alert, March 2022
  • Guest, “Compliance & Legal Risk Podcast,” July 2021
  • Co-author, FTC Expects Board-Level Cybersecurity Oversight, Cooley alert, May 2021
  • Author, What Happens if I Pay the Ransom?, The Cipher Brief, November 2020
  • Guest, Discussion on cyber risk management, “Cyber Insiders” podcast, February 2020
  • Quoted, Understanding the Cyberthreat, San Diego Business Journal, June 2019
  • Co-author, CSA and ISACs: Offering Renewed Hope for Information Sharing in the Oil and Gas Industries, 67th Annual Institute on Oil and Gas Law, February 2016
  • Co-author, Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense, University of Maryland, Francis King Carey School of Law, Journal of Business & Technology Law, January 2013
  • Co-author, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, American Bar Association (ABA), June 2013

Selected activities and speaking engagements:

  • Moderator, AI: Hot Topics … Transforming Cybersecurity, SentinelOne’s Charleston CyberLaw Forum: The State of Cyber Law, January 2024
  • Presenter, Vendor Security and Information Security Program Basics, Practising Law Institute’s Fundamentals of Privacy Law 2023, December 2023
  • Panelist, Threats Unveiled: Legal Round Table, Nisos, October 2023
  • Presenter, AI & Privacy: Training and Use of Generative AI Tools, 2023 TechGC AI Conference – Navigating the AI Frontier: Law at the Crossroads of Innovation, October 2023
  • Panelist, Winning the Board Room: Strategies for Partnering With Boards for Optimum Security Outcomes, Fal.Con 2023, September 2023
  • Moderator, “Information Sharing and Mandatory Disclosure”, Domestic Security Alliance Council briefing in conjunction with the Federal Bureau of Investigation (FBI), June 2023.
  • Speaker, The Coming SEC Cybersecurity Rules, Privacy + Security Forum, May 2023
  • Speaker, IR: Optimizing Communications and Action Between Legal and Tech Leaders, RSA Conference 2023, April 2023
  • Moderator, Hot Topics in Cyber and Privacy Law: Looking at the Landscape for 2023, SentinelOne’s Charleston CyberLaw Forum, January 2023
  • Moderator, Out of the Quagmire: Updating Your Privacy and Security Program for 2023, Association for Corporate Counsel (ACC) National Capital Region webinar, November 2022
  • Speaker, There’s a Bug in My System! Now What?, ABA National Institute on Cybersecurity and Data Protection, September 2022
  • Speaker, Practical Effects of AI/ML on Cybersecurity and Privacy, Data in Cyber-Physical Systems Symposium, June 2022
  • Moderator, Cybersecurity and Privacy Issue-Spotting in Vendor Agreements and Standard Contractual Clauses Post-Schrems and CCPA, ACC National Capital Region webinar, December 2021
  • Speaker, IoT Cybersecurity Legislation Under the Microscope, ABA Internet of Things (IoT) National Institute 2021, June 2021
  • Speaker, Keeping Up With the Latest Cybersecurity Challenges, Practising Law Institute’s 22nd Annual Institute on Privacy and Cybersecurity Law, June 2021
  • Panelist, Defend Forward: Moving Toward Coordinated Active Cyber Response, RSA Conference 2021, May 2021
  • Speaker, What Comes After Privacy Shield: Negotiating Cross-Border Data Transfers With Vendors and Service Providers, ACC National Capital Region webinar, October 2020
  • Speaker, Cybersecurity in IoT, ABA Internet of Things (IoT) Virtual National Institute 2020, August 2020
  • Panelist, Defend Forward: Legal and Policy Considerations for Enabling Active Cyber Response, Georgetown Law & Technology Forum, July 2020
  • Speaker, Cooley’s HR Network 2019 – Mid-Atlantic, October 2019
  • Presenter, Privacy Forum: OK, GDPR is Out of the Way, Now What? The Cybersecurity and Privacy Year in Review for 2018, ACC National Capital Region webinar, January 2019
  • Speaker, Information Security Media Group (ISMG) Fraud and Breach Prevention Summit, New York City, August 2019
  • Speaker, Data Privacy and Security in Today’s Financial World, Financial Markets Association’s Legal & Legislative Conference, October 2019
  • Speaker, M&A 2019 – 2020: Cyber/Privacy Diligence, Privacy + Security Forum, October 2019
  • Speaker, A View from the Trenches: How a Grass Roots Industry Effort Turned into an ISAO, ISAO Standards Organization’s International Information Sharing Conference, August 2019
  • Moderator, GDPR, PIPEDA and Security in the New Privacy World, ISMG Cybersecurity Summit Toronto, September 2019
  • Participant, Private Briefing, FBI and Private Industry, Collaborative Information Sharing, June 2019
  • Moderator, Information Sharing: Three Years After CISA, What’s Working (or Not), Georgetown Cybersecurity Law Institute, May 2019
  • Speaker, Ransom: A Real-World Case Study in Data Theft, Forensics and the Law, RSA Security Conference, March 2019
  • Speaker, Privacy Forum Year in Review, Association of Corporate Counsel, January 2019
  • Speaker, Privacy/Security by Design in the IoT, Privacy + Security Forum, October 2018
  • Expert Briefer, Cybersecurity Moonshot Briefing, Department of Homeland Security/National Security Telecommunications Advisory Committee, September 2018
  • Panelist, Cybersecurity Is Not One Size Fits All, ABA webinar, September 2018
  • Speaker, ISSA International Series: Regulation and Legislation, ISSA webinar, September 2018
  • Panelist, Know Your Attacker: Lessons Learned From Cybercrime Investigations, ISMG Security Summit, August 2018
  • Speaker, Black Hat, Unattributed Industry Association, August 2018
  • Panelist, Is Your Charter School Protecting Its Student Data?, National Charter Schools Conference, June 2018
  • Speaker, What’s All the Hype About GDPR and Why Should I Care?, ISSA-NOVA, May 2018
  • Moderator, Incident Response Planning: Are You Ready?, Georgetown Cybersecurity Law Institute, May 2018
  • Panelist, Data Integrity: The Elephant Threat in the Room and Customer Losses: Who’s Going to Sue You (and What You Can Do About It), RSA Conference, April 2018

Education

University of Baltimore School of Law
JD, 1996

Syracuse University
BS, 1985

Rankings and accolades

Chambers USA: Privacy & Data Security – Nationwide (2007 – 2024)

Eight-time Law360: Cybersecurity & Privacy Practice Group of the Year (2024)

The Legal 500 US: Technology – Data Protection and Privacy (2016 – 2023) and Media, Technology and Telecoms – Technology Transactions (2015)

Information Systems Security Association: Information Security Professional of the Year (2013)

Information Systems Security Association: Distinguished Fellow (2018)

Washingtonian magazine: Top Lawyer in Cybersecurity (2015)

The American Lawyer’s IP Law & Business magazine: Top 50 Under 45 (2007)

Memberships and affiliations

American Bar Association - Section of Science and Technology Law

FBI Citizens Academy

FBI Infragard

Georgetown Cybersecurity Law Institute

International Association of Privacy Professionals

Information Systems Security Association

MissionLink Next

RSA Conference Program Committee