
Paul Otto

Senior Associate
Washington, D.C.

English, Spanish

Paul Otto understands the regulatory environment surrounding cybersecurity risk management and incident response. Leveraging his technical background and capabilities in computer science and engineering, Paul brings insight to clients as a compliance counselor who understands hardware, software, and technological innovation.

Paul has coordinated and managed dozens of cybersecurity assessments — including risk analyses, penetration tests, and other technical and nontechnical security evaluations — as well as associated remediation plans.

Paul works with legal counsel and security officers throughout the lifecycle of cybersecurity risk management and incident response. Because many organizations have limited in-house cybersecurity legal capacity, Paul embraces the role of outside counsel by working alongside executive and information security teams to manage risk, oversee corporate governance, and help identify and capitalize on risk-reducing opportunities for enhanced data protection.

Paul regularly advises clients on security-related risks in mergers and acquisitions and governance matters, as well as advising on appropriate contractual language for safeguarding sensitive data such as health and financial information. Paul also assists clients in evaluating the data security practices of vendors and other strategic partners.

Paul's cybersecurity legal representation includes organizations across a wide range of industries, primarily in the technology, life sciences and healthcare, education, and financial sectors. Whether it is cloud computing, mobile technology, critical infrastructure, the Internet of Things, or any number of technology-related areas, Paul regularly advises clients on compliance with various data security laws, regulations, and standards.

Paul has a master's degree in computer science and a bachelor's degree in electrical and computer engineering. He clerked for Chief Justice Christine M. Durham of the Utah Supreme Court.

Representative experience

Cybersecurity counsel in the largest health-related cyberattacks in U.S. history, supporting incident response, forensic analysis, and risk management.

Assisted several Fortune 100 companies with strengthening their cybersecurity posture, including incident preparedness and compliance measures.

Cybersecurity counsel for one of the largest global technology companies involved in developing health-related mobile and wearable devices.

Advised clients on privacy- and cybersecurity-related FTC, HHS, state Attorney General, and Insurance Commission investigations & enforcement actions.

Assisted several major U.S. universities in responding to cybersecurity incidents, including forensic review, notification analysis, and remediation.

Cybersecurity counsel for one of the largest U.S. telecommunications companies, coordinating and overseeing in-depth legal security assessments.

Conducted privacy- and cybersecurity-related diligence for numerous mergers & acquisitions by two of the seven largest U.S. healthcare companies.

Led internal investigation of a sophisticated cyberattack for a major insurance company.

Education and admissions


  • J.D., Order of the Coif, Duke University School of Law, 2010
  • M.S., North Carolina State University, 2007
  • B.S., with distinction, University of Virginia, 2004


  • American Bar Association
  • Association for Computing Machinery
  • Institute of Electrical and Electronics Engineers
  • International Association of Privacy Professionals

Bar admissions and qualifications

  • District of Columbia
  • Virginia