Paul is a partner in the firm’s Washington office. He co-chairs the firm’s multi-disciplinary Cyber and Physical Security Task Force and its Energy Sector Security Team. He assists clients from a wide range of sectors with security, law enforcement, electronic surveillance and privacy issues. Paul regularly advises companies on risk management, preparedness, cyber incident response, compliance, litigation, policy and legislation.
Prior to joining Hunton & Williams, Paul served as Special Counsel and then Senior Counselor for Cybersecurity and Technology to the Director of the Federal Bureau of Investigation. In that position, he advised the FBI Director on programmatic, policy and legal issues relating to cyber, counterintelligence and counter-terrorism. He also represented the FBI in senior-level discussions with other agencies, the White House, Congress, and industry.
Paul previously served on the US Senate Judiciary Committee as Counsel to the Senate Assistant Majority Leader, where he wrote legislation and provided advice on criminal and national security issues. He is a former Assistant US Attorney in the District of Maryland. At the US Attorney's Office, Paul investigated and prosecuted cyber intrusions, intellectual property violations, white collar fraud, organized crime, drug trafficking, and violent crimes. He also served as the coordinator of computer hacking and intellectual property cases.
Paul began his career as a law clerk for the Honorable Mary Schroeder of the US Court of Appeals for the Ninth Circuit, and then served as a trial lawyer in the honors program of the Department of Justice Civil Rights Division. In between stints in the government, he was in private practice at a large law firm handling civil and criminal litigation matters involving complex technology.
Paul is an adjunct professor of cybersecurity law and policy at George Washington University, a guest lecturer on cybersecurity and privacy at various universities, and an instructor at the National Institute for Trial Advocacy. He is a member of the Virginia Cyber Security Commission, appointed by Governor Terry McAuliffe; a member of the Maryland Cybersecurity Council, appointed by Attorney General Brian Frosh; and Chair of the Montgomery County Criminal Justice Coordinating Commission, appointed by County Executive Ike Leggett.
- Assisted energy, transportation, communications, financial, healthcare, and other companies in managing cybersecurity risk by restructuring the board of directors and executive committee to address cybersecurity, conducting inventories of sensitive data and networks, strengthening network security policies and practices, entering into collaborative information-sharing arrangements with private and public entities, strengthening the cybersecurity provisions in contracts with third-party vendors, updating incident response plans and toolkits, conducting table-top exercises, and reducing financial risk through insurance and the SAFETY Act.
- Assisted critical infrastructure companies and defense contractors in responding to data breaches and cyber incidents, including supervising the digital forensics analysis, leading the internal investigation, analyzing state and federal breach notification obligations nationwide, engaging with the FBI, US Secret Service and other agencies, communicating with affected employees, preparing notice letters to affected individuals and state regulators, issuing public announcements, and responding to congressional inquiries.
- Assisted one of the country’s largest utility electric utilities in responding to a white hat hacker that publicly disclosed a third party data exposure involving data regarding the utility’s operational assets, including negotiating with the hacker, engaging and overseeing digital forensics experts, taking action against the third party, assisting with interviews of employees and contractors; and advising on notifications and communications to employees, board members, state and federal agencies, the media, and pertinent industry partners.
- Assisted a major electric utility company with the response to a ransomware attack on a generation facility.
- Assisted major power grid company with the response to a significant insider threat, including engaging with the FBI, DHS, DOE, FERC, state regulatory agencies, and affected third parties, supervising the digital forensics analysis, leading the internal investigation, and managing communications with the public.
- Provided extensive legal and operational advice to major energy, financial, transportation, and communications companies on cybersecurity information-sharing and collaboration opportunities with private sector groups such as ISACs and the NCFTA, and with public entities such as the FBI, Department of Homeland Security, Department of Energy, and NERC. Assisted in negotiating confidentiality agreements with these private and public entities.
- Assisted energy and financial companies in negotiating the cybersecurity and privacy terms in contracts with major cloud and communications providers.
- Advised leading financial institution on updates to information security policies, structure and content of table-top exercise, and improvements to security incident response plan.
- Assisted major energy company in reorganizing its board of directors, executive committee, and management committee to address threats to cyber physical security.
- Advised transportation company on the government’s law enforcement and counter-terrorism authorities relating to the protection of physical infrastructure.
- Advised major pipeline company on a physical security issue before the Pipeline and Hazardous Materials Safety Administration.
- Advised major critical infrastructure company on reducing the potential legal liability associated with a terrorist attack by obtaining a certification or designation for a physical or cyber security system under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act.
- Advised manufacturer on regulatory compliance with the Chemical Facilities Anti-Terrorism Standards (CFATS).
- Assisted major critical infrastructure companies on various aspects of state and federal Freedom of Information Acts (FOIA), including the applicability of exemptions to disclosure based on trade secrets, confidential commercial or financial information, law enforcement proceedings, statutory non-disclosure requirements, personal privacy, and other grounds. Represented companies in negotiations with various federal agencies over the applicability of certain FOIA exemptions, and prepared extensive redactions and legal objections to an agency’s proposed release of documents under FOIA. Successfully persuaded agency to adopt requested redactions to documents prior to release.
- Advised critical infrastructure and other companies on requirements relating to obtaining security clearance, handling classified information, and reporting security issues to the government.
- Advised companies and government agencies on privacy requirements and government investigative authorities under the Patriot Act, the Foreign Intelligence Surveillance Act, the FISA Amendments Act, and the Electronic Communications Privacy Act, and the implications of corporate structure, contractual relationships, and data control arrangements on the government’s exercise of jurisdiction.
- Advised Fortune 100 companies on policy, regulatory and legislative developments relating to cybersecurity and national security.
- Assisted public and private entities in addressing congressional inquiries regarding cybersecurity and other sensitive incidents.
- Successfully tried a dozen federal jury trials involving white collar fraud, organized crime, narcotics trafficking and violent crimes, and defended the results in appearances before the US Courts of Appeals.