Overview
John Michels is a Data Privacy and Cybersecurity associate at Paul Hastings, where he leverages nearly a decade of experience and a deep understanding of digital ecosystems to deliver practical guidance to clients worldwide. His practice spans the full spectrum of data privacy and cybersecurity issues, including developing multijurisdictional compliance programs under regulations such as the GDPR, GLBA, HIPAA and state consumer privacy laws; leading incident response for high-stakes data security incidents that have garnered international media attention; and playing a pivotal role in securing favorable outcomes in regulatory investigations and enforcement actions led by state, federal and international data privacy regulators.
John represents a wide range of clients, from disruptive startups to Fortune 500 companies. He routinely advises clients at the intersection between emerging technologies and the rapidly evolving contours of data privacy and cybersecurity law and is recognized for his pragmatic approach to addressing complex and dynamic legal issues. His ability to anticipate risks and align legal strategies with business objectives has resonated with cloud and SaaS providers; companies operating in fintech, blockchain and other financial markets; healthcare innovators; and industry-leading e-commerce platforms, among others.
A frequent co-author of articles on emerging privacy trends, John has been published by Law360 for his analysis of the biometric privacy landscape and is a core contributor to thought leadership pieces related to data security incidents, cybersecurity regulations and privacy governance. John has also presented for the U.C. Berkely Center for Law and Technology alongside leading privacy scholars and practitioners on topics including privilege in data breach investigations; developments in ransomware tactics; technology supply chain risks; and landmark privacy litigation. John is an active member of the International Association of Privacy Professionals and previously held a leadership role for the Chicago chapter.
John earned his J.D. cum laude from Northwestern Pritzker School of Law, where he served as an associate editor of the Northwestern University Law Review. Prior to law school, John served eight years in the U.S. Air Force as a combat survival, enemy evasion, interrogation resistance and captivity escape specialist. During his military tenure, he held a variety of leadership roles focused on risk assessment, strategic planning and asymmetric threat response — skills which he now leverages to develop proactive cybersecurity strategies; respond to cyber-attacks from sophisticated adversaries; and navigate the complex and often dynamic contours of data privacy and cybersecurity law.
Education
- Northwestern Pritzker School of Law, J.D. (cum laude), 2018
- American Military University, B.A. (with honors), 2014
Representations
- A Fortune 500 manufacturing company in the investigation of website cyberattacks targeting consumer payment card data.
- A Fortune 500 public company in investigating a large-scale data security incident and responding to regulatory inquiries related to the same.
- A cryptocurrency payments company in a cybersecurity enforcement action brought by the New York Department of Financial Services.
- An international semiconductor manufacturer in connection with a data security incident and provided counsel regarding jurisdiction and industry-specific notification requirements.
- Fortune Global 500 company in multiple putative consumer class actions brought under the Illinois Biometric Information Privacy Act (BIPA).
- A global internet services company in negotiating data privacy and cybersecurity requirements in agreement for white labelled crypto wallet solution.
- Consumer-facing payments company on compliance with NYDFS Cybersecurity Regulation compliance and developed related policies and procedures.
- Industry-leading pharmaceutical company in conducting an internal investigation involving alleged employee misuse of personal information.
- A telecommunications company regarding data privacy-related inquiries from Federal Communications Commission (FCC).
- Crypto payments startup in developing a bug bounty program.
- A Fortune 500 cloud services company in developing a ransomware response program.
- Social media platform on Computer Fraud and Abuse Act compliance and attendant third-party vendor risks.
- An industry-leading cybersecurity firm on response to congressional subpoena involving cybersecurity incident response and intelligence-gathering practices.
- A global e-commerce retailed in conducting an investigation into a data breach and in a related Federal Trade Commission (FTC) investigation.
- A multinational financial services company on compliance with biometric information protection statutes.
- A national credit reporting bureau in federal litigation related to alleged violations of the Fair Credit Reporting Act (FCRA).
- A global access solutions and products company on the development of its privacy and data protection program, including compliance with the European Union’s General Data Protection Regulation (GDPR).
- A computer hardware company in response to an alleged supply chain cybersecurity attack, and in a related investigation by the Securities and Exchange Commission (SEC).
- U.S. military veterans in actions brought against predatory lenders under the Racketeer Influenced and Corrupt Organizations Act (RICO).