Education

J.D., (summa cum laude) Regent University School of Law, 1999
B.A., (cum laude), Political Science, Northwestern State University, 1994

Awards
2016 Cybersecurity Trailblazer, National Law Journal

  • Named "Texas Super Lawyer" by Thomson Reuters, 2015 - 2017
  • Recognized as "Best Lawyers in Dallas" by D Magazine, 2015-2017
  • College of the State Bar of Texas

Biography

“Almost any attorney can run a data breach notification, but it takes an attorney with a lot more experience to understand when cyber incidents are not reportable data breaches.” – Shawn E. Tuma

Shawn Tuma is an experienced cybersecurity and data privacy attorney and partner at Scheef & Stone. He is widely recognized as an international thought leader and subject matter expert in cybersecurity and data privacy law. Having practiced in this area of law since 1999, he is one of the most experienced and well-respected cybersecurity and data privacy law attorneys in the United States.

Shawn devotes his practice exclusively to cybersecurity and data privacy law and views his role as helping businesses protect their information and protect themselves from their information. He represents a wide range of clients, from small to midsize companies to Fortune 100 companies, across the United States and globally in dealing with cybersecurity, data privacy, data breach and incident response, regulatory compliance, computer fraud related legal issues, and cyber-related litigation. He is frequently sought out and hired by other lawyers and law firms as a consulting expert to advise them when these issues arise in cases for their own clients.

While this area of the law has evolved greatly in the nearly 20 years that Shawn has been practicing, he continues to evolve with it as a practitioner representing his clients, academically as an author and instructor, and as an expert analyst for the national media.

In recognition of his experience, Tuma has received many professional awards and honors including these select accolades:

  • The National Law Journal has named him as a “Cybersecurity and Data Privacy Law Trailblazer.” 
  • SuperLawyers has listed him as one of the “100 Best Attorneys in Dallas-Fort Worth.” 
  • D Magazine has named him one of the “Best Lawyers in Dallas.”
  • Lawyer Monthly and Finance Monthly have named Shawn as “Cybersecurity – Lawyer of the Year – USA.”
  • Lawyer Monthly and Finance Monthly have named Scheef & Stone’s Cybersecurity and Data Privacy Law practice, which Tuma leads, as “Cybersecurity – Law Firm of the Year – USA.”

Throughout his career Shawn has helped his clients with a vast array of different cybersecurity and data privacy cases that are as unique as this ever-evolving area of law. His practice has developed into three distinct areas over the years:

  • Proactively helping companies assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk and meet regulatory compliance requirements.
  • Leading companies through the cyber incident response and data breach response process (e.g., as a “breach guide” or “breach quarterback”), crisis management, and regulatory compliance investigations and enforcement actions (e.g., by regulators such as various states’ Attorneys General, Department of Health and Human Services / Office of Civil Rights (HHS/OCR), Federal Trade Commission (FTC), and Securities and Exchange Commission (SEC)). Tuma serves as a breach guide for insurance companies’ panel of approved counsel.
  • Representing clients in litigation involving cyber-related claims like computer and data misuse, computer hacking, data loss, data theft, and business to business disputes concerning responsibility for cyber incidents.

Cyber Risk Management

With his extensive experience over nearly two decades of helping clients with their cybersecurity and data privacy problems—litigation, incidents, data breaches, and regulatory investigations and enforcement actions—he has learned a lot of lessons about what companies could and should have done to prevent many of those problems from occurring. Through many case post-mortem discussions with clients he began to see a pattern of clients regularly saying things such as:

“If only we would have done [fill in the blank] a year or two ago, this incident would not have happened, and the cost of doing [fill in the blank] would have been much cheaper than the cost of dealing with this incident, especially considering the disruption of our business.”

Using the process of evaluating real-life incidents and then working backward to analyze what could have been done to prevent them, Tuma began to develop a practical framework for clients to implement to help minimize the risk of such events before they occurred. This was the beginning of his proprietary CyberGard™ Cyber Risk Management Program which he uses to help companies of all sizes assess the specific risks they face. Such risks can range from the nature of the data they control or process to the laws of the jurisdictions they are subject to, such as the Texas Identity Theft Enforcement and Protection Act (ITEPA) and New York Department of Financial Services Cybersecurity Regulation (NYDFS), the federal Securities and Exchange Commission guidance, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and internationally such as the European Union’s Privacy Shield and General Data Protection Regulation (GDPR). 

The next step is to audit their existing preparation and defenses, develop a strategy to minimize the identified risks based on threat level, and then execute the plan by developing and implementing protocols, policies and procedures, training, incident response planning, and coordinating third party assistance needed to effectively protect the company through a program that is continuously maturing to meet the evolving threats they face. 

An important part of this Program is counseling clients on cyber risk insurance which often includes examining clients’ existing cyber risk insurance vis-à-vis their needs and making recommendations for such coverage where appropriate.

Cybersecurity and Data Breach Incident Response (“Breach Guide” or “Breach Quarterback”)

Throughout his career, Shawn has counseled companies on responding to hundreds of cyber incidents in all 50 states and numerous countries around the world. Given the substantial number of companies that are having cybersecurity incidents and data breaches, he currently focuses much of his practice on guiding companies through the process of understanding, managing, and responding to these incidents. He does this by conducting internal investigations into the events that gave rise to the incident, counseling clients on the findings, options, and impact on the companies, performing risk assessments, and using his experience to determine whether the incident rises to the level of finding that the company has actually had a breach requiring reporting and notification, or whether it is really a non-reportable incident.

When there has been a breach, he serves as companies’ “breach guide” (or “breach quarterback”) and leads the company through the breach response and notification and reporting process. Unfortunately for many companies, the cases do not end with the response and reporting, but result in regulatory investigations and regulatory enforcement proceedings by agencies such as state Attorneys General, HHS/OCR, FTC, and SEC; Shawn is well-versed in guiding clients through this process as well.

Shawn has been assisting companies through incident and breach response for many years and has handled data breach responses that range from small healthcare cases involving only a few patients up to large corporate breaches involving millions of data subjects that require notification in numerous countries, on numerous continents worldwide. Given Shawn’s extensive experience and the structure of his Cybersecurity and Data Privacy Practice Group at Scheef & Stone, he is well-equipped to scale his services up or down to serve every client’s needs in an efficient and cost-effective manner.

Cybersecurity, Data Breach, Hacking Litigation

As a litigation attorney, Shawn has handled cases for clients that cover a broad spectrum: from federal court litigation that involved claims of computer hacking among celebrities that received national media attention (and was favorably resolved within a few months), on the one hand, to concurrent litigation in federal and state court over a business enterprise worth potentially billions of dollars that took years to resolve as it involved claims of business espionage, intellectual property theft, computer hacking among competitors, computer hacking by insiders, and a data breach of sensitive personal information and protected health information, on the other.

Shawn Tuma’s Ideal Role—Helping Companies Prepare for and Manage Cyber Risks

Shawn's ideal role is to serve as a member of companies’ risk management team as outside cybersecurity counsel to help the company proactively prepare for and minimize its risks of doing business in today’s digital business world. Then, if a problem does arise, he is there to guide them through resolving those issues as well.

His unique experience throughout his career has prepared him for this role. Prior to devoting his practice exclusively to cybersecurity and data privacy law, Tuma worked for much of his career as both a cyber lawyer and a complex business litigation lawyer. His cyber law, business law, and litigation experience equip him with unique skills for helping businesses assess, avoid, and resolve problems in a very expeditious manner.

Representative Experience

  • Assisted numerous national and international companies with assessing their cyber risk and developing, implementing, and maturing cyber risk management programs.
  • Assisted numerous national and international companies with evaluating and procuring appropriate cyber risk insurance coverage.
  • Served as subject matter consulting expert to multiple law firms on cases involving claims under the federal Computer Fraud and Abuse Act, Texas Harmful Access to Computers Act, Texas Breach of Computer Security Act, and federal and state Wiretap and Stored Communications Acts.
  • Served as incident response guide and lead crisis manager for numerous companies and healthcare organizations for ransomware attacks, successfully obtaining decryption and restoration of networks and data and assisting clients in obtaining evidence needed for risk assessments finding incidents as non-reportable events.
  • Served as breach guide for multiple national and international companies responding to data breaches spanning multiple countries and all US jurisdictions that were timely and effective, resulting in no fines or penalties by regulators and no claims by data subjects.
  • Served as litigation counsel for multiple companies following data breach reporting and notification and successfully resolving claims by data subjects without payment or media attention.
  • Served as incident response guide and lead crisis manager for numerous companies and healthcare organizations leading internal investigations and obtaining evidence needed for risk assessments finding incidents as non-reportable events.
  • Served as counsel for numerous companies and healthcare organizations responding to investigations by federal and state regulators resulting in no fines or penalties and no payments to data subjects.
  • Obtained complete dismissal of Computer Fraud and Abuse Act, Wiretap Act, and Stored Communications Act lawsuit against celebrity client within three months from filing of lawsuit.
  • Obtained seven-figure judgment for client on Computer Fraud and Abuse Act claim on successful motion for summary judgment.
  • Hired by law firm to prepare response to motion seeking dismissal of its client’s Computer Fraud and Abuse Act claim that resulted in court’s denial of motion against client.
  • Hired by law firm to prepare Computer Fraud and Abuse Act claim in parallel proceeding, ultimately resulting in a favorable settlement for law firm’s client.
  • Successfully obtained injunctive relief under Computer Fraud and Abuse Act against employee who had taken employer’s data for use in a competing business.
  • Within six hours of being hired, obtained complete capitulation by defendant who had misused computer access to misappropriate highly confidential and proprietary trade secrets source code for internationally recognizable technology company’s service and threatened public disclosure.
  • Within three days of being hired, obtained complete capitulation by defendant who had misused computer access to misappropriate company’s confidential data to use in a competing business.
  • Obtained complete dismissal of seven-figure trade secrets lawsuit against client for $0.
  • Successfully defended against injunctive actions in eight-figure trade secrets, patent, copyright, and trademark litigation against clients.
  • Successfully obtained favorable confidential settlement for client of patent inventorship lawsuit.
  • Successfully defended clients against claims for damages and injunctive relief for misappropriation of trade secrets resulting in confidential settlement requiring no payment by clients.
  • Obtained confidential settlement of client’s copyright claims that resulted in payment that more than doubled client’s actual damages.
  • Successfully protected non-party client’s trade secrets from disclosure during litigation where plaintiff sought disclosure of the information to establish jurisdiction.

Professional Involvement and Thought Leadership

Shawn takes his responsibility as a professional very seriously and devotes a substantial amount of his time and efforts to serving the legal, cybersecurity, and business communities.

Select professional leadership activities, publications, presentations, and news media appearances are listed below.

Professional Leadership

  • Board of Directors & General Counsel, Cyber Future Foundation
  • Board of Advisors, University of North Texas Cyber Forensics Lab
  • Practitioner Editor, Bloomberg BNA Texas Privacy & Data Security Law
  • Policy Council, National Technology Security Coalition
  • Board of Advisors, Cyber Law Consortium
  • Cybersecurity Task Force, Intelligent Transportation Society of America
  • Secretary, Computer and Technology Section, State Bar of Texas
  • Privacy and Data Security Committee, State Bar of Texas
  • Cybercrime Committee, North Texas Crime Commission
  • InfraGard (FBI)
  • Information Systems Security Association (ISSA)
  • International Association of Privacy Professionals (IAPP)

Select Publications

Select Presentations

  • Cybersecurity: How to Protect Your Firm from a Cyber Attack, Texas Bar CLE Cybersecurity Law Workshop, Houston, Texas,  (2/7/18)
  • Data Breach Incident Response – Recovering from a Cyber Attack, Texas Bar CLE Cybersecurity Law Workshop (presented with Todd Hindman), Houston, Texas,  (2/7/18)
  • Countdown to GDPR – Compliance for Non-EU Companies, Mackrell International Webinar,  (12/7/17)
  • Contracting for Better Cybersecurity, Texas Bar CLE, (12/5/17)
  • Artificial Intelligence in the Legal and Regulatory Realm — Practical Cybersecurity Risk Management Strategies (with Paul Ferrillo), New Jersey State Bar Association (NJSBA) Cybersecurity Institute, (11/17/17)
  • Cybersecurity Fundamentals for Legal Professionals, 55th Annual Conference on Intellectual Property Law, The Institute for Law and Technology,  (11/13/17)
  • The Essentials of Cyber Insurance: A Panel of Industry Experts (Moderator, Shawn Tuma; Panelists were Patrick Florer, Mark Knepshield, and John Southrey), North Texas ISSA Conference, Plano, Texas, (11/10/17)
  • What Litigators Need to Know About Cybersecurity & Data Privacy (with Elizabeth Rogers), 41st Annual Page Keeton Civil Litigation Conference (Austin, TX),  (11/03/17)
  • The Legal Case for Cybersecurity, SecureWorld – Denver,  (11/02/17)
  • Why Your Organization Must Have a Cyber Risk Management Program and How to Develop It, Association of Continuity Professionals, North Texas,  (10/19/17)
  • The Legal Case for Cybersecurity, Lunch Keynote, SecureWorld – Dallas,  (10/18/17),  (video)
  • Legal Issues Associated with Third-Party Cyber Risk, ISACA CSX North America 2017 (Washington D.C.),  (10/03/17)
  • How Cybersecurity is Impacting People’s Rights, Regent University School of Law Symposium on The Expansion of Technology in the 21st Century (Virginia Beach, VA),  (9/30/17)
  • Cybersecurity: What to Do After the Breach, Advanced In-House Counsel,  (8/17/17)
  • Cybersecurity Fundamentals for All Organizations, Advanced In-House Counsel 101,  (8/16/17)
  • Real World Cybersecurity Tips You Can Use to Protect Your Clients, Your Firm, and Your Law License, State Bar of Texas Annual Meeting 2017, (6/22/17)
  • The Constitution, Cybersecurity & Staying Safe Online, Fifth Grade Class @ Morningside Elementary,  (5/24/17)
  • New York Department of Financial Services Cybersecurity Regulations, Webinar Available Online,  (5/23/17)
  • National Data Breach Notification Laws Panel Discussion, National Technology Security Coalition (NTSC) Inaugural DC Fly-In,  (Washington, DC, 5/16/17)
  • Guest Lecturer, Cybersecurity & Data Privacy Law, UNT College of Law, (4/22/17)
  • National Data Breach Notification Laws Panel Discussion, National Technology Security Coalition (NTSC),  (4/3/17)
  • Cyber Liability Insurance Counseling and Breach Response, 8th Annual Course Essentials of Business Law by State Bar of Texas’ Texas Bar CLE,  (3/10/17)
  • Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know — (ISC)² Dallas/Fort Worth Chapter, (1/27/17)
  • Let’s Get This Third Party Started: Cybersecurity Compliance & Third Party Supply Chain Risk Management, Co-presented with Elizabeth Rogers at the Cybersecurity and Data Privacy Law Conference presented by the Institute for Law and Technology,  (1/15/17)
  • Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know, Joint Meeting of Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA),  (1/12/17)
  • Cyber Law 2016 & Beyond, International Conference on Cyberlaw, Cybercrime & Cybersecurity 2016,  (New Delhi, India)
  • Cyber Policy and its Impact on the Global Economy, Cyber Future Summit 2016 (panel with Brian Engle, Executive Director of the Retail Cyber Intelligence Sharing Center (R-CISC), Shamoil Shipchandler, Regional Director, U.S. Securities and Exchange Commission, Richard Murray, Asst. Special Agent in Charge, Cyber Leader, FBI – Dallas, and David Grubbs, Regulatory & Compliance Director of Garland Power & Light),  (10/28/16)
  • Get the FUD Out of Cybersecurity!, ISACA CSX North America 2016 (Las Vegas), (10/18/16)
  • Federal Computer Fraud and Abuse Act & Texas Computer Hacking Laws, State Bar of Texas Annual Meeting (Intellectual Property Track),  (6/17/16)
  • Corporate Governance Meets Cyber Risk: Not Just the IT Department’s Problem, Questions for Board Members to Ask and Actions to Take, Board Dynamics Breakfast Program Panel Discussion (with John Ansbach, Jarrett Kolthoff, Jack Pfeffer, and Shawn Tuma),  (5/4/2016)
  • Emerging Cyber Threats and Worldwide Cybersecurity Trends, 5th Annual Cyber Liabilities Insurance ExecuSummit, Uncasville, Connecticut,  (4/19/16)
  • Cybersecurity Threat Intelligence Sharing Panel Discussion with Congressman Michael McCaul, Chair of Homeland Security Committee, Panelist, University of Texas,  (4/9/15)

Select News Media & Press

Business Cyber Risk Blog

Shawn is a blogger and manager of the Business Cyber Risk Blog.

Court Admissions

  • State Bar of Texas
  • United States Court of Appeals for the Fifth Circuit
  • United States Court of Appeals for the Federal Circuit
  • United States District Courts for the Northern, Eastern, Southern, and Western Districts of Texas
  • United States District Court for the Eastern District of Pennsylvania (pro hac vice)
  • United States District Court for the Middle District of North Carolina (pro hac vice)

Education

  • Regent University School of Law, JD, 1999, Magna Cum Laude
  • Northwestern State University, BA, 1994, with Honors

T: (214) 472-2135

Frisco Office

Ph (214) 472-2100
Fx (214) 472-2150
2600 Network Boulevard
Suite 400
Frisco, Texas 75034