As a member of the Constangy Cyber Team, Todd leads the investigation and evaluation of potential breaches of data security, such as those caused by ransomware, social engineering, or the compromise of business email accounts. He provides clients with the forensic and/or remediation services necessary to contain, analyze, investigate, and remediate the incident after the initial response has concluded. After the threat has been mitigated, Todd helps clients with external communications and notifications by evaluating the client's obligations to consumers and regulators under applicable state, federal, and international laws and industry standards.  Todd also takes the time to explain to his clients the steps and precautions needed to be taken in this unique area of the law. 

From pre-breach consultation to breach response and cyber insurance, Todd has extensive experience in cyber/privacy matters. Todd was one of the earliest litigators to address privacy concerns in state and federal courts created by Illinois’ Biometric Information Privacy Act, or BIPA.  Todd has also been called on to draft one of the earliest versions of cyber insurance policy form.  Todd has helped clients in nearly every industry and at every level of government develop policies regarding privacy and data issues over the years.

Todd leverages the knowledge gained from his twenty years working as a litigator and his prior work on privacy concerns within the insurance sector. Throughout his career, Todd has been tapped by insurance companies to analyze privacy claims made by policyholders under cyber and traditional lines of insurance and to keep tabs on how their private counsel handles breaches after they have been reported. Todd's expertise allows him to advise clients on liability, insurance, and business issues arising from privacy risks, giving them the "full picture" when responding to privacy incidents. 

Todd frequently publishes articles and provides presentations on the emerging privacy issues in the legal, insurance, government, and business communities.

Professional & Civic Associations


  • Illinois State Bar Association, Member
  • Michigan State Bar Association, Member
  • Member Wisconsin State Bar Association, Member

News & Analysis

Client Presentations & Firm Publications

Speaking Engagements & Industry Publications


  • "Unplugged Cyber: A Common-Sense Approach to Cybersecurity," 2019 IAPD/IPRA Soaring To New Heights, January 26, 2019
  • "Avoiding Cyber Information Overload to Create a Risk Management Strategy for Your District," 2017 IAPD/IPRA Soaring To New Heights, January 20, 2018
  • "Hackers At The Gate - What Should Keep Your Attorney Up All Night," Onshore Security, September 20, 2017
  • "Indemnity And Insurance Contract Requirements," STICO Mutual, July 2018
  • "Anatomy Of A Cyber Attack: Risks And Threat Mitigation," The Horton Group Workshop, April 5-6, 2017
  • "The Claims Process," Advisen Cyber Risk Insights Conference, May 11, 2016
  • "Cyber Insurance Underwriters: Your Country Needs You, Chicago Northwest Suburban," CPCU Society, April 13, 2016
  • "Cyber Security Concerns for Your Agency," IPRA IT Networking Group Meeting, March 10, 2016
  • "Cyber Security - Protecting Your Agency and Your Patrons," Illinois Association of Park Districts Soaring to New Heights Conference, January 30, 2016
  • "The Changing Face of Cyber Risk, Webinar," Cyber Risk Network, April 7, 2015
  • "Why Government Entities Should Care About Cyber Security," Tressler’s Governing With Confidence, Chicago, May 28, 2015
  • "The Changing Face of Cyber Risk," Advisen Cyber Risk Network, Webinar, April 7, 2015


  • "Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year?," Privacy Risk Report, September 23, 2021
  • "Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami- Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach," Privacy Risk Report, July 27, 2021
  • "The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA," Privacy Risk Report, March 15, 2021
  • "No Harm, No Foul: Delaware Court Dismisses Privacy Case When Plaintiffs Cannot Show Harm," Privacy Risk Report, February 23, 2021
  • "Hackers See Opportunity In Attacking Schools As They Teach Through A Pandemic, Privacy Risk Report, November 17, 2020
  • "We Are Just Beginning To Understand The Privacy Threats Created By Working From Home," Privacy Risk Report, October 9, 2020
  • "Missed Opportunity? Illinois Court Issues Limited Finding That Workers’ Compensation Act Does Not Preempt Claims For Statutory Damages Under BIPA But Does Not Address How Actual Damages Should Be Addressed Under BIPA," Privacy Risk Report, September 24, 2020
  • "Courts Continue To Find Third-Party Reports Generated Before And After Privacy Incidents Are Not Protected From Discovery," Privacy Risk Report, July 7, 2020
  • "White Castle’s Motion To Dismiss Denied In BIPA Litigation," Privacy Risk Report, June 22, 2020
  • "New Decision Provides Reminder Of Privacy Law Before The Pandemic," Privacy Risk Report, May 26, 2020
  • "Seventh Circuit Court Of Appeals Reopens Doors To Federal Courts For BIPA Plaintiffs," Privacy Risk Report, May 6, 2020
  • "This Summer Provides A Unique Opportunity For Student Data Privacy," Privacy Risk Report, April 28, 2020
  • "The ABC’s Of Privacy Law: New Lawsuit Provides Glimpse Of Privacy Issues For “E-Learning” In Schools Under COPPA, BIPA And SOPPA," Privacy Risk Report, April 10, 2020
  • "Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic" Privacy Risk Report, March 26, 2020
  • "The Next Wave Of Biometric Cases: BIPA Customer Lawsuits," Privacy Risk Report, February 11, 2020
  • "The Internet Of Things Gets More Dangerous And More Regulated In 2020," Privacy Risk Report, January 13, 2020
  • "District Court Punts On Threshold Questions In BIPA Workplace Claims," Privacy Risk Report, December 18, 2019
  • "Courts Are Still Picking Over The Bones From The 2013 Target Data Breach," Privacy Risk Report, November 19, 2019
  • "Federal Court Shreds Illinois’ Biometric Statute Before Remanding Case Back To State Court," Privacy Risk Report, October 31, 2019
  • "The Adoption Of SOPPA May Provide A Tough Lesson For Schools That Fail To Comply," Privacy Risk Report, October 25, 2019
  • "A Rock And A Hard Place: Recent Decision Addresses Competing Regulations For The Same Private Information," Privacy Risk Report, September 20, 2019
  • "More Than Just A Confusing Law? Defendant Argues Illinois’ Biometric Law Is Unconstitutional," Privacy Risk Report, August 23, 2019
  • "Ninth Circuit’s Recent BIPA Decision Must Be Kept In Context With Well-Settled Illinois Law," Privacy Risk Report, August 9, 2019"
  • No Need To Get Hysterical Over The Compliance Deadline For The California Consumer Privacy Act," Privacy Risk Report, July 23, 2019
  • "Are “Deepfakes” The Next Privacy Threat Facing Insurers And Insureds?," Privacy Risk Report, May 29, 2019
  • "Arbitrate Or Litigate: U.S. Supreme Court Decision Sheds Light On Consequences Of Lamp Seller’s Data Breach," Privacy Risk Report, April 26, 2019
  • "Industry Cyber Regulations Fill The Gaps Left By Federal And State Law," Privacy Risk Report, April 11, 2019
  • "Illinois’ Biometric Information Protection Act Gets More Tangled With Employment Law," Privacy Risk Report, March 11, 2019
  • "Premera Breach Shows What Happens When Litigants Cross Each Other by Trying to Shield Documents from Discovery in Breach Litigation," Privacy Risk Report, February 22, 2019
  • "Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach," Privacy Risk Report, January 28, 2019
  • "Illinois Court To Determine If NotPetya Malware Is Excluded As War Under Insurance Policy," Privacy Risk Report, January 15, 2019
  • "Illinois Supreme Court Set to Address Amusement Park’s Use of Biometric Data," Privacy Risk Report, January 9, 2019"
  • Shake It Off! Even Taylor Swift Is Collecting Your Biometric Data,"Privacy Risk Report, December 13, 2018
  • "Pennsylvania Supreme Court Finds Collecting and Storing Employee Data Gives Rise To Duty: Is the Pendulum Swinging Back In Favor Of Data Breach Plaintiffs?," Privacy Risk Report, November 30, 2018
  • "Can We Talk? “Discussion Draft” of U.S. Privacy Protection Bill Sheds Light on the Future of American Privacy Law," Privacy Risk Report, November 5, 2018
  • "New ABA Formal Opinion Indicates Data Breach May Present Ethical Issue for Lawyers," Privacy Risk Report, October 18, 2018
  • "Another Court Finds No Coverage Under CGL Insurance Policy forData Breach," Privacy Risk Report, October 4, 2018
  • "The Neiman Marcus Case is Back and is Causing “Class Warfare," Privacy Risk Report, September 20, 2018
  • "New Decision Takes “Accounting” of Expert Witness Findings Related to Data Breach Damages," Privacy Risk Report, September 6, 2018
  • "Are Cyber Insurance Policies Being “Spoofed” by Recent Computer Fraud Decisions?," Privacy Risk Report, August 23, 2018
  • "Recent Slate Article Demonstrates How Cyber Insurance Coverage Litigation May Contribute To Confusion In Cyber Insurance Markets," Privacy Risk Report, August 10, 2018
  • "Sixth Circuit Decision Shows Limitations Of Computer Crime Policies For Cyber Events," Privacy Risk Report, July 18, 2018
  • "Tesla Lawsuit Demonstrates Need To Take Closer Look At “Disruptive” Employees," Privacy Risk Report, June 21, 2018
  • "No Breach Required: Illinois Court Finds Providing Biometric Data To Vendor Without Proper Consent May Give Rise To Injury," Privacy Risk Report, June 5, 2018
  • "Tick Tock: A GDPR Primer To Meet The Deadline Next Week," Privacy Risk Report, May 18, 2018
  • "Uber Claims Municipal Cyber Security Regulations Run Over State Attorney General’s Authority," Privacy Risk Report, May 4, 2018
  • "Here It Is: The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach," Privacy Risk Report, March 29, 2018
  • "Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data," Privacy Risk Report, March 27, 2018
  • "Court Finds Virtual Currencies Are “Commodities” Subject To Existing Laws," Privacy Risk Report, March 8, 2018
  • "Ironing Out The Wrinkles In Data Legislation: A Case Study," Privacy Risk Report, January 26, 2018
  • "California Court Finds Misuse Of Information Is Not A Data Breach," Privacy Risk Report, February 26, 2018
  • "One-Size Does Not Fit All: Court Finds Not Every Crime Involving A Computer Is A Cyber Crime," Privacy Risk Report, January 2, 2018
  • "A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors," Privacy Risk Report, December 20, 2017
  • Claims Against Uber In New Lawsuit Show The Potential For Liability Beyond Not Protecting Data," Privacy Risk Report, November 30, 2017
  • "Court Refuses To “Bail Out” Data Breach Plaintiffs By Dismissing Bailment Claim," Privacy Risk Report, November 2, 2017
  • "It May Be Time To Admit That Criminals Will Outpace Privacy Laws," Privacy Risk Report, October 26, 2017
  • "Even Though Court Finds No Liability For Monitoring Customers,New Products Show Technology Presents Many Thorny Issues,"Privacy Risk Report, October 10, 2017
  • "The Line Between Obligations To Disclose Information And Obligations To Protect Private Information," Privacy Risk Report September 29, 2017
  • "Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In “Phases” By Data Collectors," Privacy Risk Report, September 14, 2017
  • "New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data," Privacy Risk Report, September 6, 2017
  • "Law Firm Cyber Attack Is Involved In A “Series Of Mistaken Assumptions,” Privacy Risk Report, August 17, 2017
  • "Class Action Lawsuit Asks Whether Free Apps Were “Goofy” When They Collected Children’s Data," Privacy Risk Report, August 8, 2017
  • "2015 Data Breach At Toy Manufacturer VTech Continues To Provide Insight In 2017," Privacy Risk Report, July 18, 2017
  • "Square Pegs: Recent Case Shows Problems With Fitting Cyber Liability Claims Into Law That Is “A Bit Dated”, Privacy Risk Report, July 7, 2017
  • "Through Thick And Thin: Anthem Breach Shows Lasting Commitment For Data Breach Cases," Privacy Risk Report, June 26, 2017
  • "Data Breach Litigation Presents Novel Questions Concerning Federal Civil Procedure," Privacy Risk Report, June 14, 2017
  • "App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data," Privacy Risk Report, June 1, 2017
  • "Schnucks Market Decision Discounts Argument That Breach Notification Law Gives Rise To Private Cause Of Action," Privacy Risk Report, May 12, 2017
  • "P.F. Chang’s Leftovers: District Court Refuses To Address MotionTo Dismiss Again After Seventh Circuit Finds Plaintiffs Have Standing In Data Breach Case," Privacy Risk Report, May 3, 2017
  • "Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?," Privacy Risk Report, April 20, 2017
  • "Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases," Privacy Risk Report, April 4, 2017
  • "Rowe In Advisen: The WikiLeak’s Data Dump Cannot Be Undervalued By The Insurance Industry," Privacy Risk Report, March 17, 2017
  • "Illinois Court Struggles With Biometric Information Stored On The“Cloud”, Privacy Risk Report, March, 10, 2017
  • "Face It, We Are Going To See A Lot Of The Illinois’ Biometric Information Protection Act In Courts," Privacy Risk Report, March 3, 2017
  • "Use of Biometric Data Enters the Courts," Privacy Risk Report, February 14, 2017
  • "Recent Litigation Provides Example of Password Being Possibly Too Safe," Privacy Risk Report, February 3, 2017
  • "Court Finds Whistleblower Protection Act Offers No Protection for Auditor That Reports Data Security Issues," Privacy Risk Report, January 26, 2017
  • "Recent Case Sheds Light on What Courts May Find Makes Security Measures Reasonable," Privacy Risk Report, January 19, 2017
  • "Connecting the Alleged Russian Hacks to Practical Hacktivism Concerns," Privacy Risk Report, January 9, 2017
  • "A Safe Prediction for 2017: Cyber Security Laws Will Change on January 1, 2017," Privacy Risk Report, December 15, 2016
  • "Recent Court Opinion Provides Insight Into Presidential Vote Recount Efforts," Privacy Risk Report, November 28, 2016
  • "First Class Hack: Researcher Claims Airplane In-Flight Entertainment Systems Give Path to Flight Controls," Privacy Risk Report, December 22, 2016
  • "Data Breach Litigation Evolves, Allows the Breaching Entity and the Breaching Entity’s Data Security Vendors to be Named as Defendants," Privacy Risk Report, November 14, 2016
  • "Industrial Internet of Things: The Good, The Bad And The Ugly," Privacy Risk Report, November 8, 2016
  • "Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach," Privacy Risk Report, October 28, 2016
  • "Court Rejects Insured’s Attempt at “Selectively Reading” Property Policy to Cover Data Breach, The Property Line, October 28, 2016
  • "Failure to Redact Personal Information from Court Document Does Not Result in Private Cause of Action," Privacy Risk Report, October 24, 2016
  • "Casino’s Lawsuit Shows High Stakes for Breach Response," Privacy Risk Report, October 11, 2016
  • "Proposed Legislation Provides Tax Cuts for Cyber Insurance and Preparation," Privacy Risk Report, September 28, 2016
  • "Understanding Issues Related to “Standing” in Data Breach Litigation Provides Insight to Insurers," Specialty Lines Advisory, September 21, 2016
  • "Barbie (Still) Can’t Keep a Secret: Toy Makers Enter Settlement Related to “Smart Toys," Privacy Risk Report, September 16, 2016
  • "Understanding Issues Related to “Standing” in Data Breach Litigation Provides Insight to Insurers," Privacy Risk Report, September 15, 2016
  • "Cyber Insurance Can Develop Without Centralized Cyber Law," Privacy Risk Report, September 2, 2016
  • "Step By Step Analysis of a Response to Recent Ransomware Attack," Privacy Risk Report, August 18, 2016
  • "Walk the Plank: Court Finds Pirated Cable Programming Not “Data” in Multimedia Liability Policy," Privacy Risk Report, August 11, 2016
  • "Expert Witness Testimony Must Be Accounted for While Valuing Damages in Cyber Cases," Privacy Risk Report, August 1, 2016
  • "Courts Begin to Struggle With Issues Presented by the Internet of Things," Privacy Risk Report, July 22, 2016
  • "Pokémon Go Provides Opportunity for Insurers to Start Considering New Technology," Privacy Risk Report, July 11, 2016
  • "Nothing to See Here: Underreporting Cyber Security Incidents Impacts Cyber Insurance," Privacy Risk Report, July 8, 2016
  • "Claims Handling Does Not Have to Be Perfect to Avoid Bad Faith Claim," Bad Faith Bulletin, June 29, 2016
  • "Brexit Vote Not Expected to Immediately Impact US Cyber Insurance Marketplace," Privacy Risk Report, June 28, 2016
  • "Home Is Where the Hacker Is: Cyber Coverage Becoming Necessary for Homeowners, Privacy Risk Report, June 16, 2016
  • "The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach," Privacy Risk Report, June 9, 2016
  • "Spokeo Decision Already Having “Concrete” Impact on Data Breach Class Action Litigation," Privacy Risk Report, June 1, 2016
  • "Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case," The Property Line, May 25, 2016
  • "Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case," Privacy Risk Report, May 24, 2016
  • "New Study Shows How the Collection of Metadata Poses Cyber Security Risk," Privacy Risk Report, May 20, 2016
  • "Mozilla’s Firefox Browser Code Creates Privacy Issues in Criminal Proceeding," Privacy Risk Report, May 13, 2016
  • "Highway Robbery: Michigan Legislature Debates Penalties for Hacking Motor Vehicles," Privacy Risk Report, May 2016
  • "Law Firms’ Work Product Has No Privileges Against Hackers," Privacy Risk Report, April 25, 2016
  • "Early Observations in Portal Healthcare Decision: CGL Coveragefor Cyber Claims?," Privacy Risk Report, April 12, 2016
  • "Data Security Gets “Thumbs Down” in New Study Involving Lost Thumb Drives," Privacy Risk Report, April 11, 2016
  • "The Rise of Ransomware and Cyberbullying Insurance," Privacy Risk Report, April 6, 2016
  • "Still A Lot to Learn From Numerous Healthcare Breaches," Privacy Risk Report, March 28, 2016
  • "Low-Tech Solutions To High-Tech Cyber Security Problems," Privacy Risk Report, March 17, 2016
  • "Marijuana Covered Under Property Policy: Insurers Must Consider Other Factors in Claims Adjusting," The Property Line, March 4, 2016
  • "Apple’s Privacy Battle – Early Observations for Litigation and Insurance," Privacy Risk Report, March 1, 2016
  • "Auto Insurers Must Stay on Course With Driverless Vehicle Developments," Privacy Risk Report, February 23, 2016
  • "Anatomy of a Cyber Fraud Incident: Recent Fraud Impacts Company’s Bottom Line Within a Few Weeks," Privacy Risk Report,February 10, 2016
  • "First-Party Insurance Claims Related to the “Internet of Things” an Emerging Issue for 2016," The Property Line, February 3, 2016
  • "Cyber Risk: Hackers May Score Big at Super Bowl," Privacy Risk Report, February 3, 2016
  • "First-Party Insurance Claims Related to the “Internet of Things” an Emerging Issue for 2016," Privacy Risk Report, January 27, 2016
  • "Place Your Bets: Casino Sues Data Security Investigator After Breach," Privacy Risk Report, January 20, 2016
  • "District Court Examines Cyber Insurer’s Obligation to Investigate Claims Prior to Suit," Privacy Risk Report, January 14, 2016
  • "Cyber Insurance Lawsuit Demonstrates Need to Coordinate on Cyber Risks," Privacy Risk Report, January 8, 2016

Blogs, Videos & Podcasts

Blog Posts


Marquette University Law School

  • J.D., 2000

Eastern Michigan University

  • B.S., 1997

Bar & Court Admissions

  • Wisconsin, 2000
  • Michigan, 2003
  • Illinois, 2005
Back to Page