David Simon co-leads Global Cyber Incident Response at Mayer Brown. He is a member of the Cybersecurity & Data Privacy, National Security, and Government Contracts practices. A former special counsel at the US Department of Defense and chief cyber counsel to the US Cyberspace Solarium Commission, David has deep experience advising victims of nation-state sponsored cyber attacks, ransomware, and other extortion attacks, and helping to draft more than 30 recently enacted cybersecurity and privacy laws. Named as a Cybersecurity Trailblazer by he National Law Journal, David has also been named to Cybersecurity Docket’s “Incident Response 40,” a collection of 40 of the “best and brightest” incident response attorneys in the country. Dual qualified to practice law in both the European Union (EU) and the United States, David regularly supports clients as the lead investigator and crisis manager for cross-border cyber incidents, including data breaches involving personal data, nation-state threats targeting intellectual property, state-sponsored theft of sensitive US government information, and destructive attacks. David has directed and advised on dozens of complex cyber incident and data breach investigations in the last few years alone, including several implicating notification obligations under the EU General Data Protection Regulation (GDPR) and investigations by European data protection authorities. He has counseled companies on major cyber incidents and incident preparedness across virtually every sector of the economy. David represents financial institutions, automotive manufacturers and self-driving car companies, tech companies, telecommunications companies, healthcare companies, insurance companies, as well as defense and aerospace companies.
David is a trusted cyber incident response counsel for leading global private equity sponsors and their portfolio companies, stepping in to serve as cyber counsel and incident commander when portfolio companies face ransomware or other disruptive cyber attacks. He regularly counsels management teams and boards of directors, as they address cyber vulnerabilities and breaches, as well as associated legal, regulatory, and reputational consequences. In addition, he has significant expertise regarding the evolving cybersecurity and privacy legal framework applicable to the Internet of Things (IoT) and product cybersecurity. David helps companies structure, negotiate and protect their commercial and compliance relationships with key national security government agencies.
Clients appreciate that David, who has experience as special counsel in the Pentagon (2011-2015) and chief cyber counsel to a congressional cyber commission (2019-2021), can provide a practical insider perspective, pointed advice on their matters, and is able to quickly engage the appropriate government actors in the event of a cyberattack or other crisis affecting their business. During his time at DoD, David advised on the development of a legal and policy framework to address cyber threats, including one of the most destructive cyber attacks against the United States: North Korea’s 2014 cyber attack of Sony Pictures Entertainment. In addition, he advised on broader matters involving cyber policy, plans and operations, as well as autonomous technologies, the use of force, counterterrorism, treaties, sensitive investigations, and regional matters involving China, the Korean Peninsula, Russia, Ukraine, Syria, Iran, and Israel.
David is widely recognized for his experience regarding the legal and policy issues at the intersection of cybersecurity, AI, and national security. He was recommended by his clients in 2020 as a “stellar” cybersecurity expert (Legal 500), named a “2017 Cybersecurity & Data Privacy Trailblazer” by the National Law Journal for helping to “make a difference in the fight against criminal cyber activity and towards adding much needed layers of data security in an increasingly digital world of commerce.” David served on a pro bono basis as Chief Counsel for Cybersecurity and National Security to the US Cyberspace Solarium Commission, a bipartisan commission established by Congress to develop a comprehensive strategy to defend the US, including the private sector, from significant attacks in cyberspace. He is an Adjunct Fellow in Cybersecurity and International Law at the Center for Strategic and International Studies (CSIS), where he served as a member of a Cyber Policy Task Force that developed cybersecurity recommendations for the 45th presidential administration Previously, David served as a Visiting Research Fellow with the College of Information and Cyberspace at the US National Defense University, an independent expert on cybersecurity and international law to the United Nations (UN), a peer reviewer of the second edition of the “Tallinn Manual on the International Law Applicable to Cyber Warfare,” and a term member of the Council on Foreign Relations.
A Rhodes Scholar and Truman Scholar, David graduated from Harvard Law School, where he was an executive editor of the Harvard Civil Rights-Civil Liberties Law Review and a Heyman Fellow. Prior to attending law school, he received an M.Phil. in International Relations from Trinity College, Oxford, where he debated for the Oxford Union and was the managing editor of the Oxford International Review. David graduated summa cum laude and Phi Beta Kappa from the University of Minnesota, where he received a BA in Russian Area Studies.
As Special Counsel at DoD, David operated at the right hand of the chief legal officer of an organization of 3,000,000 people, including more than 6,000 lawyers, and an annual budget of more than $600 billion. David advised on the US domestic and international legal issues related to the worldwide activities and operations of the US armed forces, as well as DoD policy and planning. Those matters involved cyber policy, plans and operations, as well as social media, autonomous technologies, the use of force, counterterrorism, treaties and sensitive investigations. David also served as a lead counsel for the DoD working group that drafted the DoD Directive on Autonomy in Weapons Systems, which established the Department’s policies on the development, acquisition, and employment of unmanned, semi-autonomous, and fully autonomous weapons technologies. The Directive represents the first policy announcement by any country regarding fully autonomous weapons.
In addition, David handled regional matters involving China, the Korean Peninsula, Syria, Russia, Ukraine and other countries in Asia and the Middle East. David also advised the General Counsel on high-stakes litigation facing the Department, including Supreme Court and appellate matters, such as Kiobel v. Royal Dutch Petroleum and Samantar v. Yousuf.
As a member of the DoD Office of General Counsel senior leadership team, David represented the Department regularly with senior officials at the White House, Department of State, Department of Justice, Department of the Treasury, Department of Homeland Security, Department of Commerce, Central Intelligence Agency and Federal Bureau of Investigation. In recognition of his national security work at DoD, David received the Office of the Secretary of Defense Award for Excellence.
Prior to serving at DoD, David was a lawyer in private practice at a national law firm. In addition, he taught courses in national security law, cybersecurity and international litigation as an adjunct professor of law at the University of Minnesota Law School.
A Rhodes Scholar and Truman Scholar, David graduated from Harvard Law School, where he was an executive editor of the Harvard Civil Rights-Civil Liberties Law Review and a Heyman Fellow. Prior to attending law school, he received an M.Phil. in International Relations from Trinity College, Oxford, where he debated for the Oxford Union and was the managing editor of the Oxford International Review. David graduated summa cum laude and Phi Beta Kappa from the University of Minnesota where he received a B.A. in Russian Area Studies.
The breadth of David’s practice is reflected in the following sampling of his experience:
Cybersecurity, Espionage, Electronic Surveillance and Privacy
Crisis Management and Cyber Incident Response
- Counseled companies on major cybersecurity incidents and incident preparedness across virtually every sector of the economy, including the banking, investment management, tech, automotive, healthcare, hospitality, defense and intelligence, and telecom sectors.
- Represented global companies in connection with cyber incidents that required analysis of breach reporting obligations under US law, the UK and EU GDPR, and data protection laws on four continents.
- Advise private equity firms and their portfolio companies on cyber incident preparation and response, compliance with key data privacy laws, such as the California Consumer Privacy Act (CCPA), the California Consumer Privacy Act (CPRA), and the EU GDPR, and the legal and regulatory issues related to AI and machine learning.
- Conduct tailored cyber and privacy legal assessments for private equity firms and their portfolio companies.
- Counsel companies on cybersecurity incidents involving foreign governments, insider threats, and non-state actors, including malicious hacking and cyber terrorism.
Ransomware and Cyber Extortion Attacks
- Regularly counsel senior management and boards of directors, seeking to prevent, plan for and respond to cyber incidents, including sophisticated, cross-border extortion and ransomware attacks, threat actor demands for payment, and law enforcement engagement.
- Counsel for Fortune 500 companies facing ransomware and extortion attacks from malicious hackers and cyber criminals involving extensive regulatory, law enforcement, and intelligence investigations on multiple continents.
- Direct cross-border forensic investigations spanning North America, Europe, and Asia. Advise on negotiation and engagement with cyber threat actors.
- Advise on proactive legal options to deter malicious cyber extortionists.
- Advise on innovative cyber legal options to locate, seize and prevent the dissemination of stolen client data.
Nation-State-Sponsored Cyber Attacks
- Lead counsel for national security investigation involving nation-state sponsored intrusion affecting an entire consuming facing sector. Matter involved global forensic investigation, extensive engagement with law enforcement and security services. Advised board of directors and senior management regarding fiduciary duties in the context of cyber incident response and related investigation.
- Lead counsel for national security investigation involving nation-state-sponsored cyber attack on a global technology company. Also lead counsel for associated grand jury proceeding.
- Investigation of one of the largest cybersecurity incidents in US history involving nation-state cyber and information operations on two continents. Matter involved law enforcement, intelligence, and congressional inquiries, as well as other proceedings.
- Advised a major US technology company with respect to the legal response to notice by FBI of a nation-state sponsored cyber-campaign allegedly targeting the company.
- Lead counsel for national security investigation involving a nation-state-sponsored cyber attack on a US defense contractor involving controlled unclassified information (CUI) and covered defense networks. Directed forensic investigation and remediation efforts. Extensive engagement with DoD, including the DoD Cyber Crimes Center (DC3) and affected military departments and defense agencies.
Private Equity Sponsors and Portfolio Companies
- Over recent years, David has become a Go-To cyber incident response counsel for leading global private equity sponsors and their portfolio companies, stepping in to serve as cyber counsel and incident commander when portfolio companies face ransomware or other disruptive cyber attacks.
- Regularly guide boards of directors, management teams, and deal teams as they prepare for and respond to complex cyber incidents and supply chain attacks.
- Lead portfolio wide cyber compromise and cyber resilience assessments under privilege with a clear-eyed focus on business objectives and legal risk management.
- Respond to cyber audits conducted during or in the aftermath of cyber incidents.
- Lead the boards and senior management teams of PE sponsors and their portfolio companies through cyber tabletop exercises focused on ransomware, insider threats, supply chain attacks, and nation-state attacks.
- Routinely gather with CISOs and in-house counsel of leading private equity firms to discuss key global cyber incident trends and developments involving ransomeware, insider threats, artificial intelligence, and the rapidly evolving global cyber and data privacy regulatory landscape.
Cars and other Connected and AI-Enabled Products
- Advise several automobile manufacturers and self-driving car companies on legal, regulatory, and legislative developments, and litigation related to emerging cyber threats and autonomous technologies.
- Counsel global automakers and suppliers of Internet-connected products – such as semi-autonomous and fully autonomous cars, implanted medical devices, connected-home products, mobile devices, and telecommunications devices – regarding cyber vulnerability management and disclosure programs, bug bounty programs, how to conduct product cybersecurity assessments under privilege, and product cybersecurity risk management.
- Counsel automotive manufacturers regarding applicability of the Computer Fraud and Abuse Act to over-the-air updates and vulnerability management.
Cyber Counseling, Cyber Legal Risk Assessments, and Vulnerability Management
- Provide strategic counsel to companies in a wide range of industries as they assess their cybersecurity posture and engage with their boards of directors.
- Counseled companies on liability protections, as well as authorized monitoring, defensive measures and cyber threat information sharing under the Cybersecurity Act of 2015.
- Counseled software services company on the applicability of the Computer Fraud and Abuse and related statutes in connection with a proposed service offerings.
- Counseled companies seeking to improve the legal defensibility of their cybersecurity and privacy policies and procedures.
- Advised companies on sensitive cybersecurity matters, including internal investigations, forensics, securities law disclosure obligations and corporate governance. Representations have included major companies in the software, social media, healthcare, energy and defense sectors.
- Advise global technology companies regarding management and mitigation of alleged cybersecurity vulnerabilities, including regarding bug bounty programs.
- Advise companies regarding cybersecurity vulnerability disclosure policy and related coordination processes involving cybersecurity researchers, DHS, and computer emergency response teams, including US-CERT, ICS-CERT, and CERT/CC.
Public International Law and Cybersecurity
- Counsel companies regarding the application of domestic and international law in the context of international cybersecurity, involving cyber norms, sovereignty, critical infrastructure, jurisdiction, attribution standards, international humanitarian law, human rights law, espionage and the conduct of cyber activities.
- Advise the United Nations regarding international legal issues related to the prevention of cyber warfare, cyber threats to critical infrastructure, preventing terrorists from exploiting the Internet and social media, and data privacy law applicable to cross-border data sharing for law enforcement and counterterrorism purposes.
- Counseled Internet and social media companies regarding cross-border government requests for consumer data, and compliance with Mutual Legal Assistance Treaties (MLAT).
- Counseled global tech companies on public policy issues, including encryption, privacy and MLAT reform.
Cybersecurity and Foreign Relations Litigation
- Represent cybersecurity company in litigation regarding whether a software application constitutes malware.
- Appellate litigation on behalf of certain victims of the September 11, 2001, attacks, addressing foreign sovereign immunity and counter-terrorism laws in In re Terrorist Attacks of September 11th, 2001.
National Security, Government Contracts and International Investment
- Counsel leading defense and aerospace company regarding cybersecurity and data privacy matters involving supply chain risk management.
- Counsel leading defense and aerospace company regarding cybersecurity and data privacy matters involving supply chain risk management.
- Counseled leading commercial cloud services provider regarding contracts with the US Department of Defense and the US Intelligence Community.
- Represented Fortune 10 company before CFIUS in filings with respect to an acquisition of one of its businesses.
- Involved in numerous other transactions involving CFIUS and due diligence matters, including transactions in telecommunications, software, financial services, electronics manufacturing, energy and industrial equipment sectors.
- Counseled companies and individuals on facility security clearance and personnel security clearance matters, including compliance with NISPOM requirements, assessment and mitigation of Foreign Ownership, Control and Influence (FOCI).
- Advised defense and intelligence contractors on export control compliance matters relating to the performance of classified contracts.
- Counseled large private equity firm on due diligence for transactions involving government contracting, export control, CFIUS and the Defense Security Service (DSS).
Economic Sanctions and Export Controls
- Counseled companies regarding export controls related to encryption and cybersecurity.
- Advised major financial institutions and emerging technology companies on sanctions and export control compliance issues.
- Counseled major e-commerce company on compliance on US economic sanctions.
Harvard Law School, JD
Oxford University, MPhil
University of Minnesota, BA, summa cum laude
Phi Beta Kappa, Truman Scholar
- Brussels, Belgium (B List)
- Senior Advisor, CSC 2.0 Project: Preserving the Legacy and Continuing the Work of the Cyberspace Solarium Commission
- Chief Counsel for Cybersecurity and National Security, US Cyberspace Solarium Commission
- Adjunct Fellow in Cybersecurity and International Law, Technology Policy Program, Center for Strategic and International Studies
- Visiting Research Fellow, College of Information and Cyberspace, National Defense University
- Experts Committee Member, UN Security Council Counter-Terrorism Committee Executive Directorate, United Nations
- Term Member, Council on Foreign Relations