Courtney K. Stout

Courtney Stout has extensive experience advising clients on how to comply with state, federal and industry privacy and security requirements. With over 20 years’ experience, she has represented a diverse range of clients in the technology, data security, health care, retail, restaurant, travel, manufacturing, and financial services industries. She counsels on a multitude of privacy and data security matters, including breach response, consumer disclosure and protection, data ownership and use restrictions, PCI DSS compliance, third-party vendor requirements, cyber security, and data security marketing compliance. Courtney routinely advises clients regarding “best practices” to reduce the risks associated with data security in both traditional commercial contracts and strategic m-commerce and e-commerce initiatives.

Courtney is the Co-Chair of DWT’s Blockchain Initiative, which focuses on how blockchain technology intersects with the creative industries, and is also part of DWT’s Breach Response Team which advises clients on compliance and mitigating risk before, during, and after a breach, including incident response plans, insurance coverage, and information security policies, as well as tabletop exercises.

Representative Experience

Data security and incident response

Assisting multiple companies in responding to data security incidents and breaches, including a leading department store chain and retailers with multiple locations and franchises. Counseling clients on identifying, evaluating, and confirming the incident; on strategy for containment; on whether an incident rises to the level of a breach under a variety of state and federal laws; and on issues such as whether consumer, regulatory, or other notifications are required or recommended. Assisting clients with engaging third-party service providers, assessing forensic reports, and responding to regulatory, law enforcement, and payment card network requests. (Ongoing)

Data security incident risk mitigation

Advising clients in a wide variety of industries, including financial services, health care, energy, retail, and technology, among others, regarding pre-breach risk mitigation. Preparing and conducting tabletop exercises in conjunction with technical and forensic consultants to test and train the incident response team to improve efficiency and effectiveness in the event of a data incident. Advising clients on legal and regulatory compliance, as well as mitigating risk in key vendor technology agreements. (Ongoing)

Privacy and data security compliance

Counseling clients on compliance with general privacy and security laws, including the FTC Act, GLBA, the Fair Credit Reporting Act (FCRA), the California Online Privacy Protection Act (CalOPPA), and the Massachusetts data security standards, among others. Counseling clients on privacy and information security risks associated with online advertising, including online behavioral advertising and compliance with self-regulatory programs such as the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising and the Network Advertising Initiative’s Code of Conduct. Drafting and negotiating agreements related to marketing and advertising initiatives such as Cross Device Tracking. (Ongoing)

Security assessments and compliance

Conducting security assessments and risk assessments for a number of clients, including reviewing information security practices with key information technology personnel, facilitating interviews, analyzing and triaging areas of non-compliance, preparing reports protected by the attorney-client privilege to the fullest extent possible, and providing recommendations for remediation. (Ongoing)

Incident response for PCI data security incident

Represented an international retailer in a data security incident involving over 300 store locations throughout the U.S. and Canada and over 1.5 million consumer credit/debit cards. Counseled client regarding identifying, evaluating, and confirming the incident and advised senior management regarding analysis and strategy for containment. (2016)

Cloud-based data security and payments for leading rental industry company*

Advised on risk, liability, and contractual issues with respect to data security and related liability issues in the development, implementation, and launch of cloud-based digital commerce and card present payment system. (2015)

Data breach preparedness assessment for leading payment processor*

Advised on risk, liability, and best practices regarding privacy, data security, and PCI DSS compliance with senior management of a payment processor, including providing consulting services for mock data incident response with representatives of senior management, risk, technology, business continuity, marketing, finance, and affiliated entities. (2015)

Launch of tabletop restaurant point of sale system*

Negotiated card processing agreement for a company in the restaurant industry to develop, implement, launch, and roll out a new technology consumer ordering and entertainment system, including advice on data security, data incident obligations, PCI DSS, intellectual property, service level, disaster recovery, reserve, indemnification, limitation of liability, and other issues. (2015)

Payment, m-commerce, and e-commerce initiatives for luxury retailers*

Provided consulting, drafting, and negotiation advice for the design, structure, development, and implementation of digital commerce initiatives involving credit/debit cards, e-wallets, mobile apps, image recognition software, virtual currencies, and emerging payment methods. (2015)

PCI compliance for airline industry company*

Advised on contractual, legal, and industry obligations regarding PCI non-compliance in POS devices throughout investigation and remediation. (2015)

Information technology outsourcing for financial services company*

Advised on a domestic information technology outsourcing agreement in excess of $100 million regarding enterprise-wide financial reporting services for an international pension fund. (2014)

E-commerce initiative for prominent U.S. casino*

Provided consulting, drafting, and negotiation advice for numerous third-party vendors located in the U.S., U.K., and Canada to assemble the payments and technology platforms for the launch of an online gaming site for a U.S. casino. (2013)
* Denotes experience completed at a prior firm

Additional Qualifications

  • Attorney, Bryan Cave LLP, Washington, D.C., 2010-2016
  • Associate, Hunton & Williams LLP, Atlanta, 1998-2004
  • Legal Consultant, Hesketh Henry, Auckland, New Zealand, 1997-1998
  • Counsel, Turner Broadcasting System, Inc., Atlanta, 1996-1997
  • Associate, Powell, Goldstein, Frazer & Murphy LLP, Atlanta, 1992-1995

Professional & Community Activities

  • Den Leader, Boy Scouts of America, 2010-2015
  • Diversity Committee, St. Anne’s Belfield, 2012-2013
  • Board Member, Virginia Discovery Museum, 2005-2007
  • Pro bono cybersecurity work, Jewish Community Federation
  • Served on numerous volunteer committees or consulted in a pro bono capacity for a variety of charities, including the University of Virginia Art Museum, March of Dimes, Recording for the Blind and Dyslexic, and other entities.