Kristen Bertch, CIPP/US, leverages her technical experience and knowledge of the data security and privacy legal landscape to help clients across a spectrum of industries on cybersecurity and privacy issues and related regulatory compliance matters. Kristen advises clients on complex and cutting-edge technologies used for the collection, processing, and storage of data.
As part of the Privacy and Security team, Kristen advises clients on matters related to responding to data security incidents, compliance with security standards, HIPAA Security Rule compliance, drafting security policies, and assessing data security compliance obligations.
She advises clients on security standards including FedRAMP, StateRAMP, HITRUST, and ISO 27001. Her practice includes discussing clients' current systems and security posture and drafting policies and procedures to provide appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of information.
Kristen also assists clients with data-security incidents, including incidents spanning multiple states and involving multiple types of data such as personal information, protected health information, and customer proprietary network information.
Kristen works with clients to assess their business and suggest next steps to improve their security posture, including compliance with HIPAA, the GLBA Safeguards Rule, state law security requirements such as Massachusetts' WISP requirement, and data retention and destruction policies.
Security standard compliance and data breach response
Assessed clients' current policies and procedures against relevant security standard requirements. Worked with clients to address and recover from a range of data incidents including ransomware attacks, business email compromise incidents and inadvertent disclosures of personal information.
Advised clients on compliance with privacy regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California Consumer Protection Act (CCPA), General Data Protection Regulation (GDPR), Children's Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA).
Privacy and data security provisions
Drafted appropriate privacy and data security provisions in contracts with third parties by working with clients to better understand their business, data handling practice, privacy and data security needs, and how third parties will access and handle any client data.
Admitted to Practice
District of Columbia, 2017
J.D., University of Maryland School of Law, 2016
- University of Maryland Law Journal of Race, Religion, Gender, and Class
- Research Assistant
B.A., Criminal Justice, University of Pittsburgh, 2012, magna cum laude
Memberships & Affiliations
- CIPP/US, International Association of Privacy Professionals
- Selected to a list of "Ones to Watch" in Privacy and Data Security Law (Washington, D.C.), Best Lawyers, 2023
- Associate, Whiteford, Taylor & Preston LLP, Baltimore, 2019-2021
- Attorney, Eversheds Sutherland (US) LLP, Washington, D.C., 2016-2019
- Contract Attorney, FHLBanks Office of Finance, Reston, Va., 2016
- Legal Intern, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C., 2015
- Legal Intern, Future of Privacy Forum, Washington, D.C., 2015