Catherine R. Castaldo
Partner / New York
Catherine R. Castaldo is a Partner in the Privacy and Cybersecurity Practice of Smith, Gambrell & Russell, LLP.
Full Bio
Catherine Castaldo advises clients on cybersecurity and privacy risk management, including incident preparedness and response, data privacy and protection strategy, information security, data governance, internal investigations, and regulatory matters involving sensitive business and technology information. Her experience also includes advising on emerging technologies and enterprise data risk initiatives, including data and technology related issues for clients in major industry sectors such as fintech and financial services, energy, healthcare, supply chain, and many others.
Catherine brings more than 15 years of experience as a trusted advisor to senior leadership and key stakeholders in complex, global operating environments. She is known for providing practical, business-oriented guidance at the intersection of law and technology, with experience supporting organizations in the technology and financial sectors.
Before joining Smith, Gambrell & Russell, Catherine served in senior in-house privacy and data protection roles, including as Vice President, Global Chief Privacy Officer, and Global Data Protection Officer at Nuance Communications in Boston, and previously as Global Chief Privacy and Data Protection Counsel at GE Capital.
Catherine earned her J.D., cum laude, from Pace University School of Law, where she earned an Environmental Law Certificate and was a semi-finalist in the Willem C. Vis International Moot Court Competition in Vienna, Austria. She earned her B.S. in Biology from Kansas State University.
Representative Experience
- Lead counsel managing response to NotPetya cyberattack, which resulted in loss of 30k servers impacting corporate and divisional systems for multinational company. Key lead in award-winning resolution.
- Lead counsel managing various cyber incidents, including nation-state attacks, rogue employee data theft and misuse, ransomware, malware, DDoS, email compromise, wire fraud, phishing, and others for companies of all sizes and industries, including highly regulated entities in financial services, healthcare, energy, technology, supply chain, and others.
- Lead counsel to liaise with various privacy and security regulators under US state and federal law (including: GLBA, HIPAA, FTC-COPPA, NY DFS, CCPA etc.) and EU/UK supervisory authorities to manage information and audit requests, investigations, and resolutions to issues raised and reconciled.
- Designed and implemented multijurisdictional compliance programs, including policy suite, risk assessments, and remediation plans for privacy, cyber, data use, and AI.
- Provide assessment of current privacy and security compliance. Develop and deliver tabletops to challenge weaknesses uncovered in assessments and recommend remediation strategies.
- Draft and customize risk assessments for companies in many sectors and for compliance under various regulations including HIPAA and NY DFS.
Bar Admissions
New York
Massachusetts
Education
Undergraduate: Kansas State University
Law School: Elisabeth Haub School of Law at Pace University
Recognitions
The Legal 500 US, Cyber Law Team Member (2021); Media, Technology, and Telecoms Team (2020); Cyber Law and Data Privacy and Data Protections Team (2020)
PrivSec 200 East coast USA (2019)
Nuance focal Award (2017, 2018)
GE Leadership Development, nominated (2013, 2015, 2017)
GE Above & Beyond Awards (2011-2016)