Overview
Christian Auty advises clients on the full lifecycle of data privacy and cybersecurity matters, from regulatory compliance and risk management to breach response and cross-border data governance, as well as on data privacy and governance considerations in emerging technologies such as artificial intelligence and blockchain.
Christian works with clients across a range of industries, including healthcare, financial services, insurance, and retail, to develop practical, business-aligned strategies for managing data-related risk.
Christian counsels clients on compliance with a broad spectrum of U.S. and international privacy laws. His work includes advising on the Health Insurance Portability and Accountability Act (HIPAA), state law, and interoperability and information sharing issues for healthcare data; the Gramm-Leach-Bliley Act (GLBA) for financial institutions; and the Children’s Online Privacy Protection Act (COPPA) for online services directed at children. He also helps multinational organizations navigate the European Union's General Data Protection Regulation (GDPR), as well as emerging U.S. state-level laws.
In addition to regulatory compliance, Christian has extensive experience guiding clients through cybersecurity incidents and breach response. He regularly serves as breach coach for global organizations, leading responses to dozens of data breaches each year and advising on regulatory investigations and enforcement actions. His litigation background informs a pragmatic, risk-aware approach to incident response and regulatory scrutiny.
- Illinois
- J.D., University of Michigan, cum laude
- B.A., Boston College
Representative Matters
Data Privacy – Select Matters
- Represented a health insurer in matters related to privacy and data security compliance including advice related to privacy representations, cookies and digital marketing issues, data subject access and deletion requests, contracting compliance, marketing strategies and related privacy compliance issues
- Represented a HIPAA covered entity and public company in matters relating to security incident and data breach notification, including SEC notification procedures and materiality analysis
- Advised a HIPAA covered entity on use and disclosure restrictions, exceptions and deidentification standards
- Acted as lead counsel in response to dozens of data breaches and security incidents, ranging from business email compromises, spear phishing and social engineering to wire fraud and ransomware
- Advised a GLBA financial institution on all matters related to compliance with the GLBA Privacy and Safeguards Rules, compliance with interagency guidance related to data breach notification and risk of harm, and related issues
- Advised a financial institution and exchange on all matters related to privacy representations, cookies and digital marketing issues, data subject access and deletion requests, contracting compliance, marketing strategies and related privacy compliance issues
- Advised multiple clients on potential liabilities and risks associated with CIPA, the VPPA, session replay software, trackers and related analytics
- Advised multiple clients on data offshoring and data transfer strategies, adequacy considerations, standard contractual clauses and Privacy Framework issues, and other related restrictions on offshore transfers including the DOJ’s Bulk Data Transfer restrictions
- Acted as lead counsel advising a client in all matters relating to a data breach requiring reporting in 15 international jurisdictions, resulting in a declination of further investigation in all jurisdictions
- Advised an insurance producer on all matters related to privacy and data security compliance including advice related to privacy representations, cookies and digital marketing issues, data subject access and deletion requests, contracting compliance, marketing strategies and related privacy compliance issues
- Advised multiple clients on procurement and supplier auditing and compliance strategies
- Represented a financial institution concerning development of AI protocols, policies and procedures including creation of risk assessment parameters
Speaking Engagements
- "Introduction to Data Subject Access Requests: Purpose, Examples, Responding to Requests, Navigating Compliance," Strafford Webinar, July 16, 2025
News & Publications
Client Alerts
The Trump Administration's AI Action Plan: Deregulation and Global Dominance
July 24, 2025
By: Christian M. Auty, Evan T. Abrams, Michelle Castaline, Tyler Evans, Elizabeth Goodwin, Michelle Kallen, William M. Keyser, Michele Nellenbach, Michel Paradis, Marlon Paz, Claire Rajan, Alexandra C. Scheibe, Christopher Suarez, Jack R. Hayes, Peyton Thomas, Ross Weingarten
Press Releases
July 16, 2025
Professional Affiliations
- International Association of Privacy Professionals (IAPP)
- Illinois Association of Health Care Attorneys
- American Bar Association