John has extensive experience representing clients in the review, negotiation, and structuring of technology and data-related agreements across a wide range of industries. His transactional work includes master services agreements (MSAs), software as a service (SaaS) agreements, data processing and transfer agreements (DPAs and DTAs), business associate agreements (BAAs), nondisclosure agreements (NDAs), and other commercial contracts involving the creation, use, and transfer of sensitive data. He routinely advises on key risk allocation provisions—including indemnification, limitation of liability, and data breach responsibility—helping clients align contractual terms with their broader risk management strategies. In addition, John develops customized template agreements, privacy policies, terms of use, and data protection frameworks that enable clients to scale efficiently while maintaining consistency and control across their contracting processes.
Complementing his transactional practice, John counsels clients on a full spectrum of privacy and cybersecurity matters. He conducts information security risk assessments, privacy impact assessments, and data transfer impact assessments, and advises on privacy program development and maturity. He regularly assists clients in drafting and implementing policies and procedures designed to comply with a complex web of laws and regulations, including state consumer privacy laws, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and international frameworks such as the General Data Protection Regulation (GDPR), UK GDPR, and PIPEDA. John is also frequently engaged to guide clients through data breach response and incident management, working closely with executive leadership to navigate legal, operational, and reputational considerations.
Before entering private practice, John served in multiple leadership roles at a large R1 public university, including Director of the HIPAA Privacy Program, HIPAA Privacy Officer, and HIPAA Security Officer. In these roles, he was the institution’s primary advisor on privacy and cybersecurity matters and was deeply embedded in enterprise contracting processes, advising on agreements involving data use, technology procurement, and regulatory compliance. He also partnered with the university’s procurement office to train contract attorneys on privacy and data security issues and developed standardized, annotated contract templates to streamline negotiations and improve risk consistency across the institution.
John began his career in information technology, spending more than a decade at an academic medical center and medical school in roles including systems analyst and risk assessment manager. This technical foundation enables him to translate complex legal and regulatory requirements into practical, business-oriented solutions.
A Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Manager (CIPM), John brings both legal and operational insight to his clients’ most critical data challenges. He currently teaches Data Privacy and Cybersecurity in Healthcare at the James E. Rogers College of Law and serves as a guest lecturer at Northern Arizona University.
