Elizabeth Burgin Waller

As chair of the Cybersecurity & Data Privacy practice at Woods Rogers, Beth’s practice is fully devoted to cybersecurity, data privacy, and artificial intelligence (AI). Clients ranging from local government and state agencies to mid-market firms and Fortune 200 companies depend on Beth for advice and counsel. Her clients span industries such as banking, healthcare, manufacturing, high-tech, and energy. She has deep experience counseling clients pioneering new technologies, including in the intersection of artificial intelligence (AI) with privacy regulatory concerns.

Beth’s credentials in the field are extensive. She is a certified Privacy Law Specialist by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association. In addition, she is a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E) and a Certified Information Privacy Manager (CIPM), also from the IAPP.

In addition to client work, Beth contributes thought leadership across the cybersecurity and data privacy communities. In 2022, Beth was appointed by the Governor of Virginia to the Commonwealth’s first Cybersecurity Planning Committee for local and state governmental entities. In 2024, she was named one of Virginia Business magazine's "100 People to Meet" and was featured in as an innovator in the Commonwealth. Beth writes extensively for OneTrust Data Guidance on the nuances of Virginia’s new data privacy law as a OneTrust Data Privacy Expert. Beth is also a frequent contributor to the national cybersecurity journal Dark Reading, where she writes about the intersection of law, privacy, cybersecurity, and technology.

Beth has been recognized repeatedly in lawyer-ranking publications including Best Lawyers in America, Virginia Super Lawyers, and Virginia Business. Virginia Lawyers Weekly has named her among its “Up & Coming Lawyers” and “Influential Women in Law.” She has been featured as a data privacy expert by OneTrust Data Guidance in their international magazine spotlighting global privacy professionals. Most recently, Beth was named among the 2024 Lawdragon 500 Leading Global Cyber Lawyers list. 

Cybersecurity Experience

• Beth specializes in high stakes critical infrastructure incident response. This experience has made her adept at guiding rapid recoveries after ransomware incidents, having served as lead counsel in over 50 ransomware recoveries across a broad range of industries and in the critical governmental sector. Beth has successfully led major multi-national incidents from initial encryption to notification to regulatory review.
• She has deep experience in counseling public traded companies on cybersecurity incident “materiality” determinations under the Securities and Exchange Commission (SEC) guidance and has assisted in the rapid drafting of 8-K and 10-Q publications. She also guides public boards and audit committees directly on cybersecurity risk mitigation and strategy, including through direct engagement by a company’s Board of Directors.
• Beth has managed incidents in specialized industry fields including finance, healthcare, local government/state agency, and energy. She knows firsthand the nuanced interplay of industry-specific regulations such as GLBA, FERPA, HIPAA, and NERC CIP on incident response.
• Beth’s work includes helping those in the government and defense contracting space, including reporting considerations for incidents involving confidential or controlled unclassified information and counseling clients on proposed CMMC considerations.

Privacy Experience

• Beth has helped companies build global privacy programs from the ground up and led major regulatory compliance rollouts including those under GDPR, UK GDPR, PIPEDA, CIPL, LGPB, CCPA, and the ever-emerging field of state-to-state privacy regulations.
• She has drafted data impact assessments, privacy impact assessments, privacy policies, cookie compliance, transfer impact assessments (and SCCs), and has built programs applying “privacy by design.” She works with her clients daily to spot privacy risks associated with their business’ privacy programs at the local, national, and global levels.

Cybersecurity & Privacy Contract Drafting and Review

• Beth has negotiated countless information security addendums, data privacy supplements, and both vendor and customer-facing security and privacy contracts on both the customer and supplier side. She also has assisted clients on privacy-related M&A issue spotting, deal terms, and due diligence.
• With the rise of third-party vendor risk, Beth has developed third-party vendor / supplier vetting programs including by building out vetting programs for large-scale procurement departments and streamlining those programs to capture risk without creating a bottleneck.
• Beth is a strong proponent of cyber resilience efforts and often advises on cyber insurance on behalf of her private clients. She counsels clients on the protective measures they can take before a cybersecurity crisis strikes, often providing advice to the C-Suite, Audit Committees, and Board of Directors. In this way, she is truly a “CISO’s lawyer.”

Recognition

Education

William & Mary School of Law, J.D.

Hollins University, B.A., magna cum laude, academic honors in creative writing, student body president

Sorensen Institute, University of Virginia

Admissions

Virginia

U.S. Court of Appeals, Federal Circuit

U.S. Court of Appeals, Fourth Circuit

U.S. Court of Federal Claims

U.S. District Court, Eastern District of Virginia

U.S. District Court, Western District of Virginia

• American Bar Association
• Privacy Law Specialist (IAPP/ABA)
• Certified Information Privacy Manager (CIPM)
• Certified Information Privacy Professional with a European designation (CIPP-E)
• Certified Information Privacy Professional with a U.S. designation (CIPP-US)
• Virginia Bar Association
  • Task Force on Artificial Intelligence (AI) 
  • Intellectual Property and Information Technology Section Council, Vice Chair (2023)

• with Elaine McCafferty, "Comment: The Necessary Evolution of State Data Breach Notification Laws: Keeping Pace with New Cyber Threats, Quantum Decryption, and the Rapid Expansion of Technology," Washington and Lee Law Review, Winter 2022.
• "Cyber Insurance and War Exclusions," Dark Reading, March 23, 2022.
• "Mission Critical: What Really Matters in a Cybersecurity Incident," Dark Reading, June 17, 2021.
• "Virginia Takes Different Tack Than California With Data Privacy Law," Dark Reading, February 18, 2021.
• "To Pay or Not to Pay: Responding to Ransomware From a Lawyer’s Perspective," Dark Reading, November 17, 2020.
• "Ransomware from Your Lawyer’s Perspective," Dark Reading, June 16, 2020.
• "SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit," Dark Reading, December 5, 2019.
• "How Network Logging Mitigates Legal Risk," Dark Reading, September 23, 2019.
• "The California Consumer Privacy Act’s Hidden Surprise Has Big Legal Consequences," Dark Reading, August 13, 2019.
• "Attack of the Zombie Fitbit," Lynchburg Business Magazine, June/July 2019.
• "A Lawyer’s Guide to Cyber Insurance: 4 Basic Tips," Dark Reading, July 12, 2019.
• "Incident Response: 3 Easy Traps & How to Avoid Them," Dark Reading, May 23, 2019.
• "How to Help Your Board Navigate Cybersecurity’s Legal Risks," Dark Reading, April 30, 2019.
• "Data in Danger," Lynchburg Business Magazine, August/September 2018.
• "Fire Where There is No Flame: The Constitutionality of Single-Sex Education in the Commonwealth," William & Mary Journal of Women and the Law.