Privacy + Security Advisors

Brian leads AI governance and regulatory strategy for Fortune 100 technology, financial services, and platform clients. He advises companies navigating the most complex AI and privacy regulatory challenges in the market: active DOJ and multistate attorney general investigations into algorithmic pricing, EU AI Act compliance for high-risk AI systems, DSA transparency obligations for platforms operating in Europe, and Colorado AI Act implementation for automated decision-making at scale.

Representative matters include building the AI and ADMT compliance program for one of the largest property management platforms in the U.S. (24 million+ rental units); advising ad-tech and social media platforms on DSA researcher data access and transparency reporting; counseling financial institutions on EU AI Act extraterritorial reach for credit decisioning, fraud detection, and automated underwriting models; and advising global insurers and reinsurers on AI governance for claims automation and risk scoring. His practice spans AI governance, state comprehensive privacy laws (CCPA and others), HIPAA, GLBA, COPPA, DSA, and cross-border data transfers.

Before joining the firm, Brian served as assistant general counsel, global privacy product, at Meta, where he built the legal framework for Privacy Review — the FTC Consent Order mandated pre-launch gate governing every product change across Instagram, Reality Labs, Payments, Threads, and core Facebook, products serving 3.6 billion users. He developed the compliance architecture that translated FTC requirements into product decisions at scale, including frameworks for evaluating content risks and requiring appropriate safeguards such as detection systems for child safety, hate speech, and fraud.

At Meta, Brian served as primary legal contact for DPC Ireland and the European Commission on Privacy Review matters and led weekly sessions with the FTC’s independent assessor supporting compliance reporting. He advised on 30+ multistate attorney general investigations involving content moderation, recommendation algorithms, AI systems, and data practices across California, Arizona, Utah, New York, and other jurisdictions. He prepared briefing materials for CEO congressional testimony and chief privacy officer depositions with the FTC on platform safety and privacy practices. His scope also included advising on recommendation algorithm changes for Threads viral content distribution, supporting the Meta Oversight Board on systems design and case reviews, and setting Meta’s positions on the DSA and UK Online Safety Act.

Beyond Privacy Review, Brian led legal guidance for Meta’s Data Lifecycle Management program, overhauling global data storage, retention, and deletion processes with a focus on programmatic issues and risk-based strategy. He also led legal guidance for Security for Privacy, covering incident response, emerging threats, and regulatory engagement with the FTC, state attorneys general, and international regulators.

At a previous firm, Brian led the West Coast privacy practice and was named a National Law Review “Go-To Thought Leader” in Cybersecurity for his CCPA analysis. He counseled social media, dating app, and platform clients on CDA Section 230, DMCA notice-and-takedown, and intermediary liability including algorithmic matching and user verification. He also served as lead incident response counsel, managing breach remediation with third-party security professionals and coordinating with state attorneys general on notification obligations for major SaaS providers, a nationwide landlord-tenant platform, and a major ecommerce provider. His practice spanned life sciences, advertising, fintech, edtech, social media, telemedicine, and e-sports, and he led privacy compliance for multiple public companies. Brian also has handled intellectual property, technology transactions, and privacy issues.

Brian holds a computer science degree and CISSP certification, and he began his career as a software engineer at Accenture, where he built identity and access management systems for Fortune 500 financial services clients, customizing enterprise security platforms and leading offshore development teams. This technical foundation allows him to partner effectively with engineering teams on how systems actually work — not just how they should be regulated.

Brian has served as a civilian advisor to the U.S. Marine Corps on cybersecurity and informational technology infrastructure and as a member of former California Governor Brown’s Cybersecurity Taskforce. He is a Fellow of Information Privacy and holds CIPP/US and CIPM certifications.

Education

• University of Southern California Law School, J.D.
• University of Colorado at Boulder, M.S., interdisciplinary telecommunications, specialization: applied network security
• University of Colorado at Boulder, B.S., computer science

Marc has over 25 years of experience in providing consulting, legal, and audit services on privacy and cybersecurity matters, including senior-level positions at PricewaterhouseCoopers, Varo Money, Promontory Financial Group, and LPL Financial. He leads many of our FTC audits, develops information security and privacy policies and procedures, and advises on vendor management/business process outsourcing functions, anti-money laundering and anti-fraud, business continuity and disaster recovery. Marc also has experience in creating and overseeing enterprise risk management programs, including inaugurating corporate-wide risk assessments, managing state and federal government relations, and managing mortgage compliance. He has created asset management programs for distressed financial institutions. Marc is licensed to practice in Ohio and Texas.

Publications

• Co-author, “FTC Releases 2023 Privacy and Data Security Update,” Troutman Pepper, April 4, 2024.
• Co-author, “Cookies and Online Tracking of Health Signals: An OCR Prescription for Potential Peril,” Troutman Pepper, May 4, 2023.

Education

• Case Western Reserve University School of Law, J.D.
• Franklin and Marshall College, AB

Michael “Mac” McCullough is an innovative and entrepreneurial GRC advisor, data strategist, ethicist, and risk and privacy leader. Mac has over 25 years of experience in data risk, governance, privacy, and project management. He is particularly adept at building and aligning people, processes, and technologies to deliver world-class, risk-based, business-oriented compliance frameworks. Mac has a long history helping companies navigate and respond to regulator inquiries globally, including consent order compliance and assessments. Mac is a recognized thought leader in the privacy and tech communities, often networking with and advising peers, senior leaders, directors, trade organizations, civil society, and civil service leaders. Before joining the firm, he was chief privacy officer and GRC leader at Macy’s, and before that helped lead IBM’s privacy, data breach response, and other business models. He is a Certified Data Privacy Solutions Engineer.

Publications

• Co-author, “2023 Privacy Year in Review,” Troutman Pepper, February 1, 2024.

Speaking Engagements

• Speaker, “International Privacy Law – India, China, Japan, Brazil,” Georgia Bar Association 38th Annual Privacy & Technology Law Conference, March 4, 2024.

Education

• George Washington University Law School, J.D.

Jean Pawluk
Senior Privacy & Security Advisor
New York | 212.704.6239
jean.pawluk@troutman.com

Jean has extensive experience in the high tech, telecom, and financial industries with a career in cybersecurity spanning more than 35 years. She served as the Chief Architect at Visa International from 2003-2010, where she focused on security, as well as Chief Enterprise Architect at Equifax. Jean is a co-founder of both the Bace Cybersecurity Institute and the Cloud Security Alliance. She has been a software and hardware developer, one of the first chief architects in Silicon Valley, a Chief Information Security Officer several times over, and is now an executive consultant and business advisor.

Jean is a speaker, college lecturer, researcher on various emerging technologies, and active in several standards working groups. Her current research is centered around the intersection of emerging technologies and security, specifically examining their utilization and potential misuse. She has earned professional certifications as a Certified Information Systems Security Professional from ISC2 and Certified Information Security Manager from ISACA.

Ruki Smith
Senior Privacy & Security Advisor
New York | 212.704.6149
ruki.smith@troutman.com

Ruki focuses her practice on privacy and cybersecurity with an emphasis on global compliance. She has conducted global privacy and security program assessments across multiple industries, including high-tech, social media, retail, education, pharmaceutical, health, real estate and financial services; and advises clients on a broad spectrum of regulatory, transactional, and compliance issues.

Previously, Ruki served as Meta’s Associate General Counsel for Legal Privacy Compliance. In this role, she built Meta’s privacy program to comply with applicable law, advised stakeholders on FTC order compliance, and advised on incidents, FTC certifications, internal and external privacy complaints, Privacy Red Team initiatives, change management, privacy risk assessments, and privacy issues.

Prior to joining Meta, Ruki was the Global Head of Privacy at WeWork and worked on the privacy and cybersecurity teams at Paul Hastings and Booz Allen Hamilton. Ruki is licensed to practice in New York, California, Texas, and the District of Columbia.

Education

• SMU Dedman School of Law, J.D.
• Southern Methodist University, BBA