Photo of Stephen Lilley

Stephen Lilley is a partner in the Washington DC office of Mayer Brown. He focuses his practice on helping clients navigate cutting-edge and interrelated litigation, regulatory, and policy challenges. A member of the firm’s Litigation and Cybersecurity & Data Privacy practices, Stephen develops strategies to manage legal risks and to shape regulatory policy across a broad range of substantive areas.

Stephen has significant experience working with clients to identify, evaluate, and manage cybersecurity and data privacy risks; responding to cyber incidents and vulnerability disclosures; and defending businesses in related litigation. Stephen is regularly called upon to advise senior executives and board members on their most challenging cybersecurity risks, to help companies develop governance programs to mitigate those risks, and to lead training exercises to implement and refine those programs. Stephen has particular experience advising on cybersecurity and national security issues relating to the Internet of Things, including vehicles and medical devices, and to manufacturing, critical infrastructure, and other industrial systems. Widely recognized for his cybersecurity law and policy experience, Stephen previously served as Chief Counsel to the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism, where he focused on cybersecurity issues.

Read Stephen's full bio.

Software security is a critical issue for multinational businesses. Highlighted as a top priority by the Biden administration and other governments worldwide, software security is a central pillar of effective cybersecurity—and managing associated legal risk. But developing and maintaining secure software is challenging, including to the extent that companies manage complex software development lifecycles, face

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,1 which is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) announced in March 2022. With the new executive order, the Biden administration aims to strengthen the legal foundation for trans-Atlantic

On September 14, 2022, the US Office of Management and Budget (OMB) published a memorandum, M-22-18, requiring federal agencies to comply with previously announced guidelines for ensuring the integrity of third-party software on an agency’s information systems or that otherwise affects government information. Applicable to firmware, operating systems, applications, and application services (e.g., cloud-based

Software security is a critical issue for multinational businesses. Highlighted as a top priority by the Biden administration and other governments worldwide, software security is a central pillar of effective cybersecurity—and managing associated legal risk. But developing and maintaining secure software is challenging, including to the extent that companies manage complex software development lifecycles, face

Strengthening the nation’s cybersecurity has been a top priority for the Biden administration, as reflected in its collaboration with industry, regulatory actions, and the legislation it has supported in Congress, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Executive action has been a key tool in the Biden administration’s cyber policymaking toolkit.

On March 15, 2022, President Biden signed into law the Consolidated Appropriations Act, 2022, H.R. 2471. Division Y of this omnibus appropriations legislation—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—will create significant new rules requiring US critical infrastructure entities to report cybersecurity incidents and ransom payments to the US government. This legislation marks

After months of diplomatic engagement, the early morning of February 24, 2022 saw what President Biden called an “unprovoked and unjustified attack by Russian military forces” on Ukraine. Numerous news reports also have described significant cyber attacks against Ukrainian systems. According to those reports, these attacks follow multiple waves of cyber attacks in the past

  • On October 27, 2021, the Federal Trade Commission issued a final rule (“Final Rule”) implementing most of the revisions it proposed in 2019, with some important modifications, to its Gramm-Leach-Bliley Act safeguards rule.
  • Financial institutions covered by the Final Rule include finders, finance companies, mortgage companies, motor vehicle dealerships, payday lenders and other non-banks involved

2020 and 2021 saw sophisticated, coordinated cyber attacks affect some of the largest companies in the world. In the wake of these attacks, the Biden Administration and federal regulators—as well as businesses within the financial sector—are highly focused on cybersecurity. With a rapidly changing landscape, financial services companies are working hard to prepare for cyber