Paul H. Luehr

Paul Luehr co-leads Manatt’s AI practice and has handled some of the largest data security and privacy incidents in history. With three decades of experience across law, government and consulting, he works with a variety of clients in retail, health care, financial services, technology, higher education and manufacturing, and Paul has earned a reputation as a “go to” advisor in high-stakes cybersecurity, privacy and AI matters.

The Cybersecurity Docket has named Paul a top incident response attorney for the past seven years, and previously as a consultant, he led forensic teams responding to some of the largest cyber breaches on record. As a federal prosecutor, he also pursued major cybercrimes for the U.S. Department of Justice and oversaw searches of the “20th hijacker’s” laptop after 9/11. Therefore, Paul has unique experience responding to ransomware attacks, state actor threats, phishing and other digital hacks.

In privacy, Paul advised the America Law Institute (ALI) on its Principles of the Law - Data Privacy, and he regularly counsels companies on the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Europe’s General Data Protection Regulation (GDPR) and new U.S. state privacy laws. He also advises clients on Federal Trade Commission (FTC) matters, drawing on his experience as a former FTC manager who led the agency’s first internet team.

On AI matters, Paul is a member of the National Institute of Standards and Technology (NIST) AI Safety Institute Consortium formed under a White House Executive Order. Paul has performed cyber due diligence on several mergers and led AI panels for cybersecurity experts and national healthcare leaders. He also has created policies and assessments for firms seeking to launch or expand their AI programs.

Overall, Paul frequently represents clients before federal and state regulators and foreign data protection authorities. He has responded to hundreds of cyber attacks, guided large teams of experts, created robust compliance programs, supervised enterprise-wide privacy and cybersecurity assessments, led cyber-threat tabletop exercises and advised board directors on new data risks. He has given over 180 lectures at universities and trade organizations, and his insights have been featured on national television and radio and in publications such as The Wall Street Journal and The New York Times.

Partner

Paul H. Luehr

Washington, D.C.

202.585.6555

Services

Privacy and Data Security

Office

Washington, D.C.

On This Page

Bio

Paul H. Luehr

Paul Luehr co-leads Manatt’s AI practice and has handled some of the largest data security and privacy incidents in history. With three decades of experience across law, government and consulting, he works with a variety of clients in retail, health care, financial services, technology, higher education and manufacturing, and Paul has earned a reputation as a “go to” advisor in high-stakes cybersecurity, privacy and AI matters.

The Cybersecurity Docket has named Paul a top incident response attorney for the past seven years, and previously as a consultant, he led forensic teams responding to some of the largest cyber breaches on record. As a federal prosecutor, he also pursued major cybercrimes for the U.S. Department of Justice and oversaw searches of the “20th hijacker’s” laptop after 9/11. Therefore, Paul has unique experience responding to ransomware attacks, state actor threats, phishing and other digital hacks.

In privacy, Paul advised the America Law Institute (ALI) on its Principles of the Law - Data Privacy, and he regularly counsels companies on the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Europe’s General Data Protection Regulation (GDPR) and new U.S. state privacy laws. He also advises clients on Federal Trade Commission (FTC) matters, drawing on his experience as a former FTC manager who led the agency’s first internet team.

On AI matters, Paul is a member of the National Institute of Standards and Technology (NIST) AI Safety Institute Consortium formed under a White House Executive Order. Paul has performed cyber due diligence on several mergers and led AI panels for cybersecurity experts and national healthcare leaders. He also has created policies and assessments for firms seeking to launch or expand their AI programs.

Overall, Paul frequently represents clients before federal and state regulators and foreign data protection authorities. He has responded to hundreds of cyber attacks, guided large teams of experts, created robust compliance programs, supervised enterprise-wide privacy and cybersecurity assessments, led cyber-threat tabletop exercises and advised board directors on new data risks. He has given over 180 lectures at universities and trade organizations, and his insights have been featured on national television and radio and in publications such as The Wall Street Journal and The New York Times.

Accomplishments

Panelist, “Sleeping Giant of Privacy, Security & E-Discovery: Data Deletion,” Exterro and IAPP, February 19, 2025

Moderator, “Artificial Intelligence – A Holistic Approach to Managing Interconnected Risks,” Midwest Legal Conference on Data Privacy and Cybersecurity, Minneapolis, MN, February 7, 2025

Panelist, “Detecting Bias in Your AI,” Pharmaceutical and Medical Device Ethics and Compliance Congress, Washington, D.C., October 2024

Panelist, “Just What the Doctor Ordered: Regulations Affecting the Administrative and Back-Office Use of AI in Healthcare,” Privacy + Security Academy, Washington, D.C., October 24, 2024

Panelist, “Private Equity and Due Diligence Technical Session” and “Privacy and Regulatory Technical Session,” Lockton Cyber & Technology Summit, September 25, 2024.

Panelist, “Data Deletion Jeopardy: Minimizing Risk in a Data-Driven World,” International Association of Privacy Professionals (IAPP) Privacy. Security. Risk. 2024, Los Angeles, CA, September 23, 2024

Speaker, “Stay Ahead of the Latest Privacy Trends: Unlocking the Power of ROPA, Why It Matters and How It Protects Your Business,” Electronic Discovery Reference Model (EDRM), August 2024.

Panelist, “A.I. and Incident Response: The Latest Network Defenses, Monitoring and Countermeasures,” Incident Response Forum Masterclass, Cybersecurity Docket, April 2024.

Speaker, “AI-in-Healthcare,” Healthcare Chief Legal Officer Roundtable, September 2023.

Speaker, “Decoding the National Cyber Security Strategy: A Guide for Lawyers,” Legal Cyber Academy, June 2023.

Panelist, “Legal Issues to Consider at the Board Level – Parts 1 & 2,” Thomson Reuters (WestLegalEd), Global Cyber Institute and Lexeprint Webinar, January 2023 and December 2022.

Panelist, “What Every E&C Leader Needs to Know About Supply Chain Cybersecurity Risk,” National Fellows Meeting of the Ethics and Compliance Initiative (ECI), January 2023.

Panelist, “Ransomware Attacks,” Incident Response Forum – Masterclass, April 2022.

Panelist, “Cyber Crimes, Ransomware & National Security,” Interface Webinar, April 2022.

Speaker, “Managing Incident Responses – Navigating the Technical, Strategic and Legal Issues in a Rapidly Changing Environment,” Midwest Legal Conference on Privacy and Data Security, February 2022.

Moderator and Panelist, “Retail Data Breaches,” Incident Response Forum, April 2021.

Speaker, “Privacy, Cybersecurity, and New Technology,” American Health Law Association (AHLA), March 2021.

Speaker and Moderator, “Reasonable Security” (with FTC and CIS representatives), Midwest Legal Conference on Privacy and Data Security, February 2021.

Speaker, “IT for Lawyers: Bridging the Gulf Between Lawyers and IT/Security Professionals,” Midwest Legal Conference on Privacy and Data Security, February 2021.

Speaker, “Vendor Management During a Data Breach,” Defense Research Institute, January 2021.

BTI Client Service All-Star, BTI Consulting Group, 2022

Incident Response 40, Cybersecurity Docket, 2018–22

Selected to tour Southeast Asia and lecture on cybercrime and e-commerce, U.S. State Department Speaker

FTC Outstanding Team Award for Privacy initiative and first Privacy “Surf”

FTC Stephen Nye Award: Young Attorney of the Year

Admitted to practice in Washington, D.C.

Admitted to practice in Minnesota

Adviser, American Law Institute (ALI), Restatement 3rd, Information Privacy Principles

Member, Certified Information Privacy Professional (CIPP/US), International Association of Privacy Professionals (IAPP)

Co-author, “Data Minimization: A Crucial Pillar of Cyber Security,” Cyber Security: A Peer-Reviewed Journal, February 11, 2025.

Quoted, “Big Law Firms, Seeking 'Seat at the Table,' Join AI Safety Consortium,” The American Lawyer, June 25, 2024.

Quoted, “Colo. AI Bias Law Brings Little Certainty for Insurance,” Law360, May 23, 2024.

Quoted, “Antitrust Enforcers Race to Stay Ahead of AI's Skynet Problem,” Corporate Counsel, February 16, 2024.

Quoted, “Antitrust Regulators Poised to Pounce as AI Firms Jostle for Dominance,” Corporate Counsel, November 21, 2023.

Quoted, “CSRB Report on Lapsus$ Attacks: Key Takeaways and Law Enforcement Cooperation,” Cybersecurity Law Report, September 20, 2023.

Featured, “Can Deleted [Secret Service] Text Messages Actually Be Retrieved?,” National Public Radio, All Things Considered, July 21, 2022.

Quoted, “Facebook Data Release to Cops Evades Fourth Amendment Limits,” Bloomberg Law, April 29, 2022.

Quoted, “Water Cybersecurity Plan From EPA Inadequate, State Group Says,” Bloomberg Law, February 15, 2022.

Washington, D.C.

Minnesota

UCLA School of Law, J.D., 1992

Harvard University, B.A., magna cum laude, 1986

Related Practices

Services

Privacy and Data Security

Industries

Artificial Intelligence

Join our newsletter to stay up to date on features and releases.

ATTORNEY ADVERTISING, pursuant to New York DR 2-101(f)

© 2025 Manatt, Phelps & Phillips, LLP. All rights reserved.

Newsletter Subscription