Leah Schloss

Senior Associate


Leah Schloss advises clients on cybersecurity, government contracts, and export control investigative, regulatory, and compliance issues.

Ms. Schloss has extensive experience coordinating data breach investigations for clients in the retail, professional services, government contracts and technology industries. Her experience includes overseeing third-party forensic investigators; synthesizing forensic fact development for briefings to client management, officers, boards and third parties; interfacing with various third parties, including Payment Card Industry Forensic Investigators, payment card brands, law enforcement and regulators, as well as breached entities' customers, insurance providers, auditors and vendors; assessing obligations under state and federal data breach notification laws; and drafting breach notification letters, media statements and securities disclosures. 

Ms. Schloss counsels clients ranging from financial services companies to clients in the healthcare, government contracts and defense sectors on cybersecurity legislative, compliance and governance matters, including legislative and regulatory developments, regulator investigations, state and federal data security guidelines and requirements (including sector-specific guidance such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act), and risk and governance assessments. 

Her experience also includes conducting internal investigations for defense contractors, counseling clients on export control and surveillance law matters, and bringing and defending bid protests and Small Business Administration size challenges, including successfully defending a small business against a size challenge involving the client's largest award in company history. 

Past Experience

Prior to joining the firm, Ms. Schloss served as a law clerk at the Senate Judiciary Committee for Senator Leahy, where she conducted research on issues arising out of the reauthorization of the USA PATRIOT Act, as well as judicial and executive nominations. As a member of Georgetown's Federal Legislation and Administrative Law Clinic, Ms. Schloss researched a variety of legal issues related to cybersecurity, including evaluating various proposed cybersecurity information-sharing and liability protection bills. 

Ms. Schloss was also an intern in the Office of the Assistant General Counsel for General Law of the US Department of Energy and a research assistant for Professor David Cole at the Georgetown University Law Center.

Publications & News


March 26, 2018

Board Oversight of Cybersecurity

Cybersecurity is one of the highest priority issues for public company executives and directors. This note shares our views—developed over our involvement in the aftermath of many cybersecurity events as well as counseling on cyber-preparedness—on how boards can properly oversee cybersecurity risks. This client alert was also published by Law360.

January 4, 2018

Compliance Deadline Reached for DoD Contractor Security Controls Requirements

Under the Department of Defense (DoD) final Defense Federal Acquisition Regulation Supplement rule on Network Penetration Reporting and Contracting for Cloud Services, DoD contractors maintaining, processing, or otherwise possessing “covered defense information” on their own systems must now be compliant with the technical, physical, and administrative security controls outlined in National Institute of Standards and Technology Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, as the “grace period” for compliance ended on December 31, 2017.

May 12, 2017

President Trump Issues Cybersecurity Executive Order

On May 11, President Trump signed his long-awaited Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” Much of the Order mandates efforts to improve the government's own information technology (IT) and cybersecurity practices, but several directives focus on the private sector.

February 21, 2017

New York Finalizes Cybersecurity Regulations for Financial Institutions

On February 16, the New York State Department of Financial Services (NYDFS) issued cybersecurity regulations for banks, insurance companies and other financial institutions subject to NYDFS jurisdiction. This WilmerHale Client Alert was republished by the Journal of Investment Compliance, Vol. 18, No. 2, 2017.

November 1, 2016

Department of Defense Issues Final Version of Key Cybersecurity Rule

On October 21, 2016, the Department of Defense (DoD) issued its final rule on Network Penetration Reporting and Contracting for Cloud Services, amending an interim version issued on August 26, 2015, and revised on December 30, 2015. This WilmerHale Client Alert was also published by Bloomberg BNA's Privacy and Security Law Report on December 19, 2016.

October 20, 2016

Banking Regulators Release Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards

The agencies are considering establishing two tiers of enhanced standards—basic enhanced standards for all covered firms and even more stringent enhanced standards for systems that are "sector-critical."

June 16, 2016

The CFPB And Data Security Enforcement

In this article published in BNA's Banking Report, Michael Gordon, Leah Schloss and former Counsel Elijah Alper examine the Consumer Financial Protection Bureau's foray into data security enforcement by assessing how the bureau's data security authority compares with that of other federal regulators.

May 17, 2016

Final Government Contractor Basic Data Security Rule Issued

On May 16, the Federal Acquisition Regulations (FAR) Council published the final FAR rule on Basic Safeguarding of Contractor Information Systems. The rule is intended to prescribe “the most basic level” of safeguards, “reflective of actions a prudent business person would employ.”

April 14, 2016

Department of Defense Revises Landmark Cybersecurity Rule, Extends Deadline for Some Compliance Requirements

An article by Benjamin A. Powell, Barry J. Hurewitz, Jonathan G. Cedarbaum, Jason C. Chipman and Leah Schloss, published in the May 2016 issue of Privacy & Cybersecurity Law Report, explores the new, amended Department of Defense interim cybersecurity rule that prescribes cybersecurity requirements, including mandatory cybersecurity-related contract clauses in all DoD contracts subject to the Defense Federal Acquisition Regulations Supplement.

January 31, 2016

Getting the Deal Through: Cybersecurity 2016

Benjamin A. Powell and Jason C. Chipman were contributing editors for Getting the Deal Through: Cybersecurity 2016 (published in January 2016). Powell and Chipman also co-authored the chapter “Global Overview” (p. 5) with Marik String, and “United States” (pp. 72-77) with Leah Schloss. Reproduced with permission from Law Business Research Ltd. For further information please visit




JD, magna cum laude, Georgetown University Law Center, 2012, Notes Editor, Georgetown Journal of International Law, Order of the Coif

BA, International Affairs and Political Science, magna cum laude, The George Washington University, 2009, Phi Beta Kappa

Bar Admissions

District of Columbia

