Hanna Hewitt



Hanna focuses on cybersecurity and data protection, helping clients navigate an increasingly regulated area in the UK, EU and beyond.

Hanna has a knack for tracking the detail, which proves to be invaluable for clients when managing cyber incidents. Whilst working with a range of clients from FTSE100 to early-stage companies, Hanna oversees and helps keep multiple workstreams on track, seamlessly integrating with client’s internal incident response teams.

She assists clients throughout the lifecycle of a cyber incident: helping with immediate response, working with forensic providers to eradicate and contain cyber threats, and advising them on their regulatory and contractual obligations in respect of notification. Both pre- and post-cyber incident, Hanna also supports clients with ongoing cyber-risk management, to help mitigate regulatory and third-party risk. This includes helping clients navigate post-cyber incident litigation to the extent required.

When cyber incidents aren’t keeping her busy, Hanna also provides privacy advisory support, advising clients on the GDPR and other international data protection laws, including data retention, processing and transfer.

Hanna trained at Orrick and during her training contract also gained experience in litigation, corporate (Technology Companies Group) and competition.

  • Cyber security engagements

    • Advised a Fortune 500 company in the manufacturing sector, following a social engineering attack which halted all global production, including internationally notifying law enforcement, regulators and individuals.
    • Advised a Fortune 500 company in respect of multiple cyber security incidents, including an incident following the MOVEit vulnerability in 2023.
    • Advised a German manufacturing company following a spear-phishing attack, including coordinating regulator and individual notifications and advising on cyber insurance cover.
    • Advised a FTSE100 company in connection with an Office 365 compromise.
    • Advised a pharmaceutical company following a ransomware incident by a prevalent threat actor including notifying regulators following data encryption and exfiltration and subsequently advising on a privacy compliance uplift programme.
    • Advised a professional services company following a ransomware incident including notifying data subjects following data publication.
    • Advised a global payments provider on a potential data breach following disclosure of information by a former employee.

    Data protection engagements

    • Advised an education charity on its privacy compliance programme and implemented the necessary compliance documentation.
    • Advised an international social media company in relation to ongoing updates to their compliance programme, which included advising on privacy and cyber security compliance.
    • Advises both domestic and international clients on the implementation of privacy compliance strategies and documentation including in relation to international data transfers, cookie and tracking technologies and statutory transparency obligations.


    • Successfully obtained a High Court injunction for a global payment services provider following theft by and ex-employee of over 400 company records containing confidential information and personal data.
    • Advising an international online dating application in respect of a threatened group litigation claim.