Romaine helps organizations navigate legal obligations relating to data innovation, privacy, security, and artificial intelligence.

Romaine’s risk management approach is informed by his experience as a business litigation and trial lawyer, and as legal counsel in response to hundreds of cybersecurity and data privacy incidents which, in some cases, involved litigation and regulatory investigations. He has been lead-counsel in multiple jury and bench trials in Utah state and federal courts, and against government agencies nationwide. 

As organizations embrace digital transformation, Romaine helps them manage legal risks by tailoring incident response plans and risk assessments, and co-developing written information security and AI risk management programs. He also advises on the application of cybersecurity and AI governance frameworks, and related data privacy considerations, and has recently represented clients in relation to:

  • AI governance including assisting organizations with implementing AI literacy and AI risk management policies and programs, and conducting assessments required by states (e.g., UAIPA, CAIA, and TRAIGA) and overseas (e.g., EU AI Act).  
  • Cybersecurity and data privacy litigation involving botnets and man-in-the-middle attacks against end users and business executives, a cryptocurrency exchange, nonfungible token (NFT) platforms and digital art creators, and web tracking.
  • Regulatory investigations by the US Federal Trade Commission, US Securities and Exchange Commission and US Department of Health and Human Services into cybersecurity and data privacy practices, and blockchain and digital assets. 
  • International cybersecurity regulations including the European Union’s NIS2 Directive, Digital Operational Resilience Act, and Cyber Resilience Act, and China and Canada’s Personal Information Protection (PIPL and PIPEDA) laws.
  • Critical infrastructure and regulatory changes to cybersecurity alignment, readiness, and maturity requirements for the energy, financial, food and agriculture, information technology, emergency services and transportation sectors.
  • Ransomware attacks involving the Ryuk, CryLock, Conti, MAZE, THT v2, RagnarLocker, LockBit, CLOP, NoEscape, and ALPHV/Blackcat variants, in which he led teams that analyzed and applied notification obligations.

Romaine is also a frequent author and presenter on digital transformation and related legal obligations. He is co-chair of the National Asian Pacific American Bar Association’s Emerging Technologies Committee, vice chair of the Utah Bar’s Cyberlaw Section, a member of the Utah Bar’s Innovation in Law Practice Committee, and a host for the Utah Chapter of the CISO Executive Network.

Education

  • Brigham Young University, J. Reuben Clark Law School (J.D.)
  • Waikato University School of Law, New Zealand
    • Visiting Law Student
  • Brigham Young University (B.S.)

Bar Admission

  • Utah

Professional Affiliations

  • Utah Bar Association, Innovation in Law Practice Committee, 2019-present
  • National Asian Pacific American Bar Association
    • Data Security and Privacy Committee, 2019-present
    • Co-chair of Emerging Technologies Committee, 2024-present
  • Utah Bar Association Office of Professional Conduct, Ethics and Disciplinary Committee, 2015–2018

Recognition

  • Recognized as a Stellar Performance Lawyer by Thomson Reuters, 2026
  • Mountain States Super Lawyers® Rising Stars, Business Litigation, 2008 and 2011
  • Selected for inclusion in Best Lawyers in America® for Commercial Litigation, 2022, 2024-2026
  • Utah Business Legal Elite in 2005-2009 and Civil Litigation, 2015-2021
  • Pro Bono Award, Utah Federal Bar Association, 2009

Languages

  • Māori

Publications

U.S. and Allies Release “Careful Adoption” Guidance for Agentic AI
Key Takeaways: AI is accelerating cybersecurity threats by expanding the attack surface and enabling more sophisticated, scalable attacks, even as it offers potential defensive benefits. Last month, the limited release of new AI systems designed for cybersecurity underscored how new and fast-emerging risks are an inherent part of AI’s potential. Last week, the U.S. and its allies released guidance on how AI security risks for agentic AI systems can and should be addressed within established cybersecurity frameworks. Industry standards for AI cybersecurity are evolving rapidly, and signals included in this guidance will shape the establishment of duties of care and legal obligations. AI is rapidly reshaping cybersecurity risk, not just as a defensive tool, but as a force multiplier for threat actors. When AI moved

AI's Evolution and the Essential Role of AI Literacy
Romaine Marshall explores the rapid evolution of artificial intelligence and emphasizes the growing importance of AI literacy as both a professional competency and an emerging legal requirement. He highlights how new laws, including Utah’s Artificial Intelligence Policy Act and the EU AI Act, are shaping governance frameworks that require transparency, risk management and a deeper understanding of AI systems across industries. He concludes that as AI becomes more embedded in everyday work and introduces new risks, from bias to misinformation, lawyers and organizations must prioritize AI literacy to ensure responsible use, regulatory compliance and effective client service.