David Navetta

(p) 303.325.3528 (e) dnavetta@infolawgroup.com

David Navetta is one of the Founding Partners of the Information Law Group. David has practiced law for over twelve years, including technology, privacy, information security and intellectual property law. He is also a Certified Information Privacy Professional through the International Association of Privacy Professionals.

David has enjoyed a wide variety of legal experiences over his career that have provided him with a unique perspective and legal skill set, including work at a large international law firm, in-house experience at a multinational financial institution, and an entrepreneurial endeavor running his own law firm.

Information technology, privacy and data security transactions
Privacy and data security compliance and policies
Privacy breach notice and incident response
Intellectual property and licensing
E-commerce, outsourcing, cloud computing, software as a service
Litigation
Insurance law, including “cyber” and technology liability policy analysis and drafting

Professional Associations

American Bar Association: Information Security Committee; Electronic Discovery and Digital Evidence Committee
International Association of Privacy Professionals (IAPP)

Education

John Marshall Law School, Information Technology LLM (pending)
DePaul University College of Law, JD (top 16% of class)
Michigan State University, BA Accounting

Bar Admissions

Illinois
Colorado

Authored Works

“Cloud Computing Customers’ ‘Bill of Rights’” ISSA Journal, January 2011
“Data Breach in the Clouds” Hiscox Global Technology News, January 2011
“The Legal Defensibility Era” ISSA Journal, August 2010
“The PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law” DataGuidance, April 2010
“Potential Changes to the US Breach Notice Risk Landscape” dataprotectionlaw&policy, February 2010
“Interpreting ‘Risk’ in the Massachusetts Data Protection Law.” SearchSecurity.com, November 2009
“Who is Minding the Legal Risks around PCI?” ISSA Journal, April 2009
“Legally Mandated Encryption – Two New State Laws Mandate Encryption of Personal Information.” BNA Privacy & Security Law Reporter, November 2008
“PCI Liability Theories – Minnesota’s Plastic Card Protection Law and a New Third Circuit Case Could Open the Door to Potential Liability for Merchants.” IAPP Privacy Tracker, November 2008
“The Legal Implications and Risks of the Payment Card Industry (PCI) Data Security Standard.” ABA SciTech Lawyer, June 2008.
“The Legal Implications of the PCI Data Security Standard.” SC Magazine Online, April 2008
“The New Privacy Insurance Coverage.” ABA SciTech Lawyer, Summer 2006.

Select Speaking Engagements

“Cloud Computing Legal, Security and Contracting Issues.” IAOP Risk Management & Data Security in an Outsourced World, Denver, CO, January 11, 2011
“The Tension Between New Technologies and Privacy: Does America Really Believe in Privacy? If Not, Why Care?” The 19th Annual Conference on Current Developments in Technology Law, Seattle, WA December 9-10, 2010
“Emerging Cyber & Privacy Exposures and Insurance Solutions.” Cyber Liability Workshop, Denver, CO, November 4, 2010
“Assessing the Impact of Recent Litigation over Privacy/Security Breaches: Current Theories of Liability and Claims.” 4th Annual Advanced Forum on Cyber and Data Risk Insurance, New York, NY, September 27 – 28, 2010
“Legally Defensible, Proactively Protected.” ISSA International Conference, Atlanta, GA, September 15 -17, 2010
“Privacy and Security Regulatory Trends.” The NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 7-8, 2010
“Fraud Prevention: Protect Your Customers and Your Institution from Web Vulnerabilities”, Bank Information Security Webinars, May 2010
“Negotiating and Preparing Cloud Contracts.” IAPP Web Conference, May 3, 2010
“Electronic Identity: Who Are You…and When Does it Matter.” RSA Security Conference, San Francisco, CA March 2010
“Hot Topics in Information Security Law.” RSA Security Conference, San Francisco, CA, March 2010
“Information Security Standards and the Law.” RSA Security Conference, San Francisco, CA, March 2010
Hot Topics in InfoSec & Privacy Law 2009, IAPP Knowledgenet, Denver, CO May 2010
“When Big, Bad Things Happen to Small Companies: Data Security and the Small-to-Mid-size Business.” PLUS Professional Risk Symposium, April 2009
“PCI in 2009: A Look at the Legal and Practical Aspects of the PCI-DSS”, RSA Security Conference, San Francisco, CA, April 2009
“Hot Topics” in InfoSec Law”, RSA Security Conference, San Francisco, CA, April 2009
“Bridging the Communications Divide Between IT, Risk and Legal.” 2009 Hospitality Law Conference, Houston, TX, February 2009
“Information Security and Privacy Legal Compliance.” Public Agency Risk Management Association 2009 Conference, Rancho Mirage, CA, February 2009
“Information Security and Privacy Legal Compliance.” Hiscox Privacy Seminar, Chicago, IL, October 2008
“Overview of the Legal Implications of the Payment Card Industry Data Security Standard.” Colorado Information Management Association’s 2008 Fall Conference, Vail, CO, October 2008
“Risk Transfer: Fitting Information Security Insurance into the Risk Management Puzzle.” Information Security Compliance and Risk Management Institute, Seattle, WA, September 2008.
“The Integration of Information Security and the Law.” Symantec Denver Seminar, Denver, CO, June 2008
“Integrated Security and Privacy Risk Management” Lockton Cyber Seminar, Denver, CO, May 2008
“The Legal Implications and Risks of the Payment Card Industry (PCI) Data Security Standard.” American Bar Association Continuing Legal Education (CLE) Webinar, April 2008
“Hot Topics” in InfoSec Law.” RSA Security Conference, San Francisco, CA, April 2008
“Technology Solutions for Integrated Role-based Information Security Risk Management.” SC Magazine IT Security Executive Forum 2007, Oakland, CA, October 2007.
“Emerging Security and Privacy Risks and Solutions for the Retail Industry.” Webinar series for the Retail Industry Leaders Association, October 2007 and November 2007.
“Public Policies and Enterprise Risks.” Information Security Compliance and Risk Management Institute, Seattle, WA, September 2007.
“PCI and Service Provider Contracting Briefing.” Fishnet Security Client Briefing Series, Kansas City, MO, September 2007.
“Concurrent Educational Session: Emerging Privacy Issues – Challenges and Opportunities for the Insurance Industry.” PLUS International Conference, Chicago, IL, November 2006.
“Contractor Cyber Liability and Risk Mitigation.” The Virginia Technology Alliance Tech Events, Norfolk, VA, November 2006.
“Contracting for Information Security & Privacy Risks
“ What Every General Counsel and Transactional Attorney Need to Know about Information Security.” American Bar Association Continuing Legal Education (CLE) Webinar, June 2006
“Business & Technology Solutions that Promote Privacy and Data Security.” National Forum on Privacy Information & Security in the Insurance Industry, New York, NY June 2005.
“Data Protection – The Convergence of Privacy & Security.” Practicing Law Institute’s 6th Annual Institute on Privacy Law, New York, NY June 2005.
“Law and Policy Panel.” RSA Security Conference, San Francisco, CA, February 2005.

Posts by David Navetta

The Privacy Legal Implications of Big Data: A Primer

By David Navetta on February 12, 2013 Posted in Big Data

By now many lawyers and business managers have heard of the term “Big Data,” but many may not understand exactly what it refers to, and still more likely do not know how it will impact their clients and business (or perhaps it already is). Big Data is everywhere (quite literally). We see it drive the… Continue Reading

HHS Release Final Omnibus Rule Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

By David Navetta on January 18, 2013 Posted in Health Care, HIPAA, HITECH

Yesterday, the U.S. Department of Health and Human Services (HHS) released the long awaited final omnibus rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The full text of the Final Rule can be found HERE. The InfoLawGroup is analyzing the 500+ page document and will be posting on the changes in… Continue Reading

VISA Phases Out the Account Data Compromise Recovery (ADCR) Process and Implements the Global Compromised Account Recovery (GCAR) Program

By David Navetta on January 9, 2013 Posted in PCI, Regulations, Uncategorized

In October 2012, VISA quietly released new operating regulations which retroactively phased out VISA’s Account Data Compromise Recovery (ADCR) Process, and replaced it with the Global Compromised Account Recovery (GCAR) Program (see page 802 of VISA’s operating regulations for a full description of GCAR). For those that have not dealt with the ADCR, it is… Continue Reading

Eleventh Circuit Rules “Damages” Properly Alleged in Data Breach-Identity Theft Lawsuit

By David Navetta on September 17, 2012 Posted in Damages, Identity Theft, Lawsuit, Motion to Dismiss

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft. The Court’s opinion, decided… Continue Reading

Fourth Circuit Holds CFAA Does Not Bar Employee’s Misappropriation of Business Information When Employee Was Authorized to Access Information Initially

By David Navetta on August 9, 2012 Posted in Computer Fraud and Abuse Act (CFAA)

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. The Fourth Circuit recently joined the Ninth Circuit in concluding that the Computer Fraud and Abuse Act (“CFAA”) does not permit a civil claim by an employer against a former employee for misappropriating information that the employee was initially allowed to access. See WEC Carolina Energy Solutions LLC… Continue Reading

The Legal Implications of BYOD (Part II) – Preparing Personal Device Use Policies

By David Navetta on June 11, 2012 Posted in BYOD

In our last “bring your own device” post we explored some of the key security, privacy and incident response issues related to BYOD. These issues are often important drivers in a company’s decision to pursue a BYOD strategy and set the scope of personal device use within their organization. If the risks and costs associated with BYOD outstrip the benefits, a BYOD strategy may be abandoned altogether. One of the primary tools (if not the most important tool) for addressing such risks are BYOD-related policies. Sometimes these policies are embedded within an organization’s existing security and privacy policy framework. More frequently, however, companies are creating separate personal device use policies that stand alone or work with/cross-reference existing company security, privacy and incident response polices. This post lays out the key considerations company lawyers and compliance personnel should take into account when creating personal device use policies and outlines some of the important provisions that are often found in such policies.

The Duty to Authenticate Identity: the Online Banking Breach Lawsuits

By David Navetta on April 17, 2012 Posted in Reasonable Security

We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.
To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate. This blogpost post looks at two online banking breach cases to examine what courts are saying about authentication and commercially reasonable security.

Acai of Relief? Marketers’ Recent Settlement of FTC Charges Serves as a Reminder for Online Advertisers and Affiliate Marketers.

By David Navetta on April 4, 2012 Posted in Marketing

Two online marketers of acai berry products recently settled the FTC’s charges that the marketers engaged in deceptive practices by operating “fake news” sites directly and through affiliates to promote acai berry products. Although these cases are extreme examples of deceptive practices, they should serve as an important reminder for companies engaging in affiliate marketing that the FTC actively enforces in this area using the FTC Act, and that companies marketing through affiliates and affiliate marketers must understand and address the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising, which were updated in 2009 (“Guides”). As discussed further below, this can pose a challenge for companies of all types advertising through affiliate marketing programs

The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device)

By David Navetta on March 28, 2012 Posted in BYOD

Employees are increasingly using (and demanding to use) their personal devices to store and process their employer’s data, and connect to their networks. This “Bring Your Own Device” trend is in full swing, whether companies like it or not. Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable.
Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including “reasonable” BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.

Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

By David Navetta on February 1, 2012 Posted in Cloud Computing, Cyber Insurance

As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most Cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost-benefits by going into the Cloud, they may be retaining more risk then they want (especially where Cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

The Legal Implications of Social Networking Part Three: Data Security

By David Navetta on January 9, 2012 Posted in Social Networking

In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). In this post (Part Three), we explore how security concerns and legal risk arise and interact in the social media environment.
There are three main security-related issues that pose potential security-related legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or increasingly from personal computers connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks. In this case, the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.

David Navetta Offers Insight Concerning Behaviorial Analytics and Online Banking

By David Navetta on January 9, 2012 Posted in In The News

In the last quarter of 2011, InfoLawGroup partner, David Navetta, was quoted in Bank Director Magazine concerning two recent court cases involving online banking breaches. David provided insight concerning the use of behavioral analytics and commercially reasonable security in this context. David will be speaking on a panel at the upcoming RSA Conference on the same… Continue Reading

Upcoming ILG Speaking Engagements (01.01.12 — 03.31.12)

By David Navetta on January 5, 2012 Posted in Events

Here are some of our upcoming speaking engagements. Please let us know if you would like to attend – we may be able to arrange a discount or complimentary registration: Social Media Workshop, American Bankers Association Insurance Risk Management Annual Forum – Miami, January 24, 2012 (David Navetta) Social Networking and Professional Responsibility: Can They… Continue Reading

“I’ll Be Watching You”

By David Navetta on November 7, 2011 Posted in In The News

David Navetta weaves some movie trivia into his conversation with COMPUTERWORLD reporter Karen Kroll in an attempt to explain the significance of the SEC’s recent guidance document on cyber security incident reporting.

Is Your Company Prepared for Cyber Risk?

By David Navetta on October 31, 2011 Posted in In The News

InfoLawGroup Partner, David Navetta, weighs in on the issue of cyber risk in an article published by Boardmember magazine: The growing complexity of the law and the wide range of possible litigants make protecting against cyber risks all the more difficult. “For a big breach, you can have litigants coming at you from multiple angles,”… Continue Reading

Federal Appeals Court Holds Identity Theft Insurance/Credit Monitoring Costs Constitute “Damages” in Hannaford Breach Case

By David Navetta on October 24, 2011 Posted in Damages, Motion to Dismiss

In a significant development that could materially increase the liability risk associated with payment card security breaches (and personal data security breaches, in general), the U.S. Court of Appeals 1st Circuit (the “Court of Appeals”) held that payment card replacement fees and identity theft insurance/credit monitoring costs are adequately alleged as mitigation damages for purposes of negligence and an implied breach of contract claim. The decision in Hannaford could be a game changer in terms of the legal risk environment related to personal data breaches, and especially payment card breaches where fraud has been perpetrated. In this post, we summarize the key issues and holdings of the Court of Appeals.

David Navetta Weighs in on Recent SEC Breach

By David Navetta on October 21, 2011 Posted in In The News

InfoLawGroup Partner, David Navetta, was recently quoted by Business Insider in an article concerning an emplolyee personal data breach of a subcontractor, of a service provider, of the SEC. This story highlights the difficulties of outsourcing personal information data processing, and the risk that subcontractors of service providers often will be the entities actually processing… Continue Reading

The Legal Implications of Social Networking Part Two: Privacy

By David Navetta on October 17, 2011 Posted in Social Networking

As social media and networking continue to revolutionize modern-day marketing and become the norm for organizations of all types, shapes and sizes, it is even more important to adequately address the legal risks associated with social media use. In Part One of our Legal Implications series, we laid out some background and identified key areas of legal risk. In the next few posts InfoLawGroup is going to look deeper at some of these risks. In this post we explore some of the privacy legal issues that companies should address if they want to leverage social media.

SEC Issues Guidance Concerning Cyber Security Incident Disclosure

By David Navetta on October 14, 2011 Posted in Breach Notice, Heartland

Publicly traded businesses now have yet another set of guidelines to follow regarding security risks and incidents. On October 13, 2011 the Securities and Exchange Commission (SEC) Division of Corporation Finance released a guidance document that assists registrants in assessing what disclosures should be made in the face of cyber security risks and incidents. The guidance provides an overview of disclosure obligations under current securities laws – some of which, according to the guidance, may require a disclosure of cyber security risks and incidents in financial statements.

InfoLawGroup’s David Navetta Cited in Online Banking Breach News

By David Navetta on June 17, 2011 Posted in In The News

In the past two weeks, two significant court decisions came down ruling on issues related to "commercially reasonable security." Information security attorneys have been waiting a long time for courts to provide some guidance on this issue. However, the PATCO court and the Comerica court actually came to different conclusions. InfoLawGroup Founding Partner David Navetta… Continue Reading

David Navetta Discusses Cyber Insurance on FOX News Live

By David Navetta on June 17, 2011 Posted in In The News

David Navetta recently spoke to FOX News Live concerning cyber insurance and risk transfer. You can watch the interview HERE.

The Legal Implications of Social Networking: The Basics (Part One)

By David Navetta on June 11, 2011 Posted in ECPA, Social Networking

Much like the “Cloud computing revolution” there is an almost frenzied excitement around social media, and many companies are stampeding to exploit social networking. The promise of increased intimate customer interactions, input and loyalty, and enhanced sales and expanded market share can result in some organizations overlooking the thorny issues arising out of social networking. Many of these issues are legal in nature and could increase the legal risk and liability potential of an organization employing a social media strategy.
In this multi-part series the InfoLawGroup will identify and explore the legal implications of social media. This series will help organizations begin to identify some of the legal risks associated with social media so that they may start addressing and mitigating these risks while maximizing their social media strategy.
In Part One of the series, we will provide a high level overview of the legal risks and issues associated with an organization’s use of social media. In subsequent parts members of the InfoLawGroup team will take a deeper dive into these matters, and provide some practical insight and strategic direction for addressing these issues. As always, we view our series as the beginning of a broader conversation between ourselves and the larger community, and we welcome and strongly encourage comments, concerns, corrections and criticisms.

“Privacy by Design”: A Key Concern for VCs and Start-Ups

By David Navetta on May 23, 2011 Posted in Privacy Law, Regulations

(co-authored by Nicole Friess, Esq.) The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s Protecting Consumer Privacy in an Era of Rapid Change issued December 1, 2010 urges companies to adopt a "privacy by design" approach. Senators… Continue Reading