InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

David Navetta

(p) 303.325.3528 (e)

David Navetta is one of the Founding Partners of the Information Law Group. David has practiced law since 1996, including technology, privacy, information security and intellectual property law. He is also a Certified Information Privacy Professional through the International Association of Privacy Professionals.

David has enjoyed a wide variety of legal experiences over his career that have provided him with a unique perspective and legal skill set, including work at a large international law firm, in-house experience at a multinational financial institution, and an entrepreneurial endeavor running his own law firm.

Prior to co-founding the Information Law Group, David established InfoSecCompliance LLC (“ISC”), a law firm focusing on information technology-related law. ISC successfully served a wide assortment of U.S. and foreign clients, from Fortune 500 companies to small start-ups and service providers. Mr. Navetta previously worked for over three years in New York as assistant general counsel for AIG’s eBusiness Risk Solutions Group. While there, David analyzed and forecast information security, privacy and technology risks, drafted policies to cover such risks, and worked on sophisticated technology transfer transactions. David engaged in commercial litigation for several years prior to going in-house, including working at the Chicago office of Sedgwick, Detert, Moran and Arnold, a large international law firm.

David currently serves as a Co-Chair of the American Bar Association’s Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Mr. Navetta previously served as the Chairman of the ABA’s Information Security Committee’s Information Security Contracting & Risk Management Working Group. He has spoken and written frequently concerning technology, privacy and data security legal issues.

David has worked on transactions and licensing, privacy and security compliance issues, litigation, and breach notice and incident response.

Practice Areas
  • Information technology, privacy and data security transactions
  • Privacy and data security compliance and policies
  • Privacy breach notice and incident response
  • Intellectual property and licensing
  • E-commerce, outsourcing, cloud computing, software as a service
  • Litigation
  • Insurance law, including “cyber” and technology liability policy analysis and drafting

Professional Associations

  • American Bar Association: Information Security Committee; Electronic Discovery and Digital Evidence Committee
  • International Association of Privacy Professionals (IAPP)

Education

  • John Marshall Law School, Information Technology LLM (pending)
  • DePaul University College of Law, JD (top 16% of class)
  • Michigan State University, BA Accounting

Bar Admissions

  • Illinois
  • Colorado

Authored Works

  • “Cloud Computing Customers’ ‘Bill of Rights’” ISSA Journal, January 2011
  • “Data Breach in the Clouds” Hiscox Global Technology News, January 2011
  • “The Legal Defensibility Era” ISSA Journal, August 2010
  • “The PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law” DataGuidance, April 2010
  • “Potential Changes to the US Breach Notice Risk Landscape” dataprotectionlaw&policy, February 2010
  • “Interpreting ‘Risk’ in the Massachusetts Data Protection Law.”, November 2009
  • “Who is Minding the Legal Risks around PCI?” ISSA Journal, April 2009
  • “Legally Mandated Encryption – Two New State Laws Mandate Encryption of Personal Information.” BNA Privacy & Security Law Reporter, November 2008
  • “PCI Liability Theories – Minnesota’s Plastic Card Protection Law and a New Third Circuit Case Could Open the Door to Potential Liability for Merchants.” IAPP Privacy Tracker, November 2008
  • “The Legal Implications and Risks of the Payment Card Industry (PCI) Data Security Standard.” ABA SciTech Lawyer, June 2008.
  • “The Legal Implications of the PCI Data Security Standard.” SC Magazine Online, April 2008
  • “The New Privacy Insurance Coverage.” ABA SciTech Lawyer, Summer 2006.

Select Speaking Engagements

  • “Cloud Computing Legal, Security and Contracting Issues.” IAOP Risk Management & Data Security in an Outsourced World, Denver, CO, January 11, 2011
  • “The Tension Between New Technologies and Privacy: Does America Really Believe in Privacy? If Not, Why Care?” The 19th Annual Conference on Current Developments in Technology Law, Seattle, WA December 9-10, 2010
  • “Emerging Cyber & Privacy Exposures and Insurance Solutions.” Cyber Liability Workshop, Denver, CO, November 4, 2010
  • “Assessing the Impact of Recent Litigation over Privacy/Security Breaches: Current Theories of Liability and Claims.” 4th Annual Advanced Forum on Cyber and Data Risk Insurance, New York, NY, September 27 – 28, 2010
  • “Legally Defensible, Proactively Protected.” ISSA International Conference, Atlanta, GA, September 15 -17, 2010
  • “Privacy and Security Regulatory Trends.” The NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 7-8, 2010
  • “Fraud Prevention: Protect Your Customers and Your Institution from Web Vulnerabilities”, Bank Information Security Webinars, May 2010
  • “Negotiating and Preparing Cloud Contracts.” IAPP Web Conference, May 3, 2010
  • “Electronic Identity: Who Are You…and When Does it Matter.” RSA Security Conference, San Francisco, CA March 2010
  • “Hot Topics in Information Security Law.” RSA Security Conference, San Francisco, CA, March 2010
  • “Information Security Standards and the Law.” RSA Security Conference, San Francisco, CA, March 2010
  • Hot Topics in InfoSec & Privacy Law 2009, IAPP Knowledgenet, Denver, CO May 2010
  • “When Big, Bad Things Happen to Small Companies: Data Security and the Small-to-Mid-size Business.” PLUS Professional Risk Symposium, April 2009
  • “PCI in 2009: A Look at the Legal and Practical Aspects of the PCI-DSS”, RSA Security Conference, San Francisco, CA, April 2009
  • “Hot Topics in InfoSec Law.” RSA Security Conference, San Francisco, CA, April 2009
  • “Bridging the Communications Divide Between IT, Risk and Legal.” 2009 Hospitality Law Conference, Houston, TX, February 2009
  • “Information Security and Privacy Legal Compliance.” Public Agency Risk Management Association 2009 Conference, Rancho Mirage, CA, February 2009
  • “Information Security and Privacy Legal Compliance.” Hiscox Privacy Seminar, Chicago, IL, October 2008
  • “Overview of the Legal Implications of the Payment Card Industry Data Security Standard.” Colorado Information Management Association’s 2008 Fall Conference, Vail, CO, October 2008
  • “Risk Transfer: Fitting Information Security Insurance into the Risk Management Puzzle.” Information Security Compliance and Risk Management Institute, Seattle, WA, September 2008.
  • “The Integration of Information Security and the Law.” Symantec Denver Seminar, Denver, CO, June 2008
  • “Integrated Security and Privacy Risk Management” Lockton Cyber Seminar, Denver, CO, May 2008
  • “The Legal Implications and Risks of the Payment Card Industry (PCI) Data Security Standard.” American Bar Association Continuing Legal Education (CLE) Webinar, April 2008
  • “Hot Topics in InfoSec Law.” RSA Security Conference, San Francisco, CA, April 2008
  • “Technology Solutions for Integrated Role-based Information Security Risk Management.” SC Magazine IT Security Executive Forum 2007, Oakland, CA, October 2007.
  • “Emerging Security and Privacy Risks and Solutions for the Retail Industry.” Webinar series for the Retail Industry Leaders Association, October 2007 and November 2007.
  • “Public Policies and Enterprise Risks.” Information Security Compliance and Risk Management Institute, Seattle, WA, September 2007.
  • “PCI and Service Provider Contracting Briefing.” Fishnet Security Client Briefing Series, Kansas City, MO, September 2007.
  • “Concurrent Educational Session: Emerging Privacy Issues – Challenges and Opportunities for the Insurance Industry.” PLUS International Conference, Chicago, IL, November 2006.
  • “Contractor Cyber Liability and Risk Mitigation.” The Virginia Technology Alliance Tech Events, Norfolk, VA, November 2006.
  • “Contracting for Information Security & Privacy Risks
  • “What Every General Counsel and Transactional Attorney Need to Know about Information Security.” American Bar Association Continuing Legal Education (CLE) Webinar, June 2006
  • “Business & Technology Solutions that Promote Privacy and Data Security.” National Forum on Privacy Information & Security in the Insurance Industry, New York, NY June 2005.
  • “Data Protection – The Convergence of Privacy & Security.” Practicing Law Institute’s 6th Annual Institute on Privacy Law, New York, NY June 2005.
  • “Law and Policy Panel.” RSA Security Conference, San Francisco, CA, February 2005.
Posts by David Navetta

Twist in the Target Lawsuit!

Posted in In The News

Partner Dave Navetta is quoted in an article discussing the class action lawsuits filed (and now withdrawn) by two banks against Trustwave Holdings Inc. (the PCI Qualified Security Assessor for Target, Inc.) arising out of the Target breach. He is also quoted analyzing whether there is a reasonable basis for the allegations against Trustwave Holdings Inc.

Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance

Posted in Cyber Insurance

The big 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the…

Breaches: Avoiding Legal Woes

Posted in In The News

Partner Dave Navetta was interviewed by Healthcare Info Security about how organizations that have experienced data breaches should manage their response. He explains that they should have breach response plans in place and ensure compliance with the HIPAA Security Rule.

California Attorney General Files Lawsuit Based on Late Breach Notification

Posted in Breach Notice, Breach Notification, California, Lawsuit

In the first case of its kind (that I am aware of), the California Attorney General’s office filed a complaint against the Kaiser Foundation Health Plan, Inc. (“Kaiser”) alleging a violation of California’s “unfair competition law” (Business and Professions Code sections 17200-17210) arising out of a personal information security breach and delayed notification. This lawsuit…

“Big Data” for Educational Institutions: A Framework for Addressing Privacy Compliance and Legal Considerations

Posted in Big Data

Educational institutions at all levels have begun to realize that they hold a treasure trove of student-related information that, if analyzed using “Big Data” techniques, could yield valuable insights to further their educational missions. Educational institutions hold a broad variety of student-related information that may be analyzed, including grades, financial information, health information, location-related information…

HHS Releases Final Omnibus Rule Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Posted in Health Care, HIPAA, HITECH

Yesterday, the U.S. Department of Health and Human Services (HHS) released the long awaited final omnibus rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The InfoLawGroup is analyzing the 500+ page document and will be posting on the changes in…

Eleventh Circuit Rules “Damages” Properly Alleged in Data Breach-Identity Theft Lawsuit

Posted in Damages, Identity Theft, Lawsuit, Motion to Dismiss

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft. The Court’s opinion, decided…

Fourth Circuit Holds CFAA Does Not Bar Employee’s Misappropriation of Business Information When Employee Was Authorized to Access Information Initially

Posted in Computer Fraud and Abuse Act (CFAA)

InfoLawGroup Counsel Andrew L. Hoffman contributed to this post. The Fourth Circuit recently joined the Ninth Circuit in concluding that the Computer Fraud and Abuse Act (“CFAA”) does not permit a civil claim by an employer against a former employee for misappropriating information that the employee was initially allowed to access. See WEC Carolina Energy Solutions LLC…

The Legal Implications of BYOD (Part II) – Preparing Personal Device Use Policies

Posted in BYOD

In our last “bring your own device” post we explored some of the key security, privacy and incident response issues related to BYOD. These issues are often important drivers in a company’s decision to pursue a BYOD strategy and set the scope of personal device use within the organization. If the risks and costs associated with BYOD outstrip the benefits, a BYOD strategy may be abandoned altogether. One of the primary tools (if not the most important tool) for addressing such risks is a BYOD-related policy. Sometimes these policies are embedded within an organization’s existing security and privacy policy framework. More frequently, however, companies are creating separate personal device use policies that stand alone or work with (and cross-reference) existing company security, privacy and incident response policies. This post lays out the key considerations company lawyers and compliance personnel should take into account when creating personal device use policies and outlines some of the important provisions that are often found in such policies.

The Duty to Authenticate Identity: the Online Banking Breach Lawsuits

Posted in Reasonable Security

We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.
To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate. This post looks at two online banking breach cases to examine what courts are saying about authentication and commercially reasonable security.

Acai of Relief? Marketers’ Recent Settlement of FTC Charges Serves as a Reminder for Online Advertisers and Affiliate Marketers.

Posted in Marketing

Two online marketers of acai berry products recently settled the FTC’s charges that the marketers engaged in deceptive practices by operating “fake news” sites directly and through affiliates to promote acai berry products. Although these cases are extreme examples of deceptive practices, they should serve as an important reminder for companies engaging in affiliate marketing that the FTC actively enforces in this area using the FTC Act, and that companies marketing through affiliates and affiliate marketers must understand and address the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising, which were updated in 2009 (“Guides”). As discussed further below, this can pose a challenge for companies of all types advertising through affiliate marketing programs.

The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device)

Posted in BYOD

Employees are increasingly using (and demanding to use) their personal devices to store and process their employer’s data and to connect to their employer’s networks. This “Bring Your Own Device” trend is in full swing, whether companies like it or not. Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost savings are not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable.
Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. This post identifies and explores some of the key privacy and security legal concerns associated with BYOD, including “reasonable” BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.

Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

Posted in Cloud Computing, Cyber Insurance

As organizations of all stripes increasingly rely on cloud computing services to conduct their business, the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. However, most cloud customers find it very difficult to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short term cost benefits by going into the cloud, they may be retaining more risk than they want (especially where cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

The Legal Implications of Social Networking Part Three: Data Security

Posted in Social Networking

In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). In this post (Part Three), we explore how security concerns and legal risk arise and interact in the social media environment.
There are three main security-related issues that pose potential security-related legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or increasingly from personal computers connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks. In this case, the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.

David Navetta Offers Insight Concerning Behavioral Analytics and Online Banking

Posted in In The News

In the last quarter of 2011, InfoLawGroup partner David Navetta was quoted in Bank Director Magazine concerning two recent court cases involving online banking breaches. David provided insight concerning the use of behavioral analytics and commercially reasonable security in this context. David will be speaking on a panel at the upcoming RSA Conference on the same…

Upcoming ILG Speaking Engagements (01.01.12 — 03.31.12)

Posted in Events

Here are some of our upcoming speaking engagements. Please let us know if you would like to attend; we may be able to arrange a discount or complimentary registration: Social Media Workshop, American Bankers Association Insurance Risk Management Annual Forum, Miami, January 24, 2012 (David Navetta); Social Networking and Professional Responsibility: Can They…

“I’ll Be Watching You”

Posted in In The News

David Navetta weaves some movie trivia into his conversation with COMPUTERWORLD reporter Karen Kroll in an attempt to explain the significance of the SEC’s recent guidance document on cyber security incident reporting.

Is Your Company Prepared for Cyber Risk?

Posted in In The News

InfoLawGroup Partner David Navetta weighs in on the issue of cyber risk in an article published by Boardmember magazine: The growing complexity of the law and the wide range of possible litigants make protecting against cyber risks all the more difficult. “For a big breach, you can have litigants coming at you from multiple angles,”…

David Navetta Talks About Service Provider Liability

Posted in In The News

In an article at Dark Reading, David Navetta is quoted concerning vendor limitations of liability and the importance of vendor contracts for managing risk. InfoLawGroup has written extensively concerning vendor liability and managing risk contractually, especially in the cloud computing context.