David Navetta
David Navetta is one of the Founding Partners of the Information Law Group. David has practiced law for over twelve years, including technology, privacy, information security and intellectual property law. He is also a Certified Information Privacy Professional through the International Association of Privacy Professionals.
David has enjoyed a wide variety of legal experiences over his career that have provided him with a unique perspective and legal skill set, including work at a large international law firm, in-house experience at a multinational financial institution, and an entrepreneurial endeavor running his own law firm.
Prior to co-founding the Information Law Group, David established InfoSecCompliance LLC (“ISC”), a law firm focusing on information technology-related law. ISC successfully served a wide assortment of U.S. and foreign clients from Fortune 500 companies to small start-ups and service providers. Mr. Navetta previously worked for over three years in New York as assistant general counsel for a major insurer’s eBusiness Risk Solutions Group. While there David analyzed and forecasted information security, privacy and technology risks, drafted policies to cover such risks, and worked on sophisticated technology transfer transactions. David engaged in commercial litigation for several years prior to going in-house, including working at the Chicago office of Sedgwick, Detert, Moran and Arnold, a large international law firm.
David currently serves as a Co-Chair of the American Bar Association’s Information Security Committee, and is also Co-Chair of the PCI Legal Risk and Liability Working Group. Mr. Navetta previously served as the Chairman of the ABA’s Information Security Committee’s Information Security Contracting & Risk Management Working Group. He has spoken and written frequently concerning technology, privacy and data security legal issues.
David has worked on transactions and licensing, privacy and security compliance issues, litigation, and breach notice and incident response.
Practice Areas.- Information technology, privacy and data security transactions
- Privacy and data security compliance and policies
- Privacy breach notice and incident response
- Intellectual property and licensing
- E-commerce, outsourcing, cloud computing, software as a service
- Litigation
- Insurance law, including “cyber” and technology liability policy analysis and drafting
- American Bar Association: Information Security Committee; Electronic Discovery and Digital Evidence Committee
- International Association of Privacy Professionals (IAPP)
- John Marshall Law School, Information Technology LLM (pending)
- DePaul University College of Law, JD (top 16% of class)
- Michigan State University, BA Accounting
- Illinois
- Colorado
A Closer Look at the PCI Compliance and Encryption Requirements of Nevada's Security of Personal Information Law
Since approximately 2005, the state of Nevada has had a fairly comprehensive data privacy law on its books: the Nevada Security of Personal Information Law (the “Law”). Prior to 2009, the Law imposed various requirements concerning the protection of personal information of Nevada residents, including requirements concerning security breach notice, the implementation of reasonable security measures and the destruction of records containing personal information. In 2009, the Nevada legislature materially amended the law by passing Nevada Senate Bill 227 (“SB 227” or “SB 227 Amendment”). The SB 227 Amendment added two significant (but mutually exclusive) data security obligations: (1) a requirement to comply with the Payment Card Industry Data Security Standard (“PCI”); and (2) requirements to encrypt personal information in certain contexts. The SB 227 Amendment became effective on January 1, 2010. This article summarizes the requirements of the SB 227 Amendment, addresses various compliance issues posed by it, and discusses its “safe harbor.”
Continue Reading...The Curious Case of EMI v. Comerica: A Bellwether on the Issue of "Reasonable Security"?
Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.
Continue Reading...The Breach Notification Obligations in the Data Accountability and Trust Act
The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate. In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House. I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA. The end result was my article entitled: "Potential changes to the US breach notice risk landscape".
Continue Reading...Developing an Information Security and Privacy Schedule for Service Provider Transactions (Part Two)
In Part One of this blog series, we looked at the proactive nature of a data security and privacy schedule ("Schedule"), and considered the compliance function of a Schedule. Part Two of this series discusses security incident response contract terms that should be considered for a Schedule. In addition, we look at more traditional "risk of loss" contract terms and how data security and privacy risks impact those terms.
Continue Reading...Developing an Information Security and Privacy Schedule for Service Provider Transactions
It is a very interesting time for information security and privacy lawyers. Information technology and the processing, storage and transmitting of sensitive and personal information is ubiquitous. At the same time (and likely as a result of this ubiquity) the legal risk and regulatory compliance environment poses increased threats and potential for significant liability. Finally, whether through cloud computing providers or traditional outsourcing of information technology functions (e.g. ASP, hosting and storage), to stay competitive and efficient, companies of all shapes and sizes are outsourcing their information technology functions to third party service providers. It is likely that adoption of these practices will increase at an increasingly faster rate.
This reality poses significant information security, privacy and legal challenges. Internal security and privacy professionals find themselves ceding control of significant decisions to third parties (“Service Providers”) concerning the implementation, maintenance, enhancement and enforcement of information security and privacy measures. Unfortunately, an organization’s legal risk and compliance obligations do not follow – in most cases they remain with the organization that chooses to outsource (the “Customer”). Of course on the Service Provider side, the main motivation is as follows: (1) secure revenue; and (2) void liability. These motivations often counter-oppose the goals of the company seeking to outsource.
These tensions play themselves out during the contract negotiations with Service Providers. It is at this juncture that the role of the Customer’s information security and privacy attorney, working closely with the Customer’s internal security and privacy professions, becomes increasingly important. To navigate these waters legal experience in the areas of data security and privacy law, contract drafting, litigation risk and negotiation tactics is crucial. However, as important, is a solid understanding of technology and substantive security and privacy matters, and how they relate to and interplay with the law. The net result is intense negotiations around the data security and privacy contract terms, which are often in the form of an information security and privacy schedule or exhibit (“InfoSec-Privacy Schedule” or “Schedule”).
In this two-part post, we explore the function and purpose of these Schedules and discuss how they might be drafted and used. Part One discusses the proactive nature of a Schedule and how it should be viewed as compliance document. Part Two details security incident response provisions that should be considered in a Schedule, and contract terms allocating risk of loss between the Customer and Service Provider.
Continue Reading...Issuing Banks File Class Action Suit Against Acquiring Banks in Heartland Breach Matter
In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa. This appears and to be an attempted end-run around the proposed $60 million settlement with Visa. It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms. We will have more analysis of the complaint at a later day. In light of the relative lack of success issuing banks have had in these types of cases, it will be very interesting to analyze the legal theories employed by the issuing banks and track the progress of this matter.
Online Banking and "Reasonable Security" Under the Law: Breaking New Ground?
With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law. Ironically, this question may be answered by reference to a 20 year old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank ("PATCO”) and JM Test Systems, Inc. v. Capital One Bank ("JMT")) and a court’s ruling on a motion for summary judgment in similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment – “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the "damages" pleading phase, it (and possibly these other online breach suits) reveals how some courts view security "standards" and approach the question of whether a company has achieved "reasonable security." I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.
Continue Reading...Quickhits: Heartland Settles With Visa for $60 Million
Read all about it here. Note, analyst Avivah Litan of Gartner indicated the "this seems like a very fair settlement, and it seems like Heartland escaped the tremendous costs that TJX incurred - $139 million plus - despite the fact that Heartland's breach was more extensive." In reality TJX settled with Visa for $41 million, and the $139 million figure (wherever she got it from -- this article from June 2009 claims TJX expended $320 million) likely includes both the Visa and Mastercard settlement amounts PLUS the costs and expenses to defend the numerous actions filed against TJX. At this point I doubt that Ms. Litan (or anybody else except Heartland) knows how much Heartland has incurred in expenses to defend the numerous lawsuits and regulatory actions it is facing.
Quickhits: Security in the Ether; Countrywide Settles Data Breach Case
Happy New Decade (2010)! Unbelievably another decade is gone. Information law developments continue to occur at an increasingly fast pace. The InfoLawGroup is catching up from a very busy December, so we will start out the 2010 blogging with a couple quick hits.
Security in the Ether. A very nice article by David Talbot on the security challenges, myths and misperceptions around Cloud computing. The challenge for security pros and lawyers: what is "reasonable security" in the Cloud, how do you perform your "due diligence," how do you document your due diligence process for use in the event of a breach, litigation or a regulatory action, and how do you draft and negotiate contracts for Cloud-based services?
Judge Preliminarily Approves Countrywide Data Breach Lawsuit Settlement. Faced with 35 lawsuits (many of them class actions) arising out of a security breach exposing the records of millions of customers, Countrywide Financial Corp. has chosen to settle. The settlement includes an offer of one year of credit monitoring for up to 17 million people. In addition, customers that suffered identity theft may recover up to $50,000, but only if they actually lost something of value, were not reimbursed and the theft stemmed from the Countrywide breach. Assuming a 20% redemption rate and a cost of $5-$15 per year for credit monitoring, the credit monitoring alone could cost from $17 million to $51 million (probably on the lower end of the scale -- Countrywide should be able to negotiate favorable credit monitoring rates considering the potential volume). Additional costs that Countrywide had to incur include legal fees and breach notice expenses (assuming breach notice laws were triggered). Does this settlement (and others I am aware of other settlements that have been less publicized) indicate a growing fear that the "damages" wall is weakening?
Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift
While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out a retailer’s payment card data breach. The Cumis Insurance Society, Inc. v. B.J. Wholesale Club, Inc. decision (“Supreme Court Decision”) analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter . 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather in the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.
Continue Reading...
