Mark Paulding

(p) 202-288-9549

Mark Paulding is a senior counsel at InfoLawGroup, which he joined in 2013.  He is an experienced data privacy and security professional and attorney.  Previously, Mark practiced law at Hogan Lovells US LLP.  Prior to attending law school, Mark was an analyst in the Technology & Finance Group of Coopers & Lybrand Consulting, developing financial information systems for federal government agencies.

Mark has counseled a wide variety of businesses on data security, privacy, consumer protection, and antitrust matters.  His practice includes conducting privacy and security risk and compliance assessments; development of security programs, policies, and procedures; development of privacy policies and procedures (including public-facing and internal policies); development and implementation of data de-identification procedures; and security incident investigation, response, and reporting.  In addition, Mark has assisted various clients in the development and implementation of web content accessibility policies and procedures.

Mark has extensive experience advising clients regarding compliance with the FTC Act, HIPAA, the GLB Safeguards Rule, CAN-SPAM Act, ISO 27001 – 27002, PCI-DSS, NERC Critical Infrastructure Protection Standards, federal and state wiretap laws, and the state privacy and security laws adopted in Massachusetts, Nevada, and California.  Mark has represented numerous clients during investigations and enforcement actions by the Federal Trade Commission, Department of Health and Human Services, and various state Attorneys General.

Mark provides privacy and security related counseling regarding commercial transactions.  For example, he prepares and negotiates privacy and security terms within commercial agreements, including HIPAA business associate agreements.  Mark performs privacy and security due diligence for proposed mergers and acquisitions.

In addition to his legal practice, Mark is Co-Founder and Chief Executive Officer of YellowHat Laboratories, Inc., a provider of cybersecurity solutions to protect intellectual property and other critical enterprise secrets from malicious insiders and sophisticated cybercriminals.  Mark is a graduate of Princeton University and Harvard Law School.

The SEC’s New Cybersecurity Guidance Is More Significant Than You Might Think

In the wake of a growing number of major cybersecurity incidents—such as the recent Equifax data breach that affected about 140 million U.S. consumers—the Securities and Exchange Commission (SEC) issued its interpretive guidance on cybersecurity disclosures in late February. The guidance was highly anticipated within the business community, which had expected it to affirm and expand …

FTC and NJ AG Reach $2.2 Million Settlement to Resolve Vizio Video Privacy Matter

On Monday, February 6, 2017, the Federal Trade Commission (“FTC”) and New Jersey Attorney General (“NJAG”) announced a settlement agreement to resolve their joint enforcement action against Vizio. The regulators claimed that Vizio collected detailed information about the content consumers watched (including identifying the content and advertisements viewed through broadcast and cable networks, DVDs, and …

First Circuit Ruling May Extend Reach of VPPA

On April 29, 2016, the First Circuit Court of Appeals addressed the question of what data constitutes “personally identifiable information” and who is a “subscriber” under the Video Privacy Protection Act (VPPA) in Yershov v. Gannett Satellite Information Network, Inc. The plaintiff claimed that Gannett shared information identifying him and the video clips that he …

Courts Continue to Wrestle with Application of VPPA

Recent weeks have seen two notable federal court decisions involving the Video Privacy Protection Act (“VPPA”): In re Hulu Privacy Litigation, 3:11-CV-03764 (N.D. Cal. March 31, 2015) (“Hulu Privacy Litigation”) and Austin-Spearman v. AMC Network Entertainment LLC, 1:14-CV-06840 (S.D.N.Y. April 7, 2015) (“Austin-Spearman”). While the Hulu Privacy Litigation decision may establish an …

HIPAA as a Standard of Care for Common Law Negligence Claims

Because the Health Insurance Portability and Accountability Act (“HIPAA”) does not provide a private right of action, plaintiffs’ attorneys have sought a means to link HIPAA violations to other state or federal legal frameworks which do provide direct recourse for private individuals.  A recent ruling by the Connecticut Supreme Court may open new avenues of …

Massachusetts Continues Aggressive Information Security Enforcement Agenda

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes.  The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were …

Approaching the CASL: The Compliance Date for Canada’s Anti-Spam Legislation Draws Near

The first phase of Canada’s Anti-Spam Legislation (CASL) goes into effect on July 1, 2014.  Accordingly, all businesses engaged in the transmission of Commercial Electronic Messages (CEMs) in Canada should assess their business practices and take steps to adhere to any applicable provisions of the law.  To that end, my February blog post summarizing several key elements of CASL is presented below. …

FTC Report on Data Brokers: An Analysis of the Call for Stronger Controls and Legislation

Earlier this week, the Federal Trade Commission released its long-awaited report on the data brokerage industry – Data Brokers:  A Call for Transparency and Accountability.  This report is the culmination of approximately two years of information collection, public workshops, and analysis by the FTC staff.  Notably, the Report recommends that Congress enact legislation to …

DOJ Consent Decree Provides Guidance on Web Accessibility Compliance Under ADA

On March 6, 2014, the Department of Justice (“DOJ”) issued a press release announcing a proposed consent decree against H&R Block to resolve claims that the H&R Block website, mobile applications, and online tax preparation products were not appropriately accessible to the disabled.  DOJ alleged that failing to make these online services accessible to the …

Information Security Strategy: A Lesson from the Target Breach

Over the past few weeks, new revelations have provided greater insight into the breach of Target Corp. over the holiday shopping season.  Notable among the recent news is the assertion that the cybercriminals behind the Target breach initiated their infiltration through HVAC vendor Fazio Mechanical.  It is believed that the cybercriminals staged a phishing …

Final Regulations Published for Canada Anti-Spam Legislation

The Canadian Radio-television and Telecommunications Commission (CRTC) has released final regulations to implement Canada’s Anti-Spam Legislation (CASL).  CASL imposes notice and consent obligations upon organizations that transmit Commercial Electronic Messages (CEMs) to individuals in Canada.  The plain language of the CASL is somewhat broader than some other anti-spam laws, such as the CAN-SPAM Act in …