David Navetta

Partner

I feel lucky to have been a pioneer in the data security and privacy legal space – it is my passion, and it is always my goal to bring that passion and energy when working with my clients.

About David

David Navetta is a prominent leader in privacy, information security and technology law. He has extensive experience counseling clients on novel and cutting-edge data protection issues, including data breach response, cybersecurity risk management, consumer and employee privacy, incident response planning and preparedness, technology transactions, vendor management, board of director advice and consultation, regulatory investigations, litigation and due diligence in corporate transactions. David serves as a "breach coach" on an approved panel for numerous cyber insurance carriers and companies, and he has helped some of the world’s leading corporations to effectively respond to complex data security breaches and protect their enterprise. David’s clients range from startups to large Fortune 500 multinationals across a range of industries, including ecommerce, consumer products, name-brand traditional brick-and-mortar, hotels and hospitality, social media, technology, professional services, healthcare, financial institutions and energy.

David has served as a leader and integral member of a Chambers USA-ranked law firm he co-founded. He is known for his leadership and extensive experience in privacy and data protection law, and is recognized by Chambers USA as a leading lawyer for privacy & data security from 2020 – 2023, by Legal 500 USA as a leading lawyer for international litigation and data protection & privacy from 2016 – 2020, as well as by WWL:Data in the area of Information Technology and Data Privacy & Protection. He is also a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals.

David’s diverse legal experiences over his career have provided him with a unique perspective and pragmatic approach to enterprise security, including serving as the former US co-chair of Norton Rose Fulbright’s data protection, privacy and cybersecurity practice group; his own entrepreneurial endeavor co-founding InfoLawGroup LLP; former assistant general counsel for AIG’s eBusiness Risk Solutions Group in New York for over three years; former co-chair of the American Bar Association's Information Security Committee and former chairman of the organization’s Contracting & Risk Management Working Group; and former co-chair of PCI’s Legal Risk and Liability Working Group.

David speaks and writes frequently concerning technology, privacy and data security legal issues, and is frequently cited as an expert in the press and otherwise. Select publications and speaking engagements include:

Publications

  • Co-author, "DDoS Attacks and the Internet of Things," p. 25 of Cyber Defense Magazine, December 2016
  • Co-author, "Privacy and Security Issues in Autonomous Cars," p. 25 of Cyber Defense Magazine, October 2016
  • Co-author, "U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents," p. 52 of Cyber Defense Magazine, August 2016
  • Co-author, "The Proliferation of Informal Cybersecurity Guidelines," Cyber Defense Magazine, June 2016
  • Co-author, "SCOTUS mulls 'no-injury' privacy class actions," Intellectual Property Magazine, June 2015
  • Co-author, "Sharing Cyber Threat Information: A Legal Perspective," Information Systems Security Association ISSA Journal, January 2015

Speaking Engagements

  • "Cyber Insurance Trends," ACC Foundation, Virtual Cybersecurity Summit, March 4, 2021
  • "Data Security and Privacy Legal Outlook In 2021," Cooley Webinar, December 15, 2020
  • "Increased Privacy Risk in a Post COVID-19 World," Gallagher Webinar, August 19, 2020
  • "The Cybersecurity War Room: Practicing Your Response to the First 72 Hours of a Breach," ACC SoCal Webinar, June 9, 2020
  • "CCPA Training for Privacy and Customer Support Teams," Cooley Webinar, May 28, 2020
  • "Mergers & Acquisitions: Identifying and Minimizing Cyber Risk," Gallagher Webinar, April 29, 2020
  • "California Consumer Privacy Act (CCPA) Update – Data Breach Response and Litigation," Cooley, San Diego, CA, January 16, 2020
  • "Legal Considerations for Ransomware Incidents," 2019 Ransomware Summit, Pittsburgh, PA, September 12-13, 2019
  • "GDPR DPO University," Cooley, New York, NY, October 18, 2018
  • "California Consumer Privacy Act Update," Silicon Valley Association of General Counsel All Hands Meeting 2018, Santa Clara, CA, October 16, 2018
  • "Internet of Things and Cybersecurity with Chris Valasek, the 'Jeep Hacker,'" Norton Rose Fulbright, New York, NY, January 28, 2016
  • "Not If, But When: Incident Response and Risk Mitigation," RM&I Conference, Colorado Springs, CO, September 2015
  • "Emerging Trends and Developments in Cybersecurity," American Law Institute Webinar, July 13, 2015
  • "PCI Adjudication & Liability - The Weakest Link: Third-Party Vendors," NetDiligence Cyber Risk and Liability Forum, Philadelphia, PA, June 1-3, 2015
  • "The United State(s) of Breach," Financial Institute Symposium, Sydney, Australia, May 3-7, 2015
  • "Wargaming for the Boardroom: How to Have a Successful Tabletop Exercise," RSA Conference 2015, San Francisco, CA, April 20-24, 2015
  • "The United State(s) of Breach," Insurance Week Conference, London, England, March 23-27, 2015
  • "The Widening Scope of the PCI Compliance Chain -- a Card Breach Scenario," IAPP Privacy Summit, Washington, D.C., March 4-5, 2015
  • "Preventative Privacy Risk Management: Just What the Doctor Ordered," Norton Rose Fulbright 2015 Health Law Symposium, Austin, TX, January 28-30, 2015
  • "Data Breach and Incident Response Planning," XL Advisory Board, Sonoma, CA, October 21, 2014
  • "Examining the Payment Card Industry (PCI) Adjudication Process – PCI Breach Scenario," NetDiligence Cyber Risk & Privacy Liability Forum, Santa Monica, CA, October 8-9, 2014
  • "Cyber Risk/Liability Panel," International Association of Claims Professionals Annual Meeting, Marana, AZ, September 30, 2014
  • "Breach Coach Perspectives 2014," 10th Annual Aon Insurance Company Client Symposium, Vail, CO, September 8-9, 2014
  • "PCI Adjudication Process," NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 12, 2014
  • "The Dark Side of a Payment Card Breach," Resort Hotel Association, Webinar, June 24, 2014
  • "Big Data for Educational Institutions -- A Framework for Addressing Privacy Compliance and Legal Considerations," Higher Education Compliance Conference, Austin, TX, June 1-4, 2014
  • "The Dark Side of A Payment Card Breach," Rocky Mountain Information Security Conference, Denver, CO, May 15, 2014
  • "CONVERGENCE: When (and How) Legal and Security Must Work Together," ISSA CISO Forum & Board Meeting, New Orleans, LA, May 1, 2014
  • "The Cloud: A Necessary Risk for Business," RIMS 2014, Denver, CO, April 30, 2014
  • "Legal Implications of BYOD," Society of Industrial Security Professionals, Webinar, April 10, 2014
  • "Wire Transfer Fraud – Reducing Risks and Liabilities," ePlace Webinar, March 20, 2014
  • "The Dark Side of a Payment Card Breach," IAPP Practical Privacy Series, New York, NY, November 6, 2013
  • "PCI Fines, Penalties and Assessments," NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, October 10, 2013
  • "Determining True Data Breach Risk," IAPP Academy, Seattle, WA, October 1, 2013
  • "Breach Notification Legal Response Overview," Sedgwick Chicago Seminar Series, September 18, 2013, Chicago, IL
  • "Hot Topics: Security and Privacy Legislative Update 2013," PLI Privacy and Data Security Law Institute (Fourteenth Annual), July 15, 2013, Chicago, IL
  • "The Cloud: Insurance Aggregation, Cloud Contracts & Technology," NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 6, 2013
  • "Privacy for BYOD Deployments," M3 Best Practices for Mobile IT, San Francisco, CA, June 4, 2013
  • "Commercially Reasonable Security," Rocky Mountain Information Security Conference, Denver, CO, May 23, 2013
  • "Why Privacy and Data Security Should Be At the Top of Every Business Agenda," PLI's Information Technology Law Institute 2013, San Francisco, CA, May 16, 2013
  • "Cloud Computing Legal, Security and Contracting Issues," ePlace Solutions Webinar Series, April 30, 2013
  • "Everything You Wanted to Know About Cyber Insurance But Were Afraid to Ask," RSA Conference 2013, San Francisco, CA, February 28, 2013
  • "Commercially Reasonable Security," eFraud Conference, San Francisco, CA, February 25, 2013
  • "A Legal Look at BYOD," Executive Security Action Forum, San Francisco, CA, February 23, 2013

Education

DePaul University College of Law
JD, 1996

Michigan State University
BA, 1992, Accounting

Rankings & accolades

Chambers USA: Band 1 for Privacy & Data Security: Incident Response – Nationwide (2023)

Chambers USA: Privacy & Data Security: Incident Response – Nationwide (2021 – 2022)

The Legal 500 US: Leading Lawyer in Cyber Law (Including Data Privacy and Data Protection) (2023)

Who's Who Legal: Telecommunications Media & Technology – Information Technology

WWL: Data – Information Technology and Data Privacy & Protection

Memberships & affiliations

International Association of Privacy Professionals