David Navetta

Partner
Full contact info

I feel lucky to have been a pioneer in the data security and privacy legal space – it is my passion, and it is always my goal to bring that passion and energy when working with my clients.

About David

David is a prominent leader in privacy, information security and technology law. He has extensive experience counseling clients on novel and cutting-edge data protection issues, including data breach response, cybersecurity risk management, consumer and employee privacy, incident response planning and preparedness, technology transactions, vendor management, board of director advice and consultation, regulatory investigations, litigation and due diligence in corporate transactions. David serves as a “breach coach” on an approved panel for numerous cyber insurance carriers and companies, and he has helped some of the world’s top corporations to effectively respond to complex data security breaches and protect their enterprises. David’s clients range from startups to large Fortune 500 multinationals across a range of industries – including ecommerce, consumer products, name-brand, traditional brick-and-mortar companies, hotels and hospitality, social media, technology, professional services, healthcare, financial institutions and energy.

David has served as a leader and integral member of a Chambers USA-ranked law firm he co-founded. Known for his leadership and extensive experience in privacy and data protection law, David is recognized by Chambers USA as a leading lawyer for privacy and data security, by Chambers USA and Chambers Global for privacy and data security: incident response, by The Legal 500 US as a leading lawyer for international litigation and data protection and privacy, as well as by Who’s Who Legal (WWL) in the areas of information technology and data privacy and protection. He also is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP).

David’s diverse legal experiences across his career have provided him with a unique perspective and pragmatic approach to enterprise security – including serving as the former US co-chair of Norton Rose Fulbright’s data protection, privacy and cybersecurity practice group; building his own entrepreneurial endeavor co-founding InfoLawGroup; working as former assistant general counsel for American International Group’s eBusiness Risk Solutions Group in New York for more than three years; serving as former co-chair of the American Bar Association’s Information Security Committee and former chairman of the organization’s Contracting & Risk Management Working Group; and acting as former co-chair of the Payment Card Industry’s Legal Risk and Liability Working Group.

David speaks and writes frequently concerning technology, privacy and data security legal issues and is often cited as an authority in the press and otherwise. Select publications and speaking engagements include:

Publications

  • Co-author, “DDoS Attacks and the Internet of Things,” Cyber Defense Magazine, December 2016
  • Co-author, “Privacy and Security Issues in Autonomous Cars,” Cyber Defense Magazine, October 2016
  • Co-author, “US Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents,” Cyber Defense Magazine, August 2016
  • Co-author, “The Proliferation of Informal Cybersecurity Guidelines,” Cyber Defense Magazine, June 2016
  • Co-author, “SCOTUS mulls ‘no-injury’ privacy class actions,” Intellectual Property Magazine, June 2015
  • Co-author, “Sharing Cyber Threat Information: A Legal Perspective,” The ISSA (Information Systems Security Association) Journal, January 2015

Speaking engagements

  • Speaker, “CPRA and US State Privacy Laws: A Mid-Year Update on the Regulations and Compliance Approaches,” Cooley c/d/p Privacy Talks webinar series, June 15, 2023
  • Panelist, “Privacy Forum,” Rocky Mountain Information Security Conference, June 7, 2023
  • Presenter, “Beyond Personal Data: Data Regulations, Localizations and Limitations,” 21st Annual Rocky Mountain Intellectual Property & Technology Law Conference, June 2, 2023
  • Speaker, “Privacy Governance as a Strategic Initiative,” Cooley c/d/p Privacy Talks webinar series, April 20, 2023
  • Panelist, “Cyber Resilience & the Evolving Cyber Threat Landscape,” American Institute of Certified Public Accountants (AICPA) Conference, November 15, 2022
  • Speaker, “Global Data Breaches,” Cooley c/d/p Privacy Talks webinar series, September 10, 2022
  • Guest, Privacy Governance v. Cybersecurity Governance, “ADCG on Privacy & Cybersecurity” podcast, Association for Data and Cyber Governance, August 22, 2022
  • Panelist, “Customer Loyalty, Privacy & Governance,” SPOKES Privacy Technology Conference, June 23, 2022
  • Presenter, “Privacy and Cybersecurity Developments: The Americas,” CLE presentation to Marsh McLennan, June 22, 2022
  • Speaker, “You’ve got to move it: Data protection and privacy with cross-border transfers,” The Master’s Thought Leadership Conference, June 21, 2022
  • Presenter, “2022 Data Privacy & Security Update,” 20th Annual Rocky Mountain Intellectual Property & Technology Law Institute, June 2, 2022
  • Speaker, “Data Protection Around the Globe: Latin America,” Cooley c/d/p Privacy Talks webinar series, April 5, 2022
  • Speaker, “US Compliance Journey 2022 – CPRA Roadmap,” Cooley c/d/p Privacy Talks webinar series, February 1, 2022
  • Moderator, “Ransomware Response,” The Institute for Law and Technology’s Cybersecurity and Data Privacy Law Conference, September 22, 2021
  • Speaker “Data Processing Agreements: The 10 Most Important Considerations,” GDPR Turns Three – Myths and Must-Haves, Cooley webinar, June 8, 2021
  • Presenter, “Data Breach – A War Game,” 19th Annual Rocky Mountain Intellectual Property & Technology Law Institute, June 3, 2021
  • Speaker, “Appointing a Data Protection Officer: 10 Common Mistakes,” GDPR Turns Three – Myths and Must-Haves, Cooley webinar, June 1, 2021
  • Guest, FTC crack down on AI?, PrivacyPlan’s “Privacy and AI” podcast, April 28, 2021
  • Speaker, “Employee DSARs: The Coming Deluge,” Exterro webinar, March 4, 2021
  • Speaker, “Cyber Insurance Trends,” Association of Corporate Counsel (ACC) Foundation’s Virtual Cybersecurity Summit, March 4, 2021
  • Speaker, “Data Security and Privacy Legal Outlook in 2021,” Cooley webinar, December 15, 2020
  • Speaker, “Increased Privacy Risk in a Post COVID-19 World,” Gallagher webinar, August 19, 2020
  • Speaker, “The Cybersecurity War Room: Practicing Your Response to the First 72 Hours of a Breach,” ACC SoCal webinar, June 9, 2020
  • Speaker, “CCPA Training for Privacy and Customer Support Teams,” Cooley webinar, May 28, 2020
  • Speaker, “Mergers & Acquisitions: Identifying and Minimizing Cyber Risk,” Gallagher webinar, April 29, 2020
  • Speaker, “California Consumer Privacy Act (CCPA) Update – Data Breach Response and Litigation,” Cooley 2019/2020 MCLE workshop, January 16, 2020
  • Speaker, “Legal Considerations for Ransomware Incidents,” 2019 Ransomware Summit, September 2019
  • Presenter, “GDPR DPO University,” Cooley DPO University workshop, October 18, 2018
  • Speaker, “California Consumer Privacy Act Update,” Silicon Valley Association of General Counsel All Hands Meeting 2018, October 16, 2018
  • Speaker, “Internet of Things and Cybersecurity With Chris Valesek, the ‘Jeep Hacker,’” Norton Rose Fulbright presentation, January 28, 2016
  • Speaker, “Not If, But When: Incident Response and Risk Mitigation,” Risk Management & Insurance Conference, September 2015
  • Speaker, “Emerging Trends and Developments in Cybersecurity,” American Law Institute webinar, July 13, 2015
  • Speaker, “PCI Adjudication & Liability – The Weakest Link: Third-Party Vendors,” NetDiligence Cyber Risk & Privacy Liability Forum, June 2015
  • Speaker, “The United State(s) of Breach,” Financial Institute Symposium (Sydney, Australia), May 3 – 7, 2015
  • Speaker, “Wargaming for the Boardroom: How to Have a Successful Tabletop Exercise,” RSA Conference 2015, April 20 – 24, 2015
  • Speaker, “The United State(s) of Breach,” Insurance Week Conference (London, England), March 23 – 27, 2015
  • Speaker, “The Widening Scope of the PCI Compliance Chain – A Card Breach Scenario,” IAPP Privacy Summit, March 4 – 5, 2015
  • Speaker, “Preventative Privacy Risk Management: Just What the Doctor Ordered,” Norton Rose Fulbright 2015 Health Law Symposium, January 28 – 30, 2015
  • Speaker, “Data Breach and Incident Response Planning,” XL Advisory Board, October 21, 2014
  • Speaker, “Examining the Payment Card Industry Adjudication Process – PCI Breach Scenario,” NetDiligence Cyber Risk & Privacy Liability Forum, October 8 – 9, 2014
  • Panelist, “Cyber Risk/Liability Panel,” International Association of Claims Professionals Annual Meeting, September 30, 2014
  • Speaker, “Breach Coach Perspectives 2014,” 10th Annual Aon Insurance Company Client Symposium, September 8 – 9, 2014
  • Speaker, “PCI Adjudication Process,” NetDiligence Cyber Risk & Privacy Liability Forum, June 12, 2014
  • Speaker, “The Dark Side of a Payment Card Breach,” Resort Hotel Association webinar, June 24, 2014
  • Speaker, “Big Data for Educational Institutions – A Framework for Addressing Privacy Compliance and Legal Considerations,” Higher Education Compliance Conference, June 1 – 4, 2014
  • Speaker, “The Dark Side of a Payment Card Breach,” Rocky Mountain Information Security Conference, May 15, 2014
  • Speaker, “CONVERGENCE: When (and How) Legal and Security Must Work Together,” ISSA CISO Forum and Board Meeting, May 1, 2014
  • Speaker, “The Cloud: A Necessary Risk for Business,” RIMS (the risk management society) 2014 Annual Conference & Exhibition, April 30, 2014
  • Speaker, “Legal Implications of BYOD,” Society of Industrial Security Professionals webinar, April 10, 2014
  • Speaker, “Wire Transfer Fraud – Reducing Risks and Liabilities,” ePlace Solutions webinar, March 20, 2014
  • Speaker, “The Dark Side of a Payment Card Breach,” IAPP Practical Privacy Series, November 6, 2013
  • Speaker, “PCI Fines, Penalties and Assessments,” NetDiligence Cyber Risk & Privacy Liability Forum, October 10, 2013
  • Speaker, “Determining True Data Breach Risk,” IAPP Academy, October 1, 2013
  • Speaker, “Breach Notification Legal Response Overview,” Sedgwick Chicago Seminar Series, September 18, 2013
  • Speaker, “Hot Topics: Security and Privacy Legislative Update 2013,” Practising Law Institute (PLI) 14th Annual Privacy and Data Security Law Institute, July 15, 2013
  • Speaker, “The Cloud: Insurance Aggregation, Cloud Contracts & Technology,” NetDiligence Cyber Risk & Privacy Liability Forum, June 6, 2013
  • Speaker, “Privacy for BYOD Deployments,” M3 Best Practices for Mobile IT, June 4, 2013
  • Speaker, “Commercially Reasonable Security,” Rocky Mountain Information Security Conference, May 23, 2013
  • Speaker, “Why Privacy and Data Security Should Be at the Top of Every Business Agenda,” PLI Information Technology Law Institute 2013, May 16, 2013
  • Speaker, “Cloud Computing Legal, Security and Contracting Issues,” ePlace Solutions webinar series, April 30, 2013
  • Speaker, “Everything You Wanted to Know About Cyber Insurance But Were Afraid to Ask,” RSA Conference 2013, February 28, 2013
  • Speaker, “Commercially Reasonable Security,” eFraud Conference, February 25, 2013
  • Speaker, “A Legal Look at BYOD,” Executive Security Action Forum, February 23, 2013

Education

DePaul University College of Law
JD, 1996

Michigan State University
BA, Accounting, 1992

Rankings and accolades

Chambers USA: Privacy & Data Security: Cybersecurity – Nationwide (2024)

Chambers USA: Privacy & Data Security: Privacy – Nationwide (2019 – 2024)

Chambers Global: Band 1 for Privacy & Data Security: Incident Response – Nationwide (2023)

Chambers USA: Privacy & Data Security: Incident Response – Nationwide (2021 – 2022)

The Legal 500 US: Leading Lawyer in Cyber Law (Including Data Privacy and Data Protection) (2023)

Who's Who Legal: Telecommunications Media & Technology – Information Technology

WWL: Data – Information Technology and Data Privacy & Protection

Memberships and affiliations

International Association of Privacy Professionals