Use of cookies by
Norton Rose Fulbright
We use cookies to deliver our online services. Details and instructions on how to disable those cookies are set out at By continuing to use this website you agree to our use of our cookies unless you have disabled them.

Boris Segalis

Co-Head, Data Protection, Privacy & Cybersecurity, United States

Boris Segalis

New York

T:+1 212 318 3105

Boris Segalis is a US co-chair of Norton Rose Fulbright's Data Protection, Privacy & Cybersecurity practice group. He edits the practice's data protection blog,

Boris counsels clients regarding a broad range of privacy, information security, cybersecurity and information management issues. The practice addresses all aspects of information management lifecycle, including its collection, use, storage, disclosure and destruction, as well as the protection of the information and the infrastructure supporting the data.

Boris advises clients on information law issues that arise in the context of data-based products and services, big data programs, smart grid operations, marketing and advertising, corporate transactions (including M&A and bankruptcy), state and federal investigations and regulatory actions, cross-border data transfer, vendor management, cloud computing, technology transactions, incident and breach response and pre-response planning. Boris represents clients in a variety of industries, ranging from start-ups to Fortune 100 companies. His clients include companies in the consumer products and services areas, online retailers and media companies, pharmaceutical companies, utilities, travel-related businesses, B2B technology providers, payment processing businesses, and non-profit organizations.

Prior to joining Norton Rose Fulbright, Boris practiced at two national firms, and subsequently joined InfoLawGroup LLP, a boutique national law firm focusing on information technology, privacy, and data security. As one of the core partners at the firm, Boris helped develop InfoLawGroup into one of the leading privacy and data security practices in the United States, recognized by Chambers USA in 2013 and 2014. From 2014 to present, Boris has been individually recognized by Chambers USA as a Ranked Lawyer in the Nationwide, Privacy & Data Security category. Boris began his professional career in the aerospace industry, where he worked as an engineer on the Space Shuttle and other space programs.

Boris is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals.

Boris advises clients on a variety of privacy, data protection and cybersecurity legal requirements and self-regulatory guidance and programs, such as:

  • Tile V of GLBA, and the banking, insurance and FTC regulations implementing the GLBA's privacy and security requirements, including the interagency guidance on breach response
  • FCRA, as amended by FACTA, and FTC and banking regulations implementing the law, including the Disposal Rule and the Red Flags Rule
  • State breach notification laws and information security laws
  • State financial privacy laws, including in California and Vermont
  • NIST privacy and cybersecurity guidance, including NIST 800-53, 800-122, and the Cyber Security Framework
  • The PCI-DSS payment card industry standards
  • Cross-border data transfer requirements, including the U.S.-EU and U.S.-Swiss Safe Harbor frameworks for the transfer of personal data from Europe to the U.S., model clauses and BCRs
  • HIPAA and HITECH privacy and data security requirements, including HHS regulations, and state health information privacy laws, including in Texas and California
  • FERPA educational privacy and data security requirements, and analogous state requirements
  • Federal guidance and public utility commission regulations governing the confidentiality and security of energy usage data, including requirements in California, Colorado, Minnesota, Texas and other states
  • The Privacy Act and FISMA requirements applicable to federal government agencies and federal contractors
  • NLRB guidance on employee use of social media, and state employee privacy requirements
  • CalOPPA online privacy disclosure requirements for websites, mobile apps and other Internet services
  • COPPA requirements governing children's privacy
  • TCPA, including FTC and FCC requirements governing mobile marketing, and equivalent state requirements
  • Mobile carrier rules for mobile marketing
  • CAN-SPAM email marketing requirements
  • FTC guidance on behavioral advertising and endorsements
  • IAB behavioral advertising principles and the MMA code of conduct for mobile marketing
[+Open all]
  • Education

    2003 –  JD, NYU School of Law
    1996 –  BS, Mechanical Engineering, Georgia Tech


  • Representative experience
    • Disputes
      • Represented a big data company in a Federal Trade Commission investigation
      • Represented numerous clients in responding to state and federal regulatory inquiries in connection with data security breaches
      • Represented a utility in a dispute with a vendor responsible for monitoring and repairing the smart grid network, after vendor abruptly terminated services
      • Served as a court-appointed Consumer Privacy Ombudsman in a bankruptcy proceeding in the United States Bankruptcy Court for the District of Delaware
      • Represented an online publisher in a dispute before BBB enforcement panel regarding compliance with the IAB online behavioral advertising guidelines
      • Represented a data broker in a dispute with the Network Advertising Initiative regarding compliance with the organization's online advertising standards
    • Compliance Counseling
      • Advised numerous clients on global privacy and cybersecurity compliance strategy in conjunction with local counsel
      • Assisted financial institutions, utilities and creditors in complying with the Red Flags Rule
      • Assisted two utilities in preparation of filings in response to Public Utilities Commissions' regulatory proceeding relating to privacy of utility customers, including energy usage information
      • Assisted numerous organizations across a variety of industries in verifying compliance with the US-EU and US-Swiss Safe Harbor program and certification with the US Department of Commerce
      • Advised clients on compliance with HIPAA and HITECH requirements and updated policies and procedures to comply with the laws and implementing regulations
      • Developed a privacy and information security module for an organizations' vendor management programs, based on legal requirements, self-regulatory requirements and best practices applicable to the organization, and assisted in the implementation of the programs
      • Prepared workplace social media guidance to comply with NLRB requirements
      • Developed privacy and security policies and procedures for "Bring Your Own Device" programs for employees
      • Advised client on patient privacy issues in connection with patient health records, electronic health records and adherence programs
      • Advised a federal government-owned corporation on compliance with the Privacy Act and FISMA, and NIST requirements in developing a mortgage assistance program under TARP
      • Prepared numerous privacy notices for websites and mobile applications, in compliance with CalOPPA and global data protection requirements, and advised companies on changes to privacy practices in light of FTC guidance
      • Advised financial institutions on data sharing practices and compliance with GLBA and FCRA
      • Advised clients on compliance with legal and self-regulatory privacy requirements in connection with email, telephone and mobile marketing programs
    • Breach Response & Preparedness
      • Developed incident response plans for multiple organizations across industries, reflecting state breach law requirements, federal banking requirements under the GLBA, HHS breach response requirements, and SEC disclosure guidance
      • Trained employees on breach response plans
      • Developed a social media crisis response plan
      • Advised clients on response to hundreds of information on security incidents involving compromise of consumer data, employee data, health information and payment card information
    • Product Design & Strategy
      • Advised a payment card brand on the development of a data analytics service
      • Advised a client on developing an electronic health records portal and compliance with the California Medical Information Act
      • Advised an electronics manufacturer on the development of activity-tracking device and portal
      • Advised on an acquisition through bankruptcy proceedings of a customer database containing detailed and highly confidential personal information; counseled the client on re-launching the business and engaging former customers
    • Transactions
      • Negotiated technology agreements, on behalf of B2B technology providers and business customers in technology agreements, including SaaS
      • Negotiated numerous Business Associate Agreements on behalf of health plans and Business Associates
      • Negotiated data privacy and security terms in numerous vendor agreements
  • Admissions
    • New York State Bar License
  • Rankings and recognitions
    • Legal 500 USA, recommended lawyer, International litigation; Technology - data protection and privacy, The Legal 500, 2016-2017
    • Crain's New York Business, 40 Under 40, Crain Communications Inc., 2015
    • Chambers Global, USA: Privacy & Data Security, Chambers & Partners, 2017
    • Chambers USA, Nationwide: Privacy & Data Security, Chambers & Partners, 2014-2017
    • New York Metro Super Lawyers, technology transactions, Thomson Reuters, 2017
    • New York Metro Rising Stars, technology transactions, Thompson Reuters, 2014-2016
  • Publications

    Boris has regularly discussed privacy and data security issues on Fox Live. He is a co-author of the Privacy and Data Security Law Deskbook, Aspen Publishers, Wolters Kluwer Law & Business, July 2010. Other noted publications include:

    • Quoted in "Should Banks be in the Business of 'Surveillance Capitalism'?" American Banker, June 8, 2017
    • Quoted in "How WannaCry can Help Businesses Prepare for GDPR," WSJ Pro Cybersecurity, May 31, 2017
    • Co-author, "Will the Trump Administration Take US-EU Data Protection Disputes to the WTO?," New York Law Journal, February 14, 2017
    • Co-author, "Privacy and Security Issues in Autonomous Cars," p. 25 of Cyber Defense Magazine, October 2016
    • Co-author, "U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents," p. 52. of Cyber Defense Magazine, August 2016
    • Co-author, "The Proliferation of Informal Cybersecurity Guidelines," Cyber Defense Magazine, June 2016
    • Co-author, "Ensuring Cybersecurity of Critical Infrastructure," New York Law Journal, March 7, 2016
    • Quoted in "Why the CFPB is About to Ramp Up Cyber Enforcement," Bloomberg BNA, March 3, 2016
    • "Cybersecurity Will Be A Top Priority In State Of The Union," Law360, January 14, 2015
    • "Record Number of Data Breaches for New Yorkers in 2013," InfoLawGroup Blog, July 18, 2014
    • "Co-author, Cybersecurity Effort Moves Forward – NIST Issues Final Critical Infrastructure Cybersecurity Framework," InfoLawGroup Blog, February 18, 2014
    • "New HIPPA/HITECH Rules Implementation Roadmap; Countdown begins to Sept. 23, 2013 Compliance Deadline," InfoLawGroup Blog, January 31, 2013
    • "Online Retailers Stumped by Internet Marketing Self-Regulation in an Unwelcome Holiday Surprise," InfoLawGroup Blog, January 31, 2013
    • "Emerging Privacy Issues in Bankruptcy," New York Law Journal, June 10, 2010
    • "Preservation and Monitoring of Corporate Messaging," New York Law Journal, November 2009
    • "FTC's Red Flags Rule: Delays Suggest Confusion on the Part of the Industry," Privacy & Data Security Law Journal, July 2009
  • Speaking engagements
    • IAPP KnowledgeNet, "The Future Rules of Artificial Intelligence, AI and Privacy: The Transatlantic Debate," Speaker, New York, New York, November 17, 2017
    • "Implementing the New DFS Cybersecurity Regulation," Panelist, Benjamin N. Cardozo School of Law, New York, New York, April 28, 2017
    • "Latest in Cybersecurity - and How to Comply," Speaker, Norton Rose Fulbright US LLP, New York, New York, April 6, 2017
    • IAPP KnowledgeNet, "GDPR Deep Dive: Guidance on DPOs, Data Portability and Other Individual Rights", Speaker, New York, New York, March 20, 2017
    • IAPP Europe Data Protection Congress - Speaker, Brussels, Belgium, November 10, 2016
    • Data Protection and Cyber Risks for Critical Public Infrastructure, Speaker, Norton Rose Fulbright US LLP, New York, New York, November 3, 2016
    • General Counsel Forum and Compliance Workshop - Speaker, New York Stock Exchange, New York, New York, November 3, 2016
    • The Legal Landscape of Autonomous Vehicles - Where Are We and Where Are We Going in the United States and Germany, Webinar Speaker, Norton Rose Fulbright US LLP, October 26, 2016
    • "Current Trends in Cybersecurity and Privacy for the Financial Sector," Panelist, Association of Corporate Counsel, 3rd Annual Securities Law Symposium, Toronto, Ontario, October 6, 2016
    • "Cyber Security Threats: Is the Electrical Industry Prepared?"  Speaker, GCPA Annual Fall Conference, Austin, Texas, October 5, 2016
    • European Union General Data Protection Regulation, Norton Rose Fulbright US LLP, New York, New York, May 25, 2016
    • DFS Summit, Moderator and Speaker - Regulatory Panel, Columbia Business School, New York, New York, May 20, 2016
    • Cybersecurity in the Shipping Industry, Norton Rose Fulbright US LLP, New York, New York, May 17, 2016
    • GDPR Comprehensive 2016, IAPP KnowledgeNet, New York, New York, May 17-18, 2016
    • "The Great Debate: Balancing Government Interests and Access to Data vs. the Consumer Right to Privacy," Americas Global Risk Leadership Conference, Los Angeles, California, May 9-12 2016
    • "UJA-Federation of New York, Big Data - From the Dark Past to the Unknown Future," Event Chair and Speaker, New York, New York, March 16, 2016
    • "Internet of Things and Cybersecurity - A Talk with Chris Valasek, the 'Jeep Hacker'," Norton Rose Fulbright US LLP, January 28, 2016
    • "U.S. and Europe at a Privacy Crossroads," IAPP KnowledgeNet, New York, New York, November 18, 2015
    • "Upping the Ante on Data Breach Response: New Developments in Cybersecurity," TechForum Security Forum,  New York, New York, October 1, 2015
    • "UJA-Federation of New York, Tech Talk Cybersecurity," Norton Rose Fulbright panelist and host, July 22, 2015
    • "Update on Privacy Litigation," Sedona Conference WG11 Meeting, Miami, Florida, June 24, 2015
    • "Managing Employee Privacy in the MobileFirst Era," MobileFirst 2015, San Francisco, California, June 10-11, 2015
    • "Cybersecurity, Enterprise Risk and the Boardroom," Director's Roundtable Seminar Series, Houston, Texas, May 28, 2015
    • "U.S. Privacy Law Overview," Maine Law Information Privacy Summer Institute, University of Maine School of Law, Portland, Maine, May 21, 2015
    • "M&A in 2015: Data Protection Due Diligence,"  Norton Rose Fulbright web conference, April 30, 2015
    • Privacy Roundtable with FTC Commissioner Brill, IAPP KnowledgeNet, New York, New York, January 30, 2105
    • "Privacy Law Update, NYIPLA Hot Topics in Trademarks," Advertising & Copyrights CLE Seminar, Princeton Club, New York, New York, July 17, 2014
    • "U.S. Privacy Law Overview," Maine Law Information Privacy Summer Institute, University of Maine School of Law, Portland, Maine, June 11, 2014
    • "Data Protection – the Impact of Technological Integration," ABA Section of International Law Conference on Data Protection – Challenges for Electronic Communication in Transatlantic Business, Frankfurt, Germany, May 22, 2014
    • "Big Data in Utility Industry," PG&E, International Privacy Day, San Francisco, California, January 28, 2014
    • "What's Important (and What's Not) for Your InfoSec Program," IAPP Privacy Academy 2013, Seattle, Washington, September 30-October 2, 2013
    • "Taming Big Data," IAPP Privacy Academy 2013, Seattle, Washington, September 30-October 2, 2013
    • "The Snowden Fallout: New EU Demands, Questions for U.S. Service Providers and How to Respond," IAPP Web Conference, September 12, 2013
    • "Privacy & Cybersecurity Law: Advising the C-Suite on Critical Issues in Our Information Society," New York City Bar Association, March 20, 2013
    • "Blending the Personal and Professional on One Device," Seventh Law & Information Society Symposium: Privacy and Employment in the Digital Society, Center on Law and Information Policy at Fordham Law School, March 19, 2013
    • "Panel on Impact of NSA Controversy on Doing Business in Europe," NYC Practical Privacy Conference 2013 – Data Breach, New York, New York, January 29, 2013
  • Memberships and activities
    • Sedona Conference WG11 Data Security and Privacy Liability – Member
    • Former Co-Chair, IAPP NYC KnowledgeNet Lecture Series
    • NYC Practical Privacy Series 2013 Conference – Data Breach, Chair
    • NYU Polytechnic School of Engineering – Adjunct Professor
  • Languages
    • Russian