
David Navetta




T: +1 303 801 2732

David Navetta is a US co-chair of Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group. David focuses on technology, privacy, information security and intellectual property law. His work ranges from compliance and transactional work to breach notification, regulatory response and litigation. David currently serves as "breach coach" or is on the approved panel for numerous cyber insurance carriers and companies, and has helped dozens of companies across multiple industries respond to data security breaches. 

David has enjoyed a wide variety of legal experiences over his career that have provided him with a unique perspective and legal skill set, including work at a large international law firm, in-house experience at a multinational financial institution, and an entrepreneurial endeavor running his own law firm.

Prior to joining Norton Rose Fulbright, David co-founded InfoLawGroup LLP, a law firm focusing on information technology, privacy, security and IP-related law. Under David's leadership, InfoLawGroup was ranked as one of the top privacy and data security firms in the United States by Chambers USA in 2013 and 2014. David and InfoLawGroup successfully served a wide assortment of US and foreign clients from large Fortune 500 multinationals, retailers, hotels and restaurants, ubiquitous social media companies and sophisticated technology companies, to healthcare companies, financial institutions, name-brand traditional brick-and-mortar companies, energy companies and start-ups.

David previously worked for over three years in New York as assistant general counsel for American International Group's eBusiness Risk Solutions Group. While there, David analyzed and forecasted information security, privacy and technology risks, drafted policies to cover such risks, and worked on sophisticated technology transactions. David also engaged in commercial litigation for several years prior to going in-house, including working at the Chicago office of Sedgwick, Detert, Moran and Arnold, a large international law firm.

David is a Certified Information Privacy Professional through the International Association of Privacy Professionals. David previously served as a Co-Chair of the American Bar Association's Information Security Committee and was also Co-Chair of the PCI Legal Risk and Liability Working Group. David also served as the Chairman of the ABA's Information Security Committee's Information Security Contracting & Risk Management Working Group. He has spoken and written frequently concerning technology, privacy and data security legal issues, and is frequently cited as an expert in the press and otherwise.

  • Education

    1996 - J.D., DePaul University College of Law
    1992 - B.A., Accounting, Michigan State University


  • Admissions
    • Colorado State Bar License
    • Illinois State Bar License
  • Rankings and recognitions
    • Legal 500 USA, recommended lawyers, International litigation; Technology - data protection and privacy, The Legal 500, 2016-2017
  • Publications
    • Co-author, "DDoS Attacks and the Internet of Things," p. 25 of Cyber Defense Magazine, December 2016
    • Co-author, "Privacy and Security Issues in Autonomous Cars," p. 25 of Cyber Defense Magazine, October 2016
    • Co-author, "U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents," p. 52 of Cyber Defense Magazine, August 2016
    • Co-author, "The Proliferation of Informal Cybersecurity Guidelines," Cyber Defense Magazine, June 2016
    • Co-author, "SCOTUS mulls 'no-injury' privacy class actions," Intellectual Property Magazine, June 2015
    • Co-author, "Sharing Cyber Threat Information: A Legal Perspective," Information Systems Security Association ISSA Journal, January 2015
    • "Cloud Computing Customers' 'Bill of Rights,'" ISSA Journal, January 2011
    • "Data Breach in the Clouds," Hiscox Global Technology News, January 2011
    • "The Legal Defensibility Era," ISSA Journal, August 2010
    • "The PCI Compliance and Encryption Requirements of Nevada's Security of Personal Information Law," DataGuidance, April 2010
    • "Potential Changes to the US Breach Notice Risk Landscape," dataprotectionlaw&policy, February 2010
    • "Interpreting 'Risk' in the Massachusetts Data Protection Law," November 2009
    • "Who is Minding the Legal Risks around PCI?" ISSA Journal, April 2009
    • "Legally Mandated Encryption -- Two New State Laws Mandate Encryption of Personal Information," BNA Privacy & Security Law Reporter, November 2008
    • "PCI Liability Theories – Minnesota's Plastic Card Protection Law and a New Third Circuit Case Could Open the Door to Potential Liability for Merchants," IAPP Privacy Tracker, November 2008
    • "The Legal Implications and Risks of the Payment Card Industry (PCI) Data Security Standard," ABA SciTech Lawyer, June 2008
    • "The Legal Implications of the PCI Data Security Standard," SC Magazine Online, April 2008
    • "The New Privacy Insurance Coverage," ABA SciTech Lawyer, Summer 2006
  • Speaking engagements
    • "Internet of Things and Cybersecurity with Chris Valasek, the 'Jeep Hacker'", Norton Rose Fulbright, New York, NY, January 28, 2016
    • "Not If, But When: Incident Response and Risk Mitigation," RM&I Conference, Colorado Springs, CO, September 2015
    • "Emerging Trends and Developments in Cybersecurity," American Law Institute Webinar, July 13, 2015
    • "PCI Adjudication & Liability - The Weakest Link: Third-Party Vendors," NetDiligence Cyber Risk and Liability Forum, Philadelphia, PA, June 1-3, 2015
    • "The United State(s) of Breach," Financial Institute Symposium, Sydney, Australia, May 3-7, 2015
    • "Wargaming for the Boardroom: How to Have a Successful Tabletop Exercise," RSA Conference 2015, San Francisco, CA, April 20-24, 2015
    • "The United State(s) of Breach," Insurance Week Conference, London, England, March 23-27, 2015
    • "The Widening Scope of the PCI Compliance Chain -- a Card Breach Scenario," IAPP Privacy Summit, Washington, D.C., March 4-5, 2015
    • "Preventative Privacy Risk Management: Just What the Doctor Ordered," Norton Rose Fulbright 2015 Health Law Symposium, Austin, TX, January 28-30, 2015
    • "Data Breach and Incident Response Planning," XL Advisory Board, Sonoma, CA, October 21, 2014
    • "Examining the Payment Card Industry (PCI) Adjudication Process – PCI Breach Scenario," NetDiligence Cyber Risk & Privacy Liability Forum, Santa Monica, CA, October 8-9, 2014
    • "Breach Coach Perspectives 2014," 10th Annual Aon Insurance Company Client Symposium, Vail, CO, September 8-9, 2014
    • "PCI Adjudication Process," NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 12, 2014
    • "The Dark Side of a Payment Card Breach," Resort Hotel Association, Webinar, June 24, 2014
    • "Big Data for Educational Institutions -- A Framework for Addressing Privacy Compliance and Legal Considerations," Higher Education Compliance Conference, Austin, TX, June 1-4, 2014
    • "The Dark Side of A Payment Card Breach," Rocky Mountain Information Security Conference, Denver, CO, May 15, 2014
    • "CONVERGENCE: When (and How) Legal and Security Must Work Together," ISSA CISO Forum & Board Meeting, New Orleans, LA, May 1, 2014
    • "The Cloud: A Necessary Risk for Business," RIMS 2014, Denver, CO, April 30, 2014
    • "Legal Implications of BYOD," Society of Industrial Security Professionals, Webinar, April 10, 2014
    • "Wire Transfer Fraud – Reducing Risks and Liabilities," ePlace Webinar, March 20, 2014
    • "The Dark Side of a Payment Card Breach," IAPP Practical Privacy Series, New York, NY, November 6, 2013
    • "PCI Fines, Penalties and Assessments," NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, October 10, 2013
    • "Determining True Data Breach Risk," IAPP Academy, Seattle, WA, October 1, 2013
    • "Cyber Risk/Liability Panel," International Association of Claims Professionals Annual Meeting, Marana, AZ, September 30, 2014
    • "Breach Notification Legal Response Overview," Sedgwick Chicago Seminar Series, September 18, 2013, Chicago, IL
    • "Hot Topics: Security and Privacy Legislative Update 2013," PLI Privacy and Data Security Law Institute (Fourteenth Annual), July 15, 2013, Chicago, IL
    • "The Cloud: Insurance Aggregation, Cloud Contracts & Technology," NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 6, 2013
    • "Privacy for BYOD Deployments," M3 Best Practices for Mobile IT, San Francisco, CA, June 4, 2013
    • "Commercially Reasonable Security," Rocky Mountain Information Security Conference, Denver, CO, May 23, 2013
    • "Why Privacy and Data Security Should Be At the Top of Every Business Agenda," PLI's Information Technology Law Institute 2013, San Francisco, CA, May 16, 2013
    • "Cloud Computing Legal, Security and Contracting Issues," ePlace Solutions Webinar Series, April 30, 2013
    • "Everything You Wanted to Know About Cyber Insurance But Were Afraid to Ask," RSA Conference 2013, San Francisco, CA, February 28, 2013
    • "Commercially Reasonable Security," eFraud Conference, San Francisco, CA, February 25, 2013
    • "A Legal Look at BYOD," Executive Security Action Forum, San Francisco, CA, February 23, 2013
    • "Legal Challenges of the Mobile Workforce," Corporate Counsel Institute, Atlanta, GA, December 6-7, 2011
    • "Recent Developments in Data Privacy and Emerging Threats in Cyber Security," Corporate Counsel Institute, Atlanta, GA, December 6-7, 2012
    • "Cyber Liability on Main Street: What Coverages Do You Need?" 2012 PLUS International Conference, Chicago, IL, November 7-9, 2012
    • "What Employers Need to Know About Data Protection Before Telling Employees, 'BYOD!' (Bring Your Own Device) Confirmation," Park Avenue Presentations, Webinar, October 9, 2012
    • "Information Security and Cyber Risk," Marsh Energy Company Webinar, September 25, 2012
    • "The Privacy and Security Implications of Bring Your Own Device (BYOD)," IAPP Webinar, August 23, 2012
    • "Creating a Bulletproof BYOD (Bring Your Own Device) Policy for Personal Devices at Work," Center for Competitive Management, July 25, 2012, Webinar
    • "Preparing a Personal Device Use Policy," ePlace Webinar, May 23, 2012
    • "Bring Your Own Device – Security, Privacy and Legal Risks," Rocky Mountain Information Security Conference, Denver, CO, May 18, 2012
    • "Damages and Other Litigation Issues After a Data Breach Event," Cyber Liability Summit, Connecticut, April 25, 2012
    • "Is Your Sensitive Data Secure? Cyber Insurance for Your Firm and Your Clients," Colorado Bar Association, Denver, CO, March 29, 2012
    • "The Dark Side of a Payment Card Breach," RSA Conference 2012, San Francisco, CA, February 27 to March 2, 2012
    • "Cyber Insurance and Your Data Breach," ID Experts Webinar, January 26, 2012
    • "The Evolving Nature of Privacy 'Harm,'" IAPP Webinar, December 19, 2011
    • "Taming the Cloud: Contracting for a Cloud that Actually Works," IAPP Academy, Dallas, TX, September 14 –16, 2011
    • "Legally Defensible Security," American Bar Association Annual Meeting, Toronto, ON, August 3, 2011
    • "Risk and Response: Defining an Event The Legal Ramifications, Requirements and Managing Expectations," Dallas, TX, April 2011
    • "2011 Security and Privacy Landscape," Chartis Market Trends, San Diego, CA, April 6, 2011
    • "Security and Privacy Regulatory Environment 2011," Rocky Mountain Information Security Conference, Denver, CO, May 2011
    • "Reasonably Foreseeable, Legally Defensible," RSA Conference 2011, San Francisco, CA, February 14-18, 2011
    • "Social Media Policies, Contracts and Insurance: Anticipating and Managing External Threats from Social Media," ACI Conference, September 2011
    • "Cloud Computing Legal, Security and Contracting Issues," IAOP Risk Management & Data Security in an Outsourced World, Denver, CO, January 11, 2011
    • "The Tension Between New Technologies and Privacy: Does America Really Believe in Privacy? If Not, Why Care?" The 19th Annual Conference on Current Developments in Technology Law, Seattle, WA, December 9-10, 2010
    • "Emerging Cyber & Privacy Exposures and Insurance Solutions," Cyber Liability Workshop, Denver, CO, November 4, 2010
    • "Assessing the Impact of Recent Litigation over Privacy/Security Breaches: Current Theories of Liability and Claims," 4th Annual Advanced Forum on Cyber and Data Risk Insurance, New York, NY, September 27 - 28, 2010
    • "Legally Defensible, Proactively Protected," ISSA International Conference, Atlanta, GA, September 15 -17, 2010
    • "Privacy and Security Regulatory Trends," The NetDiligence Cyber Risk & Privacy Liability Forum, Philadelphia, PA, June 7-8, 2010
    • "Fraud Prevention: Protect Your Customers and Your Institution from Web Vulnerabilities," Bank Information Security Webinars, May 2010
    • "Negotiating and Preparing Cloud Contracts," IAPP Web Conference, May 3, 2010
    • "Electronic Identity: Who Are You...and When Does it Matter," RSA Security Conference, San Francisco, CA, March 2010
    • "Hot Topics in Information Security Law," RSA Security Conference, San Francisco, CA, March 2010
    • "Information Security Standards and the Law," RSA Security Conference, San Francisco, CA, March 2010
    • "Hot Topics in InfoSec & Privacy Law 2009," IAPP Knowledgenet, Denver, CO, May 2010
    • "When Big, Bad Things Happen to Small Companies: Data Security and the Small-to-Mid-size Business," PLUS Professional Risk Symposium, April 2009
    • "PCI in 2009: A Look at the Legal and Practical Aspects of the PCI-DSS," RSA Security Conference, San Francisco, CA, April 2009
    • "'Hot Topics' in InfoSec Law," RSA Security Conference, San Francisco, CA, April 2009
    • "Bridging the Communications Divide Between IT, Risk and Legal," 2009 Hospitality Law Conference, Houston, TX, February 2009
    • "Information Security and Privacy Legal Compliance," Public Agency Risk Management Association 2009 Conference, Rancho Mirage, CA, February 2009
  • Memberships and activities
    • American Bar Association (former co-chair of the ABA Science and Technology section's Information Security Committee)
    • International Association of Privacy Professionals (IAPP)