Use of cookies by
Norton Rose Fulbright
We use cookies to deliver our online services. Details and instructions on how to disable those cookies are set out at nortonrosefulbright.com/cookies-policy. By continuing to use this website you agree to our use of our cookies unless you have disabled them.

Steven B. Roosa

Head of NRF Digital Analytics and Technology Assessment Platform

Steven B. Roosa

New York

T:+1 212 318 3222

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as senior counsel at our New York office.

Steve advises clients on privacy and data protection at all stages of the development lifecycle from setting initial specifications up through wireframes, beta versions, and post-release.  This includes consumer-facing applications and sites in financial services, healthcare, rich media content (including OTT video), retail, telecommunications, and hospitality areas to name a few.  Steve also advises clients regarding their own and third party application programming interfaces (APIs) and software development kits (SDKs).

In addition to his work with the Data Lab, Steve advises clients on GDPR planning, privacy program documentation, internal data handling policies, and security planning and policies. On emergency privacy or security issues relating to consumer-facing applications and interfaces, Steve will also work with incident response teams in responding to regulatory investigations, media inquiries, and "bug bounty" security researchers.

Other representative matters include: mobile app privacy compliance; leveraging anonymity solutions to help clients safely unlock the value of large data sets; Internet tracking; web security; geo-fencing; FTC compliance; privacy considerations related to modified network protocols; California best practices for websites and mobile apps; compliance with wiretap statutes and the Electronic Communications Privacy Act (ECPA); public-key infrastructure (PKI) issues; and certification authority matters pertaining to online trust. 

Typical clients span jurisdictions and industries and include: global companies, media companies, Fortune 500 corporations, financial services entities, healthcare providers, life sciences companies, privately held companies, large retailers, technology companies, small and medium size businesses, and non-profit entities.

[+Open all]
  • Education

    JD, Rutgers Law School
    BA, Cornell University

  • Representative experience

    Technical and specialized engagements:

    • Mobile app privacy testing on Android, iOS, and Kindle devices
    • Website privacy testing and analysis
    • Data Lake privacy controls
    • API testing
    • IoT privacy and feature testing
    • Hard-coding legal decision making in privacy control platforms
    • Privacy and security training
    • Online ad ecosystem training


    Privacy-related class action litigation defense and regulatory defense:

    • Represented companies in litigation resulting from use of social network widgets
    • Represented companies in relation to state attorneys general inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations.
    • Represented several companies in class action litigation related to the use of cookies and flash cookies.


    General Compliance and Corporate Governance:

    • Provided advice to large retailers with respect to geo-fencing projects
    • Provided strategic advice and counsel on local, national and international privacy and data protection and data transfer laws for numerous companies
    • Assisted numerous companies in drafting, design and implementation of internal company policies, including information security, data and records management and retention, data classification and handling, device management and "Bring Your Own Device" policies, codes of conduct, white papers, marketing materials, vendor white lists and internal policies on Internet tracking.
    • Provided counseling for large communication provider, software companies and mobile app developers with respect to issues pertaining to security, encryption and authentication.
    • Provided advice to numerous companies with respect to the use of geo-location information.
    • Developed privacy training programs.
  • Admissions
    • District of Columbia Bar
    • New Jersey State Bar
    • New York State Bar
  • Rankings and recognitions
    • Outstanding Lawyer, Nightingale's Healthcare News, 2009
    • Top 40 Under 40, New Jersey Law Journal, 2008
  • Publications
    • "A Deep Dive Into the Privacy and Security Risks for Health, Wellness and Medical Apps," IAPP Privacy Tech, April 6, 2015
    • "How Much Does Cybercrime Threaten Latin American Companies?" Inter-American Dialogue Financial Services Advisor, March 20-April 2, 2014
    • "Trust Darknet: Control and Compromise in the Internet's Certificate Authority Model", Internet Computing, IEEE, February 6, 2013, co-author Stephen Schultze, (Peer Reviewed)
    • Co-author, "Study Criticizing Android Apps Was Pretty Lame," Law360, December 3, 2012
    • Co-author, "The New Corporate Approach To Privacy Compliance," Law360, July 31, 2012
    • "SSL Hacked: 2011 Proved That The Enterprise Can't Rely On Encrypted Communications; But Corporate Counsel Can Champion a Fix," Corporate Counsel, Law.com, September 28, 2011
    • "Information Security and Privacy: A Practical Guide for Global Executives, Lawyers, and Technologists," Science and Technology Law Section, American Bar Association, February 17, 2011
    • "The Flawed Legal Architecture of the Certificate Authority Trust Model," Freedom to Tinker Blog, December 15, 2010
    •  "Encryption Is Not Enough: Why It's Time for General Counsel to Weigh In on Authentication Practices Associated With Secure Communications," e-Commerce Law Report, Vol. 12, Issue 11, West Publications, November 2010
    • "The 'Certificate Authority' Trust Model for SSL: A Defective Foundation for Encrypted Web Traffic and a Legal Quagmire," Intellectual Property & Technology Law Journal, Vol. 22, No. 11, November 2010
    • "The Next Generation of Artificial Intelligence in Light of In re Bilski," The Intellectual Property & Technology Law Journal, Vol. 21, No. 3, March 2009
  • Speaking engagements
    • "The Insecure Digital World: Data Breaches and Other Threats to Consumers," Consumer Federation of America Consumer Assembly, May 10-11, 2018
    • "Moral Humans, Immoral Algorithms," Privacy Security Risk (IAPP), San Diego, October 2017
    • Steven Roosa and Josh Kroll, "The Algorithm Made Me Do It: Predictive Power, Ethics and the Law in the Age of Machine Learning, Artificial Intelligence, and Mathematical Perplexity," Highmark Health All-Hands Privacy Workshop, Pittsburgh, PA, January 11, 2017. (Invited).
    • "Moral Humans and Amoral Algorithms: How Machine Learning Creates Privacy and Ethics Exposure and What You Need to Know About It," Privacy + Security Forum, October 24-26, 2016
    •  "New Legal Challenges Resulting from an Escalation of Cyber Risks and Data Breaches," New York Bankers Association's Bank Counsel Seminar, April 23, 2015
    • "AdvaMed's Mobile Health, Wellness and Medical: A Privacy Workshop," Regulatory Oversight of Mobile Medical Devices and Health and Wellness Apps by the FDA and FTC, Hands on Testing of Mobile Apps for Privacy and Security, Shortcomings in De-Identification Schemes, April 22, 2015
    • "Mobile Apps and Network-Aware Devices: Legal Exposure in the Collection of Data and What to Do About It," AdvaMed Webinar, November 4, 2014
    • "Cyber Security Risks that Threaten Corporate Intellectual Property and Client Confidentiality," IP Trademark, Copyright & Licensing Counsel Forum, October 28-29, 2014
    • "Financial Services IT – Avoidance of Risks," Information Security Issues, Practising Law Institute, May 21, 2014
    • Moderator, "Mobile Apps and Privacy: The Hidden Risks," IP Trademark, Copyright & Licensing Counsel Forum, October 22, 2013
    • Moderator, "Compromise and Control at the Perimeter of the Network: Online Trust, Mobile Security and Mitigating Risk in Mergers and Acquisitions," North Virginia Technology Council General Counsel Committee Event, June 7, 2013
    • "Mobile Privacy and Security," The Current Regulatory Landscape and New Risk Threat Model, April 16, 2013
    • "Mobile Privacy and Monetization: Risks and Opportunities in the Era of Networked Data," L2 Blog Social CRM Clinic, April 4, 2013
    • "Privacy and Security in Mobile Apps, the Cloud, and the Internet of Things: The Role of In-House Counsel In Mitigating New Risks," Association of Corporate Counsel, Northeast Chapter, October 3, 2012
    • "Mobile Security & Privacy Best Practices," Online Trust Alliance's Forum, October 1-4, 2012
    • Presenter, "The Devil Is in the Indemnity Agreements: A Critique of the Certificate Authority Trust Model's Putative Legal Foundation," The Center for Information Technology Policy at Princeton University, December 9, 2010