Privacy Law Blog

Kristen J. Mathews

Kristen J. Mathews is head of the Privacy and Data Security Group and a member of the Technology, Media and Communications Group.

Kristen focuses her practice on technology, e-commerce and media-related transactions and advice, with concentrations in the areas of data privacy, data security, direct marketing and online advertising. She regularly advises clients on a wide range of matters, including privacy and data security compliance, responding to data security breach incidents, preparing privacy and data security policies, data profiling, behavioral marketing, open source software issues, financial privacy, children's privacy, international privacy, health care privacy, identity theft prevention, geolocational privacy, mobile marketing, social networking, payment card data security and telematics.


Kristen's clients cross all industries, and include retailers, consumer and business service providers, financial institutions, health care institutions, accounting firms, insurance companies, telecommunications and media companies, entertainment conglomerates, online businesses, information aggregators, print and electronic publishers, consumer products conglomerates, automobile companies, technology, hardware and software vendors, and educational entities.


During the course of her career, Kristen's practice has evolved and grown with her clientele to address the most cutting-edge technology and data protection issues. Kristen always brings to the table experience, practicality, creativity, and a desire to enable her clients' business purposes.

Posts by Kristen J. Mathews

Second Circuit Ruling Opens Door to Telephone Consumer Protection Act Class Actions in New York

Posted in TCPA

Based on a December 3rd decision by the Second Circuit Court of Appeals, class actions under the Telephone Consumer Protection Act (TCPA) can now be brought in New York federal court. This decision marks a reversal of Second Circuit precedent, and will likely increase the number of TCPA class actions being filed in New York. Companies… Continue Reading

Court Shines Light on California Data-Sharing Law: Proskauer Litigators Obtain Dismissal

Posted in California

On July 3, 2012, Orange County Superior Court Judge Nancy Wieben Stock issued a ruling dismissing a California “Shine the Light” consumer protection law case without leave to amend, making it the first “Shine the Light” case to come to a final decision in a trial court. Judge Stock dismissed the case against XO Group Inc…. Continue Reading

Data Breach Case Research Paper Sheds Light

Posted in Data Breaches

In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick. Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to… Continue Reading

Finally, A Home for Mobile App Privacy Policies – But One With A Financial “Catch”

Posted in Mobile Privacy

On February 22, 2012, California’s Attorney General, Kamala D. Harris, entered into an agreement with several leading providers of mobile devices and app stores to increase consumer privacy protection for mobile applications or “apps.” Under the agreement’s terms, these companies have agreed to redesign their app stores to provide a location for app developers to display their privacy policies.

The White House Proposes New Consumer Privacy Bill of Rights

Posted in Data Privacy Laws

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s… Continue Reading

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

Posted in Data Privacy Laws, FTC Enforcement, Online Privacy

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule." We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent… Continue Reading

Breach Notification Obligations In All 50 States?

Posted in Security Breach Notification Laws

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?) Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of… Continue Reading

Proskauer on Privacy: Boston Edition

Posted in Online Privacy

Following the success of our Annual Proskauer on Privacy Conference in New York, we are taking the program on the road and invite you to attend our first Proskauer on Privacy: Boston Edition. Presented by the firm’s Privacy and Data Security Group, this conference will focus on the latest developments in this area of law…. Continue Reading

Mathews Explains Social Media Privacy in Exclusive Bloomberg Video Interview

Posted in Online Privacy

Still don’t really understand all the media attention on Facebook’s, Twitter’s and Google’s user privacy woes? In a recent video interview by Bloomberg’s Spencer Mazyck, Proskauer’s Kristen Mathews explained the issues in a way that anyone can understand. In this video interview, Mathews discussed the background of the recent media scrutiny over Facebook’s and Myspace’s… Continue Reading

Consent to Cookies? Who Wouldn’t?

Posted in Online Privacy

If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers. Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators… Continue Reading

Massachusetts Finally Finalizes Data Security Regulations – We Think

Posted in Identity Theft

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts’ "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in July 2007. Regulation 201 CMR 17.00 ("Standards For The… Continue Reading

Who Cares If A List of Email Addresses Gets Stolen?

Posted in Data Breaches

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection? One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone… Continue Reading

DC Court Sides with the ABA – No Red Flag Rules for Lawyers

Posted in Identity Theft

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission’s Red Flags Rules cannot be enforced against lawyers, saying that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s… Continue Reading

Since when does a legal entity have “privacy” rights?

Posted in FOIA

Since the Third Circuit said so, in its September 22, 2009 decision in AT&T v. Federal Communications Commission (No. 084024). Most privacy practitioners would not consider a legal entity to have privacy rights. Rather, a legal entity may have trade secrets or contractual confidentiality protections. However, in its novel holding, the Third Circuit found that… Continue Reading

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

Posted in Data Breaches, Medical Privacy, Security Breach Notification Laws

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning… Continue Reading

Update: Maine’s Marketing to Minors Law Found Likely to Be Unconstitutional

Posted in Direct Marketing

The first lawsuit challenging Maine’s Act to Prevent Predatory Marketing Practices Against Minors has concluded.  The District of Maine issued a Stipulated Order of Dismissal on September 9, stating that there is a likelihood that the statute is "overbroad and violates the First Amendment", and putting third parties "on notice" that a private suit "could… Continue Reading

Massachusetts’ Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Posted in Data Privacy Laws

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.) The revised regulations emphasize… Continue Reading

Maine Makes Marketing Minors “Predatory”

Posted in Direct Marketing

In mid-September, Maine’s “Act to Prevent Predatory Marketing Practices against Minors” is scheduled to take effect.  Due to the lack of a scienter element in several of the requirements of this new law, this Act could have far-reaching consequences for all businesses that engage in direct marketing or that sell or transfer personal information to… Continue Reading

WEP vs WPA – What You Need to Know

Posted in Data Breaches

In the context of wireless network security, we hear a lot about WEP vs WPA, but these technologies are not widely understood, especially among attorneys.  WEP and WPA are two alternative ways to secure a wireless network from unauthorized interception, and WPA is more secure than WEP. In fact, researchers have reported consistently for several… Continue Reading

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Posted in Behavioral Marketing, Data Privacy Laws, FTC Enforcement, Online Privacy, Spyware

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient. On June… Continue Reading

What elementary school did you go to?

Posted in Identity Theft

I don’t know, but I could probably find out.  There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice.  Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be… Continue Reading