Kristen J. Mathews


Kristen J. Mathews is head of the Privacy and Data Security Group and a member of the Technology, Media and Communications Group.

Kristen focuses her practice on technology, e-commerce and media-related transactions and advice, with concentrations in the areas of data privacy, data security, direct marketing and online advertising. She regularly advises clients on a wide range of matters, including privacy and data security compliance, responding to data security breach incidents, preparing privacy and data security policies, data profiling, behavioral marketing, open source software issues, financial privacy, children’s privacy, international privacy, health care privacy, identity theft prevention, geolocational privacy, mobile marketing, social networking, payment card data security and telematics.

Kristen’s clients cross all industries, and include retailers, consumer and business service providers, financial institutions, health care institutions, accounting firms, insurance companies, telecommunications and media companies, entertainment conglomerates, online businesses, information aggregators, print and electronic publishers, consumer products conglomerates, automobile companies, technology, hardware and software vendors, and educational entities.

During the course of her career, Kristen’s practice has evolved and grown with her clientele to address the most cutting-edge technology and data protection issues. Kristen always brings to the table experience, practicality, creativity, and a desire to enable her client’s business purposes.


Articles By This Author

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.


Breach Notification Obligations In All 50 States?

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). 


5 Strategies For Avoiding Wiki Situations

Want to know how you can protect your company from Wikileaks debacles the likes of which have been faced by the U.S. government as well as private companies?  Check out this recent article by Proskauer's Dan Winslow and Kristen Mathews.

What Do You Really Need to Know About the FTC's Recent Report on Privacy?

 

Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today? 

 


Proskauer on Privacy: Boston Edition

Following the success of our Annual Proskauer on Privacy Conference in New York, we are taking the program on the road and invite you to attend our first Proskauer on Privacy: Boston Edition. Presented by the firm's Privacy and Data Security Group, this conference will focus on the latest developments in this area of law.

Our keynote speaker is Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation of Massachusetts.

Tuesday, December 14, 2010
8:00 a.m. - 8:30 a.m. Breakfast and Registration
8:30 a.m. - 11:45 a.m. Program

One International Place
Boston, MA 02110-2600


 

Mathews Explains Social Media Privacy in Exclusive Bloomberg Video Interview

Still don't really understand all the media attention on Facebook's, Twitter's and Google's user privacy woes?  In a recent video interview by Bloomberg's Spencer Mazyck, Proskauer's Kristen Mathews explained the issues in a way that anyone can understand.  In this video interview, Mathews discussed the background of the recent media scrutiny over Facebook's and Myspace's sharing of user data with application vendors, ad networks and data aggregators.  She also discussed the legal challenges to Google's use of Gmail information to launch its Buzz social network, and the Federal Trade Commission's settlement with Twitter pertaining to security vulnerabilities in Twitter accounts.  She also discussed industry standards and pending legislation in this area.

Consent to Cookies? Who Wouldn't?

If the European Commission has anything to say about it, starting about 18 months from now companies will have to start obtaining consent from Web site visitors to place cookies on their computers.

Last week, the European Parliament approved amendments to Europe’s e-Privacy Directive (see page 76, item 5) requiring, among other things, that operators of Web sites obtain a user’s consent before placing a cookie on the user’s computer.  “Cookies” are digital files that are routinely placed on a user’s computer when they visit a Web site.  These files are used for many purposes, including to save a user’s name and password so they can be pre-populated in a Web site’s log-in page; to enable Web sites to engage in behavioral marketing by displaying ads that are keyed to a user’s browsing history; to enable Web sites to perform analyses of the demographics of the site’s visitors and what areas of the site are most popular; and to save the contents of a user’s online shopping cart.


Massachusetts Finally Finalizes Data Security Regulations - We Think

In response to feedback received at a public hearing held in September, the Massachusetts Office of Consumer Affairs and Business Regulation has released what it purports to be final regulations under Massachusetts' "Act Relative to Security Freezes and Notification of Data Breaches," which was enacted in July 2007.

Regulation 201 CMR 17.00 ("Standards For The Protection of Personal Information of Residents of the Commonwealth") was previously amended in August in response to industry backlash.

This week's final amendments make very few changes to the regulations that were released in August:

  • The regulations apply to persons who "store" personal information in addition to those who receive, maintain, process, or otherwise have access to personal information
  • Service Providers include persons who "store" personal information through their provision of services directly to a person that is subject to the regulations (in addition to those who receive, maintain, process, or otherwise are permitted access to personal information)
  • The express carve-out of the U.S. Postal Service from the definition of "Service Providers" has been removed
  • The amendments clarify that Service Provider agreements that are entered into before March 1, 2010 do not have to be amended to comply with the regulations until March 1, 2012.

The March 1, 2010 effective date of the regulations has not changed.

 

Who Cares If A List of Email Addresses Gets Stolen?

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.”  Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action lawsuit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.


DC Court Sides with the ABA - No Red Flag Rules for Lawyers

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers, saying that the FTC's interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s definition of a creditor. Judge Walton ruled from the bench with a written decision to follow.

The American Bar Association, represented by a Proskauer team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers are not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

The American Bar Association's complaint, prepared on a pro bono basis by Proskauer Rose, said that the application of the Rule to practicing lawyers is “arbitrary, capricious and contrary to law,” and that the FTC has failed “to articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under the FACTA; or any legally supportable basis for application of the Red Flags Rule to lawyers engaged in the practice of law.” 

The FTC has not yet indicated whether it will appeal Judge Walton's ruling.
