Kristen J. Mathews

Kristen J. Mathews is head of the Privacy and Data Security Group and a member of the Technology, Media and Communications Group.

Kristen focuses her practice on technology, e-commerce and media-related transactions and advice, with concentrations in the areas of data privacy, data security, direct marketing and online advertising. She regularly advises clients on a wide range of matters, including privacy and data security compliance, responding to data security breach incidents, preparing privacy and data security policies, data profiling, behavioral marketing, open source software issues, financial privacy, children’s privacy, international privacy, health care privacy, identity theft prevention, geolocational privacy, mobile marketing, social networking, payment card data security and telematics.

Kristen’s clients cross all industries, and include retailers, consumer and business service providers, financial institutions, health care institutions, accounting firms, insurance companies, telecommunications and media companies, entertainment conglomerates, online businesses, information aggregators, print and electronic publishers, consumer products conglomerates, automobile companies, technology, hardware and software vendors, and educational entities.

During the course of her career, Kristen’s practice has evolved and grown with her clientele to address the most cutting-edge technology and data protection issues. Kristen always brings to the table experience, practicality, creativity, and a desire to enable her clients’ business purposes.

Articles By This Author

Door to Increased Liability for Banks Opened by U.S. Court of Appeals for the First Circuit

The United States Court of Appeals for the First Circuit has opened the door to increased liability for banks when hackers make fraudulent withdrawals. In Patco Construction Co., Inc. v. People's United Bank, the Court held that Ocean Bank, a division of People's United Bank, failed to establish "commercially reasonable" measures to prevent six fraudulent withdrawals from an account held by a local business. This alert provides an analysis of this significant decision and its potential implications for financial institutions.

Court Shines Light on California Data-Sharing Law: Proskauer Litigators Obtain Dismissal

On July 3, 2012, Orange County Superior Court Judge Nancy Wieben Stock issued a ruling dismissing a California “Shine the Light” consumer protection law case without leave to amend, making it the first “Shine the Light” case to come to a final decision in a trial court. Judge Stock dismissed the case against XO Group Inc. by filing a ruling sustaining demurrers to both of the plaintiff’s two causes of action in the initial Complaint without leave to amend. The ruling holds that, based on the facts that the plaintiff admitted in her Complaint and that her attorney confirmed at oral argument, there is no possibility of showing that XO Group violated the Shine the Light law.

Data Breach Case Research Paper Sheds Light

In a draft research paper titled "Empirical Analysis of Data Breach Litigation", three prominent scholars have collected and analyzed a sample of over 230 federal data breach lawsuits in order to deduce just what makes them tick.

Romanosky, Hoffman and Acquisti examined, for example, what factual and legal characteristics made a company more likely to be sued for a breach of personal data, and what made a data breach lawsuit more likely to settle.

As an interesting example, they found that the odds of a company being sued over a data breach are six times lower when the company offered free credit monitoring following the breach. They also examined the probability of lawsuit and settlement as a function of the causes of the breach and the types of data lost.

The researchers provided some very interesting summary data. For example, by coding data within the federal complaints, they found 87 unique causes of action brought by plaintiffs' attorneys. They also provided information on settlement amounts, attorney's fees awards and cy pres awards.

Any lawyer who handles data breach cases would likely find this article to provide valuable insights.


Finally, A Home for Mobile App Privacy Policies - But One With A Financial "Catch"

On February 22, 2012, California’s Attorney General, Kamala D. Harris, entered into an agreement with several leading providers of mobile devices and app stores to increase consumer privacy protection for mobile applications or “apps.” Under the agreement’s terms, these companies have agreed to redesign their app stores to provide a location for app developers to display their privacy policies.

California has long taken privacy – including technology-related privacy – seriously. Article 1, Section 1 of the California Constitution recognizes privacy as an inalienable right. California’s Online Privacy Protection Act of 2003 (“CalOPPA”) provides substantial consumer privacy protection by requiring any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” to post a conspicuous privacy policy detailing, for example, the categories of personally identifiable information collected from users and the categories of third-parties with whom the information may be shared.

The White House Proposes New Consumer Privacy Bill of Rights

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s efforts are also intended to bring about conformity with the privacy principles that have become the norm in other countries such as in Europe, thereby increasing interoperability between the U.S. privacy framework and that which has arisen in the rest of the world.

For now, the Consumer Privacy Bill of Rights is still a blueprint and does not include enforceable rules, but the Administration is pursuing implementation through legislation and a multistakeholder rule-making process.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.

Breach Notification Obligations In All 50 States?

Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). 

5 Strategies For Avoiding Wiki Situations

Want to know how you can protect your company from WikiLeaks debacles the likes of which have been faced by the U.S. government as well as private companies? Check out this recent article by Proskauer's Dan Winslow and Kristen Mathews.

What Do You Really Need to Know About the FTC's Recent Report on Privacy?


Yesterday, we blogged about the FTC’s report released last week, “Protecting Consumer Privacy in an Era of Rapid Change.” But if the FTC’s recommendations become requirements, how would they change what the typical company is doing today? 


Proskauer on Privacy: Boston Edition

Following the success of our Annual Proskauer on Privacy Conference in New York, we are taking the program on the road and invite you to attend our first Proskauer on Privacy: Boston Edition. Presented by the firm's Privacy and Data Security Group, this conference will focus on the latest developments in this area of law.

Our keynote speaker is Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation of Massachusetts.

Tuesday, December 14, 2010
8:00 a.m. - 8:30 a.m. Breakfast and Registration
8:30 a.m. - 11:45 a.m. Program

One International Place
Boston, MA 02110-2600


Older Entries

November 30, 2010 — Mathews Explains Social Media Privacy in Exclusive Bloomberg Video Interview

December 4, 2009 — Consent to Cookies? Who Wouldn't?

November 2, 2009 — Massachusetts Finally Finalizes Data Security Regulations - We Think

October 30, 2009 — Who Cares If A List of Email Addresses Gets Stolen?

October 30, 2009 — DC Court Sides with the ABA - No Red Flag Rules for Lawyers

September 30, 2009 — Since when does a legal entity have "privacy" rights?

September 23, 2009 — HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

September 9, 2009 — Update: Maine's Marketing to Minors Law Found Likely to Be Unconstitutional

August 17, 2009 — Massachusetts' Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

August 7, 2009 — Maine Makes Marketing Minors "Predatory"

August 2, 2009 — WEP vs WPA - What You Need to Know

June 30, 2009 — FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

May 29, 2009 — What elementary school did you go to?

May 1, 2009 — Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps

April 1, 2009 — Red Flag Rules Leave Health Care Industry Wondering

January 5, 2009 — "Address Book Harvesting" Issues to Contend With

November 26, 2008 — Privacy Issues When "Computing in the Cloud"

October 31, 2008 — One Reputable Retailer Takes a $7M Hit On Text Messages

September 30, 2008 — MA Issues New Rules for the Protection of Personal Information

August 7, 2008 — CT's New SSN Law Is Third Of Its Kind

June 26, 2008 — New CAN-SPAM Rule Gives Long-Awaited Answers

June 10, 2008 — Emerging Standards For Mobile Marketing