Steven B. Roosa
Head of NRF Digital Analytics and Technology Assessment Platform, United States
Norton Rose Fulbright US LLP
Biography
Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security, including with respect to the CCPA/CPRA, CAN-SPAM Act, COPPA, GDPR, GLBA, HIPAA, TCPA, and VPPA. Steve also codes and develops in-house technical solutions to assist clients with their legal compliance efforts. Steve serves as partner at our New York office and oversees the development of the firm's privacy compliance tool suite, NT Analyzer.
NT Analyzer is a practical tool suite for managing privacy compliance in mobile apps, websites, and IoT. The tool detects and tracks the full range of data, including personally identifiable information, that is collected and shared, and then generates actionable reports through the lens of applicable privacy requirements. Additionally, NT Analyzer analyzes code associated with the "fingerprinting" of browsers as well as data used for "fingerprinting" mobile devices.
In addition to overseeing NT Analyzer, Steve advises clients on privacy and data protection at all stages of the development lifecycle, from setting initial specifications through wireframes, beta versions, and post-release. This work includes consumer-facing applications and sites in financial services, healthcare, rich media content (including OTT video), retail, telecommunications, and hospitality, among other sectors. He also advises clients regarding their own and third-party application programming interfaces (APIs) and software development kits (SDKs).
Steve also advises clients on building privacy programs, internal data handling policies, and security planning and policies. When emergency privacy or security issues relating to consumer-facing applications and interfaces arise, he will also work with incident response teams in responding to regulatory investigations, media inquiries, and "bug bounty" security researchers.
Other representative matters include: mobile app privacy compliance; leveraging anonymity solutions to help clients safely unlock the value of large data sets; Internet tracking; web security; geo-fencing; FTC compliance; privacy considerations related to modified network protocols; California best practices for websites and mobile apps; compliance with wiretap statutes and the Electronic Communications Privacy Act (ECPA); public-key infrastructure (PKI) issues; and certification authority matters pertaining to online trust.
Typical clients span jurisdictions and industries and include: global companies, media companies, Fortune 500 corporations, financial services entities, healthcare providers, life sciences companies, privately held companies, large retailers, technology companies, small and medium size businesses, and non-profit entities.
Professional experience
JD, Rutgers Law School
BA, Cornell University
- District of Columbia Bar
- New York State Bar
Technical and specialized engagements:
- Mobile app privacy testing on Android, iOS, and Kindle devices
- Website privacy testing and analysis
- Data Lake privacy controls
- API testing
- IoT privacy and feature testing
- Hard-coding legal decision making in privacy control platforms
- Privacy and security training
- Online ad ecosystem training
Privacy-related class action litigation defense and regulatory defense:
- Represented companies in litigation resulting from use of social network widgets.
- Represented companies in relation to state attorneys general inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations.
- Represented several companies in class action litigation related to the use of cookies and flash cookies.
General Compliance and Corporate Governance:
- Provided advice to large retailers with respect to geo-fencing projects.
- Provided strategic advice and counsel on local, national and international privacy and data protection and data transfer laws for numerous companies.
- Assisted numerous companies in drafting, design and implementation of internal company policies, including information security, data and records management and retention, data classification and handling, device management and "Bring Your Own Device" policies, codes of conduct, white papers, marketing materials, vendor white lists and internal policies on Internet tracking.
- Provided counseling for a large communications provider, software companies and mobile app developers with respect to issues pertaining to security, encryption and authentication.
- Provided advice to numerous companies with respect to the use of geo-location information.
- Developed privacy training programs.
Rankings and recognitions
- Chambers USA, Nationwide, Privacy and Data Security: Privacy, Chambers and Partners, 2024
- Legal 500, Recommended Lawyer, Cyber law (including data privacy and data protection), The Legal 500, 2022-2024
- Legal 500, Recommended Lawyer, General Commercial Disputes, The Legal 500, 2021
- New York Trailblazer, New York Law Journal, 2020
- Who's Who Legal, Data: Information Technology, Legal Business Research Ltd., 2018
- Outstanding Lawyer, Nightingale's Healthcare News, 2009
- Top 40 Under 40, New Jersey Law Journal, 2008
Publications
- Co-author, "Google's Data Safety Form: Timeline Extended and Key Considerations," NT Analyzer Insights, February 28, 2022
- Co-author, "Google's Data Safety Form: Timeline Extended and Key Considerations," Data Protection Report, February 28, 2022
- Co-author, "European rulings on the use of Google Analytics and how it may affect your business," Data Protection Report, February 14, 2022
- Co-author, "Data Privacy Concerns in 2022 and Beyond," NT Analyzer Insights, January 31, 2022
- Co-author, "iOS 15 Privacy Report Update: What it Means for App Owners," NT Analyzer Insights, January 19, 2022
- Co-author, "Google Play Store Releases Data Safety Form," NT Analyzer Insights, November 19, 2021
- Co-author, "Does Your App Track Users that Opted-out of Tracking?," NT Analyzer Insights, October 26, 2021
- Co-author, "iOS 15: New Privacy Features Industry Should Note - NT Analyzer," NT Analyzer Insights, October 7, 2021
- Co-author, "Why is Unintended Data Leakage and Third Party Code So Prevalent?," NT Analyzer Insights, July 26, 2021
- Co-author, "Global Privacy Control Opt-Out of "Sale" – A Technical and Legal Viewpoint," NT Analyzer Insights, July 16, 2021
- Co-author, "Google Will Nix the "GAID" for Opted-Out Users on Android," NT Analyzer Insights, June 8, 2021
- Co-author, "How Data Privacy Can Affect Consumer Goods," NT Analyzer Insights, June 2, 2021
- Co-author, "iOS 14.5 and ATT Framework Coming to an App Near You," NT Analyzer Insights, April 22, 2021
- Co-author, "Rejected: Don't Let Apple Determine Your App's Fate," NT Analyzer Insights, April 13, 2021
- Co-author, "NT Analyzer Navigates Virginia's New Privacy Law," NT Analyzer Insights, April 7, 2021
- Co-author, "Google Privacy Sandbox Won't Support Alternate Identity Solutions," NT Analyzer Insights, March 19, 2021
- Author, "iOS: IDFA/Tracking Opt-In: What You Should Know," NT Analyzer Insights, March 11, 2021
- Co-author, "Solving Apple's New App Privacy Requirements," NT Analyzer Insights, October 16, 2020
- Co-author, "101 Problems and Schrems Ain't One," NT Analyzer Insights, September 25, 2020
- Co-author, "IDFA Opt-In: Good for User Privacy or Not So Much?," NT Analyzer Insights, July 21, 2020
- Author, "Why So Many Cookie Policies Are Broken," NT Analyzer Insights, June 25, 2020
- Co-author, "How to navigate Advanced Persistent Threat (APT) intrusions," New York Law Journal, March 2020
- Co-author, "CCPA: 'Wait and see' is not the right approach," Norton Rose Fulbright Data Protection Report, August 29, 2019
- "A Deep Dive Into the Privacy and Security Risks for Health, Wellness and Medical Apps," IAPP Privacy Tech, April 6, 2015
- "How Much Does Cybercrime Threaten Latin American Companies?" Inter-American Dialogue Financial Services Advisor, March 20-April 2, 2014
- "Trust Darknet: Control and Compromise in the Internet's Certificate Authority Model", Internet Computing, IEEE, February 6, 2013, co-author Stephen Schultze, (Peer Reviewed)
- Co-author, "Study Criticizing Android Apps Was Pretty Lame," Law360, December 3, 2012
- Co-author, "The New Corporate Approach To Privacy Compliance," Law360, July 31, 2012
- "SSL Hacked: 2011 Proved That The Enterprise Can't Rely On Encrypted Communications; But Corporate Counsel Can Champion a Fix," Corporate Counsel, Law.com, September 28, 2011
- "Information Security and Privacy: A Practical Guide for Global Executives, Lawyers, and Technologists," Science and Technology Law Section, American Bar Association, February 17, 2011
- "The Flawed Legal Architecture of the Certificate Authority Trust Model," Freedom to Tinker Blog, December 15, 2010
- "Encryption Is Not Enough: Why It's Time for General Counsel to Weigh In on Authentication Practices Associated With Secure Communications," e-Commerce Law Report, Vol. 12, Issue 11, West Publications, November 2010
- "The 'Certificate Authority' Trust Model for SSL: A Defective Foundation for Encrypted Web Traffic and a Legal Quagmire," Intellectual Property & Technology Law Journal, Vol. 22, No. 11, November 2010
- "The Next Generation of Artificial Intelligence in Light of In re Bilski," The Intellectual Property & Technology Law Journal, Vol. 21, No. 3, March 2009
Speaking engagements
- International Association of Privacy Professionals (IAPP) Little Big Stage Online, NT Analyzer: Empowering You to Manage Digital Privacy Risk at Every Level, June 3, 2021
- Webinar - NT Analyzer: Partnering With Your Business to Prepare for the Future of AdTech, May 25, 2021
- Webinar - Solving Apple's New App Privacy Requirement, November 13, 2020
- "The Insecure Digital World: Data Breaches and Other Threats to Consumers," Consumer Federation of America Consumer Assembly, May 10-11, 2018
- "Moral Humans, Immoral Algorithms," Privacy Security Risk (IAPP), San Diego, October 2017
- Steven Roosa and Josh Kroll, "The Algorithm Made Me Do It: Predictive Power, Ethics and the Law in the Age of Machine Learning, Artificial Intelligence, and Mathematical Perplexity," Highmark Health All-Hands Privacy Workshop, Pittsburgh, PA, January 11, 2017. (Invited).
- "Moral Humans and Amoral Algorithms: How Machine Learning Creates Privacy and Ethics Exposure and What You Need to Know About It," Privacy + Security Forum, October 24-26, 2016
- "New Legal Challenges Resulting from an Escalation of Cyber Risks and Data Breaches," New York Bankers Association's Bank Counsel Seminar, April 23, 2015
- "AdvaMed's Mobile Health, Wellness and Medical: A Privacy Workshop," Regulatory Oversight of Mobile Medical Devices and Health and Wellness Apps by the FDA and FTC, Hands on Testing of Mobile Apps for Privacy and Security, Shortcomings in De-Identification Schemes, April 22, 2015
- "Mobile Apps and Network-Aware Devices: Legal Exposure in the Collection of Data and What to Do About It," AdvaMed Webinar, November 4, 2014
- "Cyber Security Risks that Threaten Corporate Intellectual Property and Client Confidentiality," IP Trademark, Copyright & Licensing Counsel Forum, October 28-29, 2014
- "Financial Services IT – Avoidance of Risks," Information Security Issues, Practising Law Institute, May 21, 2014
- Moderator, "Mobile Apps and Privacy: The Hidden Risks," IP Trademark, Copyright & Licensing Counsel Forum, October 22, 2013
- Moderator, "Compromise and Control at the Perimeter of the Network: Online Trust, Mobile Security and Mitigating Risk in Mergers and Acquisitions," Northern Virginia Technology Council General Counsel Committee Event, June 7, 2013
- "Mobile Privacy and Security," The Current Regulatory Landscape and New Risk Threat Model, April 16, 2013
- "Mobile Privacy and Monetization: Risks and Opportunities in the Era of Networked Data," L2 Blog Social CRM Clinic, April 4, 2013
- "Privacy and Security in Mobile Apps, the Cloud, and the Internet of Things: The Role of In-House Counsel In Mitigating New Risks," Association of Corporate Counsel, Northeast Chapter, October 3, 2012
- "Mobile Security & Privacy Best Practices," Online Trust Alliance's Forum, October 1-4, 2012
- Presenter, "The Devil Is in the Indemnity Agreements: A Critique of the Certificate Authority Trust Model's Putative Legal Foundation," The Center for Information Technology Policy at Princeton University, December 9, 2010