Law Practice

Innovative lab checks digital products for privacy risks

Photo of Christopher G. Cwalina by Stacy Zarin Goldberg

The legal environment in data privacy is complex, with a veritable alphabet soup of laws: COPPA (the Children's Online Privacy Protection Act), FCRA (the Fair Credit Reporting Act), HIPAA (the Health Insurance Portability and Accountability Act), GLBA (the Gramm-Leach-Bliley Act) and VPPA (the Video Privacy Protection Act), to name a few.

A company with a website, mobile application or network-aware product receives intense scrutiny from technologists and independent researchers about its data-handling and privacy practices. This leads to targeted scrutiny from the Federal Trade Commission or state attorneys general and potentially damaging class action litigation.

Chris Cwalina and Steve Roosa, lawyers from Holland & Knight's Washington, D.C., and New York City offices, are providing a service designed to reduce companies' risk. They built the Data Privacy Testing Lab to perform a series of security- and privacy-based tests on their clients' websites, mobile apps and other products.

They represent pharmaceutical companies, big-box retailers, app developers, financial services companies, global media companies and others.

The two lawyers appear to have a symbiotic relationship and effusively credit each other for their successes. Cwalina, who writes and speaks regularly on privacy and data information issues, is the primary person who assesses legal risk from testing. Meanwhile, Roosa runs the lab and possesses keen technological acumen sharpened by his experience as a fellow for the Center for Information Technology Policy at Princeton University.


The two thought of creating this privacy and data security lab more than three years ago. "We realized that we should be providing technical testing and research services for clients on the front end before they were sued, faced with a government inquiry or an embarrassing news story," Roosa says. "So we switched gears and focused on tech-driven testing and research solutions for clients."

"When we first started," Cwalina says, "it was mostly website privacy testing. Today, however, we routinely do privacy testing on mobile apps, network-aware products and services, toys, enterprise tracking software, and mobile medical applications and devices."

"What is unique among law firms is that we built internally our own testing and research computer lab to perform technical testing using specialized networking environments and software to identify, at the packet level, all information collected or shared by a particular device, mobile app or service," Cwalina explains. "Our lab is run by a lawyer, which is certainly unique, but invaluable because only a lawyer can provide legal advice pertaining to the legal risk associated with data collection use and sharing."

Cwalina and Roosa say that since providing this particular brand of service, their clients' satisfaction has gone way up, enhancing relationships and helping their clients develop products that are more aware of and sensitive to privacy and security concerns.

"A company may have the best IT and information security people in the world, but they may not always be thinking about or have their finger on the latest privacy risk," Cwalina says. "Our clients tell us that we help bridge the communication from legal/compliance to marketing and IT."

This article originally appeared in the November 2014 issue of the ABA Journal with this headline: "Security Test: Innovative lab checks digital products for privacy risks."