Media publications, interviews & quotes

Below you will find important announcements from The Beckage Firm, media publications, blog posts, as well as interviews & quotes concerning the attorneys at the firm, who are often quoted for their tech, innovation and privacy know-how.

*Attorney Advertising: Prior results do not guarantee similar outcomes.* 

Proposed Rulemaking to COPPA


"On December 20, 2023, the Federal Trade Commission (“FTC”) issued a Notice of Proposed Rulemaking to the Children’s Online Privacy Protection Rule (“COPPA”) to place new restrictions on the use and disclosure of children’s personal information, attempting to shift the burden from parents to providers to help make digital services safe and secure for children.

Proposed modifications to the rule include:

Requiring separate opt-in for targeted advertising: A separate verifiable parental opt-in consent to disclose information to third parties would be required, with very narrow exceptions.

Prohibition against conditioning a child’s participation on collection of personal information: Reinforcement of the prohibition on conditioning participation in an activity on the collection of personal data, serving as an outright ban on collecting more personal information than is reasonably necessary for the child to participate.

Limiting push notifications to keep children online longer: Notice and consent would be required for the use of “engagement enhancing techniques,” including push notifications.

Changes related to Ed Tech: Using the personal information of students for commercial purposes would be barred.

Increasing accountability for Safe Harbor programs: COPPA Safe Harbor programs would be required to publicly disclose their membership lists and report additional information to the FTC.

Strengthen data security requirements: Operators would be mandated to establish, implement, and maintain a written children’s personal information security program.

Limits on data retention: Operators would be prohibited from using retained information for any secondary purpose and information would be retained only for as long as necessary to fulfill the specific purpose it was collected for.

The COPPA rule has not been updated since 2012, and the FTC has already received over 176,000 comments in response to its call to comment on updating the COPPA rule. The FTC has called for additional input on various topics still under consideration. After Notice is published in the Federal Register, the public will have sixty (60) days to comment.”

At The Beckage Firm, we have a group of seasoned attorneys that are highly experienced with COPPA and other privacy laws relating to the collection of information of children. Protecting children online is a crucial step in compliance. We help businesses remain compliant with current and future rules and regulations relating to securing the personal information of children online.


By: Juliana Cipolla


The Payment Card Industry (PCI) Data Security Standard (DSS) is a global card brand requirement designed to prevent fraud through the increased control of credit card data. While the PCI DSS has no legal authority to compel compliance, it becomes binding when inserted into merchant card processing contracts used by Visa, Mastercard, Discover Financial Services, JCB International, and American Express.

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes, determining what an enterprise requires to remain compliant.

Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Level 1 merchants must conduct an internal audit once a year and submit to a PCI scan by an Approved Scanning Vendor once a quarter.

Level 2: Applies to merchants processing one to six million real-world credit or debit card transactions annually. Level 2 merchants are required to complete an assessment once a year using a Self-Assessment Questionnaire and may be required to conduct a quarterly PCI scan.

Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. Level 3 merchants are required to complete a yearly assessment using the relevant Self-Assessment Questionnaire and may require a quarterly PCI scan.

Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. Level 4 merchants are required to complete the Self-Assessment Questionnaire and may be required to complete a quarterly PCI scan.

Additionally, compliance requires all enterprises handling cardholder data to maintain: a secure network, secure cardholder data, vulnerability management, access control, network monitoring and testing, and information security, among other nuanced requirements. In some instances, businesses and organizations may leverage third-party service providers to achieve their objectives. However, leveraging a third party does not relieve an entity of its responsibility for PCI DSS compliance, nor exempt the entity from accountability and obligation for ensuring cardholder data and the components of the cardholder data environment are secure. Ultimate responsibility for compliance rests with the entity, regardless of how specific responsibilities may be allocated.

It is essential that merchants and financial institutions handle this data securely to prevent theft and help make the cardholder data environment both safe and secure. Merchants and other financial solutions should be aware of the PCI DSS requirements to help store and safeguard collected data. At The Beckage Firm, we have a team of technologists and seasoned attorneys who can help your organization meet the compliance standards required by the PCI DSS.


Indiana Signs Privacy Act Into Law
By: Juliana Cipolla


On May 1, 2023, Indiana became the seventh state to enact a comprehensive data privacy law. Indiana Governor Eric Holcomb signed Senate Bill 5, known as the Indiana Consumer Data Protection Act (“INCDPA”). The law follows in the footsteps of previous state privacy laws and goes into effect January 1, 2026.

The law applies to entities that conduct business in the state or produce products or services targeted to Indiana residents and that either control or process the personal data of either 100,000 consumers or 25,000 consumers while deriving 50% of their gross revenue from the sale of personal data.

However, data that is subject to the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, data covered by existing federal laws, and employment data and human subjects research data covered by federal law or other standards are exempted types of data under the INCDPA. Additionally, the law does not apply to government entities or the parties under contract with such entities acting on behalf of the entity and within the scope of the agreed upon contract. Other exempt entities include financial institutions, nonprofit organizations, higher education institutions or public utilities.

Under this act, the INCDPA distinguishes a “controller,” an entity that determines the purpose and means of processing personal data, from a “processor,” an entity that processes personal data on behalf of a controller. Processors must adhere to the controller’s instructions and must require: (1) confidentiality of personal data; (2) deletion or return of personal data at termination of the agreement; (3) demonstration of compliance with the INCDPA upon request; (4) cooperation with data protection impact assessments; and (5) use of subcontractors that are subject to the same privacy requirements as processors.

Additionally, the INCDPA provides the following rights for consumers:

  • Right to Access: Consumers can request access to the personal data processed by the controller.
  • Right to Correct: Consumers can request covered entities to correct inaccuracies in personal data provided to the controller.
  • Right to Data Portability: Consumers can obtain a copy or summary of the personal data in a portable and readily usable format that allows the consumer to share it with another controller.
  • Right to Delete: Consumers can request to delete data provided or obtained about the consumer.
  • Right to Opt Out: Consumers can opt out of the processing of their personal data.
  • Right to Opt In: Controllers cannot process sensitive data without consent of the consumer.

In addition to the consumer rights, the INCDPA requires controllers to complete annual data protection assessments for (1) processing data for targeted advertising; (2) selling personal data; (3) processing data for the purpose of profiling if certain risk factors are met; (4) processing sensitive data; and (5) any processing activities that present a “heightened risk of harm.”

Covered entities are required to limit personal data collection to what is adequate, have reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, and provide an accessible, clear, and meaningful privacy notice. Covered entities must also provide processors with a binding data processing contract, detailing instructions for processing personal data, the nature and purpose of the processing, type of data subject to processing, duration of processing, and the rights and obligations of both parties.

Despite the robust framework of the INCDPA, the law does not afford a private right of action to consumers who suffer violations under the INCDPA. Under the INCDPA, the Indiana Attorney General has the power to issue a civil investigative demand to investigate a suspected violation. Violations can be enforced by an injunction and/or seeking a civil penalty of up to $7,500 for each violation if not cured within 30 days of written notice.

Indiana will not be the only state to pass a comprehensive privacy law in 2023, as Montana and Tennessee are on track to pass their own state privacy laws. Companies are advised to actively monitor proposed state legislation and ensure compliance with new state privacy laws. At The Beckage Firm, we have a team of seasoned attorneys who stay up-to-date with emerging state law and can help ensure your business stays compliant.

The Beckage Firm is a boutique, woman and veteran owned law firm focusing on tech, data security, and privacy. It is one of only a handful of law firms certified as a BreachCoach© to work on data breaches, and its team are peer nominated for numerous awards and interviewed by global media on emerging tech and data security and privacy topics.




The First of Many? Washington’s My Health, My Data Act
By: Scott M. Lupiani, Esq., Member


It is well known that the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security regulations have limitations on their reach. One such limitation is that HIPAA only applies to covered entities and their business associates, not health data in general. To address this issue, Washington's legislature passed House Bill 1155 on April 17, 2022, also known as the My Health, My Data Act (the Act). The bill aims to regulate health data collected by entities not covered by HIPAA (think apps and websites).

If signed into law, it will take effect on March 31, 2024, with certain parts of the legislation possibly taking effect earlier.

Under the Act, a “Regulated Entity” is defined as an entity that conducts business in Washington, produces or provides products or services targeted to consumers in Washington, and determines the purposes and means of collecting, processing, sharing, or selling consumer health data. The law creates a subgroup of Regulated Entities called “small businesses” to provide additional time to comply. Small businesses collect, process, sell, or share consumer health data of fewer than 100,000 consumers during a calendar year or derive less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data and control, process, sell, or share consumer health data of fewer than 25,000 consumers.

The Act is intended to protect “consumer health data,” defined as personal information that identifies a consumer's past, present, or future physical or mental health status, linked or reasonably linkable to a consumer. Health status includes:

  • Individual health conditions
  • Treatment
  • Diseases
  • Diagnosis
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements of health-related functions
  • Diagnoses or diagnostic testing
  • Treatment or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services and supplies, and data that identifies a consumer seeking health care services

Under the Act, a protected consumer is a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington. The law only protects consumers for actions taken as individuals or on behalf of a household and not actions taken by an individual in an employment context.

Consumers have several rights under HIPAA with respect to their protected health information (PHI). The Act provides consumers with the right to:

  • Confirm whether their consumer health data is being collected, shared, or sold
  • Consent to or deny the collection or sharing of health data
  • Withdraw consent from a regulated entity or small business to collect or share health data
  • Delete health data collected by a regulated entity or small business
  • Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data

Regulated entities and small businesses must maintain a consumer health data privacy policy prominently on their homepages that includes categories of:

  • Consumer health data collected and the purpose for which the data is collected
  • Sources from which the consumer health data is collected
  • Consumer health data that are shared
  • A list of third parties and specific affiliates with whom consumer health data is shared

The Act also mandates contracts be in place with processors of consumer health data and codifies specific data security obligations for regulated entities and small businesses, including specific access management requirements. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They must also respond to requests from consumers to withdraw consent to collect or share health data and to delete their consumer health data.

The law makes it unlawful for any person (not merely Regulated Entities or Small Businesses) to implement geofence technology around an entity that provides in-person health care services used to:

  • Identify or track consumers seeking health care services
  • Collect consumer health data from consumers
  • Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services

The Act is enforceable either by the Washington State Attorney General or via a statutory private right of action by affected consumer(s).


Proposed Second Amendment to 23 NYCRR Part 500 

The Department of Financial Services released their Proposed Second Amendment to the Cybersecurity Regulation, 23 NYCRR Part 500. This amendment requires Class A Companies to implement additional cybersecurity controls, such as independent audits of their cybersecurity programs at least annually, monitoring privileged access activity, and using external experts to conduct a risk assessment at least once every three years.

Additionally, the Proposed Second Amendment states a Class A Company is a covered entity within the meaning of the statute. Further, Class A Companies are covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years from the business operations of the covered entity and that have (1) over 2,000 employees averaged over the last two fiscal years, or (2) over $1 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates.

The most significant proposed changes under the Second Amendment include:

  • Section 500.3: covered entities are required to implement and maintain a written policy, approved at least annually by the senior governing body of the covered entity, that must be developed, documented, and implemented in accordance with the entity’s written policies.  
  • Chief Information Security Officer Section 500.4: covered entities are required to designate a qualified individual as Chief Information Security Officer (“CISO”) to ensure cybersecurity risks are appropriately managed. The CISO should report at least annually to the senior governing body or senior officer responsible for the entity’s cybersecurity program.  
  • Vulnerability and Penetration Testing Requirements Section 500.5: covered entities are required to develop and implement written policies and procedures for vulnerability management. These policies ensure entities conduct penetration testing from both inside and outside the information system’s boundaries by a qualified internal or external independent party at least annually and automated scans of information systems and a manual review of systems not covered by such scans to analyze and report vulnerabilities. Covered entities are also required to have monitoring processes for emerging security vulnerabilities and the timely remediation of such vulnerabilities.  
  • Access Controls Section 500.7: Covered entities shall limit the use of privileged accounts with access to nonpublic information to the privileges necessary to perform the user’s job.  
  • Use of Multifactor Authentication Section 500.12: Covered entities should use multifactor authentication for (1) remote access to the entity’s information systems; (2) remote access to third-party applications; and (3) all privileged accounts.  
  • Asset Management and Data Retention Requirements Section 500.13: Covered entities are required to implement written policies that include a method to track key information for each asset.  
  • Encryption Section 500.15: Covered entities are required to implement a written policy requiring encryption that meets industry standards to protect nonpublic information.  
  • Business Continuity Section 500.16: Covered entities are required to establish written plans that contain proactive measures to investigate and mitigate disruptive events, including incident response, business continuity, and disaster recovery plans to address different types of cybersecurity events.  
  • Notice Requirements Section 500.17: Covered entities must provide the DFS with (1) notice of the cybersecurity event within 72 hours from occurrence, (2) information regarding the investigation of the cybersecurity event within 90 days of the occurrence of the event, and (3) notify the DFS in the event an entity is affected by a cybersecurity event at a third-party service provider within 72 hours of the occurrence of the cybersecurity event.  

The Proposed Amendment’s comment period expired on January 9, 2023, and has a planned phased rollout beginning 180 days from the effective date of the Proposed Second Amendment.


First FTC Enforcement Action Under the Health Breach Notification Rule Alerts Companies To Focus on Data Security and Privacy Initiatives 
On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”). The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers following a breach involving unsecured, personally identifiable health information.

The FTC has taken this enforcement action against GoodRx for GoodRx’s alleged failure to notify customers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The proposed order, filed by the Department of Justice (“DOJ”) on behalf of the FTC, prohibits GoodRx from sharing user health data with applicable third parties for advertising purposes. Further, GoodRx has agreed to pay a $1.5 million civil penalty for violating the Health Breach Notification Rule. However, a federal court must approve the proposed order before it goes into effect.

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services, collecting personal and health information about its users. GoodRx has allegedly violated the Health Breach Notification Rule by sharing users’ sensitive personal health information for years with advertising companies and platforms, and by failing to report these unauthorized disclosures, in direct conflict with GoodRx’s own privacy promises and the Health Breach Notification Rule.

Specifically, GoodRx deceptively promised users it would not share personal health information with advertisers or other third parties, yet GoodRx repeatedly violated its own promise by sharing sensitive personal health information with third-party advertising companies and advertising platforms like Google, Facebook, and Criteo, among others. Further, GoodRx used the personal health information that it collected to target GoodRx’s own users with personalized health and medication specific advertisements on Facebook and Instagram. GoodRx also allowed third parties it shared data with to use collected personal health information for their own research and development or improvement to advertising. GoodRx misrepresented its compliance with HIPAA and failed to implement and maintain sufficient policies and procedures to protect the personal health information of its users.

The GoodRx enforcement action by the FTC under the Health Breach Notification Rule highlights the increased scrutiny regulators are placing on companies using and disclosing consumer health information. Because of the increased scrutiny of regulators and the emphasis on the protection of sensitive consumer health information, it is imperative that businesses implement and maintain policies and procedures that prevent unauthorized disclosures to third-party advertisers.

At The Beckage Firm, we have a team of professionals that are highly knowledgeable of HIPAA and the Health Breach Notification Rule and can help your business implement safeguards that are compliant with federal and state regulations surrounding sensitive health information.  

Class Action* Filed (December 14, 2022) – Artificial Intelligence Resulting in Alleged Discrimination in Claims Processing and Procedures
*The complaint filed contains alleged conduct. Admissible evidence is required to prove allegations.


Jaqueline Husky, on behalf of herself and all others similarly situated filed suit against State Farm Fire & Casualty Company, U.S. District Court, Northern District of Illinois, Case No. 22-cv-7014, dated December 14, 2022, alleging violations of the Fair Housing Act by State Farm.

Husky, and her counsel, claim that State Farm’s use of Artificial Intelligence (“AI”) disparately treats its Black homeowners’ claims relative to white homeowners’ claims in the Midwest (Illinois, Indiana, Michigan, Missouri, Ohio, and Wisconsin). The alleged disparate treatment involves “greater suspicion than claims made by their white counterparts,” “greater inconvenience as well as detrimental impact” to property values and “quality of life,” and delays in the claim adjustment procedures.

Husky alleges that State Farm’s use of AI in automated claims processing procedures, including “machine-learning algorithms,” effects “predictions and decisions about whether a claim might be fraudulent, how much scrutiny it requires, and how it should be processed,” relying upon “(1) biometric data that function as proxies for race, such as physical appearance, genetics, and voice; (2) intrusive behavioral data that function as proxies for race, such as geolocation, social media presence, and browser search history; and (3) historical housing and claims data that are themselves infected with racial bias.”

The AI algorithms, again as alleged, “too often have discriminatory effects, even where demographic data, such as race, are not included as inputs. This is because algorithms can “learn” to use omitted demographic features by combining other inputs that are correlated with race (or another protected classification), like zip code, college attended, and membership in certain groups.”

To support Husky’s allegations, the following information was provided:
Survey of 648 white and 151 Black policyholders demonstrated large and statistically significant racial disparities, regarding (1) the time for claims to be paid; (2) the supplemental paperwork required as part of claims adjudication; and (3) the number of adjustor/claimant interactions for each claim.
   (1) 39% of white compared to 30% of Black policyholders received payment for their claim within one month or less (Alleged difference would occur less than 5% of time as a result of random chance).
   (2) 46% of white compared to 64% of Black policyholders were required to submit additional materials beyond the materials that initiated their claims (Alleged difference would occur less than 1% of time as a result of random chance).
   (3) 51% of white compared to 42% of Black policyholders resolved their claims after only one to three interactions with State Farm, and 49% of white and 58% of Black policyholders needed three or more interactions.

The Complaint further alleges an industry shift from person-to-person claims handling to an AI-based analysis designed to separate claims into one of three buckets: “no touch,” “low touch,” and “high touch.” There is a newer reliance on analytics and AI learned algorithms to determine the level of Adjustor involvement. However, as Husky alleges, it is the social stratification of the data, the weighed importance relative to the benefits, and the AI interpretation of the data that creates the discriminatory results.

The Beckage Firm, a boutique data security and privacy firm with lawyers who are also technologists with AI backgrounds, understands AI and its positives, as well as the potential legal compliance issues that may arise. As organizations adopt AI, or use third parties who use AI, legal compliance evaluation can help mitigate regulatory investigations and unintended outputs.

Scott Michael Lupiani, Esq.
Member, The Beckage Firm PLLC


Posted 10/31/22
Post Dobbs, organizations are taking a closer look at their geolocation practices, data that they receive from third parties, including data brokers, and their operational practices. To further complicate this review, the FTC has shined a light on the issue with its recently filed suit against Kochava, who is in the data broker industry. This suit can provide insight on how the FTC and other agencies will look at geolocation data and what organizations should be on the lookout for.
With the FTC finally having a full complement of commissioners, Commissioner Lina Khan’s ambitious agenda appears to finally be kicking into motion. In addition to her efforts to tie antitrust law to data protection practices and jumpstarting the federal rulemaking process for badly needed updates to federal privacy law, Khan’s FTC brought an action in late August against Kochava, a data broker, for the sale of precise geolocation data of consumers in the U.S. District Court of Idaho.

Theory of the Case

The FTC’s suit centers around Kochava’s role in the data broker industry and some of the most controversial data practices regarding consumer data. Kochava is not alone in this but is one of the key players in the precise geolocation industry and has found itself in the crosshairs here for reselling consumer precise geolocation data to consumers that can be tied back to places of worship, health care clinics, schools, and other locations. This data, coupled with an advertising ID, can reveal intimate details about consumers’ lives and habits. It goes without saying that this level of data, no matter how pseudonymized, has high value to advertisers, with precise geolocation data audience segments and analytics selling at some of the highest rates in the programmatic advertising industry.
Kochava claims to process more than 94 billion data transactions each month for 125 million monthly active users and 35 million daily active users. The consumer data is made available for purchase through a license or through a free sample that contains a rolling 7 day period.  Kochava denies the allegations in the complaint, stating their practices are in compliance with all applicable privacy laws and, “Kochava sources 100% of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers.”
The FTC is seeking a permanent injunction to stop this practice. Typically, the FTC has brought privacy cases under the “deceptive” practices prong of its authority under Section 5 of the FTC Act. Advancing this case on unfairness grounds represents an aggressive move against not just Kochava, but geolocation as a whole, enabling the FTC to seek a permanent injunction against the practice, not just about any statements related to the practice, of selling precise geolocation data. The FTC is choosing to advance a harder argument here – that the practice of selling precise geolocation data is uniquely unfair because a consumer cannot meaningfully consent to the transaction by companies it has no knowledge of and that the practice has and will substantially harm individuals – in order to have a greater impact on the business model as a whole.

A win by the FTC here would likely result in a substantial impact on not just data brokers and advertisers, but also analytics companies, retail groups, device tracking technologies (e.g. Apple Airtags) and automotive manufacturers who increasingly process substantial amounts of precise geolocation data for a wide variety of purposes. But key questions remain: Is Kochava the right target for this action if no particularized harm has been identified and alleged from the sale of its particular data set?

Additional Implications

Precise geolocation data is also highly valuable to law enforcement. Earlier this week, the Associated Press released an article based on a joint investigation with the Electronic Frontier Foundation, unmasking a data broker called Fog Data Science LLC, licensing a tool to law enforcement and government agencies for a reputed $7,500/year fee, that would provide geofencing and location tracking capabilities without a warrant. Such practice is currently lawful because of the exception under 4th Amendment caselaw for publicly available information.  

Precise geolocation data is considered highly sensitive data – a type of digital plutonium – because of the difficulty anonymizing the data and the rich insights that can be extracted from the feed. Precise geolocation tied to a time stamp and advertising identifier – the unique number each phone is assigned by Apple or Google for advertisers to use for targeting – can reveal an individual’s home address, work address, and other sensitive data. In 2021, a Catholic priest resigned after he was outed as visiting LGBTQ+ bars. His precise geolocation data was obtained through a data broker by a Catholic news organization who outed him. The data broker got it from Grindr, the LGBTQ+ dating app. Precise geolocation has revealed numerous national security implications as well. In 2018, the US military was forced to reexamine its security practices after fitness tracker Strava’s heatmaps revealed military bases and patrol routes. That story, among others, was part of a New York Times series on location data practices that included the ability to locate devices traveling to and from CIA Headquarters in Langley, Virginia. At the same time, the US military and other law enforcement agencies have been caught buying precise geolocation data from Muslim prayer apps, a move that clearly has First Amendment implications.

In a post-Dobbs America, the implications are profound, with Republican-governed states rapidly moving to criminalize women who seek abortions or the doctors who provide them. Some are even exploring enforcing their laws on women who seek abortions across state lines.
Client Aware
The FTC’s suit in this case, coupled with its move to update its regulations via the rulemaking process last month, shows an increased appetite for tackling privacy problems under current authority while proposed federal privacy law remains deadlocked in Congress. Businesses that collect, process, sell, or otherwise use precise geolocation data, or engage with vendors who do, should take a renewed look at their data practices, their technical and administrative compliance measures, and their consumer disclosures and methods of obtaining consent, where applicable. The Beckage Firm of seasoned privacy and cybersecurity professionals is available to assist as needed.
*Attorney Advertising: Prior Results Do Not Guarantee Similar Outcomes*

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E named to list of the 40 top data breach attorneys in the United States for fifth year in a row

NEW YORK, October 20, 2022 - Jennifer A. Beckage, Esq., CIPP/US, CIPP/E has been named among the top 40 data breach lawyers in the U.S. in Cybersecurity Docket's Incident Response 40. Incident Response 40 is peer nominated and reviewed and “lists the 40 best data breach response lawyers in the business,” states Bruce Carton, Editor of Cybersecurity Docket.

To date, Ms. Beckage has received this illustrious recognition in 2018, 2019, 2020, and 2021, putting her among an elite few to repeatedly receive such distinction.

“I am utterly humbled by this designation, especially from my peers, whom I admire and hold in high regard,” said Jennifer A. Beckage, Managing Director and founder of The Beckage Firm. “I have responded to countless headline-making data security and privacy breaches and related putative class actions while launching and managing a high growth tech-forward law firm.  Concurrently, I have benefited from professional growth and recognition in the niche data security and privacy and cyber insurance markets.” 

“The data security and privacy market, my professional career and my personal life have been through a lot,” warmly states Ms. Beckage. “After five years, I am beyond humbled by this recognition along with other talented cyber professionals and I look forward to seeing the future generations of recipients of this award.”

Jennifer Beckage is the Founder and Managing Director of The Beckage Firm, a women- and veteran-owned law firm focused on incident response, data privacy and compliance, litigation, and emerging technologies. Ms. Beckage started her career during the DotCom era, which eventually led to the sale of her tech business to a publicly traded entity, where she was retained as VP of Operations over technical services and products. At that time, Ms. Beckage advised Fortune 100 companies to abandon antiquated practices and invest in a new technology platform called a “website” on the future-forward “Internet.”

With the emergence of cyber threat actors, Ms. Beckage then focused her career on incident response (incidentally, most stemming from activities on the Internet). With a robust understanding of how internet technologies are built, Ms. Beckage has provided consultation to organizations of various sizes and maturities on incident response preparedness. Ms. Beckage was among the early counselors to help corporate clients navigate international data breaches and related putative class actions. Ms. Beckage predicted the need for organizations to proactively prioritize data security, privacy, and incident response. To that end, she has received numerous awards and recognition as a sought-after speaker on topics including cybersecurity and privacy. Ms. Beckage holds certification from MIT Sloan School of Management for business strategies and implications of artificial intelligence technology use and has taught master's-level studies on artificial intelligence, incident response, data security, privacy and ethics. Years prior to the pandemic, Ms. Beckage created the first majority remote law firm and has helped organizations safely, compliantly and efficiently migrate to the cloud.

Among her certifications, Ms. Beckage maintains Certified Information Privacy Professional, United States (CIPP/US) and Certified Information Privacy Professional, Europe (CIPP/E).



The Beckage Firm

Kevin Johnson, a United States Air Force veteran, will serve as the Firm’s Chief Information Security Officer.

NEW YORK, October 3, 2022

The Beckage Firm PLLC, a women-owned, boutique data security and privacy law firm, announced the addition of Kevin Johnson to the rapidly growing team of The Beckage Firm. Kevin Johnson, a United States Air Force veteran, will serve as the Firm’s Chief Information Security Officer.

With almost two decades of experience, Mr. Johnson has been responsible for securing critical government and private sector systems by managing diverse teams in application development, infrastructure, and cyber security. He has extensive experience in vulnerability management, continuous monitoring, incident response, security governance, risk management, compliance, auditing, and process development.  In his new role with The Beckage Firm, Mr. Johnson will work directly in compliance, risk/threat management, and develop preventative policies and strategies.

“Kevin has led government and private sector organizations by developing and implementing security policies, programs, best practices, procedures, and standards from the ground up,” said Jennifer A. Beckage, Esq., CIPP/US, CIPP/E, founder of The Beckage Firm. “His vast experience, attention to detail, and ability to communicate complex security threats will be valuable assets to the Beckage Team.”

“Risk management, IT Security, and the laws regulating these areas are changing around the globe at a record pace,” said Kevin Johnson. “The Beckage Firm is committed to providing guidance and procedural detail on the latest information security threats, tech, and standards. The team that we are building is truly world class in understanding the latest changes to compliance and standards in these vital business areas.”

Mr. Johnson started his career by serving in the United States Air Force in various physical and information security capacities. By working overseas in highly stressful and rapidly changing environments, his ability to remain calm and adapt to any situation has proven to be vital to the safety and security of government leaders, critical resources, and systems. Receiving some of the highest clearances available, Mr. Johnson has demonstrated an immense level of trust and competency throughout his time in the military.

Following his military experience, Kevin Johnson transitioned to a federal civilian role, working for Navy Headquarters in Washington, DC. In this capacity, he managed technical assets, compliance, policy, and contract teams for an application utilized jointly by all DoD services. He worked with military leaders at the Pentagon to ensure requirements were met, demonstrated compliance with regulatory and industry standards, and provided overall security updates.

The Beckage Firm is headquartered in New York. Its services include Incident Response/Data Breach, Data Security and Privacy Compliance, Personal Privacy, and Data Due Diligence.

About The Beckage Firm: The Beckage Firm is a women-owned law firm. Its attorneys and technology professionals counsel clients on matters pertaining to data security and privacy compliance, government investigations, litigation and class action defense, incident response, technology, personal security and privacy, data due diligence, and emerging technologies such as Artificial Intelligence (AI). Prior results do not guarantee similar outcomes. In addition to being women-owned, the Beckage Partnership Team also includes military veterans. Learn more at


The Beckage Firm

The Beckage Firm PLLC has partnered with the Spencer Educational Foundation

NEW YORK, September 22, 2022

The Beckage Firm PLLC, a women-owned, boutique data security and privacy law firm, has partnered with the Spencer Educational Foundation to provide a scholarship to undergraduate students pursuing a career in risk management who self-identify with a traditionally underrepresented race/ethnicity or as female.

“At The Beckage Firm our mission is to help support programs that make education more impactful, diverse and transformative,” said Jennifer A. Beckage, Esq., CIPP/US, CIPP/E, founder of The Beckage Firm. “We are proud to offer this scholarship opportunity and we cannot wait to provide the scholarship and watch the impact of the dollars and our mentoring to future generations.”

The first scholarship will be awarded in May 2023. In addition to the scholarship, The Beckage Firm is a sponsor of the Funding the Future Gala in New York City on September 22; over 800 industry executives will participate in this marquee fundraising event.

The Spencer Foundation has been a leading funder of education research since 1971 and is the only national foundation focused exclusively on supporting education research. The Spencer Foundation has been a strong advocate for broader access to education in science, technology, engineering, and mathematics (STEM).

The Beckage Firm is headquartered in New York. Its services include Incident Response/Data Breach, Data Security and Privacy Compliance, Personal Privacy, and Data Due Diligence.


The Beckage Firm

Scott is a dynamic voice and thought-leader in the cyber-security community

NEW YORK, September 19, 2022

The Beckage Firm PLLC, a women-owned boutique data security and privacy law firm, is proud to announce the addition of Scott Morris as Senior Vice President, Technology and Security. Scott Morris has served as Senior Vice President and Chief Information Security Officer (“CISO”) for a spectrum of organizations in size and maturity. As CISO for Blue Cross Blue Shield of WNY, Mr. Morris maintained responsibility for the information and cyber security programs. A refined information security executive possessing over two decades of experience, Morris has a stellar track record for developing security programs, governance, and percolating vertical stakeholder engagement.

"Scott is a dynamic voice and thought-leader in the cyber-security community," stated The Beckage Firm Founder, Jennifer Beckage. "His experience, knowledge and foresight provide a great resource for The Beckage Team and our partners."

The Beckage Firm counsels organizations and high-net-worth individuals on innovation, data security and privacy, tech business strategy, crisis preparedness, merger and acquisition data due diligence, and litigation and regulatory inquiry defense.

"I'm confident we can make a real impact in the cyber-security space and truly be an asset for our clients and partners," said Scott Morris. "Cyber-Security is constantly evolving and I believe The Beckage Firm is committed to building a team that understands and helps shape the next generation of Cyber-Security."

The Beckage Firm's home office is in New York. Its services include Incident Response/Data Breach, Data Security and Privacy Compliance, Personal Privacy and Data Due Diligence.

About The Beckage Firm: Beckage is a women-owned law firm that focuses on technology, data security, and privacy, incident response, and litigation and regulatory inquiries. The Beckage Firm attorneys and team counsel clients on matters pertaining to data security and privacy compliance, government investigations, litigation and class action defense, incident response, technology, and emerging technologies such as Artificial Intelligence (AI). The Beckage Firm's headquarters is in New York. Learn more at

The Beckage Firm Names Jodi Beaubien, Senior Vice President, Global Partnership Operations

Cision PRWeb

Jodi Beaubien PMP, SHRM-CP, Senior Vice President, Global Partnership Operations

September 12, 2022
Jodi is a key addition to our firm; she boasts over 20 years of communications experience working with SMBs, large international brands, municipalities, private healthcare conglomerates, and financial institutions.

Jen Beckage quoted In Bloomberg Law Regarding Ransomware

Bloomberg Law

Ransomware Rise Means Greater Regulatory, Legal Risk for Victims

May 12, 2021
"The threat to disclose information in itself raises a lot of different issues, such as determining whether it’s a credible threat," Beckage said. "A whole analysis has to be performed to understand the ‘who’ and the ‘what’ that occurred."

Jen Beckage quoted In Bloomberg Law Article regarding President Biden cyber initiatives

Bloomberg Law

Biden's Russia Strike Marks Shift in U.S. Cybersecurity Strategy

April 16, 2021
"It's nice to see the government support private-public collaboration to drive this forward," Beckage said. "It's more indication from the current administration that cybersecurity is important and will continue to be going forward."

Featured Story in SuperLawyers© Magazine About Jen Beckage's Tech & Legal Career

Super Lawyers

Before she was a tech lawyer, Jennifer Beckage was in on the internet's ground floor

August 19, 2021
In the late '90s, Jennifer Beckage was a 20-something Southerner with big hair and a Texas twang who saw the future. She would sit down in boardrooms across the Northeast making a simple ask of Fortune 500 presidents: "Just throw away your entire marketing plan," she says. "The whole world is changing. You should listen to me, a 20-year-old, and move your 100-year-old business online."

Jen Beckage was published in Risk Management Magazine regarding legal issues in data breach response

Risk Management Magazine

The Legal Issues in Cyber Incident Response

April 1, 2021
When we think about cyber incident response, we think about detection, analysis, containment, eradication, remediation and reporting. These stages are not just about technical and forensic response, however. Throughout each, legal risks and considerations must also be addressed. It is imperative to focus on gaining technical understanding of what the threat actor did, when they did it, and how to overcome their interference and resulting business interruptions.

Jen Beckage Quoted by Regarding FTC Initiatives


What's Behind the FTC's Push for More Detailed Orders?

May 14, 2019

More Publications


    • “Vulnerabilities in SolarWinds and Microsoft,” VOA News, Dec. 28, 2021
    • “Ransomware Prevention Best Practices to Follow and Pitfalls to Avoid,” Presidio Insight Blog, Oct. 8, 2021
    • Review and analysis of artificial intelligence (AI) webinar featuring Jennifer Beckage as a panelist. JD Supra, July 8, 2021
    • “Pandemic Data Privacy - A Q&A With Jennifer Beckage”, NetDiligence, Jun. 2021
    • Jennifer Beckage's "One Big Thing" for Incident Response Forum Masterclass 2021, Apr. 5, 2021 (video)
    • Jennifer Beckage on the 2021 Cyber Threat Landscape - Ransomware, Vishing, Data Shaming, & More, Feb. 24, 2021 (video)
    • “Cybersecurity Resolutions for 2021,” Cybersecurity Law Report, Jan. 13, 2021


    • Jennifer A. Beckage’s “One Big Thing” for Incident Response Forum 2020, Apr. 8, 2020 (video)


    • “From Tech Business to Tech Law”, University at Buffalo Forum Magazine, July 26, 2019
    • “All businesses have 'people problems' when it comes to this risk,” Insurance Business Magazine, by Alicja Grzadkowska, June 11, 2019
    • “Industry leader [Jennifer Beckage] says 'cyber insurance' may be too narrow a designation amid potential threats,” Inside Cybersecurity, by Mariam Baksh, Apr. 16, 2019
    • “Inside the booming and controversial world of sneaker bots,” Glossy Magazine, by Danny Parisi, Apr. 5, 2019
    • “Legal Mind Tech Focus,” SUNY Buffalo at Law, Feb. 2019
    • “Incident Response Plan,” summary and quotes from Jennifer Beckage’s presentation at LegalWeek NYC 2019, Feb. 19, 2019


    • Pandemic Data Privacy - A Q&A With Jennifer Beckage Of Beckage Law Firm, NetDiligence (video)
    • New York Firm Launches With Novel Cybersecurity Mandate: Get Technical, September 14, 2018
    • Jennifer Beckage, Esq. starts firm, Buffalo News, Oct 31, 2018

More publications by Jennifer A. Beckage, Esq., CIPP/US, CIPP/E

    • "Construction Industry - Target For Data Breaches" Construction Exchange of Buffalo & WNY, Inc. Newsletter, May 24, 2018
    • Quoted in “When Law and Technology Converge,” Buffalo Law Journal and Business First, May 2018
    • "Prepping for the GDPR Deadline,” Buffalo Law Journal, Mar. 26, 2018
    • "Regulators, Hackers, Plaintiffs, and Lawyers, Oh My,” Buffalo Business First · Mar. 16, 2018
    • "Additional FAQs Answered by the DFS Concerning the DFS Cybersecurity Regulation Address Exempt Mortgage Servicers, Not-for-Profit Mortgage Brokers, HMOs and CCRCs, and Mergers and Acquisition Matters,” Phillips Lytle Alert, Mar. 1, 2018
    • "Understanding and Managing Cybersecurity Risks Posed by Third Parties," Phillips Lytle Data Security and Privacy Blog, Feb 22, 2018
    • "Avoid Cybersecurity Fatigue and Frustration: Practical advice for businesses in a complicated cybersecurity world," Rochester Business Journal, Feb. 16, 2018
    • "SEC Issues Guidance on Cybersecurity Disclosures," Phillips Lytle Alert, Feb. 1, 2018
    • "Additional FAQs Answered by the DFS Concerning the DFS Cybersecurity Regulation," Phillips Lytle Alert, Jan. 1, 2018
    • "February 15, 2018: First Certification Deadline Under the NYSDFS Cybersecurity Regulation," Phillips Lytle Alert, Jan. 1, 2018
    • "New General Data Protection Regulation Takes Effect on May 25, 2018: Take Steps Now to Ensure Compliance," Phillips Lytle Alert, Jan. 1, 2018
    • Quoted in "Education, action needed to protect business from cyber threats," Business First, Apr. 2018
    • Featured: "Jennifer Beckage, on data security," Invest Buffalo Niagara, podcast, Feb. 2018
    • Quoted in "Another cybersecurity deadline this week for banks, insurance companies and other financial organizations," Business First, Feb. 2018
    • Quoted in "Front Line Workers Key to Defense In Cyber Attacks," Buffalo Law Journal and Business First, Jan. 2018


    • "The Impact of Blockchain Technology," Buffalo Law Journal, Nov. 1, 2017
    • "Understanding the practical and legal challenges of blockchain," Rochester Business Journal, Sept. 2017
    • Interviewed, Facebook cybersecurity matters, WKBW, July 2017
    • Quoted in: "Financial institutions must boost security," Business First, May 2017
    • Quoted in Business First & Buffalo Law Journal articles on responding to cyberattacks, May 2017
    • "A Lesson Plan for Data Security: Protecting School Data," Phillips Lytle Alert, May 1, 2017
    • "The Value of Tabletop Exercises to Crisis Response," Buffalo Law Journal, Mar. 1, 2017
    • "NIST Introduces Proposed Updates to Cyber Security Framework," Phillips Lytle Alert, Feb. 1, 2017
    • "Record Retention & Destruction Policies for Health Care Providers," Phillips Lytle Alert, Feb. 1, 2017
    • "The NYS DFS Has Revised Its Proposed Cyber Security Regulation," Phillips Lytle Alert, Jan. 1, 2017

2016 and earlier

    • "Trump and Technology," Phillips Lytle Newsletter Global Coverage, Dec. 1, 2016
    • "In the Wake of Brexit, the UK Offers Practical Advice for Those Looking to Comply with GDPR," Phillips Lytle Alert, Nov. 1, 2016
    • "The NYS Department of Financial Services’ Proposed Cyber Security Regulation," Phillips Lytle Alert, Nov. 1, 2016
    • “Tips for Cost-Effective & Secure Methods to Review Documents During an Investigation or Litigation,” Phillips Lytle Alert, May 1, 2016
    • "Landscape of Food-Product Litigation & Regulation," Phillips Lytle Alert, Dec. 1, 2014
    • “Shift E-Discovery Costs To The Requesting Party,” Phillips Lytle Alert, Jun. 1, 2013

The Beckage Firm PLLC