Robinson Cole LLP
High Contrast Mode
Marquee

Data Privacy + Cybersecurity

Data privacy and cybersecurity increasingly affects all businesses and industries. To handle this complex and rapidly changing area of law, our Data Privacy + Cybersecurity practice group collaborates with lawyers throughout Robinson+Cole’s diverse practice areas.

Each member of our highly experienced team understands the spectrum of challenges businesses may face with evolving digital technologies. We are dedicated to helping you achieve success, providing you with the right resources to match your specific business needs.

Our Services

Our clients include public and private companies in all industries, including:

  • Software companies
  • Companies with websites and mobile apps
  • Health care providers and hospital systems
  • Retail and marketing companies
  • Higher education providers
  • Start-up companies
  • Tax-exempt organizations
  • Utilities, manufacturing, energy, and wireless telecommunications service providers

Our team regularly works with federal and state data privacy and security rules and regulations, including:

  • California Consumer Privacy Act (CCPA) and Privacy Rights Act and implementing regulations and state data privacy laws and emerging privacy regulations
  • Laws and regulations applicable to tracking technology and pixels
  • Children's Online Privacy Protection Act (COPPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)
  • European Union (EU) General Data Protection Regulation (GDPR) and revised Standard Contractual Clauses (SCCs)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Aviation Administration’s (FAA) Small Unmanned Aerial Systems (UAS) regulations (Part 107), and state and local laws related to the use of UAS and privacy concerns
  • Federal Trade Commission Act (FTC Act)
  • FTC's Telemarketing Sales Rule (TSR)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • New York Department of Financial Services Cybersecurity Regulations
  • Consumer protection enforcement actions by Attorneys General or federal agencies including the Office for Civil Rights and the Federal Trade Commission
  • SEC cybersecurity regulations
  • State data security laws and regulations, including implementation of statutorily required Written Information Security Programs
  • State and federal data privacy and security laws and regulations related to employee and workplace privacy
  • State specific biometric information privacy laws and regulations
  • Telephone Consumer Protection Act (TCPA)
  • Video Privacy Protection Act (VPPA)

Our lawyers are knowledgeable about data collection technology, including the use of tracking technology like cookies and pixels for targeted advertising and behavioral advertising. We also understand the value and risks of collecting and using data for marketing and strategic purposes.

The team has a significant HIPAA compliance practice and assists covered entities and business associates navigate the intricacies of HIPAA, guidance from the OCR, and OCR enforcement actions. We have vast experience with HIPAA data breach response and statutory requirements.

Our Financial Services Cyber-Compliance team helps protect our banking, insurance, and financial services clients on a wide range of issues, including implementation of enterprise-wide cybersecurity programs, and adoption of required written cybersecurity policies and procedures to comply with state and federal laws.

Our Team

Our team is well-versed in incident and data breach response, mitigation, remediation, coordination, and litigation, including investigations by the U.S. Office for Civil Rights and state Attorneys General (AGs). We coordinate forensic investigations and mitigation tactics in the event of ransomware or other cyber attacks.

Our attorneys advise our clients in data mapping and development of enterprise-wide privacy and security plans, and compliance with privacy requirements and industry-specific regulations. We also advise on sharing and transfer of collected data and assist with strategy to minimize risk associated with the collection, use and disclosure of data. We regularly structure arrangements relating to data transfer, and prepare technology contracts and information security addenda to outline appropriate protection obligations for the sharing and care of customer and patient data.

We promote practices and policies to safeguard data against accidental or deliberate disclosure, including security programs. We provide tailored education programs for employees, executives and boards. We have completed dozens of cybersecurity tabletop exercises, which are designed to experience a live cybersecurity event and response.

Our lawyers also work with clients to develop website and mobile app privacy policies and terms and conditions of use, and social media policies, practices, and procedures.

Our Robinson+Cole team members also author the Data Privacy + Cybersecurity Insider blog, providing clients with timely, thoughtful, and cutting-edge legal news and perspectives about data privacy and cybersecurity issues. The widely-recognized blog has received multiple Readers Choice Awards distinction from JD Supra and featured in FeedSpot's "100 Best Infosec Blogs and Websites in 2025."

We actively speak at industry-sponsored programs on data privacy and cybersecurity developments, cases, trends, and agendas. We proactively track updates to federal and state privacy and security laws and proposals.

Our Data Privacy + Cybersecurity team is here to help you navigate the ever-evolving complexities of nationwide laws and regulations, providing skilled legal services for businesses in the digital sphere.

Data Privacy + Cybersecurity Insider


Threat Actors Using FIFA Spoofed Websites to Launch Attacks

The FBI and the Internet Crime Complaint Center (IC3) has issued a public service announcement warning the public about a surge in malicious spoofed websites related to the FIFA games. Cybercriminals are using these fake sites to impersonate FIFA, tricking fans into giving up personal information, credit card numbers, or buying counterfeit tickets and fake travel packages. “The malicious domains employ typosquatting and alternative top-level domains (TLDs) to impersonate the official FIFA domain (fifa.com), deceiving users into divulging sensitive information or purchasing counterfeit tickets and hospitality packages. The sophistication of these sites is such that even experienced users may be fooled, especially as attackers leverage HTTPS certificates and cloned branding.” Two cybersecurity research firms have identified over 1400 malicious spoofed websites. These websites include operating fake visa and travel portals, and fraudulent hospitality and ticketing sites. In addition, “the scale of credential theft is staggering, with more than 1.5 million compromised accounts and 7,300+ leaked credentials related to FIFA and its partners being traded on the dark web.” Enjoy watching the games, but don’t let these fake domains fool or scam you. Here are some tips to avoid becoming a victim: Access FIFA resources only via https://www.fifa.com and official subdomains. Block and monitor the IOCs listed above at the network perimeter. Educate staff and fans about the risks of fake ticketing and job sites. Monitor for phishing campaigns using World Cup themes. Coordinate with law enforcement and FIFA’s official cybersecurity partners for incident response.

Visit Blog

Message Received: PA Courts Say TCPA Do-Not-Call Rules Apply to Text Messages

On June 17, 2026, the U.S. District Court for the Eastern District of Pennsylvania denied Brown-Daub Chevrolet of Nazareth’s motion to dismiss a putative class action alleging violations of the Telephone Consumer Protection Act’s (TCPA) National Do Not Call Registry (DNCR) provisions. In Pero v. Brown-Daub Chevrolet of Nazareth (E.D. Pa. June 17, 2026), the court considered whether a text message is a “telephone call” under Section 227(c) of the TCPA, and concluded that it is. The TCPA restricts certain telemarketing communications and, through Section 227(c), provides a private right of action to a person who receives more than one prohibited telephone call within a 12-month period. The plaintiff alleged that she registered her number on the DNCR in 2021, gave the dealership her number in October 2024 to receive truck sales information, later opted out of texts, and then received six unwanted texts between January 8 and March 28, 2025. The court’s analysis is notable in the current  environment. The Supreme Court recognized that Chevron deference has been abolished and that courts must exercise independent judgment rather than defer automatically to agency interpretations. At the same time, it emphasized that agency interpretations may still deserve respect as the product of “a body of experience and informed judgment,” particularly where Congress delegated implementation authority to the FCC. Turning to the statutory text, the court focused on Section 227(a)(4), which defines “telephone solicitation” as the initiation of a “telephone call or message” for telemarketing purposes. Although texts did not exist when Congress enacted the TCPA, the court found that Congress “intended to prohibit more than solicitations by telephone” because it also used the phrase “by message.” Applying ordinary meaning, the court concluded that a text message is “a communication (message) transmitted by a telephone,” and therefore falls within the statute. The court also gave “considerable weight” to the FCC’s interpretation and noted the FCC’s 2024 clarification that DNCR protections extend to text messages. Considering the statutory language, FCC rules, and the “overwhelming majority of courts,” the court held that texts are calls under Section 227(c). For companies using SMS campaigns, they should treat texts to DNCR-listed numbers as regulated telemarketing contacts, confirm the required consent, and make opt-outs durable across systems and personnel. The decision also suggests that post-Loper Bright challenges to FCC TCPA interpretations may face headwinds where the agency’s position aligns with statutory text and the weight of judicial authority.

Visit Blog

Another CIPA Warning Shot: DraftKings Sued Over Website Tracking Tools

DraftKings is the latest target in California’s wave of California Invasion of Privacy Act (CIPA) website-tracking litigation. In Hughes v. DraftKings Inc., filed in the Central District of California, plaintiff Dana Hughes alleges that DraftKings operated its website with data broker software from NextRoll, The Trade Desk, and Comscore that secretly collected data about website visitors, their devices, locations, page views, and browser characteristics to identify and track users for marketing and profiling purposes. The complaint alleges that Hughes visited the DraftKings website and that data reasonably likely to identify her was transmitted to at least three third parties through code running on the site.  The core CIPA theory is familiar but still high stakes: the complaint claims the tracking code operated as an unlawful “trap and trace device” under California Penal Code section 638.51 because it captured electronic signals and identifying information from visitors’ devices without a court order or consent. Hughes seeks class certification, statutory damages under CIPA, punitive damages, restitution, disgorgement, injunctive relief, attorneys’ fees, and other relief. For companies, the warning is straightforward: plaintiffs are continuing to scrutinize routine website advertising and analytics tools through the lens of California’s wiretap and trap-and-trace laws. The DraftKings complaint targets third-party tags that many businesses may view as standard marketing infrastructure, including retargeting pixels, cookie-based identifiers, browser fingerprinting, cookie matching, and cross-site tracking tools. Businesses that receive CIPA demands or complaints should quickly map which third-party scripts run on their sites, what data those scripts collect or transmit, whether the vendors are data brokers or advertising technology providers, and what consent, disclosure, and vendor controls are in place before responding.

Visit Blog

Five Eyes Issue “Call to Action” to Protect Against AI Cyber Threats

The leaders of the Five Eyes cyber security agencies, representing Australia, New Zealand, Canada, the United Kingdom, and the United States, issued an alert on June 22, 2026, entitled “The AI Shift in Cyber Risk: Why Leaders Must Act Now” urging organizations to a “call to action” to protect against cyber threats both for organizations and society as a whole. The Five Eyes are expressing urgency because artificial intelligence (AI) is quickly changing cyber risk, and organizations need to act fast to keep up. The call to action is informed by the fact that AI can improve cyber defense, but it also makes cyber-attacks faster, larger, and more advanced, including how attacks happen and how organizations can defend against them. Because of this, the Five Eyes urge that cyber resilience is critical for business continuity, market confidence, and long-term success. The Five Eyes encourage leaders to: understand and assess risks, readiness, and accountability  focus on basic cybersecurity practices and controls  give cyber leaders the authority and resources they need  stay involved as threats and guidance change  The alert emphasizes how “success for organizations depends on getting the basics right, acting quickly, and making cybersecurity part of the core business strategy.” It stresses that cyber risk is not just a technical issue—it is a business risk and a leadership responsibility. Boards and executives must ensure systems are resilient and work under pressure. It is not enough to have controls; leaders must know those controls will work during a real incident. This may require rethinking past decisions and using AI carefully to strengthen defenses, not just improve efficiency. The alert outlines key actions for leaders, including: Build systems to be secure from the start and by default  Do not rely on a single solution—use multiple layers of defense  Expect new and unknown vulnerabilities as AI evolves, including zero-day risks It also lists “urgent” practical actions: Reduce your attack surface: Limit unnecessary access and external connections. Only expose systems when truly needed.  Speed up patching: AI is reducing the time between finding and exploiting vulnerabilities. Delays increase risk, especially for older systems.  Fix legacy systems: Unsupported systems are easy targets and create serious risk.  Strengthen access controls: Limit who can access critical systems. Use strong authentication and regularly review permissions.  Prepare for incidents: Test response plans, train teams, and assume breaches will happen. Focus on quick containment and recovery. It also suggests that leaders use AI to strengthen defense against cyber-attacks. Getting ahead of cyber-attacks when threat actors are using AI requires continued preparedness and the ability to use tools to detect, monitor, and defend against them, including AI tools developed for defense purposes. If ever there was digital warfare, it is now with the proliferation of AI enhanced tools. Leaders of all organizations should review the recommendations by the Five Eyes and implement them for the preparedness of the organization and society.

Visit Blog

AI in Insurance: The Real Test Is Readiness, Not Technology

After several years of experimenting with generative AI, machine learning, and AI agents, many insurers are no longer asking whether AI belongs in the business. The harder question is whether a pilot is ready to scale. The answer usually is not found in the model architecture or the novelty of the tool. It is found in how the organization talks about AI: whether leaders can tie the use case to specific business outcomes, define the process changes required, and explain how human teams will rely on the output in day-to-day work. That distinction matters because AI can easily become a solution in search of a problem. A technically impressive pilot may still fail if it addresses an “interesting” problem rather than an important one. The AI use cases most likely to scale are the ones embedded into core workflows, not bolted on as side experiments. In insurance, that often means giving underwriters, claims teams, or operations personnel tools that help them review, prioritize, and decide more effectively, while preserving clear human oversight and accountability. For carriers, the scaling question is also a governance question. Before expanding an AI pilot, organizations need to be clear about whether AI is making decisions, recommending actions, summarizing information, or helping employees work faster. They also need data showing whether users trust the tool, when they override it, and where it may create downstream risk across interconnected systems. Moving too fast without governance creates obvious regulatory and operational concerns. But waiting too long has its own risk. The carriers best positioned for the next phase of AI adoption will be those that treat scaling as a readiness exercise: aligning business value, workflow design, oversight, infrastructure, and regulatory expectations before the pilot becomes part of the enterprise.

Visit Blog

Privacy Tip #497 – LastPass Security Incident Raises Concern for Targeted Phishing Attacks

LastPass has confirmed that a security incident with a vendor, a third-party market intelligence platform “which integrates with our Salesforce and Gong systems” has compromised some customers information. As a result, the threat actor was able to use credentials to access LastPass customer data within its Salesforce environment. The compromised information includes “business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.” LastPass is recommending that customers: “remain vigilant of potential phishing attacks or social engineering attempts, which could leverage exposed contact details. Always exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information. Please remember that no one at LastPass will ever ask for your master password. All official communication from LastPass comes through our trusted support channels. “ These are sound tips generally, but particularly helpful if you have a LastPass account.

Visit Blog

Darktrace Report Highlights Cyber Threats Against Global Sporting Sector

In a recently released report titled Cybersecurity in Global Sport: Threats, Signals, and Strategic Implications for a Digitized Industry, cybersecurity firm Darktrace has outlined “the current challenges the global sporting sector faces and...forward-looking views on future challenges as AI increasingly becomes adopted across the sector.” The Report’s conclusions were the result of a survey to 875 IT cybersecurity professionals across sports organizations located in the U.S., U.K., Australia, and Germany. Because the global sports industry “has undergone a rapid and continuous digital transformation” (including digital ticketing platforms, broadcasting, mobile applications, and third-party vendor support), and sports organizations are adopting generative AI and agentic AI tools, emerging cybersecurity threats are targeting these organizations. The Report’s key takeaways include: 84% of professional sports organizations surveyed have experienced at least one cyber incident in the past 12 months, with more than half (57%) hit multiple times. This underscores that cyber risk is already an operational issue for the sector. 34% of respondents cited stadium operations as the most critical function to protect during a live event, reinforcing that cyber resilience in sport is defined by high-visibility moments where downtime is least acceptable. Sports sector customers received 19% more phishing emails than non-sports sector customers, reinforcing that email and identity remain dominant attack vectors for sports organizations. 21% of phishing emails targeting sports sector customers were sent to VIPs, while 37% contained novel social engineering techniques, highlighting how attackers are focusing on high value identities and adapting tactics to exploit urgency, trust, and operational complexity in the sports sector. 47% of respondents cited AI prompt risks and attacks and AI development risks and deployment as top concerns for AI use within their organizations. 72% of IT cybersecurity professionals from sports organizations surveyed believe AI will increase cyber risk over the next 12 months as adoption grows in high stakes areas including stadium operations, ticketing and fan engagement, and business operations. Sports organizations have been victimized by various threats including: “client-side payment skimming, ransomware outbreaks, and compromise of ecommerce infrastructure through third-party scripts. Fan platforms and mobile applications have been accessed via exposed keys and weak API security, placing large user populations at risk.” Darktrace suggests that organizations treat cyber risk “as an operational and governance challenge” to be resilient against attacks. This includes: 1.         Threat modeling for emerging technologies, including AI misuse; 2.         Rigorous supply chain governance and vendor access control; 3.         Strong segmentation across IT, OT, and fan-facing systems; 4.         Identity-centric security with anomaly detection and universal multi-factor authentication (MFA); 5.         Phishing resilience across all channels, including QR-based vectors; and 6.         Operational playbooks aligned to live event constraints. The Report is a must read for those in the sports sector

Visit Blog

ShinyHunters Targeting Higher Education Sector

Researchers from Mandiant and Google Threat Intelligence Group are warning the higher education sector, including universities, that ShinyHunters has exploited an Oracle PeopleSoft zero-day vulnerability and has “potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.” ShinyHunters has reportedly started publishing the names of the compromised victims and stolen data. The vulnerability (CVE-2026-35273) “allows unauthorized attackers to execute remote code and takeover affected servers.” Oracle has published mitigation steps, but a patch has not yet been released. According to Mandiant, “This campaign is still active.” Google adds that “most of the potential victim pool is based in the United States and 68% are in the higher education sector.” If you are in the higher education sector, implement Oracle’s mitigation steps  as soon as possible, and look out for a released patch.

Visit Blog

Honey, Where’s the Harm?

A recent court order from the Northern District of California offers a useful reminder that not every alleged collection of browsing data will support an invasion-of-privacy claim. In Campbell v. Honey Science, LLC (N.D. Cal. June 15, 2026), the plaintiffs alleged that PayPal’s Honey browser extension promised to search for and apply the “best” coupons or discount codes when users shopped online, but sometimes failed to provide the lowest available price. According to the complaint, Honey allegedly did not actually search the internet for discount codes and instead used codes from affiliate networks, a website, or Honey subscribers, while also allegedly maintaining vendor agreements that affected which discounts would be applied. The plaintiffs asserted claims under California’s Unfair Competition Law, unjust enrichment, and invasion of privacy. On the invasion of privacy front, the plaintiffs alleged that Honey examined users’ visited websites and browser cookies without adequate disclosure or consent. The court assumed, for purposes of the motion, that browsing history could involve a legally protected privacy interest and a reasonable expectation of privacy. However, the court held that this was not enough. To state a California invasion-of-privacy claim, according to the court, the plaintiffs also had to allege conduct that was “highly offensive” and amounted to a serious invasion of privacy. That element turned on context. The court contrasted Honey with cases involving more surreptitious tracking, including tracking after a user logged out of an account. Honey, by contrast, was a browser extension downloaded for the “express purpose” of monitoring online shopping activity and applying coupon codes at checkout. Therefore, the court held that the alleged collection looked more like “routine commercial behavior” than a highly offensive privacy intrusion. The court also held that the pleading lacked the details needed to turn tracking into an actionable privacy claim. The plaintiffs did not allege what specific browsing behavior Honey tracked, what information was collected, or why that information was “embarrassing, invasive, or otherwise private” enough to make the collection highly offensive. The court rejected the idea that collection of browsing data, standing alone, was enough “without more detail.” Browser extensions, plug-ins, apps, shopping tools, and loyalty technologies should still be built around clear disclosures, appropriate consent flows, and data minimization. Still, where data collection aligns with the product’s apparent function, plaintiffs may need specific allegations of sensitive, unexpected, or intrusive tracking to state a privacy claim.

Visit Blog

FCC Narrows Foreign Drone Restrictions with Toy Exception

The Federal Communications Commission (FCC) has narrowed its foreign-produced drone restrictions by removing a specific category of “Toy Drones” and “Toy Drones that contain foreign-produced components” from the FCC Covered List. The June 15, 2026, Public Notice follows a June 12, 2026, National Security Determination from the Department of War, which found that this defined class of devices does not pose an unacceptable risk to U.S. national security or to the safety and security of U.S. persons. The update refines the FCC’s broader December 2025 action, which added foreign-produced uncrewed aircraft systems and UAS critical components to the Covered List, subject to later specific determinations that particular systems or components do not present the same level of risk. The key takeaway is that the exception is narrow. To qualify as a “Toy Drone,” a device must meet a detailed set of technical and marketing criteria, including a maximum take-off weight of 150 grams, line-of-sight operation of 100 meters or less, maximum sustained altitude of 300 feet, no GPS or equivalent navigation system, no internet, mobile app, cellular, or Wi-Fi connectivity, no imaging or sensing capabilities, flight time of 10 minutes or less, and marketing as a toy for recreational use. The Department of War framed the distinction around capability: low-risk toys lack the range, endurance, sensing, payload, connectivity, and data collection or storage features that raise national security concerns in more capable UAS. For drone manufacturers, importers, retailers, and equipment authorization applicants, the notice offers a clearer view into how federal officials are separating low-risk consumer toy products from higher-risk drone systems. The Covered List now expressly excludes foreign-produced Toy Drones, as defined in the National Security Determination, and Toy Drones that contain foreign-produced components, while leaving the broader restrictions in place for foreign-produced UAS and UAS critical components that do not fit an exception. Companies should treat the update as a targeted compliance opening rather than a general relaxation of the FCC’s drone-related supply chain restrictions

Visit Blog

Deepfake Site Taken Down by DOJ + DHS

On June 12, 2026, the U.S. Departments of Justice and Homeland Security announced that deepfake domains CFAKE.com and SOCFAKE.com were seized and taken down using the TAKE IT DOWN Act. The seized domains “were being used to publish thousands of digitally forged images and videos depicting famous women as nude and sometimes engaged in sexual activity, without their consent.” The deepfakes included royalty, journalists, television personalities, athletes, entertainers, and others. According to the press release, “The website allowed people to browse by tags that included topics like ‘rape,’ ‘forced,’ and ‘degradation.’” U.S. authorities were alerted to the website by Italy’s Polizia di Stato Postal and Cybersecurity Policy. After a U.S. investigation, evidence was shared with French authorities, who also investigated and made an arrest in Nice on June 10, 2026. This is a great example of how important international law enforcement cooperation is in prosecuting individuals outside of the U.S. and taking down harmful and illegal domains. This is a big win for law enforcement in the U.S., Italy, and France in combatting deepfakes.

Visit Blog

Why AI Is Changing Anonymized Data Rules

For years, companies have treated anonymization as a legal comfort zone. Remove names, emails, phone numbers, and other identifiers, and the remaining dataset was often viewed as safer to share, analyze, monetize, and retain. That assumption is getting harder to defend. Artificial intelligence (AI) has changed the practical re-identification analysis by making it easier to connect patterns across datasets, infer identity from indirect signals, and combine “anonymous” information with public, breached, scraped, or commercially available data. Location trails, purchase histories, voiceprints, facial geometry, writing style, device signals, and other data points may not identify someone on their own, but AI can make those fragments far more revealing when viewed together. The legal and business takeaway is important: anonymization should no longer be treated as a permanent status. It is better understood as a technical condition that can degrade over time. Regulators are beginning to reflect that reality, including through frameworks that do not automatically exclude anonymized, de-identified, or pseudonymized data when re-identification remains realistic. The question is shifting from “Did we remove direct identifiers?” to “Could a reasonably capable actor re-identify individuals using current tools and available data?” That shift matters for consent strategies, disclosure obligations, litigation exposure, vendor contracting, AI training rights, audit provisions, and liability allocation. De-identification still matters, but it needs to sit inside a more modern governance model. Companies should evaluate re-identification risk on a recurring basis, account for external data sources, restrict downstream use, prohibit re-identification attempts, and apply technical controls such as differential privacy, synthetic data, aggregation, and formal risk testing where appropriate. The organizations best positioned for this next phase will treat identifiability as a spectrum, not a binary switch. In an AI-driven data ecosystem, “anonymous” is not the end of the privacy analysis. It is the beginning of a continuing risk management obligation.

Visit Blog

Privacy Tip #496 – Imposter Scams Hit Senior Population Hard: How to Avoid Becoming a Victim

June 15, 2026, was designated World Elder Abuse Awareness Day. One of the ways seniors are victimized is through financial scams. According to the Federal Trade Commission (FTC), “in 2025, [elderly] people reported losing about $16 billion to scams, compared to $12.8 billion the previous year. And because not everyone who experiences a scam reports it, this likely represents only a fraction of the actual amount lost.” Imposter scams are one of the most common ways seniors become financial fraud victims. An imposter pretends to be someone else, such as a government, bank, or law enforcement, friend or family member and contacts the victim through phone, text, email, or other messaging to obtain information to further financial fraud. Threat actors commonly pose as an Internal Revenue Service agents and call the victim to let them know they are behind on their taxes and if they don’t pay up immediately, something dreadful will happen. They use scare tactics to quickly obtain credit card information, cash, or personal information from the victim. Awareness of imposter scams can prevent you from becoming a victim. Here are some tips to help you avoid them.

Visit Blog

CISA + Partner Warn That Automatic Tank Gauge Systems Are Being Targeted

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department of Energy (DOE), the Environmental Protection Agency (EPA), the Transportation Security Administration (TSA), the Department of Transportation (DOT), and the U.S. Department of Agriculture (USDA) recently issued an alert warning of malicious cyber activity targeting U.S.-based automatic tank gauge (ATG) systems. ATG systems are widelyused throughout the Energy, Chemical, Food and Agriculture, and Transportation Systems Sectors forautomated and remote monitoring of storage tank parameters, including fuel and liquid levels,temperature, and possible leak detection. The authoring organizations urge ATG owners and operators todefend against this malicious activity by securing their ATG systems with strong passwords and byremoving them from the internet to reduce public exposure. According to the alert, the recent malicious cyber activity “involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution.” This means that cyber actors could “disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console.” This would enable the threat actors to: Alter system(s) attributes, such as network settings, product identifiers, tank volumes, and pump controls; Compound operational malfunctions; components operating incorrectly could create a denial of view condition of tank fill levels, which could cause permanent damage to the tank system’s critical function; Disable system alerts, reducing an operator’s ability to detect and mitigate system issues increases the risk of environmental or physical hazards from incidents such as leaks or relay failures. The alert provides mitigation steps which should be implemented immediately.

Visit Blog

Doxim Data Breach Settlement Underscores Third-Party Data Security Risk

On May 5, 2026, the parties in In re Doxim, Inc. Data Security Incident Litigation (E.D. Mich. June 13, 2024), filed a proposed $5.5 million class action settlement arising from a cyber incident involving Doxim, a software provider serving credit unions, wealth management service providers, and banking sectors in the United States and Canada. Doxim detected suspicious activity on December 30, 2023, in the part of its network supporting credit union services. It later determined that files had been removed from its network and that those files included names, mailing addresses, account numbers, and/or Social Security numbers. Doxim began notifying affected individuals on approximately May 31, 2024. In the litigation that followed, Plaintiffs alleged that Doxim failed to implement and maintain reasonable safeguards, failed to comply with industry-standard data security practices, failed to properly train employees, failed to timely detect the unauthorized access, and failed to timely notify impacted individuals. The proposed settlement class includes 1,100,911 individuals identified by Doxim’s records. The case illustrates how a vendor incident can become a customer-data incident. If a service provider processes, stores, or transmits sensitive customer information, a breach at the service provider can still affect the organization’s customers and create risk around whether reasonable safeguards were in place, whether the vendor followed industry-standard security practices, whether employees were properly trained, and whether unauthorized access was timely detected and disclosed. For organizations using vendors to handle sensitive customer data, the diligence question is not only whether the vendor can perform the service, but whether it has appropriate safeguards for the data it receives.

Visit Blog

Experience


Software + Technology Contract Negotiations

Represented multiple companies in the negotiation of software and technology contracts with third-party vendors.

Start-Up Policy Development

Worked with multiple start-up organizations in developing privacy policies and terms of use for websites and mobile applications, as well as privacy and security plans and compliance programs.

Data Breach Assistance

Assisted dozens of organizations with reportable data breaches, including notification, mitigation, and regulatory enforcement, as well as class action defense.



News


June 29, 2026

Linn Freedman Recognized Among 2026 Cybersecurity/Data Privacy “Go To Lawyers”

Data Privacy + Cybersecurity practice and AI Team chair Linn Freedman was recognized as a “Massachusetts Go To Lawyer” in the area of Cybersecurity/Data Privacy by Massachusetts Lawyers Weekly (MLW) and profiled in a special section published on June 29, 2026. MLW’s “Go To Lawyer” recognition showcases top lawyers in their respective fields from across the Commonwealth nominated by their colleagues and selected by a panel from Lawyers Weekly. A “Go-To Lawyer” is a senior attorney with deep command of case law, statutes, and regulations; a proven track record of success in significant matters and transactions; a trusted advisor to whom other lawyers routinely refer work because of demonstrated expertise and accomplishments; and a creative, strategic thinker who identifies and evaluates all available options to achieve the best outcomes for clients. Read the special section, here.

Massachusetts Lawyers Weekly
June 4, 2026

Robinson+Cole Recognized Across Practices and Regions with 46 Chambers USA 2026 Rankings

Chambers & Partners
Robinson+Cole Recognized Across Practices and Regions with 46 Chambers USA 2026 Rankings teaser
April 17, 2026

Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee

Beta Gamma Sigma Society
Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee teaser
June 29, 2026

Linn Freedman Recognized Among 2026 Cybersecurity/Data Privacy “Go To Lawyers”

Data Privacy + Cybersecurity practice and AI Team chair Linn Freedman was recognized as a “Massachusetts Go To Lawyer” in the area of Cybersecurity/Data Privacy by Massachusetts Lawyers Weekly (MLW) and profiled in a special section published on June 29, 2026. MLW’s “Go To Lawyer” recognition showcases top lawyers in their respective fields from across the Commonwealth nominated by their colleagues and selected by a panel from Lawyers Weekly. A “Go-To Lawyer” is a senior attorney with deep command of case law, statutes, and regulations; a proven track record of success in significant matters and transactions; a trusted advisor to whom other lawyers routinely refer work because of demonstrated expertise and accomplishments; and a creative, strategic thinker who identifies and evaluates all available options to achieve the best outcomes for clients. Read the special section, here.

Massachusetts Lawyers Weekly
June 4, 2026

Robinson+Cole Recognized Across Practices and Regions with 46 Chambers USA 2026 Rankings

Chambers & Partners
Robinson+Cole Recognized Across Practices and Regions with 46 Chambers USA 2026 Rankings teaser
April 17, 2026

Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee

Beta Gamma Sigma Society
Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee teaser
April 15, 2026

Robinson+Cole Presented with 2026 Law Firm Excellence in Innovation Award

Massachusetts Lawyers Weekly
Robinson+Cole Presented with 2026 Law Firm Excellence in Innovation Award teaser
March 19, 2026

Roma Patel Authors Article on Secondary Liability and AI

The Licensing Journal
March 18, 2026

Linn Freedman Sounds the Alarm About the Growth of Deepfake Content

Corporate Counsel
March 16, 2026

Kathryn Rattigan Quoted on Disney CCPA Opt-Out Settlement

Cybersecurity Law Report
February 25, 2026

Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards

JD Supra
Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards teaser
February 19, 2026

Linn Freedman Receives Global Ranking in Chambers Global Guide 2026

Chambers & Partners

April 15, 2026

Robinson+Cole Presented with 2026 Law Firm Excellence in Innovation Award

Massachusetts Lawyers Weekly
Robinson+Cole Presented with 2026 Law Firm Excellence in Innovation Award teaser
March 19, 2026

Roma Patel Authors Article on Secondary Liability and AI

The Licensing Journal
March 18, 2026

Linn Freedman Sounds the Alarm About the Growth of Deepfake Content

Corporate Counsel
March 16, 2026

Kathryn Rattigan Quoted on Disney CCPA Opt-Out Settlement

Cybersecurity Law Report
February 25, 2026

Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards

JD Supra
Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards teaser
February 19, 2026

Linn Freedman Receives Global Ranking in Chambers Global Guide 2026

Chambers & Partners

Events


Past

2026 Pennsylvania Legal Awards

Jun 11 2026
Hilton Philadelphia at Penn’s Landing
Past

Managing Matter Mobility - Setting Defensible Rules for Data Leaving or Entering the Firm

Mar 9 2026
Law.com Legalweek 2026
Past

2026 Pennsylvania Legal Awards

Jun 11 2026
Hilton Philadelphia at Penn’s Landing
Past

Managing Matter Mobility - Setting Defensible Rules for Data Leaving or Entering the Firm

Mar 9 2026
Law.com Legalweek 2026
Past

Mastery of IG: Legal and Regulatory

Feb 19 2026
ARMA IG Mastery Session 4
Past

State AI Laws and the Federal EO: Effective Dates, Scope, Enforcement, Compliance Planning

Jan 27 2026
Barbri Webinar
Past

Deepfakes: A Demonstration of How They are Made and Used by Threat Actors

Nov 19 2025
Boston Bar Association 2025 Privacy, Cybersecurity & Digital Law Conference
Past

Fireside Chat | The Cyber Brief: Law, Liability & Response

Sep 19 2025
SCG Legal 2025 Annual Meeting
Past

Mastery of IG: Legal and Regulatory

Feb 19 2026
ARMA IG Mastery Session 4
Past

State AI Laws and the Federal EO: Effective Dates, Scope, Enforcement, Compliance Planning

Jan 27 2026
Barbri Webinar
Past

Deepfakes: A Demonstration of How They are Made and Used by Threat Actors

Nov 19 2025
Boston Bar Association 2025 Privacy, Cybersecurity & Digital Law Conference
Past

Fireside Chat | The Cyber Brief: Law, Liability & Response

Sep 19 2025
SCG Legal 2025 Annual Meeting

Publications


Data Privacy + Cybersecurity Insider teaser
June 26, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 18, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 12, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 26, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 18, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 12, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 5, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 28, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 21, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 14, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 7, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 30, 2026

Data Privacy + Cybersecurity Insider



Data Privacy + Cybersecurity Insider teaser
June 5, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 28, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 21, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 14, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 7, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 30, 2026

Data Privacy + Cybersecurity Insider