Ieuan G. Mahony

Ieuan G. Mahony is a partner in Holland & Knight's Boston office. He focuses a core element of his practice on data privacy and security, with particular attention to compliance and contract-based issues. Mr. Mahony's representative matters include:

• Advising data controllers, data processors, subscribers and service providers on data security issues in connection with IT outsourcing and cloud service procurement agreements. The matters include advice concerning service level agreements (SLAs), information security policies, risk assessments, PCI-DSS, SSAE No. 16 audits (for example), third party security verifications, data backup and network redundancy.
• Reviewing data flows and structures, and developing and implementing privacy and security policies for companies in the following illustrative industries: financial services providers; credit reporting and monitoring services; retirement fund services; travel services; pharmaceutical provider (targeted to new compound); online consumer goods retailers; medical information and informatics providers; medical blood and tissue bank donation services; translation services (online and traditional); geospatial information services; real estate maintenance services; real estate brokerage services; electronics manufacturing and distribution; transportation services; political campaign organizing services; educational services (K-12 and college/university); for-profit distance education services; online music licensing services; and online musical and dramatic performance rights licensing services.
• Assisting international pharmaceutical company in migrating EU-based servers to the U.S. and centralizing associated IT functions. Reviewed the company's current privacy policies and compliance program. Managed and coordinated local counsel in EU member states to ensure compliance with the EU Data Protection Directive and country specific laws and requirements. Assisted company in reviewing local counsel advice and in determining compliance approach, including (i) registration with local data protection officials, (ii) managing timelines for compliance and migration dates in each country, (iii) drafting notifications to employees regarding the upcoming server migration, and (iv) revising global and local policies for local compliance.
• Advising an international company concerning compliance with (i) call recording disclosure and consent requirements under the Electronic Communications Privacy Act, its implementing regulations and similar state laws and (ii) robocalling requirements and restrictions under the Telephone Consumer Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention, respective implementing regulations, as well as similar state laws.
• Establishing compliance policy for an international electronics manufacturing service provider with more than 35,000 employees and worldwide plants, including plants in South America, Mexico, the United States, Austria, Belgium, England, France, Hungary, Ireland, Italy, Poland, Scotland, India, China and Japan.
• Advising online disease management and managed care providers in connection with telehealth and other remote healthcare delivery mechanisms. The representations included advice concerning sensitive personal and medical information, ownership and rights in user data, and in aggregated and de-identified data for data mining purposes.
• Representing convention center and travel industry participants in transactions with data aggregators, online travel services providers, hotels and local attractions in connection with online referral arrangements, online behavioral advertising and user-generated content, including user ratings of services.
• Representing national pharmacy benefits manager ("PBM") in the creation of a secure PBM portal connecting through federated identity and single sign-on technology (a) a set of PBMs and (b) the primary employer/client of the PBMs, a leading national bank. The representation included tying security obligations to criteria of specified standards setting organizations and specifying data segregation methods between PBMs.
• Representing leading industry consortium in planning and implementation of mitigation action plan for software security vulnerability.
• Representing data center services and managed services provider in connection with hosted data center infrastructure and cloud services. The matter involves a series of transactions whereby our client (i) increases its services offerings, including cloud services offerings, through upstream vendor contracts, and (ii) provides to customers these services bundled with its own services. The transaction also addresses structures to facilitate "modular" use of upstream vendors, with an ability to "plug and unplug" vendors and specific vendor offerings efficiently, to permit scaling and low transaction costs in connection with the cloud and data center services generally.
• Advising retailer concerning class action complaint against a third party retailer, asserting improper collection of information (ZIP codes) from customers using credit cards.
• Representing transportation authority in connection with hacker threat to disclose -- at the world's largest hacker convention -- information compromising smartcard and magnetic stripe payment structures; relied on the Computer Fraud and Abuse Act to obtain an injunction preventing the hackers from presenting at the conference, based in part on "responsible disclosure" principles. Massachusetts Bay Transportation Authority v. Zack Anderson, RJ Ryan, Alessandro Chiesa, and The Massachusetts Institute of Technology, United States District Court, District Of Massachusetts Civil Action No. 08-11364-GAO