Mark H. Francis
Mark H. Francis is a cybersecurity, data privacy and intellectual property attorney advising clients on a wide array of "tech and data" counseling, transactional and litigation matters.
Counseling. Mr. Francis focuses on data strategy and information governance, cybersecurity, technical controls, cross-border data transfers, and data privacy laws. In that capacity, Mr. Francis advises clients on:
- federal laws, including Federal Trade Commission (FTC) Section 5 requirements (unfair and deceptive practices), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Children's Online Privacy Protection Act (COPPA), Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003
- state privacy and security laws, including California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), New York SHIELD Act, Massachusetts 201 CMR 17.00
- international laws, including the EU General Data Protection Regulation (GDPR) and Brazil Lei Geral de Proteção de Dados (LGPD)
- industry standards and frameworks, including the PCI Data Security Standard (DSS), card brand operating regulations, adtech industry practices, National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) standards and other related legal and regulatory requirements
Mr. Francis has advised on the adoption of emerging technologies such as artificial intelligence and machine learning (AI/ML) with pragmatic approaches to ethical AI principles, legal and reputational risk mitigation practices, due diligence and contracting considerations.
Tech Agreements and Corporate Transactions. Mr. Francis regularly advises clients on data and intellectual property agreements and technology transactions, including master service agreements and statements of work (SOWs), open source and proprietary software licenses, IP/data transfers and licenses, e-commerce platforms, software as a service (SaaS) and cloud computing agreements. He also works with deal teams on data and technology risks and representations in corporate transactions.
Crisis Management and Incident Response. Mr. Francis has counseled dozens of clients on U.S. and global data breaches and other security incidents across a number of industries, including healthcare, financial services, retail, technology, consulting, industrial and telecommunications. He advises clients on internal and forensic investigations, regulatory and individual notifications and interactions with law enforcement and other third parties.
Cybersecurity and Data Privacy Litigation and Regulatory Actions. Mr. Francis represents clients in regulatory and state Attorney General investigations, data breach class actions and PCI assessments.
Intellectual Property Counseling and Litigation. Mr. Francis represents clients in a wide range of intellectual property (IP) litigation in federal courts across the country. His IP matters have often involved complex technologies such as wired and wireless communications, cloud computing, mobile operating systems, virtual machines, web browsers, encryption, image processing and semiconductor devices. He is a registered patent attorney with the U.S. Patent and Trademark Office and assists clients with patent prosecution, as well as copyright and trademark procurement.
Mr. Francis is an International Information System Security Certification Consortium (ISC)² Certified Information Systems Security Professional (CISSP) and EC-Council Certified Ethical Hacker (CEH). He is also an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional/United States (CIPP/US), IAPP Certified Information Privacy Technologist (CIPT) and IAPP Fellow of Information Privacy (FIP).
In addition, Mr. Francis is an accredited attorney for the preparation, presentation and prosecution of claims for veterans' benefits before the U.S. Department of Veterans Affairs (VA).
- Represent clients in digital health services agreements, including for remote/home diagnostics, telehealth services and "health pass" verification platforms
- Advise on cross-border data transfers following the Court of Justice of the European Union (CJEU) Schrems II decision, including with respect to data transfer risk assessment, contractual terms and Privacy Shield implications
- Counsel clients in response to business email compromise, wire fraud and ransomware incidents, including guidance on Office of Foreign Assets Control (OFAC) and sanctions matters
- Lead global privacy assessment of a large entertainment and media company
- Advise cloud services provider (IaaS) on data security and privacy program, including publicly posted terms of service, privacy representations and enterprise contracting forms
- Conduct pre-launch privacy assessments of a pharmaceutical provider's mental health app
- Advise clients on adoption of artificial intelligence and machine learning technology (AI/ML), including ethical principles, risk mitigation strategies, due diligence and contracting
- Advise clients across multiple industry sectors on CCPA, CPRA, GDPR, LGPD and related data privacy compliance projects
- Advise clients on data strategy and utilization with intellectual property, contractual and technical controls for data rights management
- Advise a financial services provider on third-party risk management, outsourcing and services agreements
- Advise a healthcare services provider on customer agreements
- Counsel clients on software, cloud services and outsourcing agreements, including in connection with data and intellectual property (IP) rights, cybersecurity and data privacy, service level agreements and international considerations
- Advise medical device manufacturers and digital health providers on cybersecurity programs and customer contracts
- Counsel clients in response to cyber incidents and data breaches to manage business and legal exposure, including oversight of forensic investigations, notifications, and compliance with legal and contractual obligations
- Conduct cybersecurity assessments and provide counseling on cyber governance, policies and practices, including in connection with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, International Organization for Standardization (ISO) 27000-series, Payment Card Industry Data Security Standard (PCI DSS), NIST 800-53 and Risk Management Framework (800-37), Critical Security Controls (CSC), Cloud Security Alliance (CSA) Cloud Controls Matrix, Open Web Application Security Project (OWASP) Top 10 and other industry standards
- Advise on written information security policies, privacy policies, incident response plans and other corporate policies addressing information governance, technical infrastructure and cybersecurity risk management
- Conduct merger and acquisition (M&A) due diligence in regard to cybersecurity practices, data privacy, cross-border data transfers, software and open source considerations, PCI compliance and IP rights
- Murray v. Community Care Physicians, P.C. et al. (N.D.N.Y.; Sup. Ct. Albany Cnty.): Representing defendant in purported class action for alleged data breach
- Bath Authority, LLC v. Anzzi LLC (E.D. Pa.): Represented defendant in intellectual property dispute; see 2018 WL 5112889 (E.D. Pa. Oct. 19, 2018); case dismissed with prejudice (E.D. Pa. Nov. 14, 2019)
- Enslin v. The Coca-Cola Company, et al. (E.D. Pa.): Represented defendant in purported class action for alleged data breach, summary judgment granted for defendants and affirmed on appeal; see 2017 WL 3727033 (E.D. Pa. Aug. 29, 2017), aff’d, 739 Fed. App’x. 91 (3d Cir. June 20, 2018)
- Epstone, Inc. v. Soho Studio, Corp. (S.D.N.Y.): Represented defendant in intellectual property dispute; settled on favorable terms
- Oracle America, Inc. v. Google, Inc. (N.D. Cal.): Represented defendant Google in first trial of a patent and copyright litigation involving virtual machine technology and application programming interfaces (APIs) used in the Android operating system. After a five-week jury trial, the Court held that APIs are not copyrightable as a matter of law and the jury returned a unanimous verdict rejecting all claims of patent infringement
- Mobile Enhancement Solutions LLC v. Nokia Corp. et al. (N.D. Tex.): Represented defendants Microsoft and Nokia in a patent litigation involving Long-Term Evolution (LTE) and acoustic technologies
- Lake Cherokee Hard Drive Tech., LLC v. MediaTek USA Inc. et al. (E.D. Tex.): Represented defendant Hewlett Packard in a patent litigation involving error correction codes for optical disks; case against HP was dismissed
- National Cheng Kung University v. Nokia Corporation et al. (E.D. Tex.): Represented defendant Nokia in a patent litigation involving the removal of unwanted objects from captured images; case against Nokia dismissed
- Parallel Iron LLC v. Cloudera Inc. et al. (D. Del.): Represented defendant Nokia in a patent litigation involving the Hadoop distributed file system (HDFS) for computer clusters; settled on favorable terms
- CRS LLC v. Cellco Partnership d/b/a Verizon Wireless (D. Del.): Represented defendant Verizon Wireless in a patent litigation involving content adaptation technology for mobile devices; settled on favorable terms
- Textscape LLC v. Google Inc. (N.D. Cal.): Represented defendant Google in a patent litigation involving web browser user interfaces; patent invalidated during reexamination proceedings and the case dismissed
- Michael S Sutton Ltd. v. Nokia Corporation et al. (E.D. Tex.; Fed. Cir.): Represented defendant Nokia in patent litigation relating to multimedia messaging for mobile devices; judgment entered for Nokia by the district court and affirmed by the Federal Circuit
- Fordham University School of Law, J.D.
- Fordham University, MBA
- City University of New York, B.S.
- New Jersey
- New York
- U.S. Court of Appeals for the Federal Circuit
- U.S. Court of Appeals for the Third Circuit
- U.S. District Court for the Southern District of New York
- U.S. District Court for the Eastern District of New York
- U.S. District Court for the Northern District of New York
- U.S. District Court for the District of New Jersey
- U.S. District Court for the District of Colorado
- U.S. District Court for the Eastern District of Texas
- U.S. Patent and Trademark Office
- International Association of Privacy Professionals (IAPP), Training Advisory Board, 2017-2018; CIPP/US Exam Development Board, 2020-2022
- InfraGard, New York Metro InfraGard Members Alliance, Board of Directors, 2018-2021
- International Information System Security Certification Consortium (ISC)²
- Rising Stars, New York Super Lawyers magazine, 2015-2017
- Nathan Burkan Memorial Award, Fordham University School of Law, 2006