Mark H. Francis
Mark H. Francis is a leading cybersecurity, data privacy and intellectual property attorney who leverages extensive technical skill and experience to provide clients with pragmatic legal guidance across a wide array of counseling, transactional and litigation matters.
Mr. Francis has received significant recognition for his practice, and has been appointed to the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee (DPIAC), which provides advice at the request of the Secretary of Homeland Security and the DHS Chief Privacy Officer on programmatic, policy, operational, administrative and technological issues within the DHS that relate to personally identifiable information, as well as data integrity and other privacy-related matters. He is also an active member of the International Association of Privacy Professionals (IAPP), and currently serves on the IAPP Certification Advisory Board.
With a subject matter focus on "tech and data" issues, Mr. Francis provides risk-oriented advice and representation to clients across the following areas:
Counseling. Mr. Francis focuses on data strategy, cybersecurity, risk assessments, policy development, technical controls, cross-border data transfers, data privacy laws, cookie tools, advertising technology (AdTech), data analytics and information governance (including records retention and defensible disposition). In that capacity, Mr. Francis advises clients on:
- Federal laws, including Federal Trade Commission (FTC) Section 5 requirements (unfair and deceptive practices), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Children's Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003, and the Telephone Consumer Protection Act (TCPA)
- State privacy and security laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), New York SHIELD Act, Massachusetts 201 CMR 17.00 and a variety of educational technology (EdTech), student privacy and data breach notification laws
- International laws, including the EU General Data Protection Regulation (GDPR), Canada Personal Information Protection and Electronic Documents Act (PIPEDA), and Brazil Lei Geral de Proteção de Dados (LGPD), and
- Industry standards and frameworks, including the Payment Card Industry Data Security Standard (PCI DSS), card brand operating regulations, AdTech industry practices, National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) standards, and other related legal and regulatory requirements
Mr. Francis regularly advises clients on the adoption of emerging technologies such as artificial intelligence and machine learning (AI/ML) with pragmatic approaches to ethical AI principles, legal and reputational risk mitigation practices, due diligence and contracting.
Tech Agreements and Corporate Transactions. Mr. Francis routinely advises clients on complex data and intellectual property agreements and technology transactions, including large-scale master service agreements (MSAs), statements of work (SOWs), data processing agreements (DPAs), open source and proprietary software licenses, AI/ML licensing, IP/data transfers and licenses, e-commerce platforms, software as a service (SaaS) and other cloud services agreements. He also works with deal teams on data and technology due diligence, risk assessments and representations in mergers and acquisitions (M&A) transactions.
Crisis Management and Incident Response. Mr. Francis has counseled clients in responding to a wide spectrum of cyberattacks and other security incidents such as data breaches, cloud/vendor incidents, ransomware, insider threats and wire fraud across a number of industries, including healthcare, financial services, retail, technology, consulting, industrial and telecommunications. He advises clients on internal and forensic investigations, regulatory and individual notifications and interactions with law enforcement and other third parties.
Cybersecurity and Data Privacy Litigation and Regulatory Actions. Mr. Francis represents clients in regulatory and state attorney general investigations, PCI assessments, and arbitrations, class actions or other civil disputes relating to alleged data breaches, data misuse incidents or other allegations involving the privacy or security of personal information.
Intellectual Property Counseling and Litigation. Mr. Francis represents clients in a wide range of intellectual property (IP) disputes and litigation. Many of his IP matters have involved complex technologies such as wired and wireless communications, cloud computing, mobile operating systems, virtual machines, web browsers, encryption, image processing and semiconductor devices. He is a registered patent attorney with the U.S. Patent and Trademark Office and assists clients with patent prosecution, as well as copyright and trademark procurement.
Mr. Francis is an International Information System Security Certification Consortium (ISC)2 Certified Information Systems Security Professional (CISSP) and EC-Council Certified Ethical Hacker (CEH). He is also an IAPP Certified Information Privacy Professional/United States (CIPP/US), IAPP Certified Information Privacy Technologist (CIPT) and IAPP Fellow of Information Privacy (FIP). He has also received a number of cloud services and artificial intelligence certifications.
In addition, Mr. Francis is an accredited attorney for the preparation, presentation and prosecution of claims for veterans' benefits before the U.S. Department of Veterans Affairs (VA).
- Developing client policies, procedures and contractual terms for artificial intelligence and machine learning technology (AI/ML), including ethical principles, risk assessments and employee policies on generative AI
- Advise on website governance programs and operationalizing website/app privacy risk management with respect to the use of third-party cookies, pixels, scripts and other online advertising and performance tools
- Advise clients across multiple industry sectors, including retail, e-commerce, financial services, and healthcare in regard to California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) and other state privacy laws (as well as EU General Data Protection Regulation or GDPR and other international laws) on data privacy compliance projects, such as the revision or adoption of public-facing privacy disclosures, internal privacy program materials, contractual terms and operational privacy practices
- Advise multiple sensor chip hardware and software companies on transactional, intellectual property and privacy compliance matters
- Advise an entertainment and media company on global privacy laws and app store policies for children-facing apps and online services
- Represent healthcare systems and hospitals on enterprise-wide agreements for data hosting, software licensing, analytics and related cloud services, as well as counseling on consumer facing websites, online services and marketing strategies
- Represent clients in digital health services agreements, including for remote/home diagnostics, telehealth services, and "health pass" verification platforms
- Advise on cross-border data transfers following the Court of Justice of the European Union (CJEU) Schrems II decision and adoption of new Standard Contractual Clauses in 2021, including with respect to Data Processing Agreements (DPAs), data transfer risk assessments, intercompany agreements, other contractual terms and Privacy Shield implications
- Counsel clients in response to business email compromise, wire fraud and ransomware incidents, including guidance on OFAC and sanctions matters
- Lead global privacy assessment of a large entertainment and media company
- Advise cloud services provider (IaaS) on data security and privacy program, including publicly-posted terms of service, privacy representations and enterprise contracting forms
- Conduct pre-launch privacy assessments of a pharmaceutical provider’s mental health app
- Advise clients on adoption of artificial intelligence and machine learning technology (AI/ML), including ethical principles, risk mitigation strategies, due diligence and contracting
- Advise clients on data strategy and utilization with intellectual property, contractual and technical controls for data rights management
- Advise a financial services provider on third-party risk management, outsourcing and services agreements
- Advise a healthcare services provider on customer agreements
- Counsel clients on software, cloud services and outsourcing agreements, including in connection with data and intellectual property (IP) rights, cybersecurity and data privacy, service level agreements and international considerations
- Advise medical device manufacturers and digital health providers on cybersecurity programs and customer contracts
- Counsel clients in response to cyber incidents and data breaches to manage business and legal exposure, including oversight of forensic investigations, notifications, and compliance with legal and contractual obligations
- Conduct cybersecurity assessments and provide counseling on cyber governance, policies and practices, including in connection with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, International Organization for Standardization (ISO) 27000- series, Payment Card Industry Data Security Standard (PCI DSS), NIST 800-53 and Risk Management Framework (800-37), Critical Security Controls (CSC), Cloud Security Alliance (CSA) Cloud Controls Matrix, Open Web Application Security Project (OWASP) Top 10 and other industry standards
- Advise on written information security policies, privacy policies, incident response plans and other corporate policies addressing information governance, technical infrastructure and cybersecurity risk management
- Conduct merger and acquisition (M&A) due diligence in regard to cybersecurity practices, data privacy, cross-border data transfers, software and open source considerations, PCI compliance and IP rights
- Gavin Siegfried v. Dick's Sporting Goods, Inc. (E.D. Pa.): Representing defendant in purported class action for alleged violation of the Video Privacy Protection Act (VPPA)
- Carissa Coulter v. Dick's Sporting Goods, Inc. (Ch. Cnty., Pa.): Representing defendant in purported class action for alleged violation of the Pennsylvania wiretap statute; preliminary objection granted
- Wenston Desue, et al. v. 20/20 Eye Care Network, Inc. et al., (S.D. Fla.): Representing defendant in six consolidated data breach class action lawsuits; preliminary approval of settlement granted
- Murray v. Community Care Physicians, P.C. et al (NDNY; Sup. Ct. Albany Cnty.): Representing defendant in purported class action for alleged data breach
- Bath Authority, LLC v. Anzzi LLC (E.D. Pa.): Represented defendant in intellectual property dispute; see 2018 WL 5112889 (E.D. Pa. Oct. 19, 2018); case dismissed with prejudice (E.D. Pa. Nov. 14 2019)
- Enslin v. The Coca-Cola Company, et al. (E.D. Pa.): Represented defendant in purported class action for alleged data breach, summary judgment granted for defendants and affirmed on appeal; see 2017 WL 3727033 (E.D. Pa. Aug. 29, 2017), aff’d, 739 Fed. App’x. 91 (3d Cir. June 20, 2018)
- Epstone, Inc. v. Soho Studio, Corp. (S.D.N.Y.): Represented defendant in intellectual property dispute; settled on favorable terms
- Oracle America, Inc. v. Google, Inc. (N.D. Cal.): Represented defendant Google in first trial of a patent and copyright litigation involving virtual machine technology and application programming interfaces (APIs) used in the Android operating system. After a five-week jury trial, the Court held that APIs are not copyrightable as a matter of law and the jury returned a unanimous verdict rejecting all claims of patent infringement
- Mobile Enhancement Solutions LLC v. Nokia Corp. et al. (N.D. Tex.): Represented defendants Microsoft and Nokia in a patent litigation involving Long-Term Evolution (LTE) and acoustic technologies
- Lake Cherokee Hard Drive Tech., LLC v. MediaTek USA Inc. et al. (E.D. Tex.): Represented defendant Hewlett Packard in a patent litigation involving error correction codes for optical disks; case against HP was dismissed
- National Cheng Kung University v. Nokia Corporation et al. (E.D. Tex.): Represented defendant Nokia in a patent litigation involving the removal of unwanted objects from captured images; case against Nokia dismissed
- Parallel Iron LLC v. Cloudera Inc. et al. (D. Del.): Represented defendant Nokia in a patent litigation involving the Hadoop distributed file system (HDFS) for computer clusters; settled on favorable terms
- CRS LLC v. Cellco Partnership d/b/a Verizon Wireless (D. Del.): Represented defendant Verizon Wireless in a patent litigation involving content adaptation technology for mobile devices; settled on favorable terms
- Textscape LLC v. Google Inc. (N.D. Cal.): Represented defendant Google in a patent litigation involving web browser user interfaces; patent invalidated during reexamination proceedings and the case dismissed
- Michael S Sutton Ltd. v. Nokia Corporation et al. (E.D. Tex.; Fed. Cir.): Represented defendant Nokia in patent litigation relating to multimedia messaging for mobile devices; judgment entered for Nokia by the district court and affirmed by the Federal Circuit
- Fordham University School of Law, J.D.
- Fordham University, MBA
- City University of New York, B.S.
- New Jersey
- New York
- U.S. Court of Appeals for the Federal Circuit
- U.S. Court of Appeals for the Third Circuit
- U.S. District Court for the Southern District of New York
- U.S. District Court for the Eastern District of New York
- U.S. District Court for the Northern District of New York
- U.S. District Court for the District of New Jersey
- U.S. District Court for the District of Colorado
- U.S. District Court for the Eastern District of Texas
- U.S. Patent and Trademark Office
- International Association of Privacy Professionals (IAPP), Training Advisory Board, 2017-2018; CIPP/US Exam Development Board, 2020-2022; Certification Advisory Board, 2023-2024
- InfraGard, New York Metro InfraGard Members Alliance, Board of Directors, 2018-2021; Governance Committee Chair, 2020-Present
- International Information System Security Certification Consortium (ISC)²
- The Legal 500 USA, Media, Technology and Telecoms – Cyber Law (Including Data Privacy and Data Protection), 2023
- Meeting the Challenge Award, InfraGard National Members Alliance, 2022
- Holland & Knight Pro Bono All-Star, 2020
- Rising Stars, New York Super Lawyers magazine, 2015-2017
- Nathan Burkan Memorial Award, Fordham University School of Law, 2006