Photo of Brad Davis*

*Brad Davis is a Legal Intern in the Privacy and Cybersecurity Practice Group of Murtha Cullina LLP.

Brad assists the group’s attorneys in a wide variety of privacy, cybersecurity, and data protection matters.

Brad has a strong background in security management from years of experience working with the Department of Defense, Department of State, other government agencies, and all branches of the military. He is a former United States Marine bringing over 15 years of domestic and international leadership experience with Fortune 50 companies, small businesses and military operations.

Prior to joining Murtha Cullina, Brad served as a legal intern at the U.S. Attorney’s Office in New Haven, CT, and an International Trade Compliance intern at Sikorsky Aircraft.


In a recent post, we discussed the Canadian Cabinet’s announcement that Canada’s new data breach regulations go into effect on November 1, 2018. Despite announcing the effective date, Canada had not yet finalized these regulations.  However, on April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”).

To highlight some of the finer points, in order to trigger notification requirements, the Regulations require organizations to determine if a data breach poses a “real risk of significant harm” to any individual had their information accessed in the breach.  If an organization meets this harm threshold, then the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals.   Continue Reading Canada Releases New Data Breach Regulations

In August, 2017, the Federal Trade Commission (“FTC”) proposed a settlement agreement with Uber stemming from its investigation of a 2014 data breach due to Uber’s “unreasonable security practices”. The lengthy investigation found that Uber’s employees were accessing customer’s personal information, and that there were security lapses in Uber’s third-party cloud storage service. That settlement agreement required Uber to implement a “comprehensive privacy program”; however, the agreement was withdrawn by the FTC and amended recently. Why, you ask? Uber experienced a second data breach in 2016, while the investigation from the 2014 breach was well underway. The 2016 breach was a result of those same security lapses in the third-party cloud storage service and Uber waited over one year to report that second breach. Uber’s handling of the second breach continued its trail of misconduct, clearly demonstrating that the company had not learned its lesson. Continue Reading Uber Goes 0-2 in Data Breach Notifications

The Cabinet in Ottawa quietly proclaimed on March 26, 2018 that the official implementation date for Canada’s much-needed and long-awaited mandatory data breach notification laws will be November 1, 2018.  Oddly enough, the regulations regarding notification have not yet been finalized.   Continue Reading Canada’s Data Breach Notification Law Goes Into Effect November 1, 2018

The Federal Bureau of Investigation and the Department of Homeland Security issued a joint Technical Alert late last week to warn that Russian government-based hackers are actively targeting U.S. utilities, other critical infrastructure, aviation, manufacturing, and commercial facilities.  The alert reports that the Russian hackers are initially obtaining access to suppliers or third-party vendors as “staged targets,” waiting for an opening, and then accessing their ultimate “intended target” utilizing malware and spear phishing techniques.  Once the hackers gain access to the intended target, they conduct reconnaissance and collect information on the industrial control systems.  The hackers use that information to take control of those systems, allowing them to conduct multiple, simultaneous shutdowns in a coordinated attack to deny necessary services such as electricity and water.  These attacks highlight the necessity for third-party and vendor due diligence.  See our Three Minute Check-In Series here to learn more.

*Brad Davis is a Legal Intern in the Privacy and Cybersecurity Practice Group of Murtha Cullina LLP.