Mazanec, Raskin & Ryder Welcomes Steven Kelley to Cleveland Office

Mazanec, Raskin & Ryder (MRR) is pleased to announce that Steven K. Kelley has joined the firm’s Cleveland office as a Partner in its Professional Liability Practice Group.

Prior to joining MRR, Steve worked at CNA Insurance Company for over 12 years, initially as a Managing Trial Attorney and then an Assistant Vice President in the company’s litigation department.

At MRR, his practice will focus on the defense of architects and engineers as well as other professional liability matters and product liability claims.

“With Steve’s experience and leadership in the insurance industry, his addition highlights our commitment to enhancing both the breadth and quality of services that we can provide to our clients,” said MRR President and Managing Partner Joseph F. Nicholas, Jr. “We are thrilled to welcome him to the firm.”

Mr. Kelley earned his Juris Doctorate from Case Western Reserve University School of Law and he received his Bachelor of Arts degree from Ohio Northern University. He is active professionally as a member of the Ohio Bar Association, Claims and Litigation Management Alliance, Cleveland Association of Civil Trial Attorneys (Former President), Defense Research Institute, and is a Life Member of the Eighth Judicial District Conference.

MRR Article: Can Europe’s New Privacy Rule Cost My Business Money?

By: Barry M. Miller & Curtis M. Graham

If your business offers goods or services to consumers in the European Union (or tracks information on EU consumers), you must become familiar with the acronym “GDPR.” The “General Data Protection Regulation” goes into effect May 25, 2018. And even if you are confident that your business complies with state or U.S. data-protection principles, that confidence may not be warranted as you face the GDPR.

Your business may already take care to protect information such as a customer’s Social Security number, credit card number, health data, and other personally identifiable information. But the GDPR broadens the definition of personal data that holders must protect. Article 4 of the GDPR defines “personal data” to include “any information relating to an identified or identifiable natural person (‘data subject’)” relating to the “physiological, genetic, mental, economic, cultural or social identity of that natural person.” Information about a person’s race or ethnicity, religious affiliation (or non-affiliation), political leanings, or sexual orientation would fall within this definition.

How does the GDPR impose obligations on American businesses in the first place? Its drafters intend the regulation to apply to anyone who processes the personal data of an EU resident—even if the processing is not done in the EU. Whether that intended reach can be enforced against an American business will be the subject of litigation, both here and in the EU. But as of now, the EU intends to subject data processors to fines of the greater of 20 million euros, or up to four percent of the processor’s annual global revenue. Even if your company is one of the forward-thinking ones, with cyber liability insurance in place, whether such policies cover fines imposed for a breach of the GDPR is something else to be litigated in coming years.

Rita Heimes, who holds the Certified Information Privacy Professional (CIPP) designation under both European and U.S. law (as well as the CIPM credential, for those who manage privacy programs), describes a “core value” of the GDPR: “Natural persons should have control over their own personal data.” She contrasts this with the U.S.-centric view that data, once collected, belongs to the collector. “This means when customers share their data with us it is not ours, but rather theirs, at least as the European Union sees it and as reflected in the GDPR.”

Mike Mandato, of Calyx IT in Cleveland, points out that businesses must carry this mindset through the entire life cycle of data, including data that may not pertain to active transactions—data that businesses might think of as “on file,” but what information technology professionals call “at rest” data. The GDPR gives EU consumers the right to request that their data be removed from a data controller’s systems. This may require businesses to rethink their backup strategy, email and record retention policies, and any other in-house systems that hold “at rest” data. Mandato views this as a mixed blessing: “It is a good opportunity to fine tune security measures and data integrity within a business. But it may present added expense deploying processes and policies to examine data on a periodic basis to maintain compliance.”

What all this means is that companies of all sizes must make a conscious decision whether they want to do business (or continue to do business) with EU residents. They must weigh the potential costs of GDPR-compliance against the amount of business they hope to get from EU consumers. If the potential return is small or non-existent, it may be prudent to forgo that business. If, after weighing the benefits, you decide to retain or pursue business from EU residents, consult your technology vendor, your attorney, and your insurance agent to help you mitigate the potential costs that could follow non-compliance.

For more information, or questions on the topic, please contact Barry Miller or Curt Graham. Both Barry and Curt focus their practices on Data Management & Cyber Security Law in MRR’s Lexington office.
