Cybersecurity and Data Privacy Attorney Guiding Clients Through Complex State, Federal, and Global Compliance
Carly Rothstein is an Associate at Mandelbaum Barrett PC, with a practice spanning cybersecurity and data privacy, healthcare law, and litigation. She counsels healthcare providers and business entities on the full spectrum of privacy and security matters, including compliance with the GDPR, CCPA, HIPAA, the New York SHIELD Act, and other state and federal privacy laws. She has experience guiding clients through all phases of data security incidents—from initial investigation and notifications to regulatory compliance and litigation risk management—and brings a practical, solutions‑oriented approach to highly time‑sensitive matters.
Carly also represents clients in a range of disputes, including commercial litigation, healthcare litigation, and privacy litigation. She is actively involved in all phases of litigation, including pleadings, motion practice, and discovery, and supports case strategy through detailed legal research and analysis.
Carly earned her J.D. from the Benjamin N. Cardozo School of Law, where she served as Editor in Chief of the Cardozo Arts and Entertainment Law Journal. During law school, she worked with the Filmmakers Legal Clinic, advising independent, social‑justice‑oriented filmmakers on transactional, intellectual property, and First Amendment matters. She received her B.A., summa cum laude, in History and Psychology from the University of Alabama. She is admitted to practice in New York and is a member of the New York City Bar Association’s Technology, Cyber, and Privacy Law Committee.
- Member, New York City Bar Association
- Member, New York State Bar Association
- “The Instructure Breach May Create Independent Institutional Exposure Beyond the Vendor Incident” New Jersey Law Journal, May 2026
- “Understanding New York’s Strengthened Data Security Laws: Lessons from the National General Lawsuit and What Businesses Must Do Now,” The Compliance & Ethics Blog, April 2025.
- “Navigating the 2024 proposed HIPAA security rule amendments,” Healthcare Dive, March 2025.
New York
- J.D. from the Benjamin N. Cardozo School of Law
- B.A. from the University of Alabama
When AI Becomes Evidence: What Employers Need to Know About Chatbots and Internal Investigations
May 29, 2026
As artificial intelligence tools become more accessible, individuals are increasingly turning to chatbots for guidance on sensitive legal and workplace issues. What many don’t realize is that those interactions may not be as private or as inconsequential as they seem. At Mandelbaum Barrett PC, we are seeing how digital evidence, including emerging technologies like AI, […]Navigating State Workplace Violence Laws: What Healthcare Employers Should Know
April 28, 2026
If you run a hospital or health system, workplace violence prevention just moved to the top of your compliance checklist. Healthcare workers face elevated risks from patients, visitors, and external actors and account for roughly 73% of all nonfatal workplace injuries caused by violence. With no comprehensive federal OSHA standard in sight, states have stepped […]When the Breach Hits the Docket: How Law Firms Should Respond When Client Files Leak to the Dark Web
October 10, 2025
When a law firm experiences a data breach, which includes both unauthorized data access as well as disclosure, the consequences extend far beyond reputational harm. Increasingly, attackers exfiltrate entire client files—including documents filed under seal or protected by attorney–client privilege—and post them on the dark web. Once that happens, courts can’t “unring the bell,” and firms must navigate a complex mix of ethical duties, procedural obligations, and legal protections.Steven Teppler and Carly Rothstein Featured in the New Jersey Law Journal on Institutional Exposure Following the Instructure/Canvas Breach
May 13, 2026
Featured in the New Jersey Law Journal, Steven Teppler, Chair of the Firm’s Cybersecurity & Data Privacy Practice Group, and Carly Rothstein, Associate in the group, examine the broader legal and regulatory implications stemming from the recent Instructure/Canvas cybersecurity incident. Their article explores why educational institutions may face independent exposure beyond the vendor breach itself, […]Carly Rothstein Joins the New York City Bar Association’s Technology, Cyber, and Privacy Law Committee
August 6, 2025
We’re proud to share that Carly Rothstein, Associate in our Cybersecurity & Data Privacy Practice Group, has been selected to join the New York City Bar Association’s Technology, Cyber, and Privacy Law Committee.Strengthening HIPAA Security: Key Updates to Protect Healthcare Data from Steven Teppler and Carly Rothstein
March 14, 2025
Now’s the time to get ahead—understanding these updates will help you stay compliant and protect against growing cyber threats.