Privacy, Cyber Risk & Data Security
Practice Overview
Businesses face increasingly complex and difficult challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. Security breaches and other cyberattacks are a constant risk and have attracted heightened regulatory scrutiny in the U.S. and around the globe. States are responding quickly to consumer concerns, leading to inconsistent and occasionally conflicting expectations and requirements. Buckley provides privacy and cybersecurity legal counsel that safeguards the interests of clients and mitigates future risk.
Our attorneys are well-versed in privacy and data security laws, including the Gramm-Leach-Bliley Act (GLBA) and the Safeguards Rule, the Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), the Computer Fraud and Abuse Act (CFAA), the Right to Financial Privacy Act (RFPA), and the CAN-SPAM Act. Additionally, we routinely advise clients on state laws concerning data sharing, information privacy, security breaches, and cybersecurity, including the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), the California Financial Information Privacy Act (CFIPA), and the New York Department of Financial Services Cybersecurity Rules (NYDFS Cybersecurity Rules). We also closely track and interpret proposed changes in both federal and state laws with respect to privacy and cybersecurity.
As part of our engagements, we leverage our experience in other regulatory compliance areas to navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) requirements. We are attuned to the increasingly stringent European Union privacy and security requirements, and those of other nations that have followed the European model, and we advise clients on cross-border information-sharing requirements, including issues arising in criminal and civil investigations. We also routinely advise clients on compliance with foreign privacy frameworks, such as the EU General Data Protection Regulation (GDPR).
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We assist clients with devising solutions to permissibly share information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures, and significant outsourcing relationships.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.
Our representative experience includes:
- Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a company’s business models to allow for identification of regulatory requirements in their daily operations
- Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking
- Examination and Investigation Response. Working with clients in responding to examinations by state regulators and civil investigative demands from federal financial regulators, including the FTC involving privacy and information security practices, particularly for companies in the fintech space
- Data Sharing. Advising financial institutions on compliance with the GLBA and state disclosure requirements and restrictions on data sharing, including advising a bank on whether its practices with respect to hashed data triggered Regulation P when shared with third-party joint marketing partners
- Compliance Advice. Advising numerous clients on how to comply with the various state and federal laws regarding privacy and cybersecurity, including advising clients on applicable CCPA exemptions, including the exemption available to certain information collected, processed, sold, or disclosed pursuant to the GLBA, and preparing policies and procedures, disclosures, and other relevant materials
- Vendor Management Compliance. Conducting enterprise-wide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors
Articles
"Put bank exam council in charge of data privacy" by Jeremiah S. Buckley (American Banker)
From the European Union to California and now other states and countries, data protection and privacy standards going into effect often share the same objectives, but have separate and different regulatory requirements. This creates a confusing array of legal requirements that pose compliance and...
Articles"Adjusting information security for long-term telework" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Bloomberg Law)
Amid a fast-moving pandemic in the spring of 2020, many companies were forced to adopt remote-work operations almost overnight to maintain critical business functions. This approach initially seemed like a temporary and imperfect solution to maintaining workforce safety while continuing essential...
Articles"What constitutes reasonable security per Calif. privacy law?" by Amanda R. Lawrence, Michael A. Rome, and James C. Chou (Law360)
California Consumer Privacy Act compliance has been focused on developing the policies, procedures and infrastructure to support new privacy rights for California residents, which include, among other things, the right to know what personal information companies have on them, the right to delete...
Articles"TCPA relief for Covid-19 communications could extend to financial institutions" by Ali M. Abugheida and Geoffrey L. Warner (Bloomberg Law)
Financial institutions face unprecedented and rapidly evolving challenges in the wake of the Covid-19 pandemic, including the need to communicate quickly and efficiently with customers in the face of government-issued stay-at-home orders. But the Telephone Consumer Protection Act, with its steep...
Articles"Privacy and cybersecurity issues in 2020 – What to expect" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Journal of Banking and Finance Law and Practice)
A steady drumbeat of data breaches and growing concern among consumers about how companies are using their personal information will keep regulators, policy-makers and private litigants focused on cybersecurity and privacy in 2020 and beyond. While Congress tentatively explores comprehensive...
Articles"Ruling on anti-hacking law may guide fair lending tests" by Jeffrey P. Naimon, H Joshua Kotin, and Frida Alim (Law360)
Regulators, consumer groups, academics and private litigants are grappling with the fair lending implications of the credit models powering the explosive growth in online lending by banks and financial technology firms. The U.S. District Court for the District of Columbia in late March concluded...
Articles"Financial regulators’ dilemma: Administrative and regulatory hurdles to innovation" by Jeremiah S. Buckley and Sasha Leonhardt (George Washington University Law School: Business & Finance Law Review)
Developments in financial technology hold great promise to enhance the quality, delivery, and reach of consumer financial services. However, many of the laws dictating the operations of financial regulators are more than 50 years old, and in drafting these laws Congress understandably did not...
Articles"Preparing for private right of action under Calif. privacy law" by Amanda R. Lawrence and Michael A. Rome (Law360)
The California Consumer Privacy Act went into effect at the beginning of this year, and while the California attorney general will not begin enforcing it until July, the private right of action that the CCPA created is available to consumers now. The CCPA expressly provides for a private right of...
Articles"The truth about the California Consumer Privacy Act: Debunking three common misconceptions" by Amanda R. Lawrence, Moorari K. Shah, Sherry-Maria Safchuk, and Doris Yuen (Equipment Leasing & Finance Magazine)
The highly-anticipated California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, and many businesses are scrambling to understand the applicability of the CCPA’s expansive obligations. The CCPA provides California consumers with the following rights: The right to know and access the...
Articles"Mitigating crypto UDAAP risk after Ripple ICO ruling" by Ali M. Abugheida (Law360)
Cryptocurrency advocates have long argued that cryptocurrencies are not securities, and therefore not subject to state and federal securities laws. But a district court in California just shed light on whether advocates’ desired outcome also carries a substantial downside: application of state and...
Articles"Don’t let your shield down—FTC gets tough on EU-U.S. privacy shield framework" by Elizabeth E. McGinn, Jonathan D. Jerison, and Magda Gathani (Bloomberg Law)
The Federal Trade Commission took more enforcement actions related to the EU-U.S. Privacy Shield Framework in 2019 and the beginning of 2020 than it did in the prior three years combined. The FTC also has alleged deception in many cases where there was no indication that any misrepresentations...
Articles"2020 examination priorities: OCIE pushes again on information security" by Ian Acker
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations announced its annual examination priorities for...
Buckley Commentary & AnalysisSpecial Alert: California attorney general releases modified proposed CCPA regulations
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Buckley Special Alert ) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Buckley Special Alert ) and amended...
Special Alerts"State privacy law initiatives to prepare for in 2020" by Amanda R. Lawrence, Sasha Leonhardt, and David Rivera (Law360)
The California Consumer Privacy Act, which went into effect on Jan. 1, gave California residents the broadest rights in the nation to learn what data a business has about them, to request that the business delete that data and to demand that the business not sell their data. The CCPA opened a...
Articles"Managing legal risks to U.S. companies from foreign cyberattacks" by Amanda R. Lawrence, Sasha Leonhardt, and James C. Chou (Cybersecurity Law Report)
Protecting online systems against individual hackers has been a top priority for companies for several years, but as we begin a new decade, a new threat has risen to the forefront: well-funded and sophisticated foreign governments seeking to wage a new kind of warfare on the United States. In...
Articles"GDPR-based objections to U.S. discovery requests: 2019 year in review" by Leslie L. Meredith (Legaltech News)
U.S. civil litigants faced with an obligation to produce “personal data” protected by GDPR, the European Union’s General Data Protection Regulation, can find themselves on the horns of a serious dilemma. In 2019, the first full year since GDPR was enacted, not a single court excused compliance with...
Articles"Website cookies and privacy—GDPR, CCPA, and evolving standards for online consent" by Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (Bloomberg Law)
Virtually all companies with high-traffic websites use cookies to track visitors’ online experience, but global best practices in disclosing the use of cookies—and obtaining visitors’ consent to their use—have proven elusive despite intense scrutiny from privacy advocates. With requirements varying...
Articles"Congress needs to hurry up on data protection" by Jeremiah S. Buckley (American Banker)
Data is the lifeblood of the burgeoning digital economy. The debate about its use — and its protection — is now playing out globally. As big data, artificial intelligence and machine learning increasingly shape everyday lives, Congress will have some important policy choices to make, weighing how...
Articles"A new era of FCRA scrutiny for consumer data furnishers" by Jessica L. Pollet and Frida Alim (Law360)
Furnishers provide information to consumer reporting agencies on over 1.3 billion consumer credit accounts or other tradelines each month, with the three largest national consumer reporting agencies holding the personal information of over 200 million consumers. Given the extent of the consumer...
ArticlesSpecial Alert: California attorney general releases proposed CCPA regulations
Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert ), amended several times and with the most recent amendments signed...
Special Alerts
News & Blogs
District court approves MDL data breach settlement
On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’...
InfoBytesNYDFS enforces its cybersecurity regulation for the first time
On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’...
InfoBytesFCC provides safe harbors for blocking illegal robocalls
On July 16, the FCC issued an order adopting rules to further encourage phone companies to block illegal and unwanted robocalls and to continue the Commission’s implementation of the TRACED Act (covered by InfoBytes here ). The rule establishes two safe harbors from liability for the unintended or...
InfoBytesCourt of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established...
InfoBytesDistrict court allows data breach claim to proceed against national credit reporting agency
On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s...
InfoBytesCalifornia AG publishes CCPA FAQs
The California attorney general recently published a set of frequently asked questions providing general consumer information on the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (covered by a Buckley Special Alert ) and amended several times—became effective January 1...
InfoBytesDistrict court preliminarily approves $6.8 million TCPA settlement
On July 6, the U.S. District Court for the Eastern District of California granted preliminary approval to a nearly $6.8 million settlement between class members and a collection agency that allegedly violated the TCPA, FDCPA, and California’s Rosenthal Fair Debt Collection Practices Act by making...
InfoBytesSupreme Court keeps TCPA, severs government-debt exception as unconstitutional
On July 6, the U.S. Supreme Court held in Barr v. American Association of Political Consultants Inc. that the TCPA’s government-debt exception is an unconstitutional content-based speech restriction and severed the provision from the remainder of the statute. As previously covered by InfoBytes ,...
InfoBytesFCC narrows “autodialer” definition
On June 25, the FCC narrowed the Commission’s definition of an “autodialer,” providing that “if a calling platform is not capable of originating a call or sending a text without a person actively and affirmatively manually dialing each one, that platform is not an autodialer and calls or texts made...
InfoBytesOklahoma regulator amends working from home guidance
On June 30, the Oklahoma Department of Consumer Credit extended, for the third time, its interim guidance to regulated entities on working from home (see here , here , and here for previous coverage). The guidance sets forth data security standards that regulated entities must meet in order for the...
InfoBytes
Press Releases & Announcements
Legal 500 2020 recognizes 21 Buckley attorneys in six practice areas
“Buckley attorneys are incredibly responsive while providing top quality legal services,” is how respondents described the firm in the 2020 edition of Legal 500, which ranked Buckley as a top law firm and recognized it in six categories:
- Corporate Investigations and White ...
The Legal 500 2019 recognizes 17 Buckley attorneys in five practice areas
The Legal 500 once again ranked Buckley as a top law firm and recognized it in five categories:
- Corporate Investigations and White Collar Criminal Defense: Corporate – Tier 4
- Corporate Investigations and White Collar Criminal Defense: Individuals – Tier 2 ...
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings: Financial Services: Litigation Financial Services: Regulatory Technology: Data Protection and Privacy White-Collar Criminal Defense In...
Press ReleasesNew Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Press ReleasesMaryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
Press ReleasesBuckley Sandler Establishes International Presence With Opening of London Office
WASHINGTON, DC / LONDON, ENGLAND (September 8, 2014) – Buckley Sandler LLP , a leading financial services and criminal & civil enforcement defense law firm, announced today the opening of its first international office, located in London. James T. Parkinson has relocated from the firm’s...
Press ReleasesBuckley Sandler Launches "Privacy, Cyber Risk & Data Security" Hotline
WASHINGTON, DC (January 24, 2014) – Buckley Sandler LLP , a leading financial services regulatory, criminal & civil enforcement defense law firm, has launched a Privacy, Cyber Risk & Data Security Hotline to assist companies with mitigating online security risks. The Hotline ( 1-855-5-DATA-...
Press Releases
Our Privacy, Cyber Risk & Data Security Team
Partners
FYI
"Put bank exam council in charge of data privacy" by Jeremiah S. Buckley (American Banker)
"Adjusting information security for long-term telework" by Amanda R. Lawrence, Elizabeth E. McGinn, and James C. Chou (Bloomberg Law)
"What constitutes reasonable security per Calif. privacy law?" by Amanda R. Lawrence, Michael A. Rome, and James C. Chou (Law360)
Recent Blog Posts
-
July 24, 2020
District court approves MDL data breach settlement
-
July 24, 2020
NYDFS enforces its cybersecurity regulation for the first time
-
July 21, 2020
FCC provides safe harbors for blocking illegal robocalls
-
July 16, 2020
Court of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
-
July 15, 2020
District court allows data breach claim to proceed against national credit reporting agency