Privacy, Cyber Risk & Data Security
Practice Overview
Businesses face increasingly complex and difficult challenges associated with collecting, using, disclosing, and securing information and data systems. Security breaches and other cyber attacks are a constant risk and have attracted heightened regulatory scrutiny at the federal and state level in the U.S. and in countries around the globe. Buckley provides privacy, cyber risk, and data security legal counsel that not only safeguards the interests of clients, but also mitigates future risk.
Our attorneys are well-versed in the federal privacy and security laws, including the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), the Computer Fraud and Abuse Act (CFAA), and the CAN-SPAM Act, as well as the myriad of state laws and regulations on security breach notice, information security and cybersecurity. We navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) requirements. We are attuned to the increasingly stringent European Union privacy and security requirements and those of other nations that have followed the European model and we advise clients on cross-border information sharing requirements, including issues in criminal and civil investigations.
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policy sets, craft privacy notices, and advise on the structure of privacy and security programs and on employee education and training materials. We are involved in devising solutions to permissibly share information within and outside an enterprise. Our team drafts and revises agreements with third parties to ensure compliance with regulatory requirements and shields our clients from the pitfalls associated with information sharing and use. We analyze the privacy and security risks for mergers, acquisitions, spin-offs, and restructurings.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have deep experience in working with federal and state regulators and attorneys general on inquiries, examinations and enforcement actions involving privacy and security issues, and our practice includes a former state attorney general. Our litigators globally defend individuals charged with data privacy violations.
Noteworthy matters include:
- Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking
- Working with clients in responding to civil investigative demands from federal financial regulators involving privacy and information security practices, particularly for companies in the fintech space
- Assisting nonfinancial companies in sectors such as telecommunications, energy and technology in offering financial products or services while meeting the regulatory requirements and business partner expectations
Articles
Special Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of...
"The great data breach standing circuit split" by Amanda R. Lawrence, Antonio J. Reynolds, and Michael A. Rome (Law360)
Data breaches are back in the news in a big way. Over the past several weeks alone, prominent hotel chains, online platforms and retailers announced significant data breaches. Unsurprisingly, in the aftermath of these disclosures, consumers filed class actions alleging that the data breaches...
"SEC tool could test executive online impulse control" by Thomas A. Sporkin and Ian Acker (Legaltech News)
A message to corporate executives and their public-relations minders: One in a trillion may no longer be a reasonable guarantee of anonymity. The Securities and Exchange Commission (SEC) is confronting the difficult challenge of how to keep an eye on and sort through a fire hose of social media...
"‘Reasonable security’: A moving target" by Elizabeth E. McGinn (Cyber Security)
The concept of ‘reasonable security’ for personal information maintained by financial institutions began with the Gramm-Leach-Bliley Act (GLBA). On 12th November, 1999, Congress enacted GLBA, a landmark privacy and data security law which required the federal financial regulatory agencies to...
"FTC v. D-Link Systems and the internet of things" by Elizabeth E. McGinn, John B. Williams, and Christopher M. Walczyszyn (Westlaw)
As businesses expand the availability of internet-connected devices, Buckley Sandler LLP attorneys Elizabeth McGinn, John Williams and Christopher Walczyszyn address the Federal Trade Commission’s role in regulating and enforcing “internet of things” device security to protect consumers’ data...
"The devil is in the details: LabMD imposes limitations on the FTC’s enforcement authority" by Elizabeth E. McGinn and Sasha Leonhardt (Cybersecurity Law Report)
In the latest data security case with significant implications for all enforcement actions, the United States Court of Appeals for the Eleventh Circuit struck down a cease-and-desist order as impermissibly vague. By ruling against the FTC in its long-running and contentious dispute with LabMD, the...
“Social media in the current enforcement landscape,” by Elizabeth E. McGinn, John B. Williams, and Timothy Coley (Banking Exchange)
Perhaps no aspect of the internet has grown so broadly in the past decade as social media. From its infancy at sites like MySpace, Friendster, and “TheFacebook” (originally open only to students at select colleges), to the current industry leaders of Facebook (now open to all, and touting more than...
Buckley Sandler Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually...
Elizabeth E. McGinn, Antonio J. Reynolds, and Jessica M. Shannon Authored a Bloomberg BNA Article, "Consumer Privacy Should Be Top-of-Mind for FinTech Firms to Avoid Scrutiny"
With many people underserved by traditional lending institutions, including the close to 45 million adults in the U.S. who the Consumer Financial Protection Bureau estimates are “credit invisible” or have had past credit challenges, emerging FinTech lenders and online lending platforms (FinTech...
Elizabeth E. McGinn Authored a Westlaw Journal Article, "Data Security Breach Litigation Post-Spokeo"
California enacted the nation’s first data security breach notification law 15 years ago. Following a few high-profile incidents in 2005, other states rapidly began enacting breach-notice requirements based largely on the California model. This proliferation of laws — and the constant news of...
News & Blogs
FCC proposed rulemaking will expand caller ID spoofing enforcement
On February 14, the FCC released a notice of proposed rulemaking intended to strengthen its rules against caller ID spoofing and expand the agency’s enforcement efforts against illegal spoofed text messages and phone calls, including those from overseas. The proposed rules would enact requirements...
Senate Banking Committee seeks feedback on data privacy, protection, and collection
On February 13, Senate Committee on Banking, Housing, and Urban Affairs Chairman Mike Crapo (R-ID) and Ranking Member Sherrod Brown (D-OH) invited stakeholder feedback on “the collection, use and protection of sensitive information from financial regulators and private companies” as a means of...
District Court concludes communications transmitter can be liable under the TCPA
On February 13, the U.S. District Court for the District of Nevada rejected a cloud communication company’s motion to dismiss a TCPA class action. According to the opinion, the plaintiffs alleged the company “collaborated as to the development, implementation, and maintenance of [a] telemarketing...
FDIC issues 2018 annual report
On February 14, the FDIC released its 2018 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives...
State AGs urge FTC to update identity theft rules
On February 11, a bipartisan group of 29 state Attorneys General, the District of Columbia Attorney General, and an official from the Hawaii Office of Consumer Protection, responded to the FTC’s request for comment on whether the agency should make changes to its identity theft detection rules (the...
District Court approves final $2.5 million TCPA class action settlement
On February 8, the U.S. District Court for the Eastern District of Virginia granted final approval to a $2.5 million putative class action settlement resolving allegations that a student loan servicer violated the TCPA by using an autodialer to contact student borrowers’ credit references without...
District court orders TCPA suit to mediation, states FCC’s interpretation of autodialer may take years
On February 1, the U.S. District Court for the Eastern District of Missouri issued an order referring the parties in a putative TCPA class action to mediation. The plaintiff’s complaint alleges that the defendant’s insurance company sent her text messages without her consent using an automatic...
NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update...
Final deadline approaching for NYDFS cybersecurity regulation
On January 31, NYDFS issued a reminder for regulated entities that the final deadline for implementing NYDFS’s cybersecurity regulation ends March 1. Under the new regulation, banks, insurance companies, mortgage companies, money transmitters, licensed lenders and other financial services...
District Court: Approval of data breach settlement denied due to several deficiencies
On January 28, the U.S. District Court for the Northern District of California denied preliminary approval of a proposed class action settlement after identifying several deficiencies with the deal. The proposed settlement was intended to resolve allegations concerning security failures by a global...
Press Releases & Announcements
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings:
- Financial Services: Litigation
- Financial Services: Regulatory
- Technology: Data Protection and Privacy
- White-Collar Criminal Defense
In...
New Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Maryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
Buckley Sandler Establishes International Presence With Opening of London Office
WASHINGTON, DC / LONDON, ENGLAND (September 8, 2014) – Buckley Sandler LLP, a leading financial services and criminal & civil enforcement defense law firm, announced today the opening of its first international office, located in London. James T. Parkinson has relocated from the firm’s...
Buckley Sandler Launches "Privacy, Cyber Risk & Data Security" Hotline
WASHINGTON, DC (January 24, 2014) – Buckley Sandler LLP, a leading financial services regulatory, criminal & civil enforcement defense law firm, has launched a Privacy, Cyber Risk & Data Security Hotline to assist companies with mitigating online security risks. The Hotline (1-855-5-DATA-...
Recent Blog Posts
- February 20, 2019: FCC proposed rulemaking will expand caller ID spoofing enforcement
- February 20, 2019: Senate Banking Committee seeks feedback on data privacy, protection, and collection
- February 20, 2019: District Court concludes communications transmitter can be liable under the TCPA
- February 20, 2019: FDIC issues 2018 annual report
- February 13, 2019: State AGs urge FTC to update identity theft rules