Privacy, Cyber Risk & Data Security
Practice Overview
How to comply with privacy and data security requirements has emerged as one of the most difficult legal questions businesses face. As customer information proliferates — and along with it, the ways established companies and innovators hope to put it to use — policymakers are struggling to keep up, prodded by a steady increase in security breaches and cyberattacks. States across the country are racing to fill the gap left by the absence of an integrated federal regime, leaving in their wake inconsistent and occasionally conflicting expectations and requirements. A lack of international consensus and different national approaches to privacy and data security replicates the problem at global scale.
Buckley helps companies manage the increasingly complex challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. We provide privacy and cybersecurity legal counsel that safeguards our clients’ interests and mitigates future risk. Legal 500 has ranked us as a leading privacy and data protection firm for the past decade, noting that we offer a “practical, business-friendly approach to the practice of law” that helps clients meet their goals and address their concerns.
Our attorneys are well-versed in the patchwork of federal, state, and international privacy and data security laws, and closely track and interpret proposed changes in them.
Federal laws and regulations
- Gramm-Leach-Bliley Act (GLBA)
- Safeguards Rule
- Fair Credit Reporting Act (FCRA)
- Telephone Consumer Protection Act (TCPA)
- Electronic Communications Privacy Act (ECPA)
- Computer Fraud and Abuse Act (CFAA)
- Right to Financial Privacy Act (RFPA)
- CAN-SPAM Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
State laws and regulations
- California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- Illinois Biometric Information Privacy Act (BIPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- California Financial Information Privacy Act (CFIPA)
- New York SHIELD Act
- New York Department of Financial Services’ Cybersecurity Regulations (NYDFS Cybersecurity Regulations)
International laws and regulations
- EU General Data Protection Regulation (GDPR)
- UK General Data Protection Regulation (UK GDPR)
- Schrems II and cross-border information sharing
We rely upon our experience in other regulatory compliance areas to navigate clients through related issues such as USA PATRIOT Act and Office of Foreign Assets Control (OFAC) compliance. We are attuned to the increasingly stringent European Union privacy and security requirements, and to those of other nations following the European model.
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies and procedures, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We assist clients with devising pragmatic solutions to comply with the law while sharing information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures, and significant outsourcing relationships.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.
Our representative experience includes:
- Compliance Advice. Advising numerous clients on how to comply with state and federal privacy and cybersecurity laws, including applicable CCPA and GLBA exemptions, and preparing policies and procedures, disclosures, DSAR responses, CCPA notices, and other relevant materials
- Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a company’s business model to allow for identification of regulatory requirements in their daily operations; alternatively, financial or lending institutions can generate surveys and searches tailored to their specific business type and licensing, the financial products they offer, and the jurisdiction where their products are offered through Winnow, our powerful, comprehensive, and dynamic database of state privacy and data security requirements
- Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking; our team also works with clients to prepare for potential incidents including by conducting table-top exercises, advising and responding to ransomware attacks, and reviewing and revising cyber insurance policies and provisions
- Examinations, Investigations, and Enforcement Actions. Working with clients in responding to examinations by state regulators and investigative demands from federal and state financial regulators, including the FTC, involving privacy and information security practices, particularly for companies in the fintech space; we represented clients in investigations and negotiated the first consent order with NYDFS under its Cybersecurity Regulations
- Contract Negotiation/Review. Negotiating and reviewing contracts between financial institutions or third parties related to privacy and data security provisions, including data sharing
- Data Sharing. Advising financial institutions on compliance with the GLBA, FCRA, and state disclosure requirements and restrictions on data sharing, including whether sharing information such as hashed data, marketing leads, affiliate information, and consumer reporting information triggers requirements under privacy laws related to sharing of personal information; advising financial institutions on requirements and restrictions related to data sharing with governmental entities under the RFPA and state analogs
- Vendor Management Compliance. Conducting enterprisewide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors
Articles
"Scrutiny over dark patterns presents further challenges in online contracting" by Sherry-Maria Safchuk, Edward W. Somers, and Melina W. Montellanos (CSLR)
The Electronic Signatures in Global and National Commerce (ESIGN) Act and its state analogue, the Uniform Electronic Transactions Act (UETA), have played a transformative role advancing e-commerce in the United States for more than two decades. Provisions of the ESIGN Act contain safeguards...
"How Cos. can ease risk amid 'dark pattern' regulatory focus" by Elizabeth E. McGinn, Sherry-Maria Safchuk, and Melina W. Montellanos (Law360)
Federal and state regulators, legislators, and courts have increased their focus on dark patterns — web and mobile design elements that shepherd users to make decisions, often not in their best interest. To avoid consumer dissatisfaction, as well as legal and regulatory risk, companies should...
"Companies doing business in China caught in a double bind" by Michael Rosenberg
Continuing tensions between the U.S. and China are creating concerns for multinational companies doing business in China. Last June, China enacted the Anti-Foreign Sanctions Law, designed to counteract “discriminatory restrictive measures employed by foreign nations” against Chinese citizens or...
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank...
Special Alert: House subcommittee hears testimony on privacy bill
The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data...
Special Alert: Congress releases draft privacy bill
A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act. Passage of the ADPPA, which combines elements of prior proposals in an effort to...
"U.S., E.U. announce Trans-Atlantic data privacy framework: What companies can do now" by Elizabeth E. McGinn, Sasha Leonhardt, and Lauren Bomberger (CSLR)
The White House and European Commission in late March 2022 announced a new agreement in principle for trans-Atlantic data flows – the Trans-Atlantic Data Privacy Framework – that would replace the E.U.-U.S. Privacy Shield. The United States and European Union began negotiations on a new framework...
"No end in sight: Biometrics litigation trends" by Elizabeth E. McGinn, Amanda R. Lawrence, Scott T. Sakiyama, and Michael Rosenberg (CSLR)
Modern biometrics applications are myriad with more continually being developed. They allow users to unlock devices, make payments, detect theft, track time and much more. These applications are not overlooked by the plaintiffs’ bar. Since 2019, more than 1,000 class action lawsuits have been filed...
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing...
"FTC updates data security expectations for nonbanks" by Elizabeth E. McGinn, Amanda R. Lawrence, Sherry-Maria Safchuk, and Lauren Bomberger (Bloomberg Law)
Persistent cyberbreaches are compelling government responses to protect consumer data, particularly consumer financial information. Laws passed in California, Colorado, and Virginia are among the most influential at the state level, but federal regulators are also moving to implement additional...
News & Blogs
U.S. messaging service fined €5.5 million for GDPR violations
On January 19, the Irish Data Protection Commission (DPC) announced the conclusion of an inquiry into the data processing practices of a U.S.-based messaging service’s Ireland operations and fined the messaging service €5.5 million. The investigation was part of a broader GDPR compliance inquiry...
9th Circuit reverses decision in COPPA suit
In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their...
FTC finalizes data breach order with online alcohol marketplace
On January 10, the FTC announced it has finalized an order with a company that operates an online alcohol marketplace, along with its CEO, related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. As previously covered by InfoBytes, the FTC alleged...
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including...
District Court preliminarily approves data breach suit
On January 9, the U.S. District Court for the District of New Mexico granted preliminary approval of a class action settlement in a data breach suit that allegedly compromised approximately 191,000 individuals’ personally identifiable information (PII). According to the plaintiffs’ motion, the...
FCC chair asks Congress to act on robocalls
In December, FCC Chair Jessica Rosenworcel sent a letter to twelve senators in response to their June 2022 letter inquiring about combating robocalls. In the letter, Rosenworcel highlighted the FCC’s efforts to combat robocalls by discussing the agency’s “important” proposed rules, adopted in May...
Agencies highlight downpayment assistance, child privacy in regulatory agendas
Recently, the Office of Information and Regulatory Affairs released fall 2022 regulatory agendas for the FTC and HUD. With respect to an FTC review of the Children’s Online Privacy Protection Rule (COPPA) that was commenced in 2019 (covered by InfoBytes here), the Commission stated in its...
FCC proposes new data breach notification requirements
On January 6, the FCC announced a notice of proposed rulemaking (NPRM) to launch a formal proceeding for strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI). FCC Chairwoman Jessica Rosenworcel noted...
France fines software company €60 million for data violations
In December, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €60 million penalty against a global software development company accused of making it harder for users of its search engine to reject cookies than to accept them. Based on...
Irish DPC fines global social media company €390 million over targeted ads
On January 4, the Irish Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing practices of a global social media company’s European operations. Collectively, the DPC imposed fines totaling €390 million against the company for allegedly requiring users...
Press Releases & Announcements
Legal 500 2022 recognizes 18 Buckley attorneys in five practice areas
“They treat their clients better than any other law firm I’ve experienced,” is what one respondent said about Buckley LLP to Legal 500, which ranked the firm as a top law firm in five categories and recognized 18 of its attorneys for its 2022 edition.
The publication recognized...
Legal 500 2021 recognizes 17 Buckley attorneys in six practice areas
“While some firms will provide lengthy and expensive legal analysis, Buckley’s team relies on their depth and breadth of expertise to provide useful guidance from various team members quickly and efficiently,” a respondent told Legal 500, which ranked Buckley LLP as a top law firm and...
Rep. Suzan DelBene joins Jerry Buckley on privacy podcast
Jerry Buckley, a founder of Buckley LLP and co-host of the U.S. National Privacy Legislation podcast, interviewed U.S. Rep. Suzan DelBene (D-WA) about legislation she recently introduced that...
Legal 500 2020 recognizes 21 Buckley attorneys in six practice areas
“Buckley attorneys are incredibly responsive while providing top quality legal services,” is how respondents described the firm in the 2020 edition of Legal 500, which ranked Buckley as a top law firm and recognized it in six categories:
- Corporate Investigations and White ...
The Legal 500 2019 recognizes 17 Buckley attorneys in five practice areas
The Legal 500 once again ranked Buckley as a top law firm and recognized it in five categories:
- Corporate Investigations and White Collar Criminal Defense: Corporate – Tier 4
- Corporate Investigations and White Collar Criminal Defense: Individuals – Tier 2 ...
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings:
- Financial Services: Litigation
- Financial Services: Regulatory
- Technology: Data Protection and Privacy
- White-Collar Criminal Defense
In...
New Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Maryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
Our Privacy, Cyber Risk & Data Security Team
Partners
FYI
"Differences between the California Consumer Privacy Act and the California Privacy Rights Act" by Sherry-Maria Safchuk (Conference on Consumer Finance Law Quarterly Report)
Recent Blog Posts
- January 25, 2023: U.S. messaging service fined €5.5 million for GDPR violations
- January 13, 2023: 9th Circuit reverses decision in COPPA suit
- January 13, 2023: FTC finalizes data breach order with online alcohol marketplace
- January 13, 2023: District Court approves $11 million data breach settlement
- January 13, 2023: District Court preliminarily approves data breach suit