Privacy, Cyber Risk & Data Security
Practice Overview
How to comply with privacy and data security requirements has emerged as one of the most difficult legal questions businesses face. As customer information proliferates — and along with it, the ways established companies and innovators hope to put it to use — policymakers are struggling to keep up, prodded by a steady increase in security breaches and cyberattacks. States across the country are racing to fill the gap left by the absence of an integrated federal regime, leaving in their wake inconsistent and occasionally conflicting expectations and requirements. A lack of international consensus and different national approaches to privacy and data security replicates the problem at global scale.
Buckley helps companies manage the increasingly complex challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. We provide privacy and cybersecurity legal counsel that safeguards our clients’ interests and mitigates future risk. Legal 500 has ranked us as a leading privacy and data protection firm for the past decade, noting that we offer a “practical, business-friendly approach to the practice of law” that helps clients meet their goals and address their concerns.
Our attorneys are well-versed in the patchwork of federal, state, and international privacy and data security laws, and closely track and interpret proposed changes in them.
Federal laws and regulations
- Gramm-Leach-Bliley Act (GLBA)
- Safeguards Rule
- Fair Credit Reporting Act (FCRA)
- Telephone Consumer Protection Act (TCPA)
- Electronic Communications Privacy Act (ECPA)
- Computer Fraud and Abuse Act (CFAA)
- Right to Financial Privacy Act (RFPA)
- CAN-SPAM Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
State laws and regulations
- California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- Illinois Biometric Information Privacy Act (BIPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- California Financial Information Privacy Act (CFIPA)
- New York SHIELD Act
- New York Department of Financial Services’ Cybersecurity Regulations (NYDFS Cybersecurity Regulations)
International laws and regulations
- EU General Data Protection Regulation (GDPR)
- UK General Data Protection Regulation (UK GDPR)
- Schrems II and cross-border information sharing
We rely upon our experience in other regulatory compliance areas to navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) compliance. We are attuned to the increasingly stringent European Union privacy and security requirements, and those of other nations following the European model.
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies and procedures, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We assist clients with devising pragmatic solutions to comply with the law while sharing information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures, and significant outsourcing relationships.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.
Our representative experience includes:
- Compliance Advice. Advising numerous clients on how to comply with state and federal privacy and cybersecurity laws, including applicable CCPA and GLBA exemptions, and preparing policies and procedures, disclosures, DSAR responses, CCPA notices, and other relevant materials
- Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a company’s business model to allow for identification of regulatory requirements in their daily operations; alternatively, financial or lending institutions can generate surveys and searches tailored to their specific business type and licensing, the financial products they offer, and the jurisdiction where their products are offered through Winnow, our powerful, comprehensive, and dynamic database of state privacy and data security requirements
- Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking; our team also works with clients to prepare for potential incidents including by conducting table-top exercises, advising and responding to ransomware attacks, and reviewing and revising cyber insurance policies and provisions
- Examinations, Investigations, and Enforcement Actions. Working with clients in responding to examinations by state regulators and investigative demands from federal and state financial regulators, including the FTC, involving privacy and information security practices, particularly for companies in the fintech space; we represented clients in investigations and negotiated the first consent order with NYDFS under its Cybersecurity Regulations
- Contract Negotiation/Review. Negotiating and reviewing contracts between financial institutions or third parties related to privacy and data security provisions, including data sharing
- Data Sharing. Advising financial institutions on compliance with the GLBA, FCRA, and state disclosure requirements and restrictions on data sharing, including whether sharing information such as hashed data, marketing leads, affiliate information, and consumer reporting information triggers requirements under privacy laws related to sharing of personal information; advising financial institutions on requirements and restrictions related to data sharing with governmental entities under the RFPA and state analogs
- Vendor Management Compliance. Conducting enterprisewide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors
Articles
"U.S., E.U. announce Trans-Atlantic data privacy framework: What companies can do now" by Elizabeth E. McGinn, Sasha Leonhardt, and Lauren Bomberger (CSLR)
The White House and European Commission in late March 2022 announced a new agreement in principle for trans-Atlantic data flows – the Trans-Atlantic Data Privacy Framework – that would replace the E.U.-U.S. Privacy Shield. The United States and European Union began negotiations on a new framework...
"No end in sight: Biometrics litigation trends" by Elizabeth E. McGinn, Amanda R. Lawrence, Scott T. Sakiyama and Michael Rosenberg (CSLR)
Modern biometrics applications are myriad with more continually being developed. They allow users to unlock devices, make payments, detect theft, track time and much more. These applications are not overlooked by the plaintiffs’ bar. Since 2019, more than 1,000 class action lawsuits have been filed...
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing...
"FTC updates data security expectations for nonbanks" by Elizabeth E. McGinn, Amanda R. Lawrence, Sherry-Maria Safchuk, Lauren Bomberger (Bloomberg Law)
Persistent cyberbreaches are compelling government responses to protect consumer data, particularly consumer financial information. Laws passed in California, Colorado, and Virginia are among the most influential at the state level, but federal regulators are also moving to implement additional...
"Differences between the California Consumer Privacy Act and the California Privacy Rights Act" by Sherry-Maria Safchuk (Conference on Consumer Finance Law Quarterly Report)
The transformation of privacy laws in California has been swift. The rapid adoption of the California Consumer Privacy Act of 2018 (“CCPA”), its regulations, and the California Privacy Rights Act of 2020 (“CPRA”) has required businesses to diligently track new consumer protections across privacy...
News & Blogs
FTC addresses importance of effective incident response and breach disclosure
On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to...
FDIC highlights operational risks in 2022 Risk Review
On May 20, the FDIC released its 2022 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2021 in four broad categories: credit risk, market risk, operational risk, and climate-related financial risk. According to the FDIC, the current risk review expands upon...
DOJ will not charge researchers who report cybersecurity flaws in “good faith”
On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors to not charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers that...
FCC acts to ensure gateway providers stop international robocalls
On May 19, the FCC unanimously adopted proposed rules to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls. As part of the...
FTC cracks down on ed tech providers’ COPPA compliance
On May 19, the FTC warned providers of education technology (ed tech) tools for children that they must fully comply with all provisions of the Children’s Online Privacy Protection Act (COPPA). The Commission voted unanimously to approve a policy statement clarifying how COPPA applies to ed tech...
Oklahoma establishes telephone solicitation restrictions
On May 20, the Oklahoma governor signed HB 3168, which establishes the Telephone Solicitation Act of 2022. The bill, among other things, prohibits (i) certain sales calls without the prior express written consent of the called party; (ii) commercial telephone sellers or salespersons from using...
Illinois amendments address confidentiality of customer financial records
On May 13, the Illinois governor signed SB 3971, which makes various amendments to Illinois Banking Act and Savings Bank Act provisions concerning the confidentiality of customer financial records. Among other things, the Act provides that a bank must disclose financial records “only after the...
U.S. signs protocol to strengthen international efforts to combat cybercrime
On May 12, the U.S. signaled its commitment to fight cybercrime by signing the Second Additional Protocol to the Convention on Cybercrime to obtain access to needed electronic evidence. Deputy Assistant Attorney General Richard Downing of the DOJ’s Criminal Division signed the new protocol to...
Senate confirms Bedoya as FTC commissioner; Powell to serve second term as Fed chair
On May 11, the U.S. Senate voted along party lines to confirm Alvaro Bedoya as an FTC Commissioner. Bedoya, who brings a background in privacy and data security, fills the FTC commissioner seat vacated by current CFPB Director Rohit Chopra. A Georgetown University visiting professor of law, Bedoya...
Connecticut becomes fifth state to enact comprehensive privacy legislation
On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (...
Press Releases & Announcements
Legal 500 2021 recognizes 17 Buckley attorneys in six practice areas
“While some firms will provide lengthy and expensive legal analysis, Buckley’s team relies on their depth and breadth of expertise to provide useful guidance from various team members quickly and efficiently,” a respondent told Legal 500, which ranked Buckley LLP as a top law firm and...
Rep. Suzan DelBene joins Jerry Buckley on privacy podcast
Jerry Buckley, a founder of Buckley LLP and co-host of the U.S. National Privacy Legislation podcast, interviewed U.S. Rep. Suzan DelBene (D-WA) about legislation she recently introduced that...
Legal 500 2020 recognizes 21 Buckley attorneys in six practice areas
“Buckley attorneys are incredibly responsive while providing top quality legal services,” is how respondents described the firm in the 2020 edition of Legal 500, which ranked Buckley as a top law firm and recognized it in six categories:
- Corporate Investigations and White ...
The Legal 500 2019 recognizes 17 Buckley attorneys in five practice areas
The Legal 500 once again ranked Buckley as a top law firm and recognized it in five categories:
- Corporate Investigations and White Collar Criminal Defense: Corporate – Tier 4
- Corporate Investigations and White Collar Criminal Defense: Individuals – Tier 2 ...
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings:
- Financial Services: Litigation
- Financial Services: Regulatory
- Technology: Data Protection and Privacy
- White-Collar Criminal Defense
In...
New Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Maryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
Buckley Sandler Establishes International Presence With Opening of London Office
WASHINGTON, DC / LONDON, ENGLAND (September 8, 2014) – Buckley Sandler LLP, a leading financial services and criminal & civil enforcement defense law firm, announced today the opening of its first international office, located in London. James T. Parkinson has relocated from the firm’s...
Our Privacy, Cyber Risk & Data Security Team
Partners
Recent Blog Posts
- May 25, 2022: FTC addresses importance of effective incident response and breach disclosure
- May 24, 2022: FDIC highlights operational risks in 2022 Risk Review
- May 24, 2022: DOJ will not charge researchers who report cybersecurity flaws in “good faith”
- May 24, 2022: FCC acts to ensure gateway providers stop international robocalls
- May 24, 2022: FTC cracks down on ed tech providers’ COPPA compliance