Privacy, Cyber Risk & Data Security

How to comply with privacy and data security requirements has emerged as one of the most difficult legal questions businesses face. As customer information proliferates — and along with it, the ways established companies and innovators hope to put it to use — policymakers are struggling to keep up, prodded by a steady increase in security breaches and cyberattacks. States across the country are racing to fill the gap left by the absence of an integrated federal regime, leaving in their wake inconsistent and occasionally conflicting expectations and requirements. A lack of international consensus and different national approaches to privacy and data security replicates the problem at global scale.

Buckley helps companies manage the increasingly complex challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. We provide privacy and cybersecurity legal counsel that safeguards our clients’ interests and mitigates future risk. Legal 500 has ranked us as a leading privacy and data protection firm for the past decade, noting that we offer a “practical, business-friendly approach to the practice of law” that helps clients meet their goals and address their concerns.

Our attorneys are well-versed in the patchwork of federal, state, and international privacy and data security laws, and closely track and interpret proposed changes in them.

Federal laws and regulations

• Gramm-Leach-Bliley Act (GLBA)
• Safeguards Rule
• Fair Credit Reporting Act (FCRA)
• Telephone Consumer Protection Act (TCPA)
• Electronic Communications Privacy Act (ECPA)
• Computer Fraud and Abuse Act (CFAA)
• Right to Financial Privacy Act (RFPA)
• CAN-SPAM Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Children’s Online Privacy Protection Act (COPPA) 

State laws and regulations

• California Consumer Privacy Act (CCPA) and the
• California Privacy Rights Act (CPRA)
• Illinois Biometric Information Privacy Act (BIPA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• California Financial Information Privacy Act (CFIPA)
• New York SHIELD Act
• New York Department of Financial Services’ Cybersecurity Regulations (NYDFS Cybersecurity Regulations)  

International laws and regulations

• EU General Data Protection Regulation (GDPR)
• UK General Data Protection Regulation (UK GDPR)
• Schrems II and cross-border information sharing

We rely upon our experience in other regulatory compliance areas to navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) compliance. We are attuned to the increasingly stringent European Union privacy and security requirements, and those of other nations following the European model.

Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies and procedures, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We assist clients with devising pragmatic solutions to comply with the law while sharing information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures, and significant outsourcing relationships.

We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.

Our representative experience includes:

• Compliance Advice. Advising numerous clients on how to comply with state and federal laws privacy and cybersecurity laws, including applicable CCPA and GLBA exemptions, and preparing policies and procedures, disclosures, DSAR responses, CCPA notices, and other relevant materials
   
• Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a company’s business model to allow for identification of regulatory requirements in their daily operations; alternatively, financial or lending institutions can generate surveys and searches tailored to their specific business type and licensing, the financial products they offer, and the jurisdiction where their products are offered through Winnow, our powerful, comprehensive, and dynamic database of state privacy and data security requirements
   
• Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking; our team also works with clients to prepare for potential incidents including by conducting table-top exercises, advising and responding to ransomware attacks, and reviewing and revising cyber insurance policies and provisions
   
• Examinations, Investigations, and Enforcement Actions. Working with clients in responding to examinations by state regulators and investigative demands from federal and state financial regulators, including the FTC involving privacy and information security practices, particularly for companies in the fintech space; we represented clients in investigations and negotiated the first consent order with NYDFS under its Cybersecurity Regulations
   
• ​Contract Negotiation/Review. Negotiating and reviewing contracts between financial institutions or third parties related to privacy and data security provisions, including data sharing
   
• Data Sharing. Advising financial institutions on compliance with the GLBA, FCRA, and state disclosure requirements and restrictions on data sharing, whether sharing information such as hashed data, marketing leads, affiliate information, and consumer reporting information triggers requirements under privacy laws related to sharing of personal information; advise financial institutions on requirements and restrictions related to data sharing with governmental entities under the RFPA and state analogs
   
• Vendor Management Compliance. Conducting enterprisewide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors