Privacy, Cyber Risk & Data Security
Practice Overview
Businesses face increasingly complex and difficult challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. Security breaches and other cyberattacks are a constant risk and have attracted heightened regulatory scrutiny in the U.S. and around the globe. States are responding quickly to consumer concerns, leading to inconsistent and occasionally conflicting expectations and requirements. Buckley provides privacy and cybersecurity legal counsel that safeguards the interests of clients and mitigates future risk.
Our attorneys are well-versed in privacy and data security laws, including the Gramm-Leach-Bliley Act (GLBA) and the Safeguards Rule, the Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), the Computer Fraud and Abuse Act (CFAA), the Right to Financial Privacy Act (RFPA), and the CAN-SPAM Act. Additionally, we routinely advise clients on state laws concerning data sharing, information privacy, security breaches, and cybersecurity, including the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), the California Financial Information Privacy Act (CFIPA), and the New York Department of Financial Services Cybersecurity Rules (NYDFS Cybersecurity Rules). We also closely track and interpret proposed changes in both federal and state laws with respect to privacy and cybersecurity.
As part of our engagements, we leverage our experience in other regulatory compliance areas to navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) requirements. We are attuned to the increasingly stringent European Union privacy and security requirements, and those of other nations that have followed the European model, and we advise clients on cross-border information-sharing requirements, including issues arising in criminal and civil investigations. We also routinely advise clients on compliance with foreign privacy frameworks, such as the EU General Data Protection Regulation (GDPR).
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We assist clients with devising solutions to permissibly share information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures, and significant outsourcing relationships.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.
Our representative experience includes:
- Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a company’s business models to allow for identification of regulatory requirements in their daily operations
- Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking
- Examination and Investigation Response. Working with clients in responding to examinations by state regulators and civil investigative demands from federal financial regulators, including the FTC, involving privacy and information security practices, particularly for companies in the fintech space
- Data Sharing. Advising financial institutions on compliance with the GLBA and state disclosure requirements and restrictions on data sharing, including advising a bank on whether its practices with respect to hashed data triggered Regulation P when shared with third-party joint marketing partners
- Compliance Advice. Advising numerous clients on how to comply with the various state and federal laws regarding privacy and cybersecurity, including advising clients on applicable CCPA exemptions, including the exemption available to certain information collected, processed, sold, or disclosed pursuant to the GLBA, and preparing policies and procedures, disclosures, and other relevant materials
- Vendor Management Compliance. Conducting enterprise-wide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors
Articles
"6 key ways the California Privacy Rights Act of 2020 would revise the CCPA" by Amanda R. Lawrence, Sherry-Maria Safchuk, Garylene D. Javier, and John Georgievski (Corporate Compliance Insights)
The California Consumer Privacy Act (CCPA), the state’s landmark privacy regulation, became effective only eight months ago – and yet, the California Privacy Rights Act of 2020 (CPRA), a modified version of the CCPA, has garnered enough support to appear on the November 2020 ballot in California...
"Implementing the CCPA regulations: Are you ready?" by Amanda R. Lawrence, Elizabeth E. McGinn, and Sherry-Maria Safchuk (Cybersecurity Law Report)
The final regulations under the California Consumer Privacy Act, introduced by the California Attorney General last October, became effective on August 14, 2020. The AG has already implemented many of the changes suggested in the public comments, but there are still several open questions that...
"Data security best practices for licensed lenders' telework" by Sherry-Maria Safchuk and James C. Chou (Law360)
State-licensed/registered brokers, lenders and servicers have increased their focus on data security as the spread of COVID-19 has extended work-from-home orders, and what now seems to be a lasting acceptance of remote work means that the tools used to secure data will remain relevant when the...
"Reopening well: Balancing employee privacy with employee safety" by Elizabeth E. McGinn, Amanda R. Lawrence, James C. Chou, and David Rivera (Corporate Compliance Insights)
Consumer privacy has been a key area of focus over the past several years, but as companies begin return-to-work operations, they discover that employee privacy looms large as well. Well-intentioned companies seeking to keep employees safe risk incurring penalties from a variety of agencies based...
"Confusion surrounding the Privacy Shield rollback" by Amanda R. Lawrence, Elizabeth E. McGinn, and Magda Gathani
The Court of Justice of the European Union (CJEU) last month invalidated the EU-U.S. Privacy Shield, which over 5,000 companies have relied on as a legal mechanism of transferring data from the EU to the United States.
The European Data Protection Board (EDPB) did not provide a grace...
"Put bank exam council in charge of data privacy" by Jeremiah S. Buckley (American Banker)
From the European Union to California and now other states and countries, data protection and privacy standards going into effect often share the same objectives, but have separate and different regulatory requirements. This creates a confusing array of legal requirements that pose compliance and...
News & Blogs
Law firm ordered to produce cyberattack report in malpractice action
On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected...
New York introduces biometric privacy act
On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of...
Updated Washington State Privacy Act re-introduced
On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights...
Court dismisses data breach claims citing lack of compromised sensitive information
On January 12, the U.S. District Court for the Central District of California dismissed a data breach lawsuit brought against a hotel chain, ruling the plaintiff lacked standing. The plaintiff claimed class members were victims of a data breach when hotel employees at a franchise in Russia...
State AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised...
Court grants preliminary approval of CCPA class action settlement
On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the...
FinCEN warns financial institutions about Covid-19 vaccine-related scams and cyberattacks
On December 28, the Financial Crimes Enforcement Network (FinCEN) issued a notice to financial institutions concerning the potential for Covid-19 vaccine-related fraud, ransomware attacks, and other types of criminal activity. Specifically, FinCEN warns financial institutions to be aware of the...
9th Circuit affirms dismissal of data breach class action against online payment firm
On December 17, the U.S. Court of Appeals for the Ninth Circuit affirmed dismissal of a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. As...
FTC settles with company for data security lapses
On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to ensure the security of personal consumer information, including sensitive...
Irish Data Protection Commission fines U.S. social networking company for violating GDPR
On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European...
Press Releases & Announcements
Legal 500 2020 recognizes 21 Buckley attorneys in six practice areas
“Buckley attorneys are incredibly responsive while providing top quality legal services,” is how respondents described the firm in the 2020 edition of Legal 500, which ranked Buckley as a top law firm and recognized it in six categories:
- Corporate Investigations and White ...
The Legal 500 2019 recognizes 17 Buckley attorneys in five practice areas
The Legal 500 once again ranked Buckley as a top law firm and recognized it in five categories:
- Corporate Investigations and White Collar Criminal Defense: Corporate – Tier 4
- Corporate Investigations and White Collar Criminal Defense: Individuals – Tier 2 ...
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings:
- Financial Services: Litigation
- Financial Services: Regulatory
- Technology: Data Protection and Privacy
- White-Collar Criminal Defense
In...
New Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Maryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
Buckley Sandler Establishes International Presence With Opening of London Office
WASHINGTON, DC / LONDON, ENGLAND (September 8, 2014) – Buckley Sandler LLP, a leading financial services and criminal & civil enforcement defense law firm, announced today the opening of its first international office, located in London. James T. Parkinson has relocated from the firm’s...
Buckley Sandler Launches "Privacy, Cyber Risk & Data Security" Hotline
WASHINGTON, DC (January 24, 2014) – Buckley Sandler LLP, a leading financial services regulatory, criminal & civil enforcement defense law firm, has launched a Privacy, Cyber Risk & Data Security Hotline to assist companies with mitigating online security risks. The Hotline ( 1-855-5-DATA-...
Recent Blog Posts
- January 22, 2021: Law firm ordered to produce cyberattack report in malpractice action
- January 22, 2021: New York introduces biometric privacy act
- January 22, 2021: Updated Washington State Privacy Act re-introduced
- January 20, 2021: Court dismisses data breach claims citing lack of compromised sensitive information
- January 8, 2021: State AGs reach $2 million settlement to resolve data breach