Privacy, Cyber Risk & Data Security
Practice Overview
How to comply with privacy and data security requirements has emerged as one of the most difficult legal questions businesses face. As customer information proliferates — and along with it, the ways established companies and innovators hope to put it to use — policymakers are struggling to keep up, prodded by a steady increase in security breaches and cyberattacks. States across the country are racing to fill the gap left by the absence of an integrated federal regime, leaving in their wake inconsistent and occasionally conflicting expectations and requirements. A lack of international consensus and different national approaches to privacy and data security replicates the problem at global scale.
Buckley helps companies manage the increasingly complex challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. We provide privacy and cybersecurity legal counsel that safeguards our clients’ interests and mitigates future risk. Legal 500 has ranked us as a leading privacy and data protection firm for the past decade, noting that we offer a “practical, business-friendly approach to the practice of law” that helps clients meet their goals and address their concerns.
Our attorneys are well-versed in the patchwork of federal, state, and international privacy and data security laws, and closely track and interpret proposed changes in them.
Federal laws and regulations
- Gramm-Leach-Bliley Act (GLBA)
- Safeguards Rule
- Fair Credit Reporting Act (FCRA)
- Telephone Consumer Protection Act (TCPA)
- Electronic Communications Privacy Act (ECPA)
- Computer Fraud and Abuse Act (CFAA)
- Right to Financial Privacy Act (RFPA)
- CAN-SPAM Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
State laws and regulations
- California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- Illinois Biometric Information Privacy Act (BIPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- California Financial Information Privacy Act (CFIPA)
- New York SHIELD Act
- New York Department of Financial Services’ Cybersecurity Regulations (NYDFS Cybersecurity Regulations)
International laws and regulations
- EU General Data Protection Regulation (GDPR)
- UK General Data Protection Regulation (UK GDPR)
- Schrems II and cross-border information sharing
We rely upon our experience in other regulatory compliance areas to navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) compliance. We are attuned to the increasingly stringent European Union privacy and security requirements, and those of other nations following the European model.
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies and procedures, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We assist clients with devising pragmatic solutions to comply with the law while sharing information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures, and significant outsourcing relationships.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.
Our representative experience includes:
- Compliance Advice. Advising numerous clients on how to comply with state and federal privacy and cybersecurity laws, including applicable CCPA and GLBA exemptions, and preparing policies and procedures, disclosures, DSAR responses, CCPA notices, and other relevant materials
- Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a company’s business model to allow for identification of regulatory requirements in their daily operations; alternatively, financial or lending institutions can generate surveys and searches tailored to their specific business type and licensing, the financial products they offer, and the jurisdiction where their products are offered through Winnow, our powerful, comprehensive, and dynamic database of state privacy and data security requirements
- Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking; our team also works with clients to prepare for potential incidents including by conducting table-top exercises, advising and responding to ransomware attacks, and reviewing and revising cyber insurance policies and provisions
- Examinations, Investigations, and Enforcement Actions. Working with clients in responding to examinations by state regulators and investigative demands from federal and state financial regulators, including the FTC, involving privacy and information security practices, particularly for companies in the fintech space; we represented clients in investigations and negotiated the first consent order with NYDFS under its Cybersecurity Regulations
- Contract Negotiation/Review. Negotiating and reviewing contracts between financial institutions or third parties related to privacy and data security provisions, including data sharing
- Data Sharing. Advising financial institutions on compliance with the GLBA, FCRA, and state disclosure requirements and restrictions on data sharing, including whether sharing information such as hashed data, marketing leads, affiliate information, and consumer reporting information triggers requirements under privacy laws related to sharing of personal information; advising financial institutions on requirements and restrictions related to data sharing with governmental entities under the RFPA and state analogs
- Vendor Management Compliance. Conducting enterprisewide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors
Articles
"Scrutiny over dark patterns presents further challenges in online contracting" by Sherry-Maria Safchuk, Edward W. Somers, and Melina W. Montellanos (CSLR)
The Electronic Signatures in Global and National Commerce (ESIGN) Act and its state analogue, the Uniform Electronic Transactions Act (UETA), have played a transformative role advancing e-commerce in the United States for more than two decades. Provisions of the ESIGN Act contain safeguards...
"How Cos. can ease risk amid 'dark pattern' regulatory focus" by Elizabeth E. McGinn, Sherry-Maria Safchuk, and Melina W. Montellanos (Law360)
Federal and state regulators, legislators, and courts have increased their focus on dark patterns — web and mobile design elements that shepherd users to make decisions, often not in their best interest. To avoid consumer dissatisfaction, as well as legal and regulatory risk, companies should...
"Companies doing business in China caught in a double bind" by Michael Rosenberg
Continuing tensions between the U.S. and China are creating concerns for multinational companies doing business in China. Last June, China enacted the Anti-Foreign Sanctions Law, designed to counteract “discriminatory restrictive measures employed by foreign nations” against Chinese citizens or...
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank...
Special Alert: House subcommittee hears testimony on privacy bill
The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data...
Special Alert: Congress releases draft privacy bill
A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act. Passage of the ADPPA, which combines elements of prior proposals in an effort to...
"U.S., E.U. announce Trans-Atlantic data privacy framework: What companies can do now" by Elizabeth E. McGinn, Sasha Leonhardt, and Lauren Bomberger (CSLR)
The White House and European Commission in late March 2022 announced a new agreement in principle for trans-Atlantic data flows – the Trans-Atlantic Data Privacy Framework – that would replace the E.U.-U.S. Privacy Shield. The United States and European Union began negotiations on a new framework...
"No end in sight: Biometrics litigation trends" by Elizabeth E. McGinn, Amanda R. Lawrence, Scott T. Sakiyama and Michael Rosenberg (CSLR)
Modern biometrics applications are myriad with more continually being developed. They allow users to unlock devices, make payments, detect theft, track time and much more. These applications are not overlooked by the plaintiffs’ bar. Since 2019, more than 1,000 class action lawsuits have been filed...
Special Alert: NYDFS guidance on cybersecurity and virtual currency responds to events in Ukraine
The New York Department of Financial Services last week issued guidance on its cybersecurity and virtual currency regulations in response to the Russian military actions in Ukraine and recently imposed sanctions. NYDFS specifically raised the specter of elevated cyber risk due to ongoing...
"FTC updates data security expectations for nonbanks" by Elizabeth E. McGinn, Amanda R. Lawrence, Sherry-Maria Safchuk, Lauren Bomberger (Bloomberg Law)
Persistent cyberbreaches are compelling government responses to protect consumer data, particularly consumer financial information. Laws passed in California, Colorado, and Virginia are among the most influential at the state level, but federal regulators are also moving to implement additional...
News & Blogs
SEC adopts truth-in-advertising rule enhancements for funds
On September 20, the SEC adopted amendments (as set forth in the final rule and as discussed in the fact sheet) to the Investment Companies Act rule that requires investment companies whose names suggest a focus in a particular type of investment to adopt a policy to invest not less than 80...
SEC approves final Privacy Act rules
On September 20, the SEC announced the approval of its revised Privacy Act rules, which govern the handling of personal information in the federal government. Among other things, the final rule will update, clarify, and streamline the SEC’s Privacy Act Regulations by (i) clarifying the purpose and...
UK-U.S. data bridge adequacy regulations to come into effect October 12
The EU-US Data Privacy Framework (the “Framework”) sets forth a set of principles and requirements that US organizations can comply with and, following certification, be permitted to join the Framework. On October 12, the UK extension to the Framework will come into effect following the UK digital...
Tech giant to pay $62M in smartphone location tracking suit
On September 14, 2023, in the U.S. District Court of the Northern District of California, San Jose Division, plaintiffs filed a motion for preliminary approval of a proposed Class Action Settlement Agreement and Release pursuant to which a tech giant will pay $62 million to resolve claims that it...
Delaware Personal Data Privacy Act to protect consumers
On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or...
CPPA continues efforts towards California Privacy Rights Act
The California Privacy Protection Agency board is continuing its efforts to prepare regulations implementing the California Privacy Rights Act (covered by InfoBytes here and here). Draft risk assessment regulations and cybersecurity audit regulations were released in advance of the September 8...
NIST updates its Cybersecurity Framework
The National Institute of Standards and Technology (NIST) recently unveiled a proposed update to its Cybersecurity Framework, which was originally developed to provide information security guidelines for “critical infrastructure” like banking and energy industries. (Covered by InfoBytes here)...
District court declines to reconsider BIPA accrual ruling
On August 14, an Illinois District Court denied in part and granted in part a tech company’s motion to dismiss a class-action suit that alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The complaint alleged that the tech giant failed to safeguard the facial data in its...
Chopra announces rulemaking for data brokers
On August 15, CFPB Director Rohit Chopra delivered remarks at the White House Roundtable on the harms of data broker practices. Referencing the prevalence of artificial intelligence in data surveillance, Chopra highlighted a common practice employed by companies: the gathering, leveraging, and...
DFPI launches actions against crypto scams, initiates education campaign
On August 9, the California Department of Financial Protection and Innovation (DFPI) announced that it issued cease and desist orders against three entities (orders here, here, and here) for allegedly offering and selling unqualified securities, and making material misrepresentations and...
Press Releases & Announcements
Legal 500 2022 recognizes 18 Buckley attorneys in five practice areas
“They treat their clients better than any other law firm I’ve experienced,” is what one respondent said about Buckley LLP to Legal 500, which ranked the firm as a top law firm in five categories and recognized 18 of its attorneys for its 2022 edition.
The publication recognized...
Legal 500 2021 recognizes 17 Buckley attorneys in six practice areas
“While some firms will provide lengthy and expensive legal analysis, Buckley’s team relies on their depth and breadth of expertise to provide useful guidance from various team members quickly and efficiently,” a respondent told Legal 500, which ranked Buckley LLP as a top law firm and...
Rep. Suzan DelBene joins Jerry Buckley on privacy podcast
Jerry Buckley, a founder of Buckley LLP and co-host of the U.S. National Privacy Legislation podcast, interviewed U.S. Rep. Suzan DelBene (D-WA) about legislation she recently introduced that...
Legal 500 2020 recognizes 21 Buckley attorneys in six practice areas
“Buckley attorneys are incredibly responsive while providing top quality legal services,” is how respondents described the firm in the 2020 edition of Legal 500, which ranked Buckley as a top law firm and recognized it in six categories:
- Corporate Investigations and White ...
The Legal 500 2019 recognizes 17 Buckley attorneys in five practice areas
The Legal 500 once again ranked Buckley as a top law firm and recognized it in five categories:
- Corporate Investigations and White Collar Criminal Defense: Corporate – Tier 4
- Corporate Investigations and White Collar Criminal Defense: Individuals – Tier 2 ...
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings:
- Financial Services: Litigation
- Financial Services: Regulatory
- Technology: Data Protection and Privacy
- White-Collar Criminal Defense
In...
New Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Maryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
FYI
"Differences between the California Consumer Privacy Act and the California Privacy Rights Act" by Sherry-Maria Safchuk (Conference on Consumer Finance Law Quarterly Report)
Recent Blog Posts
- September 22, 2023: SEC adopts truth-in-advertising rule enhancements for funds
- September 22, 2023: SEC approves final Privacy Act rules
- September 22, 2023: UK-U.S. data bridge adequacy regulations to come into effect October 12
- September 22, 2023: Tech giant to pay $62M in smartphone location tracking suit
- September 22, 2023: Delaware Personal Data Privacy Act to protect consumers