Privacy, Cyber Risk & Data Security
Practice Overview
Businesses face increasingly complex and difficult challenges associated with collecting, using, disclosing, and securing sensitive and highly regulated data and information. Security breaches and other cyberattacks are a constant risk and have attracted heightened regulatory scrutiny at the federal and state level in the U.S. and in countries around the globe. Buckley provides privacy and cybersecurity legal counsel that both safeguards the interests of clients and mitigates future risk.
Our attorneys are well-versed in the federal privacy and data security laws, including the Gramm-Leach-Bliley Act (GLBA) and the Safeguards Rule, the Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), the Computer Fraud and Abuse Act (CFAA), the Right to Financial Privacy Act (RFPA), and the CAN-SPAM Act. Additionally, we routinely advise clients on state laws concerning data sharing, information privacy, security breaches, and cybersecurity, including but not limited to the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), the California Financial Information Privacy Act (CFIPA), and the New York Department of Financial Services Cybersecurity Rules (NYDFS Cybersecurity Rules). We also closely track and interpret proposed changes in both federal and state laws with respect to privacy and cybersecurity.
As part of our engagements, we leverage our experience in other regulatory compliance areas to seamlessly navigate clients through related issues such as the USA Patriot Act and the Office of Foreign Assets Control (OFAC) requirements. We are attuned to the increasingly stringent European Union privacy and security requirements and those of other nations that have followed the European model, and we advise clients on cross-border information sharing requirements, including issues arising in criminal and civil investigations. We also routinely advise clients on compliance with foreign privacy frameworks, such as the EU General Data Protection Regulation (GDPR).
Our attorneys perform gap analyses and risk assessments, design comprehensive privacy and security policies, craft privacy notices, and advise on the structure of privacy and security programs, employee education, and training materials. We also are involved in devising solutions to permissibly share information within and outside an enterprise. Our team routinely drafts and revises agreements with third parties to ensure compliance with regulatory requirements, as well as shields our clients from the inherent risks associated with information sharing and use. We provide critical assistance in transactional matters by analyzing the privacy and security risks of mergers, acquisitions, spin-offs, restructurings, joint ventures and significant outsourcing relationships.
We work with our clients on incident response plans and investigations, including customer service and media strategies. Our team negotiates with law enforcement agencies and regulators, and drafts breach notice letters and customer service center call scripts. We have significant experience honed over many years working with federal and state regulators and attorneys general on inquiries, examinations, and enforcement actions involving privacy and security issues. Our litigators defend individuals and companies charged with data privacy violations.
Our representative experience includes:
- Privacy and Cybersecurity Law Inventories. Preparing privacy and cybersecurity law inventories tailored to a national bank’s and insurance company’s business models to allow for identification of regulatory requirements in their daily operations
- Security Incident and Data Breach Response. Advising many companies in investigating, addressing, and meeting compliance obligations relating to security incidents and breaches. Incidents have ranged from local to global in nature, from targeted attacks to widespread incidents impacting millions, and from inadvertent disclosure to hacking
- Investigation Response. Working with clients in responding to civil investigative demands from federal financial regulators, including the FTC involving privacy and information security practices, particularly for companies in the fintech space
- Data Sharing. Advising financial institutions on compliance with the GLBA’s disclosure requirements and restrictions on data sharing, including advising a bank on whether its practices with respect to hashed data triggered Regulation P when shared with third-party joint marketing partners
- Compliance Advice. Advising numerous clients on how to comply with the various state and federal laws regarding privacy and cybersecurity, including advising clients on applicable CCPA exemptions, including the exemption available to certain information collected, processed, sold, or disclosed pursuant to the GLBA
- Vendor Management Compliance. Conducting enterprise-wide vendor management compliance reviews to ensure compliance with relevant state and federal privacy and cybersecurity laws, including advising one of the largest technology companies in the world on addressing the special requirements that U.S. and foreign financial institutions have for critical third-party vendors
Articles
"GDPR-based objections to U.S. discovery requests: 2019 year in review" by Leslie L. Meredith (Legaltech News)
U.S. civil litigants faced with an obligation to produce “personal data” protected by GDPR, the European Union’s General Data Protection Regulation, can find themselves on the horns of a serious dilemma. In 2019, the first full year since GDPR was enacted, not a single court excused compliance with...
Articles"Website cookies and privacy—GDPR, CCPA, and evolving standards for online consent" by Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (Bloomberg Law)
Virtually all companies with high-traffic websites use cookies to track visitors’ online experience, but global best practices in disclosing the use of cookies—and obtaining visitors’ consent to their use—have proven elusive despite intense scrutiny from privacy advocates. With requirements varying...
Articles"BankThink: Congress needs to hurry up on data protection" by Jeremiah S. Buckley (American Banker)
Data is the lifeblood of the burgeoning digital economy. The debate about its use — and its protection — is now playing out globally. As big data, artificial intelligence and machine learning increasingly shape everyday lives, Congress will have some important policy choices to make, weighing how...
Articles"A new era of FCRA scrutiny for consumer data furnishers" by Jessica L. Pollet and Frida Alim (Law360)
Furnishers provide information to consumer reporting agencies on over 1.3 billion consumer credit accounts or other tradelines each month, with the three largest national consumer reporting agencies holding the personal information of over 200 million consumers. Given the extent of the consumer...
ArticlesSpecial Alert: California attorney general releases proposed CCPA regulations
Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert ), amended several times and with the most recent amendments signed...
Special Alerts"Wearables present new realm of legal risks for teams" by Elizabeth E. McGinn, Jonathan D. Jerison, and John B. Williams, III (Sports Business Journal)
Reaching peak athletic performance is an increasingly scientific and quantitative pursuit, and professional sports franchises, which have tremendous financial and emotional motivation to be the best, are at the forefront in gathering as much data about their assets as possible. FitBits, Apple...
ArticlesSpecial Alert: California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers...
Special Alerts"3 key areas where the NYDFS ups the ante on cybersecurity" by Elizabeth E. McGinn and David Rivera (Westlaw Journal)
On March 1, the two-year transitional period under the New York State Department of Financial Services’ “Cybersecurity Requirements for Financial Services Companies” regulation expired, making all requirements effective. The cybersecurity regulation marks a shift in the governance of cybersecurity...
Articles"Navigating today’s biometric landscape" by Elizabeth E. McGinn, Scott T. Sakiyama, Magda Gathani, and Garylene D. Javier (Cybersecurity Law Report)
Biometrics-based authentication of payments and other transactions has been on the rise for the past several years, promising unparalleled convenience and security for consumers. However, the distinctive nature of biometric features that confers its advantages is also the source of the technology’s...
Articles"FTC has big agenda for 2019. How should companies prepare?" by Michelle L. Rogers and Katherine L. Halliday (Bloomberg Law)
Federal Trade Commission Chairman Joseph Simons recently previewed an aggressive and expansive consumer protection agenda for 2019, invoking the commission’s broad powers to pursue unfair or deceptive acts or practices, and adding “fraudulent” to the types of conduct he expects to police. Among the...
ArticlesSpecial Alert: California governor signs significant data privacy bill into law
On June 28, California Governor Jerry Brown signed the California Consumer Privacy Act (the “Consumer Privacy Act” or the “Act”) into law. The Act was enacted largely in response to a more restrictive ballot initiative (“Ballot Initiative”) that appeared to have gained a sufficient number of...
Special Alerts"The great data breach standing circuit split" by Amanda R. Lawrence and Michael A. Rome (Law360)
Data breaches are back in the news in a big way. Over the past several weeks alone, prominent hotel chains, online platforms and retailers announced significant data breaches. Unsurprisingly, in the aftermath of these disclosures, consumers filed class actions alleging that the data breaches...
Articles"SEC tool could test executive online impulse control" by Thomas A. Sporkin and Ian Acker (Legaltech News)
A message to corporate executives and their public-relations minders: One in a trillion may no longer be a reasonable guarantee of anonymity. The Securities and Exchange Commission (SEC) is confronting the difficult challenge of how to keep an eye on and sort through a fire hose of social media...
Articles"‘Reasonable security’: A moving target" by Elizabeth E. McGinn (Cyber Security)
The concept of ‘reasonable security’ for personal information maintained by financial institutions began with the Gramm-Leach-Bliley Act (GLBA). On 12th November, 1999, Congress enacted GLBA, a landmark privacy and data security law which required the federal financial regulatory agencies to...
Articles"FTC v. D-Link Systems and the internet of things" by Elizabeth E. McGinn, John B. Williams, and Christopher M. Walczyszyn (Westlaw)
As businesses expand the availability of internet-connected devices, Buckley Sandler LLP attorneys Elizabeth McGinn, John Williams and Christopher Walczyszyn address the Federal Trade Commission’s role in regulating and enforcing “internet of things” device security to protect consumers’ data...
Articles"The devil is in the details: LabMD imposes limitations on the FTC’s enforcement authority" by Elizabeth E. McGinn and Sasha Leonhardt, (Cybersecurity Law Report)
In the latest data security case with significant implications for all enforcement actions, the United States Court of Appeals for the Eleventh Circuit struck down a cease-and-desist order as impermissibly vague. By ruling against the FTC in its long-running and contentious dispute with LabMD, the...
Articles“Social media in the current enforcement landscape,” by Elizabeth E. McGinn, John B. Williams, and Timothy Coley (Banking Exchange)
Perhaps no aspect of the internet has grown so broadly in the past decade as social media. From its infancy at sites like MySpace, Friendster, and “TheFacebook” (originally open only to students at select colleges), to the current industry leaders of Facebook (now open to all, and touting more than...
ArticlesBuckley Sandler Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually...
ArticlesElizabeth E. McGinn and Jessica M. Shannon Authored a Bloomberg BNA Article, "Consumer Privacy Should Be Top-of-Mind for FinTech Firms to Avoid Scrutiny"
With many people underserved by traditional lending institutions, including the close to 45 million adults in the U.S. who the Consumer Financial Protection Bureau estimates are “credit invisible” or have had past credit challenges, emerging FinTech lenders and online lending platforms (FinTech...
ArticlesElizabeth E. McGinn Authored a Westlaw Journal Article, "Data Security Breach Litigation Post-Spokeo"
California enacted the nation’s first data security breach notification law 15 years ago. Following a few high-profile incidents in 2005, other states rapidly began enacting breach-notice requirements based largely on the California model. This proliferation of laws — and the constant news of...
Articles
News & Blogs
Treasury seeks information on financial sector cybersecurity risks
On January 22, the Department of the Treasury published a request for comments on a proposed information collection designed to better understand cybersecurity risks facing the U.S. financial services sector and financial services critical infrastructure. The “Financial Sector Critical...
InfoBytesNew York Fed analyzes potential impact of cyber attacks on payments network
In January, the Federal Reserve Bank of New York (New York Fed) released a staff report that analyzes how a cyber attack transmitted through a payment network could be amplified throughout the U.S. financial system. According to the report, Cyber Risk and the U.S. Financial System: a Pre-Mortem...
InfoBytesDistrict Court: Michigan privacy law covers out-of-state residents
On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring...
InfoBytesFDIC, OCC issue joint notice of heightened cybersecurity risk
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020 , OCC Bulletin 2020-5 ) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test...
InfoBytesData breach settlement of $380.5 million approved in credit reporting agency class action
On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large credit reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data...
InfoBytesWashington state introduces comprehensive privacy bill
On January 13, Washington state lawmakers announced two bills designed to strengthen consumer access and control over personal data and regulate the use of facial recognition technology. Highlights of SB 6281 , the Washington Privacy Act, include the following: Applicability. SB 6281 will apply to...
InfoBytesSupreme Court to review TCPA debt collection exemption
On January 10, the U.S. Supreme Court announced it had granted a petition for a writ of certiorari filed by the U.S. government in Barr v. American Association of Political Consultants Inc. —a Telephone Consumer Protection Act (TCPA) case concerning an exemption that allows debt collectors to use...
InfoBytesSEC announces 2020 OCIE exam priorities
On January 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of its 2020 Examination Priorities . The annual release of exam priorities provides transparency into the risk-based examination process and lists areas that pose current and potential risks to...
InfoBytesRepresentatives urge financial regulators to strengthen cyber infrastructures
On January 7, Representatives Emanuel Cleaver II (D-MO) and Gregory Meeks D-NY) sent a letter to nine federal financial regulators urging them to strengthen their financial infrastructures against possible cyber-attacks in the wake of recent threats against the U.S. from Iran and its allies...
InfoBytesCalifornia outlines new data privacy rights
On January 6, the California attorney general issued an advisory explaining consumers’ rights under the California Consumer Privacy Act (CCPA), which took effect January 1. (See previous InfoBytes coverage on the CCPA here .) These rights include (i) the right to request from businesses what...
InfoBytes
Press Releases & Announcements
The Legal 500 2019 recognizes 17 Buckley attorneys in five practice areas
The Legal 500 once again ranked Buckley as a top law firm and recognized it in five categories:
- Corporate Investigations and White Collar Criminal Defense: Corporate – Tier 4
- Corporate Investigations and White Collar Criminal Defense: Individuals – Tier 2 ...
The Legal 500 2018 recognizes five practice areas and 17 attorneys at Buckley Sandler
Buckley Sandler LLP again has been noted as one of the nation’s top law firms by The Legal 500 in its 2018 rankings, with recognition in five practice areas:
- Financial Services: Litigation
- Financial Services: Regulation
- Corporate ...
The Legal 500 2017 Recognizes Four Practice Areas and 20 Attorneys at Buckley Sandler
Buckley Sandler has again been cited as one of the nation’s top law firms by The Legal 500 in its 2017 rankings, with the recognition of four practice areas:
- Financial Services: Litigation
- Financial Services: Regulatory
- Cyber Law (Data Protection and ...
Legal 500 Recognizes Four Practice Areas and 14 Attorneys at BuckleySandler in 2016 Rankings
BuckleySandler LLP has again been noted as one of the nation’s top law firms, with recognition of four practice areas by The Legal 500 in its 2016 rankings: Financial Services: Litigation Financial Services: Regulatory Technology: Data Protection and Privacy White-Collar Criminal Defense In...
Press ReleasesNew Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information...
Press ReleasesMaryland Attorney General Douglas F. Gansler to Join Buckley Sandler
WASHINGTON, DC (November 18, 2014) – Buckley Sandler LLP is pleased to announce that Douglas F. Gansler, Attorney General of Maryland, will join the firm as Partner in its Washington, DC office upon completion of his second term as Maryland Attorney General in January 2015. Gansler, the former...
Press ReleasesBuckley Sandler Establishes International Presence With Opening of London Office
WASHINGTON, DC / LONDON, ENGLAND (September 8, 2014) – Buckley Sandler LLP , a leading financial services and criminal & civil enforcement defense law firm, announced today the opening of its first international office, located in London. James T. Parkinson has relocated from the firm’s...
Press ReleasesBuckley Sandler Launches "Privacy, Cyber Risk & Data Security" Hotline
WASHINGTON, DC (January 24, 2014) – Buckley Sandler LLP , a leading financial services regulatory, criminal & civil enforcement defense law firm, has launched a Privacy, Cyber Risk & Data Security Hotline to assist companies with mitigating online security risks. The Hotline ( 1-855-5-DATA-...
Press Releases
Our Privacy, Cyber Risk & Data Security Team
Partners
FYI
"GDPR-based objections to U.S. discovery requests: 2019 year in review" by Leslie L. Meredith (Legaltech News)
"Website cookies and privacy—GDPR, CCPA, and evolving standards for online consent" by Amanda R. Lawrence, Sasha Leonhardt, and Magda Gathani (Bloomberg Law)
"BankThink: Congress needs to hurry up on data protection" by Jeremiah S. Buckley (American Banker)
Recent Blog Posts
-
January 24, 2020
Treasury seeks information on financial sector cybersecurity risks
-
January 24, 2020
New York Fed analyzes potential impact of cyber attacks on payments network
-
January 22, 2020
District Court: Michigan privacy law covers out-of-state residents
-
January 22, 2020
FDIC, OCC issue joint notice of heightened cybersecurity risk
-
January 17, 2020
Data breach settlement of $380.5 million approved in credit reporting agency class action