Privacy, Cyber Risk & Data Security

All organizations continue to struggle with the ever-increasing challenges of collecting, using, disclosing, and protecting personal information relating to customers, employees, and others. Heightened regulatory oversight and scrutiny along with data breach incidents, many of which have been high profile, pose significant risks to companies. BuckleySandler advises and represents clients, particularly financial services institutions, on matters involving the full spectrum of privacy issues affecting their business operations, including:

  • Compliance with U.S. federal and state privacy and information management regulations, including:
    • Gramm-Leach-Bliley Act and state law restrictions on sharing nonpublic personal information
    • Fair Credit Reporting Act restrictions with respect to the use and disclosure of customer information
    • Data safeguarding requirements, including identity theft and "red flag" requirements
    • Section 5 of the Federal Trade Commission Act claims
    • USA PATRIOT Act and Office of Foreign Assets Control (OFAC) requirements
    • Cross-border information sharing limitations, including the European Union Privacy Directive
    • Electronic Communications Privacy Act requirements
    • Marketing limitations and requirements, including under the CAN-SPAM Act
  • Compliance with international data protection laws, including cross-border information sharing requirements, such as the European Union Privacy Directive and similar privacy regimes
  • State, federal, and foreign data security breach notification responsibilities

BuckleySandler has extensive experience and provides clients a range of legal services in privacy, cyber risk, and data security.

Regulatory

  • Reviewing existing policies and procedures, performing gap analyses and risk assessments, and making necessary changes and additions to compliance programs
  • Designing comprehensive policies and procedures, red flags, privacy notices, privacy and data security programs, and employee education and training materials
  • Drafting affiliate marketing plans and third party data sharing arrangements
  • Structuring outsourcing arrangements to ensure compliance with U.S. and international requirements, including the European Union Privacy Directive

Cybersecurity

  • Coordinating incident response investigations, including formulating customer service and media strategies
  • Negotiating with law enforcement agencies and regulators
  • Drafting incident response plans, breach notice letters, and customer service center call scripts

Diligence & Third Party Relationships

  • Reviewing privacy and security risks involved in proposed mergers, acquisitions, spin-offs, and restructurings
  • Revising agreements with third parties to best ensure compliance with regulatory requirements and to mitigate risks from information sharing and use

Investigations & Examinations

  • Addressing issues involving information sharing and use for investigations, including cross-border transfers
  • Preparing clients for privacy and data security regulatory examinations and advising clients during the course of the exam
  • Addressing inquiries from legislative and administrative panels and state attorneys general involving privacy and data security issues

Litigation & Enforcement

  • Representing company executives charged with data privacy violations in non-U.S. jurisdictions
  • Handling disputes and litigation arising from security breaches and other cyber events, including network intrusion investigations, consumer and regulatory notification, and discussions with entities in the payment card process
  • Representing companies in privacy class action litigation
  • Incident investigations, including the coordination of external investigators as appropriate
  • Preparing witnesses
  • Negotiating with state and federal government officials to ensure the best possible outcome
  • Addressing contractual disputes relating to information sharing, use, safeguarding, and disposal

Members of the Privacy, Cyber Risk, and Data Security group frequently speak at privacy, data security, and financial institutions conferences, including those of the International Association of Privacy Professionals, the RSA Conference, the American Conference Institute, the Information System Security Association, the American Bar Association, and the International Information Systems Security Certification Consortium. Group members have also authored articles and papers on privacy and data security topics.

Related Professionals

Name Title Phone Office
Buckley, Jeremiah S. Partner 202.349.8010 Washington, DC
Buffone, Samuel J. Partner 202.349.7940 Washington, DC
Klubes, Benjamin B. Partner 202.349.8002 Washington, DC
McGinn, Elizabeth E. Partner 212.600.2370 New York, NY
Naimon, Jeffrey P. Partner 202.349.8030 Washington, DC
Tank, Margo H. K. Partner 202.349.8050 Washington, DC
Eisenhardt, Howard A. Of Counsel 202.461.2945 Washington, DC
Jerison, Jonathan D. Counsel 202.349.8015 Washington, DC
Wiles, Ann D. Counsel 202.349.7942 Washington, DC
Mears, Rena Managing Director 202.349.7977 Washington, DC
Lutch, Alexander D. Associate 202.349.7947 Washington, DC
Paluch, Daniel Associate 310.424.3941 Los Angeles, CA
Shreve, James T. Associate 202.461.2994 Washington, DC

Significant Representations

  • Ades v. Chase Manhattan Bank, USA, N.A.
    Class action alleging invasion of privacy torts by sharing of customer information with third party vendors. Complaint dismissed and dismissal upheld on appeal.
  • Dublin v. Citibank, N.A.
    Privacy class action alleging invasion of privacy torts and Section 17200 violations by sharing of customer information with third party vendors.
  • Fyhrie, et al. v. Fleet Mortgage Corp, et al.
    Privacy class action alleging invasion of privacy torts and unfair and deceptive trade practices violations by information sharing and telemarketing with respect to mortgage customers.
  • Gates v. Fleet Mortgage
    Privacy class action alleging invasion of privacy torts and unfair and deceptive trade practices violations by information sharing and telemarketing with respect to mortgage customers.
  • Italian Data Privacy Indictment of Google Officials
    Represented Google’s Global Privacy Officer, Peter Fleischer, and Chief Legal Officer, David Drummond, in a criminal data privacy case in Milan, Italy. Served as personal counsel for the two exe...
  • Lassman v. Fleet Mortgage Corporation
    Privacy class action alleging unfair and deceptive trade practices violations by information sharing and telemarketing with respect to mortgage customers.
  • Minnesota v. Fleet Mortgage Corporation
    Privacy action by Minnesota Attorney General alleging violations of state and federal telemarketing and unfair and deceptive trade practices acts relating to third party vendor telemarketing to mortga...
  • Mirfasihi v. Fleet Mortgage Corp
    Represented defendant in privacy class action alleging invasion of privacy torts, Truth in Lending Act and unfair and deceptive trade practices violations by information sharing and telemarketing with...
  • Patricia Koluncich v. Fleet Mortgage Corp
    Privacy class action alleging invasion of privacy torts and Section 17200 violations by information sharing and telemarketing with respect to mortgage customers.
  • Sevilla v. Citigroup Inc.
    Privacy class action alleging invasion of privacy torts and Section 17200 violations by sharing of customer information with third party vendors.
  • Smith v. Chase Manhattan Bank
    Class action alleging invasion of privacy torts by sharing of customer information with third party vendors. Complaint dismissed and dismissal upheld on appeal.
  • Tennet v. The TJX Companies, Inc. et al.
    Putative class action alleging negligence, common law bailment and statutory claims related to third-party intrusion of retailer’s computer system to obtain credit and debit card information and ...
  • Thomas E. Slayton Jr v. Citibank NA
    Privacy class action alleging invasion of privacy torts and Section 17200 violations by sharing of customer information with third party vendors.
  • United States v. PLS Financial Services, Inc.
    Two companies that allegedly failed to safeguard discarded, sensitive personal information will pay $101,500 to settle related Federal Trade Commission charges filed in the U.S. District Court for the...
  • Utility Consumers’ Action Network and Rupp v. Texaco Credit Card Services
    Privacy class action alleging invasion of privacy torts and Section 17200 violations by sharing of customer information with third party vendors.

Publications