Privacy, Cyber Risk & Data Security

All organizations continue to struggle with the ever-increasing challenges of collecting, using, disclosing, and protecting personal information relating to customers, employees, and others. Heightened regulatory oversight and scrutiny along with data breach incidents, many of which have been high profile, pose significant risks to companies. BuckleySandler advises and represents clients, particularly financial services institutions, on matters involving the full spectrum of privacy issues affecting their business operations, including:

  • Compliance with U.S. federal and state privacy and information management regulations, including:
    • Gramm-Leach-Bliley Act and state law restrictions on sharing nonpublic personal information
    • Fair Credit Reporting Act restrictions with respect to the use and disclosure of customer information
    • Data safeguarding requirements, including identity theft and "red flag" requirements
    • Section 5 of the Federal Trade Commission Act claims
    • USA PATRIOT Act and Office of Foreign Assets Control (OFAC) requirements
    • Cross-border information sharing limitations, including the European Union Privacy Directive
    • Electronic Communications Privacy Act requirements
    • Marketing limitations and requirements, including under the CAN-SPAM Act
  • Compliance with international data protection laws, including cross-border information sharing requirements, such as the European Union Privacy Directive and similar privacy regimes
  • State, federal, and foreign data security breach notification responsibilities

BuckleySandler has extensive experience and provides clients with a range of legal services in privacy, cyber risk, and data security.


  • Reviewing existing policies and procedures, performing gap analyses and risk assessments, and making necessary changes and additions to compliance programs
  • Designing comprehensive policies and procedures, red flags, privacy notices, privacy and data security programs, and employee education and training materials
  • Drafting affiliate marketing plans and third party data sharing arrangements
  • Structuring outsourcing arrangements to ensure compliance with U.S. and international requirements, including the European Union Privacy Directive


  • Coordinating incident response investigations, including formulating customer service and media strategies
  • Negotiating with law enforcement agencies and regulators
  • Drafting incident response plans, breach notice letters, and customer service center call scripts

Diligence & Third Party Relationships

  • Reviewing privacy and security risks involved in proposed mergers, acquisitions, spin-offs, and restructurings
  • Revising agreements with third parties to best ensure compliance with regulatory requirements and to mitigate risks from information sharing and use

Investigations & Examinations

  • Addressing issues involving information sharing and use for investigations, including cross-border transfers
  • Preparing clients for privacy and data security regulatory examinations and advising clients during the course of the exam
  • Addressing inquiries from legislative and administrative panels and state attorneys general involving privacy and data security issues

Litigation & Enforcement

  • Representing company executives charged with data privacy violations in non-U.S. jurisdictions
  • Handling disputes and litigation arising from security breaches and other cyber events, including network intrusion investigations, consumer and regulatory notification, and discussions with entities in the payment card process
  • Representing companies in privacy class action litigation
  • Incident investigations, including the coordination of external investigators as appropriate
  • Preparing witnesses
  • Negotiating with state and federal government officials to ensure the best possible outcome
  • Addressing contractual disputes relating to information sharing, use, safeguarding, and disposal

Members of the Privacy, Cyber Risk, and Data Security group frequently speak at privacy, data security, and financial institutions conferences, including those of the International Association of Privacy Professionals, the RSA Conference, the American Conference Institute, the Information Systems Security Association, the American Bar Association, and the International Information Systems Security Certification Consortium. Group members have also authored articles and papers on privacy and data security topics.

Related Professionals

| Name | Title | Phone | Office |
|---|---|---|---|
| Buckley, Jeremiah S. | Partner | 202.349.8010 | Washington, DC |
| Buffone, Samuel J. | Partner | 202.349.7940 | Washington, DC |
| Klubes, Benjamin B. | Partner | 202.349.8002 | Washington, DC |
| McGinn, Elizabeth E. | Partner | 212.600.2370 | New York, NY |
| Naimon, Jeffrey P. | Partner | 202.349.8030 | Washington, DC |
| Tank, Margo H. K. | Partner | 202.349.8050 | Washington, DC |
| Eisenhardt, Howard A. | Of Counsel | 202.461.2945 | Washington, DC |
| Jerison, Jonathan D. | Counsel | 202.349.8015 | Washington, DC |
| Wiles, Ann D. | Counsel | 202.349.7942 | Washington, DC |
| Lutch, Alexander D. | Associate | 202.349.7947 | Washington, DC |
| Paluch, Daniel | Associate | 310.424.3941 | Los Angeles, CA |
| Shreve, James T. | Associate | 202.461.2994 | Washington, DC |