Privacy and Data Protection – Financial Services

Overview

Our team has represented more than 50 financial institutions and service providers, from some of the largest U.S. banks to local credit unions. We provide proactive compliance and reactive security incident response services for insurance companies, financial services organizations, banks, and credit unions, as well as their technology service providers. We handle a wide range of incidents, such as malware infections, vendor errors, complex network intrusions, denial-of-service attacks, incidents resulting from employee carelessness, and intentional acts by malicious employees. We also help financial institutions with Gramm-Leach-Bliley Act (GLBA) and other regulatory compliance issues. These engagements often involve interaction with state and federal financial regulatory authorities.

Experience

  • Represented a multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers, and working with the incident response team to investigate and resolve suspected data breaches.
  • Represented a national independent broker-dealer and investment adviser, enhancing the company’s information security program, providing incident response counsel, and developing privacy policies and a national training program.
  • Represented a regional financial services entity consisting of a collection of banks, providing incident response advice, developing privacy policies, and addressing affiliate data sharing compliance issues as well as mobile payment security concerns.
  • Represented an insurer and financial services provider, providing a range of services, including revising the company’s incident response plan and enhancing the information security program by updating internal policies, and addressing vendor privacy and security compliance, among other improvements.
  • Represented multiple financial institutions, managing compliance obligations under the Gramm-Leach-Bliley Act, including developing appropriate notice and opt-out forms and procedures as required by the Privacy Rule, crafting information security policies and standards to comply with the Safeguards Rule, implementing vendor due diligence and oversight procedures, and negotiating privacy- and security-oriented contract provisions.
  • Represented clients in numerous M&A transactions, including the $1.5 billion acquisition by a payment processor of another processor, conducting privacy and security due diligence as well as preparing relevant representations and warranties.
  • Represented a professional services firm, conducting a global security assessment to ensure compliance with privacy and security provisions contained in its contractual agreements with its financial institution clients.
  • Represented a regional bank, the acquiring sponsor of a payment processor that had up to 130 million payment cards stolen from its system, achieving multiple successes over nearly two years of defending the bank’s interests, reaching settlements with payment card companies that released the bank from financial responsibilities related to the data breach, obtaining indemnification for the bank’s attorneys’ fees from the payment card processor, and securing the dismissal of a putative class action suit brought against the bank by payment card issuers.
  • Represented multiple financial services clients, advising on their information-sharing practices with law enforcement and participation in groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
  • Represented a regional bank on a data security incident involving a cryptolocker infection affecting one of the bank’s service providers, assessing whether the attack may have subjected the bank’s former consumer loan clients’ data to unauthorized access, a task that was complicated by the service provider’s failure to preserve necessary forensic evidence.
  • Represented a multinational investment banking firm, investigating, containing, and remediating a system compromise involving malware that was spread by phishing and designed to capture content posted to HTTPS sites.
  • Represented a financial services client, leading the investigation of a security incident that occurred on the eve of a financial transaction, coordinating with the transactional and underwriters’ counsel to address notification and materiality issues.
  • Represented a credit union that was obligated to notify all of its members following the loss of an unencrypted backup tape, directing the investigation, notification, and regulatory review process, including responding to regulatory inquiries, working with crisis communications counsel to prepare executives for media appearances, and navigating sensitivities with respect to the notification of high-profile members.
  • Represented commercial customers of financial services entities, leading investigation, analysis, and notification efforts with respect to security incidents, including analyzing contractual notification obligations, preparing messaging and FAQs for relationship managers to notify affected customers, and coordinating with the companies and forensic firms to develop containment and remediation plans.
  • Represented a financial services client on an incident first identified by law enforcement authorities involving temporary employees who engaged in identity theft and other fraud using information stolen from banks and financial services providers, supporting the law enforcement investigation, working with forensic firms to examine the suspects’ network privileges and access history, notifying potentially affected customers, and pursuing indemnity claims against the providers of the temporary employees.
  • Represented a financial services client on its response to an electronic data security incident involving unauthorized access to 32,000 PDFs containing handwritten sensitive personal information, including coordinating, training, managing, and supervising a team of paralegals and attorneys engaged through a staffing company to conduct a manual review of the affected files and build a notification list.
  • Represented a credit union after it discovered some of its employee workstations were infected with malware that was designed to capture sensitive information as it appeared on individual computer screens, providing analysis of notification obligations to the approximately 140,000 affected individuals, providing crisis management, and overseeing the forensic investigation of the incident as well as directing regulatory compliance efforts, including notification to multiple state and federal agencies and on-site representation and support of the credit union in face-to-face meetings with regulators.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security – Healthcare Spotlight Table (2018)
  • Chambers Fintech: Legal – USA (2018)
    • Band 4
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2019 BTI Client Service 30 for the fifth consecutive year.

In The Blogs

  • Deeper Dive: The Landscape of Healthcare Data Breaches (Data Privacy Monitor, April 24, 2019)
    Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health...
  • SEC Updates Data Privacy and Cybersecurity Guidance for Registered Firms (Data Privacy Monitor, April 22, 2019)
    On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P –...
  • Deeper Dive: Choose the Right Forensics Firm for the Job, by William R. Daugherty and Eric A. Packel (Data Privacy Monitor, April 17, 2019)
    Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation. Forensics firms can not...
  • In BIPA's Wake, a Wave of New Biometric Privacy Proposals, by Robyn M. Feldstein and Melinda L. McLellan (Data Privacy Monitor, April 15, 2019)
    Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired...
  • Deeper Dive: The Scourge of O365 Incidents (Data Privacy Monitor, April 11, 2019)
    A Growing Menace: 2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved...