Privacy and Data Protection – Financial Services

Overview

Our team has represented more than 50 financial institutions and service providers, from some of the largest U.S. banks to local credit unions. We provide proactive compliance and reactive security incident response services for insurance companies, financial services organizations, banks, and credit unions, as well as their technology service providers. We handle a wide range of incidents, such as malware infections, vendor errors, complex network intrusions, denial-of-service attacks, incidents resulting from employee carelessness, and intentional acts by malicious employees. We also help financial institutions with Gramm-Leach-Bliley Act (GLBA) and other regulatory compliance issues. These engagements often involve interaction with state and federal financial regulatory authorities.

Experience

  • Represented a multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers, and working with the incident response team to investigate and resolve suspected data breaches.
  • Represented a national independent broker-dealer and investment adviser, enhancing the company’s information security program, providing incident response counsel, and developing privacy policies and a national training program.
  • Represented a regional financial services entity consisting of a collection of banks, providing incident response advice, developing privacy policies, and addressing affiliate data sharing compliance issues as well as mobile payment security concerns.
  • Represented an insurer and financial services provider, providing a range of services, including revising the company’s incident response plan and enhancing the information security program by updating internal policies, and addressing vendor privacy and security compliance, among other improvements.
  • Represented multiple financial institutions, managing compliance obligations under the Gramm-Leach-Bliley Act, including developing appropriate notice and opt-out forms and procedures as required by the Privacy Rule, crafting information security policies and standards to comply with the Safeguards Rule, implementing vendor due diligence and oversight procedures, and negotiating privacy- and security-oriented contract provisions.
  • Represented clients in numerous M&A transactions, including the $1.5 billion acquisition by a payment processor of another processor, conducting privacy and security due diligence as well as preparing relevant representations and warranties.
  • Represented a professional services firm, conducting a global security assessment to ensure compliance with privacy and security provisions contained in its contractual agreements with its financial institution clients.
  • Represented a regional bank, the acquiring sponsor of a payment processor that had up to 130 million payment cards stolen from its system, achieving multiple successes over nearly two years of defending the bank’s interests, reaching settlements with payment card companies that released the bank from financial responsibilities related to the data breach, obtaining indemnification for the bank’s attorneys’ fees from the payment card processor, and securing the dismissal of a putative class action suit brought against the bank by payment card issuers.
  • Represented multiple financial services clients, advising on their information-sharing practices with law enforcement and participation in groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
  • Represented a regional bank on a data security incident involving a cryptolocker infection affecting one of the bank’s service providers, assessing whether the attack may have subjected the bank’s former consumer loan clients’ data to unauthorized access, a task that was complicated by the service provider’s failure to preserve necessary forensic evidence.
  • Represented a multinational investment banking firm, investigating, containing, and remediating a system compromise involving malware that was spread by phishing and designed to capture content posted to HTTPS sites.
  • Represented a financial services client, leading the investigation of a security incident that occurred on the eve of a financial transaction, coordinating with the transactional and underwriters’ counsel to address notification and materiality issues.
  • Represented a credit union that was obligated to notify all of its members following the loss of an unencrypted backup tape, directing the investigation, notification, and regulatory review process, including responding to regulatory inquiries, working with crisis communications counsel to prepare executives for media appearances, and navigating sensitivities with respect to the notification of high-profile members.
  • Represented commercial customers of financial services entities, leading investigation, analysis, and notification efforts with respect to security incidents, including analyzing contractual notification obligations, preparing messaging and FAQs for relationship managers to notify affected customers, and coordinating with the companies and forensic firms to develop containment and remediation plans.
  • Represented a financial services client on an incident first identified by law enforcement authorities involving temporary employees who engaged in identity theft and other fraud using information stolen from banks and financial services providers, supporting the law enforcement investigation, working with forensic firms to examine the suspects’ network privileges and access history, notifying potentially affected customers, and pursuing indemnity claims against the providers of the temporary employees.
  • Represented a financial services client on its response to an electronic data security incident involving unauthorized access to 32,000 PDFs containing handwritten sensitive personal information, including coordinating, training, managing, and supervising a team of paralegals and attorneys engaged through a staffing company to conduct a manual review of the affected files and build a notification list.
  • Represented a credit union after it discovered some of its employee workstations were infected with malware that was designed to capture sensitive information as it appeared on individual computer screens, providing analysis of notification obligations to the approximately 140,000 affected individuals, providing crisis management, and overseeing the forensic investigation of the incident as well as directing regulatory compliance efforts, including notification to multiple state and federal agencies and on-site representation and support of the credit union in face-to-face meetings with regulators.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security - Healthcare Spotlight Table (2018)
  • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

In The Blogs

Data Privacy Monitor
HHS Releases Interim Guidance on Authorizations for Research
July 18, 2018
The Department of Health and Human Services (HHS) recently released interim guidance on sufficiency of authorizations for future uses or disclosures of protected health information (PHI) for research purposes. The Health Insurance...
Data Privacy Monitor
The Weekly Privacy Rewind
July 16, 2018
Class Actions: Macy’s Faces Suit After Disclosing Data Breach • Retail giant Macy’s notified its customers and state regulators of a data breach affecting the accounts of online shoppers. The breach occurred between April 26 and June 12...
Data Privacy Monitor
California Passes Groundbreaking Data Privacy Law Granting Consumers Expansive Privacy Rights
July 3, 2018
California has passed an unprecedented privacy law that protects consumers’ rights by providing them with a greater degree of transparency and choice with respect to their personal information online. On June 28, 2018, Assembly Bill 375...
Data Privacy Monitor
California Passes Law Protecting Consumers' Online Privacy
By Alan L. Friel, Niloufar Massachi
June 29, 2018
On June 28, 2018, California lawmakers passed Assembly Bill 375 and Gov. Jerry Brown signed it into law as the California Consumer Privacy Act of 2018, a privacy law that grants consumers a range of rights with respect to their personal...
Data Privacy Monitor
Privacy Advocates See Victory as Supreme Court Extends Fourth Amendment Protections to Historical Cellphone Location Information
By Brian P. Bartish, Jonathan B. New
June 26, 2018
On June 22, the Supreme Court issued its highly anticipated decision addressing privacy in the digital age, holding that the government generally must obtain a search warrant supported by probable cause to search a target’s historical cell...