Privacy and Data Protection – Financial Services

Overview

Our team has represented more than 50 financial institutions and service providers, from some of the largest U.S. banks to local credit unions. We provide proactive compliance and reactive security incident response services for insurance companies, financial services organizations, banks, and credit unions, as well as their technology service providers. We handle a wide range of incidents, such as malware infections, vendor errors, complex network intrusions, denial-of-service attacks, incidents resulting from employee carelessness, and intentional acts by malicious employees. We also help financial institutions with Gramm-Leach-Bliley Act (GLBA) and other regulatory compliance issues. These engagements often involve interaction with state and federal financial regulatory authorities.

Experience

  • Represented a multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers, and working with the incident response team to investigate and resolve suspected data breaches.
  • Represented a national independent broker-dealer and investment adviser, enhancing the company’s information security program, providing incident response counsel, and developing privacy policies and a national training program.
  • Represented a regional financial services entity consisting of a collection of banks, providing incident response advice, developing privacy policies, and addressing affiliate data sharing compliance issues as well as mobile payment security concerns.
  • Represented an insurer and financial services provider, providing a range of services, including revising the company’s incident response plan and enhancing the information security program by updating internal policies, and addressing vendor privacy and security compliance, among other improvements.
  • Represented multiple financial institutions, managing compliance obligations under the Gramm-Leach-Bliley Act, including developing appropriate notice and opt-out forms and procedures as required by the Privacy Rule, crafting information security policies and standards to comply with the Safeguards Rule, implementing vendor due diligence and oversight procedures, and negotiating privacy- and security-oriented contract provisions.
  • Represented clients in numerous M&A transactions, including the $1.5 billion acquisition by a payment processor of another processor, conducting privacy and security due diligence as well as preparing relevant representations and warranties.
  • Represented a professional services firm, conducting a global security assessment to ensure compliance with privacy and security provisions contained in its contractual agreements with its financial institution clients.
  • Represented a regional bank, the acquiring sponsor of a payment processor that had up to 130 million payment cards stolen from its system, achieving multiple successes over nearly two years of defending the bank’s interests, reaching settlements with payment card companies that released the bank from financial responsibilities related to the data breach, obtaining indemnification for the bank’s attorneys’ fees from the payment card processor, and securing the dismissal of a putative class action suit brought against the bank by payment card issuers.
  • Represented multiple financial services clients, advising on their information-sharing practices with law enforcement and participation in groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
  • Represented a regional bank on a data security incident involving a CryptoLocker infection affecting one of the bank’s service providers, assessing whether the attack may have subjected the bank’s former consumer loan clients’ data to unauthorized access, a task that was complicated by the service provider’s failure to preserve necessary forensic evidence.
  • Represented a multinational investment banking firm, investigating, containing, and remediating a system compromise involving malware that was spread by phishing and designed to capture content posted to HTTPS sites.
  • Represented a financial services client, leading the investigation of a security incident that occurred on the eve of a financial transaction, coordinating with the transactional and underwriters’ counsel to address notification and materiality issues.
  • Represented a credit union that was obligated to notify all of its members following the loss of an unencrypted backup tape, directing the investigation, notification, and regulatory review process, including responding to regulatory inquiries, working with crisis communications counsel to prepare executives for media appearances, and navigating sensitivities with respect to the notification of high-profile members.
  • Represented commercial customers of financial services entities, leading investigation, analysis, and notification efforts with respect to security incidents, including analyzing contractual notification obligations, preparing messaging and FAQs for relationship managers to notify affected customers, and coordinating with the companies and forensic firms to develop containment and remediation plans.
  • Represented a financial services client on an incident first identified by law enforcement authorities involving temporary employees who engaged in identity theft and other fraud using information stolen from banks and financial services providers, supporting the law enforcement investigation, working with forensic firms to examine the suspects’ network privileges and access history, notifying potentially affected customers, and pursuing indemnity claims against the providers of the temporary employees.
  • Represented a financial services client on its response to an electronic data security incident involving unauthorized access to 32,000 PDFs containing handwritten sensitive personal information, including coordinating, training, managing, and supervising a team of paralegals and attorneys engaged through a staffing company to conduct a manual review of the affected files and build a notification list.
  • Represented a credit union after it discovered some of its employee workstations were infected with malware that was designed to capture sensitive information as it appeared on individual computer screens, providing analysis of notification obligations to the approximately 140,000 affected individuals, providing crisis management, and overseeing the forensic investigation of the incident as well as directing regulatory compliance efforts, including notification to multiple state and federal agencies and on-site representation and support of the credit union in face-to-face meetings with regulators.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security – Healthcare Spotlight Table (2018)
  • Chambers Fintech: Legal – USA (2018)
    • Band 4
  • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

Blog

Data Privacy Monitor
The Weekly Privacy Rewind
December 10, 2018
California Consumer Privacy Act: Privacy Groups Urge California Lawmakers Not to Weaken California Consumer Privacy Act • A variety of privacy groups, including the Electronic Frontier Foundation, the Digital Privacy Alliance and the...
Data Privacy Monitor
The Weekly Privacy Rewind
By Aaron R. Lancaster
December 5, 2018
GDPR: European Regulators Fine Uber Over 2016 Data Breach • British and Dutch privacy regulators issued fines totaling approximately $1.2 million against ride-hailing company Uber over its 2016 data breach. • According to the U.K.’s...
Data Privacy Monitor
HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices
By Alexandra Royal, Lynn Sessions
December 5, 2018
Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with...
Data Privacy Monitor
Cookies and Consent Under the EU GDPR
By David M. Brown
November 29, 2018
According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under...
Data Privacy Monitor
The Weekly Privacy Rewind
By Aaron R. Lancaster
November 26, 2018
Class Actions: Pennsylvania Supreme Court Declares Employers Have Affirmative Duty to Protect Employee Personal Information • According to a recent opinion by the Pennsylvania Supreme Court, “an employer has a legal duty to exercise...