Privacy and Data Protection – Financial Services

Overview

Our team has represented more than 50 financial institutions and service providers, from some of the largest U.S. banks to local credit unions. We provide proactive compliance and reactive security incident response services for insurance companies, financial services organizations, banks, and credit unions, as well as their technology service providers. We handle a wide range of incidents, such as malware infections, vendor errors, complex network intrusions, denial-of-service attacks, and incidents resulting from employee carelessness, and intentional acts by malicious employees. We also help financial institutions with Gramm-Leach-Bliley (GLBA) and other regulatory compliance issues. These engagements often involve interaction with state and federal financial regulatory authorities.

Experience

  • Represented a multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers, and working with the incident response team to investigate and resolve suspected data breaches.
  • Represented a national independent broker-dealer and investment adviser, enhancing the company’s information security program, providing incident response counsel, and developing privacy policies and a national training program.
  • Represented a regional financial services entity consisting of a collection of banks, providing incident response advice, developing privacy policies, and addressing affiliate data sharing compliance issues as well as mobile payment security concerns.
  • Represented an insurer and financial services provider, providing a range of services, including revising the company’s incident response plan and enhancing the information security program by updating internal policies, and addressing vendor privacy and security compliance, among other improvements.
  • Represented multiple financial institutions, managing compliance obligations under the Gramm-Leach-Bliley Act, including developing appropriate notice and opt-out forms and procedures as required by the Privacy Rule, crafting information security policies and standards to comply with the Safeguards Rule, implementing vendor due diligence and oversight procedures, and negotiating privacy- and security-oriented contract provisions.
  • Represented clients in numerous M&A transactions, including the $1.5 billion acquisition by a payment processor of another processor, conducting privacy and security due diligence as well as preparing relevant representations and warranties.
  • Represented a professional services firm, conducting a global security assessment to ensure compliance with privacy and security provisions contained in its contractual agreements with its financial institution clients.
  • Represented a regional bank, the acquiring sponsor of a payment processor that had up to 130 million payment cards stolen from its system, achieving multiple successes over nearly two years of defending the bank’s interests, reaching settlements with payment card companies that released the bank from financial responsibilities related to the data breach, obtaining indemnification for the bank’s attorneys’ fees from the payment card processor, and securing the dismissal of a putative class action suit brought against the bank by payment card issuers.
  • Represented multiple financial services clients, advising on their information-sharing practices with law enforcement and participation in groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
  • Represented a regional bank on a data security incident involving a CryptoLocker infection affecting one of the bank’s service providers, assessing whether the attack may have subjected the bank’s former consumer loan clients’ data to unauthorized access, a task that was complicated by the service provider’s failure to preserve necessary forensic evidence.
  • Represented a multinational investment banking firm, investigating, containing, and remediating a system compromise involving malware that was spread by phishing and designed to capture content posted to HTTPS sites.
  • Represented a financial services client, leading the investigation of a security incident that occurred on the eve of a financial transaction, coordinating with the transactional and underwriters’ counsel to address notification and materiality issues.
  • Represented a credit union that was obligated to notify all of its members following the loss of an unencrypted backup tape, directing the investigation, notification, and regulatory review process, including responding to regulatory inquiries, working with crisis communications counsel to prepare executives for media appearances, and navigating sensitivities with respect to the notification of high-profile members.
  • Represented commercial customers of financial services entities, leading investigation, analysis, and notification efforts with respect to security incidents, including analyzing contractual notification obligations, preparing messaging and FAQs for relationship managers to notify affected customers, and coordinating with the companies and forensic firms to develop containment and remediation plans.
  • Represented a financial services client on an incident first identified by law enforcement authorities involving temporary employees who engaged in identity theft and other fraud using information stolen from banks and financial services providers, supporting the law enforcement investigation, working with forensic firms to examine the suspects’ network privileges and access history, notifying potentially affected customers, and pursuing indemnity claims against the providers of the temporary employees.
  • Represented a financial services client on its response to an electronic data security incident involving unauthorized access to 32,000 PDFs containing handwritten sensitive personal information, including coordinating, training, managing, and supervising a team of paralegals and attorneys engaged through a staffing company to conduct a manual review of the affected files and build a notification list.
  • Represented a credit union after it discovered some of its employee workstations were infected with malware that was designed to capture sensitive information as it appeared on individual computer screens, providing analysis of notification obligations to the approximately 140,000 affected individuals, providing crisis management, and overseeing the forensic investigation of the incident as well as directing regulatory compliance efforts, including notification to multiple state and federal agencies and on-site representation and support of the credit union in face-to-face meetings with regulators.

In The Blogs

Data Privacy Monitor
Moving Beyond Passwords – Does Your Face Raise Privacy Concerns?
November 8, 2017
Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake...
Data Privacy Monitor
From the Mouths of Babes: FTC Issues COPPA Enforcement Policy Regarding Voice Recordings
By Alan L. Friel, Melinda L. McLellan
November 7, 2017
On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services...
Data Privacy Monitor
Deception and Unfair Practices Come Preinstalled
By Alan L. Friel
October 23, 2017
Lenovo, a manufacturer of personal computers, recently agreed, among other things, to implement a software security program in a settlement with the Federal Trade Commission (FTC) over issues with third-party software preinstalled on some...
Data Privacy Monitor
FTC Takes Action Against Individual Social Media Influencers
By Stephanie A. Lucas
September 26, 2017
Advertisers’ and brands’ use of social media influencers has continued to grow in importance as brands seek to reach new consumers while marketing to a widespread demographic. Traditionally, influencers are known as people who leverage...
Data Privacy Monitor
European Court Provides Further Clarity on Employee Monitoring
By Emily R. Fedeles, Nichole L. Sterling
September 20, 2017
The September 5, 2017, decision of the Grand Chamber of the European Court of Human Rights (ECHR) in Barbulescu v Romania (Barbulescu) has interrupted a recent trend toward limiting privacy in the European workplace. The Barbulescu...