Privacy and Data Protection – Financial Services

Overview

Our team has represented more than 50 financial institutions and service providers, from some of the largest U.S. banks to local credit unions. We provide proactive compliance and reactive security incident response services for insurance companies, financial services organizations, banks, and credit unions, as well as their technology service providers. We handle a wide range of incidents, such as malware infections, vendor errors, complex network intrusions, denial-of-service attacks, and incidents resulting from employee carelessness, and intentional acts by malicious employees. We also help financial institutions with Gramm-Leach-Bliley (GLBA) and other regulatory compliance issues. These engagements often involve interaction with state and federal financial regulatory authorities.

Select Experience

  • Represented a multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers, and working with the incident response team to investigate and resolve suspected data breaches.
  • Represented a national independent broker-dealer and investment adviser, enhancing the company’s information security program, providing incident response counsel, and developing privacy policies and a national training program.
  • Represented a regional financial services entity consisting of a collection of banks, providing incident response advice, developing privacy policies, and addressing affiliate data sharing compliance issues as well as mobile payment security concerns.
  • Represented an insurer and financial services provider, providing a range of services, including revising the company’s incident response plan and enhancing the information security program by updating internal policies, and addressing vendor privacy and security compliance, among other improvements.
  • Represented multiple financial institutions, managing compliance obligations under the Gramm-Leach-Bliley Act, including developing appropriate notice and opt-out forms and procedures as required by the Privacy Rule, crafting information security policies and standards to comply with the Safeguards Rule, implementing vendor due diligence and oversight procedures, and negotiating privacy- and security-oriented contract provisions.
More »

Experience

  • Represented a multibillion-dollar financial and commodity derivatives exchange, as global privacy and incident response counsel, including developing a coordinated incident response plan, preparing “playbooks” for different incident response team disciplines, vetting and advising on the selection of incident response service providers, and working with the incident response team to investigate and resolve suspected data breaches.
  • Represented a national independent broker-dealer and investment adviser, enhancing the company’s information security program, providing incident response counsel, and developing privacy policies and a national training program.
  • Represented a regional financial services entity consisting of a collection of banks, providing incident response advice, developing privacy policies, and addressing affiliate data sharing compliance issues as well as mobile payment security concerns.
  • Represented an insurer and financial services provider, providing a range of services, including revising the company’s incident response plan and enhancing the information security program by updating internal policies, and addressing vendor privacy and security compliance, among other improvements.
  • Represented multiple financial institutions, managing compliance obligations under the Gramm-Leach-Bliley Act, including developing appropriate notice and opt-out forms and procedures as required by the Privacy Rule, crafting information security policies and standards to comply with the Safeguards Rule, implementing vendor due diligence and oversight procedures, and negotiating privacy- and security-oriented contract provisions.
  • Represented clients in numerous M&A transactions, including the $1.5 billion acquisition by a payment processor of another processor, conducting privacy and security due diligence as well as preparing relevant representations and warranties.
  • Represented a professional services firm, conducting a global security assessment to ensure compliance with privacy and security provisions contained in its contractual agreements with its financial institution clients.
  • Represented a regional bank, the acquiring sponsor of a payment processor that had up to 130 million payment cards stolen from its system, achieving multiple successes over nearly two years of defending the bank’s interests, reaching settlements with payment card companies that released the bank from financial responsibilities related to the data breach, obtaining indemnification for the bank’s attorneys’ fees from the payment card processor, and securing the dismissal of a putative class action suit brought against the bank by payment card issuers.
  • Represented multiple financial services clients, advising on their information-sharing practices with law enforcement and participation in groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
  • Represented a regional bank on a data security incident involving a cryptolocker infection affecting one of the bank’s service providers, assessing whether the attack may have subjected the bank’s former consumer loan clients’ data to unauthorized access, a task that was complicated by the service provider’s failure to preserve necessary forensic evidence.
  • Represented a multinational investment banking firm, investigating, containing, and remediating a system compromise involving malware that was spread by phishing and designed to capture content posted to https: sites.
  • Represented a financial services client, leading the investigation of a security incident that occurred on the eve of a financial transaction, coordinating with the transactional and underwriters’ counsel to address notification and materiality issues.
  • Represented a credit union that was obligated to notify all of its members following the loss of an unencrypted backup tape, directing the investigation, notification, and regulatory review process, including responding to regulatory inquiries, working with crisis communications counsel to prepare executives for media appearances, and navigating sensitivities with respect to the notification of high-profile members.
  • Represented commercial customers of financial services entities, leading investigation, analysis, and notification efforts with respect to security incidents, including analyzing contractual notification obligations, preparing messaging and FAQs for relationship managers to notify affected customers, and coordinating with the companies and forensic firms to develop containment and remediation plans.
  • Represented a financial services client on an incident first identified by law enforcement authorities involving temporary employees who engaged in identity theft and other fraud using information stolen from banks and financial services providers, supporting the law enforcement investigation, working with forensic firms to examine the suspects’ network privileges and access history, notifying potentially affected customers, and pursuing indemnity claims against the providers of the temporary employees.
  • Represented a financial services client on its response to an electronic data security incident involving unauthorized access to 32,000 PDFs containing handwritten sensitive personal information, including coordinating, training, managing, and supervising a team of paralegals and attorneys engaged through a staffing company to conduct a manual review of the affected files and build a notification list.
  • Represented a credit union after it discovered some of its employee workstations were infected with malware that was designed to capture sensitive information as it appeared on individual computer screens, providing analysis of notification obligations to the approximately 140,000 affected individuals, providing crisis management, and overseeing the forensic investigation of the incident as well as directing regulatory compliance efforts, including notification to multiple state and federal agencies and on-site representation and support of the credit union in face-to-face meetings with regulators.

Recognition

  • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

Publications

Blog

In The Blogs

Previous Next
Data Privacy Monitor
U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising
By Alan L. Friel
April 19, 2018
Amid growing concerns over the improper use of user information and data breaches, and in the same week as the Senate examines the Cambridge Analytica controversy, a duo of U.S. senators who have long advocated for federal consumer privacy...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
April 18, 2018
Class Actions Uber Data Breach Suits Consolidated in California • The U.S. Judicial Panel on Multidistrict Litigation has settled on the U.S. District Court for the Central District of California in which to centralize the class actions...
Read More ->
Data Privacy Monitor
Deeper Dive: Take Action to Close the Largest Cause of Data Security Incidents – Your Employees
By David E. Kitchen
April 17, 2018
If you work at a typical company, employee actions and inadvertent present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
By Julie A. Hein, Aaron R. Lancaster
April 11, 2018
Canada Data Breach Notification Provisions of PIPEDA Act Go Into Effect Nov. 1, 2018 • Pursuant to a March 26, 2018 Order in Council, the mandatory breach notification provisions of Canada’s Personal Information Protection and Electronic...
Read More ->
Data Privacy Monitor
Deeper Dive: Key findings From Baker Hostetler's 2018 Data Security Incident Report
By Laura E. Jehl
April 10, 2018
In our 2018 Data Security Incident Report, “Building Cyber Resilience: Compromise Response Intelligence in Action,” we identify and analyze the most important trends and takeaways from the more than 560 incidents we handled last year...
Read More ->