
Privacy and Data Security

What financial services firms know about their customers has become a heavily regulated aspect of doing business. We have been active for two decades in representing our financial services clients on matters relating to customer privacy.

We counsel financial institutions on the rapidly growing body of federal and state privacy laws affecting their operations, including developing privacy notices, negotiating data protection agreements with business partners, and setting up internal databases to ensure appropriate safeguards on access to, and disclosure of, personal information. We also work with clients on the privacy rules adopted pursuant to HIPAA and on international privacy requirements, including the restrictions imposed by the Data Protection Directive of the EU. Our privacy experience includes protection of financial information, including electronic data. As a complement to this advice, we work closely with clients on the security aspects of information privacy, which involve technical considerations that are integral to any program of privacy compliance.

We represent clients in diligence on privacy and data security matters and in contract negotiations with data systems vendors.

As another core aspect of our Privacy and Data Security practice, Arnold & Porter's Data Breach Rapid Response team, which has members from across the firm, helps clients develop appropriate data breach response plans and, when breaches occur, works with clients to mitigate damage, to provide required notices to affected individuals, and to rapidly fortify defenses to potential legal challenges so as to minimize both short-term and long-term losses.

Experience

New York state-chartered bank: Cybersecurity program development

Represented client in the development of a cybersecurity program, procedures, and controls to ensure compliance with the New York Department of Financial Services’ Part 500 requirements and annual certification.

Multi-billion dollar bank holding company: Cybersecurity internal investigation

Represented client in comprehensive internal investigation of the organization's information technology systems and controls in response to an internal whistleblower complaint of insufficient systems and controls.

Large state chartered bank: Gramm-Leach-Bliley Act

Assisted financial institution in meeting its privacy and security obligations under the Gramm-Leach-Bliley Act.

Major insurance company: FCRA and FACTA

Advising insurance company on compliance with the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA).

National bank: Privacy and security implications of non-US outsourcing arrangement

Development and government review of privacy and security protections for a foreign software company to develop and maintain software involved in the delivery of services to US government customers.

Perspectives

Cybersecurity Risks and Considerations for 2018
Arnold & Porter Seminar, New York, NY
NYDFS Cybersecurity Regulations: One Year Later (pdf)
Fintech Law Report, Volume 18, Issue 2
NYDFS Issues New Cybersecurity Reporting Guidance
Advisory
NYDFS Issues New Cybersecurity FAQs
Advisory
Nuts and Bolts of Data Breaches and Identity Fraud (pdf)
New Jersey Banker