Privacy and Data Security
What financial services firms know about their customers has become a heavily regulated aspect of doing business. We have been active for two decades in representing our financial services clients on matters relating to customer privacy.
We counsel financial institutions on the rapidly growing body of federal and state privacy laws affecting their operations, including developing privacy notices, negotiating data protection agreements with business partners, and setting up internal databases to ensure appropriate safeguards on access to, and disclosure of, personal information. We also work with clients on the privacy rules adopted pursuant to HIPAA and on international privacy requirements, including the restrictions imposed by the Data Protection Directive of the EU. Our privacy experience includes protection of financial information, including electronic data. As a complement to this advice, we work closely with clients on the security aspects of information privacy, which involve technical considerations that are integral to any program of privacy compliance.
We represent clients in diligence on privacy and data security matters and in contract negotiations with data systems vendors.
As another core aspect of our Privacy and Data Security practice, Arnold & Porter's Data Breach Rapid Response team, which has members from across the firm, helps clients develop appropriate data breach response plans and, when breaches occur, works with clients to mitigate damage, to provide required notices to affected individuals, and to rapidly fortify defenses to potential legal challenges so as to minimize both short-term and long-term losses.
Represented client in comprehensive internal investigation of the organization's information technology systems and controls in response to an internal whistleblower complaint of insufficient systems and controls.
Assisted financial institution in meeting its privacy and security obligations under the Gramm-Leach-Bliley Act.
Advising insurance company on compliance with the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA).
Development and government review of privacy and security protections for a foreign software company to develop and maintain software involved in the delivery of services to US government customers.
Advised client on comprehensive data security policies and procedures, including technical infrastructure, hardware, and software security and administrative safeguards such as employee training.