Our team has worked with clients on emerging laws and regulations restricting the use and disclosure of personal financial information at virtually all levels: in the legislative arena, the rulemaking process, and the implementation of company privacy and security policies and practices. We regularly counsel financial institutions and their service providers on their rights and obligations under the GLBA, the FCRA, the FACTA, and the Right to Financial Privacy Act, as well as state law and the laws of other nations, including in particular the member countries of the European Union. For purposes of compliance with these laws and their implementing regulations, we assist clients in designing and establishing policies and procedures regarding permissible data disclosures and information security, such as GLBA Safeguards Programs and Identity Theft Prevention Programs to comply with the "Red Flags" regulations issued by the federal banking agencies and the Federal Trade Commission under FACTA. In this context, we frequently help develop materials for proper employee training, and counsel on "best practices" for assessment, updating, and administration of company policies, procedures, and data protection programs.
We also are regularly called upon to draft or advise on the drafting of agreements with business partners that involve sharing, processing, and protecting financial and other confidential data. In the international context, this frequently involves drafting data transfer agreements, data privacy and confidentiality agreements for data processors, and data security policies, and implementing procedures that allow for the transfer of data from the EU, Switzerland, Canada, and other countries to the US. For data from the EU and Switzerland, such agreements and policies include model contracts, binding corporate rules, and policies incorporating the principles prescribed under the US/EU Data Protection Safe Harbor Program.