For most law firms, cybersecurity and data privacy is a relatively new service area that has emerged in the 21st Century.
But because of our long history in the financial services industry, McGlinchey Stafford attorneys have been practicing in this arena for decades, often pioneering the best practices to deal with the cybersecurity and data privacy issues that manifest at the crossroads of law and business.
In addition to our extensive tenure in this field of law, we also bring a depth and breadth of knowledge to our practice. We draw attorneys from across our many disciplines to help clients develop a comprehensive approach to compliance with data privacy and network security laws, including mandatory documentation and the best strategies to avoid or mitigate risks. Our group consists of members of the firm’s Intellectual Property, Labor & Employment, Consumer Financial Services Compliance, Government and Internal Investigations, and Commercial Litigation groups.
This multidisciplinary teamwork enhances our ability to help clients comply with applicable regulatory obligations, and prevent and respond to data breaches. Through our collaborative efforts, we fully understand the ins and outs of the statutory framework that affects our clients’ businesses – both the nuances of the myriad rules and regulations, and the big-picture legal ramifications.
One attribute that especially distinguishes us is our deep experience in many different industries. While our attorneys may not fully know what a new client’s exact system looks like, we have a very good idea of how most systems operate, who’s accessing what system, and what information various systems contain. Consequently, we know a lot about the client before we start asking questions – and we ask a lot of questions, the right ones that quickly and efficiently unearth the answers we need to deliver practical strategies and solutions within their budget.
Furthermore, when we deliver that service, we match our communication style and content with what the clients want – some prefer detailed-oriented responses with citations and explanations and others prefer a clear, concise summary. We can do both and anything in between.
Our attorneys offer clients many services, some of which include:
- We develop proactive policies, process management, and practices, including evaluating which state, federal, and foreign laws may apply, and best practices to avoid or mitigate data breaches and exposure for violation of applicable consumer privacy rights.
- We draft incident response plans, written information security programs (WISP), training programs, confidentiality agreements, and document retention and employee policies.
- We counsel clients about cybersecurity insurance coverage.
- We manage data breach response, including crisis management.
- We address potential liability for company officers and directors.
- We assist clients with third-party vendor management.
- We conduct internal investigations within client organizations.
- We litigate the myriad, complex direct and derivative actions that can stem from a data breach.
Our Cybersecurity & Data Privacy team has particular experience counseling companies and financial institutions in the following areas:
- We represent a wide range of providers and business enterprises (including life science and data management companies) on mandated state and federal compliance obligations and related mandated documentation.
- We navigate potential breach events and evaluate whether installed security measures have avoided a reportable breach event, or if breach notification is mandated under state or federal laws.
- We evaluate evolving complexities triggered by broader circulation of health data related to employment, growing integration of genetic/genomic data, and harmonizing compliance solutions with state and federal legal obligations triggered by variable data types.
- Negotiating and drafting mission-critical cloud service and other data processing agreements taking into account critical data security, privacy regulatory compliance, insurance, and risk mitigation on behalf of our clients.
Our service extends to these areas:
- We represent companies and marketplace lenders offering alternative lending and payment solutions.
- We provide legal compliance advice on virtually all types of issues FinTech companies face, including evaluating existing compliance programs, establishing data storage and sharing protocol, and assessing organizations’ risk of data breaches and cyberattacks.
- We counsel in response to cyberattacks and data breaches, from communications with customers and stakeholders to litigation arising from these types of incidents.
Consumer Privacy & Notifications
- We draft policies and procedures that establish the permissible use, disclosure, and disposal of consumers’ personally identifiable information, including consumer report information.
- We develop notices to provide financial privacy disclosures required by the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), California Financial Information Privacy Act (CFIPA), and other applicable state privacy laws.
- We produce service agreements that restrict service providers’ use and disclosure of consumer information and that establish requirements for keeping consumer information secure, require reporting any breach in the security of the system, and require destroying or returning consumer information.
- We provide breach notifications to individuals affected by security breaches as required by state law, as well as providing related notifications to consumer reporting agencies and state enforcement agencies.
Website Compliance & Online Transactions
- We review the online borrower experience in executing electronic loan documents or applying for loans or credit, as well as reviewing applicable documents.
- We draft opinion letters on the enforceability of electronic records and signatures for consumer credit transactions, including E-SIGN compliance.
- We help ensure compliance with the Uniform Electronic Transactions Act (UETA) and other laws governing the retention of paper records, such as checks and electronic signatures, and maintaining documentation of online activity, such as loans.
- We handle compliance issues related to Automated Clearing House (ACH) transactions and the National Automated Clearing House Association (NACHA), wire transfer, and Regulation E, as well as other electronic payment issues and statutes.
- We conduct state licensing analysis governing online lenders, entities purchasing loans from originating lenders, online loan brokers, and lead generators.
Lending Programs, Contracts, & Joint Marketing Agreements
- We advise FinTech lenders on the creation of multistate lending programs.
- We set up bank partnership models and draft loan agreements.
- We develop joint marketing agreements with other institutions to market a jointly endorsed or sponsored financial product.
- We write computer software licensing and service agreements.
- We draft credit card processing contracts.
- We help craft and implement vendor management programs, including ongoing audits.
- We assist clients with state licensing, particularly in helping FinTech startups with compliance and 50-state licensing.
- We handle all aspects of software patent applications, such as those on novel encrypted payment methods, investment models, and bond trading platforms, as well as IP portfolio development, management and enforcement.
- We provide counsel on trade secret protection policies and procedures relevant to proprietary data stores.
- We assess security risks to consumer information, develop strategies for mitigating those risks, and draft information security policies and procedures for adoption and implementation by financial institutions.
- We perform due diligence on lead generators and brokers.
- We help ensure compliance with state licensing and servicing issues for unsecured and personal property secured credit.
Investigations & Litigation
- We respond to civil investigative demands and other requests for information in conjunction with administrative enforcement actions relating to privacy and data security issues, including with respect to the use of GPS and other technology to locate and disable collateral.
- We negotiate and revise contracts with consumer reporting agencies and other third-party data providers, regarding the financial institution’s use and furnishing of information.
- We litigate direct and derivative actions — as both plaintiff and defendant — related to data breaches and data incidents.