In our increasingly connected world, all enterprises with electronic communications and data navigate the inevitability of data breach and state and federal laws regulating data security, consumer notification/consent, and breach notification/mitigation.

Many organizations may not be compliant with applicable privacy and data security laws, so they risk substantial exposure because they hold information such as Social Security, credit card, and driver’s license numbers. As virtually all organizations possess personal information, competent legal guidance is needed when addressing appropriate consumer notice and consent, risk mitigation, and related mandatory documentation. The cost of ignoring this issue until a loss occurs can be staggering.

McGlinchey Stafford’s Cybersecurity & Data Privacy team aids clients in developing a comprehensive approach to legal compliance with data privacy and network security laws, including mandatory documentation and best practices to avoid or mitigate risks. Our team brings together people from a variety of disciplines to address problems for organizations across industries and of all sizes and to deliver value to our clients. Our team comprises members of the firm’s Healthcare, Intellectual Property, Labor & Employment, Consumer Financial Services Compliance, White Collar/Government Investigations, and Commercial Litigation groups. We draw upon our depth of knowledge in these related fields to help organizations comply with applicable regulatory obligations, and prevent and respond to data breaches. We are familiar with the myriad regulations and laws that affect this market.

Our sophisticated practice addresses the full spectrum of security concerns. We have published articles and presented on the subjects of retail data breaches, cybersecurity, risks of the internet of things (IoT) for manufacturers and Federal Trade Commission (FTC) response, among other topics. If a cyberattack or data breach does occur, we assist clients with data breach response and remediation efforts, including litigating suits and enforcement actions that inevitably follow breaches, and we explain the cybersecurity and data privacy risks in business terms.

In addition to representing clients directly affected by data breaches and cybersecurity incidents, we have experience working with insurers as approved counsel to handle consumer notifications, ensuring compliance with applicable state and federal regulatory requirements and interfacing with regulatory bodies and personnel through the course of a response.

Our experience includes:

  • Drafting proactive policies, process management, and practices, including evaluating which state and federal laws may apply, and best practices to avoid or mitigate data breaches
  • Drafting incident response plans, written information security programs (WISP), training, confidentiality agreements, document retention, and employee policies
  • Counseling clients regarding cybersecurity insurance coverage
  • Ensuring compliance with state and foreign data security regulations
  • Managing data breach response, including crisis management
  • Addressing potential liability for company officers and directors
  • Assisting clients with third-party vendor management
  • Conducting internal investigations within client organizations
  • Litigating the myriad complex direct and derivative actions that can stem from a data breach

Our Cybersecurity & Data Privacy team has particular experience counseling companies and financial institutions in the following areas:

  • Representing a wide range of providers and business enterprises (including life science and data management companies) on mandated state and federal compliance obligations and related mandated documentation
  • Navigating potential breach events and evaluating whether installed security measures have avoided a reportable breach event, or if breach notification is mandated under state or federal laws
  • Evaluating evolving complexities triggered by broader circulation of health data related to employment, growing integration of genetic/genomic data, and harmonizing compliance solutions with state and federal legal obligations triggered by variable data types

  • Representing companies and marketplace lenders offering alternative lending and payment solutions
  • Providing legal compliance advice on virtually all types of issues FinTech companies face, including evaluating existing compliance programs, establishing data storage and sharing protocol, and assessing organizations’ risk of data breaches and cyberattacks
  • Counseling in response to cyberattacks and data breaches, from communications with customers and stakeholders to litigation arising from these types of incidents

Consumer Privacy & Notifications

  • Developing policies and procedures that establish the permissible use, disclosure, and disposal of consumers’ personally identifiable information, including consumer report information
  • Developing notices to provide financial privacy disclosures required by the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), California Financial Information Privacy Act (CFIPA), and other applicable state privacy laws
  • Developing service agreements that restrict service providers’ use and disclosure of consumer information and that establish requirements for keeping consumer information secure, require reporting any breach in the security of the system, and require destroying or returning consumer information
  • Providing breach notifications to individuals affected by security breaches as required by state law, as well as providing related notifications to consumer reporting agencies and state enforcement agencies

Website Compliance & Online Transactions

  • Developing website terms of use and online privacy policies to mitigate risk of federal and state trade practice claims and to comply with California laws regarding online privacy
  • Reviewing the online borrower experience in executing electronic loan documents or applying for loans or credit, as well as reviewing applicable documents
  • Drafting opinion letters on the enforceability of electronic records and signatures for consumer credit transactions, including E-SIGN compliance
  • Ensuring compliance with the Uniform Electronic Transactions Act (UETA) and other laws governing electronic signatures and the retention of paper records such as checks, and maintaining documentation of online activity such as loans
  • Handling compliance issues related to Automated Clearing House (ACH) transactions and the National Automated Clearing House Association (NACHA), wire transfers, and Regulation E, as well as other electronic payment issues and statutes
  • Conducting state licensing analysis governing online lenders, entities purchasing loans from originating lenders, online loan brokers, and lead generators

Lending Programs, Contracts, & Joint Marketing Agreements

  • Advising FinTech lenders on the creation of multistate lending programs
  • Setting up bank partnership models and drafting loan agreements
  • Developing joint marketing agreements with other institutions to market a jointly endorsed or sponsored financial product
  • Developing computer software licensing and service agreements
  • Drafting credit card processing contracts
  • Assisting with drafting and implementing vendor management programs, including ongoing audits
  • Assisting clients with state licensing, particularly helping FinTech startups with compliance and 50-state licensing

Intellectual Property

  • Handling all aspects of software patent applications on encrypted payment methods, investment models, and bond trading platforms
  • Counseling clients on trade secret protection policies and procedures relevant to proprietary data stores

Risk Assessment

  • Assessing information security risks to consumer information, developing strategies for mitigating those risks, and drafting information security policies and procedures for adoption and implementation by financial institutions
  • Performing due diligence on lead generators and brokers
  • Ensuring compliance with state licensing and servicing issues for unsecured and personal property secured credit

Investigations & Litigation

  • Responding to civil investigative demands and other requests for information in conjunction with administrative enforcement actions relating to privacy and data security issues, including with respect to the use of GPS and other technology to locate and disable collateral
  • Negotiating and revising contracts with consumer reporting agencies and other third-party data providers, with respect to the financial institution’s use and furnishing of information
  • Litigating direct and derivative actions—as both plaintiff and defendant—related to data breaches and data incidents