Squire Patton Boggs (US) LLP has continued the growth of its globally recognized Data Privacy, Cybersecurity & Digital Assets and related litigation practices with the promotion of CPW’s Kristin Bryan and Kyle Fath to Partner.

Kristin Bryan is a litigation partner who is part of the firm’s Global Data Review-ranked data disputes practice.  She has deep expertise representing clients in bet-the-company data privacy, cybersecurity and data breach disputes in federal and state courts nationwide.  Kristin has obtained dismissals of multibillion-dollar privacy litigations where plaintiffs alleged that her client’s business practices violated federal and state privacy laws.  She has litigated cases brought under the Electronic Communications Privacy Act (ECPA), the Video Privacy Protection Act (VPPA), the Driver Privacy Protection Act (DPPA), the Fair Credit Reporting Act (FCRA), the Computer Fraud and Abuse Act (CFAA) and the California Consumer Privacy Act (CCPA), as well as class actions asserting deceptive trade practice claims based on privacy practices.  Kristin has also advised clients concerning claims brought under the Illinois Biometric Privacy Act (BIPA).  Kristin is CIPP/US certified and Editor in Chief of Consumer Privacy World.

Kyle Fath is a partner in the firm’s globally preeminent Data Privacy, Cybersecurity & Digital Assets Practice.  Companies across a broad spectrum of industries turn to Kyle for his in-depth and unique blend of experience in privacy compliance, technology transactions, and IP matters.  A considerable portion of Kyle’s practice focuses on product counseling, in which he advises clients on the privacy, advertising, intellectual property, regulatory, and third-party risks associated with the development, operation, licensing, and other exploitation of technology, platforms, data, and other digital assets.  As a go-to resource on emerging and complicated technologies, Kyle is an authority on the digital advertising ecosystem and the regulatory and industry challenges faced by advertisers, publishers, and AdTech companies.  He also advises companies in the web3 and blockchain space, including having counseled dozens of brands, entertainment studios, gaming and e-sports companies, and prominent celebrities on various aspects of non-fungible token (NFT) drops.

Congratulations Kristin and Kyle!

2023 was another busy year for data event and cybersecurity litigation, with several noteworthy developments in disputes and regulator activity.  Privacy World has been tracking these developments throughout the year.  Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021.  At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events.  On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information.  Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event). 


On June 7, 2023, Singapore’s Minister for Communications and Information announced that AI Verify,[1] the world’s first-ever artificial intelligence (AI) governance testing framework and toolkit, will be made available to the open-source community.

AI Verify was launched as a minimum viable product for international pilot in 2022. It is aimed at helping organizations validate the performance of their AI systems through internationally recognized governance principles[2] and standardized tests.

The principles on which AI Verify is premised are as follows:

  • Transparency
  • Explainability
  • Repeatability/reproducibility
  • Safety
  • Security
  • Robustness
  • Fairness
  • Data governance
  • Accountability
  • Human agency and oversight
  • Inclusive growth, and social and environmental wellbeing

AI Verify, a single integrated software toolkit operating within a user’s enterprise environment, allows users to conduct technical tests on their AI models and to record process checks. It also generates testing reports for these AI model tests, which facilitates transparency in AI development and deployment. Additional toolkits, to take into account sector-specific governance, for instance, can be built upon it.

Singapore has also launched the AI Verify Foundation,[3] a not-for-profit, multistakeholder body, for members to collaborate on AI governance and testing through information sharing and educational outreach of best practices.

Privacy World will continue to cover developments. For more information, contact your relationship partner at the firm.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

[1] https://aiverifyfoundation.sg/

[2] For instance, those from the EU, the OECD and Singapore.

[3] https://aiverifyfoundation.sg/foundation-members/

Earlier this month, the Consumer Financial Protection Bureau (the “CFPB”) announced that it had issued a request for information (“RFI”) seeking public comment on “companies that track and collect information on people’s personal lives. In issuing this new Request for Information, the CFPB wants to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.”  The deadline for submitting comments in response to the RFI is June 13, 2023.

In recent years, text messaging has emerged as one of the most used methods of communication among American consumers and the entities that seek to contact them. According to the Federal Communications Commission’s (FCC) Consumer Advisory Committee (CAC), in 2020, 2.2 trillion Short Message Service (SMS) and Multimedia Messaging Service (MMS) messages were exchanged in America alone. These figures do not include messages sent using applications such as WhatsApp and WeChat.

This dynamic growth has also raised concern about those who would use the technology to scam and trick consumers. Last October, then Acting FCC Chair Jessica Rosenworcel, out of a concern about such potential abuses, circulated to her fellow Commissioners “a proposed rulemaking that would require mobile wireless providers to block illegal text messaging, building on the agency’s ongoing work to stop illegal and unwanted robocalls”. That proposal remains pending at the FCC.


On August 1, the New York State Department of Financial Services (“NYDFS” or “DFS”) announced a Consent Order  and $30 million fine against Robinhood Crypto, LLC (“RHC”), the wholly-owned cryptocurrency trading unit of the popular investing app by Robinhood Financial LLC. In the Order, NYDFS alleges RHC failed to comply with NYDFS rules pertaining to the federal Bank Secrecy Act and state and federal anti-money laundering rules (“BSA/AML”) and the NYDFS Cybersecurity Regulations. According to a Press Release issued by the DFS, the investigation revealed “significant deficiencies” in RHC’s BSA/AML compliance program and “critical failures” with the company’s cybersecurity program.

Compliance Program Inadequacies

BSA/AML Violations

In the Consent Order, NYDFS asserts that an investigation into RHC’s BSA/AML program revealed a number of deficiencies. Under NYDFS and federal BSA/AML regulations, organizations must implement and maintain policies and procedures to detect and report suspicious activity and block transactions prohibited by the U.S. Treasury Department’s Office of Financial Asset Control Regulations. However, the DFS alleges that RHC failed to implement adequate policies and procedures to meet these requirements. In particular, the DFS alleges that RHC failed to maintain a BSA/AML program “commensurate with the risk profile of the licensee,” noting that RHC continued to rely on a manual internal reporting system notwithstanding the fact that RHC processed an average of 106,000 transactions, totaling $5.3 million per day as of September 30, 2019. As a result of the manual reporting system and inadequate staffing, the NYDFS claims “that [RHC’s] AML staff simply could not keep up with the transaction alerts, resulting in [a] significant backlog” of processing alerts. RHC was apparently aware that its BSA/AML policies and procedures were inadequate, due to the fact that the company had hired a third-party consultant (the “Consultant”) to review its BSA/AML program in December 2019. During the engagement, the Consultant reported to RHC that its BSA/AML procedures were of “minimal value”. Even so, RHC’s Chief Compliance Officer certified to compliance with the New York Transaction Monitoring Regulation for calendar year 2019.

Cybersecurity Deficiencies

The NYDFS also identified inadequacies in the RHC cybersecurity program. Among other failures, the DFS faulted RHC for RHC’s overreliance on its parent company’s policies and procedures, which did not fully address RHC’s operations, risks, and reporting lines, or the full requirements of the Cybersecurity Regulations. Among other shortcomings, the DFS investigation determined that RHC: (i) employed insufficient cybersecurity personnel to manage its cybersecurity risks and to perform core functions specified in the Cybersecurity Regulation; (ii) had insufficiently detailed policies and procedures to guide its data governance and classification, IT asset management, business continuity and disaster recovery planning, systems operations, systems and network monitoring, systems and application development, risk assessment, and incident response activities; and (iii) failed to conduct risk assessments satisfying the requirements of the Cybersecurity Regulation.

In addition to the compliance failures identified, NYDFS took issue with RHC’s cooperation and candor in the investigation, noting that RHC failed to disclose investigations by federal and state regulators, in violation of RHC’s DFS Supervisory Agreement.

Consent Order Requirements

Under the Consent Order, RHC must pay a $30 million civil monetary penalty to DFS. Notably, the Order forbids RHC from recouping the cost of the penalty via any insurance policy, indemnification, or tax deduction.  RHC must also re-engage its existing Consultant to conduct a comprehensive review of and assist RHC with improvements to RHC’s current compliance programs against the requirements of the BSA/AML and Cybersecurity Regulations. Under the new engagement, the Consultant will be obligated to provide regular reports to DFS regarding the RHC’s compliance with the Regulations.

Key Takeaways

The financial services industry has been subject to strict regulation for many years, and startups are not exempt from these obligations. Innovative organizations in nontraditional industries often face unique compliance challenges (for example, heightened risk of fraud, money laundering, and illegal activity in the cryptocurrency space, coupled with similar cybersecurity challenges faced by traditional financial institutions). Exponential growth is the dream of every organization, but rapid expansion often also entails increased compliance burden (and, potentially, regulatory scrutiny). Accordingly, organizations must engage in thoughtful compliance assessments and swift remediation of any gaps identified to ensure that they are meeting applicable legal, regulatory, and contractual requirements.  When conducting such assessments, organizations should consider engaging consultants and other vendors via legal counsel, to shield the assessment findings with privilege and prevent their later production in court or regulatory investigations, to the extent possible.  Assessments serve legal as well as compliance and information technology purposes, and conducting such assessments under the supervision of counsel enables counsel to provide the organization with legal advice regarding compliance with applicable laws and regulations.

In addition to existing laws requiring specific cybersecurity controls and assessments, many organizations will soon be required to conduct privacy impact assessments under the forthcoming California, Colorado, Connecticut, and Virginia privacy laws.  Accordingly, businesses operating in multiple jurisdictions should establish privacy and security assessment programs to help ensure they are meeting the requirements established under applicable laws and regulations (including the proportionality, data minimization, and retention obligations these laws contain).  Additionally, companies should be mindful of applicable industry-specific obligations (like AML in the financial services industry), and tailor their compliance programs to meet those needs as well. Team SPB has prepared a 2023 State Privacy Law Compliance Guide.  This free resource offers information regarding the requirements of each of the current operative state privacy laws as well as sample workstreams to assist your compliance team with planning and preparing for the new 2023 state privacy laws.

Welcome to the 2022 Q2 edition of the SPB Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team. 


Q2 did not disappoint in the AI and biometric privacy space, with a number of noteworthy litigation, legislative, and regulatory developments having taken place in these two rapidly developing areas of law. Read on to see what has transpired over the last quarter and what you should keep your eyes on as we head into the second half of 2022.


Members of the globally recognized Squire Patton Boggs (US) LLP’s Data Privacy, Cybersecurity & Digital Assets Practice gathered in Washington, DC, to participate in person at the IAPP Global Privacy Summit (“GPS 2022”). The Practice has experienced tremendous growth in the past twelve months under the leadership of Alan Friel. The full contingent of #TeamSPB at GPS 2022 included:

Keynote Highlights

GPS 2022 is the first in-person IAPP Global Privacy Summit since 2019 and featured numerous speakers, each with a unique perspective on current and emerging privacy issues, including, among others:

  • Keynote speaker Tim Cook (CEO, Apple) emphasized that “privacy is a fundamental right” and warned that competition law, which Apple supports, is being used as a tool to erode consumers’ online privacy for commercial profit, a move Apple does not support. In particular, Cook expressed concern regarding recent legislation and litigation that could force Apple to allow unvetted mobile apps onto the App Store through “sideloading,” which is the process of installing a mobile app without using the device’s official app-distribution method. Sideloading would allow app developers to bypass Apple’s stringent privacy and security requirements for apps published on the App Store, which opens the door to bad actors seeking to exploit user data, such as by tracking users without their consent.     
  • In her first public address, Lina Khan (Chair, Federal Trade Commission (“FTC”)) discussed the FTC’s priorities. Chair Khan explained that the FTC is prepared to use its expertise in privacy and antitrust laws to navigate complex business issues arising from business conduct and strategies that affect both consumer protection and competition and will use its rulemaking process to address commercial surveillance and data security practices. The FTC is also reviewing remedies for privacy harms, focusing on remedies that fully cure underlying harm, and deprive bad actors of the fruits of their misconduct. Chair Khan shared that the FTC seeks to develop remedies that “reflect the latest and best practices in security and privacy,” as demonstrated by its recent enforcement action against CafePress.com, which included requirements for data minimization and use of multifactor authentication, among other things.
  • Brad Smith (President and Vice-Chair, Microsoft) reminded attendees that Microsoft was the first to call for federal privacy legislation in 2005 and expressed the company’s continued support for the same, citing the business challenges of complying with a patchwork of laws. He opined that “the failure of the US to legislate doesn’t stop global regulation . . . [but merely] makes our country less influential in the world.” Smith also suggested that the US may benefit from a standalone commission dedicated to digital affairs, similar to the UK’s Digital Regulation Cooperation Forum.

#TeamSPB enjoyed a week of learning and interacting with our privacy peers and are looking forward to future scheduled events. Join us in May for a hybrid event series on “Navigating Opportunities and Challenges: Cross-border Data, the Cookiepocalypse, and Standard Contractual Clauses.” There will be a webinar version of the presentation on May 23, 2022, and in-person CLE options in Los Angeles (May 24, 2022) and Cleveland (May 25, 2022). 


For more, stay tuned. CPW will be there to keep you in the loop.

CPW is proud to welcome six new senior hires to Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets team.  These valued additions to our ranks join us in four offices across Europe and the US as the firm continues to bolster our global capabilities in the ever-expanding world of data protection, privacy, and cybersecurity.

Jonathan Jones, Squire Patton Boggs’ European managing partner, commented that “[w]e are committed to building the premier global privacy team and the arrival of our new colleagues is a measure of our ambition for the future of our practice.”  “As the regulatory environment becomes more complex and rigorous, data protection has become a key priority for clients. In addition to regulatory issues, we have seen an uptick in demand for due diligence and advisory services due to a significant increase in M&A activity,” added Alan Friel, chair of the firm’s Data Privacy, Cybersecurity & Digital Assets Practice. “Our new lawyers are welcome additions to our expanding team, bringing a wealth of experience that is important for the continued development of our practice and the services we provide to clients.”

Squire Patton Boggs is recognized among 25 Elite firms by Global Data Review in its 2022 edition of the GDR 100. With a team of more than 60 partners and associates in its Data Privacy, Cybersecurity & Digital Assets Practice, the firm advises clients on a diverse range of local, regional and international issues in both developed and emerging markets, operating under various data protection, privacy and cybersecurity regimes.

Meet the Team

David Naylor specializes in working with technology, media, communications and intellectual property-focused businesses and investors. He has significant experience serving as outside general counsel to US and European companies on international business expansion and cross-border transactions and projects. He acted as outside counsel to one of the world’s first smartphone manufacturers on its rollout in Europe, and he also served as Tesla’s outside counsel in the company’s formative years, leading the negotiations on its ground-breaking deal with Lotus for the joint development and manufacture of Tesla’s first electric vehicle. He is recognized as a leading lawyer in technology transactions and data privacy and cybersecurity matters.

Malcolm Dowden has more than 25 years’ experience as a commercial lawyer with a focus on technology, data protection, privacy and electronic communications in the UK. He has particular expertise in UK GDPR compliance and contract remediation projects, as well as extensive international experience acting for clients operating in the US, Southeast Asia, the GCC region and Africa. Mr. Dowden has advised and trained government bodies in a number of jurisdictions through FCO Prosperity Fund programs, as well as advising UK government departments on significant infrastructure projects.

Bartolomé Martín has more than 15 years’ experience advising clients in Spain on all aspects of data protection, from the design and implementation of GDPR compliance projects through to the design of cross-border data protection systems. He also has wide experience in the negotiation and conception of technological agreements, including outsourcing, distribution agreements and all types of commercial law and intellectual property matters, such as trademarks, copyrights, software licensing agreements, e-commerce consulting and entertainment law.

George Wheeler-Carmichael specializes in UK technology-related commercial matters, data protection and information governance. He was at Agilisys for nine years and prior to that, he was a partner at Nabarro and DLA Piper.

David Oberly focuses his practice on biometric privacy, data privacy and security/data protection matters. He is the founder and chair of the Cincinnati Bar Association’s Cybersecurity & Data Privacy Practice Group, as well as a vice chair of the American Bar Association’s Cybersecurity & Data Privacy Committee.

Christian Brundell combines his career in private practice with time spent as in-house legal counsel in the private equity space at Endless LLP to bring a blend of regulatory and commercial experience, with wide-ranging expertise in data protection, privacy and electronic communications law. Christian is dual-licensed to practice both as a solicitor in England and Wales and as an attorney in the US, with a focus on working with clients operating in the transatlantic data corridor.

If you are interested in getting to know more about our new team members, take a look at the firm’s official announcement which can be found here.  These new hires are in addition to the promotion of CPW’s Kristin Bryan and Kyle Fath to partner earlier this year in a reflection of the firm’s commitment to growing its in-demand data and data protection litigation practices.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at 31st National HIPAA Summit | Consumer Privacy World

Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

Squire Patton Boggs (US) LLP and CPW Welcomes Privacy Pro David Oberly | Consumer Privacy World

ICO, CMA and Google Reach Agreement on Privacy Sandbox Proposals | Consumer Privacy World

The Metaverse Social and Economic Implications: A Do-Not-Miss CTO Circle Event | Consumer Privacy World

Federal Judge Refuses Second Time to Approve Class Action Settlement, Rejecting Plaintiffs “You Can Lead a Horse To Water” Explanation Upon Identifying Notice Deficiencies | Consumer Privacy World

Squire Patton Boggs Continues Growth of Acclaimed Data Privacy, Cybersecurity & Digital Assets Practice With Promotion of Kyle Fath and Litigator Kristin Bryan to Partner | Consumer Privacy World

President Biden to Nominate DC Circuit Judge Ketanji Brown Jackson to Supreme Court-What Impact Will This Have on Data Privacy and Cybersecurity Cases Going Forward? | Consumer Privacy World

Illinois Appellate Panel Ruling Findings Union Workers Biometric Claims Preempted by Labor Law and Subject to Binding Arbitration | Consumer Privacy World

Federal Court Dismisses California Cybersecurity Litigation Concerning Alleged Disclosure of Information in Website Hack | Consumer Privacy World

Early FTC Action in 2022 on Data Privacy, Facial Recognition and AI Less Likely Following Commissioner Remarks to U.S. Chamber of Commerce | Consumer Privacy World

Loyalty Program CCPA Compliance: Kyle Dull Talks to Law360 | Consumer Privacy World

Federal Court Gives Rare Refusal for Final Sign Off on Data Privacy Class Action Settlement, Faulting Low Take Rate and Excessive Fees | Consumer Privacy World

CCPA/CPRA Proposed Amendments Would Extend HR and B2B Data Exemptions, or Would They? | Consumer Privacy World

EDPB Coordinated Enforcement Action on Cloud under the CEF and the French CNIL’s 2022 Investigation Program | Consumer Privacy World