Photo of David Fagan

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

The White House released on November 15, 2017 the Vulnerabilities Equities Policy and Process for the United States Government (“VEP”) — the process by which the Government determines whether to disseminate or restrict information about new, nonpublic vulnerabilities that it discovers.  This release was motivated by criticism following the allegations that significant cyber-attacks have exploited

As we reported on October 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754).  If enacted into law, CISA would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government and private entities.  CISA must now be reconciled with two similar bills that the House passed in April before it can be sent to the President and enacted into law.  According to CISA’s co-sponsor Sen. Richard Burr (R-NC), a conference version of CISA will not be available for review until January 2016, at the earliest.  Below is a deeper explanation of CISA’s four Titles and how they purport to improve cybersecurity.
Continue Reading A Closer Look at CISA’s Cybersecurity Information-Sharing Provisions

On Tuesday, President Obama announced his proposal for legislation that would encourage sharing of cyber threat information between the public and private sector by shielding private entities from liability for sharing information on cyber threats. The White House has since released the text of the proposed bill, which includes limitations on liability for private entities along with a mandate to develop policies and procedures to address privacy concerns. In comparison with previous failed attempts to enact similar legislation, the current White House proposal offers increased privacy protections and more narrowly defined exemptions from liability, but it remains to be seen whether this proposal can succeed where others have failed.
Continue Reading Analysis of President Obama’s Information Sharing Legislation

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.
Continue Reading New State Privacy Laws Go Into Effect on Jan. 1, 2015

By David Fagan and Sumon Dantiki

Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks, regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”  The letter requested financial institutions to disclose “any policies and procedures governing relationships with third-party services providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.Continue Reading Cybersecurity Regulators (Renew) Focus on Outside Vendors of Financial Institutions

Senate Judiciary Chairman Patrick J. Leahy introduced a new version of the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2014 (the “USA FREEDOM Act” or “Act”) in the Senate on Tuesday, more than two months House of Representatives passed a version of the bill that omitted several reforms sought by privacy advocates.

Leahy, a co-author of the original bill, said the updated legislation has the support of the Obama Administration.  The Reform Government Surveillance coalition of technology companies, the American Civil Liberties Union, and the Electronic Frontier Foundation also support the new version, according to a statement by Leahy’s office.  The measure has 13 co-sponsors in the Senate, including Senators Ted Cruz (R-Texas), Mike Lee (R-Utah), Al Franken (D-Minn.) and Tom Udall (D-N.M.).

The proposed Act would effectively ban bulk collection of phone records by circumscribing the scope and application of the so-called “business records” provision of the Foreign Intelligence Surveillance Act (also known as Section 215 of the USA PATRIOT Act).  It makes clear that the government may not collect all information relating to a particular service provider or to a broad geographic region, such as a city, zip code or area code.Continue Reading New Version of USA Freedom Act Introduced

By David Fagan, Richard Hertling, and Sumon Dantiki

On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act (H.R. 3107) (“Boots-on-the-Ground Act”) with broad bipartisan support.

 The NCCIP Act was introduced in December 2013 and is the most significant of the three measures.  As we noted at the time, the bill focuses primarily on strengthening the authorities of the Department of Homeland Security (“DHS”).  Under the provisions of the bill as passed by the House, the Secretary of DHS would have broad responsibilities for the protection of critical infrastructure (“CI”) from cyber threats.  Specifically, the Secretary would be charged with facilitating “a national effort to strengthen and maintain secure, functioning and resilient critical infrastructure” by seeking “industry-specific expertise” to “identify and disrupt threats” and providing “education and assistance” to CI owners and operators who request them. Continue Reading House of Representatives Passes Three Cybersecurity Bills

By David Fagan and Susan Cassidy

As an indicator of the continuing focus of government authorities on cybersecurity breaches and potential notification requirements, certain contractors for the federal government may soon face new rapid reporting requirements for successful network penetrations.  Specifically, President Obama signed the 2014 Intelligence Authorization Act (“2014 IAA”) into law on July 7, 2014, starting a 90-day clock under Section 325 of the Act for the Director of National Intelligence (“DNI”) to promulgate regulations for “cleared intelligence contractors” to report the successful penetration of their networks and information systems.

Section 325 defines a cleared intelligence community (“IC”) contractor as “a private entity granted clearance . . . to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of [the IC].”  The new regulations will apply to “covered” networks and information systems that “contain[] or process[] information created by or for an element of the [IC] with respect to which such contractor is required to apply enhanced protection.”Continue Reading Extending Cybersecurity Breach Notice Requirements to Intelligence Community Contractors

By Jim Garland, David Fagan, and Alex Berengaut

On January 27, 2014, the Attorney General and Director of National Intelligence announced that the U.S. government will allow Internet companies and telecommunications providers to disclose more information about government demands for customer data in national security investigations.  The government’s new transparency policy addresses legal demands served under two distinct statutory authorities.  First, under the Foreign Intelligence Surveillance Act (“FISA”), the government can apply to the U.S. Foreign Intelligence Surveillance Court (“FISC”) for orders compelling providers to disclose both the contents of their customers’ communications as well as non-content “metadata” relating to such communications.  Second, under the National Security Letter (“NSL”) statute, the FBI can compel companies to disclose certain non-content information about their customers.

Under the new policy announced on January 27, technology companies now have two options for reporting on the number of FISA orders and NSLs they receive:  Continue Reading Justice Department Allows More Transparency on Government Demands for Customer Information in National Security Investigations