David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.
Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)
In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”
Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.
Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.
In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.
In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.
The White House released on November 15, 2017 the Vulnerabilities Equities Policy and Process for the United States Government (“VEP”) — the process by which the Government determines whether to disseminate or restrict information about new, nonpublic vulnerabilities that it discovers. This release was motivated by criticism following the allegations that significant cyber-attacks have exploited … Continue Reading
As we reported on October 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754). If enacted into law, CISA would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government and private entities. CISA must now be reconciled with two similar … Continue Reading
On Tuesday, President Obama announced his proposal for legislation that would encourage sharing of cyber threat information between the public and private sector by shielding private entities from liability for sharing information on cyber threats. The White House has since released the text of the proposed bill, which includes limitations on liability for private entities … Continue Reading
State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.… Continue Reading
By David Fagan and Sumon Dantiki Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks, regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.” The letter requested financial institutions to … Continue Reading
Senate Judiciary Chairman Patrick J. Leahy introduced a new version of the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2014 (the “USA FREEDOM Act” or “Act”) in the Senate on Tuesday, more than two months House of Representatives passed a version of the bill that omitted several … Continue Reading
By David Fagan, Richard Hertling, and Sumon Dantiki On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act … Continue Reading
By David Fagan and Susan Cassidy As an indicator of the continuing focus of government authorities on cybersecurity breaches and potential notification requirements, certain contractors for the federal government may soon face new rapid reporting requirements for successful network penetrations. Specifically, President Obama signed the 2014 Intelligence Authorization Act (“2014 IAA”) into law on July 7, … Continue Reading
By Jim Garland, David Fagan, and Alex Berengaut On January 27, 2014, the Attorney General and Director of National Intelligence announced that the U.S. government will allow Internet companies and telecommunications providers to disclose more information about government demands for customer data in national security investigations. The government’s new transparency policy addresses legal demands served … Continue Reading
By Alex Berengaut On Monday, October 29, the Supreme Court heard oral argument in Clapper v. Amnesty International (No. 11-1025), a challenge brought by the American Civil Liberties Union (ACLU) against the FISA Amendments Act (FAA) of 2008. The FAA amended the Foreign Intelligence Surveillance Act (FISA) of 1978 by authorizing new procedures for electronic … Continue Reading
The costs associated with a data security breach can be substantial. In addition to addressing the security issue that gave rise to the breach, companies often must assess notice obligations under federal and state law, manage public relations challenges, and work to rebuild consumer trust. The costs–in terms of time and resources–needed to accomplish these … Continue Reading
By David Fagan Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills … Continue Reading
by David Fagan and Alex Berengaut On November 10, 2011, Judge Liam O’Grady of the United States District Court for the Eastern District of Virginia issued a 60-page memorandum opinion in a dispute over the validity of a special court order issued to Twitter for non-content records for certain users connected to the government’s Wikileaks … Continue Reading
Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches. The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue. The Division noted that as companies have turned to digital technologies to … Continue Reading
By David Fagan and Alex Berengaut Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data. In this regard, one of the principal privacy-based concerns raised in connection … Continue Reading
By David Fagan and Josephine Liu The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity. The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework. As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress. … Continue Reading
By David Fagan & Libbie Canter Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707). During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make … Continue Reading
The fallout from the last month’s data breaches of Sony’s PlayStation Network and its Online Entertainment service continued this week. On Tuesday, Sen. Richard Blumenthal (D-CT) sent a follow-up letter to Sony saying he is “deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches,” and New … Continue Reading
I’ve recently had the opportunity to participate in or moderate several panels on cloud computing, addressing issues such as governance, security, privacy, and legal liability. One issue that frequently comes up is whether cloud computing is really new or different. That depends on how you look at it. As a legal matter, the model itself … Continue Reading
Multiple press outlets are reporting on remarks from Rep. Robert Goodlatte (R-Va.) regarding his intent to take up cybersecurity legislation during the 112th Congress. In remarks at the 2011 State of the Net Conference, sponsored by the Congressional Internet Caucus, Goodlatte reportedly said that the Judiciary Committee should explore the use of “limited liability protections” as an incentive … Continue Reading