Photo of David Fagan

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

Mr. Fagan has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer for 2016 and 2019. Clients laud him for providing “excellent advice,” “know[ing] everything there is to know about CFIUS” and being “extremely well regarded” by key regulators. (Chambers USA)

In the foreign investment and national security area, Mr. Fagan is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense firms, private equity firms, and sovereign investors, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

Mr. Fagan’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues – including through proactive mitigation and carve-outs – is a critical path for the transaction. Mr. Fagan is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, Mr. Fagan is regularly engaged by multi-national companies, including the world’s leading technology companies, to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China. Mr. Fagan also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In the privacy and data security area, Mr. Fagan has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. Mr. Fagan has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.

In addition, he routinely counsels clients on preparing for and responding to cyber-based attacks on their networks and information, enhancing their supply chain and product development practices, assessing their security controls and practices for the protection of data, developing and implementing information security programs, and complying with federal and state regulatory requirements. He also frequently advises clients on transactional matters involving the transfer of personal data.

By Alex Berengaut

On Monday, October 29, the Supreme Court heard oral argument in Clapper v. Amnesty International (No. 11-1025), a challenge brought by the American Civil Liberties Union (ACLU) against the FISA Amendments Act (FAA) of 2008.  The FAA amended the Foreign Intelligence Surveillance Act (FISA) of 1978 by authorizing new procedures for electronic

The costs associated with a data security breach can be substantial.   In addition to addressing the security issue that gave rise to the breach, companies often must assess notice obligations under federal and state law, manage public relations challenges, and work to rebuild consumer trust.   The costs–in terms of time and resources–needed to accomplish these

By David Fagan

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process — shepherded by Senate Majority Leader Reid and Minority Leader McConnell — with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.

As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.Continue Reading Senate Holds Hearing on Newly Introduced ‘Cybersecurity Act of 2012’

by David Fagan and Alex Berengaut

On November 10, 2011, Judge Liam O’Grady of the United States District Court for the Eastern District of Virginia issued a 60-page memorandum opinion in a dispute over the validity of a special court order issued to Twitter for non-content records for certain users connected to the government’s Wikileaks

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue.

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks–and incidents–have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups.

Continue Reading SEC’s Division of Corporation Finance Issues Guidance on Disclosing Cybersecurity Risks

By David Fagan and Alex Berengaut

Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data.  In this regard, one of the principal privacy-based concerns raised in connection

By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

  • National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
  • Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
  • Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

Continue Reading White House Releases Legislative Proposal on Cybersecurity

By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

  • Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
  • Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
    • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
    • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
    • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
    • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
    • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

Continue Reading Rep. Rush Reintroduces Data Breach Legislation

The fallout from the last month’s data breaches of Sony’s PlayStation Network and its Online Entertainment service continued this week. 

  • On Tuesday, Sen. Richard Blumenthal (D-CT) sent a follow-up letter to Sony saying he is “deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches,” and New

I’ve recently had the opportunity to participate in or moderate several panels on cloud computing, addressing issues such as governance, security, privacy, and legal liability.  

One issue that frequently comes up is whether cloud computing is really new or different.  That depends on how you look at it.  As a legal matter, the model itself