On Tuesday, April 14, 2020, the fifth annual Incident Response Forum (the “Forum”) convened an extensive roster of presenters from private practice and the government, including from the DHS, DOJ, FTC, SEC, NYDFS, FBI, and the Secret Service, to discuss best practices for incident response.

The government panelists shared insights
Continue Reading 2020 Incident Response Forum: Lessons Learned from Regulators and Law Enforcement

As we have discussed here previously, the coronavirus outbreak has driven many companies further into the digital workplace, putting new strains on information technology systems and related privacy and security compliance controls.  Despite these burdens on companies, few regulators have offered relief from their privacy and security requirements.  As detailed
Continue Reading Data Privacy and Security Requirements During Coronavirus? Little Relief in Sight

You have invoked your business continuity plan and it is working.  Thanks to your IT team, your employees have the technology they need to work from home and to do it securely.  You are tracking statements and guidance from key government resources.  Your networks are segmented, your software is
Continue Reading Your IT Systems Are Coronavirus-Ready: What About Your Cyber-Risk Controls?

We have issued a client alert on four key takeaways on the Office of the Attorney General of California’s recent modified regulations to provide guidance on the California Consumer Privacy Act.
Continue Reading Highlights & Takeaways: California Attorney General Issues Modifications to Proposed CCPA Regulations

The SEC’s recent publication of examination observations related to cybersecurity practices provides a helpful benchmark for firms trying to understand common market practices.

***

The Davis Polk Cyber Blog welcomes a new author, partner Robert Cohen.  Rob has 15 years of experience in the SEC’s Division of Enforcement across
Continue Reading Introducing a New Author to the Davis Polk Cyber Blog with His First Blog Post: What SEC Examiners Will Ask About Cybersecurity

The Davis Polk Cyber Blog has won a LexBlog Excellence Award for Exemplary Writing on Legal Blogs as the first runner-up in the category of Best Commentary/Advice for Legal Professionals.  The winning post can be read here and discusses the private right of action for inadequate cybersecurity under the California
Continue Reading Davis Polk Cyber Blog Wins LexBlog Excellence Award

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests.  But how do you know that the person making the request is actually who they say they are?  As we have previously noted on this blog,
Continue Reading The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 million GDPR Fine for Poor Customer Authentication

With 2019 coming to a close, we wanted to take a look at what can be learned from the FTC’s cybersecurity enforcement actions this year.  As we have previously noted, the FTC came under criticism last year in the LabMD decision for not providing companies with sufficient clarity as to
Continue Reading What the Last Year of Cyber Enforcement Tells Us About the FTC’s Compliance Expectations

Davis Polk attorneys authored a chapter on U.S. Cybersecurity Laws for the GDR Insight Handbook 2020.  The chapter, which can be read here, was written by Avi Gesser, Matthew J. Bacal, Daniel F. Forester, Matthew A. Kelly, Clara Y. Kim, and Gianna C. Walton, and was published by
Continue Reading Global Data Review Publishes Davis Polk’s Chapter on United States Cybersecurity Laws in GDR Insight Handbook

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have
Continue Reading A 14.5 million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation