Photo of Avi Gesser

Mr. Gesser is a partner in Davis Polk’s Litigation Department.  He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations.  He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force.  In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues. [Full Bio]

Davis Polk attorneys authored a chapter on U.S. Cybersecurity Laws for the GDR Insight Handbook 2020.  The chapter, which can be read here, was written by Avi Gesser, Matthew J. Bacal, Daniel F. Forester, Matthew A. Kelly, Clara Y. Kim, and Gianna C. Walton, and was published by
Continue Reading

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have
Continue Reading

On Wednesday, December 4, please join Avi Gesser, Matt Kelly and Michelle Adler from Davis Polk, and Nick Pelletier from Mandiant, for our monthly conference call on cybersecurity and privacy issues. This month we will discuss “Cybersecurity and Civil Liability Under CCPA: What you can do today to protect
Continue Reading

We have recently written on whether protecting personal data should be regulated using a property model instead of a privacy model (and concluded, probably not).  Another framework for regulating personal data that is getting increased attention is a national security model, which looks at securing personal data as a means
Continue Reading

Over the last few years, the creation of new cybersecurity regulations has been robust, but actual enforcement has been tepid. This is understandable in any new regulatory regime, especially one where the standards are vague, the conduct is evolving, and therefore, there is considerable uncertainty on the part of the
Continue Reading

We have issued a client alert on three key takeaways on the Office of the Attorney General of California’s recent notice of proposed rulemaking activity and related proposed regulations to provide guidance on the California Consumer Privacy Act.
Continue Reading

As public pressure increases on legislators to better protect the personal information that organizations collect, interest has grown in using a property framework, rather than the current privacy model. On October 1, U.S. presidential candidate Andrew Yang became the latest policymaker to advocate for a data security framework that treats
Continue Reading

As regulators ramp up their cybersecurity enforcement, one area of increasing focus is in-house expertise.  Regulators are starting to explicitly require companies to have qualified data protection personnel.  For example, the New York Department of Financial Services (NYDFS) cyber rules require that companies’ cybersecurity personnel be qualified to manage the
Continue Reading

We first wrote about Business Email Compromise (“BEC”) scams in 2015.  Over the last four years, these attacks have continued unabated.  According to the FBI, in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion.  One reason this
Continue Reading