Avi Gesser

Mr. Gesser is a partner in Davis Polk’s Litigation Department.  He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations.  He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force.  In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.

In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data—a shorthand for big data sets, such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative

The Cybersecurity Law Report recently published an article by Davis Polk titled Reducing Risk in the Dawn of Equifax and Other Cyber-Related Securities Fraud Class Actions.  The article analyzes the January 2019 decision in In re Equifax Securities Litigation and uses lessons from that case to examine strategies for

Until recently, biometric privacy was a niche area of the law that had little application to most companies.  But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it’s probably

2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Services’ cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing tabletop exercises and risk assessments, etc. But 2019 is looking to be even busier. Below

Momentum is building for federal privacy legislation, with several different proposals circulating in Washington.  Ohio’s new cybersecurity law offers an interesting approach for incentivizing companies to protect their customers’ personal data.

We have written previously on two competing models for cybersecurity regulation—“standards” versus “rules.”  The standards-based approach, historically

Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws.  These developments have businesses concerned that they will face a patchwork

On November 1, Canada provided the U.S. with another model for a national breach law:  the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards

A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm.

The SEC’s