As regulators ramp up their cybersecurity enforcement, one area of increasing focus is in-house expertise.  Regulators are starting to explicitly require companies to have qualified data protection personnel.  For example, the New York Department of Financial Services (NYDFS) cyber rules require that companies’ cybersecurity personnel be qualified to manage the
Continue Reading Lack of In-House Cyber Expertise, a Growing Concern for Regulators, Leads to $1.5M CFTC Penalty

We have issued a memo on the European Court of Justice’s recent preliminary ruling on the GDPR and a data subject’s qualified right of erasure with respect to personal data, which concluded that EU rules require a search engine operator to carry out such a request only on versions of
Continue Reading European Court of Justice Limits Territorial Reach of “Right to Be Forgotten” – Davis Polk Memo

We first wrote about Business Email Compromise (“BEC”) scams in 2015.  Over the last four years, these attacks have continued unabated.  According to the FBI, in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion.  One reason this
Continue Reading The Rise of Deepfake Audio Means It’s Time to Revisit Business Email Compromise Scams and Ways to Reduce Risk

The Cybersecurity Law Report recently published an article by Davis Polk titled Lessons from Equifax on How to Mitigate Post-Breach Legal Liability.  The article analyzes the July 2019 settlement between Equifax and the Federal Trade Commission, Consumer Financial Protection Bureau, and 50 state and territorial attorneys general and uses
Continue Reading Lessons from Equifax on How to Mitigate Post-Breach Legal Liability, by the Davis Polk Cyber Blog Team, published in The Cybersecurity Law Report

We have previously written about legal risks companies will face from the California Consumer Privacy Act (CCPA) when it goes into effect on January 1, 2020.  In short, companies can be subject to consumer class actions alleging statutory damages for mishandled data—and a key defense to those suits will be
Continue Reading New York’s SHIELD Act Creates Significant New Cybersecurity Obligations for Thousands of Firms Worldwide

By now, most major U.S. companies are generally aware of the new privacy requirements that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information. 
Continue Reading The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

We have issued a memo on transactional considerations for investors, purchasers, and sellers of companies that collect or process personal data of California residents arising from the California Consumer Privacy Act, which becomes effective January 2020.

View as a PDF
Continue Reading Impact of the California Consumer Privacy Act on M&A – Davis Polk Memo

On Episode 4 of the Davis Polk Dialogues podcast, Avi Gesser joined Davis Polk partners Jon Leibowitz and Ronan Harty and former Federal Trade Commission (“FTC”) official Eileen Harrington to discuss the FTC’s Hearings on Competition and Consumer Protection in the 21st Century.  The episode covers, among other topics, the
Continue Reading Avi Gesser Discusses FTC Hearings and Cybersecurity Issues on Davis Polk Dialogues Podcast

Avi Gesser co-authored an article with Davis Polk associates Matthew Kelly, Will Schildknecht, and Anna Marienko that was published in the New York Law Journal on May 31, 2019, and that discusses the competing interests of cybersecurity and employee privacy that employers must balance when implementing reasonable cybersecurity measures.  The
Continue Reading New York Law Journal Publishes Avi Gesser’s Article on Balancing Between Cybersecurity and Employees’ Privacy

One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data.  By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with
Continue Reading Ephemeral Messaging for Businesses: Balancing the Risks of Keeping and Deleting Data by Default