Ms. Kim is an associate in Davis Polk's Litigation Department. [Full Bio]

The SEC’s recent publication of examination observations related to cybersecurity practices provides a helpful benchmark for firms trying to understand common market practices.

***

The Davis Polk Cyber Blog welcomes a new author, partner Robert Cohen.  Rob has 15 years of experience in the SEC’s Division of Enforcement across
Continue Reading Introducing a New Author to the Davis Polk Cyber Blog with His First Blog Post: What SEC Examiners Will Ask About Cybersecurity

The Davis Polk Cyber Blog has won a LexBlog Excellence Award for Exemplary Writing on Legal Blogs as the first runner-up in the category of Best Commentary/Advice for Legal Professionals.  The winning post can be read here and discusses the private right of action for inadequate cybersecurity under the California
Continue Reading Davis Polk Cyber Blog Wins LexBlog Excellence Award

Davis Polk attorneys authored a chapter on U.S. Cybersecurity Laws for the GDR Insight Handbook 2020.  The chapter, which can be read here, was written by Avi Gesser, Matthew J. Bacal, Daniel F. Forester, Matthew A. Kelly, Clara Y. Kim, and Gianna C. Walton, and was published by
Continue Reading Global Data Review Publishes Davis Polk’s Chapter on United States Cybersecurity Laws in GDR Insight Handbook

As regulators ramp up their cybersecurity enforcement, one area of increasing focus is in-house expertise.  Regulators are starting to explicitly require companies to have qualified data protection personnel.  For example, the New York Department of Financial Services (NYDFS) cyber rules require that companies’ cybersecurity personnel be qualified to manage the
Continue Reading Lack of In-House Cyber Expertise, a Growing Concern for Regulators, Leads to $1.5M CFTC Penalty

We first wrote about Business Email Compromise (“BEC”) scams in 2015.  Over the last four years, these attacks have continued unabated.  According to the FBI, in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion.  One reason this
Continue Reading The Rise of Deepfake Audio Means It’s Time to Revisit Business Email Compromise Scams and Ways to Reduce Risk

By now, most major U.S. companies are generally aware of the new privacy requirements that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information. 
Continue Reading The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works.  But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for
Continue Reading Regulators and Plaintiffs Aren’t Waiting for Privacy Legislation: Companies Face Potential Liability Now and Can Take Steps to Reduce Risks

In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data—a shorthand for big data sets, such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative
Continue Reading Alternative Data Goes Mainstream, and Gets Increased Attention from Regulators

2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing table top exercises and risk assessments, etc. But 2019 is looking to be even busier. Below
Continue Reading 2019 Predictions – Top 10 Cybersecurity/Privacy Trends to Prepare for Now

Companies have good reasons to limit business-related communications to devices and applications (“apps”) controlled by the company, and to avoid having sensitive company information on the personal devices and apps of employees:

  • Security: The company does not control the cybersecurity and privacy on employees’ personal apps on personal devices,


Continue Reading Company Documents on Personal Phones?  Consider Updating Your Policies