Elizabeth A. Tippett

Ms. Tippett is an associate in Davis Polk’s Litigation Department. She works on a variety of matters, with a focus on white collar defense and cybersecurity regulatory and compliance issues.

We had previously predicted that the Equifax data breach could lead to increased state-level cybersecurity enforcement. On June 27, the NYDFS announced that Equifax has agreed to take corrective action for its 2017 data breach, as set forth in a consent order reached with the NYDFS and seven other …

Readers of our blog know that the NYDFS cybersecurity rules and the European GDPR are part of a trend in regulation towards onerous breach notification requirements with very short (i.e., 72-hour) deadlines.  But there are other, less well-known examples.

Alabama and South Dakota recently passed data security statutes, which means …

The New York Department of Financial Services (“NYDFS”) recently issued guidance for its covered entities[1] highlighting the importance of cybersecurity as a necessary part of M&A due diligence. This guidance comes in the greater context of the Yahoo! SEC resolution to demonstrate that regulators are paying close attention to …

The new year is fast approaching.  2017 has been a year of major cyber incidents, including the Equifax breach.  Cybersecurity will continue to be a top concern for companies in the new year.  Avi Gesser spoke with Markets Media about his outlook for cybersecurity law and regulation in 2018.

Which …

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these …

On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification.  Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2 to 6 …

The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification.  On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach …

During congressional hearings earlier this month, senators grilled Richard Smith, the former Equifax CEO, on the company’s reporting structure for cybersecurity; specifically, on the appropriateness of Equifax’s CISO reporting to the general counsel.  This has caused several companies to question their own reporting structures for cybersecurity issues.  So what is …

Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC.  With the recent Equifax breach, this appears to be changing.

The Massachusetts Attorney General filed …

Today marks the first deadline for entities regulated by the New York Department of Financial Services (“NYDFS”) to comply with certain provisions of the recent NYDFS cybersecurity rules.  The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns.  The …