Ms. Xu is an associate in Davis Polk's Litigation Department.

On Tuesday, April 14, 2020, the fifth annual Incident Response Forum (the “Forum”) convened an extensive roster of presenters from private practice and the government, including from the DHS, DOJ, FTC, SEC, NYDFS, FBI, and the Secret Service, to discuss best practices for incident response.

The government panelists shared insights
Continue Reading 2020 Incident Response Forum: Lessons Learned from Regulators and Law Enforcement

Over the last few years, the creation of new cybersecurity regulations has been robust, but actual enforcement has been tepid. This is understandable in any new regulatory regime, especially one where the standards are vague, the conduct is evolving, and therefore, there is considerable uncertainty on the part of the
Continue Reading The NYAG Dunkin’ Donuts Cyber Case – One More Sign that the Days of Stick for Cybersecurity Enforcement May Be Around the Corner

One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data.  By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with
Continue Reading Ephemeral Messaging for Businesses: Balancing the Risks of Keeping and Deleting Data by Default

2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Services' cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing tabletop exercises and risk assessments, etc. But 2019 is looking to be even busier. Below
Continue Reading 2019 Predictions – Top 10 Cybersecurity/Privacy Trends to Prepare for Now

Some of the most significant recent cyber breaches originated at vendors.  We have previously discussed the importance of effective oversight of third parties because vendor breaches can lead to regulatory actions for companies.  Indeed, recent regulatory guidance provides that vendor diligence is an essential part of any cybersecurity program.  This
Continue Reading Cybersecurity Vendor Due Diligence—Some Practical Tips from the Front Lines

In early August, the City of Atlanta reported that the costs associated with its SamSam ransomware infection could reach $17 million, and the FBI has estimated the number of ransomware attacks may be as high as 4,000 per day. To help address the complex issue of when organizations
Continue Reading Ransomware: Never Say Never – A Framework for Deciding When to Pay

In February, we wrote about how the road for plaintiffs in cyber breach class actions may be getting smoother.  Since then, the U.S. Supreme Court has continued to avoid the issue of standing in data breach cases (declining to take up the issue in CareFirst, Inc. v. Attias
Continue Reading Still Standing, Part 2 – Plaintiffs Continue to Rack Up Victories in Data Breach Class Actions, and New Laws Are Coming That May Help Both Sides

For U.S. companies subject to the GDPR, figuring out breach notification obligations is about to get even harder as the GDPR adds another layer of complexity to the existing patchwork of 50 different state breach notification laws and several federal ones.

The GDPR will come into force on May 25,
Continue Reading GDPR Is Almost Here, Making Breach Notification Even More Complicated

In January 2018, at the Eleventh Annual International Conference on Computers, Privacy and Data Protection (the “Conference”) in Brussels, one panel that made some headlines centered around blockchain technology in the context of data protection. The core inquiry of the panel was two-fold: (1) whether blockchain technology can
Continue Reading Blockchain for Data Protection: A Double-edged Sword or a Techno-regulatory Oxymoron?

If you haven’t been closely following, you may be of the mistaken view that without evidence of actual harm, consumer plaintiffs in federal cyber breach cases have no standing.  While that may have been roughly correct in 2016, the story in 2018 is more complicated, and getting better for plaintiffs.
Continue Reading Still Standing—The Road for Plaintiffs in Consumer Cyber Breach Class Actions May Be Getting Smoother