Photo of Shahira D. Ali

Ms. Ali is an associate in Davis Polk’s Litigation Department.   Her practice focuses on cybersecurity and data breach issues, complex commercial litigation, securities class actions, and internal investigations. [Full Bio]

On November 1, Canada provided the U.S. with another model for a national breach law:  the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards
Continue Reading What You Need to Know About Canada’s New Breach Notification Law

In the lead-up to the EU’s General Data Protection Regulation (“GDPR”) becoming effective on May 25, little attention was paid in the U.S. to the private right of action that the GDPR creates. But so far, private actors have filed approximately 24 cross-border GDPR complaints with EU regulators.

At least
Continue Reading Private Actions Under the GDPR—One More Privacy Concern for U.S. Companies to Worry About?

If you haven’t been closely following, you may be of the mistaken view that without evidence of actual harm, consumer plaintiffs in federal cyber breach cases have no standing.  While that may have been roughly correct in 2016, the story in 2018 is more complicated, and getting better for plaintiffs.
Continue Reading Still Standing—The Road for Plaintiffs in Consumer Cyber Breach Class Actions May Be Getting Smoother

Cybersecurity regulators appear to be converging on 72-hour breach notification.  First it was the European Union’s General Data Protection Regulation (“GDPR”), then it was the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) have adopted the Insurance Data Security Model
Continue Reading Insurance Industry Moves Towards 72-Hour Breach Notification

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these
Continue Reading The Rise of State Consumer Protection Act Cyber Cases

On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification.  Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2 to 6
Continue Reading More Tough Penalties for Late Breach Notification

In a statement issued on Wednesday, September 20th, the U.S. Securities and Exchange Commission (SEC) revealed that it was investigating a 2016 data breach of its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database.  The SEC does not believe that personally identifiable information was exposed, but the investigation is still
Continue Reading Your Sensitive Information Was Accessed in a Government Hack? You May Have No Remedy.