Mr. Schildknecht is an associate in Davis Polk’s Litigation Department. His cybersecurity practice focuses on regulatory compliance, incident response and transaction risk assessments. [Full Bio]

While businesses operating in California are still adjusting to the requirements of the California Consumer Privacy Act (CCPA) and are watching for enforcement actions brought by the California Attorney General, as its enforcement powers begin on July 1, an expansive new privacy initiative was certified today by the California Secretary
Continue Reading Expansive New California Privacy Measure Cleared for November Ballot

On Friday, May 29, 2020, Davis Polk’s own Rob Cohen led a panel on cybersecurity law and enforcement issues for the Practising Law Institute’s (“PLI”) tenth annual program on enforcement. The panel included individuals from the FBI, U.S. Attorney’s Office for the Southern District of New York, New York
Continue Reading PLI Cybersecurity Enforcement Panel: Lessons Learned from Regulators and Law Enforcement

New commentary from a respected think tank attempts to provide guidance on cross-border data transfers.  The guidance proposes principles for determining which country’s law to apply to a cross-border transfer.  Although there is no guarantee that the guidance will gain favor with courts or regulators, it is an important indicator
Continue Reading Navigating Cross-Border Data Transfers: Lessons from the Sedona Conference Commentary

On Tuesday April 14, 2020, the fifth annual Incident Response Forum (the “Forum”) convened an extensive roster of presenters from private practice and the government, including from the DHS, DOJ, FTC, SEC, NYDFS, FBI, and the Secret Service, to discuss best practices for incident response.

The government panelists shared insights
Continue Reading 2020 Incident Response Forum: Lessons Learned from Regulators and Law Enforcement

As we have discussed here previously, the coronavirus outbreak has driven many companies further into the digital workplace, putting new strains on information technology systems and related privacy and security compliance controls.  Despite these burdens on companies, few regulators have offered relief from their privacy and security requirements.  As detailed
Continue Reading Data Privacy and Security Requirements During Coronavirus? Little Relief in Sight

The Davis Polk Cyber Blog has won a LexBlog Excellence Award for Exemplary Writing on Legal Blogs as the first runner-up in the category of Best Commentary/Advice for Legal Professionals.  The winning post can be read here and discusses the private right of action for inadequate cybersecurity under the California
Continue Reading Davis Polk Cyber Blog Wins LexBlog Excellence Award

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests.  But how do you know that the person making the request is actually who they say they are?  As we have previously noted on this blog,
Continue Reading The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 million GDPR Fine for Poor Customer Authentication

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have
Continue Reading A 14.5 million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

We have previously written about legal risks companies will face from the California Consumer Privacy Act (CCPA) when it goes into effect on January 1, 2020.  In short, companies can be subject to consumer class actions alleging statutory damages for mishandled data—and a key defense to those suits will be
Continue Reading New York’s SHIELD Act Creates Significant New Cybersecurity Obligations for Thousands of Firms Worldwide

By now, most major U.S. companies are generally aware of the new privacy requirements that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information. 
Continue Reading The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare