Mr. Schildknecht is an associate in Davis Polk’s Litigation Department. His cybersecurity practice focuses on regulatory compliance, incident response and transaction risk assessments. [Full Bio]

On Tuesday April 14, 2020, the fifth annual Incident Response Forum (the “Forum”) convened an extensive roster of presenters from private practice and the government, including from the DHS, DOJ, FTC, SEC, NYDFS, FBI, and the Secret Service, to discuss best practices for incident response.

The government panelists shared insights
Continue Reading 2020 Incident Response Forum: Lessons Learned from Regulators and Law Enforcement

As we have discussed here previously, the coronavirus outbreak has driven many companies further into the digital workplace, putting new strains on information technology systems and related privacy and security compliance controls.  Despite these burdens on companies, few regulators have offered relief from their privacy and security requirements.  As detailed
Continue Reading Data Privacy and Security Requirements During Coronavirus? Little Relief in Sight

The Davis Polk Cyber Blog has won a LexBlog Excellence Award for Exemplary Writing on Legal Blogs as the first runner-up in the category of Best Commentary/Advice for Legal Professionals.  The winning post can be read here and discusses the private right of action for inadequate cybersecurity under the California
Continue Reading Davis Polk Cyber Blog Wins LexBlog Excellence Award

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests.  But how do you know that the person making the request is actually who they say they are?  As we have previously noted on this blog,
Continue Reading The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 million GDPR Fine for Poor Customer Authentication

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have
Continue Reading A 14.5 million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

We have previously written about legal risks companies will face from the California Consumer Privacy Act (CCPA) when it goes into effect on January 1, 2020.  In short, companies can be subject to consumer class actions alleging statutory damages for mishandled data—and a key defense to those suits will be
Continue Reading New York’s SHIELD Act Creates Significant New Cybersecurity Obligations for Thousands of Firms Worldwide

By now, most major U.S. companies are generally aware of the new privacy requirements that will be imposed by the California Consumer Privacy Act (“CCPA”) when it goes into effect on January 1, 2020, including data access and deletion rights for consumers as well as restrictions on selling personal information. 
Continue Reading The Biggest Risk with CCPA May Be Cybersecurity, Not Privacy: 10 Things Companies Are Doing Now to Prepare

Avi Gesser co-authored an article with Davis Polk associates Matthew Kelly, Will Schildknecht, and Anna Marienko that was published in the New York Law Journal on May 31, 2019, and that discusses the competing interests of cybersecurity and employee privacy that employers must balance when implementing reasonable cybersecurity measures.  The
Continue Reading New York Law Journal Publishes Avi Gesser’s Article on Balancing Between Cybersecurity and Employees’ Privacy

As we highlighted in our predictions for 2019, the proliferation of leaked personal information online provides an increasingly valuable resource for threat actors to use in cyber attacks. So far in 2019, billions of records have been leaked, creating significant additional cybersecurity risks for companies. To help understand this
Continue Reading How to Reduce the Cybersecurity Risks Posed by Leaked Data

We recently wrote about companies monitoring employees to reduce cybersecurity risks. Those insider threat risks do not end when employees leave the company. Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a
Continue Reading Cyber Monitoring Employees Part 2 – Insider Threats Continue After Employees Leave