As we have discussed here previously, the coronavirus outbreak has driven many companies further into the digital workplace, putting new strains on information technology systems and related privacy and security compliance controls.  Despite these burdens on companies, few regulators have offered relief from their privacy and security requirements.  As detailed
Continue Reading Data Privacy and Security Requirements During Coronavirus? Little Relief in Sight

Both the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) require companies to respond to customer data access requests.  But how do you know that the person making the request is actually who they say they are?  As we have previously noted on this blog,
Continue Reading The Risks of Fraudulent CCPA Access Requests – Guidance from a $10.7 million GDPR Fine for Poor Customer Authentication

We have written several times here over the last few years about data minimization being an important part of an effective cybersecurity program.  For most companies, the total amount of data that they control grows substantially each year, and more data generally creates more data protection risks.  Companies that have
Continue Reading A 14.5 million Euro Fine for Failing to Get Rid of Old Files – Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation

Davis Polk partner Pritesh Shah and associate Daniel Forester are among the authors of a new Practice Note for Thomson Reuters’ Practical Law discussing blockchain technology and recent trends in data privacy law and the tensions between them.  The article explains blockchain technology’s characteristics and describes issues and potential strategies
Continue Reading Blockchain Technology: Data Privacy Issues and Potential Mitigation Strategies – Practical Law Practice Note

We have issued a memo on the European Court of Justice’s recent preliminary ruling on the GDPR and a data subject’s qualified right of erasure with respect to personal data, which concluded that EU rules require a search engine operator to carry out such a request only on versions of
Continue Reading European Court of Justice Limits Territorial Reach of “Right to Be Forgotten” – Davis Polk Memo

We have written here before about the challenges and benefits of getting rid of old data.  As we have noted, in light of recent legal, regulatory, and technological developments, companies should reevaluate their long-term data management planning.  Last week, the New York Department of Financial Services (“NYDFS”) issued a reminder
Continue Reading With the Sedona Report, Companies Get Some Helpful Guidance on How to Get Rid of Large Volumes of Old Data

In the lead-up to the EU’s General Data Protection Regulation (“GDPR”) becoming effective on May 25, little attention was paid in the U.S. to the private right of action that the GDPR creates. But so far, private actors have filed approximately 24 cross-border GDPR complaints with EU regulators.

At least
Continue Reading Private Actions Under the GDPR—One More Privacy Concern for U.S. Companies to Worry About?

For years, the default setting at many companies was to keep electronic data indefinitely. Storage is cheap, there are legal risks associated with deleting data, and you never know when an email from 10 years ago is going to become important. Some companies have document management policies, but often they
Continue Reading Getting Rid of Old Data Is Becoming a Regulatory Requirement

A recent article in the American Lawyer highlights the growing relevance of lawyer-led “tabletop” exercises, where companies engage in half-day or full-day drills designed to test their response plans for various crisis scenarios.

Executives are increasingly utilizing these exercises to hone their emergency policies, procedures, and decision-making.  Originally developed to
Continue Reading More Companies Doing ‘Tabletop’ Exercises to Test Crisis Management

For U.S. companies subject to the GDPR, figuring out breach notification obligations is about to get even harder as the GDPR adds another layer of complexity to the existing patchwork of 50 different state breach notification laws and several federal ones.

The GDPR will come into force on May 25,
Continue Reading GDPR Is Almost Here, Making Breach Notification Even More Complicated