We first wrote about Business Email Compromise (“BEC”) scams in 2015.  Over the last four years, these attacks have continued unabated.  According to the FBI, in just the last year alone, there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion.  One reason this
Continue Reading

Avi Gesser co-authored an article with Davis Polk associates Matthew Kelly, Will Schildknecht, and Anna Marienko that was published in the New York Law Journal on May 31, 2019, and that discusses the competing interests of cybersecurity and employee privacy that employers must balance when implementing reasonable cybersecurity measures.  The
Continue Reading

Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works.  But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for
Continue Reading

As we highlighted in our predictions for 2019, the proliferation of leaked personal information online provides an increasingly valuable resource for threat actors to use in cyber attacks. So far in 2019, billions of records have been leaked, creating significant additional cybersecurity risks for companies. To help understand this
Continue Reading

Davis Polk’s Avi Gesser, associate Matt Kelly, and law clerk Samantha Pfotenhauer co-authored an article, The Expanding Role of Lawyers in Addressing Cyber Risk at Financial Firms, appearing in this month’s issue of The Review of Securities & Commodities Regulation.

Not that long ago, cybersecurity was viewed as
Continue Reading

Two-factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have a good lost-phone protocol.

Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA) including the NYDFS
Continue Reading

Insider data threats – which include the deliberate theft or destruction of sensitive information, as well as innocent mistakes that result in a loss of control of confidential data – have become a primary risk factor to most businesses.  To properly maintain cybersecurity and protect confidential information, companies need to
Continue Reading

In Part 1 of this blog post, we discussed some key contractual provisions that lawyers should consider when entering into agreements with cloud service providers (“CSPs”).  In this Part 2, we discuss some additional contractual considerations to keep in mind, as well as some post-contract practices to consider in order
Continue Reading

Companies have good reasons to limit business-related communications to devices and applications (“apps”) controlled by the company, and to avoid having sensitive company information on the personal devices and apps of employees:

  • Security: The company does not control the cybersecurity and privacy on employees’ personal apps on personal devices,


Continue Reading

In early August, the City of Atlanta reported that the costs associated with its SamSam ransomware infection could reach $17 million, and the FBI has estimated the number of ransomware attacks may be as high as 4,000 per day. To help address the complex issue of when organizations
Continue Reading