One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data. By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with
Continue Reading
SEC
Regulators and Plaintiffs Aren’t Waiting for Privacy Legislation: Companies Face Potential Liability Now and Can Take Steps to Reduce Risks
By Avi Gesser, Eric McLaughlin, Greg Swanson & Clara Y. Kim on
Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works. But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for…
Continue Reading
Avi Gesser Interviewed by Law360 on Equifax Shareholder Class Action
By Avi Gesser on
Avi Gesser was interviewed by Law360 in an January 31, 2019 article regarding an shareholder class action suit against Equifax and its former CEO relating to the company’s 2017 data breach and possible implications for cybersecurity risk disclosures.
Continue Reading
Avi Gesser Interviewed by The Cybersecurity Law Report on Recent SEC Enforcement
By Avi Gesser on
Avi Gesser was interviewed by The Cybersecurity Law Report in an October 31, 2018 article regarding recent SEC cybersecurity enforcement actions and how firms can meet their regulatory obligations to reduce the risk of business email compromise scams.
Continue Reading
SEC Penalizes Cybersecurity Weakness
A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm.
The SEC’s…
Continue Reading
Davis Polk Memo – Adding Insult to Injury
By Avi Gesser on
We have issued a memo on a Section 21(a) report of investigation from the Securities and Exchange Commission, which warns that cyber incidents may lead to enforcement action.
Two Recent Cases Highlight the Insider Trading Risks Associated with Cyber Breaches
The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event. These risks come in two forms.
First, there is the risk that…
Continue Reading
2018 SEC Cybersecurity Guidance on Board Oversight
By Avi Gesser & Will Schildknecht on
On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued a statement and interpretive guidance on issuers’ cybersecurity disclosures. For a general discussion of the guidance, see Davis Polk’s recent Client Memorandum. Although the guidance does not impose any new requirements on issuers, the SEC’s emphasis on Board…
Continue Reading
Cybersecurity Whistleblowers – Another Thing to Consider Following a Breach
By Avi Gesser, Ronald J. Krock & Carolin L. Raspe on
Companies that experience a cyber breach face several immediate and difficult challenges: quickly getting a handle on the scope of the breach, making sure that the intruder is out of their system, remediating any vulnerability, assessing what data was accessed (if any), deciding whether to reach out to law enforcement,…
Continue Reading
FinRegReform Blog Post: Security Concerns Prompt Questions Regarding Whether the SEC Should Delay the CAT
By Avi Gesser on
Posted in Cyberaware, SEC
The Davis Polk Financial Regulation Reform Team recently blogged about the breach of the SEC’s EDGAR database and how that breach impacts the Consolidated Audit Trail (“CAT”)
“In the wake of a highly-publicized cybersecurity breach involving the SEC’s EDGAR system, SEC Chairman Jay Clayton has been in the hot seat