Data Privacy & Cybersecurity

In the face of heightened public attention, government scrutiny and private litigation risks, data privacy and cybersecurity considerations should be front of mind for management, directors and shareholders of businesses in all sectors.  These issues will only grow in prominence as the financial value of personal data and other types of information continues to increase and cyber threats continue to proliferate and evolve in sophistication.

With an interdisciplinary approach that draws on the strengths of our world-class practices across the firm, Davis Polk’s data privacy and cybersecurity team is well positioned to support our clients through all phases of their business models and in any circumstances that arise.  Our team is composed of lawyers from a range of corporate, regulatory and litigation practices, and includes many with significant government tenure – including at the Securities and Exchange Commission, Federal Trade Commission, Department of Justice and FBI.

We provide our clients with comprehensive data privacy and cybersecurity counseling on a range of issues, including:

  • Advising on the applicability of, and compliance with, relevant laws, rules and regulations relating to the collection, use, retention, protection, disclosure, destruction and other processing of personal data under the evolving patchwork of U.S. federal and state legislation and regulation, including the California Consumer Privacy Act, the New York SHIELD Act and the New York State Department of Financial Services’ cybersecurity regulations, as well as under the EU’s General Data Protection Regulation
  • Advising on the implementation of privacy and cybersecurity programs, including third party oversight and internal and external privacy policies
  • Advising boards of directors and senior management on data privacy and cybersecurity corporate governance
  • Advising on the impact of privacy and cybersecurity laws and regulations on product development from inception through launch
  • Structuring, drafting and negotiating data licenses, pooling arrangements, vendor agreements and international data transfers
  • Advising on data privacy and cybersecurity diligence, risk allocation and transaction structuring implications in connection with mergers and acquisitions and other commercial transactions
  • Drafting data privacy and cybersecurity disclosures in connection with IPOs and other capital markets offerings and ongoing reporting obligations
  • Providing policy advice and representation before federal and state legislatures on pending bills and other privacy-related issues
  • Advising companies on data access requests by government agencies
  • Providing strategic advice to clients before, during, and after cybersecurity incidents such as data breaches and ransomware attacks
  • Leading internal investigations and responding to regulatory inquiries from the SEC, FTC, CFTC and other federal and state regulators
  • Representing clients in civil litigation concerning data privacy and cybersecurity issues

Notable Matters

  • A global technology company. We represented a global technology company in connection with a data pooling arrangement, combining data sets across jurisdictions for analysis and exploitation.
  • Private equity sponsors and hedge funds. We have represented numerous private equity sponsors and hedge funds in connection with their data privacy and cybersecurity compliance programs.
  • Leading technology companies. We have represented leading technology companies in connection with live data incidents in the context of mergers and acquisitions.
  • A global consulting firm. We represented a global consulting firm in connection with its data privacy compliance program, from notices to data subject requests and internal processes and controls, and structuring and drafting of client and vendor agreements.
  • A leading technology company. We represented a leading technology company in connection with the data privacy aspects of proposed products and services.
  • A global financial services firm. We represented the firm in connection with a sophisticated attack on its computer system, including:
    • Overseeing a large investigation into the source, timing, nature and scope of the intrusion
    • Communicating and coordinating with regulators, law enforcement, insurers and auditors
    • Determining various federal, state and international regulatory disclosure obligations, as well as contractual disclosure requirements
    • Preparing for possible civil and regulatory actions
  • A major financial services company. We represent the company in connection with various cybersecurity matters, including a CFTC investigation and associated civil litigation stemming from a successful business email compromise scam accomplished through the use of spoofed emails.
  • A global media company. We represented the company in connection with a governmental investigation into an alleged security vulnerability.
  • A European financial institution. We represented the financial institution in connection with a request from the DOJ regarding cyber intrusions at the bank. This was part of an industrywide inquiry into potential insider trading threats to financial institutions.
  • A pharmaceutical company. We advised the company in connection with an SEC subpoena regarding cyber intrusions at the company. This was part of an industrywide inquiry into potential insider trading threats to biotech companies.
  • A major telecom company. We advised the company on both criminal and civil issues relating to a hacking incident.
  • An online commerce company. We advised the board of directors of an online commerce company in connection with a shareholder demand related to a data breach.
  • A financial firm. We advised the firm in connection with an investigation by the New York Police Department’s Cybercrimes Unit involving a cyberattack.
  • A major aerospace and defense company. We provided corporate governance advice on cyber risks to the company.
  • Direct Edge. We represented the board of directors of Direct Edge in connection with an SEC multidisciplinary inquiry relating to potential violations concerning technology, information security, securities compliance and governance.
  • A major U.S. retailer. We provided privacy advice to the retailer in the wake of a state investigation relating to its rewards program. The investigation was terminated without action.
  • Morgan Stanley. We advised Morgan Stanley in connection with the bankruptcy of National Systems Resources. As a customer, Morgan Stanley sought to ensure proper treatment of its confidential data.
  • A major U.S. manufacturing company. We provided advice in connection with the acquisition of a customer database and related issues.
  • An advocacy coalition. We are leading a coalition formed by the major U.S. communications companies and trade associations – including AT&T, Verizon and Comcast – providing the group with advice and advocacy regarding U.S. privacy and data security laws. The coalition supports a single robust federal data breach statute and laws ensuring that consumer data is treated the same by any federal regulatory regime.
  • We have also advised numerous clients in connection with:
    • The facilitation of international data transfers and the structuring of outsourcing arrangements in compliance with federal, state, EU and other laws
    • Data privacy and cybersecurity policies, procedures and training, as well as cyber breach prevention and mitigation measures
    • Information-law issues that arise in connection with internal investigations, such as the data-protection issues related to the FCPA, and civil discovery involving documents and witnesses outside the United States
    • Drafting and negotiating data protection, licensing, sharing and pooling agreements, with respect to both personal and financial data
    • Internal investigations relating to cyber incidents, including phishing and spoofing attacks

Our Lawyers

The lawyers in our data privacy and cybersecurity practice combine a deep knowledge of the range of applicable laws and regulations in the data privacy and cybersecurity space with a focus on delivering practical advice and solutions to clients in the largest and most complex transactions, disputes and regulatory scenarios.

We are an interdisciplinary practice that draws on Davis Polk’s strength in various areas including intellectual property and technology transactions, litigation, mergers and acquisitions, financial institutions, capital markets and corporate governance.


  • American Lawyer – Davis Polk honored as a finalist for “Best Use of Technology,” 2019
  • BTI Consulting – “The Law Firms Best at Cybersecurity,” 2017