Cybersecurity and Data Privacy

Davis Polk’s cybersecurity and data privacy practice brings together lawyers with deep experience in multiple areas of the law to assist clients with the ever-expanding range of cybersecurity and data privacy issues.  Our team includes lawyers with significant government tenure—including at the Federal Trade Commission, Department of Justice and FBI.  We provide technology, media and biotechnology companies and financial institutions, among our other clients, with comprehensive counseling, including:

  • Preparing for, and responding to, cyber incidents such as data breaches and ransomware attacks, including by assessing regulatory and contractual notification obligations, responding to regulatory inquiries and investigations and providing representation in civil litigation;
  • Providing cybersecurity and data privacy advice in connection with mergers and acquisitions and other commercial transactions, regarding diligence, risk allocation and transaction structuring implications;
  • Drafting cybersecurity and data privacy disclosures in connection with IPOs and other capital markets offerings and ongoing reporting obligations;
  • Providing advice on compliance with cybersecurity and data privacy laws and regulations, and industry and enforcement trends; and
  • Providing policy advice and representation before federal and state legislatures on pending bills and other privacy-related issues.



Notable Matters

  • Global Financial Services Firm. We represent the firm in connection with a sophisticated attack on its computer system. We are:
    • Overseeing a large investigation into the source, timing, nature and scope of the intrusion;
    • Communicating and coordinating with regulators, law enforcement, insurers and auditors;
    • Determining various federal, state and international regulatory disclosure obligations, as well as contractual disclosure requirements; and
    • Preparing for possible civil and regulatory actions.
  • Major Financial Services Company. We represent the company in connection with various cybersecurity matters, including a CFTC investigation and associated civil litigation stemming from a successful business email compromise scam accomplished through the use of spoofed emails.
  • Global Media Company. We represented the company in connection with a governmental investigation into an alleged security vulnerability.
  • European Financial Institution.  We represented the financial institution in connection with a request from the DOJ regarding cyber intrusions at the bank. This was part of an industry-wide inquiry into potential insider trading threats to financial institutions.
  • Pharmaceutical Company.  We advised the company in connection with an SEC subpoena regarding cyber intrusions at the company. This was part of an industry-wide inquiry into potential insider trading threats to biotech companies.
  • Major Telecom Company.  We advised the company on both criminal and civil issues relating to a hacking incident.
  • Online Commerce Company.  We advised the board of directors of an online commerce company in connection with a shareholder demand related to a data breach.
  • Financial Firm.  We advised the firm in connection with an investigation by the New York Police Department’s Cybercrimes Unit involving a cyberattack.
  • Major Aerospace and Defense Company. We provided corporate governance advice on cyber risks to the company.
  • Direct Edge.  We represented the board of directors of Direct Edge in connection with an SEC multidisciplinary inquiry relating to potential violations concerning technology, information security, securities compliance and governance.
  • Major American Retailer.  We provided privacy advice to the retailer in the wake of a state investigation relating to its rewards program.  The investigation was terminated without action.
  • Morgan Stanley.  We advised Morgan Stanley in connection with the bankruptcy of National Systems Resources, Inc.  As a customer, Morgan Stanley sought to ensure proper treatment of its confidential data.
  • Major American Manufacturing Company.  We provided advice in connection with the acquisition of a customer database and related issues.
  • Advocacy Coalition.  We are leading a coalition formed by the major U.S. communications companies and trade associations – including AT&T, Verizon and Comcast – providing the group with advice and advocacy regarding U.S. privacy and data security laws. The coalition supports a single robust federal data breach statute and laws ensuring that consumer data is treated the same by any federal regulatory regime.  
  • We have also advised numerous clients in connection with:
    • The facilitation of international data transfers and the structuring of outsourcing arrangements in compliance with federal, state, E.U. and other laws;
    • Cybersecurity and data privacy policies, procedures and training, as well as cyber breach prevention and mitigation measures;
    • Information-law issues that arise in connection with internal investigations, such as the data-protection issues related to the FCPA, and civil discovery involving documents and witnesses outside the United States;
    • Drafting and negotiating data protection, licensing, sharing and pooling agreements, with respect to both personal and financial data; and
    • Internal investigations relating to cyber incidents, including phishing and spoofing attacks.

Our Lawyers

The lawyers in our cybersecurity and data privacy practice combine a deep knowledge of the range of applicable laws and regulations in the cybersecurity and data privacy space with a focus on delivering practical advice and solutions to clients in the largest and most complex transactions, disputes and regulatory scenarios.

We are a cross-disciplinary practice that draws on Davis Polk’s strength in various areas, including mergers and acquisitions, litigation, intellectual property and technology transactions, financial institutions and capital markets. Our lawyers have experience providing strategic advice to our clients with respect to the General Data Protection Regulation; the evolving patchwork of U.S. federal and state legislation and regulation, including the California Consumer Privacy Act of 2018 and the New York State Department of Financial Services cybersecurity regulations; and the implementation of privacy programs and the performance of international data transfers.

Members of the team include several notable partners across the firm’s practice areas and offices who have overseen a broad range of high-profile and sensitive cybersecurity and data privacy cases of national and international significance, including:

  • Avi Gesser, former counsel to the Chief of the Fraud Section in the DOJ’s Criminal Division. Avi represents clients in a wide range of cybersecurity matters, including enforcement and investigation matters, and is the primary author of the Davis Polk Cyber Blog.
  • Jon Leibowitz, former chairman of the Federal Trade Commission. Jon’s practice includes consumer protection and privacy matters, and he is the host of our podcast series on the FTC Hearings on Competition and Consumer Privacy in the 21st Century.
  • Neil MacBride, former U.S. Attorney for the Eastern District of Virginia. Neil is co-chair of Davis Polk’s White Collar Criminal Defense and Government Investigations Group.
  • Ken Wainstein, former Homeland Security Advisor, Assistant Attorney General for National Security and FBI general counsel and chief of staff.  Ken’s practice focuses on corporate internal investigations and civil and criminal enforcement proceedings.


  • Financial Times North America Innovative Lawyers Report – Davis Polk’s Cyber Portal received “Standout” (highest ranking) in the “Business of Law: New Products and Services Category,” 2018
  • BTI Consulting – “The Law Firms Best at Cybersecurity,” 2017

Cyber Portal

Davis Polk recently developed the Cyber Portal, a secure online suite of tools designed to help companies maintain robust cybersecurity programs and prepare for a possible cybersecurity event.

At the core of the Cyber Portal is the Notification Assessment Tool, a web application that enables users to quickly assess a company’s state and federal data breach notification obligations, including those under HIPAA, Gramm-Leach-Bliley, and all U.S. states and territories.  In a matter of minutes, by answering a series of questions, a user can generate a detailed Preliminary Assessment Report that documents key aspects of the relevant notification obligations, including who needs to be notified, the deadlines for notification, the contents of the required notifications and methods for delivering the notifications. 

As part of the holistic incident response services available to users of the Cyber Portal, a user can apply the results of the Preliminary Assessment Report to generate template notification letters to affected individuals, state regulators, and other required organizations (such as credit reporting agencies) consistent with the legal requirements of federal and state laws.  The Cyber Portal also contains current contact information for federal, state, and international cybersecurity regulators.

For more information on our Cyber Portal, visit the Cyber Portal, view the Cyber Portal Guide or request a demo.