Cybersecurity and Data Privacy

Cybersecurity and data protection are nearly universal concerns for corporations, auditors, financial institutions, consultants and law firms. The financial and reputational costs associated with a significant data breach can be catastrophic.   

Our ranks include some of the most highly respected cybersecurity and privacy lawyers in the country, including former Chairman of the Federal Trade Commission Jon Leibowitz and former United States Attorney Neil MacBride, who have overseen a broad range of high-profile and sensitive cybersecurity and data-privacy cases of national and international significance.

Davis Polk is able to harness its longstanding experience in multi-disciplinary crisis management to support our core team of cybersecurity and data-protection professionals. We are uniquely able to assist our clients who have experienced a possible data breach in making disclosure decisions, communicating with regulators and law enforcement, defending civil and regulatory actions, and managing interactions with various vendors, employees, clients, insurers, auditors and the market. We also have deep experience working with cybersecurity firms and communications experts to help clients reduce the risks of, and prepare for, various cybersecurity events, including:

  • Working with cybersecurity firms to assess company threats, defenses, policies, procedures and training. 
  • Identifying data that should be deleted, or protected with enhanced measures.
  • Assisting in responding to regulatory inquiries on cyber measures. 
  • Running tabletop exercises and mock breach drills.
  • Drafting and implementing incident response and business continuity plans.
  • Establishing contacts in the FBI cyber unit.
  • Assessing regulatory and contractual obligations to notify employees, customers, regulators, insurers, auditors and the market in the event of a breach, including the nature and timing of such notification. 
  • Ensuring that companies have adequate cyber insurance.
  • Reviewing vendor contracts to ensure they require appropriate defenses, notification, insurance, and cooperation.
  • Determining the appropriate level of involvement by senior management and the Board. 
  • Ensuring that companies’ public statements, including SEC filings, regarding cybersecurity risks and measures are appropriate.

Davis Polk Cybersecurity Assessment Portal


The Davis Polk Cybersecurity Assessment Portal is a secure online suite of tools designed to help companies maintain robust cybersecurity programs and prepare for a possible cybersecurity event.


Cyber Blog

Focused commentary on the latest in cybersecurity preparedness, regulatory compliance and incident response.




DOJ Update

A month-by-month recap of the U.S. Department of Justice’s criminal enforcement and policy developments and other significant issues.




SEC and CFTC Update

A month-by-month recap of enforcement activities and developments at the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission.





  • BTI Consulting – “The Law Firms Best at Cybersecurity,” 2017

Notable Matters

  • Global Financial Services Firm. We represent the firm in connection with a sophisticated attack on their computer system, including:

    • Overseeing a large investigation into the source, timing, nature and scope of the intrusion.
    • Communicating and coordinating with regulators, law enforcement, insurers and auditors.
    • Determining various federal, state, and international regulatory disclosure obligations, as well as contractual disclosure requirements.
    • Preparing for possible civil and regulatory actions.
  • Major Financial Services Company. We represent the company in a CFTC investigation into losses resulting from spoofed emails leading to fraudulent wire transfers and related cyberbreaches.
  • Global Media Company. We represent the company in connection with an internal investigation into an alleged security vulnerability.
  • European Financial Institution. We represented the financial institution in connection with a request from DOJ into cyber intrusions at the bank. This was part of an industry-wide inquiry into potential insider trading threats to financial institutions.
  • Pharmaceutical Company. We advised the company in connection with an SEC subpoena for cyber intrusions at the company. This was part of an industry-wide inquiry into potential insider trading threats to biotech companies.
  • Major Telecom Company. We advised the company on both criminal and civil issues relating to a hacking incident.
  • Online Commerce Company. We advised the Board of Directors of an online commerce company in connection with a shareholder demand related to a data breach.
  • Financial Firm. We advised the firm in connection with an investigation by the New York Police Department’s Cybercrimes Unit involving a cyberattack.
  • Major Aerospace and Defense Company. We provided corporate governance advice on cyber risks to the company.
  • Direct Edge. We represented the Board of Directors of Direct Edge in connection with an SEC multidisciplinary inquiry relating to potential violations concerning technology, information security, securities compliance and governance. 
  • Major American Retailer. We provided privacy advice to the retailer in the wake of a state investigation relating to its rewards program. The investigation was terminated without action.
  • Morgan Stanley. We advised Morgan Stanley in connection with the bankruptcy of National Systems Resources, Inc. As a customer, Morgan Stanley sought to ensure proper treatment of its confidential data.
  • We have also advised numerous clients in connection with:
    • Facilitating international data transfers and structuring outsourcing arrangements in compliance with federal, state, E.U., and other laws.
    • Cybersecurity policies, procedures and training, as well as cyberbreach prevention and mitigation measures.
    • Information-law issues that arise in connection with internal investigations, such as the data-protection issues related to the FCPA, and civil discovery involving documents and witnesses outside the United States.
    • Internal investigations relating to various phishing and spoofing attacks.