Experience

- SolarWinds Corporation, a software developer, in an investigation related to the December 2020 SUNBURST cyber attack.
- Paysafe Group Plc in a putative class action complaint filed in the Northern District of California alleging violations of the California Consumer Privacy Act and related claims resulting from a data breach that may have exposed customer data.
- A Global Financial Services firm in several cybersecurity events relating to compromised accounts, phishing attacks, and other attempts to gain unauthorized access to the company’s computer systems.
- A social media company in the investigation and related regulatory defense after the company suffered a prolonged, worldwide outage of all of its systems and services.
- A leading financial institution in responding to a cybersecurity incident involving data of more than 100 million individuals.
- A global, publicly traded financial technology company in responding to and investigating security vulnerabilities in one of its newly acquired subsidiaries, as well as addressing inquiries from multiple state regulators.
- A Fortune 100 financial services entity in an internal investigation following a widespread business continuity event triggered by a large-scale data center outage.
- A major domain registrar and web hosting company as cybersecurity counsel in the corporate defense of a European subsidiary facing a publicized data breach of personal data of more than 200k customers.
- Led investigation for global, public company to root out national security APT hacking group and address numerous regulatory considerations.
- The Home Depot in an internal investigation following a data breach that exposed the personal information of tens of millions of individuals.
- A major international bank in a comprehensive AI risk assessment for their artificial intelligence programs.
- A major healthcare company in advice related to regulatory and governance issues around artificial intelligence.
- A global media company in responding to a series of credential-stuffing attacks and related regulatory inquires.
- Viacom in securing dismissal of a nationwide privacy lawsuit that alleged it illegally shared data regarding the Internet activity of children who visited Nickelodeon websites.
- Royal Bank of Canada in responding to a significant data breach at one of its vendors.
- A leading financial institution in resolving a dispute with a service provider concerning its complex method of accessing our client’s customer data.
- BMO Financial Group in litigation concerning a large-scale breach of Hilton Hotels.
- A Fortune 100 global financial institution in responding to an issue that exposed data relating to more than half a million customers and raised international issues involving a recent data security law.
- Edward Jones Trust Company on a wide range of cybersecurity matters, from advisory work to incident response.
- A major banking institution in an investigation of fraudulent wire transfers made by a third-party service provider.
- A public utility company in an internal investigation into the cybersecurity and data privacy threats posed by an insider threat.
- A global Fortune 500 company in a $9 million cyber-enabled fraud involving one of its merchants.
- A prominent retail chain in neutralizing a significant ransomware attack that disrupted company operations.
- A media client in interdicting a fraudulent wire initiated by a cybercrime group.
- A technology-enabled healthcare company in responding to and containing a significant ransomware attack that disrupted certain company operations.
- A leading private equity firm in investigating and responding to a cybersecurity incident involving diverted wire transfers.
- A publicly traded multinational professional services company in successfully averting a potentially catastrophic ransomware attack by a well-known and sophisticated ransomware group.
- A multinational data networking and telecommunications equipment company on a cybersecurity incident involving the company’s operations in Russia.
- A leading professional services firm in the investigation of a malware incident affecting their computer network.
- An accounting firm in an internal investigation in response to a data misuse incident.
- A publicly traded technology company to assist in investigating and responding to apparent malicious behavior by a former employee.
- A leading e-commerce consumer products company in responding to a cyber incident at one of the company’s subsidiaries.
- A world-leading blockchain company following a cybersecurity incident, resulting in efforts by the hacker to defraud investors.
- A foreign government in the investigation of a cyber attack alleged to have been part of a major geopolitical dispute involving multiple other countries.
- A financial services company in incident response efforts following a potential compromise of one of its vendor’s systems.
- A major online retailer in the healthcare space in responding to a “credential stuffing” cyberattack.
- An internal cyber and data privacy investigation for a global client of the firm concerning operations in Eastern Europe.
- A leading private equity firm in responding to an incident in which a fraudster created a website that was a near duplicate of the firm's as part of a scheme to defraud individuals.
- A major financial institution in conducting incident response planning.
- Several media and technology companies in responding to ransomware attacks.
- A major mining company in responding to a data breach that exposed confidential internal documents and the personal identification information of employees.
- A major insurance company in responding to a data security incident that exposed customers’ data.
- A prominent Internet service provider in regulatory investigations regarding online child safety, and an investigation regarding its delivery of marketing messages to its users.
- A major U.S. banking organization in a U.S. regulatory inquiry as to its cross-border data safeguarding practices and its customer privacy notices.
- A major electronic gaming company in all aspects of its response to a remote hacking incident that exposed certain personal information of consumers, triggering data breach disclosure obligations under state laws.
- A major U.S.-based bank in its internal investigation relating to its loss of back-up tapes containing the non-public personal information of millions of consumers.
- A major sports league in privacy issues relating to the collection, transfer and use of personal data, as well as protection of data about children.
- Multiple publicly traded companies in their cybersecurity risk disclosures in SEC filings.
- A major consumer electronics company with respect to allegations that its external storage devices created security risks on personal computers.
- Two UK-based video game developers in a consumer fraud class-action lawsuit arising out of their use of copy-protection software on their game DVDs.
- A leading Russian bank on the personal data protection and banking secrecy issues related to the transfer of the credit portfolio and integration of IT systems.
- A software company in consumer class actions alleging that malicious third parties could obtain personally identifiable information from computers without consultation and that the defendant violated state and federal consumer fraud and anti-spyware laws.
- A consulting firm that experienced a series of data breaches due to deficiencies in its web-based interface and technology.
- Sony BMG Music Entertainment in consumer class actions and government investigations alleging that software distributed by the company created security vulnerabilities in violation of state and federal consumer fraud laws and a state anti-spyware law.
- ABC, ESPN, Hulu, MTV Networks, MySpace and NBC Universal in a consumer fraud and electronic privacy putative class action relating to the use of Adobe Flash “zombie cookies” by the co-defendant, a web analytics company.
- MySpace in an electronic privacy putative class action concerning its response to out-of-state search warrants.
- Metacafe in an electronic privacy putative class action concerning its use of Flash cookies and other aspects of its stated privacy policies.
- Major global companies such as Siemens AG, Ferrostaal AG (both headquartered in Germany) and several U.S. domiciled enterprises, in several investigations where we established methodologies that permitted sharing of results from the investigations with public authorities in several countries, including the U.S., in compliance with data protection laws of EU member states including Austria, France, the United Kingdom and Italy.
- Prudential Financial in cybersecurity and data privacy due diligence in its $2.35 billion acquisition of Assurance IQ.
- John Hancock, Guardian Life, and numerous other clients in conducting the risk assessment required by the New York Department of Financial Services Cybersecurity Regulation.
- The Financial System Analysis and Resilience Center (FSARC) as cybersecurity and national security counsel.
- A large insurance company on a broad range of cybersecurity and data privacy issues including related to the DFS cybersecurity regulation, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
- A major auto manufacturer in updating their cyber incident response program and assisting in response to a cybersecurity matter affecting the company.
- A large financial services company in a global, enterprise-wide cybersecurity risk assessment.
- Two major sports leagues in designing privacy compliance programs to respond to the California Consumer Privacy Act.
- A large vitamins and supplement manufacturer in ongoing privacy and cybersecurity advice on the company’s compliance with U.S. privacy laws as well as international law, particularly GDPR.
- A professional sports league on a wide range of data privacy and security issues, including compliance with US privacy laws, obligations under GDPR, and privacy architecture for global expansion.
- Several financial, media and entertainment companies in creating incident response plans and tabletop exercises.
- Several private equity firms in cybersecurity reviews in connection with technical forensic vendors.
- An investment trade association regarding its data privacy agreement and policy.
- A risk management company with respect to Fair Credit Reporting Act matters.
- Numerous financial services and media companies and other clients with respect to their privacy policies and website terms of service, particularly regarding their right to merge, mine and transfer data and to market products and services to their consumers using data collected online.
- Two major professional sports leagues in inquiries by the Children’s Advertising Review Unit of the Council of Better Business Bureaus concerning children’s online privacy.

The Debevoise Data Strategy & Security (DSS) practice is global and interdisciplinary—combining our cybersecurity, privacy, artificial intelligence, business continuity, M&A diligence and data governance practices into one fully integrated and coordinated group.Together, we advise leading companies on responding to ransomware and other cybersecurity events, including regulatory inquiries and civil litigation. We also advise our clients on their overall data strategy, including how to manage, protect, and optimize their data, including through the use of artificial intelligence. Our strategic advice includes both legal and technical assistance with the data issues that arise in M&A diligence, licensing and vendor contracting. In addition, we help our clients determine what data they should delete or not collect because of cybersecurity, privacy or other risks.Our integrated strategic advice on data includes:

Helping clients across the globe prepare for, and respond to, significant data breaches and related investigations and litigation. In addition to our U.S. offices, we serve clients from offices strategically located in the United Kingdom, France, Germany, Russia, China, and Hong Kong. We also regularly work on matters that involve a wide range of other non-U.S. jurisdictions, including the EU and EEA, Japan, Singapore, Brazil, Canada, Colombia and Argentina, to name a few.

Identifying existing and proposed laws and standards in the United States and around the world that will impact our clients’ use of data, including regulations and guidance relating to cybersecurity, privacy, AI, data minimization, records retention, document discovery and data governance.

Because we are constantly leading responses to significant cyber, privacy and AI incidents, we are able to channel that deep experience into helping our clients improve their preparations and resilience. Based on our incident work, we regularly assess our clients’ Incident Response Plans, policies, processes, training and resources, and make suggestions to allow them to more effectively respond to the latest cybersecurity, privacy and AI challenges that they face.Predictions and Priorities for 202324 January 2023Andrew J. Ceresney, Erin Cleary, Avi Gesser, Ted Hassi, Eric T. Juergens, Arian M. June, Peter F.G. Schuur, Erica S. Weisgerber, Anna R. Gressel, Ashley YoonEpisode 18: A Conversation on AI and Hiring with EEOC Commissioner Keith Sonderling10 January 2023Keith Sonderling, Avi Gesser, Anna R. GresselColorado’s Approach to AI Governance for Insurers9 December 2022Eric Dinallo, Marshal Bozo, Avi Gesser, Anna GresselNYDFS New Draft Amendments to Part 500 Cybersecurity Rules18 November 2022Eric R. Dinallo, Avi Gesser, Erez Liebermann, Caroline N. Swett, Johanna N. SkrzypczykEthical Use of AI and the Emerging Legal Landscape22 September 2022Avi GesserSpecial Discussion with CT Insurance Commissioner Andrew Mais on AI and Big Data19 August 2022Eric Dinallo, Avi GesserNYDFS Draft Amendments to Part 500 Cybersecurity Rules5 August 2022Eric Dinallo, Luke Dembosky, Avi Gesser, Erez Liebermann, Charu ChandrasekharWhat the Recent California Bulletin Means for AI and Big Data Regulation15 July 2022Eric Dinallo, Avi Gesser, Erez Liebermann, Anna GresselEpisode 17: AI Oversight Obligations for Directors24 May 2022Avi Gesser, William D. Regner, Anna R. GresselPart III: Artificial Intelligence and Discrimination in the Insurance Industry20 May 2022Eric Dinallo, Avi Gesser, Marshal Bozzo, Anna GresselThe SEC & Cybersecurity – Spring 2022 Update19 April 2022Avi Gesser, Kristin Snyder, Charu Chandrasekhar, HJ BrehmerEpisode 16: Artificial Intelligence - Vendor Contracting and Diligence22 March 2022Avi Gesser, Anna Gressel, Tigist KassahunCybersecurity for Not-for-Profit Organizations: Tips on Preparing for, and Responding to, Cyber Attacks2 March 2022Luke Dembosky, Suchita Brundage, Mengyi XuPart II: Artificial Intelligence and Discrimination in the Insurance Industry11 February 2022Eric Dinallo, Avi Gesser, Anna Gressel, Marshal BozzoEpisode 15: Whistleblowers for Cybersecurity and Artificial Intelligence Issues – Tips for Preparation and Response16 December 2021Avi Gesser, Anna Gressel, Jyotin Hamid and Maeve O’ConnorCybersecurity and the Insurance Industry4 November 2021Avi Gesser, Benjamin Lyon, Martha Hirst and Robert MaddoxEpisode 14: Practical Tips on Managing AI Risks in the Insurance Sector - A Discussion with Alex Singla, Doug McElhaney and Liz Grennan of McKinsey 3 November 2021Avi Gesser, Anna Gressel, Alex Singla, Doug McElhaney, Liz GrennanPart I: Artificial Intelligence and Discrimination in the Insurance Industry8 October 2021Eric Dinallo, Avi Gesser, Anna Gressel, Marshal BozzoEpisode 13: The Future of Artificial Intelligence Regulation – A Recap of Recent Developments and What Companies Can Do Now to Prepare 3 May 2021Avi Gesser, Anna Gressel with guest speaker Stephen McDougallEpisode 12: Artificial Intelligence and Consumer Data - A Discussion with Kaitlin Asrow, Fintech Policy Advisor for Federal Reserve Bank of San Francisco 3 March 2021Avi Gesser, Anna Gressel, Kaitlin AsrowEpisode 11: Artificial Intelligence and Cyber Insurance – A Discussion with Stefan Toi of Aon Cyber Solutions and Marcello Antonucci of Beazley on Navigating “AI Gaps” in Cyber Insurance Coverage 6 January 2021Avi Gesser, Keith Slattery, Anna Gressel, Marcello Antonucci, Stefan ToiSupervising AI: The Role of Corporate Boards 16 November 2020Avi Gesser, Anna Gressel, Edward StrozEpisode 10: Artificial Intelligence and the Insurance Sector- A Discussion with Jon Godfread, North Dakota Commissioner of Insurance and Chair of the NAIC Artificial Intelligence Working Group 13 October 2020Avi Gesser, Anna Gressel, Jon GodfreadEpisode 9: Artificial Intelligence and Consumer Protection Risks - A Discussion with Andrew Smith, Director of the FTC's Bureau of Consumer Protection 6 August 2020Avi Gesser, Anna Gressel, Andrew SmithEpisode 8: Artificial Intelligence Regulation in the Securities Industry - A Discussion with Haimera Workie of FINRA's Office of Financial Innovation 23 July 2020Avi Gesser, Anna GresselEpisode 7 - Safeguarding Employees’ Credentials and Preventing Unauthorized Access to Sensitive Data Stored in the Cloud and on Employees’ Personal Devices. 7 July, 2020Avi Gesser, Mengyi Xu, Luke Tenery, Joe ShepleyEpisode 6: Ransomware 2.0 - A Discussion with Dave Wong of FireEye Mandiant on the Evolving Threat Landscape, Risk Mitigation Strategies, and Legal and Practical Considerations 23 June 2020Avi Gesser, HJ BrehmerEpisode 5: How to Demonstrate “Reasonable Cybersecurity Procedures” for Regulatory Inquiries and Litigation 16 June 2020Avi Gesser, Stephanie CipollaReturning to Work in the US: Key Employment Law Considerations 5 June 2020Alexander Cochran, Eric Dinallo, Avi Gesser, Jyotin Hamid, Tricia ShernoEpisode 4: Emerging Cybersecurity Issues for PE Sponsors and Portfolio Companies 21 May 2020Luke Dembosky, Avi GesserEpisode 3: Protecting Policyholder Data: Risks and lessons for insurers from the first weeks of work-from-home arrangements due to COVID-19 8 May 2020Luke Dembosky, Eric Dinallo, Avi GesserEpisode 2: Artificial Intelligence Regulation - A Discussion with Matthew Homer of the NYDFS on Reducing Risks Arising from AI Programs 21 April 2020Avi Gesser, Anna Gressel, Matthew HomerEpisode 1: Reducing Cybersecurity and Related Regulatory Risks Arising from Remote Working Arrangements 1 April 2020Luke Dembosky, Avi Gesser, Justin HerringAre You Ready for CCPA?

19 November 2019Jeremy Feigelson, Kate Saba, Warren Metlitzky Life Under GDPR: A Breach Response Scenario23 May 2017Pierre Clermontel, Luke Dembosky, Jane Shvets, Anna V. Maximenko, Dr. Friedrich Popp