Practice Area Insights: Privacy & Data Security
Lawyers in this area advise business clients on cyber security issues, including internal security protocols, the collection and storage of personal data, and on how to respond to a data breach. While privacy lawyers are most often called into action in the wake of a data security breach, they also help their clients comply with regulations and counsel on ways to prevent data theft or loss. Lawyers may work on incidence response teams and can be called on to work long hours after a client’s data has been breached. Data privacy lawyers will also frequently be involved in claims, litigation, and regulatory investigations arising from data security breaches. This is a growing and changing area of law, so lawyers may be regularly dealing with unsettled law and must stay up to date on security technology and emerging threats to IT security, as well as rapidly emerging regulations and case law that can pose challenges to their clients.
In our guide, Practice Perspectives: Vault’s Guide to Legal Practice Areas, attorneys from law firms with top-ranked Privacy & Data Security practices share insights about their practice, including what the practice area is and entails as well as what the typical day in the practice area is like. Keep reading for their insights!
Describe your practice area and what it entails.
Christian Lee, Associate—Cooley: I think of my practice as falling into three buckets. The first bucket is helping clients comply with privacy and security laws both in the United States and in key international jurisdictions like Europe and China. I work with clients to determine if they’re subject to those laws, and if they are, what they need to do to comply with them. This involves taking into account the client’s available resources (because not all budgets can be spent on legal) and what their peers are doing. Sometimes the work involves helping the company itself to comply with laws, while other times it is helping them to launch products that are in compliance with laws.
The second bucket is data breaches. I help clients prepare for data plans and breaches by looking for security vulnerabilities in their networks with the help of forensic firms, preparing data breach playbooks, and testing the clients’ preparation through simulated data breaches. When a data breach happens (and it’s not a matter of “if,” but “when”), I guide clients in responding to it under attorney-client privilege.
The third bucket of my practice is providing subject matter expertise on deals that have a privacy and security aspect. These deals can range from routine agreements (like data licensing agreements) to financings (from VCs, for example), IPOs, and M&A deals.
Anna Westfelt, Partner—Gunderson: I’m the head of our Data Privacy Group—we help solve privacy issues for our clients. We help with day-to-day matters such as drafting privacy policies and negotiating data-related agreements. We also help in financings and M&A deals, where we negotiate purchase agreements, create disclosure schedules, and perform diligence to discover any privacy and security issues. We also spend a lot of time learning about developments in privacy laws. There is a lot going on in the privacy world right now!
Adam H. Solomon, Partner—Hunton Andrews Kurth: Our top-ranked global privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues.
For cybersecurity matters, we advise large, multinational companies on all aspects of catastrophic cybersecurity incidents, including providing strategic and legal advice in investigating and remediating the incident, fulfilling their data breach notification responsibilities; responding to multi-jurisdictional regulatory investigations; and managing inquiries from customers, business partners, media, and regulators.
We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans and information security policies, running executive-level tabletops, performing information security assessments and tests, and engaging third-party experts in advance of an incident.
In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws; conduct privacy and data security impact assessments; and counsel companies on managing risk in connection with leading-edge and innovative technologies.
Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.
What is a typical day like and/or what are some common tasks you perform?
Christian Lee: My typical day usually involves meetings/calls with clients to talk about complying with privacy laws or how to design products or services without violating those laws; reviewing and commenting on drafts from junior associates; drafting more complex documents on my own; figuring out different aspects of privacy laws and developing guidance and best practices on them by talking with colleagues; and managing expectations of clients and more senior attorneys. Sometimes I have to help a client with a data breach, which usually upends my plans for the next few hours (or days).
Outside of the office, I’m involved in different professional organizations like the privacy committee of local bar associations and the International Association of Privacy Professionals (“IAPP”). I speak on panels, so I’ll often either be preparing presentations or organizing events.
I usually do a mix of most of these things in one day, although it’s unpredictable because my priorities always seem to change!
Anna Westfelt: My day often consists of meetings with different clients to scope out needed privacy compliance work, often in preparation for a financing or acquisition. I also assist other Gunderson Dettmer attorneys with their clients’ privacy questions, which means moving quickly from one matter to another in a day. I also help clients with their international expansion, making sure they have the required contracts and safeguards in place. If a client has a data breach, we quickly mobilize a team to assist no matter what time of day it is. This type of practice suits someone who enjoys a fast pace and lots of variety!
Adam H. Solomon: Each day is different based on my clients’ needs. On a given day, I might negotiate privacy and data protection clauses in a vendor agreement, help a client investigate a cybersecurity incident, work with a client on assessing or testing their cybersecurity safeguards, advise a client on their privacy obligations associated with a new product or service they’re launching, or help clients evaluate the privacy and data security risks inherent in a company they’re buying or investing in. Because our practice is so wide-ranging, every day brings novel and interesting issues to analyze.