Privacy and data security

In a nutshell

The issue of privacy and data security is one of the most pressing and controversial in our digital age – so naturally it’s a growth area for lawyers. The law in this area is still relatively new, but nonetheless it struggles to keep up with rapid technological advances. Lawyers advise clients on the collection, use and transfer of personal information. Multinational companies, developers of products and public bodies are all under pressure to comply to ever-changing regulation that protects the consumer.


Cybersecurity is going to be a hot button issue.” Mary Ellen Callahan, Jenner & Block.


Attorneys might focus on compliance and take a proactive approach, ensuring clients adhere to their obligations to protect personal information either from outside attack or from misuse by employees. Alternatively, lawyers might assume a more reactive role and deal with data breaches, as well as contentious matters and investigations conducted by data protection authorities. This part of the practice is also known as the enforcement side.

The rise of social media companies, smart technology and data transmission means that lawyers in this field are increasingly relevant. A growing awareness of what is being shared between organisations has prompted the need to protect not only personal data but intellectual property too. “Cybersecurity is going to be a hot button issue,” Mary Ellen Callahan of Jenner & Block says. “There is more interest than ever in keeping information protected.”

What lawyers do

  • Advise companies on data transfer and storage.
  • Advise companies on risk factors that make them vulnerable to cyber attacks.
  • Negotiate settlements for clients accused of neglecting their legal obligations.
  • Litigate on behalf of clients whose data has been breached.
  • Are sometimes employed on a 'just in case' basis to take action in tricky situations.
  • Work with engineers and developers to ensure that software adheres to regulatory obligations.

Realities of the job

  • Given that this area affects all types of businesses, you’ll “work with a whole range of clients,” Mary Ellen Callahan tells us. Her practice covers everything from “the entertainment industry to government contracts. I like the variety. I like the fact that I deal with six to 12 clients a day.”


The matters that arise are a really big deal for the client; it's like heart surgery.” Doug Meal,  Ropes & Gray.


  • On the reactive side of the practice, the pressure can be high. “The matters that arise are a really big deal for the client; it's like heart surgery,” says Doug Meal of Ropes & Gray. “Dealing with a major security breach feels truly life threatening for the client so it's really rewarding when, first of all, you get engaged by a client who needs help in this scary and stressful situation.” However, this can also “put significant stress on you; the clients are really counting on you and you feel tremendous responsibility for them.”
  • This burgeoning area of law provides plenty of hands on experience for young lawyers. Callahan tells us: “I have a woman working on international data transfers and another on mobile data protections. They will work somewhere between one and four hours and then meet to talk about the issues. They might participate once a week in client calls to follow up on aspects and do a status check. When we are in reactive mode we need a more rapid pace, perhaps with hourly calls. On a breach, for example, we need to be all hands on deck.”
  • With new territory comes the need for creativity.“This body of law barely existed 10 years ago,” says Meal. “On every matter you're dealing with legal issues that have never been dealt with before. There are not enough prior decisions out there to really decide for you what the answer will be to an issue that arises. As a lawyer you have an opportunity as you're not bound by a whole body of established law. You have the ability to argue and have a role in making the law.”
  • Although a technical background “can be useful and give you some credibility,” it is not necessarily required, says Callahan. Meal agrees: “Prior experience in computer technology is valuable but certainly not essential.”
  • Variety is key in the beginning, says Meal: “I would want the opportunity to do both compliance and enforcement for some period of time. I would be looking hard for a law firm that would give you a chance to do this in the area – it's quite important.”

Current Issues

  • The Trump administration could affect the Federal Communications Commission's (FCC) scope. “The FCC has been under Democratic control for the last eight years, and during that time it has dramatically expanded its regulatory reach in privacy and data security,” explains Meal. “The FCC will now be moving under Republican control, so you could see a significant rollback of what has been occurring under Democratic control.”
  • Privacy and data security legislation could also take a new turn depending on who Trump appoints as the ninth member of the Supreme Court. “In issues where the Supreme Court is going to be asked to speak about how to interpret various statutes and what the scope of the FCC's authority is, you could see those situations coming out more pro business than pro consumer,” says Meal.
  • The alleged Russian hacking of the Democratic National Committee highlighted priorities for lawyers in the field. “Good data governance and hygiene” will become increasingly important factors, says Callahan.“It's very sobering,” she adds,pointing to the rising stakesof cyber attacks:“CEOs have been fired over breaches that occurred due a lack of data security.”
  • On the privacy front, the focus on the EU will increase as we receive more data from Europe,” says Callahan.New regulations on the movement of personal data have been adopted in the EU in the form of TheGeneral Data Protection Regulation: the regulations aim to simply the transfer of personal data for businesses while offering EU citizens control over how their data is processed. While data transfer between the USA and EU may become easier, business with the UK could be affected by the “complexities created by Brexit,” according to Meal.
  • Businesses are also keen to keep their information under wraps. “They need to protect their intellectual property,” Callahan points out. Recent high-profile hackings and leaks – such as the Panama Papers – mean that risk mitigation will be especially relevant in the months ahead.
  • The Federal Trade Secrets Act may produce some interesting cases brought by companies whose trade secrets have been stolen. On a related note, lawyers will see an uptick in “drafting employment contracts to comply” to ensure employees don't pass information on to competitors,according to Lori Lesser of Simpson Thacher & Bartlett.
  • Government surveillance of companies and individuals will continue to be discussed. Recent news stories accuse governments of collecting personal data to analyze security threats, while whistleblower Edward Snowden is still making headlines for exposing the US government's tracking of personal emails and phone calls. In addition, Apple recently got into a courtroom brawl with the FBI, which demanded that it help them access an iPhone formerly belonging to San Bernardino shooter Syed Rizwan Farook. Going forward, the law will need to adapt to balance the individual's right to privacy with the perceived safety of the population at large.
  • The advance of technology – especially 'smart' devices – has already caused a number of privacy concerns. For example: the potential to track the movement of an electric car; to monitor the activity of smart technology; to reach private spaces with drones; and to watch a user through their own webcam are all possibilities which the law will need to keep up with.
  • The popularity of mobile apps means that personal information is more accessible than ever. Many apps ask the user to input details about themselves; most people neglect to read the small print and remain unaware of the extent to which their information could be shared.
  • The ethics of using personal data for targeted advertising is being called into question. Facebook was recently criticized for drawing on messages sent via WhatsApp – which it acquired – to provide advertisements that it believes will appeal to its users. The question of whether it is acceptable or not to build a profile of app users in such a way will no doubt shape future legislation.