In a nutshell
The issue of privacy and data security is one of the most pressing and controversial in our digital age – so naturally it’s a growth area for lawyers. The law in this area is still relatively new, but nonetheless it struggles to keep up with rapid technological advances. Lawyers advise clients on the collection, use and transfer of personal information. Multinational companies, developers of products and public bodies are all under pressure to comply with ever-changing regulation that protects the consumer.
Attorneys might focus on compliance and take a proactive approach, ensuring clients adhere to their obligations to protect personal information either from outside attack or from misuse by employees. Alternatively, lawyers might assume a more reactive role and deal with data breaches, as well as contentious matters and investigations conducted by data protection authorities. This part of the practice is also known as the enforcement side.
The rise of social media companies, smart technology and data transmission means that lawyers in this field are increasingly relevant. A growing awareness of what is being shared between organizations has prompted the need to protect not only personal data but intellectual property too. “Cybersecurity is going to be a hot button issue,” according to ex-head and founder of Jenner & Block's privacy team Mary Ellen Callahan. “There is more interest than ever in keeping information protected.”
What lawyers do
- Advise companies on data transfer and storage.
- Advise companies on risk factors that make them vulnerable to cyber attacks.
- Negotiate settlements for clients accused of neglecting their legal obligations.
- Litigate on behalf of clients whose data has been breached.
- Are sometimes employed on a 'just in case' basis to take action in tricky situations.
- Work with engineers and developers to ensure that software adheres to regulatory obligations.
Realities of the job
- Given that this area affects all types of businesses, you’ll “work with a whole range of clients,” Callahan tells us. Her practice covers everything from “the entertainment industry to government contracts. I like the variety and the fact that I deal with six to 12 clients a day.”
- On the reactive side of the practice, the pressure can be high. “The matters that arise are a really big deal for the client; it's like heart surgery,” says Doug Meal of Orrick. “Dealing with a major security breach feels truly life threatening for the client so it's really rewarding when, first of all, you get engaged by a client who needs help in this scary and stressful situation.” However, this can also “put significant stress on you; the clients are really counting on you and you feel tremendous responsibility for them.”
- This burgeoning area of law provides plenty of hands-on experience for young lawyers. Callahan tells us: “I have a woman working on international data transfers and another on mobile data protections. They will work somewhere between one and four hours and then meet to talk about the issues. They might participate once a week in client calls to follow up on aspects and do a status check. When we are in reactive mode we need a more rapid pace, perhaps with hourly calls. On a breach, for example, we need to be all hands on deck.”
- With new territory comes the need for creativity. “This body of law barely existed 10 years ago,” says Meal. “On every matter you're dealing with legal issues that have never been dealt with before. There are not enough prior decisions out there to provide all the answers for issues that might arise. As a lawyer you have an opportunity as you're not bound by a whole body of established law; you have the ability to argue and have a role in making the law.”
- Although a technical background “can be useful and give you some credibility,” it is not necessarily required according to Callahan. Meal agrees: “Prior experience in computer technology is valuable but certainly not essential.”
- Variety is key in the beginning, says Meal: “I would want the opportunity to do both compliance and enforcement for some period of time. I would be looking hard for a law firm that would give you a chance to do this in the area – it's quite important.”
“The matters that arise are a really big deal for the client; it's like heart surgery.” Doug Meal, Ropes & Gray.
- With many companies moving to remote work as a result of the Covid-19 pandemic, the use of online cloud data storage has hit an all-time high. As a result, protecting data both inside cloud infrastructures as well as outside cloud parameters has become even more vital – the UN has warned that cybercrime was up a whopping 600% during the pandemic.
- According to CrowdStrike’s 2020 incident-analysis report, ransomware attacks accounted for 51% of major cyber-attacks in 2020. This indicates that cybercriminals have changed their focus to securing high-figure ransoms from corporations, as opposed to stealing personal information to sell online.
- In 2015 (under Obama), the FCC adopted net neutrality rules which were overturned in 2017 under Donald Trump’s presidency. In 2018, in response, the California legislature adopted a state law requiring net neutrality, which was challenged by the US Justice Department under Trump. In February 2021, the US Justice Department withdrew this challenge when Biden took office, which will likely pave the way for other states to pass similar bills and lead to a state-by-state approach to net neutrality and general internet regulation.
- The alleged Russian hacking of the Democratic National Committee highlighted new priorities for lawyers in the cybersecurity field. “Good data governance and hygiene” will become increasingly important factors, says Mary Ellen Callahan. “It's very sobering,” she adds, pointing to the rising stakes of cyber-attacks: “CEOs have been fired over breaches that occurred due to a lack of data security.” Questions of data security were repeatedly raised during the 2020 Presidential Election.
- Following the allegations brought against Cambridge Analytica (the analytics firm was accused of harvesting Facebook users' personal information to target them with political ads), social media sites' data privacy measures have been called into question. In April 2018 Facebook founder Mark Zuckerberg testified on the subject before the United States Senate Committee on Commerce, Science, and Transportation.
- The Federal Trade Secrets Act may produce some interesting cases brought by companies whose trade secrets have been stolen. On a related note, lawyers will see an uptick in “drafting employment contracts to comply” to ensure employees don't pass information on to competitors, according to Lori Lesser of Simpson Thacher & Bartlett.
- In 2019, Europe started implementing the General Data Protection Regulation: new legislation that focuses on consumer control over personal data. GDPR affects the US too, as domains outside of the EU that process data of people inside the EU must comply with the regulations.
- The absence of such legislation in the US on a federal level means states have started to legislate locally. Examples include the New York SHIELD Act, the Nevada Privacy Law and the California Consumer Act (CCPA).
- The Nevada Privacy Law was the first state privacy law to come into play after GDPR. California started to enforce the California Consumer Act (CCPA) in January 2020, allowing California consumers to see any personal data a company has saved or shared. California approved updates to this Act in November 2020, which moved the state’s data protections closer to the EU’s GDPR. More than 24 other states are passing or considering bills to enhance data privacy which means more companies will need to prepare themselves to comply with new regulations.
- Biometric identification (BI) is becoming more commonplace, and used increasingly as a security measure in mobile phones. The technology's coming on fast and improving all the time: the chance of somebody breaking into your phone because of a rogue Apple Touch ID match is 1 in 50,000, while in the newer Face ID it's just 1 in 1,000,000.
- The advance of technology – especially 'smart' devices – has already caused a number of privacy concerns. One example is the rise of voice-activated AI assistants like Amazon’s Alexa, which continue to worry consumers. Another came in 2019, when it emerged that Google’s Nest home security system contained a hidden microphone despite it not being listed on the device’s specs.
- As artificial intelligence (AI) gathers pace, so does its threat to cybersecurity. According to a Webroot report, 91% of security professionals believe that hackers could launch more sophisticated cyber attacks than previously by using AI.
- Cybersecurity investments in FinTech have more than doubled from 2019 to 2020, growing to $646.2 million, according to Fortunly.