Privacy and data security

In a nutshell

The issue of privacy and data security is one of the most pressing and controversial in our digital age – so naturally it’s a growth area for lawyers. The law in this area is still relatively new, but nonetheless it struggles to keep up with rapid technological advances. Lawyers advise clients on the collection, use and transfer of personal information. Multinational companies, developers of products and public bodies are all under pressure to comply with ever-changing regulation that protects the consumer.

“Cybersecurity is going to be a hot button issue.” - Mary Ellen Callahan.

Attorneys might focus on compliance and take a proactive approach, ensuring clients adhere to their obligations to protect personal information either from outside attack or from misuse by employees. Alternatively, lawyers might assume a more reactive role and deal with data breaches, as well as contentious matters and investigations conducted by data protection authorities. This part of the practice is also known as the enforcement side.

The rise of social media companies, smart technology and data transmission means that lawyers in this field are increasingly relevant. A growing awareness of what is being shared between organizations has prompted the need to protect not only personal data but intellectual property too. “Cybersecurity is going to be a hot button issue,” according to ex-head and founder of Jenner & Block's privacy team Mary Ellen Callahan. “There is more interest than ever in keeping information protected.”


What lawyers do

  • Advise companies on data transfer and storage.
  • Advise companies on risk factors that make them vulnerable to cyber attacks.
  • Negotiate settlements for clients accused of neglecting their legal obligations.
  • Litigate on behalf of clients whose data has been breached.
  • Are sometimes employed on a 'just in case' basis to take action in tricky situations.
  • Work with engineers and developers to ensure that software adheres to regulatory obligations.

Realities of the job

  • Given that this area affects all types of businesses, you’ll “work with a whole range of clients,” Callahan tells us. Her practice covers everything from “the entertainment industry to government contracts. I like the variety and the fact that I deal with six to 12 clients a day.”
  • On the reactive side of the practice, the pressure can be high. “The matters that arise are a really big deal for the client; it's like heart surgery,” says Doug Meal of Orrick. “Dealing with a major security breach feels truly life threatening for the client so it's really rewarding when, first of all, you get engaged by a client who needs help in this scary and stressful situation.” However, this can also “put significant stress on you; the clients are really counting on you and you feel tremendous responsibility for them.”
  • This burgeoning area of law provides plenty of hands-on experience for young lawyers. Callahan tells us: “I have a woman working on international data transfers and another on mobile data protections. They will work somewhere between one and four hours and then meet to talk about the issues. They might participate once a week in client calls to follow up on aspects and do a status check. When we are in reactive mode we need a more rapid pace, perhaps with hourly calls. On a breach, for example, we need to be all hands on deck.”
  • With new territory comes the need for creativity. “This body of law barely existed 10 years ago,” says Meal. “On every matter you're dealing with legal issues that have never been dealt with before. There are not enough prior decisions out there to provide all the answers for issues that might arise. As a lawyer you have an opportunity as you're not bound by a whole body of established law; you have the ability to argue and have a role in making the law.”
  • Although a technical background “can be useful and give you some credibility,” it is not necessarily required according to Callahan. Meal agrees: “Prior experience in computer technology is valuable but certainly not essential.”
  • Variety is key in the beginning, says Meal: “I would want the opportunity to do both compliance and enforcement for some period of time. I would be looking hard for a law firm that would give you a chance to do this in the area – it's quite important.”

“The matters that arise are a really big deal for the client; it's like heart surgery.” Doug Meal, Ropes & Gray.


Current Issues

June 2020

  • “The FCC is now under Republican control, so you could see a significant rollback of what was previously put in place,” Meal explains. One example is proposed changes to US net neutrality laws, which come with data privacy implications. It's possible that internet providers could charge additional fees for consumers to keep their browsing private, and monitor internet users more closely to calculate what other products they'd be interested in.
  • In September 2018 the state of California passed a net neutrality bill, only to be sued by the Department of Justice shortly after. The California Consumer Protection Act is expected to come into force in 2020, with other states expected to follow suit with similar legislation.
  • The alleged Russian hacking of the Democratic National Committee highlighted new priorities for lawyers in the cybersecurity field. “Good data governance and hygiene” will become increasingly important factors, says Mary Ellen Callahan. “It's very sobering,” she adds, pointing to the rising stakes of cyber attacks: “CEOs have been fired over breaches that occurred due to a lack of data security.” Questions of data security have been repeatedly raised during the election process for the Democratic Party's 2020 candidate for President.
  • Following the allegations brought against Cambridge Analytica (the analytics firm was accused of harvesting Facebook users' personal information to target them with political ads), social media sites' data privacy measures have been called into question. In April 2018 Facebook founder Mark Zuckerberg testified on the subject before the United States Senate Committee on Commerce, Science, and Transportation.
  • The Federal Trade Secrets Act may produce some interesting cases brought by companies whose trade secrets have been stolen. On a related note, lawyers will see an uptick in “drafting employment contracts to comply” to ensure employees don't pass information on to competitors, according to Lori Lesser of Simpson Thacher & Bartlett.
  • In 2019, Europe started implementing the General Data Protection Regulation: new legislation that focuses on consumer control over personal data. GDPR affects the US too, as domains outside of the EU that process data of people inside the EU must comply with the regulations.
  • The absence of such legislation in the US on a federal level means states have started to legislate locally. Examples include the New York SHIELD Act, the Nevada Privacy Law and the California Consumer Act (CCPA).
  • The Nevada Privacy Law was the first state privacy law to come into play after GDPR. California started to enforce the California Consumer Act (CCPA) in January 2020, allowing California consumers to see any personal data a company has saved or shared. The consequences for noncompliance or violation can even result in jail time.
  • Biometric identification (BI) is becoming more commonplace, and used increasingly as a security measure in mobile phones. The technology's coming on fast and improving all the time: the chance of somebody breaking into your phone because of a rogue Apple Touch ID match is 1 in 50,000, while in the newer Face ID it's just 1 in 1,000,000. Taylor Swift hit headlines in 2018 when it emerged that her security team had used facial recognition technology to monitor fans during her stadium tour.
  • In February 2020, Clearview AI suffered a catastrophic data breach. The facial recognition company had its entire client list stolen, comprising 2,200 organizations such as the FBI and retailers like Walmart. A hacker managed to access the client list and leak private data; Clearview's database stores billions of images, scraped from sites such as Facebook, LinkedIn and Twitter.
  • The advance of technology – especially 'smart' devices – has already caused a number of privacy concerns. One example is the rise of voice activated AI assistants like Amazon’s Alexa, which continue to raise privacy concerns for consumers, and in 2019 it emerged that Google’s Nest home security system contained a hidden microphone despite it not being listed on the device’s specs.
  • As artificial intelligence (AI) gathers pace, so does its threat to cybersecurity. According to a Webroot report, 91% of security professionals believe that hackers could launch more sophisticated cyber attacks than previously by using AI.