
Data is the great commodity of our age. It's a hot, controversial topic that needs good lawyers to handle its complexities. Step forward, Perkins Coie.
Chambers Associate: How exactly would you describe data security?
Erin Earl, partner: Data security is the suite of technological, organizational, physical, and other measures deployed to protect nonpublic information held by individuals, companies, or other organizations. Data security as a legal practice involves helping clients develop their processes for putting appropriate protections in place, generate legally compliant documentation, and respond to legal issues that arise when those protections turn out to be ineffective.
Jim Snell, partner: Data security involves issues regarding the appropriate balance of privacy rights versus innovation (and the ability of the United States to remain a technology leader); consumer and business expectations about the collection, storage, sharing, and use of data; and a host of constitutional issues. In that sense, the work we do is very, very important.
CA: What do the partners do?
Nicola Menaldo, partner: On the litigation side, partner work involves directing strategy, including helping to develop defenses to novel legal theories that appear each year. We also review and revise advice, briefs, and other work product; prepare for and take depositions; and present arguments at hearings. On the counseling side, we work with clients on both short- and long-term goals around mitigating privacy risk and building robust privacy compliance programs. This often entails phone calls with in-house counsel and engineers, drafting legal memos or analyses, reviewing user experiences and disclosures, and generally being available as a legal advisor to fast-moving and bold clients. In addition, partners are expected to stay abreast of the rapidly changing legal environment and trends, and to participate in thought leadership.
JS: Our overall goal is to be a one-stop shop where our clients can get the best data security and privacy advice for their jobs. That means that partners need to be able to identify the best colleagues to address specific issues and to introduce the client to those colleagues quickly. At Perkins Coie, we have lawyers with deep expertise in FTC investigations, state AG investigations, class-action litigation, data security and data breach preparation and response, biometric laws, AI laws, HIPAA, COPPA, state privacy laws, wiretap laws, technology transactions and other privacy transactional issues, responses to governmental or other third-party requests for information, product launches, and a host of other issues. I am happiest when clients comment positively on our responsiveness, practical advice, and efficiency.
CA: What do the senior associates do?
EE: Our strongest senior associates show that they are ready to be promoted by fulfilling many of the same responsibilities for a case or matter as would a junior partner. This could involve, for example, helping with day-to-day case or matter management and strategy, supervising junior associates, and participating in business development opportunities.
CA: What do the junior associates do?
EE: Junior associates dive deep into the law and the facts. They are the members of the team primarily responsible for thoroughly researching legal issues, doing the first draft on motions and client advice, and reviewing the evidence in the case. Our junior associates also get involved early with business development, including helping with research for pitches, drafting articles and client updates, and monitoring cases and legislation to provide insight on legal trends.
JS: Our junior associates are supervised closely by more experienced lawyers but generally work one-on-one with the clients, take primary lead on drafting motion papers and responses to client questions, and appear and argue motions in court. Our lawyers work directly with clients and appear in court at a relatively junior level compared to our peers, and this provides a great training ground for the various areas junior associates need to develop.
CA: What kind of work is involved day to day?
NM: There is a good mix of teamwork and solo work. Some days are consumed with meetings and phone calls; other days are quieter, with time to focus on briefs and strategy. Travel is a significant part of the job as well, though that has reduced somewhat post-COVID-19.
JS: The day-to-day work runs the gamut. In the past several months, for example, I have worked on defense of several mass arbitration demands, represented clients in class actions related to wiretap laws and the Video Privacy Protection Act, defended clients in state attorney general claims, counseled clients on issues related to the state privacy and wiretap laws, and helped clients with questions and litigation related to the Telephone Consumer Protection Act. Nearly all of this work is done with small cross-office teams of Perkins Coie lawyers. The work is dynamic and interesting.
CA: What are the highs and lows?
JS: The highs are that we have a great group of collaborative privacy experts and we work with a great group of clients—from Fortune 50 companies to small startups—on emerging data security issues. Another high is that the developing nature of technology and data security law provides many opportunities for creative solutions to thorny problems. This can also be a low in the sense that complicated issues can be frustrating, but the good far outweighs the bad.
NM: Highs are finalizing and filing high-quality briefs, because of the teamwork involved at the end and the fun of making and refining good legal arguments; and working with and being a part of a team of lawyers whom I truly respect and admire, and who all know and think about privacy issues in sophisticated ways. The low is: always feeling like there isn’t enough time in the day.
EE: For me, the highs involve delivering a win for the client, however the client defines a “win.” That could be a legal victory, like winning on a motion or convincing a regulator to close an investigation without enforcement; a negotiated victory like a workable consent decree or favorable settlement; or an operational victory like launching an information security program. The lows generally involve long hours on tight deadlines.
CA: Describe your latest case: what was the client's problem? What was your role? How did you spend your days?
NM: I am working on a number of cases challenging the AdTech industry and real-time bidding process for the placement of online ads. These cases take aim at the industry as a whole, so I have spent a lot of time learning more deeply about how the ecosystem works and developing strategy for defending these cases. I also regularly handle questions from clients working at the intersection of AI and privacy and have been busy advising these clients on how to think about the interlocking layer of laws and proposed legislation on these emerging technologies.
EE: My newest matters have been counseling companies about whether their products and services fall within the scope of the new AI laws being enacted in several states. We work as a team to zero in on the client’s goals and the specific question they’re looking to answer, provide written or oral advice assessing legal risk, and offer suggestions on how to mitigate those risks.
JS: My latest case is a claim involving alleged violation of state wiretap laws related to the way a commercial website operates. We contend that the laws alleged do not cover the technology at issue and, even if they do, the plaintiff cannot state a claim. This is a criminal statute, so we are also arguing that the rule of lenity prohibits application of the statute to conduct not clearly covered. And there is legislative activity pending to amend the statute the plaintiffs claim applies. We filed a motion to dismiss the complaint and are waiting for the court to rule on the motion.
CA: What are the current trends affecting data security?
NM: In general, consumers, regulators, legislators, and judges are all scrutinizing privacy and data security more closely than they ever have before, and companies are collecting more personal information than ever before. As a result of both trends, companies face increasing exposure on the privacy and data security front and need more legal help to navigate changing and new laws and defend themselves in the event of litigation.
EE: Both cybersecurity threats and companies’ legal compliance obligations continue to evolve. For example, the availability of AI is both enabling threat actors to more rapidly develop malicious tactics, while also arming companies with more tools to protect their data.
JS: There are several trends affecting data security. The ubiquity of information, devices, and generative AI uses means that more and more companies are collecting and using data in increasingly interesting ways. Regulation in this area is increasing (for example, the growing number of state privacy laws), the regulations are not always as clear as they should be, and regulatory enforcement is increasing as well. This means that the issues are mushrooming and becoming more and more important to companies.
CA: What would you say the future of data security practice looks like?
JS: This is a growth area in the law. Data security will continue to be a more and more important issue for an increasing number of companies. Laws will continue to be passed and interpreted. And breaches will continue to expand and be more sophisticated.
NM: Busy.
EE: One thing’s for sure: Companies are going to need data security lawyers for the foreseeable future.
CA: What's the most interesting data security matter you've worked on?
NM: I can’t think of a matter I’ve worked on that wasn’t interesting! Whether it is advising on voice-cloning technologies or defending privacy class actions involving the latest technologies, I am never bored.
EE: I’ve worked on a number of very interesting FTC data security investigations, including one that related to alleged vulnerabilities in a cloud computing platform.
JS: One of the most interesting matters I worked on was one where a customer of a client had used the same login and password for the client’s website as it had for a different website that had experienced a data breach. A malicious party then used that login and password to access the customer’s information on the client’s website. The customer claimed that the client was at fault, but we could show that the customer’s information was exposed in a different data breach.
CA: What personal qualities make a good data security lawyer?
NM: Interest in technology, ability to navigate uncertainty and a changing legal landscape, creative thinking. At our firm, you also need humility, curiosity, and the ability to work well on a team.
EE: Matters can tend to move very quickly, so being proactive, thinking ahead, and staying organized are all important attributes. At the same time, being flexible enough to roll with the punches and adapting strategy to fit facts as they’re learned and developed also is important.
JS: I think a good data security lawyer is smart, practical, experienced, collaborative, geeky (in the sense they honestly enjoy data security issues), and creative.
CA: What can students do to prepare themselves for a career in data security?
NM: Take classes on privacy and data security; read the Law360 Privacy newsletter, TechCrunch, and other technology-related publications; read good writing off the clock and constantly hone your writing skills; and practice having an open mind, fostering curiosity, and empathizing with those you don’t agree with, so you can think more flexibly and strategize effectively in litigation.
EE: For data security, in particular (more than privacy, in general), a baseline technical understanding will probably be helpful in advising your client. It’s even more helpful to become comfortable and develop strong judgment regarding a variety of legal frameworks.
JS: I would recommend that students immerse themselves in the issues, for example, by subscribing to privacy and data security-related email updates, and identify a few specific areas of interest in which they can become an expert.
CA: What makes the field of data security unique? Could you describe the opportunities unique to Perkins Coie?
NM: The practice is unique because it involves both litigation and counseling. This is beneficial because it allows lawyers to stay abreast of the most recent challenges and laws that companies are grappling with, while also engaging in the exciting world of litigation and gaining the experience and ability to advise clients that comes with that.
Perkins Coie represents nearly all of the household names in the technology industry on privacy and security issues, so practicing at Perkins Coie really allows lawyers to operate at the cutting edge of this type of practice. The work is always changing, never boring, and always challenging.
EE: At Perkins Coie, our clients range from the most sophisticated technology companies to small companies seeking guidance on setting up a basic security program and incident response. This means that not only do you get to work with industry-leading lawyers on the most cutting-edge data security issues, but you also get hands-on experience starting at a junior level to work with clients and build your own chops.
JS: The field of data security is unique because it is constantly evolving, both in terms of law and technology, and it matters to everyone. The opportunities unique to Perkins Coie include our strong collaborative culture, both as a firm and within our group, which means that clients get efficient advice from the best lawyers to render it and our terrific client relationships with many of the major players and startups alike.
Last updated: August 2025