Privacy and data security

In a nutshell

The issue of privacy and data security is one of the most pressing and controversial in our digital age – so naturally it’s a growth area for lawyers. The law in this area is still relatively new, but nonetheless it struggles to keep up with rapid technological advances. Lawyers advise clients on the collection, use and transfer of personal information. Multinational companies, developers of products and public bodies are all under pressure to comply with ever-changing regulation that protects the consumer.

“Cybersecurity is going to be a hot button issue.” - Mary Ellen Callahan.

Attorneys might focus on compliance and take a proactive approach, ensuring clients adhere to their obligations to protect personal information either from outside attack or from misuse by employees. Alternatively, lawyers might assume a more reactive role and deal with data breaches, as well as contentious matters and investigations conducted by data protection authorities. This part of the practice is also known as the enforcement side.

The rise of social media companies, smart technology and data transmission means that lawyers in this field are increasingly relevant. A growing awareness of what is being shared between organizations has prompted the need to protect not only personal data but intellectual property too. “Cybersecurity is going to be a hot button issue,” according to ex-head and founder of Jenner & Block's privacy team Mary Ellen Callahan. “There is more interest than ever in keeping information protected.”


What lawyers do

  • Advise companies on data transfer and storage.
  • Advise companies on risk factors that make them vulnerable to cyber attacks.
  • Negotiate settlements for clients accused of neglecting their legal obligations.
  • Litigate on behalf of clients whose data has been breached.
  • Are sometimes employed on a 'just in case' basis to take action in tricky situations.
  • Work with engineers and developers to ensure that software adheres to regulatory obligations.

Realities of the job

  • Given that this area affects all types of businesses, you’ll “work with a whole range of clients,” Callahan tells us. Her practice covers everything from “the entertainment industry to government contracts. I like the variety and the fact that I deal with six to 12 clients a day.”
  • On the reactive side of the practice, the pressure can be high. “The matters that arise are a really big deal for the client; it's like heart surgery,” says Doug Meal of Orrick. “Dealing with a major security breach feels truly life threatening for the client so it's really rewarding when, first of all, you get engaged by a client who needs help in this scary and stressful situation.” However, this can also “put significant stress on you; the clients are really counting on you and you feel tremendous responsibility for them.”
  • This burgeoning area of law provides plenty of hands-on experience for young lawyers. Callahan tells us: “I have a woman working on international data transfers and another on mobile data protections. They will work somewhere between one and four hours and then meet to talk about the issues. They might participate once a week in client calls to follow up on aspects and do a status check. When we are in reactive mode we need a more rapid pace, perhaps with hourly calls. On a breach, for example, we need to be all hands on deck.”
  • With new territory comes the need for creativity. “This body of law barely existed 10 years ago,” says Meal. “On every matter you're dealing with legal issues that have never been dealt with before. There are not enough prior decisions out there to provide all the answers for issues that might arise. As a lawyer you have an opportunity as you're not bound by a whole body of established law; you have the ability to argue and have a role in making the law.”
  • Although a technical background “can be useful and give you some credibility,” it is not necessarily required according to Callahan. Meal agrees: “Prior experience in computer technology is valuable but certainly not essential.”
  • Variety is key in the beginning, says Meal: “I would want the opportunity to do both compliance and enforcement for some period of time. I would be looking hard for a law firm that would give you a chance to do this in the area – it's quite important.”

“The matters that arise are a really big deal for the client; it's like heart surgery.” Doug Meal, Ropes & Gray.


Current Issues

June 2022

  • The EU is set to reveal a new piece of legislation, the Digital Sales Act, which will force Big Tech to police their platforms more stringently. Failure to adhere to the new regulation could cost companies 6% of their global annual sales. The new act is an attempt to rein in the wild west of the internet and to better protect users from illegal content.
  • The US and the EU agree ‘in principle’ to a new trans-Atlantic data agreement that could ensure the flow of data between the two continents and open up a $7.3 trillion economic relationship. The agreement follows the previously unsuccessful ‘privacy shield’ framework that was rejected by the CJEU in July 2020, as US national security laws were deemed inadequate in their ability to protect EU citizens' digital privacy rights. The deal's collapse was underpinned by fears that stretch back to the controversy surrounding the US National Security Agency and the surveillance of US citizens exposed by Edward Snowden, back in 2013.
  • Ransomware and cyber-attacks continue into 2022, as the FTC advises companies to remediate the Log4j security vulnerability. Log4j is an open-source logging library that helps to run a wide range of internet services, including iCloud and Twitter. A failure to patch the vulnerability cost Equifax $700 million, as they settled actions from the FTC and CFPB. This illustrates the FTC’s efforts to enforce its standards for reasonable data security measures and protect consumer data against the growing threat of cyber criminals.
  • According to the IBM report, global supply chains became the industry most attacked by ransomware criminals in 2021.
  • With many companies moving to remote work as a result of the Covid-19 pandemic, the use of online cloud data storage has hit an all-time high. As a result, protecting data both inside cloud infrastructures and outside cloud parameters has become even more vital – the UN has warned that cybercrime was up a whopping 600% during the pandemic. IBM’s 2022 report indicates a 146% increase in new Linux ransomware code, significantly increasing the threat to cloud storage.
  • In 2015 (under Obama), the FCC adopted net neutrality rules which were overturned in 2017 under Donald Trump’s presidency. In 2018, in response, the California legislature adopted a state law requiring net neutrality, which was challenged by the US Justice Department under Trump. In February 2021, the US Justice Department withdrew this challenge when Biden took office, which will likely pave the way for other states to pass similar bills and lead to a state-by-state approach to net neutrality and general internet.
  • The Federal Trade Secrets Act may produce some interesting cases brought by companies whose trade secrets have been stolen. On a related note, lawyers will see an uptick in “drafting employment contracts to comply” to ensure employees don't pass information on to competitors, according to Lori Lesser of Simpson Thacher & Bartlett.
  • In 2019, Europe started implementing the General Data Protection Regulation: new legislation that focuses on consumer control over personal data. GDPR affects the US too, as domains outside of the EU that process data of people inside the EU must comply with the regulations.
  • The Nevada Privacy Law was the first state privacy law to come into play after GDPR. California started to enforce the California Consumer Privacy Act (CCPA) in January 2020, allowing California consumers to see any personal data a company has saved or shared. California approved updates to this Act in November 2020, which moved the state’s data protections closer to the EU’s GDPR. With the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) coming into force by 2023, and many other states working on bills to enhance data privacy, companies will need to prepare themselves to comply with new regulations.
  • Biometric identification (BI) is becoming more commonplace, and used increasingly as a security measure in mobile phones. The technology's coming on fast and improving all the time: the chance of somebody breaking into your phone because of a rogue Apple Touch ID match is 1 in 50,000, while in the newer Face ID it's just 1 in 1,000,000.
  • The advance of technology – especially 'smart' devices – has already caused a number of privacy concerns. One example is the rise of voice-activated AI assistants like Amazon’s Alexa, which continue to raise privacy concerns for consumers. In 2019 it also emerged that Google’s Nest home security system contained a hidden microphone despite it not being listed on the device’s specs.
  • As artificial intelligence (AI) gathers pace, so does its threat to cybersecurity. According to a Webroot report, 91% of security professionals believe that hackers could launch more sophisticated cyber attacks than previously by using AI.