In a nutshell
The issue of privacy and data security is one of the most pressing and controversial in our digital age – so naturally it’s a growth area for lawyers. The law in this area is still relatively new, but nonetheless it struggles to keep up with rapid technological advances. Lawyers advise clients on the collection, use and transfer of personal information. Multinational companies, developers of products and public bodies are all under pressure to comply with ever-changing regulation that protects the consumer.
Attorneys might focus on compliance and take a proactive approach, ensuring clients adhere to their obligations to protect personal information either from outside attack or from misuse by employees. Alternatively, lawyers might assume a more reactive role and deal with data breaches, as well as contentious matters and investigations conducted by data protection authorities. This part of the practice is also known as the enforcement side.
The rise of social media companies, smart technology and data transmission means that lawyers in this field are increasingly relevant. A growing awareness of what is being shared between organizations has prompted the need to protect not only personal data but intellectual property too. “Cybersecurity is going to be a hot button issue,” according to assistant secretary for the Department of Homeland Security's Countering Weapons of Mass Destruction Office and ex-head and founder of Jenner & Block's privacy team Mary Ellen Callahan. “There is more interest than ever in keeping information protected.”
What lawyers do
- Advise companies on data transfer and storage.
- Advise companies on risk factors that make them vulnerable to cyber attacks.
- Negotiate settlements for clients accused of neglecting their legal obligations.
- Litigate on behalf of clients whose data has been breached.
- Are sometimes employed on a 'just in case' basis to take action in tricky situations.
- Work with engineers and developers to ensure that software adheres to regulatory obligations.
Realities of the job
- “Given that this area affects all types of businesses, you’ll work with a whole range of clients,” Callahan tells us. Her practice covers everything from “the entertainment industry to government contracts. I like the variety and the fact that I deal with six to 12 clients a day.”
- On the reactive side of the practice, the pressure can be high. “The matters that arise are a really big deal for the client; it's like heart surgery,” says Doug Meal, former partner at Orrick. “Dealing with a major security breach feels truly life threatening for the client so it's really rewarding when, first of all, you get engaged by a client who needs help in this scary and stressful situation.” However, this can also “put significant stress on you; the clients are really counting on you and you feel tremendous responsibility for them.”
- This burgeoning area of law provides plenty of hands-on experience for young lawyers. Callahan tells us: “I have a woman working on international data transfers and another on mobile data protections. They will work somewhere between one and four hours and then meet to talk about the issues. They might participate once a week in client calls to follow up on aspects and do a status check. When we are in reactive mode we need a more rapid pace, perhaps with hourly calls. On a breach, for example, we need to be all hands on deck.”
- With new territory comes the need for creativity. “This body of law barely existed 10 years ago,” says Meal. “On every matter you're dealing with legal issues that have never been dealt with before. There are not enough prior decisions out there to provide all the answers for issues that might arise. As a lawyer you have an opportunity as you're not bound by a whole body of established law; you have the ability to argue and have a role in making the law.”
- Although a technical background “can be useful and give you some credibility,” it is not necessarily required according to Callahan. Meal agrees: “Prior experience in computer technology is valuable but certainly not essential.”
- Variety is key in the beginning, says Meal: “I would want the opportunity to do both compliance and enforcement for some period of time. I would be looking hard for a law firm that would give you a chance to do this in the area – it's quite important.”
Current Issues
June 2024
- In September 2022, the EU signed the Digital Services Act (DSA) into law. The Act is an attempt to rein in the wild west of the internet and better protect the swathes of users’ data amassed by these companies. The DSA limits the ability of companies to use sensitive personal data for things such as targeted advertising.
- As artificial intelligence (AI) gathers pace in the form of ChatGPT and Google Gemini, so does its threat to cybersecurity. However, in a truly revolutionary move, the EU has approved its AI Act as of May 2024. With a risk-based system, the establishment of an AI office within the European Commission, and incoming bans on certain AI tools set to come into effect by the end of the year, this Act is the first of its kind, but won’t be fully in place until 2026. So, watch this space!
- Naturally, the meteoric rise of AI hasn’t gone unnoticed in terms of its increasing pertinence to privacy and data security considerations too. In an interview with Forbes, the chief cyber and legal officer of Adobe, Nubiaa Shabaka, says of this: “How privacy and security is impacted by AI, ooh ooh ooh, the stories you can tell. The concept of good folks and even bad actors are able to just be so much more sophisticated on a proactive and reactive standpoint. AI is here. We really need to incorporate it in a privacy and security conscious fashion, but it will allow us to be more privacy-centric when done correctly, and allow us to be more security-focused, when done correctly, to counterbalance the bad actors. Having security and privacy sit at the table in AI governance really keeps security and privacy top of mind when we roll out AI to make sure they have those appropriate data protection aspects.”
- Shabaka continues: “If you think about what’s going on in the EU, they’re actually proposing and passing laws that treat all data the same as personal information, where you need to have the transparency and you need to have the impact assessments. Or you have security-related incidents and laws proposed and passed that is not just if you have a security incident as it relates to personal information, but if you have any security incident, you need to provide the appropriate transparency. In data governance, what I am seeing is the convergence of what used to be unique disciplines of privacy and security, AI and data governance, whereby it’s all one and it’s all together. They’re very similar principles.”
- In April 2024, President Biden signed a bill to reauthorize Section 702 of the Foreign Intelligence Surveillance Act for two years, despite widespread concerns about potential misuse. Section 702 allows the government to collect massive amounts of data from phones and the internet, all of which is meant to bolster national security by giving US intelligence agencies easy access to the data of foreigners.
- The White House laid out version 2 of its National Cyber Security Implementation Plan in May of 2024, detailing the ways in which the government is strengthening national cybersecurity. They hope to shepherd the nation towards “a more equitable economy, a safe, secure, and trustworthy artificial intelligence ecosystem, a more cyber secure space systems ecosystem, a more competitive cyber workforce, and a stronger democracy.” The four pillars of this strategy are defending critical infrastructure; disrupting and dismantling threat actors; shaping market forces to drive security and resilience; investing in a resilient future; and forging international partnerships to pursue shared goals.
- With many companies navigating the world of hybrid working, the use of online cloud data storage has hit an all-time high. As a result, protecting data both inside cloud infrastructures as well as outside cloud parameters has become even more vital. Recent stats from Statista show that in 2023 alone, almost 350 million individuals were affected by data compromises in the US.
- If passed, the recently proposed American Privacy Rights Act (APRA), meant to be the nation’s answer to Europe’s GDPR, will overrule individual state privacy laws by creating standardized, federal law for companies that would hopefully take some of the weight off their shoulders in terms of compliance. It’s also intended to minimize the amount of data they collect through a three-tier system – the Federal Trade Commission (FTC), individual actions, and different states – all of which may put advertisers at a higher compliance risk.
- Amid fears that TikTok’s parent company, ByteDance, will allow sensitive data to become readily accessible to the Chinese government, President Biden has signed legislation that will force TikTok to be sold to a government-approved buyer, or else it risks being banned. In retaliation, the company then sued the federal government. Concerns have also swirled about the rise of misinformation in the United States that stems from TikTok, with lawmakers dubbing the app a “national security threat.”