Becoming a data security lawyer - Perkins Coie

Data security

Data is the great commodity of our age. It's a hot, controversial topic that needs good lawyers to handle its complexities. Step forward, Perkins Coie.

Chambers: How exactly would you describe data security?

Erin Earl: Data security is the suite of technological, organizational, physical, and other measures deployed to protect non-public information held by individuals, companies, or other organizations. Data security as a legal practice involves helping clients develop their processes for putting appropriate protections in place and respond to legal issues that arise when those protections turn out to be ineffective.

Jim Snell: Data security involves national security issues, issues regarding the balance of rights over innovation (and the ability of the United States to remain a technology leader), and a host of constitutional issues. In that sense, the work we do is very, very important.

Marina Gatto: Data security includes helping clients protect their data through the implementation of mechanisms such as “privacy by design,” to ensure that data is protected from unauthorized access.

What do the partners do?

Nicola Menaldo: Partners do a mix of business development (delivering CLEs, working on pitches, attending conferences, etc.) and legal work. The legal work, which is the majority of work for most partners, primarily involves directing and discussing strategy, for example on weekly team calls, reviewing and revising work product, interfacing with the client, preparing for and taking depositions, and providing written advice and advice over the phone.

JS: Our overall goal is for all group members to be data security and privacy generalists (meaning they can issue spot data security and privacy issues) who have specific specialty areas. So we have lawyers with deep expertise in FTC investigations, state AG investigations, class action litigation, data security and data breach preparation and response, HIPAA, COPPA, CCPA, technology transactions and other privacy transactional issues, responses to governmental or other third party requests for information, product launch, etc. The partners are generally the main points of contact for clients and carry a heavier administrative burden relative to the group.

What do the senior associates do?

NM: Senior associates (called “counsel” at Perkins) do similar work to partners, with a bit less business development and more responsibility for supervising junior associates and creating work product from scratch (e.g., working with a team to create a brief that is ultimately reviewed by the partner).

EE: Senior associates help partners with day-to-day case or matter management, including managing discovery, working with junior associates on preparing high-quality motion drafts, and participating in negotiations with opposing counsel. Senior associates also help partners with pitches, drafting articles, and monitoring legal trends.

What do the junior associates do?

EE: Junior associates get involved early with business development, including helping with research for pitches, drafting articles and client updates, and monitoring cases and legislation to provide insight to more senior attorneys on legal trends. Junior associates also are asked to help with day-to-day management of document review teams, with key legal research, and with preparing the first draft of motions.

JS: Our junior associates are supervised closely by more experience lawyers but generally work one-on-one with the clients, take primary lead on drafting motion papers, and appear and argue motions in court. This specialty area is somewhat unique to our firm and provides a great training ground for the various areas junior associates need to develop.

MG: Junior associates will undertake any research necessary to help answer a client’s questions and inform the partner and senior associate they are working with of any recent changes to the law that may be relevant. The associate may also draft recommendations for the client or suggested next steps for compliance with the law.

What kinds of work is involved day to day?

NM: There is a good mix of team work and solo work. As a counsel, some days are consumed with meetings and phone calls and other days I can work on my assignments alone in relative peace.

"...the opportunity to work in such an exciting, fast paced and evolving area of the law which is constantly changing, which challenges me to be a better lawyer."

JS: The kind of work day to day runs the gamut. In the past several months, for example, I have met with state legislators regarding needed amendments to the CCPA, spoken to the California attorney general staff regarding interpretation of the CCPA, argued a motion with potential witness testimony related to the Stored Communications Act and sought and obtained a stay pending appeal of the decision in that matter, counseled a large number of clients on the CCPA, TCPA, and other privacy compliance matters and led the defense of several large class action and smaller litigation matters. The work is dynamic and interesting.

What are the highs and lows?

JS: The highs are that we have a great group of collaborative privacy experts and we work with a great group of clients from Fortune 50 companies to small startups on emerging data security issues. Another high is that the developing nature of technology and data security law provides many opportunities for creative solutions to thorny problems. This can also be a low in the sense that complicated issues can be frustrating but the good far outweighs the bad.

NM: Highs are finishing and filing high quality briefs, because of the team work involved at the end and the fun of making and refining good legal arguments; and working with and being part of a team of lawyers that I truly respect and admire and who all know and think about privacy issues in sophisticated ways. The low is: always feeling like there isn’t enough time in the day.

EE: For me, the highs involve delivering a win for the client, however the client defines a “win.” That could be a legal victory like winning on a motion or convincing a regulatory to close an investigation without enforcement, a negotiated victory like a workable consent decree or favorable settlement, or an operational victory like launching an information security program. The lows generally involve long hours on tight deadlines.

MG: The highs are having the opportunity to work in such an exciting, fast paced and evolving area of the law which is constantly changing, which challenges me to be a better lawyer. The hardest thing for me is saying “no” to work – there are only so many hours in the day.

Describe your latest case: what was the client's problem? What was your role? How did you spend your days?

NM: I am currently handling a TCPA case involving novel issues about what constitutes telemarketing, a case involving claims under Washington’s Gambling Recovery Statute, and several cases under Illinois’ Biometric Information Privacy Act. I generally work on strategy and draft and edit briefs. On one case, I am working a lot with experts and data to prepare for opposing class certification and on another case I am responsible for managing discovery.

EE: My newest case is a data breach class action that’s just getting started. I’ve been involved with the partners in developing case strategy, working on preparing a draft motion to dismiss, conducting a factual investigation (including gearing up for witness interviews), and thinking through an initial discovery plan.

What would you say the future of data security practice looks like? "Busy" - Nicola Menaldo

JS: My latest case involved a felony murder trial where the defendants sought user documents from social media providers. The Stored Communications Act makes it unlawful for providers to produce those documents, which should be obtained from the actual users, but the defendants argued that their constitutional rights trumped the Stored Communication Act. My role was taking the lead on drafting the briefs, arguing before the trial court, and preparing witnesses for an evidentiary hearing.

MG: One of my recent cases involved counseling a client on the impact the California Consumer Privacy Act (“CCPA”) may have on a program they were considering implementing. I conducted an in-depth analysis of how the CCPA may apply to this program, based on the types of personal information the client was likely to be collecting and sharing. It was very exciting to be able to be creative in thinking of various approaches the client could take to minimize their exposure under the CCPA.

What are the current trends in affecting data security?

NM: In general, consumers, regulators, legislators, and judges are all scrutinizing privacy and data security more closely than they ever have before. And companies are collecting more personal information than ever before. As a result of both of these trends, companies face increasing exposure on the privacy and data security front and need more legal help to navigate changing and new laws and defend themselves in the event of litigation.

EE: All 50 states and the District of Columbia now have data breach notice statutes, but a new wave of state legislation led by the California Consumer Privacy Act will lead to new statutory causes of action for data breaches.

JS: There are several trends affecting data security. The ubiquity of Internet of Things devices means that more and more companies are collecting and using data. Regulation in this area is increasing (for example, the California Consumer Privacy Act which has a private right of action for certain data security breaches) and the regulations are not always as clear as they should be. This means that the issues are mushrooming and becoming more and more important to companies.

MG:The biggest trend that is affecting the privacy & data security space is the passage of the California Consumer Privacy Act (“CCPA”). The CCPA is one of the most sweeping and strictest general privacy and data security law in the country, and it creates new rights for California consumers and imposes corresponding obligations on businesses based both inside and outside of California.

What would you say the future of data security practice looks like?

JS: This is a growth area in the law. Data security will continue to be a more and more important issue for more and more companies. Laws will continue to be passed and interpreted. And breaches will continue to expand and to be more sophisticated.

MG:The future of the data security practice is going to be exciting. I think we are going to see the passage of new privacy laws at both the state and potentially the federal level which will continue to transform how companies do business.

NM: Busy.

EE: One thing’s for sure: companies are going to need data security lawyers for the foreseeable future.

What's the most interesting data security matter you've worked on?

NM: I work on a number of facial recognition matters and find them all to be fascinating.

EE: I worked on a really interesting FTC investigation looking into alleged vulnerabilities in devices manufactured by an Internet of Things company.

JS: One of the most interesting matters I worked on was one where a customer of a client had used the same login and password for the client’s website as it had for a different website that had experienced a data breach. A malicious party then used that login and password to access the customer’s information on the client’s website. Getting to the root cause of the event took time, and investigations regarding such causes are usually done on very shortened time with lots of pressure.

What personal qualities make a good data security lawyer?

NM: Interest in technology, ability to navigate uncertainty and a changing legal landscapes, creative thinking. At our firm, you also need humility, curiosity, and the ability to work well on a team.

EE: Matters can tend to move very quickly, so being proactive, thinking ahead, and keeping organized are all important attributes. At the same time, being flexible enough to roll with the punches and adapting strategy to fit facts as they’re learned and developed also is important

JS: I think a good data security lawyer is smart, practical, experienced, collaborative, geeky (in the sense they honestly enjoy data security issues), and creative.

MG: Data security and privacy lawyers must be able to evolve and adjust along with the constantly shifting privacy landscape.

What can students do to prepare themselves for a career in data security?

NM: Take classes on privacy and data security, read TechCrunch and other technology-related publications, consider learning computer science or engaging in extracurricular activities that enhance your ability to communicate with a tech-focused clients and to understand technical issues that regularly arise in these cases.

EE: For data security in particular (more than privacy in general) having a basic level of technical competence and understanding will probably be helpful in understanding your client’s questions and needs. It’s even more helpful to become comfortable and develop instincts regarding a wide range of legal areas, especially statutory interpretation, federal courts, and tort and contract law.

JS: I would recommend that students immerse themselves in the issues and identify a few specific areas of interest in which they can become an expert.

MG: To prepare for a career in data security & privacy students can stay up to date on current and future privacy laws. It is fast paced and evolving area of the law, so any ways that students can stay up to speed on current privacy trends will help them in their future careers.

What makes the field of data security unique? Could you describe the opportunities unique to Perkins Coie?

NM: The practice is unique because it involves both litigation and counseling. This is beneficial because it allows lawyers to stay abreast of the most recent challenges and laws that companies are grappling with, while also engaging in the exciting world of litigation and gaining the experience and ability to advise clients that comes with that.

Perkins Coie represents nearly all of the household names in the technology industry on privacy and security issues, so practicing at Perkins Coie really allows lawyers to operate at the cutting edge of this type of practice. The work is always changing, never boring, and always challenging.

EE: At Perkins Coie, our clients range from the most sophisticated technology companies to small companies seeking guidance on setting up a basic security program and incident response. This means that not only do you get to work with industry-leading attorneys on the most cutting-edge data security issues, but you also get hands-on experience starting at a junior level to work with clients and build your own chops.

JS: The field of data security is unique because it is constantly evolving, both in terms of law and technology, and it matters to everyone. The opportunities unique to Perkins Coie include our strong collaborative culture, both as a firm and within our group, which means that clients get efficient advice from the best lawyers to render it and our terrific client relationships with many of the major players and start-ups alike.

Read the Inside View on Perkins Coie>