DATA PRIVACY & CYBERSECURITY

Data Privacy & Cybersecurity (often referred to as just “Privacy”) practice covers counseling, litigation, negotiation, and other activities related to privacy and protection of personal information and other data under applicable law and cybersecurity best practices.

Data privacy practice is largely driven by applicable laws and regulations in the U.S. and in other countries.  Well-known examples include: GDPR (General Data Protection Regulation, a sweeping data privacy law in the European Union) and equivalents in other countries, CCPA (California Consumer Privacy Act), COPPA (Children’s Online Privacy Protection Rule), BIPA (Illinois Biometric Information Privacy Act), and other state and federal laws.  Although the U.S. does not have an overarching robust data privacy statute similar to the GDPR in the EU, many U.S. states have put such laws into effect or are in the process of doing so.

In addition to more general data privacy laws, other laws cover the protection of specific types of personal data – for example, HIPAA (Health Insurance Portability and Accountability Act) governs the use and privacy of individual’s health information and the Gramm Leach Bliley Act governs the treatment of personal information by financial institutions.

Data privacy practice at a BigLaw firm can take many forms, including:

Transactional:  This can include negotiating contracts or portions of contracts related to data privacy (the most common example is a Data Processing Agreement/Addendum, required between two companies under GDPR and other laws where the transfer of personal data is involved), performing due diligence in mergers and acquisitions to analyze possible risks of a company’s data privacy and cybersecurity practices and history, negotiating data privacy- and cybersecurity-related terms of a merger agreements and other transactions, and other activities.

Litigation:  This can include defending companies against lawsuits brought by classes of individuals or enforcement actions brought by state Attorneys General, the European Union, or other government bodies related to data privacy practices.  Such lawsuits can come out of violations of data privacy laws or in response to data breaches, where a company may be required to take certain actions (such as remedial measures, free credit monitoring to affected individuals, payment of damages, and others) – the latter is often referred to in practice as “data breach litigation” or “breach response litigation.”

Counseling/Compliance:  It is common for law firm privacy practices to provide general regulatory compliance advice and counseling to clients.  Examples include assisting clients in establishing their privacy policies (also known as privacy notices), setting up data privacy and cybersecurity practices that meet legal requirements, industry best standards, and third-party certifications (such as the popular ISO and SOC-2 frameworks) and providing counsel on specific technology or practices on whether they pose a risk of legal violation, civil litigation, or data breach.

Some law firm privacy practice groups handle only certain categories of privacy matters (for example, focusing primarily on support for mergers and acquisitions with due diligence and negotiation of privacy-related terms or focusing only on privacy litigation), while some handle all of the above.  If you are a law student considering data privacy and cybersecurity practice at a BigLaw, it is critical to understand exactly the types of matters the group covers and make sure it aligns with your career goals

As new laws and regulations have come into effect over the past several years to govern emerging technologies, privacy practice has become one of the fastest-growing areas of law.  This is especially the case with the significant increase in popularity of artificial intelligence (AI), which brings considerable privacy implications.

Because privacy best practices and compliance are now a central legal concern for large companies, especially in the technology industry, data privacy legal roles are very common on in-house legal teams.

Within most BigLaw firms, the privacy practice group works closely alongside other adjacent groups, such as technology transactions, because of how commonly data privacy considerations come up in technology deals.  At many firms, the privacy team works as a subset of the technology transactions team, and/or the technology attorneys handle privacy matters in addition to their core technology transactions practice.

Many privacy attorneys are attracted to this area because it is at the forefront of a rapidly developing and relatively new area of law, provides a diverse set of exit opportunities (between law firm and in-house roles), and often provides a rare combination of transactional, litigation, counseling, and regulatory compliance practices.

LEARN

Check out the following stories of high-profile deals and cases related to antitrust. 

This is a great way to learn about antitrust law through actual examples, to determine if this is a practice in which you are interested and become more knowledgeable for networking events and interviews with antitrust attorneys.

The cancellation of this merger between Adobe and Figma, which would have been the largest acquisition of a private company by value, is an example of antitrust considerations getting in the way of a large proposed merger.

In December 2023, large U.S. health insurer Cigna ended its negotiation of acquisition of Humana, another large U.S. health insurer, partially out of concerns of antitrust scrutiny given the sizes of the companies in the industry and health insurance mergers that were blocked in the past on antitrust grounds.  This provides a good example of how antitrust considerations can shape the course of a possible transaction before a formal deal is was even signed or an enforcement action was brought.  

Epic Games, the maker of the popular Fortnite video game, famously brought a lawsuit against Apple for its requirement that games in its App Store use Apple’s payments system at a 30% commission, claiming that the practice violates U.S. antitrust laws as anticompetitive and stemming from Apple’s alleged monopoly in mobile gaming.

This case provides a great example of high-profile antitrust litigation for certain anticompetitive practices, outside of the context of a proposed merger.

This lawsuit brought by the U.S. Federal Trade Commission against Meta (formerly known as Facebook) for allegedly maintaining a monopoly in social media, provides a good example of litigation brought by the U.S. government against a particular company on antitrust grounds (as opposed to litigation brought by another company, an individual, or a class of individuals). This case is also especially interesting because it stems partially out of Meta’s acquisition of Instagram and WhatsApp, which had already been approved and completed several years earlier.

LISTEN

Check out these episodes from the How I Lawyer Podcast, a series by Georgetown Law professor Jonah Perlin.  

Jonah talks to attorneys throughout the professions about what they do, why they do it, and how they do it well.

This podcast series is a great way to learn directly from attorneys about what the day-to-day work is like in different practice areas. 

How I Lawyer Podcast

Kirk Nahra, WilmerHale

In this episode, Jonah Perlin speaks with experienced privacy and cybersecurity lawyer Kirk Nahra, Partner at WilmerHale in Washington, D.C., where he chairs the firm’s Big Data and Cybersecurity & Privacy Practices. He has been a leading authority on privacy and cybersecurity matters for more than two decades. He counsels clients across industries from Fortune 500 companies to startups but is best known for his work with health insurers, hospitals, service providers, pharmaceutical manufacturers, and other health care industry participants.

How I Lawyer Podcast

Pia Owens, In-House Tech Lawyer

In this episode, Jonah Perlin speaks with Pia Owens. Pia has worked as a technology lawyer at a big law firm, in state government, and now for a technology company based in Massachusetts where she is responsible for commercial agreements, software licensing, cybersecurity, and data privacy. This conversation covers how Pia handles new and complex cybersecurity regulatory regimes, how she drafts contracts, the differences between practicing as a technology layer in an in-house setting as outside counsel and as a government attorney.

How I Lawyer Podcast

Suchi Pahi, Databricks

In this episode, Jonah Perlin speaks with Suchi Pahi who is a data privacy and cybersecurity lawyer as Senior Privacy and Product Counsel at Databricks. Earlier in her career, she was an associate in the data privacy and cybersecurity practice groups at two major law firms: Greenberg Traurig and Baker Hostetler. She is a regular speaker on data security topics and holds her CIPP/US certification from the International Association of Privacy Professionals. This conversation covers a deep dive into the worlds of data privacy and cybersecurity (and the differences between the two).

How I Lawyer Podcast

Dan Cotter, Howard & Howard

In this episode, Jonah Perlin speaks with Dan Cotter, an attorney at Howard & Howard in Chicago, where he represents businesses at many different stages in corporate and transactional matters and has a particular emphasis on privacy and cybersecurity law. But over the course of his 25-plus years as a lawyer, Dan has had a varied and in his words "eclectic" practice having practiced in different areas and different settings including but not limited to litigation, in-house counsel, outside general counsel, and working on behalf of both for profit and non-profit entities.

How I Lawyer Podcast

Danielle Citron, UVA Law

In this episode, Jonah Perlin speaks with Danielle Citron, who is the Jefferson Scholars Foundation Schenck Distinguished Professor in Law and Caddell and Chapman Professor of Law at the University of Virginia Law School, where she writes and teaches about privacy, free expression, and civil rights. She is the recipient of numerous awards including the MacArthur Genius Grant in 2019 for her work on cyberstalking and intimate privacy. She also serves as the inaugural director of the school’s LawTech Center. She is a gifted teacher and prolific writer including two books, Hate Crimes in Cyberspace and The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age, and is a public intellectual who has published in popular outlets, given testimony to lawmakers, and worked directly with legislators on issues related to technology and privacy.

Stay tuned for additional content coming soon!