The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Janine Anthony Bowen is co-lead of both the Privacy Governance and Technology Transactions and the Digital Transformation and Data Economy teams. Additionally, she serves as the Atlanta and Orlando Digital Assets and Data Management Leader. Always operating at the intersection of technology, data and value creation, her skills as an entrepreneur, engineer and strategist come together through her technology practice. Janine is a pragmatic and seasoned professional who counsels clients in matters regarding digital transformation, healthcare technology, privacy and data protection, and the use, licensing, acquisition and commercialization of technology and intellectual property. Because of her knowledge of SaaS—software as a service—and her experience as a software development project manager, she has established herself as a valued source of insight for both vendors and acquirers of technology.
Courtney Litchfield focuses her practice in the area of privacy and data security. Courtney advises clients on breach response and preparedness; compliance with state, federal and international data protection laws; and on identifying, evaluating and managing first- and third-party data privacy and security risks. She has handled data breaches for all types of entities, including health systems, hospitals, title companies, accounting and consulting firms, retirement communities and educational institutions.
Describe your practice area and what it entails.
The Digital Assets and Data Management (DADM) practice group marshals the strength of seven key service areas, to provide comprehensive counsel on the full range of complex and evolving issues associated with data and technology, including digital innovation, e-commerce, fintech, cybersecurity, consumer privacy, transactions, governance, risk management, and more. For example, our Privacy Governance and Technology Transactions (PGTT) team provides strategic advice and counsel regarding privacy compliance issues and negotiates sophisticated transactions surrounding data and technology. The PGTT team assists clients in maximizing the commercial value and minimizing the commercial risk with data and the technology that enables it. Our Digital Risk Advisory and Cybersecurity team helps organizations generate and implement solutions to reduce the risk of significant events, become “compromise ready”, and respond effectively to security incidents.
What types of clients do you represent?
We serve a wide array of clients—from small to mid-size organizations to some of the largest names in virtually every industry, including education, healthcare, technology, hospitality, retail, manufacturing, government, nonprofit, and financial services. This across-the-board type of exposure provides our practice group with unparalleled experience, as well as an understanding and appreciation of the different risks our clients are facing or may face. This positions us to advise clients on all aspects of managing data and digital assets. Our clients include: Bloomberg, Canon, Chipotle, Claire’s, Cox, Duke University, Garmin, Luxottica, Marriott, McDonald’s, Memorial Sloan Kettering, Planned Parenthood, Publisher’s Clearing House, and Qurate.
What types of cases/deals do you work on?
Because the DADM practice group works with clients through the life cycle of data— privacy, security, marketing and advertising, transactions, and emerging technology—within an organization, the types of matters our attorneys work on varies exponentially from one service offering to the next.
Janine: As co-lead of DADM’s Privacy Governance and Technology Transactions and Digital Transformation and Data Economy teams, I work at the intersection of data, technology, innovation, and value creation by negotiating strategic commercial transactions and advising clients on data and technology strategy.
Courtney: As an associate with DADM’s Healthcare Privacy and Compliance team, I assist healthcare organizations through privacy and data security incidents, compliance with state, federal and international data protection laws, regulatory investigations, and complex HIPAA issues.
How did you choose this practice area?
Janine: I have a background in engineering and worked in technology companies for about a decade prior to practicing law. During that time, I was exposed to technology contracting on the business side. My transition into a tech-related law practice was a natural next step. Until HIPAA and California’s SB 386 and the dot.com heyday in the late 90s and early 2000s, there was no defined practice called ‘privacy.’ Privacy practice was a direct result of the growth of technology, computing, and the internet. At the beginning, all technology practitioners had to understand privacy, so I did. So, privacy practice for me is supportive of my technology practice.
Courtney: When I transitioned from law clerk to first year associate at my prior firm, I was sort of like a free agent—I worked with a number of partners all in different practice areas (including incident response), which was great because I learned a lot. When I got the opportunity to lateral to BakerHostetler, a big part of my decision was whether I was ready to focus my practice on cybersecurity and data privacy. What it ultimately came down to was—yes, the chance to be part of something that was still relatively new and constantly evolving—but also, and more importantly, the opportunity to be that go-to, indispensable person when an organization needs help most. It is very rare that someone wants to be seeking a lawyer’s guidance—especially in incident response. However, our clients are always extremely grateful to have us in their corner and it truly is a fulfilling practice.
What is a typical day like and/or what are some common tasks you perform?
Janine: In a transactional practice in this space a typical day includes client counseling on tactical tech and privacy issues, drafting tech-related agreements for clients, negotiating enterprise level deals, and developing our associate talent. Giving strategic advice is also core to my practice, so I spend a good bit of time with General Counsel and C-level executives working through their company’s technology and digital business models as well as contemplating the role and value of data in the business. Finally, as data grows in value to businesses, I work with our M&A deal teams on privacy and technology diligence as a subject matter specialist.
Courtney: With incident response, a typical day is tough to come by. Just like the DADM group follows the life cycle of data, we IR attorneys follow the life cycle of an incident. If I am assisting a client through the initial hours of a ransomware infection, I am focused on retaining several different vendors (from forensics to remediation to crisis communications), identifying the internal client workstreams, and developing a response to intense media scrutiny. If I am later working with that same client on preparing for a regulatory investigation following the ransomware attack, my focus has shifted to identifying likely requests and potential gaps in the client’s security posture, and providing guidance on how to remediate those issues to best position the client in advance of the anticipated investigation.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
Janine: Technology and privacy are fast moving and constantly evolving practice areas where the law never catches up with state of the art. A few things are important: (a) be nimble and ready to learn new things, (b) understand the fundamentals of privacy by getting the CIPP/US credential, and (c) generally understand, or have the ability to grasp, technology and esoteric concepts.
What is the most challenging aspect of practicing in this area?
Janine: Technology moves so quickly, simply keeping up with it is challenging. Leveraging the law, which is always lagging behind innovation, in ways that drive value for clients requires pragmatism and creativity.
Courtney: There are various challenging aspects to practicing in this area. For instance, because it’s constantly evolving, keeping up with new technology, cybersecurity trends, regulations, and enforcement issues can be a lot to manage. New data privacy laws and amendments to state breach notification laws are popping up here and there and, of course, no two are the same. Being aware of and understanding the impact of these consistently changing nuances is necessary in this practice area. While this can be difficult, it contributes to why this field is so dynamic. Another challenging aspect specific to incident response is that, when dealing with ransomware, the organization you are counseling literally cannot operate it business. For me, this could mean my client is cancelling patient appointments, taking offline a software application used by providers to read test results, or temporarily closing its COVID-19 testing site. This can of course be stressful, but at the end, knowing you helped a client through some of the worst days, weeks, or even months of their professional lives is very rewarding.
What do you like best about your practice area?
Janine: I really enjoy driving tech and data strategy with clients. Also, my practice is one where it’s my job to say ‘yes’ and figure out how to get deals done. It is not one where ideas go to die. I love enabling client success and driving the bottom line in that way.
Courtney: I really enjoy working closely with healthcare organizations. The fact they provide such essential services makes helping them through a crisis, such as a ransomware attack, very meaningful. Getting our healthcare clients back up and running is critical not just for the organization itself, but for the community they serve (especially when fighting off an unprecedented global pandemic). Other factors that make working with healthcare organizations extremely interesting and engaging is the often-complex structure of the organization, the unique relationship they have with their patients, and the troves of data and information systems they typically maintain.
What misconceptions exist about your practice area?
Janine: A technology transactions-oriented practice is much more than procurement. Navigating technology and data creation in ways to create and drive value for enterprises is strategic and increasingly the lifeblood of business.
Courtney: That my every day is heavily focused on technology or that I have a very detailed understanding of how information technology works—it’s not and I don’t. Like Janine said, being able to grasp technology is important in this area, especially if you are counseling clients on how they can leverage technology to solve business problems. It’s also very helpful when working with organizations and forensic firms—knowing what questions to ask, how to ask them, and what the response means can impact your overall understanding of how a particular incident occurred and/or what a threat actor did while in an environment. However, not every lawyer in this area fully grasps what blockchain is, what a firewall actually does, or how and why an enterprise-wide password reset can “break” systems in an environment. I have learned a lot about technology in the few years I’ve been practicing, and I hope to continue to learn more. Though, with that said, you don’t have to have a deep knowledge of technology to be successful in and enjoy this practice area.
How do you see this practice area evolving in the future?
Janine: Data-as-an-asset will continue to drive the practice in the near terms. Balancing compliance and regulatory obligations with the needs of the business to drive value through and with data will be critically important. Foci that are purely regulatory or purely commercial will not work. A hybrid practice that is focused on both aspects is the future and will be required for business success.