The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
James Sherer, Partner, and Whitney Schneider-White, Associate—Digital Assets and Data Management (2023)
James Sherer co-leads the Emerging Technology team of BakerHostetler’s Digital Assets and Data Management Practice Group (DADM) while directing the firm’s artificial intelligence and information governance engagements. His work spans litigation, transactions, and regulatory enforcement while helping clients confront discovery management process issues; enterprise risk management; records and information governance; data privacy, security, and bank secrecy; artificial intelligence and algorithmic transparency; technology integration issues; and related merger and acquisition, asset purchase, and divestiture diligence.
Whitney Schneider-White’s practice focuses on privacy, data protection, and information governance; advising clients on compliance with evolving U.S. state and federal privacy legislation; and cross-border data protection matters. A certified privacy professional (CIPP/US), Whitney counsels clients on legal questions related to information and data use as well as compliance obligations associated with corporate privacy practices. Leveraging her in-house experience, Whitney also provides clients practical business solutions for compliance with U.S. and global privacy regulations.
Describe your practice area and what it entails.
Our practice varies based on the type of work our clients require. In general, we follow our clients’ data—understanding how client data is flowing and being used and accounting for and documenting that data movement from creation through management, utilization, transfer, and ultimately destruction. We have to understand our clients’ businesses and goals and provide guidance on how to manage and transform data within that structure. This generally requires communication with client attorneys and other stakeholders, including clients’ privacy, security, technology, marketing, and human resources teams. The scope of engagement varies depending on interests, specialties, and seniority, but it always carries an expectation that each professional in our group has sufficient information about the data, the technologies using it, and client expectations to provide forward-thinking and practical advice.
What types of clients do you represent?
Our client list runs the gamut, from very small operations with limited personnel to Fortune 50 companies. This allows us to evaluate issues across various settings with very different stakeholders and understand why certain matters are global initiatives and others are small but important strategic parts of overall goals. We work to develop bigger-picture issues and confirm that ad hoc or project work still supports an overall company strategy and legal requirements. Privacy and data security are intrinsic to day-to-day work for clients ranging from companies that engage us to help them with their privacy programs and compliance to clients from other practice groups that have a privacy or security component within their separate engagements.
What types of cases/deals do you work on?
Our practice focuses less on specific cases or deals and more on multifaceted client engagements. We do, however, support our colleagues’ cases and deals by providing guidance on privacy requirements, due diligence support, and deep litigation subject matter knowledge. As the practice follows the data, so too do the types of cases and deals we work on. We may be involved in acquisition due diligence for privacy issues, especially where data is one of the primary assets considered in divestiture concerns, information is among the assets, or there are data retention or destruction requirements. We also deal with contracting associated with existing or novel uses of information and support data transfers, whether in litigation, in regulatory response, or among contracting parties. In recent months we’ve counseled on compliance with new privacy laws, including the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the New York City Automated Employment Decision Tools Law. Dramatic regulatory transformation is underway, so we find ourselves consulting on in-flight projects or work related to the introduction of new laws and regulations.
How did you choose this practice area?
Attorneys in this area are not afraid of technology, but we also don’t assume that we understand everything, and we know we don’t understand everything perfectly. This practice area is ideal for attorneys fascinated or intrigued by the use of information generally and who are comfortable with confronting ambiguity and digging deeper into technologies to understand what’s happening. Depth of knowledge and experience are ultimately key for our provision of policy requirements, contractual provisions, and the strategies associated with use of those technologies.
James: I wanted to be a telecommunications attorney. I was fascinated by how people communicated and what new uses of data were coming into vogue even back in 2002 or in law school in 1999 during the first dot-com boom. So, I’m a product of my time.
Whitney: I started in a different practice area but wanted to focus more on governance and contracting. I was drawn to the dynamic nature of privacy law and enjoy combining legal interpretation with practical advice.
What is a typical day like and/or what are some common tasks you perform?
The only typical part of the day is the variety of work that will inevitably be addressed. With this practice area, you’re frequently spending the day working for clients across the spectrum of industries and with different needs. We often work for several clients each day—some that have large, ongoing engagements, while others surface every couple of months needing a contract reviewed or a policy updated. Privacy requires a more active client management practice than you would see in traditional regulatory response litigation or deals where there are outside pressures, not just client direction. Our engagements require progress on certain tasks and responsibilities to other stakeholders where we deal with changing internal practices, evaluating information governance regimes, and working on overall strategy, which are different tasks that can take very long periods of time, especially when clients have to develop shareholder support. There’s a role for outside counsel to help manage projects to help keep momentum, but also to be very responsive to clients when they come back with specific questions.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
There are certification and credentialing programs oriented toward this practice area. The International Association of Privacy Professionals maintains a set of different credentialing programs for privacy practitioners, ARMA and AIM provide for credentialing for information governance, and there are a variety of other credentialing bodies (like the Association of Certified E-Discovery Specialists) or technologies (like OneTrust) that can both teach knowledge and demonstrate experience.
Attorneys who want to dig in deeper on the specifics of AI can consider coding programs and certifications in those areas, and while no program is currently required to practice law in this area per se, we’ve seen a fairly gradual but inexorable movement toward certification for our practitioners within this and related spaces.
When we were in law school, there weren’t really classes focusing on this area. But as law schools introduce classes and further define scopes of practice, classes, clinical work, and internships also provide value. Internships can be particularly helpful to understand what future clients will look for. If you’ve had some experience working in-house, it provides insights into communication and governance strategies for the future.
What is unique about your practice area at your firm?
There are very few firms, if any, that have the depth of privacy experience that BakerHostetler does, in part because of the large nature of the group and the opportunities the group gives to both specialize in specific areas and cross-pollinate across similar client initiatives and benchmarking opportunities.
Because there are so many aspects to privacy and security, often only a handful of individuals will have specific experience or knowledge in more niche areas, leading to consultation by people across the firm. We have a very distributed structure and work with attorneys all over the country, but we frequently collaborate in a way that not every practice area does.
What are some typical tasks that a junior lawyer would perform in this practice area?
We expect that junior attorneys in this space are conversant in much of the work that we do, and as we benchmark across different client experiences, junior attorneys are essential members of the team. By working for a variety of clients on different tasks, junior attorneys in this space develop a broader understanding of how clients operate—not only with particular clients but also across industries in ways that mirror different types of practices. Specific activities include drafting internal and external privacy policies, assessing cookies and trackers used on client websites, drafting data processing agreements, and performing research on specific privacy laws.
What kinds of experience can summer associates gain at this practice area at your firm?
We try to give summer associates opportunities to build specific areas of knowledge, especially in places where normal associate schedules might not immediately provide for it, e.g., in-depth projects on certain topics like privacy, law regulation, AI considerations, or information governance. These focused projects have led directly to opportunities where first-year attorneys are still working on issues they began as summer associates. We also involve summer associates in client contact and interfacing to learn the soft skills, project management, and expectation setting that are critical for attorney success.
Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?
Staying ahead of the curve requires two separate skill sets. The first is maintaining the appropriate level of curiosity toward the work clients are doing, because that’s where our advice is most directly applicable. We determine what our clients are currently doing as they develop approaches to comply with the different privacy and governance challenges. Attention to questions that are being asked of attorneys and understanding both where the law is going and how technology is actually working are critical to the type of legal advice our clients expect.
Second, attorneys consider how client (and legal) work will evolve. In support, attorneys at BakerHostetler research, write, speak, and publish in areas of emerging technological concern. This includes law review and peer-reviewed articles and opportunities to develop “thought leadership” stature within emerging disciplines, with the expectation that areas such as blockchain, AI, or even new forms of information governance will develop into client needs over time.
We also have the opportunity to leverage the many practice areas within the DADM Practice Group and address, internally through conversations and trainings, different evolving issues to confirm we’re efficiently developing and sharing knowledge.