The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Kaylee is a partner in Goodwin’s Data, Privacy & Cybersecurity practice. Her practice focuses on cybersecurity, which entails counseling on a variety of complex matters, including, but not limited to, corporate governance and risk management, compliance, cybersecurity investigations and breach preparation, regulatory investigations, litigation and class action defense, public disclosures, and development of corporate cybersecurity programs.
Jackie is a partner in Goodwin’s Data, Privacy & Cybersecurity practice. She focuses on transactions, counseling, and strategic advice involving data and technology. In addition to advising on transactions, Jackie counsels clients on compliance with complex privacy and data security requirements, including those established by laws such as the CCPA and similar state consumer privacy laws, CalOPPA, CAN-SPAM Act, TCPA, GLB Act, HIPAA, and the GDPR. She also drafts and assists with the implementation of privacy policies and privacy compliance plans for companies in a wide range of industries, including fintech, EdTech, social media and metaverse, e-commerce offerings, life sciences, and consumer products, among others.
Describe your practice area and what it entails.
Kaylee: My practice focuses primarily on cybersecurity matters, both proactive and reactive. For proactive matters, we counsel clients on their cybersecurity programs and governance, such as how executive leadership and the Board of Directors manage cybersecurity risk, as well as conducting risk assessments and advising on post-assessment implementation and risk mitigation strategies. The reactive side of my practice includes advising companies in connection with investigating and responding to cybersecurity attacks and security incidents conducted by high-profile threat actors and related regulatory investigations and litigation.
Jackie: My practice focuses on transactions, counseling, and strategic advice involving data and technology. I conduct due diligence and advise clients on strategic privacy issues and negotiated transactional documents in thousands of corporate transactions including M&A, private equity investments, SPACs, and similar transactions. I counsel clients on compliance with complex privacy and data security requirements, advise companies and underwriters on IPOs, and draft and assist with the implementation of privacy policies and privacy compliance plans for companies in a wide range of industries.
What types of clients do you represent?
Kaylee: The great thing about our practice is that there is no limit on the types of clients with which we get to work. Virtually every company today has data and access to the Internet, and therefore has a cybersecurity and privacy need. As a result, we have the opportunity to work with organizations of all sizes and across all sectors and geographies.
Jackie: My clients are often data-driven enterprises in the areas of social media, AI, healthcare, technology, consumer products and services, and more. However, all of the clients served by the firm have needs related to privacy and data security, so the practice is extremely broad.
What types of cases/deals do you work on?
Kaylee: The thing I love most about our practice is that no day—and no matter—is the same. With respect to proactive matters, I particularly enjoy conducting cybersecurity simulations and “tabletop” exercises that enable companies to critique and improve upon their incident response process in a controlled and privileged environment—before a crisis ensues. These offerings are especially important now with increased regulatory enforcement and oversight in the cybersecurity space, such as the SEC’s new cybersecurity disclosure rules for public companies. The reactive side of my practice includes counseling on investigating and responding to cybersecurity attacks, such as advising on legal obligations, communications, risk mitigation, and litigation defense strategies. This also can include representing companies in privacy and security matters before U.S. and international regulators (e.g., FTC, DOJ, SEC) and state attorneys general, and in litigation.
Jackie: I spend a significant amount of time in the transactional space. Whenever a company is being bought, sold, becomes the subject of a strategic investment, or is going through a public offering, privacy considerations will come into play. I also provide strategic advice on new product and service offerings, increasingly so whenever AI is involved.
How did you choose this practice area?
Kaylee: I have always had an interest in national security matters, and after I received my J.D., I obtained an LL.M. in National Security Law at Georgetown University Law Center. While pursuing that degree, I studied and worked on cybersecurity-related matters in the program and in internships. I recognized that cybersecurity was quickly becoming a paramount national security issue, and I decided to focus my practice on it. The laws and regulations have evolved significantly since then—it has been fascinating to work in an area that is developing so quickly. You never know what tomorrow will bring!
Jackie: I enjoy practicing in a dynamic and challenging environment. The impact of rapidly developing technology on our practice area is profound, and means that our work never becomes ordinary or routine.
What is a typical day like and/or what are some common tasks you perform?
Kaylee: Again, what I love most about my practice is that every day is different. Most often, we are counseling companies on responding to a cybersecurity attack or other security incident. This involves close coordination with cybersecurity forensic firms, security teams, executive leadership, and law enforcement, and helping companies navigate legal risks and obligations that arise during an incident. A large part of my practice also includes cybersecurity counseling, which takes on many flavors, including advising Boards of Directors and executive leadership on corporate governance strategies and risk management, counseling on and developing corporate policies and procedures, conducting information security assessments, and leading cybersecurity simulations and “tabletop” exercises.
Jackie: One of the things I love most about my practice is that every day is different. New and cutting-edge matters come in all of the time, and my day is never as I anticipate it will be.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
Kaylee: Having a technical background is not necessary—but attorneys should not shy away from learning the technical “language.” Clients look to us to “translate” between the technical, legal, and executive teams. Reading technical reports and articles, understanding common attack methods, and staying up to date on evolving threats and trends goes a long way. Many cybersecurity forensic firms publish content on these topics that are great resources.
To me, the most important skills in this field are the abilities to analyze complex issues and problem solve, to “think on your feet,” to maintain poise under pressure, and to be a team player. We often operate in a world of grey where there is no clear-cut answer, so you should want great minds around you to collectively get to the best answer. Being thoughtful, strategic, collaborative, and decisive are critical skills. You should always have an open mind and be eager to continue learning. In this field, you have the opportunity to learn something new each day if you take advantage of it.
What is the most challenging aspect of practicing in this area?
Kaylee: In the cybersecurity practice, we are often required to act quickly and decisively, under intense time pressures, in high-stakes situations where, many times, there is not a black-and-white answer. That challenge is what I enjoy about this industry. I am never bored, continually learning, and always forced to use my critical thinking skills. We are often interfacing with companies on their worst day. When the cybersecurity attorneys show up, no one is happy to see us! But I enjoy being able to help clients strategically traverse those challenges and give them comfort that while they may not have been in this situation before, we have, and we will help them get through it.
Jackie: To practice effectively in this area, one must be extremely nimble and flexible and able to move quickly from one pressing matter to another. One also needs to be interested in technology and new developments and be committed to being a lifelong learner.
What misconceptions exist about your practice area?
Kaylee: There is a tendency to oversimplify our practice. For example, some think that counseling on cybersecurity incidents and data breaches is simply identifying notification obligations. In reality, cybersecurity investigations are multi-faceted and require counseling on numerous complex issues and legal risks, including forensic investigation, threat actor engagement and response strategy, communications, remediation, litigation defense strategy, and countless others.
Another misconception is that there is a one-size-fits-all approach or that a cybersecurity program can be achieved through plug-and-play templates. While there are industry standards and best practices, the application of cybersecurity risk management is bespoke to a particular organization. What is reasonable and appropriate in one case may not be in another.
Jackie: Oftentimes, people may fail to appreciate the depth of our practice. They assume it is just about drafting privacy policies or responding to incidents. These are important parts of any privacy and cyber practice, but our work involves so much more than that.
What are some typical tasks that a junior lawyer would perform in this practice area?
Kaylee: A great thing about the cybersecurity practice is that junior lawyers can get hands-on experience very quickly through any number of tasks. Some examples related to cybersecurity investigations may include developing communications plans, researching threat actor groups, reviewing forensic investigation reports, analyzing legal obligations and potential liability exposure, preparing for witness interviews, reviewing contracts, and developing an investigation memorandum.
Jackie: Junior associates play a key role. As in other practice areas, junior associates do get involved in research assignments, but given the subject area of our practice, research often involves applying the law to cutting-edge technological matters in a novel way. Associates also assist with due diligence, which requires them to take a very deep dive into learning about a company and its data practices.
How do you see this practice area evolving in the future?
Kaylee: I think the cybersecurity practice is only going to grow and become more complex. The cybersecurity threat is not going away any time soon, and companies and regulators alike are challenged to keep pace. There is not one uniform cybersecurity law that applies to all companies. Different laws and regulations may apply depending on industry, business, or location, and in many cases, there are multiple (sometimes conflicting) laws that can apply. In addition, regulators are, in effect, creating additional requirements through enforcement. Companies will have to balance these evolving requirements with dynamic cyber threats.
Jackie: Advances in technology continue to alter the way in which we live, work, and learn, and current and future technological changes will impact how our practice evolves. The increasing importance of AI, particularly generative AI, will impact the growth and trajectory of our practice area.