The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Whitney Lee and Max Zidel, Partners—Litigation (2022)
Whitney Lee advises clients on significant cybersecurity incidents and other sensitive matters relating to national security, risk, and crisis management. Prior to coming to MoFo, Whitney worked at the New York State Office of the Attorney General in the Public Integrity Bureau. Whitney earned her J.D. from Columbia Law School, where she served as Head Notes Editor for Columbia’s Journal of Transnational Law. She also holds an LL.M. from the University of Amsterdam in International Criminal Law, and a B.A. from Harvard University. She has substantial experience counseling on privacy and cybersecurity issues and on data breach preparation and response.
Max Zidel helps cross-industry clients execute complex data protection strategies. He advises on compliance with federal, state, and international privacy and data security laws, including the CCPA, GDPR, and PIPEDA, and assists with due diligence among M&A and other corporate transactions. Max regularly advises clients in their response to U.S. and cross-border breach incidents, and is experienced in managing third-party forensic and internal investigations, e-discovery efforts, and communications with relevant regulatory agencies and impacted stakeholders. Max takes pride in crafting strategies and responses that are practical, compliant, privacy enhancing, and sensitive to unique business needs.
Describe your practice area and what it entails.
Whitney: My practice focuses on providing legal and strategic advice on various domestic and international privacy and data protection laws and advising on cybersecurity preparedness and breach response. My colleagues and I help prepare our clients to be resilient in the event of cybersecurity events and we support our clients as they respond to significant cybersecurity incidents, including ransomware attacks. In doing so, we often coordinate with law enforcement agencies, including the FBI, and we communicate with data protection authorities all over the world on our clients’ behalf.
Max: It is a true hybrid practice, spanning all kinds of counselling, transactional, and litigation type matters. On the counselling side, we help clients comply with various data privacy and data protection laws. Some examples are the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR). These laws regulate how organizations can collect, use, and disclose information (typically personal information), and what they must do to protect it. This might involve updating an organization’s internal privacy program in anticipation of a new law coming into effect or advising on a new app or product. On the litigation side, we help clients investigate and respond to data breaches, including conducting interviews, advising on notification obligations, working with law enforcement, and responding to government inquiries. On the corporate side, we draft agreements governing data sharing, security, and processing obligations generally between parties, as well as advise on the privacy and data security aspects of M&A and investments.
What types of clients do you represent?
Whitney: Our clients come from various industries including but not limited to software development, healthcare, publishing, gaming, aviation, and pharmaceuticals, among others. Our clients also vary in size, from large, established multinational companies to start-up companies.
Max: All types of organizations, from small startups to large multinationals. Though many data privacy/protection laws, for example the CCPA, only apply to businesses that meet certain minimum revenue or other thresholds, the global proliferation of these laws is making it rarer and rarer to escape their grasp entirely. Also, it’s not just “technology” companies anymore that are leveraging personal data as a core part of their business model. Organizations across a wide variety of industries, including retail, financial services, health, hospitality, and media are finding new ways to use data to personalize their services and improve their offerings and operations.
What types of cases/deals do you work on?
Whitney: Right now, my primary focus is cyber incident response. I participate in strategy discussions regarding ransom negotiations with cybercriminals, supervise forensic investigations, liaise with law enforcement, and advise clients on legal and regulatory obligations stemming from cyber incidents. Aside from cyber incident response, I also advise on the privacy and data security aspects of mergers and acquisitions and investments and counsel clients on ways to comply with various domestic and international privacy laws.
Max: Luckily, they are as varied as our practice is varied—which keeps things exciting and keeps me on my toes. I have had the chance to advise on several major cybersecurity incidents involving foreign-state actors and interactions with regulators and law enforcement all over the world, such as the FBI and the U.K. ICO. On the compliance side, I have drafted many privacy policies and looked deep under the hood of many organizations in reviewing and updating their global privacy compliance programs for existing and new laws. The list goes on and on!
How did you choose this practice area?
Whitney: My interest in cybersecurity started during my time at a military boarding school, which had a strong technology focus. In those years, I learned about cybersecurity in the context of national security and protecting military information systems and the country against cyberattacks. By the time I started law school, I knew that I wanted to work in a field that would allow me to marry my interests in cybersecurity and the law—and this practice area has been a perfect fit.
Max: For me, it was the dynamism, youth, and proximity to public policy that really attracted me. In my practice, new laws, regulations, and guidance are disseminated every day, and new technologies are always challenging the way to put those rules into practice—it means there is never a dull moment. It’s also exciting to be in a field where everything is still so new, and I have the chance to not just interpret the law, but shape it. In the data privacy space, we are all simultaneously rookies and experts, no matter how many years we have been in practice. Personal data also really is personal. It matters how businesses and government use and protect it, because with the wrong laws (or simply a lack thereof) these practices really do have the capacity to cause harm—whether that be financial fraud, a violation of our dignity, or a diminishment of our well-being.
What is a typical day like and/or what are some common tasks you perform?
Whitney: One of the great things about our practice is that there really are no “typical days,” but some common tasks that I perform include helping clients identify legal breach notice obligations in the wake of a cyber-incident, managing and advising on internal investigations, communicating with law enforcement in the context of a ransomware attack, and responding to inquiries from data protection authorities and state attorneys general. The pace of my days can also vary dramatically depending on clients’ needs and whether we need to meet particular legal and regulatory deadlines.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
Whitney: There really is no standard path to becoming a privacy and data security attorney and the skills that you need to be a successful attorney in this field are the same skills you need to be a good attorney of any kind: intellectual curiosity, flexibility, strong research and legal writing skills, good oral communication, and strong analytical skills. However, if someone is interested in this field and they have the opportunity to take courses on privacy law or cybersecurity, I recommend taking those courses to become familiar with the issues at play in this field.
Max: I think people of all backgrounds and experience can make great data privacy lawyers. More important, I think, is finding out if this is something that interests you. Chatting with lawyers and other practitioners in the space and reading industry publications and online articles, or even laws themselves, is a great way to start.
What is the most challenging aspect of practicing in this area?
Whitney: The most challenging aspect of being a privacy and data security attorney is that you have to be able to evolve and learn constantly to keep up with changes in the privacy and data security law landscape. While this is challenging, it is also part of what makes being in this field so interesting and enjoyable as it requires us to be creative and flexible and gives us the ability to come up with innovative solutions to new issues as they arise.
What do you like best about your practice area?
Whitney: Being a privacy and data security attorney is exciting. I enjoy working in such a challenging, fast-paced area of the law alongside colleagues who are passionate about this work and dedicated to serving our clients. The highlights of this practice for me are delivering favorable outcomes for our clients and working alongside industry-leading attorneys, such as Miriam Wugmeister and Alex Iftimie, on cutting-edge data security issues.
What are some typical tasks that a junior lawyer would perform in this practice area?
Max: I think cybersecurity incidents are a great place for juniors to start. These matters are about so much more than just legal knowledge, and involve all kinds of practical skills related to project management, communication, and advocacy—which makes it easier for juniors to jump right in. I also like to give junior associates opportunities to draft privacy policies, data transfer agreements, internal policies, and other documents that lean heavily on group-maintained templates. It’s a great way to learn about how we put law into practice, and also gives us an opportunity to have fresh eyes on something we see every day.
Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?
Max: I think the most important thing is staying connected. That means keeping up with the news, tracking new and exciting startups (including those founded by your friends!), and playing around with new apps or products. Beyond that, there’s not much you can do other than dive right in. In any case, that’s the fun part!