The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Whitney Lee, Associate—Litigation (2022)
Whitney Lee advises clients on significant cybersecurity incidents and other sensitive matters relating to national security, risk, and crisis management. Prior to coming to MoFo, Whitney worked at the New York State Office of the Attorney General in the Public Integrity Bureau. Whitney earned her J.D. from Columbia Law School, where she served as Head Notes Editor for Columbia’s Journal of Transnational Law. She also holds an LL.M. from the University of Amsterdam in International Criminal Law, and a B.A. from Harvard University. She has substantial experience counseling on privacy and cybersecurity issues and on data breach preparation and response.
Describe your practice area and what it entails.
My practice focuses on providing legal and strategic advice on various domestic and international privacy and data protection laws and advising on cybersecurity preparedness and breach response. My colleagues and I help prepare our clients to be resilient in the event of cybersecurity events and we support our clients as they respond to significant cybersecurity incidents, including ransomware attacks. In doing so, we often coordinate with law enforcement agencies, including the FBI, and we communicate with data protection authorities all over the world on our clients’ behalf.
What types of clients do you represent?
Our clients come from various industries including but not limited to software development, healthcare, publishing, gaming, aviation, and pharmaceuticals, among others. Our clients also vary in size, from large, established multinational companies to start-up companies.
What types of cases/deals do you work on?
Right now, my primary focus is cyber incident response. I participate in strategy discussions regarding ransom negotiations with cybercriminals, supervise forensic investigations, liaise with law enforcement, and advise clients on legal and regulatory obligations stemming from cyber incidents. Aside from cyber incident response, I also advise on the privacy and data security aspects of mergers and acquisitions and investments and counsel clients on ways to comply with various domestic and international privacy laws.
How did you choose this practice area?
My interest in cybersecurity started during my time at a military boarding school, which had a strong technology focus. In those years, I learned about cybersecurity in the context of national security and protecting military information systems and the country against cyberattacks. By the time I started law school, I knew that I wanted to work in a field that would allow me to marry my interests in cybersecurity and the law—and this practice area has been a perfect fit.
What is a typical day like and/or what are some common tasks you perform?
One of the great things about our practice is that there really are no “typical days,” but some common tasks that I perform include helping clients identify legal breach notice obligations in the wake of a cyber-incident, managing and advising on internal investigations, communicating with law enforcement in the context of a ransomware attack, and responding to inquiries from data protection authorities and state attorneys general. The pace of my days can also vary dramatically depending on clients’ needs and whether we need to meet particular legal and regulatory deadlines.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
There really is no standard path to becoming a privacy and data security attorney and the skills that you need to be a successful attorney in this field are the same skills you need to be a good attorney of any kind: intellectual curiosity, flexibility, strong research and legal writing skills, good oral communication, and strong analytical skills. However, if someone is interested in this field and they have the opportunity to take courses on privacy law or cybersecurity, I recommend taking those courses to become familiar with the issues at play in this field.
What is the most challenging aspect of practicing in this area?
The most challenging aspect of being a privacy and data security attorney is that you have to be able to evolve and learn constantly to keep up with changes in the privacy and data security law landscape. While this is challenging, it is also part of what makes being in this field so interesting and enjoyable as it requires us to be creative and flexible and gives us the ability to come up with innovative solutions to new issues as they arise.
What do you like best about your practice area?
Being a privacy and data security attorney is exciting. I enjoy working in such a challenging, fast-paced area of the law alongside colleagues who are passionate about this work and dedicated to serving our clients. The highlights of this practice for me are delivering favorable outcomes for our clients and working alongside industry-leading attorneys, such as Miriam Wugmeister and Alex Iftimie, on cutting-edge data security issues.
What are some typical tasks that a junior lawyer would perform in this practice area?
I think cybersecurity incidents are a great place for juniors to start. These matters are about so much more than just legal knowledge, and involve all kinds of practical skills related to project management, communication, and advocacy—which makes it easier for juniors to jump right into. I also like to give junior associates opportunities to draft privacy policies, data transfer agreements, internal policies, and other documents that lean heavily on group-maintained templates. It’s a great way to learn about how we put law into practice, and also gives us an opportunity to have fresh eyes on something we see every day.
Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?
I think the most important thing is staying connected. That means keeping up with the news, tracking new and exciting startups (including those founded by your friends!), and playing around with new apps or products. Beyond that, there’s not much you can do other than dive right in. In any case, that’s the fun part!