The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
I am a trusted cyber law advisor. I have worked on some of the largest data breaches in history and regularly advise clients regarding cyber breach response, as well as litigation and government enforcement actions that arise from cyber breaches. I also partner with clients on ways to reduce cyber legal risk while supporting innovation, delivering value to the business, and solidifying brand and consumer trust. I also provide strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence.
Describe your practice area and what it entails.
I’m clients’ first or second call after a data breach. I provide strategic legal advice regarding stopping the attack, investigating, and communicating. This involves directing forensics investigations and guiding clients through the complex web of statutory, regulatory, and contractual breach notification requirements. I also provide advice regarding cyber breach-related issues like engaging with law enforcement, cyber insurers, and auditors. I also lead internal investigations where we collect and review evidence, conduct interviews, and provide findings. When data breaches result in regulatory investigations or litigation, I defend clients.
When not responding to data breaches, I partner with clients to help reduce cybersecurity legal risk. This includes counseling on cybersecurity laws, contractual issues, and incident preparedness activities like tabletop exercises, as well as cybersecurity education and training.
What types of clients do you represent?
I focus on cybersecurity issues in the technology, finance, and energy and infrastructure sectors. I represent industry leaders in telecommunications, social networking, renewable energy, and SaaS businesses, as well as financial institutions. These clients vary in size from startups to large public companies. All companies face cybersecurity legal risks, and my goal is to provide accessible and right-sized advice across the spectrum.
What types of cases/deals do you work on?
- Advised in a forensic investigation, notification, and disclosure for one of the largest breaches in history at a multinational telecommunications company.
- Responded to ransomware event at a solar and wind farm company.
- Provided day-to-day cybersecurity and incident preparedness counseling to one of the largest social networks.
- Provided free counseling sessions to start-ups regarding key cyber risk areas, incident preparedness and cyber insurance.
How did you choose this practice area?
I wanted a fast-paced practice where I could learn about a fun area of law and about technology at the same time. I also like solving problems with clients rather than for clients, and breach response tends to generate high-pressure situations in which cross-functional teams must collaborate.
What is a typical day like and/or what are some common tasks you perform?
Today, I revised responses to a state Attorney General inquiry, provided advice on a breach investigation kickoff call, drafted a letter regarding a data-breach damages claim, and conducted an interview for a project where we’re revising an incident response plan. This is fairly typical.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
Honing your core law school skills like analyzing, summarizing, and persuading will help. We solve complex problems quickly and explain solutions clearly and succinctly. This takes practice and experience.
Classes in privacy or cybersecurity would help. Cybersecurity law also relies heavily on tort and admin law. More directly, we work with 50 state breach-notification laws and more than a dozen federal cyber laws and regulations, as well as a variety of industry standards and frameworks. There’s no need to know these ahead of time, but general knowledge gives you a head start.
Having curiosity and enthusiasm for technology is a must.
The abilities to empathize and collaborate help, too. Breach response creates high pressure for quick decisions. You need to understand and appreciate everyone’s views and values, and then work together.
What is the most challenging aspect of practicing in this area?
The intensity. A data breach is often a critical moment for the client. They are stressed and want help fast. You have to be available, committed, and cool-headed.
What is unique about your practice area at your firm?
Orrick has an amazing client base for a cybersecurity practice. For a data-focused practice, you want clients that innovate and push boundaries with data. Managing cyber legal risk is a core component of their growth. That creates interesting problems to solve.
What are some typical tasks that a junior lawyer would perform in this practice area?
Participate on forensic investigation calls; develop timelines; perform notification analyses; prepare for and conduct interviews; draft individual, business, and regulator notifications; and revise contracts.