The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Colleen Theresa Brown is a partner in Sidley’s Privacy and Cybersecurity practice and focuses on privacy, cybersecurity, data protection, and emerging technology issues for a diverse group of companies, including those in the financial, life sciences, telecommunications, media, retail, and manufacturing sectors. She advises on global data protection compliance, litigation and regulatory enforcement actions, data breach response, crisis management, and internal investigations. Colleen is ranked in Chambers as an “Up and Coming” privacy lawyer who “approaches complex legal issues in a practical way.” She also co-founded Sidley’s Women in Privacy®, a networking group for women working as in-house counsel, compliance officers, and other professionals in the field of privacy.
Jenny Seale is a partner in the firm’s office in Washington, DC, and focuses her practice on cybersecurity, crisis management, internal investigations, and regulatory compliance, as well as complex administrative, civil, and criminal litigation. Jenny advises organizations on significant cybersecurity matters, including destructive malware and ransomware incidents, and leads internal investigations related to complex cybersecurity matters. She advises clients in numerous industry sectors, such as the financial services, retail, hospitality, transportation, healthcare, and technology sectors.
Describe your practice area and what it entails.
Colleen: I am a partner in the Privacy and Cybersecurity practice at Sidley. That means that I am a data lawyer—and I work with data throughout its life cycle and in all legal contexts. This means regulatory advising for compliance, data breach incident response and crisis management, privacy and cyber governance, data protection policy in the U.S. and abroad, privacy and cybersecurity litigation and arbitration, and data-critical transactional work, whether that be M&A diligence or negotiating transactions that may present particular privacy or cybersecurity risk.
Jennifer: I am also a partner in Sidley’s Privacy and Cybersecurity practice. My practice focuses on incident response and investigations related to significant cyber events, as well as the post-incident work relating to such an event, including litigation, customer disputes, regulatory investigations and compliance reviews, and insurance claims. I also assist clients with pre-incident work, such as advising on legal and regulatory developments, policies and procedures, and tabletop exercises.
What types of clients do you represent? (Please feel free to list actual clients.)
Colleen: Data is universal, and so I work with clients in every sector—including highly regulated sectors with particular privacy or cybersecurity risks—financial, life sciences, energy, and technology. I also often work with clients in the manufacturing and industrial sectors, which have important data needs as their businesses turn to the Industrial Internet of Things and other digital services.
Jennifer: Like Colleen, I assist clients in multiple industry sectors, including retail, technology, financial services, energy, and business services. While certain sectors may be more regulated, cybersecurity is a hot topic among clients in every industry.
What types of cases/deals do you work on? (Please feel free to share actual cases/deals.)
Colleen: Generally, clients turn to Sidley for matters that matter—high-stakes strategic privacy and cyber initiatives, complex data security incidents, regulatory investigations and defense, and, of course, litigation involving sophisticated privacy allegations. All of these matters require counsel who have deep experience in understanding lateral privacy and cyber risks, policymaker and regulator perspectives, and fluency in technology.
Jennifer: Additionally, the Privacy and Cybersecurity team has considerable experience working on various types of cases and deals. We routinely assist our clients with responding to significant cybersecurity events and navigating the challenges that arise from such an event.
How did you choose this practice area?
Colleen: I was deeply interested in privacy issues throughout my academic career, starting with my interest in constitutional law, as well as women’s and LGBTQ rights issues. Data issues—informational autonomy—are critical to liberty interests in a free society. When looking at firms, I was focused only on those that had established and well-respected privacy practices. I came to Sidley for this practice area and have been here ever since.
Jennifer: Early on in my legal career, I had the opportunity to work on some of the first big cases in this space, which really inspired me to focus on this practice area going forward. Cybersecurity is multidisciplinary, and I very much enjoy working on the various components of a cybersecurity event. Every matter is different and the work is always interesting.
What is a typical day like and/or what are some common tasks you perform?
Jennifer: Every day is different, so it is difficult to describe a typical day. My day largely depends on the specific matter I am working on and what phase of the matter we are in. For example, if we are working on the response to an active cybersecurity incident, we spend much of our day talking to the client and the forensics expert, developing the facts, assisting with communications (internal and external), and helping the client continue its business operations. Cybersecurity is a service-oriented practice, and we communicate with our clients quite frequently.
Colleen: I agree with Jenny that there isn’t a typical day in the life of a privacy and cybersecurity lawyer at Sidley. Data issues are incredibly varied, both in context and in the skills they require a lawyer to deploy. I will say, however, that a large part of my day typically involves back-to-back calls and meetings with clients as we work together, strategically, to manage privacy and cyber risks. There is a lot of direct client collaboration.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
Jennifer: Formal training and classes can be very beneficial, but the best training comes from actual on-the-job experience. I have learned the most about this practice area by working with our clients. Every client and matter is different and presents a new learning experience. I still learn a lot on every one of our matters.
Colleen: While the American Bar Association has some fantastic programs in this space, a key leader in privacy training and development is the International Association of Privacy Professionals (IAPP). An IAPP certification is a great early step. Additionally, privacy professionals must stay current in this fast-paced technology and policy environment. Read the news and read the perspectives of key privacy thought leaders and cybersecurity professionals.
What is the most challenging aspect of practicing in this area?
Colleen: Staying current. Technology changes constantly, presenting new facts that often require applying old law. Some of our most important laws and regulations in this space were drafted before the internet, let alone the metaverse. Additionally, privacy law comprises hundreds of important, interrelating, and overlapping laws and regulations. This complicates issue spotting and analysis, and requires lawyers in this space to constantly build their knowledge.
Jennifer: I’d like to add that one of the bigger challenges in this area is that the law is still developing and changing every day. Cybersecurity is still a relatively new area of law. We often are dealing with old laws that were not designed for these modern topics. Another challenge is that we often are working with non-homogenized laws and regulations around the world. Even a matter that is U.S.-focused requires analyzing multiple laws and regulations, which often are not homogenous.
What is unique about your practice area at your firm?
Colleen: Sidley’s Privacy and Cybersecurity practice is global and interdisciplinary. It also is regulatory, transactional, policy, and litigation focused. We have a deep, broad, and diverse bench, and we collaborate as a team to drive results and client service.
Jennifer: Cybersecurity is a multidisciplinary practice. Our matters involve numerous legal issues that cut across multiple practice areas. As a result, we often get to work with colleagues in other practice groups, which is really exciting.
How do you see this practice area evolving in the future?
Colleen: Data issues in privacy and cybersecurity are increasingly converging with other areas of the law. This convergence is most recently seen in the antitrust space and represented in a cascade of new requirements and risks related to digital services regulation.
Jennifer: Cybersecurity is still a relatively new practice area. The law continues to change every day. Cybersecurity risks will just continue to increase over time. Thus, we expect that the law will continue to evolve as well.
What kinds of experience can summer associates gain at this practice area at your firm?
Colleen: Summer associates work closely with associates up to senior partners in the practice on cutting-edge technology issues. Summer associates often get a variety of projects that give them exposure to issues in regulatory counseling, cyber incident response, policy, and disputes. Projects in this area are usually fast moving, allowing a diverse sampling of projects.
Jennifer: As Colleen said, summer associates are able to work alongside associates and partners on real matters. They will gain critical experience working on significant cybersecurity and privacy issues. We provide projects that cover different areas of our practice so that summer associates can get a feel for what it is like to work in our group.