Privacy & Data Security

Overview

Lawyers in this area advise business clients on cyber security issues, including internal security protocols, the collection and storage of personal data, and on how to respond to a data breach. While privacy lawyers are most often called into action in the wake of a data security breach, they also help their clients comply with regulations and counsel on ways to prevent data theft or loss. Lawyers may work on incident response teams and can be called on to work long hours after a client’s data has been breached. Data privacy lawyers will also frequently be involved in claims, litigation, and regulatory investigations arising from data security breaches. This is a growing and changing area of law, so lawyers may be regularly dealing with unsettled law and must stay up to date on security technology and emerging threats to IT security, as well as rapidly emerging regulations and case law that can pose challenges to their clients.

Featured Q&A's
Get an insider's view on working in Privacy & Data Security from real lawyers in the practice area.
Elise Elam, Associate • Sara Goldstein, Partner—Digital Assets & Data Management
BakerHostetler

Describe your practice area and what it entails.

We practice cybersecurity incident response, which means we help our clients prepare for and respond to data security and privacy incidents. This includes engaging cybersecurity investigators and other third parties to assist with the incident response process; providing guidance on federal, state, and international breach notification law requirements, as well as contractual notification obligations; drafting notification materials, including notification letters, press releases, website notices, internal client communications, and regulatory notices; and representing clients in post-incident regulatory investigations.

What types of clients do you represent?

Sara represents clients in a variety of sectors, including healthcare, energy, and higher education.

Elise represents pretty much every other type of client, with a focus on clients in the insurance industry. 

Both of us represent large and small companies, nonprofits, financial institutions, government agencies—you name it.

What types of cases/deals do you work on?

We represent clients responding to all types of data security and privacy incidents, ranging from business email compromises to inadvertent disclosures to ransomware and state-sponsored, large-scale network intrusions.

How did you choose this practice area?

Sara: My interest in data privacy and security began during my law school co-op internship in the office of general counsel at a large research university. I was asked to prepare research memoranda on the Genetic Information Nondiscrimination Act of 2008, which had recently gone into effect, and on new state breach notification laws, and became interested in the then-emerging area of the law. 

Elise: Very deliberately. Prior to practicing incident response, I found myself searching for something that would provide more of a challenge. It was a natural fit given my interest in technology.

What is a typical day like and/or what are some common tasks you perform?

There is no typical day in incident response, and everything we work on is a crisis! No day is ever the same, and it never turns out exactly the way you planned. A typical day consists of numerous conference calls with clients, forensic investigation firms, public relations firms, and other partners in the incident response process. We also draft numerous communications ranging from reactive media holding statements to breach notification letters to legal memoranda. 

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

A great way to learn more about incident response is to listen to podcasts and read blogs prepared by cybersecurity experts.  

What is the most challenging aspect of practicing in this area?

The combination of the volume plus the fast-paced and—usually—urgent nature of this practice area can make it challenging to keep up and stay on track. But we enjoy helping clients navigate through some of the most challenging days of their professional careers and getting them to “the other side” of an incident. A common misconception is that incident response counsel’s only (or primary) purpose is to protect privilege. In truth, we advise our clients on their legal obligations with respect to investigating cybersecurity incidents, determining what data is at risk, and their notification requirements to individuals and regulators.

What are some typical tasks that a junior lawyer would perform in this practice area? 

Typical tasks that a junior lawyer would perform in this practice area include: 

  • Responding to different types of cybersecurity and data privacy incidents, including business email compromises, device theft/loss, system misconfiguration, ransomware, insider wrongdoing, and vendor breaches.
  • Participating in initial calls with clients and forensic scoping calls.
  • Reviewing and revising engagement agreements for third parties being retained to assist with the incident response process. 
  • Drafting communications to clients and other stakeholders involved in the incident response process. 
  • Answering questions from clients and others involved in responding to incidents. 
  • Taking detailed notes on all conference calls.
  • Reviewing and assessing findings from forensic investigations to determine whether an incident results in unauthorized access to or exfiltration of data that could trigger notification obligations. 
  • Working with forensic investigators on drafting/editing forensic investigation reports and factual summaries. 
  • Researching federal, state, and international breach notification law requirements.
  • Drafting notification materials, including notification letters, press releases, website notices, internal client/employee communications, third-party stakeholder notices, and regulatory notices.

What are some typical career paths for lawyers in this practice area?

There are many different career paths for attorneys in incident response. While some associates stay with their law firms and advance to partner, other lawyers opt to go in-house at companies to support their cybersecurity and data privacy practices, and still others opt to join forensic investigation or PR/crisis management firms. There are many possibilities out there!

Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?

We listen to podcasts and read articles and blog posts. We also have a very collaborative team of colleagues, and we constantly share new intel on emerging trends. Also, the cybersecurity forensic investigation firms we partner with provide us with periodic education on the cybersecurity landscape they are encountering.

Elise Elam guides clients through data security matters, including coordinating digital forensic investigations, determining breach notification obligations, overseeing the implementation of restoration efforts, and responding to regulatory inquiries. As a Certified Information Privacy Professional with a master’s degree in information technology, Elise bridges the gap between legal, business, and technology perspectives for clients.

Named a 2021 “Rising Star” by Law360 and a 2021 “Lawyer on the Fast Track” by The Pennsylvania Legal Intelligencer, Sara Goldstein has advised hundreds of clients from a variety of different industries on responding to cybersecurity and data privacy incidents, including several of the largest data breaches to date. Sara has led BakerHostetler’s response to several large, high-profile data security incidents, including one incident at a cloud software company that involved the data of several hundred firm clients. As the leader of these matters, Sara developed the strategy for the incident response process, oversaw the team of attorneys working directly with clients, and created processes and protocols for the attorney team to follow.

Kaylee Cox Bankston, Partner—Complex Litigation and Dispute Resolution • Jaqueline Klosek, Partner—Technology
Goodwin

Describe your practice area and what it entails.

Kaylee: My practice focuses primarily on cybersecurity matters, both proactive and reactive. For proactive matters, we counsel clients on their cybersecurity programs and governance, such as how executive leadership and the Board of Directors manage cybersecurity risk, as well as conducting risk assessments and advising on post-assessment implementation and risk mitigation strategies. The reactive side of my practice includes advising companies in connection with investigating and responding to cybersecurity attacks and security incidents conducted by high-profile threat actors and related regulatory investigations and litigation.

Jackie: My practice focuses on transactions, counseling, and strategic advice involving data and technology. I conduct due diligence and advise clients on strategic privacy issues and negotiated transactional documents in thousands of corporate transactions including M&A, private equity investments, SPACs, and similar transactions. I counsel clients on compliance with complex privacy and data security requirements, advise companies and underwriters on IPOs, and draft and assist with the implementation of privacy policies and privacy compliance plans for companies in a wide range of industries.

What types of clients do you represent?

Kaylee: The great thing about our practice is that there is no limit on the types of clients with which we get to work. Virtually every company today has data and access to the Internet, and therefore has a cybersecurity and privacy need. As a result, we have the opportunity to work with organizations of all sizes and across all sectors and geographies.

Jackie: My clients are often data-driven enterprises in the areas of social media, AI, healthcare, technology, consumer products and services, and more. However, all of the clients served by the firm have needs related to privacy and data security, so the practice is extremely broad. 

What types of cases/deals do you work on?

Kaylee: The thing I love most about our practice is that no day—and no matter—is the same. With respect to proactive matters, I particularly enjoy conducting cybersecurity simulations and “tabletop” exercises that enable companies to critique and improve upon their incident response process in a controlled and privileged environment—before a crisis ensues. These offerings are especially important now with increased regulatory enforcement and oversight in the cybersecurity space, such as the SEC’s new cybersecurity disclosure rules for public companies. The reactive side of my practice includes counseling on investigating and responding to cybersecurity attacks, such as advising on legal obligations, communications, risk mitigation, and litigation defense strategies. This also can include representing companies in privacy and security matters before U.S. and international regulators (e.g., FTC, DOJ, SEC) and state attorneys general, and in litigation.

Jackie: I spend a significant amount of time in the transactional space. Whenever a company is being bought, sold, becomes the subject of a strategic investment, or is going through a public offering, privacy considerations will come into play. I also provide strategic advice on new product and service offerings, increasingly so whenever AI is involved.

How did you choose this practice area?

Kaylee: I have always had an interest in national security matters, and after I received my J.D., I obtained an LL.M. in National Security Law at Georgetown University Law Center. While pursuing that degree, I studied and worked on cybersecurity-related matters in the program and in internships. I recognized that cybersecurity was quickly becoming a paramount national security issue, and I decided to focus my practice on it. The laws and regulations have evolved significantly since then—it has been fascinating to work in an area that is developing so quickly. You never know what tomorrow will bring!

Jackie: I enjoy practicing in a dynamic and challenging environment. The impact of rapidly developing technology on our practice area is profound, and means that our work never becomes ordinary or routine.

What is a typical day like and/or what are some common tasks you perform?

Kaylee:  Again, what I love most about my practice is that every day is different. Most often, we are counseling companies on responding to a cybersecurity attack or other security incident. This involves close coordination with cybersecurity forensic firms, security teams, executive leadership, and law enforcement, and helping companies navigate legal risks and obligations that arise during an incident. A large part of my practice also includes cybersecurity counseling, which takes on many flavors, including advising Boards of Directors and executive leadership on corporate governance strategies and risk management, counseling on and developing corporate policies and procedures, conducting information security assessments, and leading cybersecurity simulations and “tabletop” exercises.

Jackie: One of the things I love most about my practice is that every day is different. New and cutting-edge matters come in all of the time, and my day is never as I anticipate it will be.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Kaylee: Having a technical background is not necessary—but attorneys should not shy away from learning the technical “language.” Clients look to us to “translate” between the technical, legal, and executive teams. Reading technical reports and articles, understanding common attack methods, and staying up to date on evolving threats and trends goes a long way. Many cybersecurity forensic firms publish content on these topics that are great resources.

To me, the most important skills in this field are the abilities to analyze complex issues and problem solve, to “think on your feet,” to maintain poise under pressure, and to be a team player. We often operate in a world of grey where there is no clear-cut answer, so you should want great minds around you to collectively get to the best answer. Being thoughtful, strategic, collaborative, and decisive are critical skills. You should always have an open mind and be eager to continue learning. In this field, you have the opportunity to learn something new each day if you take advantage of it.

What is the most challenging aspect of practicing in this area?

Kaylee: In the cybersecurity practice, we are often required to act quickly and decisively, under intense time pressures, in high-stakes situations where, many times, there is not a black-and-white answer. That challenge is what I enjoy about this industry. I am never bored, continually learning, and always forced to use my critical thinking skills. We are often interfacing with companies on their worst day. When the cybersecurity attorneys show up, no one is happy to see us! But I enjoy being able to help clients strategically traverse those challenges and give them comfort that while they may not have been in this situation before, we have, and we will help them get through it.

Jackie: To practice effectively in this area, one must be extremely nimble and flexible and able to move quickly from one pressing matter to another. One also needs to be interested in technology and new developments and be committed to being a lifelong learner.

What misconceptions exist about your practice area?

Kaylee: There is a tendency to oversimplify our practice. For example, some think that counseling on cybersecurity incidents and data breaches is simply identifying notification obligations. In reality, cybersecurity investigations are multi-faceted and require counseling on numerous complex issues and legal risks, including forensic investigation, threat actor engagement and response strategy, communications, remediation, litigation defense strategy, and countless others.

Another misconception is that there is a one-size-fits-all approach or that a cybersecurity program can be achieved through plug-and-play templates. While there are industry standards and best practices, the application of cybersecurity risk management is bespoke to a particular organization. What is reasonable and appropriate in one case may not be in another.

Jackie: Oftentimes, people may fail to appreciate the depth of our practice. They assume it is just about drafting privacy policies or responding to incidents. These are important parts of any privacy and cyber practice, but our work involves so much more than that.

What are some typical tasks that a junior lawyer would perform in this practice area? 

Kaylee: A great thing about the cybersecurity practice is that junior lawyers can get hands-on experience very quickly through any number of tasks. Some examples related to cybersecurity investigations may include developing communications plans, researching threat actor groups, reviewing forensic investigation reports, analyzing legal obligations and potential liability exposure, preparing for witness interviews, reviewing contracts, and developing an investigation memorandum.

Jackie: Junior associates play a key role. As in other practice areas, junior associates do get involved in research assignments, but given the subject area of our practice, research often involves applying the law to cutting-edge technological matters in a novel way. Associates also assist with due diligence, which requires them to take a very deep dive into learning about a company and its data practices.

How do you see this practice area evolving in the future?

Kaylee: I think the cybersecurity practice is only going to grow and become more complex. The cybersecurity threat is not going away any time soon, and companies and regulators alike are challenged to keep pace. There is not one uniform cybersecurity law that applies to all companies. Different laws and regulations may apply depending on industry, business, or location, and in many cases, there are multiple (sometimes conflicting) laws that can apply. In addition, regulators are, in effect, creating additional requirements through enforcement. Companies will have to balance these evolving requirements with dynamic cyber threats.

Jackie: Advances in technology continue to alter the way in which we live, work, and learn, and current and future technological changes will impact how our practice evolves. The increasing importance of AI, particularly generative AI, will impact the growth and trajectory of our practice area.

Kaylee is a partner in Goodwin’s Data, Privacy & Cybersecurity practice. Her practice focuses on cybersecurity, which entails counseling on a variety of complex matters, including, but not limited to, corporate governance and risk management, compliance, cybersecurity investigations and breach preparation, regulatory investigations, litigation and class action defense, public disclosures, and development of corporate cybersecurity programs.

Jackie is a partner in Goodwin’s Data, Privacy & Cybersecurity practice. She focuses on transactions, counseling, and strategic advice involving data and technology. In addition to advising on transactions, Jackie counsels clients on compliance with complex privacy and data security requirements, including those established by laws such as the CCPA and similar state consumer privacy laws, CalOPPA, CAN-SPAM Act, TCPA, GLB Act, HIPAA, and the GDPR. She also drafts and assists with the implementation of privacy policies and privacy compliance plans for companies in a wide range of industries, including fintech, EdTech, social media and metaverse, e-commerce offerings, life sciences, and consumer products, among others.

Maeve Malik, Associate
Hunton Andrews Kurth LLP

Describe your practice area and what it entails.

Our top-ranked global privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues. For cybersecurity matters, we advise large, multinational companies on all aspects of catastrophic cybersecurity incidents, including providing strategic and legal advice in investigating and remediating the incident; fulfilling their data breach notification responsibilities; responding to multi-jurisdictional regulatory investigations; and managing inquiries from customers, business partners, media, and regulators. We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans and information security policies, running executive-level tabletops, performing information security assessments and tests, and engaging third-party experts in advance of an incident. In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws; conduct privacy and data security impact assessments; and counsel companies on managing risk in connection with leading-edge and innovative technologies.  

Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.

What types of clients do you represent?

We represent a diverse group of clients of all sizes, including retailers, consumer goods companies and manufacturers, energy companies and utilities, technology companies, financial institutions and private equity firms, fintech startups, insurance providers, health care providers, media companies, hospitality and gaming companies, direct marketers, telecommunications and Internet service providers, cloud providers, cybersecurity companies, government agencies, and risk management specialists.

What types of cases/deals do you work on?

We advise clients on:

  • compliance with all U.S. federal and state privacy and cybersecurity requirements, and international data protection laws; 
  • cybersecurity and data breach incident response;
  • drafting and negotiating complex privacy and data security provisions and indemnities in vendor agreements;
  • managing federal, state, and international regulatory inquiries in connection with alleged privacy and data security violations;
  • evaluating cybersecurity and privacy risks and negotiating purchase agreements in connection with potential mergers, acquisitions, and other corporate transactions; 
  • advising on cross-border data transfer strategies;
  • designing and evaluating privacy impact assessments;
  • developing and enhancing comprehensive records management programs; and
  • information product life cycle issues, including marketing and analytics activities.

How did you choose this practice area?

When I was a summer associate at Hunton, I met one of the partners on my current team, Brittany Bacon, who helped foster my interest in privacy work. Brittany became a mentor to me and quickly saw privacy and cybersecurity as a potential area of focus for me. If it weren’t for her identifying that early on, I never would have known to ask. At the time, the practice area was still very new, and I didn’t know anyone else from my law school class who would be pursuing a career in privacy and cybersecurity after graduation.

What is a typical day like and/or what are some common tasks you perform?

Each day varies based on our clients’ needs. On a given day, I might help a client respond to and analyze notification obligations related to a cybersecurity incident; prepare or revise an incident response plan or privacy policy; negotiate privacy and data security provisions in a contract; or provide guidance on how to comply with a new U.S. state privacy law. While every client faces a different set of challenges, questions, and concerns, there are commonalities in terms of privacy and cybersecurity being a top priority for organizations in all industry sectors.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Privacy and cybersecurity is a hot area of focus. Follow industry trends and various industry publications and learn as much as possible. Additionally, I encourage law students and lateral associates to subscribe to Hunton’s Privacy and Information Security Law blog, www.huntonprivacyblog.com, which we update on a near-daily basis with news items and analysis. Our team also has published a Privacy and Cybersecurity Law treatise, updated annually, which provides a comprehensive primer on U.S. and international privacy and data protection laws. Organizations like the International Association of Privacy Professionals (IAPP) are great resources as well.

What is the most challenging aspect of practicing in this area?

The most challenging aspect of practicing in this area is keeping up with the most recent updates in global laws, regulations, guidance, and civil and regulatory actions. This is a constantly evolving practice area that is a primary focus of lawmakers and consumers around the world, so there is always something new on the horizon.

What do you like best about your practice area?

I like the advisory and problem-solving nature of the practice. Our clients come to us because they have complex issues and initiatives involving the use of data and need help navigating new (and often untested) compliance requirements. We take pride in our ability to help them address these challenges in the face of a complicated and constantly evolving patchwork of potentially applicable privacy and data security requirements.

What is unique about your practice area at your firm?

Our practice has been recognized by Computerworld magazine, Chambers and Partners, and The Legal 500 as a top firm for privacy and data security counseling. With nearly 50 privacy professionals, including lawyers located across the globe in New York, Washington, DC, London, Brussels, and Beijing, we have 20 years of experience assisting clients of all sizes with various aspects of privacy and data security. We are supported by a carefully vetted worldwide network of knowledgeable data protection lawyers covering more than 100 countries. Our team works together seamlessly to provide customized, creative, and practical solutions to our clients’ privacy and data security issues.

What are some typical tasks that a junior lawyer would perform in this practice area?

Junior lawyers on our team play a key role in supporting senior attorneys and are introduced to substantive matters from day one. They learn quickly how to draft a variety of documents that privacy and cybersecurity lawyers prepare in their day-to-day practice, such as privacy policies, data breach notification letters, contractual provisions addressing privacy and data security, incident response plans, internal policies, and training materials.

Maeve Malik, Associate—Global Privacy and Cybersecurity Practice

Maeve Malik is an associate in Hunton Andrews Kurth LLP’s New York office and a member of the firm’s global privacy and cybersecurity practice. Maeve has extensive experience advising clients on cybersecurity incident response and has advised on data breach response and notification obligations for several large-scale cybersecurity incidents, including one of the largest breaches affecting 3.5 billion user accounts. Maeve also regularly advises clients on developing or enhancing existing global privacy compliance programs to help manage privacy risks. She works with clients on their proactive cyber incident readiness activities, such as data breach notification toolkits, tabletop exercises, and incident response plans and procedures (including ransomware procedures). Maeve is a co-chair of the firm’s veteran’s pro bono program and serves on the pro bono committee of Hunton’s New York office. She received her J.D., cum laude, from William & Mary Law School, and her B.A. from Drew University, summa cum laude with specialized honors.

Joseph Santiesteban, Partner • Hannah Levin, Senior Associate—Cyber, Privacy, and Data Innovation
Orrick

Describe your practice area and what it entails.

Joseph: I’m clients’ first or second call after a data breach. I provide strategic legal advice regarding stopping the attack, investigating, and communicating. This involves directing forensics investigations and guiding clients through the complex web of statutory, regulatory, and contractual breach notification requirements. I also provide advice regarding cyber breach-related issues like engaging with law enforcement, cyber insurers, and auditors. I also lead internal investigations where we collect and review evidence, conduct interviews, and provide findings. When data breaches result in regulatory investigations or litigation, I defend clients. 

When not responding to data breaches, I partner with clients to help reduce cybersecurity legal risk. This includes counseling on cybersecurity laws, contractual issues, and incident preparedness activities like tabletop exercises, as well as cybersecurity education and training. 

Hannah: I help companies respond to cybersecurity events and defend themselves against attorney general and FTC investigations in the cybersecurity, privacy, and consumer protection space. I also counsel clients on compliance with state and federal privacy, security, and consumer protection laws.

When responding to data breaches, I guide clients through every step of a cybersecurity event, including engaging forensic experts, conducting forensic investigations, developing a strategy for engaging with threat actors, and meeting regulatory breach notification requirements. As a part of this process, I also help clients craft public communications related to the event. I also conduct after-action reviews and internal investigations to provide companies with findings and recommendations related to their response.

With respect to attorney general and FTC investigations, I draft responses to interrogatories and manage document reviews and productions.

What types of clients do you represent?

Joseph: I focus on cybersecurity issues in the technology, finance, and energy and infrastructure sectors.  I represent industry leaders in telecommunications, social networking, renewable energy, and SaaS businesses, as well as financial institutions. These clients vary in size from startups to large public companies. All companies face cybersecurity legal risks, and my goal is to provide accessible and right-sized advice across the spectrum.

Hannah: I represent companies across all sectors and of all sizes, with a special focus on life sciences companies. I’ve also worked with startups.

What types of cases/deals do you work on?

Joseph:

  • Advised in a forensic investigation, notification, and disclosure for one of the largest breaches in history, at a multinational telecommunications company.
  • Responded to a ransomware event at a solar and wind farm company.
  • Provided day-to-day cybersecurity and incident preparedness counseling to one of the largest social networks.
  • Provided free counseling sessions to startups regarding key cyber risk areas, incident preparedness and cyber insurance.

Hannah:

  • Responded to a ransomware event at a consumer packaged goods company.
  • Represented a video game developer and console company in an FTC enforcement action.
  • Represented a crypto company in response to a cybersecurity event and regulatory investigation arising out of the event.
  • Negotiated favorable settlements for companies with the FTC, NYDFS, HHS-OCR, and state regulators arising out of privacy and cybersecurity investigations.

How did you choose this practice area?

Joseph: I wanted a fast-paced practice where I could learn about a fun area of law and about technology at the same time. I also like solving problems with clients rather than for clients, and breach response tends to generate high-pressure situations in which cross-functional teams must collaborate.

Hannah: I started my career as a commercial/white collar defense litigator but pivoted to privacy and cyber work after a couple of years. It was, and continues to be, an exciting and unique field with real-world implications. I was drawn to incident response and regulatory enforcement work because those areas require you to help clients navigate crises and solve complex problems. You get to work very closely with clients and learn their business, which is a special part of what we do.

What is a typical day like and/or what are some common tasks you perform?

Joseph: Today, I revised responses to a state Attorney General inquiry, provided advice on a breach investigation kickoff call, drafted a letter regarding a data-breach damages claim, and conducted an interview for a project where we’re revising an incident response plan. This is fairly typical.

Hannah: On a typical day, I will analyze if a client has any regulatory notification requirements arising out of a cybersecurity event, revise notifications to state regulators, and manage document reviews and/or productions. I typically have a lot of touchpoints with our clients throughout the day because cybersecurity events and regulatory enforcement actions move quickly.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Joseph: Honing your core law school skills like analyzing, summarizing, and persuading will help. We solve complex problems quickly and explain solutions clearly and succinctly. This takes practice and experience.

Classes in privacy or cybersecurity would help. Cybersecurity law also relies heavily on tort and admin law. More directly, we work with 50 state breach-notification laws, more than a dozen federal cyber laws and regulations, and a variety of industry standards and frameworks. There’s no need to know these ahead of time, but general knowledge gives you a head start.

Having curiosity and enthusiasm for technology is a must. The abilities to empathize and collaborate help too. Breach response creates high pressure for quick decisions. You need to understand and appreciate everyone’s views and values, and then work together. 

Hannah: The best thing a person who is interested in privacy and cyber work can do is to stay curious. Read about changes to the laws and emerging threats. If there are classes at your law school focusing on privacy and cybersecurity, consider taking those. Those classes will give you an understanding of the basis of privacy and cybersecurity laws in the United States and other jurisdictions.

In addition to classes, being able to handle high-pressure situations and present options to clients in a calm and organized manner is tremendously helpful.

What is the most challenging aspect of practicing in this area?

Joseph: The intensity. A data breach is often a critical moment for the client. They are stressed and want help fast. You have to be available, committed, and cool-headed. 

Hannah: You are guiding a client during one of the most stressful times in the history of the company. You need to be empathetic and calm, which can be difficult given the high stakes of each decision.

What do you like best about your practice area?

Hannah: It is constantly evolving. The laws, technology, and threats change constantly. Each cybersecurity incident and regulatory enforcement action is different and requires you to learn about the client and their unique situation.

What is unique about your practice area at your firm?

Joseph: Orrick has an amazing client base for a cybersecurity practice. For a data-focused practice, you want clients that innovate and push boundaries with data. Managing cyber legal risk is a core component of their growth. That creates interesting problems to solve.

Hannah: Our group provides a unique experience for associates of all levels to actively participate in client calls and work closely with outside firms. In matters with large cybersecurity events, you have the opportunity to work with team members across the world who each provide the client with jurisdiction-specific advice.

What are some typical tasks that a junior lawyer would perform in this practice area?

Joseph: Participate on forensic investigation calls; develop timelines; perform notification analyses; prepare for and conduct interviews; draft individual, business, and regulator notifications; and revise contracts. 

Hannah: A junior associate can be extremely helpful by keeping track of all the facts, building a timeline, participating in client calls, and drafting regulator notices and/or interrogatory responses. Our junior associates are client-facing and are involved in client calls and managing workstreams early in their career.

Joseph Santiesteban is a trusted cyber law advisor. He has worked on some of the largest data breaches in history and regularly advises clients regarding cyber breach response, as well as litigation and government enforcement actions that arise from cyber breaches. He also partners with clients on ways to reduce cyber legal risk while supporting innovation, delivering value to the business, and solidifying brand and consumer trust. He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence.

Hannah Levin advises clients on cybersecurity incident response and state and federal investigations and enforcement actions. She coordinates breach responses for companies across diverse sectors and represents clients in front of the Federal Trade Commission (FTC) and state regulators for privacy, cybersecurity, and consumer protection issues. She also counsels on all aspects of privacy and data security compliance.

James Sherer, Partner • Whitney Schneider-White, Associate—Digital Assets and Data Management
BakerHostetler

Describe your practice area and what it entails.

Our practice varies based on the type of work our clients require. In general, we follow our clients’ data—understanding how client data is flowing and being used and accounting for and documenting that data movement from creation through management, utilization, transfer, and ultimately destruction. We have to understand our clients’ businesses and goals and provide guidance on how to manage and transform data within that structure. This generally requires communication with client attorneys and other stakeholders, including clients’ privacy, security, technology, marketing, and human resources teams. The scope of engagement varies depending on interests, specialties, and seniority, but it always carries an expectation that each professional in our group has sufficient information about the data, the technologies using it, and client expectations to provide forward-thinking and practical advice.

What types of clients do you represent? 

Our client list runs the gamut, from very small operations with limited personnel to Fortune 50 companies. This allows us to evaluate issues across various settings with very different stakeholders and understand why certain matters are global initiatives and others are small but important strategic parts of overall goals. We work to develop bigger-picture issues and confirm that ad hoc or project work still supports an overall company strategy and legal requirements. Privacy and data security are intrinsic to day-to-day work for clients ranging from companies that engage us to help them with their privacy programs and compliance to clients from other practice groups that have a privacy or security component within their separate engagements. 

What types of cases/deals do you work on? 

Our practice focuses less on specific cases or deals and more on multifaceted client engagements. We do, however, support our colleagues’ cases and deals by providing guidance on privacy requirements, due diligence support, and deep litigation subject matter knowledge. As the practice follows the data, so too do the types of cases and deals we work on. We may be involved in acquisition due diligence for privacy issues, especially where data is one of the primary assets considered in divestiture concerns, information is among the assets, or there are data retention or destruction requirements. We also deal with contracting associated with existing or novel uses of information and support data transfers, whether in litigation, in regulatory response, or among contracting parties. In recent months we’ve counseled on compliance with new privacy laws, including the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the New York City Automated Employment Decision Tools Law. Dramatic regulatory transformation is underway, so we find ourselves consulting on in-flight projects or work related to the introduction of new laws and regulations.

How did you choose this practice area?

Attorneys in this area are not afraid of technology, but we also don’t assume that we understand everything, and we know we don’t understand everything perfectly. This practice area is ideal for attorneys fascinated or intrigued by the use of information generally and who are comfortable with confronting ambiguity and digging deeper into technologies to understand what’s happening. Depth of knowledge and experience are ultimately key for our provision of policy requirements, contractual provisions, and the strategies associated with use of those technologies.

James: I wanted to be a telecommunications attorney. I was fascinated by how people communicated and what new uses of data were coming into vogue even back in 2002 or in law school in 1999 during the first dot-com boom. So, I’m a product of my time.

Whitney: I started in a different practice area but wanted to focus more on governance and contracting. I was drawn to the dynamic nature of privacy law and enjoy combining legal interpretation with practical advice.

What is a typical day like and/or what are some common tasks you perform?

The only typical part of the day is the variety of work that will inevitably be addressed. With this practice area, you’re frequently spending the day working for clients across the spectrum of industries and with different needs. We often work for several clients each day—some that have large, ongoing engagements, while others surface every couple of months needing a contract reviewed or a policy updated. Privacy requires a more active client management practice than you would see in traditional regulatory response litigation or deals where there are outside pressures, not just client direction. Our engagements require progress on certain tasks and responsibilities to other stakeholders where we deal with changing internal practices, evaluating information governance regimes, and working on overall strategy, which are different tasks that can take very long periods of time, especially when clients have to develop shareholder support. There’s a role for outside counsel to help manage projects to help keep momentum, but also to be very responsive to clients when they come back with specific questions.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

There are certification and credentialing programs oriented toward this practice area. The International Association of Privacy Professionals maintains a set of different credentialing programs for privacy practitioners, ARMA and AIM provide for credentialing for information governance, and there are a variety of other credentialing bodies (like the Association of Certified E-Discovery Specialists) or technologies (like OneTrust) that can both teach knowledge and demonstrate experience.

Attorneys who want to dig in deeper on the specifics of AI can consider coding programs and certifications in those areas, and while no program is currently required to practice law in this area per se, we’ve seen a fairly gradual but inexorable movement toward certification for our practitioners within this and related spaces.

When we were in law school, there weren’t really classes focusing on this area. But as law schools introduce classes and further define scopes of practice, classes, clinical work, and internships also provide value. Internships can be particularly helpful to understand what future clients will look for. If you’ve had some experience working in-house, it provides insights into communication and governance strategies for the future.

What is unique about your practice area at your firm?

There are very few firms, if any, that have the depth of privacy experience that BakerHostetler does, in part because of the large nature of the group and the opportunities the group gives to both specialize in specific areas and cross-pollinate across similar client initiatives and benchmarking opportunities.

Because there are so many aspects to privacy and security, often only a handful of individuals will have specific experience or knowledge in more niche areas, leading to consultation by people across the firm. We have a very distributed structure and work with attorneys all over the country, but we frequently collaborate in a way that not every practice area does.

What are some typical tasks that a junior lawyer would perform in this practice area? 

We expect that junior attorneys in this space are conversant in much of the work that we do, and as we benchmark across different client experiences, junior attorneys are essential members of the team. By working for a variety of clients on different tasks, junior attorneys in this space develop a broader understanding of how clients operate—not only with particular clients but also across industries in ways that mirror different types of practices. Specific activities include drafting internal and external privacy policies, assessing cookies and trackers used on client websites, drafting data processing agreements, and performing research on specific privacy laws.

What kinds of experience can summer associates gain at this practice area at your firm?

We try to give summer associates opportunities to build specific areas of knowledge, especially in places where normal associate schedules might not immediately provide for it, e.g., in-depth projects on certain topics like privacy, law regulation, AI considerations, or information governance. These focused projects have led directly to opportunities where first-year attorneys are still working on issues they began as summer associates. We also involve summer associates in client contact and interfacing to learn the soft skills, project management, and expectation setting that are critical for attorney success.

Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?

Staying ahead of the curve requires two separate skill sets. The first is maintaining the appropriate level of curiosity toward the work clients are doing, because that’s where our advice is most directly applicable. We determine what our clients are currently doing as they develop approaches to comply with the different privacy and governance challenges. Attention to questions that are being asked of attorneys and understanding both where the law is going and how technology is actually working are critical to the type of legal advice our clients expect.

Second, attorneys consider how client (and legal) work will evolve. In support, attorneys at BakerHostetler research, write, speak, and publish in areas of emerging technological concern. This includes law review and peer-reviewed articles and opportunities to develop “thought leadership” stature within emerging disciplines, with the expectation that areas such as blockchain, AI, or even new forms of information governance will develop into client needs over time. 

We also have the opportunity to leverage the many practice areas within the DADM Practice Group and address, internally through conversations and trainings, different evolving issues to confirm we’re efficiently developing and sharing knowledge.

James Sherer co-leads the Emerging Technology team of BakerHostetler’s Digital Assets and Data Management Practice Group (DADM) while directing the firm’s artificial intelligence and information governance engagements. His work spans litigation, transactions, and regulatory enforcement while helping clients confront discovery management process issues; enterprise risk management; records and information governance; data privacy, security, and bank secrecy; artificial intelligence and algorithmic transparency; technology integration issues; and related merger and acquisition, asset purchase, and divestiture diligence.

Whitney Schneider-White’s practice focuses on privacy, data protection, and information governance; advising clients on compliance with evolving U.S. state and federal privacy legislation; and cross-border data protection matters. A certified privacy professional (CIPP/US), Whitney counsels clients on legal questions related to information and data use as well as compliance obligations associated with corporate privacy practices. Leveraging her in-house experience, Whitney also provides clients practical business solutions for compliance with U.S. and global privacy regulations.

Christian Lee, Associate—Corporate
Cooley

Describe your practice area and what it entails.

I think of my practice as falling into three buckets. The first bucket is helping clients comply with privacy and security laws both in the United States and in key international jurisdictions like Europe and China. I work with clients to determine if they’re subject to those laws, and if they are, what they need to do to comply with them. This involves taking into account the client’s available resources (because not all budgets can be spent on legal) and what their peers are doing. Sometimes the work involves helping the company itself to comply with laws, while other times it is helping them to launch products that are in compliance with laws.  

The second bucket is data breaches. I help clients prepare for data breaches by looking for security vulnerabilities in their networks with the help of forensic firms, preparing data breach plans and playbooks, and testing the client’s preparation through simulated data breaches. When a data breach happens (and it’s not a matter of “if,” but “when”), I guide clients in responding to it under attorney-client privilege.  

The third bucket of my practice is providing subject matter expertise on deals that have a privacy and security aspect. These deals can range from routine agreements (like data licensing agreements) to financings (from VCs, for example), IPOs, and M&A deals.  

What types of clients do you represent?

Cooley has a lot of great clients at different stages of maturity, and I’ve been fortunate to have worked with a variety of them. Our firm has a startup practice that works with companies just starting out and helps them grow until they mature into public companies or are acquired by bigger companies. I’ve had the opportunity to work with interesting startups, including the proverbial “two buddies in a garage” ones, and help them navigate privacy issues as they grow and are exposed to more privacy obligations. I also work with investors like venture capital firms that help fund startups and partner with them through IPOs, and also larger companies including those in the Fortune 100. Most of the clients I work with are in the high tech and life sciences spaces, but a number are in other sectors too like real estate and consumer products.  

What types of cases/deals do you work on? 

There’s a lot of variety in my practice, so I’m rarely bored. A large part of my work is providing day-to-day advice on privacy and security issues that come up for clients. Examples of client issues I’ve recently resolved include advising a client on whether their website needs a cookie banner and how to implement it; guiding a U.S.-based company to integrate the user base of a recently purchased French company; analyzing if a client needs to comply with HIPAA or other health laws if they have an app that tracks menopause symptoms; helping a client reduce its class action litigation risk for using different analytics technologies on its mobile app and website; and drafting data terms for client contracts to meet requirements of laws taking effect next year. Advising on these issues can involve anywhere from a 30-minute phone call with just me to a multiweek project involving members of our group in different countries.

I also serve as a privacy and security specialist for deals led by our colleagues in the corporate practice. This often involves a proposed transaction—which could be as straightforward as a data hosting agreement or as complex as a large acquisition of another company—that involves privacy and security issues that I will handle.  

Data breach preparation and response are also important parts of my practice. I work closely with clients’ IT and legal teams to put in place a game plan for responding to different kinds of data breaches. Then, if a client experiences a data breach, I act as a “coach” to help them navigate containing the incident, investigating what happened, and then dealing with any fallout.  

How did you choose this practice area?

Before law school, I was a paralegal at a large consumer tech company that dealt a lot with the early privacy and security issues related to the internet. After working there for a few years, I decided to take the plunge into law school and continued in the same practice.  

What is a typical day like and/or what are some common tasks you perform?

My typical day usually involves meetings/calls with clients to talk about complying with privacy laws or how to design products or services without violating those laws; reviewing and commenting on drafts from junior associates; drafting more complex documents on my own; figuring out different aspects of privacy laws and developing guidance and best practices on them by talking with colleagues; and managing expectations of clients and more senior attorneys. Sometimes I have to help a client with a data breach, which usually upends my plans for the next few hours (or days).  

Outside of the office, I’m involved in different professional organizations like the privacy committee of local bar associations and the International Association of Privacy Professionals (“IAPP”). I speak on panels, so I’ll often either be preparing presentations or organizing events.  

I usually do a mix of most of these things in one day, although it’s unpredictable because my priorities always seem to change!      

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Privacy and security law touches on a few different traditional practice areas, including securities, corporations, healthcare, and contracts, so I’d think taking classes in those subjects can help.  

Since privacy and security laws are rapidly evolving, one good way to stay up to date is being involved with the professional community. We often put on events featuring speakers from different backgrounds, so participating means you can hear the latest thinking from practitioners, academics, regulators, and others. Experiential learning is another good way to develop expertise in this area. For example, externing with the regulators who enforce privacy and security laws, such as the FTC or California AG’s office, can give students insight into how the laws are viewed by those who are charged with enforcing them.   

What is the most challenging aspect of practicing in this area?

A difficult part of my practice is that often there is no “right answer” to a question, whether because there is no — or conflicting — authority on an issue, the right answer is impractical to implement (because of technical or monetary challenges), or industry practice differs from what the law strictly requires. Succeeding in this field means being able to understand this uncertainty and helping clients to navigate it. 

What do you like best about your practice area?

The constantly evolving nature of privacy and security laws can be frustrating at times, but is also my favorite part of the practice. There are always new laws to learn, new approaches to solving complex problems that we can adopt, and new ways to interpret or comply with laws that we can discover.   

The broad nature of privacy and security laws also lends itself to creating new niche practice areas within the field. For example, I am not a securities lawyer and never thought I’d be heavily involved in SEC filings, but this changed when the SEC proposed rules requiring companies to make filings detailing their privacy and security programs. Now I am developing expertise in securities law (as it relates to privacy and security), which is unexpected and exciting.    

What are some typical tasks that a junior lawyer would perform in this practice area? 

Our group encourages junior associates to take on as much responsibility as they can as early as they can. We usually ask junior associates to take the first draft at documents, and then we provide feedback and direction for edits. Junior associates will always join us on client calls, and then after gaining experience and confidence, we’ll ask them to lead calls with supervision from a senior attorney. They will also directly email clients to provide advice. In short, the nature of our practice—many clients seeking advice on discrete questions—encourages junior attorneys to take on a leading role.     

How do you see this practice area evolving in the future?

I only see more laws and regulations being passed because people care about privacy. This is why the first generally applicable privacy and security law in the United States, the California Consumer Privacy Act, came about as a voter-initiated ballot measure.

Christian focuses his practice on advising data-driven companies on cyber, data, and privacy issues. He works with companies ranging from startups to large Fortune 500 multinationals across a range of industries. He advises clients on complying with U.S. and international data protection laws, including the California Consumer Privacy Act (CCPA) and similar laws passed in other U.S. states, California’s Confidentiality of Medical Information Act (CMIA), as well as U.S. federal laws including the Gramm-Leach-Bliley Act (GLBA), Telephone Consumer Protection Act (TCPA), Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), Children’s Online Privacy Protection Act (COPPA), and Health Insurance Portability and Accountability Act (HIPAA). He also advises clients on the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive, and China’s Personal Information Protection Law (PIPL). 

Christian has substantial experience advising on the cyber, data, and privacy aspects of strategic and commercial transactions, ranging from series seed financings to nine-figure mergers and acquisitions. He also helps clients prepare for and respond to security incidents including drafting incident response plans, running tabletop exercises, sending breach notifications, and responding to regulator inquiries. 

Christian assists clients in responding to third-party and law enforcement requests for user and corporate data, including subpoenas, court orders, and search warrants. He has litigated numerous such matters through appeals, which have involved issues of first impression and resulted in published opinions.

Anna Westfelt, Partner • Frida Alim, Associate—Privacy & Data Security
Gunderson Dettmer Stough Villeneuve Franklin & Hachigian, LLP

Can you describe your practice area and what it entails?

Anna: I’m the head of our Data Privacy Group—we help solve privacy issues for our clients. We help with day-to-day matters such as drafting privacy policies and negotiating data-related agreements. We also help in financings and M&A deals, where we negotiate purchase agreements, create disclosure schedules, and perform diligence to discover any privacy and security issues. We also spend a lot of time learning about developments in privacy laws. There is a lot going on in the privacy world right now!

Frida: I'm an associate within our Data Privacy Group. My practice involves advising startups and venture capital firms on a range of privacy and security-related matters throughout their life cycles. There are a number of new state privacy laws that come into effect this year, so a big part of my current workload involves getting clients up to speed on new laws that apply to their products and services. It’s an exciting time to be a privacy practitioner as there are many matters of first impression as we’re interpreting laws with little or no case law or enforcement history.

What type of clients do you have?

Anna: Our typical clients are venture-backed companies and venture funds. The companies range from early-stage startups to public companies. We have clients in a wide variety of industries, including software, consumer goods, social media, healthtech, and fintech. Since we often work directly with founders and management teams, we really get to know our companies and their businesses. I especially enjoy assisting a company all the way from incorporation to an acquisition or IPO.

Frida: Many of the clients that I work with are in the healthtech, fintech, and edtech space. Most often it's at the very start of their life cycle, and I think that's what's really exciting about our practice.

What cases or deals do you work on?

Anna: A large portion of our work involves assisting clients with the data privacy aspects of venture financings and M&A. We also work on day-to-day privacy matters and commercial agreements. For example, we help clients respond to consumer requests, draft and implement privacy policies and procedures, handle security breaches, negotiate data-related contract terms, and advise on cross-border data transfers.

Frida: I serve as a privacy specialist on venture financings and M&A deals, evaluating privacy- and security-related risks associated with companies that are being sold or financed. I also handle day-to-day transactional matters that implicate privacy and security. The way a contract is negotiated can have huge implications for companies that rely on data to run or improve their services. I also frequently draft policies—both public facing and internal—around our clients’ handling of personal information.

What is a typical day like and/or what are some common tasks you perform?

Anna: My day often consists of meetings with different clients to scope out needed privacy compliance work, often in preparation for a financing or acquisition. I also assist other Gunderson Dettmer attorneys with their clients’ privacy questions, which means moving quickly from one matter to another in a day. I also help clients with their international expansion, making sure they have the required contracts and safeguards in place. If a client has a data breach, we quickly mobilize a team to assist no matter what time of day it is. This type of practice suits someone who enjoys a fast pace and lots of variety!

Frida: I typically start the day by reviewing recent developments in the privacy world. With the fast pace of new regulations and enforcement actions, being up to date on privacy developments is really important. When I’m not on client calls, some of my typical tasks include negotiating commercial contracts, drafting risk assessments, and researching specific privacy issues that come up in our clients’ day-to-day business, like evaluating the client’s user flow to make sure it has the right disclosures or counseling the client on the privacy or security risks associated with a new product. I frequently meet with colleagues in our Tech Group—while our Tech Group does some privacy work, the Data Privacy Group is looped in to assist with complex privacy issues.

How did you choose this practice?

Anna: I started at an international law firm in London, assisting clients with EU and U.K. data protection matters, and really enjoyed the problem-solving aspect of data privacy work. When I joined Gunderson Dettmer, I did a combination of technology transactions and data privacy work, but as the U.S. privacy compliance landscape became more complex, I was able to focus on my privacy practice. My background in technology transactions helps me understand the commercial aspects of my clients’ needs. As a firm we are focused on providing practical and commercial advice to our clients.

Frida: I worked on privacy matters when I was in-house as a law student and found that experience really interesting. After law school, I was briefly an IP litigator before transitioning to doing regulatory and transactional work for financial institutions. At one point, I was able to do a little bit of privacy work and I was hooked. I knew I wanted to work in this field full time, so I jumped at the opportunity to join Gunderson Dettmer as a privacy associate and I’ve never looked back.

Are there any training classes, experiences, or skill development you would suggest to somebody who wants to work in this space?

Anna: Some of the most important skills for a data privacy attorney are problem solving and the development of a practical mindset. Our role is not to throw obstacles in the way of what our clients want to do, but instead figure out a way for them to implement a safe and privacy-forward approach while still meeting their business objectives. Everyone on my team has a natural sense of curiosity and spends a lot of the day learning about developments in data privacy.

Frida: This is a research-based area, so it's important to hone your research and writing skills. It really is a practice area where you have to be reading the news every day to make sure you're not missing out on a big development that could impact your clients, and be able to synthesize developments to provide timely guidance to clients. Individuals interested in this practice area should also consider joining the International Association of Privacy Professionals (IAPP).

What do you find most challenging about privacy?

Anna: The U.S. currently doesn’t have a federal privacy law. This means that except for industry-specific laws, privacy is largely regulated on a state-by-state basis. It’s challenging for clients to develop a uniform approach to ensure compliance with the various state laws as well as the EU’s General Data Protection Regulation (GDPR). We spend a lot of time helping clients come up with a practical and operationally sound compliance approach tailored for their particular business and risks. Having a finger on the pulse of privacy drives our practice and client advice.

Frida: One challenging aspect about this practice area is keeping up with new regulations, enforcement action, and regulatory guidance. Our clients have a very global practice, so understanding developments in international privacy law is also very important.

What do you think is the best thing about this practice?

Anna: I enjoy getting to know my clients’ businesses and helping them solve problems in a practical way. This requires staying up to date on legal developments and constantly thinking about how to solve things operationally for our clients. This practice area suits someone who loves to learn.

Frida: I enjoy helping our startup clients with privacy issues because we’re typically looped in at a very early stage. When sensitive data is involved, there are a lot of things to think about and processes to put in place before you can even begin collecting the data. We jump in to help our clients understand their legal obligations, draft public-facing policies, and conduct risk assessments. Being involved early on with the company can help them avoid bigger roadblocks down the road. We’re increasingly seeing investors and acquirers focus on data privacy and security issues in investments and acquisitions.

What misconceptions exist about this practice area?

Anna: There is a misconception that privacy lawyers are primarily regulatory lawyers who tell companies what they cannot do with their data. We place a lot of importance on understanding our clients’ businesses and needs and coming up with practical solutions to their issues instead of just saying “no” to proposed ideas.

Frida: I think there are some misconceptions about our day-to-day work. For example, I think some people believe we only draft privacy policies, which is really just the tip of the iceberg. You have to be versatile, be familiar with laws that apply across industries, and have a broad base of knowledge to be able to issue spot with your clients and help them figure out areas of risk for their business.

What is unique about data privacy here?

Anna: We don’t do any litigation. We focus on helping our clients with their day-to-day privacy needs and really get to know their businesses. We also are much more practical as we know how startups operate and can help our clients implement a risk-based approach. When we represent investors in financings, we bring an understanding of what kinds of privacy issues can cause problems down the line for a company, and we know how to speak with companies (on behalf of our investor clients) about getting their compliance programs in shape.

Frida: We work with innovative startups that are constantly thinking of new ways to collect and leverage data. That presents some interesting privacy questions when set against laws that haven't fully kept up with the pace of innovation.

How do you stay ahead of the curve and prepare for issues that might arise?

Anna: We spend a lot of time evaluating privacy tech solutions that our clients can use to solve compliance tasks. We have an active AI task force together with our Labor & Employment team, where we test out novel AI solutions for our clients as well as keep an eye on developments in AI laws and regulations.

Frida: I stay on top of technology trends, attend conferences, and attend speaking engagements held by regulators. Hearing from regulators is particularly helpful as they sometimes share how they think about specific privacy issues or identify their areas of focus (both in terms of regulation and enforcement), which can help your clients avoid pitfalls early on.

Anna is the head of Gunderson Dettmer’s Data Privacy Practice. She counsels clients on a range of U.S. and European data privacy and security issues. Anna has significant experience guiding clients through GDPR and CCPA compliance and advising on model contract clauses, privacy policies, data processing agreements, global privacy compliance strategies, data privacy, and security issues in venture capital financings, mergers and acquisitions, and IPOs. Anna is a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional (CIPP). She holds the U.S. private-sector certification (CIPP/US), the EU data protection certification (CIPP/E), and the Information Privacy Manager certification (CIPM).

Frida counsels clients on information privacy, cybersecurity, and compliance issues. She represents a wide variety of technology companies. Frida advises clients on the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA). Her practice includes advising on privacy considerations in connection with venture capital financings, mergers, and IPOs. Frida is a Certified Information Privacy Professional (CIPP), holding the U.S. private-sector privacy certification granted by the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.

Adam H. Solomon, Partner
Hunton Andrews Kurth LLP

Describe your practice area and what it entails.

Our top-ranked global privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues.

For cybersecurity matters, we advise large, multinational companies on all aspects of catastrophic cybersecurity incidents, including providing strategic and legal advice in investigating and remediating the incident; fulfilling their data breach notification responsibilities; responding to multi-jurisdictional regulatory investigations; and managing inquiries from customers, business partners, media, and regulators.

We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans and information security policies, running executive-level tabletops, performing information security assessments and tests, and engaging third-party experts in advance of an incident.

In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws; conduct privacy and data security impact assessments; and counsel companies on managing risk in connection with leading-edge and innovative technologies.

Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.

What types of clients do you represent? 

We represent a diverse group of clients of all sizes, including retailers, consumer goods manufacturers, energy companies and utilities, technology companies, financial institutions and private equity firms, Fintech startups, insurance providers, healthcare providers, media companies, gaming companies, direct marketers, telecommunications and internet service providers, cloud providers, cybersecurity companies, government agencies, and risk management specialists.

What types of cases/deals do you work on? 

We advise clients on:

  • Compliance with all U.S. federal and state privacy and information management requirements, and international data protection laws;
  • Cybersecurity and data breach incident response;
  • Drafting and negotiating complex agreements concerning information privacy, confidentiality, and cybersecurity;
  • Helping companies monetize data and develop their contractual and compliance controls for their data products;
  • Evaluating cybersecurity and privacy risks and negotiating purchase agreements in connection with potential mergers, acquisitions, and other corporate transactions; and
  • Information product life cycle issues, including marketing and analytics activities.

How did you choose this practice area?

I initially became interested in cybersecurity in college when I served as an intern with the U.S. Secret Service, assisting with cybercrime and identity theft investigations. I was later drawn to privacy and cybersecurity law when I saw the opportunity it provided to wear many hats in advising on regulatory, commercial, and transactional issues.

What is a typical day like and/or what are some common tasks you perform?

Each day is different based on my clients’ needs. On a given day, I might negotiate privacy and data protection clauses in a vendor agreement, help a client investigate a cybersecurity incident, work with a client on assessing or testing their cybersecurity safeguards, advise a client on their privacy obligations associated with a new product or service they’re launching, or help clients evaluate the privacy and data security risks inherent in a company they’re buying or investing in. Because our practice is so wide-ranging, every day brings novel and interesting issues to analyze.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Privacy is such a trending area of focus. As a former student focused on computer science, I recommend taking courses that focus on not only privacy issues, but also security, technology, and business topics. Learn as much as possible. Additionally, I encourage law students and lateral associates to subscribe to Hunton’s Privacy and Information Security Law blog, which we update on a near-daily basis with news items and analysis. Our team also has published a Privacy and Cybersecurity Law treatise, updated annually, which provides a comprehensive primer on U.S. and international privacy and data protection laws. Organizations like the International Association of Privacy Professionals (IAPP) are great resources as well.


What do you like best about your practice area?

I love the advisory nature of my practice. Clients come to us with complex risk issues that require good judgment and business acumen to manage effectively. It is incredibly gratifying helping clients navigate through challenging issues, whether it involves helping them manage a cybersecurity incident or launch a new data-driven product.

What misconceptions exist about your practice area?

That you need a technical background to be successful. The most successful privacy lawyers aren’t the most technically advanced, but rather those who are eager to learn about the technology and aren’t afraid to ask questions.

What is unique about your practice area at your firm?

Our practice is a leader in the field and has been recognized by Computerworld magazine, Chambers and Partners, The Legal 500, and GDR 100 as a top law firm for privacy and data security. We have 20 years of global experience assisting clients of all sizes with all aspects of privacy and cybersecurity. We are especially unique in that there are few law firms like Hunton that can advise on and manage incidents involving both cybersecurity and operational technology, having handled one of the most significant cyberattacks on U.S. critical infrastructure. In addition, our practice is complemented by The Centre for Information Policy Leadership, a privacy think tank associated with the firm.

What are some typical tasks that a junior lawyer would perform in this practice area?

Junior lawyers on our team play a key role in supporting senior attorneys. They’ll learn quickly how to draft a variety of documents that privacy and cybersecurity lawyers prepare in their day-to-day practice, such as privacy notices, data breach notification letters, data protection contractual provisions, incident response plans, internal policies, and training materials.

Adam H. Solomon, Counsel—Global Privacy and Cybersecurity Practice (2023)

Adam Solomon is counsel in Hunton Andrews Kurth’s New York office and a member of the firm’s global privacy and cybersecurity practice. Adam regularly advises clients on all legal issues associated with information security programs, cybersecurity incidents, and electronic surveillance practices. A significant focus of his practice is advising clients on compliance with data security laws and industry standards and management of their cybersecurity risks. He also assists clients with complex commercial contracting matters related to privacy, data protection, data monetization, and information security issues. Adam also has experience negotiating a wide range of technology and data licensing agreements, and drafting information security policies and standards, incident response plans, website and mobile app terms of use, privacy notices, and nondisclosure agreements. Adam received his JD from the University of Chicago Law School, MS in Computer Science from the University of Chicago, and BA, magna cum laude, from New York University.

Colleen Brown, Partner • Jennifer B. Seale, Partner—Privacy and Cybersecurity
Sidley Austin LLP

Describe your practice area and what it entails.

Colleen: I am a partner in the Privacy and Cybersecurity practice at Sidley. That means that I am a data lawyer—and I work with data throughout its life cycle and in all legal contexts. This means regulatory advising for compliance, data breach incident response and crisis management, privacy and cyber governance, data protection policy in the U.S. and abroad, privacy and cybersecurity litigation and arbitration, and data-critical transactional work, whether that be M&A diligence or negotiating transactions that may present particular privacy or cybersecurity risk.

Jennifer: I am also a partner in Sidley’s Privacy and Cybersecurity practice. My practice focuses on incident response and investigations related to significant cyber events, as well as the post-incident work relating to such an event, including litigation, customer disputes, regulatory investigations and compliance reviews, and insurance claims. I also assist clients with pre-incident work, such as advising on legal and regulatory developments, policies and procedures, and tabletop exercises.  

What types of clients do you represent? (Please feel free to list actual clients.)

Colleen: Data is universal, and so I work with clients in every sector—including highly regulated sectors with particular privacy or cybersecurity risks—financial, life sciences, energy, and technology. I also often work with clients in the manufacturing and industrial sectors, which have important data needs as their businesses turn to the Industrial Internet of Things and other digital services.

Jennifer: Like Colleen, I assist clients in multiple industry sectors, including retail, technology, financial services, energy, and business services. While certain sectors may be more regulated, cybersecurity is a hot topic among clients in every industry. 

What types of cases/deals do you work on? (Please feel free to share actual cases/deals.)

Colleen: Generally, clients turn to Sidley for matters that matter—high-stakes strategic privacy and cyber initiatives, complex data security incidents, regulatory investigations and defense, and, of course, litigation involving sophisticated privacy allegations. All of these matters require counsel who have deep experience in understanding lateral privacy and cyber risks, policymaker and regulator perspectives, and fluency in technology.

Jennifer: Additionally, the Privacy and Cybersecurity team has considerable experience working on various types of cases and deals. We routinely assist our clients with responding to significant cybersecurity events and navigating the challenges that arise from such an event.  

How did you choose this practice area?

Colleen: I was deeply interested in privacy issues throughout my academic career, starting with my interest in constitutional law, as well as women’s and LGBTQ rights issues. Data issues—informational autonomy—are critical to liberty interests in a free society. When looking at firms, I was focused only on those that had established and well-respected privacy practices. I came to Sidley for this practice area and have been here ever since.

Jennifer: Early on in my legal career, I had the opportunity to work on some of the first big cases in this space, which really inspired me to focus on this practice area going forward. Cybersecurity is multidisciplinary, and I very much enjoy working on the various components of a cybersecurity event. Every matter is different and the work is always interesting.      

What is a typical day like and/or what are some common tasks you perform?

Jennifer: Every day is different, so it is difficult to describe a typical day. My day largely depends on the specific matter I am working on and what phase of the matter we are in. For example, if we are working on the response to an active cybersecurity incident, we spend much of our day talking to the client and the forensics expert, developing the facts, assisting with communications (internal and external), and helping the client continue its business operations. Cybersecurity is a service-oriented practice, and we communicate with our clients quite frequently.

Colleen: I agree with Jenny that there isn’t a typical day in the life of a privacy and cybersecurity lawyer at Sidley. Data issues are incredibly varied, both in context and in the skills they require a lawyer to deploy. I will say, however, that a large part of my day typically involves back-to-back calls and meetings with clients as we work together, strategically, to manage privacy and cyber risks. There is a lot of direct client collaboration.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Jennifer: Formal training and classes can be very beneficial, but the best training comes from actual on-the-job experience. I have learned the most about this practice area by working with our clients. Every client and matter is different and presents a new learning experience. I still learn a lot on every one of our matters.  

Colleen: While the American Bar Association has some fantastic programs in this space, a key leader in privacy training and development is the International Association of Privacy Professionals (IAPP). An IAPP certification is a great early step. Additionally, privacy professionals must stay current in this fast-paced technology and policy environment. Read the news and read the perspectives of key privacy thought leaders and cybersecurity professionals.

What is the most challenging aspect of practicing in this area?

Colleen: Staying current. Technology changes constantly, presenting new facts that often require applying old law. Some of our most important laws and regulations in this space were drafted before the internet, let alone the metaverse. Additionally, privacy law comprises hundreds of important, interrelating, and overlapping laws and regulations. This complicates issue spotting and analysis, and requires lawyers in this space to constantly build their knowledge.

Jennifer: I’d like to add that one of the bigger challenges in this area is that the law is still developing and changing every day. Cybersecurity is still a relatively new area of law. We often are dealing with old laws that were not designed for these modern topics. Another challenge is that we often are working with non-homogenized laws and regulations around the world. Even a matter that is U.S.-focused requires analyzing multiple laws and regulations, which often are not homogenous. 

What is unique about your practice area at your firm?

Colleen: Sidley’s Privacy and Cybersecurity practice is global and interdisciplinary. It also is regulatory, transactional, policy, and litigation focused. We have a deep, broad, and diverse bench, and we collaborate as a team to drive results and client service.

Jennifer: Cybersecurity is a multidisciplinary practice. Our matters involve numerous legal issues that cut across multiple practice areas. As a result, we often get to work with colleagues in other practice groups, which is really exciting. 

How do you see this practice area evolving in the future?

Colleen: Data issues in privacy and cybersecurity are increasingly converging with other areas of the law. This convergence is most recently seen in the antitrust space and represented in a cascade of new requirements and risks related to digital services regulation.

Jennifer: Cybersecurity is still a relatively new practice area. The law continues to change every day. Cybersecurity risks will just continue to increase over time. Thus, we expect that the law will continue to evolve as well.  

What kinds of experience can summer associates gain at this practice area at your firm?

Colleen: Summer associates work closely with associates up to senior partners in the practice on cutting-edge technology issues. Summer associates often get a variety of projects that give them exposure to issues in regulatory counseling, cyber incident response, policy, and disputes. Projects in this area are usually fast moving, allowing a diverse sampling of projects.

Jennifer: As Colleen said, summer associates are able to work alongside associates and partners on real matters. They will gain critical experience working on significant cybersecurity and privacy issues. We provide projects that cover different areas of our practice so that summer associates can get a feel for what it is like to work in our group.

Colleen Theresa Brown is a partner in Sidley’s Privacy and Cybersecurity practice and focuses on privacy, cybersecurity, data protection, and emerging technology issues for a diverse group of companies, including those in the financial, life sciences, telecommunications, media, retail, and manufacturing sectors. She advises on global data protection compliance, litigation and regulatory enforcement actions, data breach response, crisis management, and internal investigations. Colleen is ranked in Chambers as an “Up and Coming” privacy lawyer who “approaches complex legal issues in a practical way.” She also co-founded Sidley’s Women in Privacy®, a networking group for women working as in-house counsel, compliance officers, and other professionals in the field of privacy. 

Jenny Seale is a partner in the firm’s office in Washington, DC, and focuses her practice on cybersecurity, crisis management, internal investigations, and regulatory compliance, as well as complex administrative, civil, and criminal litigation. Jenny advises organizations on significant cybersecurity matters, including destructive malware and ransomware incidents, and leads internal investigations related to complex cybersecurity matters. She advises clients in numerous industry sectors, such as the financial services, retail, hospitality, transportation, healthcare, and technology sectors. 
