The following is an excerpt from Practice Perspectives: Vault’s Guide to Legal Practice Areas.

Heather Egan Sussman—Partner, Privacy & Cybersecurity

Heather Egan Sussman is a co-head of Ropes & Gray’s privacy and cybersecurity practice. She advises multinational companies on their global privacy and cybersecurity needs and has worked with some of the world’s most recognized brands. She routinely guides clients through the existing patchwork of U.S. federal and state laws, including FCRA, ECPA, TCPA, HIPAA, CAN-SPAM, GLBA, and California’s Online Privacy Protection Act, state breach notification laws, state information security laws, as well as existing self-regulatory frameworks, including those covering online advertising and payment card processing. A thought leader in the field, Heather frequently publishes articles and speaks at industry-leading conferences. She is ranked by Chambers USA and The Legal 500 United States as a leader in her field and was named one of Massachusetts Lawyers Weekly’s “Top Women of Law” in 2015. Heather holds a B.A., magna cum laude, from the University of Massachusetts Dartmouth, and a J.D. from Boston College Law School.

Please provide an overview of what, substantively, your practice area entails.

I help companies around the world comply with privacy and cybersecurity laws. Privacy laws are those that govern a company’s collection, use, storage, disclosure, and disposal of personal information. These include, for example, laws that regulate the collection and use of financial information, health information, and more. Privacy laws also include those that restrict interference with personal privacy or “intrusion upon seclusion”—these laws are akin to the Fourth Amendment, but apply to private companies and cover a broad range of activities from computer and video surveillance to telephone marketing and more.

In the area of cybersecurity, I help companies comply with legal obligations to protect regulated data and reduce the risk of security breaches. I also help them develop strategies for protecting other important data like intellectual property. In the event of a breach, I help clients investigate and remediate the breach and defend them in government investigations and litigation.

What types of clients do you represent?

My clients come from diverse business sectors, including technology, retail, consumer products, telecommunications, healthcare and life sciences, manufacturing, food and beverage, media, academic institutions, service industries, energy, banks, and other financial institutions.

What types of cases/deals do you work on?

I’ve helped some of the world’s most recognizable consumer brands build their privacy compliance programs from the ground up. I work with teams of local counsel from around the world to assess a company’s data practices and legal compliance posture across many different jurisdictions. I perform privileged security assessments and hire security firms to break into my clients’ networks or new products prior to launch to find vulnerabilities and then advise my clients on the legal implications of changing security controls to meet evolving standards.

I help companies with legal issues around launching mobile applications and other digital strategies. I draft online privacy policies, and answer day-to-day compliance questions that come in from privacy officers, legal counsel, compliance personnel, and others in-house. I also manage large, complex data breaches through investigation, remediation, notification, and beyond.

How did you decide to practice in your area?

My practice grew organically. I started as an employment lawyer, and early on was handling employee-related issues involving data loss or theft. I drafted handbook policies including internet and computer use, social media policies, and more. As the internet era exploded, I spent less and less time practicing employment law, until I entirely transitioned to privacy and cybersecurity.

Early on I also was a member of the OSHA catastrophe response group, a team that responded to workplace catastrophes, such as plant explosions. We would arrive on the scene, handle government inquiries, manage the investigation to determine root cause, and advise the company through remediation of the accident. I recall having to interview an injured employee in a hospital burn unit with a forensic specialist because that employee heard the explosion and could describe it.

At the time, I didn’t realize the work was preparing me to handle cyber attacks down the road, which are their own sort of workplace catastrophe. Breaches do not typically involve loss of life, so my practice has come a long way from those days in burn units, but my work today draws from those early skills I developed managing difficult and complex investigations.

What is a typical day or week like in your practice area?

My projects change on a daily basis, so there is no “typical” day in this practice area. On one day I could be conducting a risk assessment for a multinational life sciences company, and the next day I could be drafting a global retailer’s worldwide privacy policy. As a multitude of privacy and cybersecurity issues affect companies across all industries, I experience great variety in my work, which makes it challenging and fun.

What is the best thing about your practice area?

It’s very cutting-edge in that the technology is developing faster than the law, so we have to be flexible, practical, and nimble in our advice. At Ropes & Gray, I also get to work with the best privacy and cybersecurity lawyers in the world. We work well together as a team. They are brilliant and funny and hard-working, and it makes coming to work every day feel a lot less like work and a lot more like a profession.

What is the most challenging aspect of your practice area?

The travel. I have two children in elementary and middle school, and I travel a lot for my work, given that my clients are truly all over the world. The last time I went to London, I brought my daughter and mother with me, and we had a great time together sightseeing. At one point, they sat in a bookstore reading and having tea while I went into a two-hour business meeting. When I came out of the meeting, I picked them up at the bookstore and we resumed the sightseeing!

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

The International Association of Privacy Professionals has great training opportunities and a terrific network of practitioners. In addition, there are many, many local bar associations that put on privacy and security talks, CLEs, and more.

What misconceptions exist about your practice area? What do you wish you had known before joining your practice area?

A misconception about my practice area is that privacy and cybersecurity attorneys should only be involved in post-breach issues. It’s important for us to establish a relationship early on to strategize about how to reduce the risk that a breach ever happens, help test the incident response plan, and get to know the people and technology deployed within the company to make for a more successful incident response.

What is unique about your practice area at your firm, and how has it evolved since you have been at the firm?

What sets Ropes & Gray apart from other firms is the quality and depth of our experience in this area. Unlike many firms, we have both a strong compliance practice and a strong enforcement practice, enabling us to solve everyday privacy and security compliance challenges and also defend our clients if and when something goes wrong.

What activities do you enjoy when you are not in the office, and how do you make time for them?

When I am not at work, I am with my family. They are the center of my world, so I try to combine activities with my kids. We play golf together and go to church together. And each September, I do a sprint triathlon with a team of women who raise money for Duchenne Muscular Dystrophy. My family is there to cheer me on at the finish line.