The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Brittany M. Bacon, Partner — Corporate
Recognized widely as a “Rising Star” and “Next Generation Lawyer” for privacy and cybersecurity, Brittany assists clients in identifying, evaluating, and managing a panoply of global privacy and information security risks and compliance issues. She helps companies design enterprise-wide, robust privacy and cybersecurity programs and routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use. A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from boards of directors, consumers, media, and potential acquiring companies in a deal setting. She received her J.D. from Washington University in St. Louis School of Law in 2009 and her B.A. from the University of Notre Dame, cum laude, in 2006. She is admitted to practice in the state of New York.
Describe your practice area and what it entails.
Our global privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues. On the cybersecurity side, we advise large, multinational companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multijurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from consumers, media, and regulators. We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts in advance of an incident.
In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws; conduct privacy impact assessments; and advise companies on managing risk in connection with extensive and innovative data collection and use.
Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.
What types of clients do you represent?
We represent a diverse group of clients, including retailers, consumer goods companies, energy companies, health care providers, direct marketers, telecommunications and internet service providers, financial institutions and private equity firms, insurance providers, government agencies, electronic publishers, reference services, consumer and business credit reporting agencies, and risk management specialists.
What types of cases/deals do you work on?
The types of projects we work on include:
- Advising on compliance with all U.S. federal and state privacy and information management requirements
- Advising on compliance with all international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive
- Providing comprehensive assistance with significant information security breaches, including directing forensic investigations; customer notification; state and federal regulatory negotiations; discussions with payment card issuers; and public relations, call center, and investor-relations communications and training
- Preventing and managing cyber events
- Assisting with information product life cycle issues, including marketing and analytics activities
- Drafting and negotiating vendor contracts and information use and distribution agreements
- Assisting with dispute resolution, management of consumer concerns, response to allegations of misuse of data, and state and federal investigations (including actions and requests for information from state attorneys general and the Federal Trade Commission)
How did you choose this practice area?
When I was in high school in 1999, I became an original member of a nonprofit group called the Teenangels, which was run by leading cyber lawyer and child advocate Parry Aftab. We went into schools around the country and taught children about responsible and safe use of the internet. We briefed members of Congress, gave interviews to the media, trained teachers and parents, and spoke at major industry conferences. I continued this work through college and law school, including writing my senior thesis on the potential for global privacy convergence in Japan. When I graduated from law school in 2009, the economy was reeling, and law firms were deferring (or letting go) their rising first-year associates. I was deferred from my prior law firm and was advised to look elsewhere for a job. Fortunately, I was introduced to Hunton’s data privacy team by one of my long-term mentors, and the rest is history.
What is a typical day like and/or what are some common tasks you perform?
No day is the same—that’s what makes what we do so interesting! On any given day, we advise companies on data breaches and compliance with applicable privacy laws, negotiate vendor agreements, conduct privacy impact assessments, and develop appropriate policies and procedures.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
There are far more opportunities now than there ever were to learn about data privacy and security law. I would encourage anyone interested in this field to read as much as they can—this includes taking classes and signing up for privacy and cybersecurity blogs and newsletters. There are also privacy and cybersecurity courses and certifications that you can obtain. That said, you don’t need to have studied privacy and cybersecurity law in order to have a successful career in this field. The key is to be naturally curious, think critically, and never stop learning—particularly given this practice area changes daily!
What is the most challenging aspect of practicing in this area?
The most challenging (but also the most interesting) aspect of this practice is the pace at which data privacy and cybersecurity rules and the related technologies are changing.
What do you like best about your practice area?
Given that the core of our practice is data, we have a unique ability to work on matters of significance that impact individuals across cultures, jurisdictions, and socioeconomic backgrounds. It’s incredibly rewarding to know that our work has a direct impact on how organizations use, share, and protect individuals’ personal information and can promote sound data practices that also provide significant value to the clients we represent.
What misconceptions exist about your practice area?
Some may assume that you need to have studied privacy or cybersecurity or have a technical background to practice in this space. That is not true! As long as you are naturally curious, think critically, and thrive on an endless pursuit of learning, you will have the key skills essential to flourishing in this practice area.
What are some typical tasks that a junior lawyer would perform in this practice area?
One of the best parts of being a data privacy and cybersecurity attorney is that you get to engage in substantive work early on as long as you are proactive and demonstrate good judgment and strategic thinking. Our junior associates work on all matters, from conducting legal analysis to preparing breach notification materials to updating privacy notices and developing privacy impact assessments to negotiating complex vendor data privacy and security agreements.