The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Jenna Rode, Counsel—Global Privacy and Cybersecurity Practice
Jenna Rode is counsel in Hunton Andrews Kurth’s New York office and a member of the firm’s Global Privacy and Cybersecurity practice. Jenna regularly assists clients with identifying and managing privacy and data security risks, and she counsels clients on compliance with federal, state, and international privacy and data security laws, with a particular focus on the California Consumer Privacy Act (CCPA), Children’s Online Privacy Protection Act (COPPA), and the EU General Data Protection Regulation (GDPR). Jenna has assisted a number of clients with implementing enterprise-wide privacy compliance programs, drafting website and mobile app privacy notices, and drafting and negotiating privacy and data security terms in commercial contracts and M&A transactions. Jenna also has experience assisting clients with privacy-related issues in the ad tech space, including programmatic advertising, customer matching, and data licensing initiatives. Jenna is active in pro bono work and serves on the Junior Advisory Board of Her Justice, a legal services organization for low-income women in New York. She received her J.D. and B.S. from Fordham University.
Describe your practice area and what it entails.
Our Global Privacy and Cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues. On the cybersecurity side, we advise large, multinational companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from consumers, media, and regulators. We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts in advance of an incident.
In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws, conduct privacy impact assessments, and counsel companies on managing risk in connection with extensive and innovative data collection and use.
Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.
What types of clients do you represent?
We represent a diverse group of clients of all sizes, including retailers, technology companies, cloud providers, media companies, gaming companies, consumer goods manufacturers, energy companies, health care providers, direct marketers, telecommunications and internet service providers, cloud providers, Fintech startups, financial institutions and private equity firms, insurance providers, government agencies, electronic publishers, reference services, security companies, consumer and business credit reporting agencies, and risk management specialists.
What types of cases/deals do you work on?
We advise clients on:
- Compliance with all U.S. federal and state privacy and information management requirements.
- Compliance with international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive.
- Information security breaches, including directing forensic investigations; customer notification; state and federal regulatory negotiations; discussions with payment card issuers; and public relations, call center, and investor relations communications and training.
- Prevention and management of cyber events.
- Information product life cycle issues, including marketing and analytics activities.
- The drafting and negotiation of vendor contracts and information use and distribution agreements.
- Privacy and data security due diligence in M&A transactions.
- State and federal investigations and enforcement actions.
How did you choose this practice area?
I have always been interested in consumer protection issues. I was drawn to this area of law because it is so relevant to all of our lives and increasingly more important with the rapid growth and expansion of data-driven technologies. I also love that this field is still in a nascent stage of development. It is exciting to follow new laws and regulations being drafted, debated, and passed in real time. I also have gained great experience interpreting, and advising our clients on how to comply with, new legal developments that often can have a transformative impact on their business practices.
What is a typical day like and/or what are some common tasks you perform?
In a typical day, I might assist a client with the rollout of a new website, app, or online service that involves the processing of personal information; negotiate privacy and data protection clauses in a vendor agreement; draft a privacy notice; counsel a client on employee privacy issues; or advise a client on the privacy and data security risks inherent in an M&A transaction. Because our practice is so wide ranging, every day brings novel and interesting issues to analyze.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
For law school students, I would recommend taking courses that focus on privacy and data protection issues. I would also encourage law students and lateral associates to subscribe to our Privacy and Information Security Law blog, which we update on a near-daily basis with news items and analysis. Our team has also published a privacy and cybersecurity law treatise, updated annually, which provides a comprehensive primer on U.S. and international privacy and data protection laws. Additionally, the International Association of Privacy Professionals (IAPP) is a great resource.
What is the most challenging aspect of practicing in this area?
The most challenging aspect of practicing in the privacy and data protection space is keeping up with the most recent updates in global laws, regulations, guidance, and civil and regulatory actions. Every day seems to bring a breaking news alert. But the fast-paced nature of this area of law also keeps things exciting and new!
What do you like best about your practice area?
Because our practice area is constantly evolving, I appreciate that it’s relatively easy to quickly become an expert in a niche area of the law by staying informed on emerging legislative and regulatory trends. This field truly touches everyone’s lives. It is very meaningful to help our clients comply with the law in a way that enables them to achieve their business goals while also protecting their customers’ and employees’ privacy.
What is unique about your practice area at your firm?
Our practice is a leader in the field and has been recognized by Computerworld magazine, Chambers and Partners, and The Legal 500 as a top firm for privacy and data security counseling. With nearly 50 privacy professionals—including lawyers located across the globe in New York; Washington, DC; London; Brussels; and Beijing—we have 20 years of experience assisting clients of all sizes with various aspects of privacy and data security. We are supported by a carefully vetted worldwide network of knowledgeable data protection lawyers, covering more than 100 countries. Our team works together seamlessly to provide customized, creative, and practical solutions to our clients’ privacy and data security issues.
How do you see this practice area evolving in the future?
I think an omnibus federal privacy law eventually will be passed in the United States. Until then, many states will take California’s lead and pass their own comprehensive privacy laws. Beyond that, advancements in technology, including the increased use of AI and enhanced surveillance technologies, will lead to greater regulatory oversight. Additionally, we will continue to see increased regulatory scrutiny with respect to big tech companies’ handling and protection of user data. Bad actors will only become more sophisticated in their cyber-attack methods, leading to an increase in the number and severity of data security incidents.