Coronavirus Update: Our team is here to help our clients and readers navigate these difficult times. Visit our Resources page now »

Skip to Main Content

Privacy & Data Security

Overview

Lawyers in this area advise business clients on cyber security issues, including internal security protocols, the collection and storage of personal data, and on how to respond to a data breach. While privacy lawyers are most often called into action in the wake of a data security breach, they also help their clients comply with regulations and counsel on ways to prevent data theft or loss. Lawyers may work on  incidence response teams and can be called on to work long hours after a client’s data has been breached. Data privacy lawyers will also frequently be involved in claims, litigation, and regulatory investigations arising from data security breaches. This is a growing and changing area of law, so lawyers may be regularly dealing with unsettled law and must stay up to date on security technology and emerging threats to IT security, as well as rapidly emerging regulations and case law that can pose challenges to their clients.

Featured Q&A's
Get an insider's view on working in Privacy & Data Security from real lawyers in the practice area.
Theodore J. Kobus III, Partner
Baker & Hostetler LLP

Describe your practice area and what it entails.

In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage and use information, comply with regulations, incorporate new technology, and defend against internal and external threats. For more than a decade, different teams at BakerHostetler have been at the forefront of helping clients leverage data and technology to transform their products and services. Following our own advice of using an enterprise approach to address these issues, we prioritized the importance of “data” as it affects the practice of law and merged these teams into a unique multidisciplinary practice group to help clients address the spectrum of issues in this area.

Our services are structured to reflect the business life cycle of data.

What types of clients do you represent?

We represent some of the most well-known names in retail, hospitality, financial services, health care, and education. Our clients include Marriott, Chipotle, Forever 21, Memorial Sloan Kettering, UC Regents, Children’s Hospital of Philadelphia, Sherwin-Williams, McDonalds, Duke University, and QVC.

What types of cases/deals do you work on?

I work on a variety of matters and oversee the various teams that support our clients. Most of my legal work involves working with the C-suite and boards regarding compliance issues. Additionally, I lead the defense of regulatory investigations by a multi-state group of attorneys general and other regulators. The other members of the practice group focus on all issues that touch the business life cycle of data, including cybersecurity, privacy, advertising, marketing, tech transactions, artificial intelligence, CCPA, GDPR, the increase of the value of data, and health care compliance.

How did you choose this practice area?

I was a full-time litigator before I started practicing in this area more than 15 years ago. I moved into this area of law because of the opportunity to assist clients with business issues. It is very fulfilling to help clients solve problems and to achieve their business objectives—particularly when they are working at brands that my family and I enjoy.

What is a typical day like and/or what are some common tasks you perform?

There are no typical days. Some weeks, I am hopping from city to city, visiting clients or speaking. I particularly enjoy being on-site with a client. The face-to-face interaction is terrific, but it also gives me the opportunity to see what their day is like and to meet people across the enterprise. Since the issues facing a company’s assets are not just legal or IT issues, we interact with a lot of other departments—human resources, finance, compliance, internal audit, marketing, consumer affairs, and others.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area? 

Understanding technology is extremely important. That knowledge helps with counseling clients on privacy issues related to new products. Also, a deep understanding of technology helps attorneys translate the findings of an investigation to a client or redirect the direction of the investigation. And, of course, understanding technology helps to tackle emerging issues, such as artificial intelligence and blockchain.

What is unique about your practice area at your firm?

The practice is a priority at BakerHostetler, and that is why we created the Digital Assets and Data Management practice group. As The American Lawyer pointed out, this practice is on the same level as other core groups at law firms, such as tax, litigation, and business.

What are some typical tasks that a junior lawyer would perform in this practice area?

The type of work varies by team. The one thing that is consistent throughout the teams is that there is direct contact with clients. We think that is very important. This happens a variety of ways, whether you are working on the defense to a regulatory investigation, managing a breach response, or preparing discovery for a litigation we are defending.

How do you see this practice area evolving in the future?

The practice will evolve as technology evolves, and that is why we have an Emerging Tech group in this practice. Data is gold at every company, and every company is—in some form—a technology company. So, as businesses evolve in the way they use and handle data, we too will need to evolve.

What kinds of experience can summer associates gain in this practice area at your firm?

We have had summer associates work on client matters, including compliance projects and incident response. Sometimes our summer associates help us improve the materials we use to train clients with respect to cybersecurity and privacy compliance issues. Other projects include working on surveys of laws globally and helping us prepare our annual Data Security Incident Response Report. We want them to have contact with a variety of teams and projects so that they can see what they really enjoy doing most.

Theodore J. Kobus III, Partner—Digital Assets and Data Management

Theodore J. (“Ted”) Kobus III stands at the forefront of privacy and data security. Under his direction, Ted’s group has managed more than 5,000 data breach responses and hundreds of regulatory investigations. In the health care space, he has defended more than 200 OCR investigations and negotiated more privacy/security-related resolution agreements than any other lawyer.

In January 2020, Ted became the firmwide chair of the firm’s newly formed Digital Assets and Data Management (DADM) Practice Group. The DADM group brings preeminent teams together to provide comprehensive counsel on the full range of complex and evolving issues associated with data and technology, including digital innovation, e-commerce, fintech, cybersecurity, consumer privacy, transactions, governance, risk management, and more. Data is everywhere, and every company is—in some form—
a technology company. BakerHostetler created a one-stop enterprise risk solutions option that clients are seeking.

Ted is consistently ranked in Chambers USA: America’s Leading Lawyers for Business and has been named an MVP by Law360 for Privacy and Consumer Protection. Ted has spoken at the National Association of Attorneys General in a closed session, as well as at the DOJ’s National Security Cyber Specialist’s Training Conference.

Ted is also a member of the firm’s Policy Committee.

Maki DePalo, Partner • Katherine Doty Hanniford, Senior Associate
Alston & Bird LLP

Describe your practice area and what it entails.

Maki: I advise clients on complex technology transactions and data privacy and cybersecurity compliance and risk management. Leveraging my background in technology and global business, my work includes conducting privacy impact assessments, facilitating cybersecurity incident preparedness, strengthening vendor management, and operationalizing compliance with evolving data protection laws, including most recently the CCPA.

Kate: Focusing on cybersecurity, privacy compliance, and enforcement, I help clients resolve data security issues proactively or navigate them under scrutiny during a cybersecurity examination, investigation, or complex breach. My practice includes creating preventive compliance plans, implementing security programs, and putting safeguards into place to comply with the law at the state and federal levels.

What types of clients do you represent?

Maki: I have done extensive work with highly regulated industry clients, like those in the health care and financial institution spaces. With the recent introduction of the General Data Protection Regulation and the CCPA, which are non-industry specific and comprehensive, I have expanded into many new industries and companies of various sizes. All my clients have unique needs depending on their industry, size, or what they do. We work very closely with clients to make sure decisions match their DNA. Cookie-cutter programs and solutions rarely work.

Kate: In financial services, I represent SEC-registered investment advisers, broker-dealers, and private and public companies. I also assist health care plans and insurance companies in their incident response efforts and follow-up regulatory inquiries. In the last two years, I have handled breach response efforts for two of the largest HIPAA breaches in the country.

What types of cases/deals do you work on?

Maki: A lot of my work centers on fixing a problem for a company, and some focuses on creating proactive compliance programs. Right now, I’m working on a lot of CCPA-related work for companies. We also see more M&A support. Only a few years ago, we had to convince clients to review privacy and security diligence before purchasing a company. These days, those issues are increasingly top of mind.

Kate: For some clients, my practice involves responding to data security incidents. I review technical analyses from forensic firms and then take those findings and integrate and enhance them into policies and procedures to meet industry and regulator expectations. I also advise SEC registrants on securities enforcement and compliance matters. My work often includes the investigation and coordination of compliance programs, with an eye toward intense regulatory scrutiny and any follow-on litigation that may arise. I actively monitor cybersecurity-related legislative and regulatory developments at the state and federal levels to provide needed advice on potential impacts so my clients can stay ahead of the curve.

How did you choose this practice area?

Maki: Before I went to law school, I served as a technical and business transformation leader for one of the world’s largest information technology and security services companies, delivering method-based consultation and IT service management. In my role, I often sought the counsel of attorneys. I soon realized that I wanted to be that counsel. I took my skill sets and passion for technology and went into law, which allowed me to help businesses leverage new technology effectively and efficiently to bring value.

Kate: This is a developing area of the law. Technology constantly changes, and the cyber-threat landscape has evolved with those developments. It’s an attractive mix. I get to translate technical and legal requirements in a dynamic and growing field to help clients fix problems. It is both challenging and rewarding to work simultaneously with security, legal, and compliance stakeholders to reach an understanding and move forward in a way that makes sense.

What is a typical day like and/or what are some common tasks you perform?

Maki: In a world where there is a lot of change, client communication is the constant. While there is no typical day and tasks vary, I am always communicating with clients. This could be a call, an in-person work session, or overseas travel to meet with a client for a tabletop to simulate a breach. The daily communications are critical to our success and collaboration.

Kate: Every day brings interesting problems to solve. The one constant is the analysis of interesting or novel fact patterns under changing and/or multiple legal standards. Otherwise, there is no typical day in breach response because it is crisis management. I gather and analyze facts and information as events unfold, advise on containment and remediation, and drive the legal analysis to assess the client’s obligations. I try to use that experience to help strengthen the client’s program in the long term. While doing this, I also need to make sure the trains run on time and that we are exceeding client expectations.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Maki: Having an aptitude in or understanding of the evolving technology is key to honing your skills. Following market trends and their business impact helps keep your antennas up. In addition, the International Association of Privacy Professionals (IAPP) offers a wealth of information online and certification programs that can be a great place to start. I would also suggest working on your communications skills. To be a good lawyer, you need to be a great communicator. And you also need to be a great listener so you can hear what your client not only said, but meant.

Kate: Because privacy and data security are multidisciplinary and evolving areas, my recommendation would be to expose yourself to as much as possible to gain a solid background of the basic U.S. and international legal frameworks. Read as much and as widely as you can. Take national security law classes, but coursework in corporations, securities, and administrative law also can be helpful. Understand the business world and pressures on the client. An IAPP certification can help set yourself apart and develop a deeper understanding of the area.

What is the most challenging aspect of practicing in this area?

Maki: The only constant in this practice is change, including the technology, the laws, and the regulations. On top of that, consumer expectations are evolving and getting harder. All of this creates a challenging mix for privacy and data security attorneys.

Kate: Technology is fast and ever evolving, and so is the world of data security. The 24/7 news cycle only adds new pressures in the breach context. Information security is tailored to the entity, and every client is different and has unique risks and priorities. We need to figure out what’s best for each and find a practical solution.

What do you like best about your practice area?

Maki: The challenges of the area, for me, are the rewards. Because of the constant change, we must work very closely and collaborate with clients. We analyze problems, create solutions, and consider the larger business goals to identify the right strategy and approach together.

Kate: I love the fast-paced nature of my work. I enjoy being put to the test to make good decisions on a short and unexpected timeframe. I also enjoy the collaboration with the clients, various stakeholders, and especially my Alston & Bird team. I work with talented attorneys who bring unparalleled experience to work every day.

What is unique about your practice area at your firm?

Maki: My practice area is one of the fastest-growing areas at the firm. We’re expanding in headcount and in different locations. One of the key differentiators is that the practice lends itself to cross-disciplinary collaboration. Almost every matter we work on involves leveraging different expertise across other practice areas, such as health care, financial services, labor and employment, or litigation.

Kate: We have a very collaborative approach to our work, which speaks to the culture at Alston & Bird. I value how we work together in teams. I also love how I can work on cybersecurity and securities matters at the same time.

What are some typical career paths for lawyers in this practice area?

Maki: There are certainly traditional paths, but one of the more exciting aspects of this area is that we see many nontraditional trajectories, whether it be growing into a role like the chief privacy officer, becoming an entrepreneur, teaching, or going into the public sector. This practice is rewarding because you can become a trailblazer and craft your own career. The sky is the limit.

Kate: Data security is a relatively new area of the law, so we’re just starting to see associates who know early on that they want to pursue it. There is still great allowance for those who take circuitous paths to get to this area. If you have specialty or industry knowledge, like in health care or financial services, data security can be an exciting area to explore if you enjoy taking on big and fast challenges.

Maki DePalo, Partner, and Katherine Doty Hanniford, Senior Associate — Privacy & Data Security

Maki DePalo is a client advocate and a problem-solver who leverages more than a decade of technical leadership and international business experience as an integral component of her law practice. She advises clients on global data privacy, cybersecurity, California Consumer Privacy Act (CCPA) compliance programs, incident preparedness initiatives, and technology transactions, enabling businesses to success-fully navigate new challenges in an ever-evolving digital landscape. Maki’s background and experience in global business, technology, and health care provide her with unique insight into her clients’ business objectives, which results in practical legal counsel with actionable plans.

Katherine (“Kate”) Doty Hanniford is a senior associate on Alston & Bird’s Technology & Privacy and Cybersecurity Preparedness & Response teams, focusing on cybersecurity and privacy compliance and enforcement. She has provided advice on a range of cybersecurity topics, including compliance with various cybersecurity standards, management of cyber risk at all levels of the enterprise, cybersecurity governance, and appropriate responses to security incidents. Kate also assists securities-industry clients with compliance with SEC and FINRA rules and standards, including SEC (OCIE) examination preparation and enforcement matters, as well as Reg SCI and cybersecurity preparedness.

Cecillia X. Xie, Associate
Morrison & Foerster LLP

Describe your practice area and what it entails.

Privacy and data security is a cross-practice that involves a mix of litigation and corporate, as well as counseling. In the litigation bucket, we help clients investigate and respond to data breaches, including conducting interviews, working with law enforcement, and responding to government inquiries regarding the data breach. On the corporate side, we draft agreements governing data sharing, security, and processing obligations generally between parties, as well as advise on the privacy and data security aspects of M&A and investments. For counseling, we assist our clients with creating privacy-compliance programs and structuring security-incident-response processes. Counseling also entails significant “product” work, such as helping a client decide what categories of information to collect through a new product/service, brainstorming what privacy features and settings in a product should look like, and advising on the limits of uses and disclosures for any collected information. In addition, there can be overlaps with employment when, for example, we advise companies on employee monitoring programs and with national security, such as when clients come to us with questions about implementing advanced defensive measures against cyber attacks.

What types of clients do you represent?

We represent everything from small startups that are looking to sign their first customer to large, established multinational corporations. I have represented a significant number of tech firms, as well as companies outside of the classical “tech” sector, including in the hospitality, consumer products, and media sectors. I also have done work for large financial institutions and private equity firms.

What types of cases/deals do you work on?

The litigation matters I work on pertain to investigating a security incident/data breach or responding to a government inquiry about a security incident/data breach. These matters typically involve coordinating forensic and document reviews with meetings and written responses to government agencies or law enforcement. For deals, in addition to the M&A and investments work described above, I also work on joint ventures (due to the necessary sharing of data implicated), service provider agreements that involve a service provider processing data on behalf of a company, and privacy policies and terms and conditions for consumer-facing products or services.

How did you choose this practice area?

For me, privacy and data security is the most dynamic but also most personal practice area of law. Growing up with technology and new gadgets every year, I loved the convenience and new capabilities that such technology afforded me. I became aware, however, of the privacy implications of these new tools as schools and parents rolled out GPS tracking and device monitoring for their children. It was baffling to me that there were so few laws regulating those types of activities, even by private corporations. I studied privacy issues in college and law school as a result, and upon graduation, I was thrilled to see that law firms were beginning to grow their privacy practices in response to the privacy issues that I felt were so omnipresent when I was younger.

What is a typical day like and/or what are some common tasks you perform?

My day can vary greatly depending on what hat I’m wearing for a matter. Sometimes, I am able to set aside the whole day to research or think about a new privacy law and write a memo for a client analyzing the new law’s applicability to, and obligations for, the client. Most other days, however, involve greater intermittent partner and client contact—phone calls to discuss, for example, privacy considerations as the client develops a service or as the client looks to acquire a company. For a breach response, my days can be filled with back-to-back calls with the client’s legal and information security departments, the forensic investigator, and law enforcement, which, surprisingly, resembles the hectic-but-exciting crisis management scenes in movies. Common tasks also include commenting on draft privacy and data security provisions in contracts, reviewing or drafting privacy policies, corresponding with regulators, and summarizing of relevant laws and issues for clients.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Keeping up with the new capabilities of technology is extremely helpful—facility and familiarity with how your own personal information is used in the apps and services you use readily translate to facility and familiarity with your clients’ products. Because privacy involves reading and interpreting new legislation, legislation/regulation classes and experience are also helpful. Privacy also intersects with data use more generally, so intellectual property is great training. Above all, critical thinking is essential, no matter what training, class, or experience it’s developed as a part of.

What is unique about your practice area at your firm?

Unlike at many other firms, privacy is its own practice group at MoFo, which is fantastic. This specialization and trove of resources mean that I am confident that I will not miss key legal developments in privacy and that I have many colleagues to debate with and bounce ideas off, which is particularly important due to the unsettled nature of privacy law. We have an excellent group culture where all partners and associates know each other, partners earnestly solicit and value associate opinions, and associates can take on lots of responsibility early on.

How do you see this practice area evolving in the future?

With the advent of the GDPR in Europe and the CCPA in the United States, privacy is only growing as a practice area, which is what makes the practice area so exciting. Other countries and individual states in the U.S. are introducing privacy legislation in the wake of the newfound attention on privacy, so the practice looks like it will continue to be even more multijurisdictional and will require mastery of a continually changing patchwork privacy regime. While it’s impossible to predict how the privacy and data security laws will evolve, I can say that it won’t be boring!

What are some typical career paths for lawyers in this practice area?

There are a growing number of in-house privacy opportunities at large companies and startups, as well as growing privacy groups at law firms. Privacy also overlaps with work in government and nonprofit organizations, such as the Mozilla Foundation, the Electronic Frontier Foundation, and the Electronic Privacy Information Center. Similar to the fact that privacy work itself spans several law firm practice groups, typical career paths for privacy lawyers can span numerous industries and sectors, both public and private, big and small.

Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?

I’m a firm believer that doing is one of the best ways of learning. I keep an eye out for whatever the hot new app or product is at the moment and then download and try it out for myself, including reading its privacy policy before downloading. As I play around, I make notes to myself about what information was asked for and when, what was clear to me as I clicked around, and what surprised me. As long as you stay curious and open‑minded about quickly evolving technology, it’s easy (and fun) to prepare for new issues that may arise.

Cecillia X. Xie, Associate — Litigation

Cecillia Xie advises clients across various sectors worldwide on strategies for managing privacy and data security risks. She has substantial experience counseling on privacy and cybersecurity issues in product development, corporate transactions—including joint ventures and M&A—and data breach preparation and response.

Cecillia assists both multinationals and startups with navigating the complex and emerging privacy regulatory regimes in the United States and internationally, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR). She has extensive experience in legal research, as well as drafting and negotiating privacy and data security provisions in contracts. She is also well versed with the novel privacy issues in the online advertising space.

Cecillia is a lecturer in computer science at Yale University, where she teaches Intellectual Property in the Digital Age.

Cecillia earned her J.D. from Harvard Law School, where she served as speakers editor for the Journal of Law & Technology and president of the Child & Youth Advocates. During law school, Cecillia interned at the U.S. Department of Justice in the Computer Crime & Intellectual Property Section (CCIPS). She received her B.A., cum laude, in economics from Yale University.

Brittany M. Bacon, Partner
Hunton Andrews Kurth LLP

Describe your practice area and what it entails.

Our global privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues. On the cybersecurity side, we advise large, multinational companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multijurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from consumers, media, and regulators. We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts in advance of an incident.

In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws; conduct privacy impact assessments; and advise companies on managing risk in connection with extensive and innovative data collection and use. 

Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.

What types of clients do you represent?

We represent a diverse group of clients, including retailers, consumer goods companies, energy companies, health care providers, direct marketers, telecommunications and internet service providers, financial institutions and private equity firms, insurance providers, government agencies, electronic publishers, reference services, consumer and business credit reporting agencies, and risk management specialists.

What types of cases/deals do you work on?

The types of projects we work on include:

  • Advising on compliance with all U.S. federal and state privacy and information management requirements
  • Advising on compliance with all international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive
  • Providing comprehensive assistance with significant information security breaches, including directing forensic investigations; customer notification; state and federal regulatory negotiations; discussions with payment card issuers; and public relations, call center, and investor-relations communications and training
  • Preventing and managing cyber events
  • Assisting with information product life cycle issues, including marketing and analytics activities
  • Drafting and negotiating vendor contracts and information use and distribution agreements
  • Assisting with dispute resolution, management of consumer concerns, response to allegations of misuse of data, and state and federal investigations (including actions and requests for information from state attorneys general and the Federal Trade Commission)

How did you choose this practice area?

When I was in high school in 1999, I became an original member of a nonprofit group called the Teenangels, which was run by leading cyber lawyer and child advocate Parry Aftab. We went into schools around the country and taught children about responsible and safe use of the internet. We briefed members of Congress, gave interviews to the media, trained teachers and parents, and spoke at major industry conferences. I continued this work through college and law school, including writing my senior thesis on the potential for global privacy convergence in Japan. When I graduated from law school in 2009, the economy was reeling, and law firms were deferring (or letting go) their rising first-year associates. I was deferred from my prior law firm and was advised to look elsewhere for a job. Fortunately, I was introduced to Hunton’s data privacy team by one of my long-term mentors, and the rest is history.

What is a typical day like and/or what are some common tasks you perform?

No day is the same—that’s what makes what we do so interesting! On any given day, we advise companies on data breaches and compliance with applicable privacy laws, negotiate vendor agreements, conduct privacy impact assessments, and develop appropriate policies and procedures.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

There are far more opportunities now than there ever were to learn about data privacy and security law. I would encourage anyone interested in this field to read as much as they can—this includes taking classes and signing up for privacy and cybersecurity blogs and newsletters. There are also privacy and cybersecurity courses and certifications that you can obtain. That said, you don’t need to have studied privacy and cybersecurity law in order to have a successful career in this field. The key is to be naturally curious, think critically, and never stop learning—particularly given this practice area changes daily!

What is the most challenging aspect of practicing in this area?

The most challenging (but also the most interesting) aspect of this practice is the pace at which data privacy and cybersecurity rules and the related technologies are changing.

What do you like best about your practice area?

Given that the core of our practice is data, we have a unique ability to work on matters of significance that impact individuals across cultures, jurisdictions, and socioeconomic backgrounds. It’s incredibly rewarding to know that our work has a direct impact on how organizations use, share, and protect individuals’ personal information and can promote sound data practices that also provide significant value to the clients we represent.

What misconceptions exist about your practice area?

Some may assume that you need to have studied privacy or cybersecurity or have a technical background to practice in this space. That is not true! As long as you are naturally curious, think critically, and thrive on an endless pursuit of learning, you will have the key skills essential to flourishing in this practice area.

What are some typical tasks that a junior lawyer would perform in this practice area?

One of the best parts of being a data privacy and cybersecurity attorney is that you get to engage in substantive work early on as long as you are proactive and demonstrate good judgment and strategic thinking. Our junior associates work on all matters, from conducting legal analysis to preparing breach notification materials to updating privacy notices and developing privacy impact assessments to negotiating complex vendor data privacy and security agreements.

Brittany M. Bacon, Partner — Corporate

Recognized widely as a “Rising Star” and “Next Generation Lawyer” for privacy and cybersecurity, Brittany assists clients in identifying, evaluating, and managing a panoply of global privacy and information security risks and compliance issues. She helps companies design enterprise-wide, robust privacy and cybersecurity programs and routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use. A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from boards of directors, consumers, media, and potential acquiring companies in a deal setting. She received her J.D. from Washington University in St. Louis School of Law in 2009 and her B.A. from the University of Notre Dame, cum laude, in 2006. She is admitted to practice in the state of New York.

Julie Schwartz, Partner • Nicola Carah Menaldo, Counsel
Perkins Coie LLP

Describe your practice area and what it entails.

Julie: I am a litigator, and I specialize in handling disputes relating to user data on our clients’ platforms. Some of the attorneys in our group have more of a mixed practice, and they both litigate and provide counseling to our clients. The law in this area is evolving quickly, so there is always new legislation and case law relating to this work.

Nicola: My practice consists of approximately two-thirds litigation and one-third counseling in the areas of privacy and data security. Most of my litigation work involves defending technology companies in class actions related to alleged privacy issues. The counseling side of my practice generally involves digging deep into statutes and regulations to help clients apply those statutes and regulations to new and emerging technologies and issues. However, these are just examples. What I love about my practice is that it is varied and that I am always learning and doing new things. It is difficult to describe in a few words the varied work that comes across my desk each day.

What types of clients do you represent?

Julie: I work with a wide variety of the firm’s large technology clients, including many (like Google) that are household names.

Nicola: Most of my clients are in the technology industry, though I also have retail clients and utility clients, as well as clients that do not fall into any of those buckets.

What types of cases/deals do you work on?

Julie: I handle litigation that arises from the alleged collection and use of user data. These cases may be private party litigation, class actions, or even cases brought by the attorney general; they most often involve invasion of privacy claims or claims under consumer protection laws prohibiting deceptive or unfair practices.

Nicola: The great majority of my cases are privacy class actions. For example, I defended Google in a landmark class action alleging that aspects of Google Photos violated the Illinois Biometric Information Privacy Act. Following discovery, our team obtained a summary judgment victory on the ground that the plaintiffs had not suffered an injury sufficient to establish Article III standing. I also do appellate work, generally in the capacity of representing clients as amici in matters that are important to them. For example, representing Dropbox Inc., Google Inc., and other clients, I filed a brief with the New York Supreme Court arguing that recipients of warrants issued under the Stored Communications Act have a pre-execution right of review and that indefinite gag orders issued in conjunction with such warrants violate the First Amendment.

How did you choose this practice area?

Julie: I started out as a general commercial litigator. Over time, I began working on matters for our firm’s technology clients, and I found the issues they faced extremely interesting. Working as a privacy lawyer allows me to work on cutting-edge matters in an area that is constantly changing to address novel legal issues.

Nicola: I knew even before going to law school that I wanted to work at the intersection of law and technology because the issues are challenging, interesting, and ever-changing. Over the course of law school and summer jobs, I also realized that the parts of practicing law that I like best are writing, oral advocacy, and working with teams. For those reasons, I chose to be a litigator. When I arrived at Perkins Coie, I discovered a thriving and busy Privacy and Data Security Litigation practice that was full of really smart, intellectually curious, and engaging lawyers. It was, therefore, a no-brainer for me to seek to work in that practice area and with those lawyers.

What is a typical day like and/or what are some common tasks you perform?

Julie: There is no “typical” day since my work changes de-pending on my clients’ immediate needs. On any given day, I may have client meetings, court appearances, or depositions. Often, I spend a good part of my day briefing novel issues for our clients.

Nicola: The type of work I do varies from day to day and includes fact-finding and understanding technology by speaking with in-house counsel, drafting and revising briefs, drafting analyses of products and technologies, working with a litigation team to develop strategy or address discovery issues, and, occasionally, preparing or attending depositions and hearings.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Julie: Someone interested in privacy law should, of course, sign up for law school classes that pertain to this area. Because the law is changing so rapidly, it is good to regularly read up on new developments by reading new cases and experts’ legal blogs.

Nicola: I would recommend a class that introduces you to the basic issues surrounding class action litigation, since that can be difficult to understand initially. I would also recommend classes related to internet law and privacy and data security. A lot of this practice involves applying substantive knowledge of a rapidly changing legal regime to technology and business practices, so it is essential to have a good understanding of that privacy and data legal landscape to practice in this area.

What is unique about your practice area at your firm?

Julie: First, this practice area is unique because it is so new and ever-changing. We get to work on interesting, often unsettled, legal issues for the top companies in the tech world. Also, attorneys in our group can acquire broad experience in both counseling clients on privacy law as well as litigating novel legal issues. Privacy law is challenging (but also endlessly interesting) because it is a relatively new area of the law that is developing and evolving all the time. There is still a lot of uncertainty in the law surrounding new technologies, so this practice keeps me on my toes—there is always something new to learn.

How do you see this practice area evolving in the future?

Nicola: I think privacy and data security law will be growing rapidly in the near and medium term. Personal data is becoming an increasingly important driver of the economy at the same time that society is grappling with how individuals can protect and manage their own personal information. Lawyers in this practice area are going to see a lot of work, ranging from helping clients interpret and comply with new laws to defending litigation asserting new theories and claims related to privacy.

What kinds of experience can summer associates gain in this practice area at your firm?

Julie: Summer associates are assigned the same sort of work that our junior associates handle. They will research legal issues and write memos or sections of court filings. Where appropriate, summer associates are invited to attend client meetings and court appearances. In short, we try to give our summer associates a good idea of the kind of work they would do if they join the firm as a new lawyer.

Given how quickly technology is evolving, how do you stay ahead of it and prepare for issues that may arise?

Julie: Because the law in this area changes so often, I make it a point to regularly read all new legislation and new decisions that affect my practice. The attorneys in the Privacy Law group also share news of important changes to ensure we all stay on top of new developments.

Nicola: I read legal news and case summaries about privacy developments every day and stay attuned to current events generally, which are continually shaping the privacy and data security legal landscape. However, the best way to stay ahead of evolving technology is to understand deeply the clients involved in developing that technology.

Julie Schwartz, Partner, and Nicola Carah Menaldo, Counsel — Commercial Litigation

Julie Schwartz focuses her practice on federal and state court litigation, with an emphasis on internet and technology law. Julie routinely handles unfair competition, false advertising, breach of contract, Communications Decency Act, and First Amendment disputes. She also litigates common law and statutory privacy claims under the Telephone Consumer Protection Act, Wiretap Act, Stored Communications Act, Computer Fraud and Abuse Act, and California’s Song-Beverly Credit Card Act. She is a member of the firm’s Electronic Communications Privacy Act (ECPA) compliance team and works with clients on data security issues and third-party requests for information. In addition, Julie regularly counsels clients on compliance with California’s Proposition 65 law. She has successfully settled numerous Prop 65 disputes for clients in the consumer product space.

Nicola Menaldo represents and counsels technology and retail clients on a wide range of issues central to their business needs, including privacy and data security, marketing, biometrics, scraping and web crawling, machine learning, and international privacy and data security compliance. Nicola’s practice includes counseling and defending clients in class action litigation, as well as product counseling related to product launches and improvements. Nicola also regularly represents parties and amici in appellate matters addressing First Amendment, Fourth Amendment, and privacy-related issues.

Related Vault Guides
Check out some of Vault's guides that are related to this field.
Top Ranked Firms
Check out the top-ranked law firms in Privacy & Data Security.