
Privacy & Data Security


Lawyers in this area advise business clients on cyber security issues, including internal security protocols, the collection and storage of personal data, and on how to respond to a data breach. While privacy lawyers are most often called into action in the wake of a data security breach, they also help their clients comply with regulations and counsel on ways to prevent data theft or loss. Lawyers may work on incident response teams and can be called on to work long hours after a client’s data has been breached. Data privacy lawyers will also frequently be involved in claims, litigation, and regulatory investigations arising from data security breaches. This is a growing and changing area of law, so lawyers may be regularly dealing with unsettled law and must stay up to date on security technology and emerging threats to IT security, as well as rapidly emerging regulations and case law that can pose challenges to their clients.

Featured Q&A's
Get an insider's view on working in Privacy & Data Security from real lawyers in the practice area.
Cecillia X. Xie, Associate
Morrison & Foerster LLP

Describe your practice area and what it entails.

Privacy and data security is a cross-practice that involves a mix of litigation and corporate, as well as counseling. In the litigation bucket, we help clients investigate and respond to data breaches, including conducting interviews, working with law enforcement, and responding to government inquiries regarding the data breach. On the corporate side, we draft agreements governing data sharing, security, and processing obligations generally between parties, as well as advise on the privacy and data security aspects of M&A and investments. For counseling, we assist our clients with creating privacy-compliance programs and structuring security-incident-response processes. Counseling also entails significant “product” work, such as helping a client decide what categories of information to collect through a new product/service, brainstorming what privacy features and settings in a product should look like, and advising on the limits of uses and disclosures for any collected information. In addition, there can be overlaps with employment when, for example, we advise companies on employee monitoring programs and with national security, such as when clients come to us with questions about implementing advanced defensive measures against cyber attacks.

What types of clients do you represent?

We represent everything from small startups that are looking to sign their first customer to large, established multinational corporations. I have represented a significant number of tech firms, as well as companies outside of the classical “tech” sector, including in the hospitality, consumer products, and media sectors. I also have done work for large financial institutions and private equity firms.

What types of cases/deals do you work on?

The litigation matters I work on pertain to investigating a security incident/data breach or responding to a government inquiry about a security incident/data breach. These matters typically involve coordinating forensic and document reviews with meetings and written responses to government agencies or law enforcement. For deals, in addition to the M&A and investments work described above, I also work on joint ventures (due to the necessary sharing of data implicated), service provider agreements that involve a service provider processing data on behalf of a company, and privacy policies and terms and conditions for consumer-facing products or services.

How did you choose this practice area?

For me, privacy and data security is the most dynamic but also most personal practice area of law. Growing up with technology and new gadgets every year, I loved the convenience and new capabilities that such technology afforded me. I became aware, however, of the privacy implications of these new tools as schools and parents rolled out GPS tracking and device monitoring for their children. It was baffling to me that there were so few laws regulating those types of activities, even by private corporations. I studied privacy issues in college and law school as a result, and upon graduation, I was thrilled to see that law firms were beginning to grow their privacy practices in response to the privacy issues that I felt were so omnipresent when I was younger.

What is a typical day like and/or what are some common tasks you perform?

My day can vary greatly depending on what hat I’m wearing for a matter. Sometimes, I am able to set aside the whole day to research or think about a new privacy law and write a memo for a client analyzing the new law’s applicability to, and obligations for, the client. Most other days, however, involve greater intermittent partner and client contact—phone calls to discuss, for example, privacy considerations as the client develops a service or as the client looks to acquire a company. For a breach response, my days can be filled with back-to-back calls with the client’s legal and information security departments, the forensic investigator, and law enforcement, which, surprisingly, resembles the hectic-but-exciting crisis management scenes in movies. Common tasks also include commenting on draft privacy and data security provisions in contracts, reviewing or drafting privacy policies, corresponding with regulators, and summarizing relevant laws and issues for clients.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Keeping up with the new capabilities of technology is extremely helpful—facility and familiarity with how your own personal information is used in the apps and services you use readily translate to facility and familiarity with your clients’ products. Because privacy involves reading and interpreting new legislation, legislation/regulation classes and experience are also helpful. Privacy also intersects with data use more generally, so intellectual property is great training. Above all, critical thinking is essential, no matter what training, class, or experience it’s developed as a part of.

What is unique about your practice area at your firm?

Unlike at many other firms, privacy is its own practice group at MoFo, which is fantastic. This specialization and trove of resources mean that I am confident that I will not miss key legal developments in privacy and that I have many colleagues to debate with and bounce ideas off, which is particularly important due to the unsettled nature of privacy law. We have an excellent group culture where all partners and associates know each other, partners earnestly solicit and value associate opinions, and associates can take on lots of responsibility early on.

How do you see this practice area evolving in the future?

With the advent of the GDPR in Europe and the CCPA in the United States, privacy is only growing as a practice area, which is what makes the practice area so exciting. Other countries and individual states in the U.S. are introducing privacy legislation in the wake of the newfound attention on privacy, so the practice looks like it will continue to be even more multijurisdictional and will require mastery of a continually changing patchwork privacy regime. While it’s impossible to predict how the privacy and data security laws will evolve, I can say that it won’t be boring!

What are some typical career paths for lawyers in this practice area?

There are a growing number of in-house privacy opportunities at large companies and startups, as well as growing privacy groups at law firms. Privacy also overlaps with work in government and nonprofit organizations, such as the Mozilla Foundation, the Electronic Frontier Foundation, and the Electronic Privacy Information Center. Similar to the fact that privacy work itself spans several law firm practice groups, typical career paths for privacy lawyers can span numerous industries and sectors, both public and private, big and small.

Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?

I’m a firm believer that doing is one of the best ways of learning. I keep an eye out for whatever the hot new app or product is at the moment and then download and try it out for myself, including reading its privacy policy before downloading. As I play around, I make notes to myself about what information was asked for and when, what was clear to me as I clicked around, and what surprised me. As long as you stay curious and open‑minded about quickly evolving technology, it’s easy (and fun) to prepare for new issues that may arise.

Cecillia X. Xie, Associate — Litigation

Cecillia Xie advises clients across various sectors worldwide on strategies for managing privacy and data security risks. She has substantial experience counseling on privacy and cybersecurity issues in product development, corporate transactions—including joint ventures and M&A—and data breach preparation and response.

Cecillia assists both multinationals and startups with navigating the complex and emerging privacy regulatory regimes in the United States and internationally, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and the General Data Protection Regulation (GDPR). She has extensive experience in legal research, as well as drafting and negotiating privacy and data security provisions in contracts. She is also well versed with the novel privacy issues in the online advertising space.

Cecillia is a lecturer in computer science at Yale University, where she teaches Intellectual Property in the Digital Age.

Cecillia earned her J.D. from Harvard Law School, where she served as speakers editor for the Journal of Law & Technology and president of the Child & Youth Advocates. During law school, Cecillia interned at the U.S. Department of Justice in the Computer Crime & Intellectual Property Section (CCIPS). She received her B.A., cum laude, in economics from Yale University.

Brittany M. Bacon, Partner
Hunton Andrews Kurth LLP

Describe your practice area and what it entails.

Our global privacy and cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues. On the cybersecurity side, we advise large, multinational companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multijurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from consumers, media, and regulators. We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts in advance of an incident.

In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws; conduct privacy impact assessments; and advise companies on managing risk in connection with extensive and innovative data collection and use. 

Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.

What types of clients do you represent?

We represent a diverse group of clients, including retailers, consumer goods companies, energy companies, health care providers, direct marketers, telecommunications and internet service providers, financial institutions and private equity firms, insurance providers, government agencies, electronic publishers, reference services, consumer and business credit reporting agencies, and risk management specialists.

What types of cases/deals do you work on?

The types of projects we work on include:

  • Advising on compliance with all U.S. federal and state privacy and information management requirements
  • Advising on compliance with all international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive
  • Providing comprehensive assistance with significant information security breaches, including directing forensic investigations; customer notification; state and federal regulatory negotiations; discussions with payment card issuers; and public relations, call center, and investor-relations communications and training
  • Preventing and managing cyber events
  • Assisting with information product life cycle issues, including marketing and analytics activities
  • Drafting and negotiating vendor contracts and information use and distribution agreements
  • Assisting with dispute resolution, management of consumer concerns, response to allegations of misuse of data, and state and federal investigations (including actions and requests for information from state attorneys general and the Federal Trade Commission)

How did you choose this practice area?

When I was in high school in 1999, I became an original member of a nonprofit group called the Teenangels, which was run by leading cyber lawyer and child advocate Parry Aftab. We went into schools around the country and taught children about responsible and safe use of the internet. We briefed members of Congress, gave interviews to the media, trained teachers and parents, and spoke at major industry conferences. I continued this work through college and law school, including writing my senior thesis on the potential for global privacy convergence in Japan. When I graduated from law school in 2009, the economy was reeling, and law firms were deferring (or letting go) their rising first-year associates. I was deferred from my prior law firm and was advised to look elsewhere for a job. Fortunately, I was introduced to Hunton’s data privacy team by one of my long-term mentors, and the rest is history.

What is a typical day like and/or what are some common tasks you perform?

No day is the same—that’s what makes what we do so interesting! On any given day, we advise companies on data breaches and compliance with applicable privacy laws, negotiate vendor agreements, conduct privacy impact assessments, and develop appropriate policies and procedures.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

There are far more opportunities now than there ever were to learn about data privacy and security law. I would encourage anyone interested in this field to read as much as they can—this includes taking classes and signing up for privacy and cybersecurity blogs and newsletters. There are also privacy and cybersecurity courses and certifications that you can obtain. That said, you don’t need to have studied privacy and cybersecurity law in order to have a successful career in this field. The key is to be naturally curious, think critically, and never stop learning—particularly given this practice area changes daily!

What is the most challenging aspect of practicing in this area?

The most challenging (but also the most interesting) aspect of this practice is the pace at which data privacy and cybersecurity rules and the related technologies are changing.

What do you like best about your practice area?

Given that the core of our practice is data, we have a unique ability to work on matters of significance that impact individuals across cultures, jurisdictions, and socioeconomic backgrounds. It’s incredibly rewarding to know that our work has a direct impact on how organizations use, share, and protect individuals’ personal information and can promote sound data practices that also provide significant value to the clients we represent.

What misconceptions exist about your practice area?

Some may assume that you need to have studied privacy or cybersecurity or have a technical background to practice in this space. That is not true! As long as you are naturally curious, think critically, and thrive on an endless pursuit of learning, you will have the key skills essential to flourishing in this practice area.

What are some typical tasks that a junior lawyer would perform in this practice area?

One of the best parts of being a data privacy and cybersecurity attorney is that you get to engage in substantive work early on as long as you are proactive and demonstrate good judgment and strategic thinking. Our junior associates work on all matters, from conducting legal analysis to preparing breach notification materials to updating privacy notices and developing privacy impact assessments to negotiating complex vendor data privacy and security agreements.

Brittany M. Bacon, Partner — Corporate

Recognized widely as a “Rising Star” and “Next Generation Lawyer” for privacy and cybersecurity, Brittany assists clients in identifying, evaluating, and managing a panoply of global privacy and information security risks and compliance issues. She helps companies design enterprise-wide, robust privacy and cybersecurity programs and routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use. A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from boards of directors, consumers, media, and potential acquiring companies in a deal setting. She received her J.D. from Washington University in St. Louis School of Law in 2009 and her B.A. from the University of Notre Dame, cum laude, in 2006. She is admitted to practice in the state of New York.

Julie Schwartz, Partner • Nicola Carah Menaldo, Counsel
Perkins Coie LLP

Describe your practice area and what it entails.

Julie: I am a litigator, and I specialize in handling disputes relating to user data on our clients’ platforms. Some of the attorneys in our group have more of a mixed practice, and they both litigate and provide counseling to our clients. The law in this area is evolving quickly, so there is always new legislation and case law relating to this work.

Nicola: My practice consists of approximately two-thirds litigation and one-third counseling in the areas of privacy and data security. Most of my litigation work involves defending technology companies in class actions related to alleged privacy issues. The counseling side of my practice generally involves digging deep into statutes and regulations to help clients apply those statutes and regulations to new and emerging technologies and issues. However, these are just examples. What I love about my practice is that it is varied and that I am always learning and doing new things. It is difficult to describe in a few words the varied work that comes across my desk each day.

What types of clients do you represent?

Julie: I work with a wide variety of the firm’s large technology clients, including many (like Google) that are household names.

Nicola: Most of my clients are in the technology industry, though I also have retail clients and utility clients, as well as clients that do not fall into any of those buckets.

What types of cases/deals do you work on?

Julie: I handle litigation that arises from the alleged collection and use of user data. These cases may be private party litigation, class actions, or even cases brought by the attorney general; they most often involve invasion of privacy claims or claims under consumer protection laws prohibiting deceptive or unfair practices.

Nicola: The great majority of my cases are privacy class actions. For example, I defended Google in a landmark class action alleging that aspects of Google Photos violated the Illinois Biometric Information Privacy Act. Following discovery, our team obtained a summary judgment victory on the ground that the plaintiffs had not suffered an injury sufficient to establish Article III standing. I also do appellate work, generally in the capacity of representing clients as amici in matters that are important to them. For example, representing Dropbox Inc., Google Inc., and other clients, I filed a brief with the New York Supreme Court arguing that recipients of warrants issued under the Stored Communications Act have a pre-execution right of review and that indefinite gag orders issued in conjunction with such warrants violate the First Amendment.

How did you choose this practice area?

Julie: I started out as a general commercial litigator. Over time, I began working on matters for our firm’s technology clients, and I found the issues they faced extremely interesting. Working as a privacy lawyer allows me to work on cutting-edge matters in an area that is constantly changing to address novel legal issues.

Nicola: I knew even before going to law school that I wanted to work at the intersection of law and technology because the issues are challenging, interesting, and ever-changing. Over the course of law school and summer jobs, I also realized that the parts of practicing law that I like best are writing, oral advocacy, and working with teams. For those reasons, I chose to be a litigator. When I arrived at Perkins Coie, I discovered a thriving and busy Privacy and Data Security Litigation practice that was full of really smart, intellectually curious, and engaging lawyers. It was, therefore, a no-brainer for me to seek to work in that practice area and with those lawyers.

What is a typical day like and/or what are some common tasks you perform?

Julie: There is no “typical” day since my work changes depending on my clients’ immediate needs. On any given day, I may have client meetings, court appearances, or depositions. Often, I spend a good part of my day briefing novel issues for our clients.

Nicola: The type of work I do varies from day to day and includes fact-finding and understanding technology by speaking with in-house counsel, drafting and revising briefs, drafting analyses of products and technologies, working with a litigation team to develop strategy or address discovery issues, and, occasionally, preparing or attending depositions and hearings.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Julie: Someone interested in privacy law should, of course, sign up for law school classes that pertain to this area. Because the law is changing so rapidly, it is good to regularly read up on new developments by reading new cases and experts’ legal blogs.

Nicola: I would recommend a class that introduces you to the basic issues surrounding class action litigation, since that can be difficult to understand initially. I would also recommend classes related to internet law and privacy and data security. A lot of this practice involves applying substantive knowledge of a rapidly changing legal regime to technology and business practices, so it is essential to have a good understanding of that privacy and data legal landscape to practice in this area.

What is unique about your practice area at your firm?

Julie: First, this practice area is unique because it is so new and ever-changing. We get to work on interesting, often unsettled, legal issues for the top companies in the tech world. Also, attorneys in our group can acquire broad experience in both counseling clients on privacy law as well as litigating novel legal issues. Privacy law is challenging (but also endlessly interesting) because it is a relatively new area of the law that is developing and evolving all the time. There is still a lot of uncertainty in the law surrounding new technologies, so this practice keeps me on my toes—there is always something new to learn.

How do you see this practice area evolving in the future?

Nicola: I think privacy and data security law will be growing rapidly in the near and medium term. Personal data is becoming an increasingly important driver of the economy at the same time that society is grappling with how individuals can protect and manage their own personal information. Lawyers in this practice area are going to see a lot of work, ranging from helping clients interpret and comply with new laws to defending litigation asserting new theories and claims related to privacy.

What kinds of experience can summer associates gain in this practice area at your firm?

Julie: Summer associates are assigned the same sort of work that our junior associates handle. They will research legal issues and write memos or sections of court filings. Where appropriate, summer associates are invited to attend client meetings and court appearances. In short, we try to give our summer associates a good idea of the kind of work they would do if they join the firm as a new lawyer.

Given how quickly technology is evolving, how do you stay ahead of it and prepare for issues that may arise?

Julie: Because the law in this area changes so often, I make it a point to regularly read all new legislation and new decisions that affect my practice. The attorneys in the Privacy Law group also share news of important changes to ensure we all stay on top of new developments.

Nicola: I read legal news and case summaries about privacy developments every day and stay attuned to current events generally, which are continually shaping the privacy and data security legal landscape. However, the best way to stay ahead of evolving technology is to understand deeply the clients involved in developing that technology.

Julie Schwartz, Partner, and Nicola Carah Menaldo, Counsel — Commercial Litigation

Julie Schwartz focuses her practice on federal and state court litigation, with an emphasis on internet and technology law. Julie routinely handles unfair competition, false advertising, breach of contract, Communications Decency Act, and First Amendment disputes. She also litigates common law and statutory privacy claims under the Telephone Consumer Protection Act, Wiretap Act, Stored Communications Act, Computer Fraud and Abuse Act, and California’s Song-Beverly Credit Card Act. She is a member of the firm’s Electronic Communications Privacy Act (ECPA) compliance team and works with clients on data security issues and third-party requests for information. In addition, Julie regularly counsels clients on compliance with California’s Proposition 65 law. She has successfully settled numerous Prop 65 disputes for clients in the consumer product space.

Nicola Menaldo represents and counsels technology and retail clients on a wide range of issues central to their business needs, including privacy and data security, marketing, biometrics, scraping and web crawling, machine learning, and international privacy and data security compliance. Nicola’s practice includes counseling and defending clients in class action litigation, as well as product counseling related to product launches and improvements. Nicola also regularly represents parties and amici in appellate matters addressing First Amendment, Fourth Amendment, and privacy-related issues.
