Skip to Main Content

Privacy & Data Security

Overview

Lawyers in this area advise business clients on cyber security issues, including internal security protocols, the collection and storage of personal data, and on how to respond to a data breach. While privacy lawyers are most often called into action in the wake of a data security breach, they also help their clients comply with regulations and counsel on ways to prevent data theft or loss. Lawyers may work on  incidence response teams and can be called on to work long hours after a client’s data has been breached. Data privacy lawyers will also frequently be involved in claims, litigation, and regulatory investigations arising from data security breaches. This is a growing and changing area of law, so lawyers may be regularly dealing with unsettled law and must stay up to date on security technology and emerging threats to IT security, as well as rapidly emerging regulations and case law that can pose challenges to their clients.

Featured Q&A's
Get an insider's view on working in Privacy & Data Security from real lawyers in the practice area.
Theodore J. Kobus III, Partner and Chair—Digital Assets and Data Management Group
BakerHostetler

Describe your practice area and what it entails.

The Digital Assets and Data Management (DADM) practice group is a convergence practice addressing enterprise risks, disputes, compliance, and opportunities through the life cycle of data, technology, advertising, and innovation, including brand strategies and monetization. The DADM group was created to mirror how our clients do business. Leveraging data and technology is a priority for most entities. We have united key service offerings and technologists to address all the risks associated with an entity’s digital assets. Our clients are collecting data and then utilizing advanced technology to transform their products and services. Doing this creates enterprise risk. Our new practice group works with our clients through the life cycle of data—privacy, security, marketing and advertising, transactions, and emerging technology—within an organization.

What types of clients do you represent?

We serve some of the largest names in retail, health care, hospitality, education, and financial services. We also work on small and midsized matters, and these are often the matters that expose us to new trends and risks. Our technologists analyze key data from our matters to help us identify trends, develop insights, and build custom tools to enable digital transformation efforts. The depth and breadth of our group’s experience are unmatched and position us to advise clients on all aspects of managing data and digital assets. Our clients include Marriott, Garmin, Chipotle, Luxottica, Bloomberg, Memorial Sloan Kettering, Claire’s, Cox, Publisher’s Clearing House, Qurate, McDonald’s, and Duke University.

What types of cases/deals do you work on?

I work on a variety of matters and oversee the various teams that support our clients. Most of my legal work involves working with the C-suite and boards regarding compliance issues. Additionally, I lead the defense of regulatory investigations by a multi-state group of attorneys general and other regulators. The other members of the practice group focus on all issues that touch the business life cycle of data, including cybersecurity, privacy, advertising, marketing, tech transactions, artificial intelligence, CCPA, GDPR, and health care compliance as well as increasing the value of data.

How did you choose this practice area?

I was a full-time litigator before I started practicing in this area over 15 years ago. I moved into this area of law because of the opportunity to assist clients with business issues. It is very fulfilling to help clients solve problems and to achieve their business objectives—particularly when they are working at brands that my family and I enjoy.

With the launch of DADM, I get to enjoy everything that revolves around the life cycle of data.

What is a typical day like and/or what are some common tasks you perform?

The year 2020 was unlike any other, causing our entire firm to work in a remote environment. My group rose to the task by embracing technology to conduct video meetings and client consultations and pitches and just generally connecting with one another. There are no typical days. Since the issues facing a company’s assets are not just legal or IT issues, we interact with a lot of other departments—human resources, finance, compliance, internal audit, marketing, consumer affairs, and others.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Understanding technology is extremely important. That knowledge helps with counseling clients on privacy issues related to new products. Also, a deep understanding of technology helps attorneys translate the findings of an investigation to a client or redirect the direction of the investigation. And, of course, understanding technology helps to tackle emerging issues, such as artificial intelligence and blockchain.

What is unique about your practice area at your firm?

The practice is a priority at BakerHostetler, and that is why we created the Digital Assets and Data Management practice group. As The American Lawyer pointed out, this practice is on the same level as other core groups at law firms such as tax, litigation, and business. Also, we were the only law firm to be recognized as a “Pacesetter” in this space by an independent research group associated with The American Lawyer.

What are some typical tasks that a junior lawyer would perform in this practice area?

The type of work varies by team. The one thing that is consistent throughout the teams is that there is direct contact with clients. We think that is very important. This happens in a variety of ways, whether you are working on the defense to a regulatory investigation, managing a breach response, working on consent issues involving the CCPA, or preparing discovery for a litigation we are defending.

How do you see this practice area evolving in the future?

The practice will evolve as technology evolves, and that is why we have an Emerging Tech group in this practice. Data is gold at every company, and every company is in some form a technology company. So as businesses evolve in the way they use and handle data, we too will need to evolve.

What kinds of experience can summer associates gain in this practice area at your firm?

We have had summer associates work on client matters, including compliance projects and incident response. Sometimes our summer associates help us improve the materials we use to train clients with respect to cybersecurity and privacy compliance issues. Other projects include working on surveys of laws globally and helping us prepare our annual Data Security Incident Response Report. We want them to have contact with a variety of teams and projects so that they can see what they really enjoy doing most.

Theodore (“Ted”) J. Kobus III stands at the forefront of issues involving the life cycle of data. Under his direction, the newly launched Digital Assets and Data Management (DADM) practice group has managed thousands of data breach responses and hundreds of regulatory investigations, class action matters, and privacy/compliance projects. The launch of DADM put BakerHostetler at the forefront of the digital risks and assets space. It was the first time a BigLaw firm recognized the importance of this enterprise-wide practice group, and the media and peer firms took notice. Ted has been instrumental in creating a diverse culture within DADM, fostering a sense of inclusion and providing educational and mentorship opportunities. He created a platform that showcases the firm’s female and other diverse attorneys—more than 50 percent of DADM is female and nearly 25 percent of the firm’s attorneys are diverse—many of whom serve in leadership roles in the group. Ted is consistently ranked in Chambers and The Legal 500 and has been named an MVP by Law360 for Privacy and Consumer Protection. He is also a three-time recipient of the Cybersecurity Docket “Incident Response 30.”

Jenna Rode, Counsel
Hunton Andrews Kurth LLP

Describe your practice area and what it entails.

Our Global Privacy and Cybersecurity practice helps companies manage data and mitigate risks at every step of the information life cycle. We advise clients in identifying, evaluating, and managing complex global privacy and information security risks and compliance issues. On the cybersecurity side, we advise large, multinational companies on catastrophic cybersecurity incidents. This includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing inquiries from consumers, media, and regulators. We also advise clients on conducting proactive breach preparedness activities, including developing incident response plans, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts in advance of an incident.

In relation to our privacy compliance practice, we advise clients on state, federal, and international privacy laws, conduct privacy impact assessments, and counsel companies on managing risk in connection with extensive and innovative data collection and use. 

Our privacy and cybersecurity practice is augmented by The Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth, a privacy think tank associated with the firm.

What types of clients do you represent?

We represent a diverse group of clients of all sizes, including retailers, technology companies, cloud providers, media companies, gaming companies, consumer goods manufacturers, energy companies, health care providers, direct marketers, telecommunications and internet service providers, cloud providers, Fintech startups, financial institutions and private equity firms, insurance providers, government agencies, electronic publishers, reference services, security companies, consumer and business credit reporting agencies, and risk management specialists.

What types of cases/deals do you work on?

We advise clients on:

  • Compliance with all U.S. federal and state privacy and information management requirements.
  • Compliance with international data protection laws, including the EU General Data Protection Regulation and e-Privacy Directive.
  • Information security breaches, including directing forensic investigations; customer notification; state and federal reg-
    ulatory negotiations; discussions with payment card issuers; and public relations, call center, and investor relations communications and training.
  • Prevention and management of cyber events.
  • Information product life cycle issues, including marketing and analytics activities.
  • The drafting and negotiation of vendor contracts and information use and distribution agreements.
  • Privacy and data security due diligence in M&A transactions.
  • State and federal investigations and enforcement actions.

How did you choose this practice area?

I have always been interested in consumer protection issues. I was drawn to this area of law because it is so relevant to all of our lives and increasingly more important with the rapid growth and expansion of data-driven technologies. I also love that this field is still in a nascent stage of development. It is exciting to follow new laws and regulations being drafted, debated, and passed in real time. I also have gained great experience interpreting, and advising our clients on how to comply with, new legal developments that often can have a transformative impact on their business practices.

What is a typical day like and/or what are some common tasks you perform?

In a typical day, I might assist a client with the rollout of a new website, app, or online service that involves the processing of personal information; negotiate privacy and data protection clauses in a vendor agreement; draft a privacy notice; counsel a client on employee privacy issues; or advise a client on the privacy and data security risks inherent in an M&A transaction. Because our practice is so wide ranging, every day brings novel and interesting issues to analyze.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

For law school students, I would recommend taking courses that focus on privacy and data protection issues. I would also encourage law students and lateral associates to subscribe to our Privacy and Information Security Law blog, which we update on a near-daily basis with news items and analysis. Our team has also published a privacy and cybersecurity law treatise, updated annually, which provides a comprehensive primer on U.S. and international privacy and data protection laws. Additionally, the International Association of Privacy Professionals (IAPP) is a great resource.

What is the most challenging aspect of practicing in this area?

The most challenging aspect of practicing in the privacy and data protection space is keeping up with the most recent updates in global laws, regulations, guidance, and civil and regulatory actions. Every day seems to bring a breaking news alert. But the fast-paced nature of this area of law also keeps things exciting and new!

What do you like best about your practice area?

Because our practice area is constantly evolving, I appreciate that it’s relatively easy to quickly become an expert in a niche area of the law by staying informed on emerging legislative and regulatory trends. This field truly touches everyone’s lives. It is very meaningful to help our clients comply with the law in a way that enables them to achieve their business goals while also protecting their customers’ and employees’ privacy.

What is unique about your practice area at your firm?

Our practice is a leader in the field and has been recognized by Computerworld magazine, Chambers and Partners, and The Legal 500 as a top firm for privacy and data security counseling. With nearly 50 privacy professionals—including lawyers located across the globe in New York; Washington, DC; London; Brussels; and Beijing—we have 20 years of experience assisting clients of all sizes with various aspects of privacy and data security. We are supported by a carefully vetted worldwide network of knowledgeable data protection lawyers, covering more than 100 countries. Our team works together seamlessly to provide customized, creative, and practical solutions to our clients’ privacy and data security issues.

How do you see this practice area evolving in the future?

I think an omnibus federal privacy law eventually will be passed in the United States. Until then, many states will take California’s lead and pass their own comprehensive privacy laws. Beyond that, advancements in technology, including the increased use of AI and enhanced surveillance technologies, will lead to greater regulatory oversight. Additionally, we will continue to see increased regulatory scrutiny with respect to big tech companies’ handling and protection of user data. Bad actors will only become more sophisticated in their cyber-attack methods, leading to an increase in the number and severity of data security incidents.

Jenna Rode, Counsel—Global Privacy and Cybersecurity Practice

Jenna Rode is counsel in Hunton Andrews Kurth’s New York office and a member of the firm’s Global Privacy and Cybersecurity practice. Jenna regularly assists clients with identifying and managing privacy and data security risks, and she counsels clients on compliance with federal, state, and international privacy and data security laws, with a particular focus on the California Consumer Privacy Act (CCPA), Children’s Online Privacy Protection Act (COPPA), and the EU General Data Protection Regulation (GDPR). Jenna has assisted a number of clients with implementing enterprise-wide privacy compliance programs, drafting website and mobile app privacy notices, and drafting and negotiating privacy and data security terms in commercial contracts and M&A transactions. Jenna also has experience assisting clients with privacy-related issues in the ad tech space, including programmatic advertising, customer matching, and data licensing initiatives. Jenna is active in pro bono work and serves on the Junior Advisory Board of Her Justice, a legal services organization for low-income women in New York. She received her J.D. and B.S. from Fordham University.

Hayley L. Berlin, Counsel
Perkins Coie LLP

Describe your practice area and what it entails.

My practice is a mix of client counseling and litigation. I counsel clients on a wide variety of issues including how to comply with law enforcement processes while protecting their customers’ privacy, data security and governance, and incident response. My litigation practice generally focuses on issues related to national security legal process, First Amendment prior restraint, and the Fourth Amendment.

What types of clients do you represent?

I represent many of the firm’s large technology company clients, the majority of which are household names.

What types of cases/deals do you work on?

I work on a wide array of cases, including those related to the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the First Amendment. I am a member of our firm’s Tech Amicus team and regularly work with our clients as amici to brief novel issues of privacy and constitutional law.

How did you choose this practice area?

I was interested in privacy and First Amendment issues in law school, and when I arrived at Perkins as a summer associate, I discovered that we had a burgeoning Privacy and Security practice with some of the smartest attorneys in the field and a group of amazing clients. Since then, our group has grown substantially, and I feel grateful every day that I get to work with this group of intelligent, thoughtful colleagues and fantastic clients.

What is a typical day like and/or what are some common tasks you perform?

My days vary and can include drafting briefs, researching and drafting analyses related to various (and often novel) legal issues, working with our internal team to develop litigation strategy, and engaging with clients and opposing counsel.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

If your law school offers classes focused on issues related to the First and Fourth Amendments beyond the required first-year courses, take advantage of them. In addition to taking any privacy and internet-related classes your law school may offer, there are a lot of excellent blogs that focus on privacy and national security issues that will help you stay abreast of hot topics and legal developments.

What do you like best about your practice area?

This practice area is exceptionally diverse, which means that I get to work on a diverse group of issues at any given time. The work is intellectually challenging, and I really appreciate that on a daily basis, I am thinking through complex constitutional issues and their application to novel scenarios.

What misconceptions exist about your practice area?

People often equate privacy and security law to data breach preparedness and response, when that’s only a fraction of what this practice involves. Privacy work ranges from class action litigation to data governance to First Amendment prior restraint to national security work. The practice is diverse, and it’s evolving daily.

How do you see this practice area evolving in the future?

This is a practice that will continue to see exponential growth as humans grow more reliant on technology that itself is growing more sophisticated and ubiquitous. As legislation and case law tries (and fails) to keep up with advances in technology and the various ways personal data is tracked and recorded, there will be an ongoing and increasing need for counseling and litigation defense.

Given how quickly technology is evolving, how do you stay ahead of the curve and prepare for issues that may arise?

I read blogs and follow scholars who work on issues that affect my practice. I keep abreast of case law development and legislation. I follow closely any news related to my clients. Most importantly, I work to have close relationships with clients and open lines of communication, which helps ensure that I understand and can anticipate their evolving needs.

Hayley L. Berlin, Counsel—Privacy & Security Law and Commercial Litigation

Hayley Berlin is a member of Perkins Coie’s Privacy & Security Law and Commercial Litigation practices. Hayley regularly litigates on behalf of communications service providers, including social media companies and mobile carriers, on a variety of legal issues, including compliance with and alleged violations of the Electronic Communications Privacy Act (ECPA) and conflicts involving First Amendment and national security law. Additionally, she counsels a wide range of clients on privacy and data security issues.

Hayley’s litigation practice focuses on electronic privacy law, including the federal Stored Communications Act (SCA), the Wiretap Act, the Computer Fraud and Abuse Act (CFAA), and the Foreign Intelligence Surveillance Act (FISA). Hayley handles all aspects of civil litigation in federal and state court, including discovery, dispositive motion practice, dispute resolution and mediation, and trials.

Hayley regularly counsels clients in a variety of industries on their privacy and data security policies and practices. She has conducted extensive enterprise-wide privacy reviews, responded to significant data breaches, developed data breach incident response plans, and counseled clients on related regulatory concerns.

Related Vault Guides
Check out some of Vault's guides that are related to this field.
Top Ranked Firms
Check out the top-ranked law firms in Privacy & Data Security.