Data privacy and cybersecurity law is a fast-moving practice area. This field rewards lawyers who are comfortable with new technologies and, more importantly, comfortable advising clients on legal ambiguity. With each legislative session, our country passes yet another state privacy law. Each new statute adds complexity to an existing web of laws covering health care, financial, and children’s data, all of which operate within the context of foreign data privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law. The practice area is varied, and the day-to-day work differs dramatically depending on whether an attorney focuses on incident response, proactive privacy consulting and compliance, or cybersecurity risk assessments and audits.
One Practice Area or Four?
For those in incident response, the practice resembles high-tempo litigation. As an attorney, I need to be available to coordinate with client IT and security teams, manage forensic experts, negotiate with adverse parties, and work with cyber insurance. In this line of work, a litigation background is helpful; one must understand the importance of privileged investigations and be aware of class action risk.
On the proactive consulting and compliance side, data privacy operates like a mishmash of tech transactions and international law. A data privacy lawyer needs to be familiar with the internal data lifecycle of a company, from cloud services to customer relationship management to search engine optimization. This understanding forms the basis of privacy policies and external disclosures, along with advice on whether data is being managed, used, and retained properly. For multinational companies, the analysis is more complex. Due to recent court decisions out of the European Union, most companies with a sizeable presence in Europe need further advice and guidance on whether data transfers in and out of Europe and other jurisdictions are lawful. Thus, a data privacy lawyer needs to wear an international hat and follow court and regulatory decisions abroad.
Cybersecurity requirements often dovetail with privacy requirements, but they are two different competencies. On the cybersecurity side, attorneys need to be familiar with cybersecurity standards of such organizations as the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and Center for Internet Security (CIS)—or have a technical expert on speed dial whom they trust and understand. Daily duties may involve reviewing a company’s cybersecurity posture against minimum standards set forth by law (e.g., the New York Cybersecurity Regulation) or industry standards (e.g., the Payment Card Industry (PCI) standard for credit card data). This may also involve substantial contract negotiations with vendors and other data partners on security requirements. In response to customer and regulatory audits, a cybersecurity attorney may also advise companies on how to protect personal and proprietary data during the audit process.
Finally, artificial intelligence (AI) adds an extra layer of interest to data privacy and cybersecurity law. While multiple practice areas, such as intellectual property law and laws governing fake news and disinformation, cover AI and generative large language models (LLMs), data privacy authorities have been the first on the scene to regulate AI. For instance, in a complaint against WW International, Inc., formerly known as Weight Watchers, the Federal Trade Commission (FTC) required the company to destroy algorithms derived from improperly collected children’s data. In Europe, the Italian data protection authority issued a temporary ban on ChatGPT, citing parent company OpenAI’s failure to provide transparent notices regarding how it processes the personal data of users and data subjects (as required under articles 12, 13, and 14 of the GDPR).
Existing data privacy laws, such as the GDPR and the California Consumer Privacy Act, as amended, contemplate the ability to object to or opt out of AI or “automated processing” of personal data. In addition, pending laws in the AI space, such as the European Union AI Act, impose transparency and risk assessment requirements that relate to the use (and potential misuse) of personal data. Data privacy and AI law are irrevocably intertwined, so the data privacy lawyer needs to be aware of AI trends and regulations.