GPSolo Magazine

GPSolo March/April 2024: Niche Areas of Law Practice

Privacy and Cybersecurity Law

Lily Li

Summary

  • Data privacy and cybersecurity law rewards lawyers who are comfortable with new technologies and, more importantly, comfortable advising clients on legal ambiguity.
  • The practice area is varied, depending on whether an attorney focuses on incident response, proactive privacy consulting and compliance, or cybersecurity risk assessments and audits.
  • Obtaining technical competence in the field is important, but it is equally important to develop a network of subject matter experts in cybersecurity, forensics, and related data privacy fields.

Data privacy and cybersecurity law is a fast-moving practice area. This field rewards lawyers who are comfortable with new technologies and, more importantly, comfortable advising clients on legal ambiguity. With each legislative session, our country passes yet another state privacy law. This adds complexity to an existing web of laws covering health care, financial, and children’s data, which further exist within the context of foreign data privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law. The practice area is varied, and the day-to-day work differs dramatically depending on whether an attorney focuses on incident response, proactive privacy consulting and compliance, or cybersecurity risk assessments and audits.

One Practice Area or Four?

For those in incident response, the practice resembles high-tempo litigation. As an attorney, I need to be available to coordinate with client IT and security teams, manage forensic experts, negotiate with adverse parties, and work with cyber insurance. In this line of work, a litigation background is helpful; one must understand the importance of privileged investigations and be aware of class action risk.

On the proactive consulting and compliance side, data privacy operates like a mishmash of tech transactions and international law. A data privacy lawyer needs to be familiar with the internal data lifecycle of a company, from cloud services to customer relationship management to search engine optimization. This understanding forms the basis of privacy policies and external disclosures, along with advice on whether data is being managed, used, and retained properly. For multinational companies, the analysis is more complex. Due to recent court decisions out of the European Union, most companies with a sizeable presence in Europe need further advice and guidance on whether data transfers in and out of Europe and other jurisdictions are lawful. Thus, a data privacy lawyer needs to wear an international hat and follow court and regulatory decisions abroad.

Cybersecurity requirements often dovetail with privacy requirements, but they are two different competencies. On the cybersecurity side, attorneys need to be familiar with cybersecurity standards of such organizations as the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and Center for Internet Security (CIS)—or have a technical expert on speed dial whom they trust and understand. Daily duties may involve reviewing a company’s cybersecurity posture against minimum standards set forth by law (e.g., the New York Cybersecurity Regulation) or industry standards (e.g., the Payment Card Industry (PCI) standard for credit card data). This may also involve substantial contract negotiations with vendors and other data partners on security requirements. In response to customer and regulatory audits, a cybersecurity attorney may also advise companies on how to protect personal and proprietary data during the audit process.

Finally, artificial intelligence (AI) adds an extra layer of interest to data privacy and cybersecurity law. While multiple practice areas, such as intellectual property law and laws governing fake news and disinformation, cover AI and generative large language models (LLMs), data privacy authorities have been the first on the scene to regulate AI. For instance, in a complaint against WW International, Inc., formerly known as Weight Watchers, the Federal Trade Commission (FTC) required the company to destroy algorithms derived from improperly collected children’s data. In Europe, the Italian data protection authority issued a temporary ban on ChatGPT, citing parent company OpenAI’s failure to provide transparent notices regarding how it processes the personal data of users and data subjects (as required under articles 12, 13, and 14 of the GDPR).

Existing data privacy laws, such as the GDPR and the California Consumer Privacy Act, as amended, contemplate the ability to object to or opt out of AI or “automated processing” of personal data. In addition, pending laws in the AI space, such as the European Union AI Act and others, impose transparency and risk assessment requirements that relate to the use (and potential misuse) of personal data. Data privacy and AI law are irrevocably intertwined, and so the data privacy lawyer needs to be aware of AI trends and regulations.

Paths to Data Privacy and Cybersecurity Law

I launched my data privacy and cybersecurity practice, Metaverse Law, in 2018. This followed several years of practice in complex civil, intellectual property, and employment litigation (and a lifetime of love for science fiction and new technologies). While my litigation background was helpful in understanding cyber insurance, contract risk, and class action risk, I do not think this background is required for all attorneys entering this field. There are several successful privacy attorneys who approach data privacy and cybersecurity from a compliance and tech transactions perspective, with a strong background in project management and contract negotiations. Other privacy attorneys hail from a specific industry, such as AdTech (advertising technology) or health care, and so are familiar with the ins and outs of these types of businesses. Given the international component of data privacy and cybersecurity, attorneys licensed in the United States and in foreign jurisdictions are also in demand due to their ability to interpret legal requirements abroad.

For those interested in pursuing data privacy without any prior experience, I highly recommend reviewing the resources available through the International Association of Privacy Professionals (IAPP). There are several introductory videos and resources available on the IAPP website, plus regular events across the country through local IAPP chapters. In addition, many bar associations across the country are creating their own privacy law sections with relevant CLEs and networking events. The Privacy Law Section of the California Lawyers Association is a good example.

Technical Competence

While most attorneys are well-equipped to read privacy statutes and provide general guidance, the field is growing more technical. As an example, recent cases in the privacy space involve analysis of cookies, pixels, and other tracking technologies on websites and other digital interfaces, so some familiarity with website development and ad technologies is helpful. On the cybersecurity side, attorneys need to be familiar with minimum security requirements, such as multifactor authentication (MFA) and encryption standards. Consequently, data privacy attorneys need to take significant non-billable time to learn about technology and security. There are plenty of free resources in the field, from LinkedIn Learning to Udemy to local Information Systems Security Association (ISSA) events.

This may seem daunting at first but should not deter those who are passionate about this space. After all, attorneys are used to handling dense texts and analyzing and remembering new content. So, given enough exposure, attorneys can obtain technical competence in this space.

It behooves data privacy attorneys to remember, however, that they do not operate in a vacuum. Obtaining technical competence in the field is very important to understanding client needs and questions, but it is equally important to develop a network of subject matter experts in cybersecurity, forensics, and related data privacy fields. Luckily, the data privacy community is very welcoming and eager to help new attorneys. We all are tackling a very difficult and ambiguous field, and we often rely on each other to brainstorm solutions to new legislation or case law.

Sticking to Your Niche

Solos and small firms wishing to incorporate data privacy into their practice should be realistic about how much time they are willing to commit to this niche. While it is tempting to make privacy an add-on practice, it is a growing field—tantamount to adding an intellectual property practice or mergers and acquisitions practice to the firm. My recommendation is to go “all in” if you choose data privacy, dedicating a substantial portion of your time to the practice. Otherwise, there is a risk of falling behind regarding new legislation.

Think also about your resources and where you will want to focus your practice area. Do you want a fast-paced incident response practice (which may encroach into your nights and weekends)? Or do you want to focus on an industry or compliance problem? Find the right mix for your firm culture and lifestyle.

If you do choose to go “all in”—welcome! This field is fantastic for new attorneys wishing to establish themselves in a new area. We need all the talent we can get to keep the nation secure, protect individual data, and tackle tough ethical questions concerning AI and personal privacy.