The Data Defenders: How Firms Focused on Privacy and Security Make Their Living
Tackling some of the newest and most perilous legal risks, these law firms are defining and protecting life in the information age.
December 11, 2017 at 08:00 AM
With recent news of cyber incidents at Equifax, Deloitte, Verizon, the Democratic National Committee, DLA Piper and Yahoo, to name but a few, cybersecurity and privacy issues have been thrust to the forefront of the national conversation. But for many attorneys, such issues have always been front and center.
Recently, a growing number of law firms focusing solely on privacy and cybersecurity matters have been popping up across the country, buoyed in part by their prescience that “business as usual” faced a reckoning in the age of social media and smartphones. The reasons partners start privacy-focused law firms, however, vary as much as what the firms offer and how they operate. Just as cyber incidents take many shapes and forms, so too do the firms defending, protecting and representing their victims.
The Plaintiffs Privacy Firm
A decade ago, when Jay Edelson decided to launch his eponymous privacy-focused law firm, his colleagues were less than encouraging. “We heard a lot of people telling us, 'You really shouldn't do this, you guys are going to fail because no one cares about privacy,'” he recounts. But Edelson was confident in what he saw as a legal reckoning on the horizon. “We just viewed the world differently,” he says. “We thought there was no way the courts wouldn't come to the conclusion that people needed to have some control over their private data.”
Fast forward 10 years, and Edelson has been involved in many seminal data privacy cases. The firm, for example, was the lead plaintiff's counsel in U.S. Supreme Court privacy case Spokeo, Inc. v. Robins, which concerned whether a plaintiff has standing, under Article III of the Constitution, to bring a case alleging injury against a website that published false personal information.
It has also spearheaded a class action suit against Facebook for the social media company's collection of biometrics data, and led suits against the NBA's Golden State Warriors and NFL's Indianapolis Colts that accused the teams of privacy violations for offering mobile apps that listened to user conversations.
A lot of the actions Edelson brings are “first impression” cases, without much case law or established precedent. In finding a path forward, Edelson has found some reliable strategies. “The first is going to sound like it's not a legal strategy, but it's the most important thing, which is you have to establish an emotional connection to the case,” Edelson says. He explains that one needs to select a case with “good facts” that make it “very clear to the court why a certain type of information would matter to people, and why they would be really concerned” if such information were misused or breached.
The second strategy is to keep it simple. “There is nothing special about data breach cases,” Edelson says, explaining that most data privacy cases can be “essentially breach of contract actions,” or actions based on well-established statutes such as the Wiretap Act or the Electronic Communications Privacy Act.
But it's not just legal strategies that Edelson relies upon to successfully bring and prosecute cases. Technology also plays a central role. The firm has a technology lab staffed by four forensics experts who regularly dissect new products, from Internet of Things (IoT) devices to mobile apps, to proactively uncover data misuse and legally questionable behavior. “We have an ongoing list of devices we are looking at, and in the past two weeks, we bought around 45 different IoT devices,” says Christopher Dore, a partner at Edelson who oversees the lab. The lab also creates and deploys custom-built forensics technology, such as one recently built tool to help “capture and analyze thousands of mobile applications and all their different versions and releases.”
The Compliance Extension
Justine Gottshall regards her privacy law journey as a type of natural evolution. “Anybody that has been doing privacy for almost 20 years probably fell into it,” she says.
Of course, it helps that when Gottshall was an attorney at Hogan & Hartson (which later merged with Lovells to become Hogan Lovells), she worked alongside former Federal Trade Commission (FTC) commissioner Christine Varney, who represented internet advertising company DoubleClick in what “was the first big privacy investigation that the FTC started looking into relating to online advertising practices,” Gottshall recalls.
Now, Gottshall is putting her experience to work as a partner of InfoLawGroup, a boutique firm that focuses on privacy and information governance matters involving advertising, technology, intellectual property and media. The firm's main service is providing its clients with privacy and cybersecurity due diligence, ensuring their operations, services and offerings comply with pertinent standards and legal obligations. To this end, InfoLawGroup works on “everything from contracts and agreements, to other forms of transactions, consumer policies and overall compliance policies and implementation,” Gottshall says. But it also handles “breach notification and incident response, and we work with clients in M&A and VC related transactions, where there may be some privacy due diligence.”
For many of the firm's clients, ensuring privacy and cybersecurity due diligence means taking a hands-on approach. Often, InfoLawGroup's attorneys are meeting clients “where they are,” Gottshall says. “We act as an extension of an in-house team, and we are able to utilize whatever hardware or software they need us to. And sometimes, that means they may send us a laptop, so that we're actually working directly within their systems or utilizing certain applications.”
The firm has a “CPO on Demand” service, providing a chief privacy officer on a flat fee basis to work “more directly with clients' business teams doing things like privacy by design,” Gottshall says. Typically, the CPO will also vet products and websites for clients, as well as “review everything from consumer-facing policies to internal policies.”
While the laws and regulations governing these policies vary significantly by company and industry, Gottshall notes there is one overarching standard the firm comes back to time and time again: “Without question, I would say there's almost nothing we do in this field where we don't go back to the FTC Act as at least a starting or an ending point.”
The Insurer's Incident Response Team
John Mullen first got into the cybersecurity field nearly two decades ago, providing legal work for a friend who opened what was then one of the few cyber insurance companies around. When the industry began to expand, Mullen worked with numerous insurance companies as part of an incident response legal team managing breach responses.
But it wasn't until 10 years later, in 2016, that Mullen turned this work into a full-fledged law firm, Mullen Coughlin. He notes that the firm, which launched with 14 attorneys and grew to 23 attorneys by October 2017, “acts as an incident response team with a caveat.”
“We take the incident through the entire process: instantaneous incident response, forensic and PR management, legal analysis, statutory and contractual compliance, notice to individuals, business partners and regulators, subsequent regulatory response, and lawsuit defense if needed,” Mullen explains.
Usually, Mullen Coughlin handles “in excess of 1,000” claims per year, Mullen says. Many of these claims come through a 1-800 number provided by an insurance carrier for clients that suffer cyber incidents. When breached companies connect with Mullen Coughlin, the first thing the firm does is clarify that while provided by the insurance carriers, they are not hired by, or a part of, the carriers themselves.
Should the breached company decide to use Mullen Coughlin, the law firm immediately begins gathering specifics on the incident, such as how and when it happened and what the response has been thus far. From there, it reaches out to a carrier-approved forensics company, which connects with the client to discuss more technical issues and attempts to get the client back to safety as soon as possible.
While that is happening, the firm's attorneys determine “what kind of legal duties have been triggered, if any, based on the information we are getting from the evolving forensics,” Mullen says. Out of all the tasks, this is perhaps one of the most challenging, in no small part because of the myriad evolving states' statutes covering cybersecurity liabilities. “You've got state data privacy laws, which are relatively new in the scheme of laws. They're all less than 20 years old, and many of them have been changed in the last two or three years,” Mullen says.
And Mullen expects the task of keeping up with state cybersecurity requirements to become more complex over the next few years. As an example, he points to New York State Department of Financial Services' (NYS DFS) new data security regulation, which he calls “probably the most interesting and possibly the most impactful” new regulation due to its proscriptive nature. “Because of that, the NYS DFS law opens up a whole new area of risk for companies to make sure they are affirmatively complying with it, not just complying after a possible event.”
The Prevention Professionals
As former litigators, Jordan Fischer and Rebecca Rakoski know the limits of legal services. “While litigators love to go to court and litigate, we're not always counseling our clients on prevention,” Rakoski says. So the duo decided to launch their own law firm “with the idea to uniquely position ourselves in the marketplace to meet those needs that we don't think a lot of attorneys are doing right now.”
That firm is XPAN Law Group. As co-founders and the sole attorneys, Fischer and Rakoski help clients address the various state, federal, regulatory and international cybersecurity and privacy liabilities they may face.
One particular area of service has been helping clients prepare for the EU's upcoming General Data Protection Regulation (GDPR). The focus is a natural one for Fischer, who teaches international law as an adjunct professor at Drexel University's Thomas R. Kline School of Law, and who previously interned at the Court of Justice of the European Union.
But the GDPR is not necessarily an easy area of service. Preparing companies for the GDPR can be “quite a time consuming endeavor,” Fischer says, explaining that there are “a lot of granular requirements, not only technological, but also legal. And from a management perspective, it's quite invasive in terms of what we get into with clients.”
While regulatory and legal compliance takes up much of the firm's time, XPAN also handles its fair share of breach notification work. “It's a very intensive process,” Rakoski says. “Though, if the client has insurance, a lot of that will be handled off to insurance counsel.”
Otherwise, XPAN will step in to assist with the breach notification process. But being a two-person privacy firm, they often rely on other attorneys and law firms to lend a helping hand. “Our business model is to partner with people, because the two of us cannot handle every single privacy and cybersecurity legal need a client may have,” Fischer says.
The firm, however, is also looking to expand its capabilities by deploying project management technology to allow for more effective use of time and resources. “I would say the number one thing that we have tried to implement and that we are still working on is managing projects with no internal emails, so moving completely away from emails and moving towards project management,” Rakoski says.
But that, essentially, is where the firm's enthusiasm for technology ends. “We conscientiously do not utilize all of the various technologies that we can,” Fischer says. “With every single piece of technology, you have to read every word of the terms of service. And if we don't feel comfortable with it, no matter how much we love the bells and whistles, we don't incorporate it.”
Each of these law firms occupies a unique space in the legal world. At first glance, they seem reactive, challenged with keeping up with new technologies' privacy violations, or new complex regulations.
For many, it's an exhausting task. When asked how XPAN stays on top of all the privacy and cybersecurity regulations, Rakoski deadpans, “We just don't sleep.”
But in the midst of reacting, these law firms are also treading new ground, creating new case law, growing privacy awareness, and teaching clients how to adapt to the digital age. It is pioneering work, and one that allows for the often elusive benefit of foresight.
In understanding how privacy statutes are being written, and how courts and companies are addressing cybersecurity, such firms can sagely predict the next big legal privacy fight. For InfoLawGroup's Gottshall, it will be around use and collection of biometric data. “I think there is going to be a bit of an explosion, and it's something that we are just starting to see.”
Of course, predicting the future can be a difficult, almost vain effort. But if anyone has their finger on the pulse of privacy, it's these modern law firms. After all, they've been right before. Ten years ago, “we bet the firm on the fact that privacy was going to become a huge deal,” Edelson says. And like many others, they haven't gone back since.
This article first appeared in print as “The Data Defenders.”
© 2024 ALM Global, LLC, All Rights Reserved.