A global pandemic, new privacy laws, and an uptick in ransomware attacks are accelerating the need for privacy and data security lawyers, both in-house and at law firms.
Dun & Bradstreet plans to increase worldwide privacy counsel by 60% next year to tackle new regulations, said Joe Reinhardt, chief legal officer of the Short Hills, N.J.-based data analytics company.
Nearly 70% of general counsel cited data security as a top legal risk in a Morrison & Foerster LLP survey taken between September and November. That’s more than double the percentage that held that view in March.
Companies that had been ramping up their privacy work because of the growth of regulations and cyberattacks have been forced to move faster with work-from-home pandemic risks and questions surrounding employees’ eventual return to the office.
“There are so many novel issues related to this pandemic that there’s no way that we’re going to know how to handle it,” said Michael Meehan, general counsel of Raleigh, N.C.-based artificial intelligence company Diveplane Corp. “We have to rely on outside counsel to educate us and help us navigate.”
Reinhardt said he has already hired additional privacy lawyers in North America and China and is actively recruiting in India, all in anticipation of privacy legislation such as India’s Personal Data Protection Bill and Canada’s expected amendments to a privacy law.
Heather Federman, vice president of privacy and policy at BigID, a data protection and compliance company, said she’s expecting questions in 2021 about how personal information can flow between borders following the Court of Justice of the European Union’s Schrems II decision and Brexit negotiations.
“Where data subjects are located and stored is going to become more and more important,” she said.
California voters approved the California Privacy Rights Act in November, which will go into effect in 2023. Other states, including New York, are expected to introduce and possibly pass their own privacy bills once legislatures reconvene.
New state laws would force companies to retain outside firms that can handle more than federal regulations, said Joseph Moreno, general counsel and chief compliance officer of Herndon, Va., software company SAP National Security Services.
“They will need to have a bench that is well versed in these various state laws,” he said.
The sudden shift to remote work led many companies to reevaluate their privacy and data security practices, Meehan said. That meant adding measures such as two-factor authentication and extra security training for employees on unsecured home networks, he said.
Sonia Zeledon, Hershey Co.'s associate general counsel, said her team leaned more heavily on outside law firms to navigate issues such as protecting employee health information and handling data accrued from increased e-commerce.
Jay Newman, vice president and legal counsel at Las Vegas-based MGM Resorts International, said that when the pandemic forced the company to close properties in March and April, his legal team didn’t have “the luxury of a month or a week” to act.
He said he often found himself calling or setting up Zoom sessions with Lisa Sotto, chair of the privacy and cybersecurity practice at Hunton Andrews Kurth LLP in New York.
Sotto said workplace reopenings are also spawning privacy questions. Clients, for instance, have wondered whether they can conduct thermal imaging of workers and how they would store and retain that data.
Remote work has also spurred questions about data security.
“We should remain cognizant that remote work is probably the biggest target for cybercriminals,” Moreno said. “That’s probably the weakest link for a lot of institutions, both in terms of the technological as well as just user behavior and training and making sure people are still maintaining proper cybersecurity hygiene even though their work environment is different.”
Ransomware attacks, in which bad actors use malware to try to extract money from companies, are getting more sophisticated and difficult to stop, said Jim Pastore, a data strategy and security partner at Debevoise & Plimpton LLP in New York.
“The terrible joke that we make is that while clients just started working remotely, hackers have been working remotely for a while,” Pastore said. “Unfortunately, they’re quite good at it.”
Coronavirus-induced budget cuts to legal departments mean some companies, especially small or mid-sized ones, don’t even have a lawyer dedicated to privacy or cybersecurity, said Chris Ballod, associate managing director in the cyber risk practice at Kroll.
Many in-house lawyers have had to shift gears—fast. “More so now than ever, you really see that in-house counsel has had to learn cybersecurity and privacy law,” Ballod said.
About 22% of chief legal officers say data privacy will take up the most additional resources next year, the largest category of concern, according to an Association of Corporate Counsel survey.
That means more work for in-house attorneys and outside counsel. But frequent at-home Zoom calls dotted with wandering toddlers and barking dogs have made it easier to develop relationships, said Jeff Dennis, the head of Newmeyer & Dillion’s privacy and data security practice in Newport Beach, Calif.
“For me, the connections with in-house counsel have become very important,” Dennis said. “I’ve seen a huge increase in collegiality—we’re all in the same boat.”