Boston-based legal recruiter Robert Zinn has met with nearly 20 law firms this year so far and nearly all have raised the need for cybersecurity experience.
“In the Boston market, [cybersecurity] is absolutely one of the prime areas of practice that firms are focusing on, reinforcing that strength if they don’t have it or finding people that can do it,” Zinn said.
Orrick, Herrington & Sutcliffe and Manatt Phelps & Phillips bear that out. Both have opened cyber offices in Boston this year.
With its tech economy and world class legal, academic and research recruiting pools, Boston aptly illustrates the larger point of firms placing a priority on finding specific talent to drive their cyber practices as well as the potential challenges of building out a niche business.
If you were a fly on the wall in strategic planning meetings at law firms, cybersecurity and data privacy practices rank high on the list of growth priorities for many Big Law firms, said Kent Zimmermann, a law firm management consultant at the Zeughauser Group.
Some firms were early in their ambitions to build deep, high-quality cybersecurity practices over the years and many of those practices were aligned with the firm’s overall strategy and areas of focus.
If a firm is focused on building preeminence in particular industry sectors or particular practices, cybersecurity and privacy related practices are often developed to accelerate the firm’s distinction in those particular areas, Zimmermann said.
Case in point is Orrick, Herrington & Sutcliffe, which opened a Boston office in January through the addition of Ropes & Gray’s Doug Meal. His team includes Heather Egan Sussman, who co-headed Ropes & Gray’s privacy and data security practice.
“Clients that are looking for advice in the privacy and cybersecurity area put way, way, way more emphasis and premium on your knowledge, capabilities and experience in the area,” Meal said.
Single Phone Call
Meal spent the first half of his three-decade-long career doing general business commercial litigation, but 13 years ago entered the world of cybersecurity with a single phone call from a client.
On Dec. 18, 2006, the general counsel of TJX Companies, the owners of TJ Maxx and other retail brands, called Meal. He was told about a potential hack into its computer network in what would eventually become one of the largest retailer payment breaches ever, compromising at least 45.7 million credit and debit cards.
“I said, ‘O.K., I’m not sure why you’re calling me, maybe you should call the police,” Meal said.
“It shows you that I knew absolutely zero about the practice area at the time I got this call,” he joked.
TJX hired Ropes to handle the breach and Meal was tasked with leading the defense which included consumer class actions, bank class actions, shareholder litigation, and state, federal and foreign regulatory investigations over the next two years.
Meal learned the ins and outs of the area which Ropes & Gray then turned into a cybersecurity practice that he led.
Meal and his team would go on to represent companies in some of the biggest breaches, including Wyndham Worldwide Corp., and Target Corp.
Since moving to Orrick, Meal’s team is representing Arby’s, Hilton, Landry’s and Nordstrom in their respective data breach litigation cases. In March, the team won a substantial victory for SuperValu Inc. in connection to a 2014 data breach.
Cybersecurity, data privacy and the laws governing are still relatively new and practices like Meal’s are still hard to come by.
“There’s not a huge number of people who truly specialize in this space,” said Mary Rosenfeld D’Eramo, vice president of operations at attorney placement firm Mestel & Company.
Organic growth also would take too long to meet client demands, therefore firms are reliant on bringing on lateral talent.
This makes Boston “a perfect battle ground” for the competition for talent “because of the strength of our market and that its home to some real industry leaders in that practice,” she added.
Even as law firms build out their rosters, there also the question of how to turn cybersecurity into a profitable practice.
“Everybody wants it, but no one really knows how to make money off of it,” Zinn said.
While there is repeat business on the privacy side, it isn’t necessarily so on the cybersecurity side as of yet, he said.
“How often is there going to be a breach that’s so significant for a company that it’s going to turn into a long-term billing engagement?” Zinn said. “And there’s not really necessarily a carryover once it’s done it’s done, hopefully.”
Breaches, however, can create a unique client relationship that can lead to a profitable partnership in the end.
“Putting yourself in the position to save a company that has been breached from millions and millions of dollars in fines and fees and lost money by having a cybersecurity practice that can save that client, you’re going to ingratiate yourself with that client and hopefully be able to transact business in other areas afterwards or throughout that process,” Zinn said.