I came to the data field early in my career as an attorney, as I had the opportunity to work on some interesting privacy and cybersecurity investigations. It was exciting how data affects so much of our lives and how technology is constantly driving developments in the law. After those experiences, I knew that I wanted to focus my legal career on privacy and data protection.
Some highlights from my career so far include my work as an associate on the investigation of the Yahoo! data breaches for the independent special cybersecurity review committee of the Yahoo! board of directors. It was a good opportunity to see first-hand the ways that communication failures between the cybersecurity team, counsel, executives, and directors can lead to significant consequences for businesses. Because of that perspective, some of my favourite projects now involve working proactively with clients to make sure those lines of communication and oversight are in place before something goes wrong.
One of the biggest challenges for my clients right now is keeping up with changes in privacy and cybersecurity laws, both in the US and abroad, which often have conflicting or inconsistent requirements. Because data and technology are such inescapable parts of doing business today, my clients span a broad range of industries and have varying knowledge of the risks that can be associated with holding data. I try to help them understand how to manage those risks while harnessing the value of the data in a responsible way.
A strong data governance programme is key to adapting to this. In large part, I think we are moving toward more global standards. While there is still great variation (and sometimes conflict) between the specifics of the various rules, much of the law – both in the US and in the rest of the world – is based on general values of providing consumers notice about how their data is being collected and used and treating that data appropriately. A thoughtful data governance programme begins with a comprehensive understanding of a business’s data assets and then puts appropriate measures in place for the treatment of that data will go a long way toward the goal of compliance. It is also important for businesses to balance their data assets, jurisdictional requirements, and risk tolerance when building that data governance programme to ensure that it will meet their business needs and implementation will not be too burdensome.
One thing that I’ve been following closely – and my clients are very concerned about – is the rising trend of ransomware payments. Especially with the current situation in Russia, my clients are afraid of being caught in the middle of cyber warfare and have so many questions about the legality and advisability of paying ransom. It is a sticky question that is not likely to be going anywhere quickly, and the best offence is a good defence. Many of the largest ransoms that we hear about in the news could have been avoided or mitigated by having strong cyber controls like multi-factor authentication and encryption of key data assets.
In both the law and data fields, there’s a history of women being underestimated, especially by older generations, if we don’t fit the outdated mould of career-driven men. Women who present as more feminine run the risk of being perceived as less serious or intelligent. Women who choose to have children risk being seen as less focused on our careers than our male colleagues, even those with families. I’ve been so grateful to see this start to shift in both the law and data fields. I am incredibly proud to be at a firm led by strong women and mothers – like Julie Jones our firm chair and Ama Adams who leads our DC office – who value diversity across all fronts at Ropes & Gray, and it has been wonderful to see how privacy and data protection have provided so many opportunities for strong women leaders in the field.
A piece of advice I would give aspiring data lawyers is: This is a fantastic area of the law to go into if you love it. Because it is always changing, I believe one of the main qualifications to be a data lawyer is intellectual curiosity. This is not an area where you learn something once and then repeat that procedure or document for clients over and over. Privacy, cybersecurity, and all data-driven legal work requires you to be continuously learning about new developments in both the law and the technology, and every client’s question or problem is a new opportunity to create a product that is tailored to their specific data and technology needs.