Marcy Wilder walked into her boss’s corner office at law firm Hogan Lovells in 2010 with an idea that seems quaint in retrospect: Start a team dedicated to cybersecurity and privacy.
Many companies at the time were only beginning to face the threat of cyberattacks, and the European Union hadn’t yet set off a global chain reaction of privacy laws. Hogan Lovells didn’t issue a press release after it created the practice group, Ms. Wilder said, “because no one would have been interested.”
Since then, her team has grown to about 85 lawyers amid a global boom in the field.
“Times have changed,” said Ms. Wilder, who specializes in health privacy and co-leads Hogan Lovells’s privacy and cybersecurity practice.
Regulators from Sacramento, Calif., to Brussels in recent years began enforcing laws to rein in what companies can do with personal data, while nations such as China, India and the U.S. are considering national rules of their own. High-profile data breaches, coupled with a surge in cyberattacks on remote workers during the coronavirus pandemic, upped the ante for such protections, consumer advocates say.
The looming need for privacy pros—and attorneys in particular—brings to mind the iconic line from the 1975 thriller “Jaws,” said J. Trevor Hughes, president and chief executive of the International Association of Privacy Professionals, a trade group.
“We’re gonna need a bigger boat,” he said. Mr. Hughes estimated that over a third of IAPP’s more than 65,000 global members are lawyers, with other roles including software engineers, analysts and corporate data protection officers.
Companies that rely on customer data to anchor their products and services are driving demand for much of the legal talent, with some startups paying privacy lawyers as much as general counsels, said PJ Harari, a partner at the legal recruitment firm Major, Lindsey & Africa.
“If it’s a tech company or a health-care company, it might be their second hire,” Ms. Harari said.
At Gusto, a payroll and benefits platform, Chief Legal Officer Alyssa Harvey Dawson said she pushes a team of more than 20 lawyers and compliance specialists, along with engineers and salespeople, to weave privacy into product development. In preparation for the California Consumer Privacy Act’s coming into force July 1, she said, Gusto built a tool to automate a key provision allowing users to request to see what information the platform collected about them.
The work allows Gusto to more easily tweak its software for future regulations, Ms. Dawson said. Reacting to new rules after products or services are deployed, she said, “is the thing that makes it so much more exponentially difficult.”
Resulting costs can be significant. In August, Palantir TechnologiesInc., SnowflakeInc. and other tech firms filing to go public warned investors that a patchwork of privacy rules could affect their bottom lines.
Chief privacy officers have long managed such issues in heavily regulated industries such as financial services and health care, privacy experts say. But the role is now more common at other organizations, such as Carmel, Ind.-based car auctioneer KAR Auction Services Inc. and ad agency Universal McCann, which both named their first CPOs this year.
Arielle Garcia, chief privacy officer at UM, part of Interpublic Group of Cos., isn’t a practicing attorney. But she said her law degree has been crucial in understanding dense legal texts and applying them to day-to-day operations, including by training and appointing a staffer as “privacy champion” of each client account.
“A lot of questions are going to the privacy legal team where, truly, they need a partner on the business side,” Ms. Garcia said. Understanding how data is used differently across platforms such as FacebookInc. and AlphabetInc.’s Google is crucial to crafting advertising strategies, she said.
Coordination similarly is key in New York, said the city’s chief privacy officer, Laura Negrón. Formed in 2018, Ms. Negrón’s six-lawyer team evaluates data collection and usage by 175 agency-level privacy officers across city government, including for its Covid-19 contact-tracing program.
“You have to rely on people feeling comfortable sharing their information, particularly vulnerable populations,” Ms. Negrón said, adding that the disease-tracking initiative required sending sensitive health data between agencies and to and from third-party partners.
Law firms also are beefing up their cyber and privacy ranks to respond to and capitalize on an increase in ransomware incidents, class-action litigation and increasingly complex deal-making questions during the due diligence process.
New regulatory questions from clients pushed Greenberg Traurig LLP to hire eight attorneys for its data, privacy and cybersecurity practice this year, said Gretchen Ramos, who co-chairs the group. About 25 attorneys across the firm now spend half or more of their time on cyber and privacy, she said, up from 15 two years ago.
A whirlwind of changes in November underlined the need for such expertise, she said. California voters approved a new privacy law and the EU issued guidelines for companies transferring data internationally and proposed a new “ePrivacy” regulation for telecommunications company data.
“This may be the busiest 10 days I’ve seen,” Ms. Ramos said at the time.
With new privacy proposals tabledin Canada and Washington state, as well as ongoing talks on data flows from the EU to the U.S. and U.K., Ms. Ramos said her group is in “constant grow mode.”
“We need more people,” she added.