Give us a quick overview of your career. How did your practice in health care evolve to a practice on data management, privacy, and security issues?
I guess you could say I grew up as a lawyer during the same time as many of the data privacy laws in the United States were born, and I have been able to see their evolution over the years. Secret to new practicing lawyers: It is not that partners are smarter than you, they have just watched the laws slowly form and, thus, have had more time to digest and work through the nuances in the law.
Quick overview of my career: I have been practicing law for 16 years – 10 at Foley & Lardner and six at Quarles & Brady. Before law school, I worked at a tech firm where I learned about network security. It sparked my interest in data privacy and security. When I started practicing law, I was in Foley's health care group and developed an expertise in the Health Insurance Portability and Accountability Act (HIPAA) and related compliance matters.
My practice evolved when HIPAA was expanded to govern nontraditional health care and health plan companies that create, receive, maintain, or transmit protected health information of patients and health plan enrollees. This dramatically changed my practice because these entities now needed to implement HIPAA requirements into their data privacy and security compliance programs. As a result, I began advising companies in all industries on HIPAA and other data privacy and security matters. HIPAA was also amended to require reporting of security incidents and data breaches. These reporting obligations forced entities to focus on preventive cybersecurity measures and began my cyber practice of advising companies on how to prepare for and respond to data breaches.
Do you find other lawyers in this area coming from similar backgrounds or are there other common career paths to this industry?
Yes, it is very common for data privacy and security lawyers to have started their careers in health care. In the United States, we have a sectoral privacy regime – meaning we regulate data privacy and security by industry-specific sector. Health care is one of our most heavily regulated industries, second only, perhaps, to the financial industry. For the same reasons my practice evolved, many other health care lawyers followed similar paths and expanded their practices beyond health care to keep up with evolving, often intertwined laws and the impact those laws had, and continue to have, on their clients. It is also common for lawyers practicing in intellectual property, benefits, finance, and litigation to develop data privacy and security-focused practices.
What does it mean to be a cybersecurity lawyer? What does a typical day look like for you?
It means you have a fascinating, fast-paced practice. Really there is no typical day for me because privacy and cybersecurity issues are constantly changing. New and unique cyber threats, technology, laws, government oversight, litigation, and cyber insurance issues mean that very few days look the same for me. That said, I do regularly advise clients on preparing for and responding to data breaches, including preparing security incident response plans and handling breach notifications to consumers, customers, media, and the government.
I also review clients' privacy and security policies and procedures and provide related compliance advice. Each client's approach to developing their policies and procedures is necessarily unique, so unfortunately a standard set of policies and procedures can't fit every client's needs. I also routinely review agreements for data privacy and security risks, data transfer and ownership issues, and related compliance issues. My practice also includes advising clients on the acquisition, sale, and monetization of data. Most recently, I have been helping clients deal with cutting-edge issues posed by big data, the internet of things (IoT), and global data transfers.
The data management and security area is ever evolving. Where do you turn when you're facing new situations? Is this why you founded the Midwest Cyber Security Alliance?
I use a lot of different resources to stay on top of issues, such as the International Association of Privacy Professionals (IAPP), BNA, Politico, Krebs on Security, and various legal and technical blogs. I also cofounded the Midwest Cyber Security Alliance (MCSA), a not-for-profit organization, to provide a multidisciplinary forum where legal, IT, HR, PR, risk, law enforcement, and government members can come together to discuss cyber security issues and brainstorm solutions.
I started thinking about forming a group like this after attending a cybersecurity conference in San Francisco a few years ago where I saw how connected the tech, legal, and law enforcement communities were on the west coast. I came home and polled local companies to see if they were interested in forming a group and it became readily apparent that the Milwaukee market was desperately craving this type of forum. The MCSA has since expanded throughout the Midwest. It really has become an awesome organization that I could talk about all day, but it is probably easier to just visit: www.midwestcyber.org
Current practice area: Data privacy and security and health care
Years in practice: 16
Law school: Saint Louis University School of Law
Favorite quote: “Dance like nobody is watching. Encrypt like everyone is.”
Favorite books: Harry Potter
Favorite place in WI: Milwaukee Art Museum
Hobbies: Traveling and reading
What career advice do you have for a lawyer interested in this area of practice? Where do you start? And, how do you stay on top of the speed of change in this industry?
As cybersecurity law is still developing, many law schools do not have classes or specific data privacy and security curricula. Tech contracting, health care, benefits, finance, and litigation are good areas to start with to develop a cyber practice. If you are in law school and want to practice in this area, you should look for a firm that has a solid data privacy and security practice. The reality is, not too many firms are really operating in this space, so look closely at who is doing what. If you are already a practicing lawyer who wants to get more experience in this space, you should check out the resources I mentioned previously. The IAPP is a good place to start.
This is a highly fluid area of law practice, so you need to be comfortable with rapid change and uncertainty. You will need to constantly adapt your practice by monitoring recent developments in the law on a daily basis. It is also helpful to have some technical background in computer science or prior cyber industry experience.
What are the most challenging aspects of this practice? The most rewarding?
This is a very fast-paced practice because the legal landscape, technical advances, and cybersecurity measures are constantly changing. It is like the wild, wild west, as we say in the cyber business. A lawyer focusing in this area has to be comfortable providing advice based on practical experience rather than always relying on established case or statutory law. The most rewarding aspect of this practice is acting as a data breach coach and helping clients handle stressful security incidents. I like to be the calming force in the storm.
Are there aspects of this practice area that lawyers in small firms might take on? Should steer clear of?
Lawyers in smaller firms should gain experience in general privacy and security issues so they have the background to identify and address them in all contracts, especially in tech- and data-related contracts. For starters, I recommend learning about HIPAA, the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Telephone Consumer Protection Act (TCPA), CAN-SPAM (nobody uses its full name), the Fair Credit Reporting Act (FCRA) and, last but not least on the acronym-heavy list of general resources to start with, the U.S. Commerce Department's National Institute of Standards and Technology (NIST) standards, publications, and frameworks.
You should also be aware that many other federal data privacy and security laws and related guidance can come into play as well depending on your client base, such as laws, standards, and guidance from the U.S. Securities and Exchange Commission (SEC), the Federal Financial Institutions Examination Council (FFIEC), the Financial Industry Regulatory Authority (FINRA), the North American Electric Reliability Council (NERC), and so on.
I also advise reviewing the FTC's website because it has a lot of useful information and can help you begin to sort out when a particular privacy or security law or guidance may apply. Government agency enforcement actions and data breach cases should also be followed to understand where regulators and potential plaintiffs are focusing their actions.
I do not recommend that small firms focus their efforts on developing a practice in international data privacy and security related issues, such as data transfers and data breaches outside the United States. For many of these international issues, local foreign counsel should be involved with U.S. counsel to provide clients the best solution. Many U.S. and foreign firms have formed networks of specialists to handle global privacy and security issues.
It's impossible to stop data breaches entirely. In your opinion, what is the biggest threat to law firm security?
The lawyers themselves! Now more than ever, lawyers are under a tremendous amount of stress to answer clients very quickly at any time and in any location. Lawyers need the technical capability to meet this client need. The problem is – convenience does not always promote data security. Law firms need to weigh the benefits and risks of convenience versus data security when implementing their data privacy and cyber security programs. Law firms are not alone in this battle. Companies in every industry should be continually conducting similar risk assessments when implementing their cybersecurity programs.
What is the one thing that your cybersecurity practice has taught you about protecting your personal security? What do you tell your family/children/friends about this issue?
It has taught me that your information is never safe. In fact, according to the recent 2016 M-Trends report from Mandiant, the average number of days a hacker is in a company's system before being detected is 146. Yes, that means companies may not even be aware for a long time that a cyber attack has occurred. My best advice is to constantly monitor your financial accounts and other important accounts, documents, and records for irregularities. If you have been a victim of identity theft, you should start by reviewing the FTC website on consumer tips found here: https://www.consumer.ftc.gov/features/feature-0014-identity-theft.
Another important tip is to never click on a suspicious link or respond to an email or phone request for sensitive data without first verifying the authority of the requester through a separate identification process. I'm sure almost everyone has heard this advice before, but people still fall for these phishing attacks all the time.
The proliferation of TV shows and movies about cybersecurity has us believing hackers control our appliances and hear our conversations. Do you watch these shows or turn them off at night?
I am generally not a fan of legal-related shows, but cybersecurity shows are fascinating and often very realistic. One of my current favorites is Mr. Robot.