Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Technology newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (May 8, 2020, 10:02 PM EDT ) As the coronavirus pandemic prompts law firms to cut costs and causes some attorneys to worry about the viability of their practice areas, cybersecurity and privacy lawyers appear to be more in demand than ever.
Cybersecurity and data privacy have consistently grabbed spots on lists of the hottest practice areas in recent years, and legal experts say they have little reason to believe that the pandemic is going to weaken that status, pointing to an influx of cyberattacks during the crisis and a sharpened focus on thorny questions about how to handle health and location data.
"The type of advice provided by cybersecurity and privacy attorneys is almost resistant to any economic cycle, because tech issues are ever-present and, even in an economic downturn like we're experiencing now, these issues become even more important, not less," said Brian Burlant, managing director at legal consulting and recruiting firm Major Lindsey & Africa.
As the pandemic unfolds, there's little doubt that cybersecurity and privacy offerings fall squarely within "the 'essential business' category of legal services," said Antony Kim, co-chair of the cybersecurity, privacy and data innovation practice at Orrick Herrington & Sutcliffe LLP.
"The crisis is prompting a double-down on data, innovation and globalization," Kim said, pointing to the new technologies and data collection activities that employers, companies and public health officials around the world are being required to tap into to help contain the virus and develop treatments. "So this practice, which is all about facilitating the collection and protection of data to drive innovation across borders, will absolutely thrive."
Cybersecurity and privacy attorneys also have their hands full dealing with the significant increase that they've witnessed in cyberattacks, which have sought to capitalize on vulnerabilities created by the mass shift to remote working and consumers' fears related to the virus. Cloud-based information security company Zscaler said last month that it's observed a 30,000% increase in phishing, malicious websites and malware attacks since January, fueled by COVID-19-related scams.
"Any time there's a disruption in the workforce or a crisis, you can expect to see an increase in cybercrime, and this crisis has been no different," said Brenda Sharton, global chair of Goodwin Procter LLP's privacy and cybersecurity practice.
This threat has ramped up the market for legal advisers who can not only steer companies through responding to a data breach, but also help businesses reduce their risk of being hit by these attacks, experts said.
"As the cyber risk goes up for companies, the demand goes up for law firms," said Kent Zimmermann, a principal at legal industry consultancy Zeughauser Group.
Before the pandemic hit, most companies had to protect a largely centralized corporate network that most workers accessed through a single entry point while in the office. But the crisis has forced companies to quickly transition their employees to remote work, opening up scores of new access points for hackers to exploit.
"We've flooded the internet with a lot more information, and we've done it with almost no real capacity to protect it," said Guillermo Christensen, a partner at Ice Miller LLP and former CIA intelligence officer.
This shift has created "an opportunity for a lot [of] these companies and pretty much anyone who uses remote tools to significantly improve their cybersecurity game," said Christensen. And that's led to a spike in demand for the unique cybersecurity and privacy expertise that law firms can offer, experts said.
Many attorneys are proactively reaching out to their clients and other businesses to walk them through these risks and see what help they need, rather than waiting for calls from clients that are less likely to come these days, several experts have observed.
Sharton said that her team at Goodwin Procter, in addition to helping its clients respond to roughly three times as many data breaches as it had pre-outbreak, has embarked on an "education campaign" that involves putting together and disseminating topical alerts, webinars, articles and town halls to its clients.
"I don't know if we've ever been busier," Sharton said.
Michael Rynowecer, president of BTI Consulting Group, said he's seen law firms taking "valuable" proactive steps such as putting together informal task forces of clients to discuss their shared experiences; providing unsolicited insight into what regulatory changes may be on the horizon; and checking to make sure companies have top-notch policies, procedures and training programs in place to protect against cyberthreats.
Additionally, "really savvy" cybersecurity and privacy attorneys have been reaching out to clients to offer them brief walk-throughs of their law firm's COVID-19 resources and pointing them to the portions that are most relevant to them, which is helping to save swamped in-house corporate counsel "untold hours," Rynowecer said.
"Every corporate counsel we've talked to in the past few months has said there's been way more work than they can look at or even think of doing," he said. "So having smart outside counsel there to help them with these cybersecurity and privacy issues is highly valued."
The pandemic has in general hit the legal industry hard, with scores of firms moving to cut salaries, lay off attorneys and make changes to summer associate programs. A report released this month by practice management software company Cilo found that the number of new legal matters has fallen significantly during the first four months of 2020 and many lawyers are now anxious about the success of their practices.
However, like in other hyper-relevant areas such as bankruptcy, restructuring and employment, experts said cybersecurity and privacy practices appear to be well-equipped to weather the COVID-19 storm.
"Although many firms are forecasting revenue declines overall and in some cases paying attorneys less, they're also investing in areas that they believe are going to see an increased demand now and over time," Zimmermann said.
BTI Consulting concluded in its first-ever Cybersecurity & Data Privacy report in March that corporate spending on cybersecurity and data privacy issues is on the rise, and "all signs point to an accelerating rate of increased spending for the foreseeable future." Rynowecer said he "sees no reason" to change that forecast even as the coronavirus takes its toll on the legal industry more broadly.
"With the coronavirus pandemic, technology has taken a quantum leap forward in embedding itself into companies," he said. "And with every leap forward in technology and data transference, there are more privacy and cybersecurity issues."
The complex compliance, legal and regulatory issues presented by an explosion of data breaches, an emerging global patchwork of conflicting privacy laws and the growing popularity of certain types of privacy class actions has been a primary driver of the growth in cybersecurity spending during the past decade, according to the recent BTI survey.
These factors are certain to continue to create work for attorneys both during the pandemic and after it has passed, experts said.
"There will likely be a reckoning when directors and officers will be asked if they did everything they should have done to protect company and customer information, particularly in the U.S. and Europe, as information became shared far more widely during the crisis and afterward than pre-COVID," Zimmermann said.
While there might be an initial lag, it's "safe to say there will be extensive regulatory and litigation activity in this area in the coming months and years," an onslaught that many companies are preparing for with the help of their law firms, Zimmermann said.
This reconfigured landscape is already starting to emerge.
Steve Cairns, chief technology officer at legal technology provider Exigent Group, said that not only are companies being forced to make operational changes in a matter of days that would normally take months to implement, but that the standards and regulations they need to abide by are also quickly evolving.
"The old rule book is being thrown out, and they're having to write a new one as they go," Cairns said.
While the pandemic has derailed most nonurgent lawmaking efforts in the U.S. at both the federal and state level, a group of Senate Republicans have banded together to introduce legislation that would hold companies liable for misusing consumers' health, geolocation and other personal information in fighting the pandemic. The proposal was prompted by concerns over initiatives by the likes of Apple and Google to collect data to trace the spread of the virus.
Regulators are also busy using laws that are currently on the books to address privacy and security concerns exposed by the pandemic. The most recent example came Thursday, when New York's attorney general announced she had reached an agreement with Zoom Video Communications Inc. that requires the videoconferencing provider to implement a range of enhanced security and privacy measures to resolve her probe into issues brought to light by the service's skyrocketing popularity.
"Companies are going to have to be thinking about this dynamic environment of privacy regulation, because it's going to change rapidly," said David Holme, the founder and CEO of Exigent Group.
While the U.K. Information Commissioner's Office said Wednesday that it was pausing a closely watched probe into online advertisers' data usage due to the pandemic, most regulators haven't been so accommodating. Most notably, California's attorney general has stood firm in his refusal to delay the July 1 start date for his office to begin enforcing the state's landmark consumer privacy act, despite widespread industry pressure.
"It's unlikely that regulators are going to be giving companies, especially larger ones, a COVID curve," Sharton said.
Experts are also bracing for an increase in class action litigation as more breaches and privacy missteps come to light.
Zoom and fellow video chat service Houseparty are already facing proposed class actions targeting their allegedly unauthorized sharing of personal information with third parties such as Facebook and LinkedIn, suits that are testing the limits of the narrow private of action under California's new privacy law.
And Christine Reilly, a Manatt Phelps & Phillips LLP partner who heads the firm's Telephone Consumer Protection Act compliance and class action defense practice group, said she's seen no slowdown in the crush of TCPA filings that have hit federal courts in recent years. She forecast that this litigation may also ramp up when the dust settles.
"We haven't seen TCPA filings that are specifically related to the coronavirus pandemic yet, but we're expecting to see suits about whether companies that are eager to get the word out about their coronavirus-related products and services have jumped the gun by relying on the statute's emergency purposes exception to make automated calls," Reilly said, adding that her practice is also "busier than ever."
With so many legal and regulatory risks to wade through, experts anticipate that this pace of work for attorneys will only continue to accelerate, even after the pandemic has ended.
"A lot of law firms have stepped up their game recently, and clients really like that," Rynowecer said. "But that also means that clients are now going to have higher expectations and be expecting more informal communications and engagement, so the challenge for law firms is going to be how they're going to keep that up."
--Editing by Aaron Pelc and Emily Kokoll.
For a reprint of this article, please contact reprints@law360.com.