We are now three years post pandemic, and while a lot has changed, some things remain the same. Last year, I talked about resilience—the uncertainties of the pandemic were still present, the war in Ukraine had just begun, and businesses were addressing new issues caused by technology evolution and workattern changes. Resilience in 2022 meant continued effective implementation of security measures, evolving privacy compliance programs beyond just addressing the biggest compliance risk areas, and responding to continued efforts by litigators to exploit different privacy and privacy-adjacent statutes for financial gain.
The “incident response boom” in 2020 to 2021 saw new vendor entrants to the market. Some of those vendors were suddenly desperate for work in light of the rapid decrease in network intrusions and ransomware incidents. That lull was short-lived. The attacks picked up at the end of 2022 and have continued into 2023.
Over the past 20 years, our attorneys have spent a lot of time on-site with our clients helping them manage security incidents. That experience gave us a window into how our clients interacted with the life cycle of data and technology. We learned our clients’ business, industry, and what mattered from a practical perspective. In 2020, we did something no other law firm has done—we elevated data issues to the practice group level (similar to tax, IP, litigation, labor and employment, and business). The group is called Digital Assets and Data Management (DADM). In the three short years we have been in existence as a firm practice group (rather than a practice team), we are approaching the size of our firm’s IP group, have more than 100 dedicated attorneys and technologists, and have several clients using the services of all seven practice teams. The American Lawyer, Chambers, Legal 500, and BTI continue to recognize
Data issues are cross-practice issues. For example, clients are talking to us about leveraging an existing security tool for privacy management and governance, risk, and compliance (GRC). That type of engagement involves our incident response attorneys, our in-house legal technology team (IncuBaker), and our privacy compliance attorneys. Our adtech, privacy transaction, and privacy attorneys join to help clients manage the sprint to launch new products and services and to build compliance programs for multi-state and global privacy laws. Our litigators responded to the surge of new lawsuits based on security incidents and allegations of violations of privacy laws. Our regulatory, healthcare, advertising, and security attorneys (combined with corporate compliance attorneys) worked to address the federal regulatory focus on cybersecurity, dark patterns, crypto, and post-Dobbs issues. You will see insights and guidance based on this work in this year’s DSIR report.