The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/411912
WWW.ILTANET.ORG 35 parties, a common practice spotlighted two years ago by Facebook Inc.'s initial public offering. They're on consult when startups build "privacy by design" into their business plans and when established companies examine the backlogs of files they can — and should — purge. We're witnessing "a transformative event in the history of law" — the fading ability to keep information under lock and key, says Matthew Prewitt, who co-leads Schiff Hardin LLP's privacy team from the Chicago office. "It's going to take a while for the law to catch up with the business practices. And until the law gets caught up, some people are going to get caught up in the switches." LAST YEAR, FOUR LAPTOPS WENT MISSING FROM A NONDESCRIPT ADVOCATE HEALTH Care office in Park Ridge. With that act, more than four million patient records tumbled into unauthorized hands. It's the third-largest reported data leak in the health care industry. A flurry of lawsuits against the 12-hospital system followed. Any company that escaped a data breach last year was a lucky one in 10, according to a survey of 581 security professionals in the U.S. and Western Europe by the Ponemon Institute of Traverse City, Michigan, and IBM Corp. The list of recent high-profile victims includes JPMorgan Chase & Co., which was the victim of a coordinated hacking attack over the summer; to Home Depot Inc., which is investigating the theft of tens of millions of credit and debit card numbers; and Oscar-winning actress Jennifer Lawrence, who has vowed to prosecute the thief or thieves who hacked her personal accounts and posted nude photos of her on the Internet this month. More than 800 million accounts were infiltrated last year — rivaling the total of the previous three years. "Nobody said, 'Hey, let's go out and find privacy work.' Clients were coming to us," says Rebecca Eisner, a co-leader in Chicago of the U.S. piece of Mayer Brown's privacy and security group. "It's harder and harder to separate data from the core business. To put it a better way, data is becoming a core asset of most businesses." With data protection suddenly a C-suite and boardroom concern, Mayer Brown says it wants to double the size of its privacy group to 50-plus partners within five years and recruit someone to head it. Chicago-based McDermott Will & Emery LLP also is on the prowl. "We think it's a huge area of distinction between us and our competitors," says Daniel Gottlieb, co-head of McDermott's data privacy and protection group. "We need the bodies." TOM SMEDINGHOFF, PARTNER IN THE CHICAGO OFFICE OF EDWARDS WILDMAN LLP, says bank robbers like Jesse James used to be held accountable; now it's the banks themselves and other hacker victims. "It's a substantive change in mindset, I think, and the law is reflecting that," he says. "We're imposing obligations on the party that's in the best position to avoid the harm." Amy Yates, chief privacy officer in Chicago at Avanade Inc., says the Seattle-based installer of Microsoft Corp. products, 90 percent owned by Accenture Ltd., brings in lawyers for every rollout to make sure the new technology complies with local data protection and employment laws. "The demand has increased so much to use these guys," she says. Chicago-based Sidley Austin LLP's Jeffrey Sharer says he doesn't see an equilibrium point soon, in light of the hodge-podge of privacy statutes, as states and regulators — and foreign jurisdictions — exert more sway than Congress. Corporate America is closely following a federal case on appeal challenging the Federal Trade Commission's policing practices. Just one of the agency's many targets is defendant Wyndham Worldwide Corp., whose hotel customers were billed more than $10 million in hack attacks in 2008 and 2009. "The FTC is the new cop on the block," McGuireWoods' Mr. Cook says, "and they're coming in with more and more massive settlements." Of course, law firms aren't just being called in to defend others. They're being forced to re-examine their own security measures, too. Ken Dort, a partner in Drinker Biddle & Reath LLP's Chicago office, says potential clients want law firms to detail their own security protocols when they respond to RFPs: "In addition to just making sure we're good lawyers, they want to make sure we're savvy data handlers as well."