Data Privacy/Cybersecurity Practice. What to you do? Forum

[Anonymous User]

1L heading into OCI/EIW soon and interested in data privacy/cybersecurity law.

1. What firms are best for this work? Is Cooley undisputedly #1?

2. What does a junior/mid do in a data privacy/cybersecurity group? Is it transactional in nature or more lit focused? Hybrid of the two? Are you working on deals or just doing compliance review etc?

3. Is the work consistent or unpredictable?

TIA

[Anonymous User]

1L heading into OCI/EIW soon and interested in data privacy/cybersecurity law.

1. What firms are best for this work? Is Cooley undisputedly #1?

2. What does a junior/mid do in a data privacy/cybersecurity group? Is it transactional in nature or more lit focused? Hybrid of the two? Are you working on deals or just doing compliance review etc?

3. Is the work consistent or unpredictable?

TIA

1. IMO Cooley is not undisputedly #1. It's new to that spot in the Vault/Firsthand ranking, and probably a function of its general reputation for tech-oriented work. Chambers is generally considered a more reliable ranking (for data protection and essentially all other fields):
https://chambers.com/legal-rankings/dat ... 13:21180:1
https://chambers.com/legal-rankings/pri ... 20:12788:1
https://chambers.com/legal-rankings/pri ... 1164:225:1
You can also check the Legal 500:
https://www.legal500.com/c/united-state ... rotection/
Historically, a lot of data protection work has flowed from DC regulatory practices. Hogan Lovells was and still is a top player. Other DC firms, like Covington, Wilmer, and Hunton are quite strong. Other key players include MoFo, Baker McKenzie, Orrick, Cooley, Debevoise, Perkins, Mayer Brown, and DLA, among others.
I would think less in terms of firms/practices and more in terms of specific partners and the particular type of privacy/cybersecurity work at each firm.

2. Highly dependent on the group and the partner(s) you're working for. Some will do a mix of both, others will be on the transactional or lit side. Certainly in DC but in other places as well, it is often treated as a regulatory practice and involves lots of client counseling. Different groups organize their practices differently. A bigger substantive division might actually be between privacy and cybersecurity, which are increasingly distinct bodies of law (other significant divisions are around health vs general/consumer privacy). Chambers breaks this down to some degree.

3. Work has been fairly consistent for me, but it's still big law.

Separately, make sure you do your research, talk to actual practitioners, and think carefully about this practice area. It might not be what you expect. A lot of people think it sounds cool and see the booming demand—but trends can be fleeting and, like any area of law, it can still be quite dry and boring at times.

At the top practices, increasingly many of the applicants have something that signals an interest in the field (e.g., some sort of background in tech or privacy/security certification or law school tech club membership or similar).

[Anonymous User]

I would agree with most of the above, including the advice that the field is being split into privacy and cybersecurity. To add a bit, there's generally 4 buckets of work in cybersecurity and data privacy, and you may do some to most of them. You can do (1) breach response; (2) regulatory work; (3) corporate adjacent work (like tech trans or overseeing privacy clauses in commercial contracts); and (4) class-action litigation. Each firm tends to have partners or groups that do more of one than the other.

Your lifestyle varies with the nature of your practice. Litigation will obviously be more predictable, while the rest may vary with client needs. You can read up about them in-depth on Chambers (which has much better articles on the day in the life of an associate in these areas).

You may want to look at where the partners are located. In DC, expect more regulatory and FTC-related work. In NY, there's typically more work adjacent to corporate, like tech trans. In CA, you will have more class-action litigation and corporate adjacent work (especially tech trans in the Bay Area).

As for OCI, the above poster is correct that firms will largely look at candidates who have current or prior experience with the work. I think that this is a function of supply and demand, and the nature of specializing early on. Firms want candidates who are committed to privacy from the get-go, and that's easier to bet on when the candidate has experience. Further, there are few dedicated slots for cybersecurity and data privacy (which makes it more painful if somebody switches or leaves), and lots of competition because law schools and students know that there's big opportunity in this field.

Assuming you don't have a background and you have an unrelated summer job, you can try to get your CIPP-US (a certification) before OCI and try to line a fall job somewhere in privacy (e.g., FTC, EFF, Attorney General's Office). You can also join some organizations (e.g., WiCYS) or clubs on-campus (or start your own if none exist).

Even if you don't get a cybersecurity and privacy job through OCI, you can still lateral into one later or try to get into the internal one of the firm you join. Seek out the partners during your summer and ask for privacy work to build some credibility for that move.

Good luck!