Two years ago, law firm Jenner & Block tapped Mary Ellen Callahan, the former chief privacy officer of the U.S. Department of Homeland Security, to create the firm’s first formal privacy and data protection practice .
The practice has since grown to include five partner-level attorneys and eight associates who spend much of their time working on privacy issues such as advising corporate clients on data breaches and the collection of customer data. Data security is considered a relatively uncharted — but potentially lucrative — area within the legal industry, and many firms are seeking to brand their services to distinguish themselves. Callahan, whose clients include companies in the retail, financial services, technology and entertainment and media industries, shares insights into how Jenner is expanding its burgeoning data privacy business. Below is an edited transcript of Callahan’s interview with Capital Business.
Capital Business: How has your practice grown since you started?
Mary Ellen Callahan: They say to build a practice, it takes three years. This year, my second year, I will hit the metric I hoped to hit at three years. I’m ahead of the growth curve. I worked on 15 data breaches this year. Some were consumer-facing, the credit card [information theft] scenario. Some were employee information [breaches] including Social Security numbers, and in some cases our client was a service provider [to a company that was breached] where the data exposed wasn’t their customers’ data, but it was their customers’ customers whose information was exposed.
CB: Where do you see the greatest potential for growth within the data privacy legal practice?
MEC: I see three big buckets where privacy is going to grow. Education privacy is one area. As we move to cloud-based services [and massive open online courses], they’re going to be considering privacy in ways education hadn’t in the past. There are education privacy laws, but for some of the online services and online use of information, you also have unregulated use of information about students. . . . There are going to be technologies that look to make schools and universities more efficient, and you want to make sure privacy protections are going to be built with it.
I also think that companies that intersect with the government — government contractors — and others that provide services to the government, like cloud providers, are going to have some real privacy opportunities. The third area is the “Internet of Things” — Internet-enabled devices and what are the privacy protections for that.
CB: What type of work takes up most of your time? Preventive counseling or damage control after a breach?
MEC: It depends on the month. For the year, it was probably 50/50. One month I had five breaches, I didn’t do any counseling that whole month. As I expand the group, I’d like to have some of the more reactive work spread among members of the group and have me work on bigger picture strategic privacy angles, helping [companies] think about information governance in a more wholistic way. That means integrating privacy into the way companies operate — product development and technology development, having privacy be part of the development of the product itself, rather than a separate track or process.
CB: Do you see any trends in data that cut across industries?
MEC: There are three big themes I see across disciplines. One is ‘big data’ and how do we leverage the information we have more effectively, how to be more efficient in understanding your customers. Another is the desire to understand mobile data. Our mobile devices are our alter egos. Consumer-facing companies are very interested in understanding the mobile customer. The third is concern about security, making sure you have your data protected and that you understand your breach notification obligations.
More from Capital Business: