Chris Cwalina, left, and Steve Roosa, the leaders of the data privacy and security team at law firm Holland & Knight. Two years ago, the pair set up a lab that tests clients’ Web sites and mobile apps to detect potential security lapses. (Jeffrey MacMillan/Capital Business)

For cars, there are mechanics. For corporate data breaches, there are Chris Cwalina and Steve Roosa.

Cwalina and Roosa are attorneys who lead the data privacy and security team at law firm Holland & Knight, and they are building a novel practice in the world of Big Law. They have created a “lab” to research and test the mobile apps and Web sites of their clients — banks, communications companies and other corporations — to detect security lapses that may enable advertisers or other third-party entities to access consumers’ personal information without them knowing.

Most of the sites they test are ones that consumers use directly, such as mobile-banking apps or retailers’ Web sites where people can order goods online. The point is to detect and fix security problems before their client even knows about them — similar to the way a mechanic inspects a car to spot potential problems before they arise.

Many corporate law firms have started data security practices in recent years, but Holland & Knight may be the first to market its services using this approach.

“It’s a marriage of technology and law,” said Cwalina, who is based in Washington. Roosa is based in New York.

The lab is a room in the law firm’s New York office, filled with desktop computers, iPhones, iPads, Kindle Fire tablets, BlackBerrys, Android devices and routers. Roosa and a small team of tech-savvy associates and paralegals test the programs using proxy software and network analyzers to identify what third parties the data is being shared with. The firm typically charges clients a flat fee for the service.

Roosa and Cwalina came up with the idea four years ago, when they were working together at Reed Smith, as a way to bridge a gap in the way companies approach data security issues. At many companies, the people responsible for legal and privacy compliance do not have a background in the technology that goes into apps, Web sites and software, so the information they give their outside lawyers is unintentionally incomplete, Roosa said.

“We realized in doing this lab work that the only real good way to provide valuable legal counsel is to understand the technology ourselves,” Cwalina said.

Cwalina and Roosa joined Holland & Knight two years ago and officially started the lab there. A major advantage to switching firms was Holland & Knight’s lobbying and crisis communications groups, both of which are necessary in helping clients deal with data breaches, Cwalina said.

“There is a lot of [proposed and pending legislation] going on on the Hill in this space,” he said. “We thought we needed our arms around that.”

Cwalina spent most of his career as an in-house lawyer at ChoicePoint, a consumer data broker that in 2005 became one of the first companies to publicly disclose a data breach after the financial records of 163,000 users were compromised. At the time, data security laws were nascent and California was the only state that had laws regulating data breaches. Cwalina found that there were few outside law firms he could turn to that had a complete practice group to guide the company through the data breach, which spurred investigations by federal and state agencies and class action lawsuits.

Today, data privacy is still a relatively new area for law firms, and Holland & Knight’s lab approach is more experimental than most.

“This is a brand new area of the law. It’s still developing,” Cwalina said. “Add that to the fact that we do it this way, with tech consultants added to our legal services, some people say, ‘Huh? Why are lawyers doing this?’ It’s different and it’s a bit of a risk.”