Data Privacy and Cybersecurity: Shannon Yavorsky

Practice Area Podcast Series

Shannon Yavorsky is the Chair of Orrick’s Global Cyber, Privacy, & Data Innovation Group. She advises clients on a broad range of United States and European data privacy and cybersecurity issues.

Podcast Transcript

Dena: Hello, and welcome to our practice area podcast on data privacy and cybersecurity. My name is Dena Sacco, and I’m an advisor in the Office of Career Services at Harvard Law School. With me today is Shannon Yavorsky, a partner at Orrick and head of the global Cyber, Privacy & Data Innovation group. Shannon advises clients on a broad range of US and European data privacy and cybersecurity issues. Thank you so much for joining us today, Shannon.

Shannon: Thanks so much for having me.

Dena: So I’d like to start by asking you just to describe your role at Orrick. I said a very long title, [LAUGH] but we’d like to understand a little bit more what it is, and how you got to that point, and kind of what you do.

Shannon: Great, thanks so much, Dena. So I’m the global chair of Orrick’s Cyber, Privacy & Data Innovation team. Just a little bit about my path to where I am now. I went to law school in London, and I qualified as an English solicitor. And I started off working at Kirkland & Ellis in London in their technology transactions team, where we did sort of license agreements, and IP prosecution, trademark, copyright. We were a small team, and we worked on really anything that touched IP or IT. And at the time, around 2003, there wasn’t a lot of data work, and people didn’t really know where to put it. And it was sort of IP adjacent, so they gave it to IP teams. And you’ll find that with lots of privacy lawyers who are older, [LAUGH] that they’ve actually come from a different kind of background, a lot of people from an IP or tech transactions background. I worked in London for about 12 years in Kirkland’s tech transactions team doing a broad mix of IP, IT, and data work, until I moved to the US about eight years ago. And when I moved to San Francisco, I started increasingly focusing on the data work, privacy work. Because it was so interesting, the law was changing, people were using data in new and innovative ways. It was the dawn of sort of cross-context behavioral advertising, all the cookies being set on browsers across the Internet. So it was a really, really exciting time. And so, when you talk about what my day looks like now, it’s pretty mixed, still. I do privacy and security aspects of corporate transactions. So I would say there are four main areas. The first is M&A. And so we advise, if one of our clients is buying a company, we’ll look at the company, look under the hood, and see whether they have good privacy and security practices, if they have a good compliance program in place, if there have been any data breaches. And advise our clients on the risks associated with buying that company, so that’s M&A. And then second, I help companies build and scale privacy programs.

So what does that mean? It’s figuring out the universe of laws that apply to a company, and designing a program to help them comply with the law. We usually start with something called a gap assessment, which identifies the gaps between a company’s current practices and compliance with the laws that apply. And we create a compliance program and a roadmap for them to follow in order to get into compliance with the universe of laws that apply. Third, I answer a whole lot of ad-hoc privacy questions. So, can we collect precise geolocation data? Can we turn our app tracking to always on, so that you’re always tracking the user? I got that one yesterday. Can we look at our cookie banner, do we need to have a cookie banner in the US? What does it need to say? Can I email all of our customers and ask them if they wanna buy an adjacent product? We work on a lot of fun privacy advisory projects. Just a few recent examples of some of the more interesting ones. We had a company come to us and ask us to look at the risks associated with transmitting personal information via space laser. So there are satellites that are transmitting data to different satellites and then down to what are called hops on the ground, and the laws associated with all of that data transfer, which was a really, really fun and interesting project. Another one that we worked on recently, quantum computing. So what are the risks for personal information in the era of quantum computers? So how supercomputers are going to be able to hack modern day encryption, and what that means for companies, particularly in the financial services space, where they have lots of financial data. Or in the health information space, so hospitals who have tons of health information. And then finally, data breaches, but you’ve probably heard about these. They’re in the news all the time that a company gets hacked.

They range from ransomware attacks, where an attacker will freeze a company’s systems, and they won’t be able to access anything, which can be kind of a non-issue for some companies, but can be a life and death issue for a hospital system, where there’s patient data that they’re unable to access. And then all the way through to what we call fat finger issues, where someone has accidentally sent data to a bunch of the wrong people. And we have to figure out the universe of laws that apply to that kind of data breach. And finally, the other part of my job, at this point, as the global chair, is that I manage about 60 lawyers. And there is a lot that goes along with hiring people, figuring out where we need resources, managing our budget, managing utilization, like how many hours our lawyers are working, where the work is coming from, and building a strategy for how the team’s gonna evolve going forward. And then finally, business development. And that’s going out and speaking, and writing articles, and meeting people, lots of lunches, lots of dinners. Next week I go to New York on Thursday, and I meet with a client for lunch, I meet with a client for dinner. And then I fly to Miami to go to a conference, so that’s [LAUGH] a day in the life.

Dena: So you are very busy.

[LAUGH]

Dena: It’s a very long day, let’s say.

Shannon: It’s long, exactly.

Dena: And it sounds like fun. So, the terms, you always see the terms data privacy and cybersecurity kind of together, but there’s an and in the middle. And, I guess, can you explain a little bit what each of them is, how they differ from one another, and maybe how they intersect?

Shannon: Yeah, it’s a great question, and something that I think there’s a lot of confusion about in the marketplace. So privacy is more about personal information. And you think about data like your name, your email address, your physical address. But it’s also lots of other things, like your IP address, which I don’t even know my IP address, and your device ID for your phone. It’s lots of different bits of information that are related to you. And there’s a whole universe of laws out there, like the GDPR, which is the General Data Protection Regulation, and laws in the US that apply to how companies are allowed to collect that data, and how they’re allowed to use it. So if they collect your email address and your name in order to send you a product, or your physical address in order to send you a product, are they then able to use your email address to email you about new products that they have available? What are the rules around how they’re allowed to use it? Whereas cybersecurity is more about how that data is protected. So are the systems safe? Is the company conducting penetration tests to make sure that those systems are secure? Is there a level of encryption for that data? And then are there data breaches, what we were talking about earlier. It’s called a cybersecurity incident. So has someone been able to get into that system and exfiltrate the data? So take the data out or damage the data or freeze the data. That’s more what we are talking about when we’re talking about security or cybersecurity.

Dena: So do you work on both? But within your group, do attorneys specialize, or does everyone sort of work on the whole grouping together?

Shannon: It’s a great question. So a lot of people do everything. And I’ll do a few little data breaches if a client comes to me and says, oh my gosh, my HR director just sent everyone’s salaries [LAUGH] across the company. What do we need to do? But if there’s a really big cybersecurity incident, like a ransomware attack, we actually have a whole team that just lives in the data breach world, and that’s all they do, sometimes almost 24 hours a day, and they love it. They thrive on the excitement of a data breach. And we have a whole team that does the communications, like how to communicate with your customers when something like that has happened. And then we hire external forensic firms that are able to sort of pick apart the systems and figure out where the data breach happened and how to remediate it. And then, as another example, we hire external people who are ransomware negotiators. All they do is negotiate with ransomware attackers. So cybersecurity people, if there’s a big breach, there’s a whole team that just focuses on that. But a lot of my team does kind of both things, and certainly our juniors, we try to make sure that they get experience doing both things so they can figure out what direction they want to go in. And like I said, some people, just personality wise, they love nothing more than a Friday night data breach. [LAUGH] I have to say it’s not my personal favorite, but some people just love the excitement of it. It’s kind of a puzzle, figuring out how to put it back together again.

Dena: So interestingly, and I just wanted to point out for the people listening that we have a podcast also in this series with Seth Berman, who teaches here at the law school generally during winter term and worked at one of these forensics firms. He led the offices in both Boston and London of one of these forensics firms. So I encourage Stroz Friedberg to give us a call. So I encourage students to look for that if they wanna learn more about how the kind of forensic team operates from an outside perspective. But moving forward, I wanted to ask you, Shannon, so you mentioned the GDPR and you work with both EU and US law. Can you tell us some of the most interesting differences or the challenges that you have in working with both sets of laws and how that kinda works?

Shannon: Yeah, sure, so in the European Union and the European Economic Area, which is the EU plus the EFTA states, which are Norway, Iceland, and Liechtenstein, very early on there was one of the first data protection laws, called the Data Protection Directive. And a directive in Europe is a kind of law that has to be broken down into national laws in each jurisdiction. So at one point, we had 31 different national data privacy, data protection laws in Europe, which was a complicated landscape for companies to comply with. It was confusing. And although it had roots in the same law, this directive, it was overly complex. So, then the European Commission put together the General Data Protection Regulation, which is a regulation, which means it has direct effect across all of the member states in the European Union. And so there doesn’t have to be a companion sort of national law. And it had the effect of harmonizing laws across Europe, which made it easier for companies to comply. It also introduced a more robust enforcement environment for companies. So you look at the enforcement from when the GDPR went into effect in 2018 to what it is now, and it’s extraordinary how much it’s increased. There are fines that have been up to close to a billion dollars now for one company for violations of the GDPR. So people really stood up and noticed. And there’s a companion law to the GDPR called the ePrivacy Directive. And you’ll notice it’s a directive, meaning it’s still broken down into a bunch of national laws, that applies to email marketing and cookies, so Internet advertising across Europe. And those are the two main laws that govern personal information, data, and cybersecurity across Europe, but earlier on. And then in the US, you have a really complicated legislative landscape because the laws at a federal level are sectoral. You have HIPAA, which is the federal health data law. You have COPPA, which is for children’s data, FERPA for education data.

The GLBA, the Gramm-Leach-Bliley Act, for financial data. The FCRA, also for sort of background check data. So you have these federal laws, but then you also have a host of state laws. And now as of 2018, when the California Consumer Privacy Act was passed, you were starting to have a host of state-specific privacy, omnibus privacy laws. You have California now, and then this year in 2023, California expanded its law, Virginia enacted a law, and then Colorado, Connecticut, and Utah will all go into effect before the end of this year. So that’s five new state privacy laws. Ten new states are considering state privacy laws that look a whole lot like these other state privacy laws. So in the US, you have to look at the federal laws, then you have to look at all the state laws for privacy. And then all 50 states have a slightly different cybersecurity law. [LAUGH] So you can imagine, it’s complicated for companies to comply with because they have to figure out what state laws apply, what federal laws might apply. It’s a more complicated regime. So that’s some of the key differences between EU and US.

Dena: So interesting, and in the US then, do you find that attorneys tend to specialize within kind of sector areas? So like, I deal mostly with FERPA and the state laws under that, or I deal mostly with HIPAA. You know what I mean by-

Shannon: Yeah, yeah, totally. And you’re absolutely right, because we have a lot of our lawyers, again, for our juniors, we like to make sure that people are getting exposure to each of the laws so they can figure out, do they love HIPAA work? Are they really interested in health information? Or COPPA, or FERPA, and we definitely have people who specialize in different areas. And we have, in our team, one of our partners is just one of the top COPPA and FERPA experts in the country. She just really just knows everything about every case, everything that’s been written about different legislation. So there’s certainly the ability to sort of specialize in a particular area, and we have our HIPAA lady, I call her, I’m sure she wouldn’t like that. She just specializes in HIPAA, and she’s been doing that law for the better part of 15 years, and just knows it inside and out. And, of course, she does the state privacy laws as well, and other areas of the law, but certainly people have their sort of niche that they do more work in and become experts in. But for our juniors, we’d like to get them a project in all of the different areas, so they can figure out like, how do I wanna steer my career – do I wanna go more towards financial data and do more work for banks and insurance companies? Or do I wanna go more to the life sciences space and work more for like healthcare companies, for example? Or like our COPPA person, do I want to do work for, like, ed-tech companies or people who are providing online services for kids?

Dena: So that’s a great segue into my next question actually, which is sort of what kind of work a junior associate might do in this field. And you’ve started to talk about that a little bit in terms of getting them a broad range of experience. But if I’m a junior, listening to what you do, it sounds so exciting and very high level in terms of advising clients, but in the day to day, what might a junior associate on your team be working on?

Shannon: So like I said, they do a lot of different things, because it’s kind of the bullpen, and we want them to get a broad base of experience in all of the different things that can happen in privacy and security, so they can sort of figure out what they like. But probably the most common task in my team is working on a privacy policy. So drafting a privacy notice for a website, and we ask them to consider what laws apply to this company, and then usually set up a call with the company to walk through a bunch of questions. We like to give our juniors the first chair on those calls because they’re going through a questionnaire and asking the company, do you collect this kind of data? What are you doing with it? What are the purposes for which you use it? And then they go away, and they’re able to draft the privacy notice. That’s probably the most common. Another common task is working on data breaches. So figuring out, in each state, let’s say in a data breach there are ten different state laws that are impacted. And each of the state laws has different requirements with respect to notification, whether you have to notify the AG or any other regulator, whether you have to notify individuals, and then there’s a format for what those letters have to look like. Our juniors are often putting together drafts of the communications that have to go out in connection with the data breach. People also commonly work on data processing agreements. So, now in Europe and in the US, if you’re providing data to a service provider, think about if a company uses Amazon or if they use Salesforce for their customer data, you have to enter into an agreement with those counterparties that says, you, Salesforce, can process this data, like our customer data, on your system, but you can’t use it for anything. You can’t then take my customer data, sell it to someone else, or use it for any other purpose or use it to improve your systems.

And so there’s a set of contract terms that are prescribed by law that people enter into with those service providers, with AWS or with Salesforce or Amazon or Adobe or Meta. And our juniors are often redlining those agreements, so they get kind of contract experience as well, because there are lots of standard terms in there. And there’s sort of a checklist that they go through, like does it include terms in relation to data security, like what happens if there’s a data breach? When does the service provider have to notify us? So contract drafting, and that’s a key lawyer skill. So there’s always lots of data processing agreements for people to draft. So those are probably some of the most common tasks, I would say, that our juniors get into.

Dena: That’s great. That’s really helpful. So when you’re hiring associates, and let’s talk kind of at the junior level here rather than at the lateral level, because most of our listeners are students, although some may be alums who have been out for a little bit longer. What are you looking for? What types of skills, types of experience, background, interests, do you sort of search for when you are hiring?

Shannon: So we look for genuine interest in our topic and some experience, some exposure to it in some way, like maybe having taken a course, maybe having attended an event. There aren’t a million privacy and security classes out there just yet. I mean, I think it’s coming. Certainly when I was in law school, there weren’t any. It was maybe like a line or two in my IP class. [LAUGH] But now, what I look for is someone who’s really genuinely interested in privacy and security. And I always like it when someone’s like, oh, I’ve read this article in The New York Times. Kashmir Hill is a commentator on tech and privacy, and I thought it was interesting that there are privacy issues in the metaverse, just some genuine interest. Drafting skills for sure are important to us, because we do a lot of written work product, more so than maybe someone in the corporate or M&A team. But, I look for curiosity, people who are really curious about privacy and security.

Dena: That’s great. And I mean, at Harvard there are various things that you can do to start to understand this area and develop an interest in it. And we have a cyber-law clinic. That is a fabulous opportunity for students. I actually taught there for several years. So I’m telling students about it as a way in, or just going to the Berkman Center for Internet and Society to go to events and get involved, because those might be the kinds of things that they can speak to in an interview, that they might be able to put on a resume, that might pique your interest and show their own developing interest in the field.

Shannon: Yeah, absolutely. Taking a class like that would be something that I’d be sort of laser focused on in a resume, cuz I know there aren’t tons of opportunities, but the extent to which someone has sought it out or really listened or taken an interest in it, that’s one of the things that we look for.

Dena: So I guess the last question I have for you, and you’ve given so much great advice already, but do you have any other pieces of advice that you’d like to give to students or young alumni who might be interested in this area of practice, beyond what you’ve already told us, I guess?

Shannon: [LAUGH] Yeah, for sure. So, I think people interested in this space, like I said, I look for people who are seeking out opportunities to get involved. So there are different organizations that have privacy or security events, like the IAPP. The International Association of Privacy Professionals has a network of different local chapters called KnowledgeNet Groups, where people get together and there’s usually a privacy topic that people talk about. Attending a conference or a speaking event where someone’s talking about privacy or security. Those are, I think, good things to get involved with. I don’t know if there are internships that are available. A lot of people go through, in San Francisco in the Bay Area, anyway. The Wikimedia Foundation has a few internships that are always going. So, I think those are the kinds of things, and then talking to privacy lawyers, we love our topic. So if [LAUGH] you find a privacy lawyer, they are going to be more than happy to talk to you about what they do. Because I feel like we’re the kind of lawyers that, I go on hikes with other privacy lawyers on the weekend where we talk about privacy. That’s how nerdy we are.

Dena: That’s wonderful. [LAUGH]

Shannon: We love our thing. [LAUGH]

Dena: Well, that’s all.

Dena: Oh, well, Shannon, thank you so much for joining us today. I feel like I really learned a lot, and I’m sure that our students and other listeners did as well. And we really appreciate your time, cuz we know that you’re busy and that you have a great practice. So, thank you.

Shannon: Oh, thanks, Dena. Thanks so much for having me.

Dena: And thanks to everyone listening in, and please look to our other practice area podcasts if you want to explore other related practice areas, or other practice areas at all. Thank you.