The Potential of a Data Protection Practice

The first volume in our 21st Century Legal Career Series, Data Protection Practice: The Brave New Legal World (available from or e-version at first because it is the hottest and fastest-growing emerging legal career. A recent New York State report validates that assessment several times over.

On March 21, 2017, New York Attorney General Eric T. Schneiderman announced that his office received a record number of data breach notices in 2016. The almost 1,300 reported data breaches represented a 60 percent increase over the previous year, exposing the personal records of 1.6 million New Yorkers. The exposed information consisted overwhelmingly of social security numbers and financial account information. Hacking (40%) and employee negligence (37%) were the main causes of data breaches.

The report shows that no organization is exempt from the risk of a data breach. Cascade the New York experience nationally and you can get an idea of the immensity of this problem and the demand for solutions. Attorneys who are knowledgeable about privacy and cybersecurity protection and law are presented with a golden opportunity to establish a practice in this area. Businesses need help in many areas impacted by this threat, including:

  • Understanding what information is required for its operation, what data have already been collected and stored, how long this data are needed, what steps have been taken to ensure security, how sensitive data are acquired and being shared with third parties, and what access controls are in place;
  • Making sure that the business is collecting only needed information, storing it only for the minimum time required, deploying data minimization tactics wherever possible, and deleting any information no longer needed;
  • Creating a comprehensive Information Security Plan that includes encryption, articulates technical standards, incorporates employee training and awareness, and includes detailed procedural steps in the event of data breaches;
  • Implementing the information security plan;
  • Conducting regular reviews to ensure the plan continues to conform with evolving best practices;
  • Taking immediate action in the event of a breach which, in a growing number of states means notifying consumers, law enforcement, state Attorney Generals’ offices, credit bureaus and other businesses; and
  • Offering free mitigation products and services to consumers affected by a breach, which could include credit monitoring.

This represents a comprehensive list of advisory services that attorneys can provide.

The cost of clearing up the consequences of identity theft can easily reach into the thousands of dollars and require hundreds of hours attending to administrative burdens. Businesses are beginning to realize both the nature of the threat and the implications of laxity.