Welcome to our 9th annual Data Security Incident Response Report!
We are now three years post pandemic and while a lot has changed, some things remain the same. Last year, I talked about resilience–the uncertainties of the pandemic were still present, the war in Ukraine had just begun, and businesses were addressing new issues caused by technology evolution and work-pattern changes. Resilience in 2022 meant continued effective implementation of security measures, evolving privacy compliance programs beyond just addressing the biggest compliance risk areas, and responding to continued efforts by litigators to exploit different privacy and privacy-adjacent statutes for financial gain.
The “incident response boom” in 2020 to 2021 saw new vendor entrants to the market. Some of those vendors were suddenly desperate for work in light of the rapid decrease in network intrusions and ransomware incidents. That lull was short-lived. The attacks picked up at the end of 2022 and have continued into 2023.
Over the past 20 years, our attorneys have spent a lot of time on-site with our clients helping them manage security incidents. That experience gave us a window into how our clients interacted with the life cycle of data and technology. We learned our clients’ business, industry, and what mattered from a practical perspective. In 2020, we did something no other law firm has done—we elevated data issues to the practice level (similar to tax, IP, litigation, labor and employment, and business). The group is called Digital Assets and Data Management (DADM). In the three short years we have been in existence as a firm practice group (rather than a practice team), we are approaching the size of our firm’s IP group, have more than 100 dedicated attorneys and technologists, and have several clients using the services of all seven practice teams. The American Lawyer, Chambers, Legal 500, and BTI continue to recognize our accomplishments.
Data issues are cross-practice issues. For example, clients are talking to us about leveraging an existing security tool for privacy management and governance, risk, and compliance (GRC). That type of engagement involves our incident response attorneys, our in-house legal technology team (IncuBaker), and our privacy compliance attorneys. Our adtech, privacy transaction, and privacy attorneys join to help clients manage the sprint to launch new products and services and to build compliance programs for multi-state and global privacy laws. Our litigators responded to the surge of new lawsuits based on security incidents and allegations of violations of privacy laws. Our regulatory, healthcare, advertising, and security attorneys (combined with corporate compliance attorneys) worked to address the federal regulatory focus on cybersecurity, dark patters, crypto, and post-Dobbs issues. You will see insights and guidance based on this work in this year’s DSIR report.
I remain proud of the efforts of our firm and the DADM group leading the way on DEI efforts. BakerHostetler achieved Mansfield 5.0 certification this past fall. The leader of our IncuBaker team was named the CIO of our firm, and her team continues to receive accolades for their use of technology in serving clients. We remain the most diverse practice group at BakerHostetler.
Thank you to our clients and the vendors we partner with for all of your support. We hope you enjoy this edition of the DSIR Report and we welcome you to contact our DADM group members with questions or suggestions.
(He | Him | His)
Chair, Digital Assets and Data Management Group