Mid-Law Sees Opportunity In Cybersecurity And Privacy
Law360, July 26, 2023
By Emma Cueto
As cybersecurity and privacy grows and matures as a practice area, more Mid-Law firms have been adding or expanding practice groups dedicated to it, with industry observers saying that it makes sense for midsize and regional firms to invest in the space as it evolves.
While cybersecurity and privacy practices are still predominantly the purview of BigLaw, several Mid-Law firms have opened their own groups in 2023. Experts say this is part of the long-term trend of these topics growing not only more important to clients but important to an increasing number of clients, including small and midsize companies.
"I think firms are starting to realize it's a sustainable practice that's not going away," said Chris Batz, a recruiter with Midwestern recruitment firm The Lion Group.
While cybersecurity is relatively new as a practice area, both legal and technological changes have meant that even small and mid-sized companies are looking for advice on the subject, and plenty of Mid-Law firms have stepped in to try to meet those needs.
In 2023 alone, several firms have launched cybersecurity practices. Most notably, employment-focused firm Constangy Brooks Smith & Prophete LLP created a cybersecurity group in January with 32 attorneys and 12 staff from Lewis Brisbois Bisgaard & Smith LLP.
In addition, intellectual property firm Finnegan Henderson Farabow Garrett & Dunner LLP launched a privacy practice in March led by the former chief privacy officer at the U.S. Department of Homeland Security, and Cincinnati firm Keating Muething & Klekamp PLL relaunched and expanded its cybersecurity and data privacy practice in February.
Also this year, New York-based Barclay Damon LLP upgraded its cybersecurity team to a full practice group within the firm.
Firms making moves in the space tended to highlight client demand, saying that they saw a lot of opportunity in the space.
Stacy Cole, a cybersecurity attorney who joined Keating Muething in 2022 to help relaunch its group, said the firm's clients — which are primarily midsized companies — increasingly recognize cybersecurity and privacy as issues they need to be proactive about.
In part, that's because the firm's clients tend to operate widely, even if they are based in Ohio, meaning they have to care about laws such as California's Consumer Privacy Act, she said. But it's also in part the fact that clients seem to recognize that companies of all sizes must now protect themselves from breaches.
"Most small to midsize businesses are seeing that this is the cost of doing business," she said. "Clients are realizing they have to take this seriously, and our experience is that they're doing so."
While the firm expected to have to sell clients on the new group, she said, instead clients have been coming to them.
That increasing concern by midsize companies can present an opportunity for midsize and regional firms, though not all have moved to create one. The demand may also vary by region, especially demand among midsize companies.
David Pedreira, managing partner with Florida recruiting firm MillerBlowers Inc., says that he doesn't see firms in the Sunshine State clamoring for cybersecurity talent. "I think it's still a nascent practice in Florida," he said.
He noted that some Mid-Law firms in the state have a practice, including Shumaker Loop & Kendrick LLP, which offers data breach services, and Shutts & Bowen LLP, which has a standing cybersecurity and data privacy task force. However, most of the firms in the state offering those services are the national firms, he said.
Outside of that, he said, cybersecurity and privacy mostly come up in the context of firms saying it would be nice to find a candidate who has some related expertise on top of their main specialty.
Meanwhile, in California, recruiter Carla Khalife with Swan Legal Search said cybersecurity lawyers are "in high demand," and a number of midsized California firms have practices dedicated to it, including Los Angeles firm Greenberg Glusker Fields Claman & Machtinger LLP, San Francisco firm Coblentz Patch Duffy & Bass LLP and California regional firm Jeffer Mangels Butler & Mitchell LLP.
"California has emerged as an epicenter for privacy, as the first state to pass data and privacy laws and set up a breach notification system," she told Law360 by email.
However, even in California, most cybersecurity and privacy attorneys are concentrated in BigLaw, according to Khalife, including about three quarters of associates based on Swan Legal Search's data.
"While data privacy is a growing practice for many midsize firms, we aren't seeing too many positions open up for associates to practice exclusively in this space," she said. "You may handle some data privacy work, and perhaps more than half of your practice is in this space, but at the smaller firms you are more likely to work on additional matters, too."
Cole noted that this lack of dedicated expertise among attorneys can also make it tricky for a firm to launch a group.
"I think everybody would like to be in this space, but it's not easy to dabble in," the Keating Muething attorney said. "There's a big learning curve. Unless firms are willing to make that investment and have a long term vision it's hard to be successful."
Despite the fact that many midsize and regional firms haven't made those investments in developing cybersecurity or privacy as practice areas, experts said they expect to see more and more doing so.
Batz speculated that in the long term, most midsize and regional firms will want to offer some sort of cybersecurity and privacy services.
"Cybersecurity is a key issue," the recruiter said. "If a firm doesn't offer cyber — and it's common at this point that problems occur — [clients] are going to go to another firm."
Both Batz and Khalife said that firms that this was especially a risk as clients wake up to the importance of being proactive in this arena.
"From our vantage point, a law firm lacking services around cybersecurity isn't a deal breaker for businesses. But it should be," Khalife said.
She said that many companies seem to be unprepared to meet the new legal requirements being placed on them and are not prioritizing cybersecurity — but that she expects that will change and cybersecurity and privacy expertise will grow increasingly more in demand.
At Keating Muething, Cole said the firm is currently very pleased with the new cybersecurity group, and is looking to grow it through a combination of lateral hires and homegrown talent. It's not an area she sees slowing down any time soon, she said.
"Like any other compliance practice, as technology evolves — even if the laws don't — whatever policies and practices you have in place have to evolve," she said. "There's constantly going to be changes to address."
--Editing by Nicole Bleier.
https://www.law360.com/pulse/articles/1704177