Photo by Stephen Voss.
Hogan Lovells scored big in 2012 when Harriet Pearson joined the firm’s Washington, D.C., office after a lengthy stint at IBM, where she was Vice President, Security Counsel and Chief Privacy Officer and had become one of the nation’s leading authorities in cybersecurity legal matters. Pearson’s cutting-edge practice advises clients on their policies related to privacy and cybersecurity and assists them in responding to breaches and other incidents; the Hogan team often acts as “breach and crisis counsel” in such situations. Pearson, a UCLA Law graduate, co-chairs the Georgetown Cybersecurity Law Institute and has served in a number of other leadership and board positions within her field.
Lawdragon: Where along the way at IBM did you start to develop an interest in cybersecurity and privacy issues? How did you and the company come to forge that dedicated role at a time when there were probably very few CPOs?
Harriet Pearson: We identified data privacy and security as key policy issues in the mid-1990s and I managed many of the company’s early initiatives in this area. Working at the heart of a major global technology company, I also saw the many different ways these issues intersect with business and realized the value of an enterprise-wide strategy – today, some call it privacy and security “by design.” I proposed the Chief Privacy Officer position to unify the company’s approach, and when the company appointed me CPO in the year 2000, it was one of the first companies to formalize the role.
LD: Once you more or less dived in, what about this area of law led you to want to really focus your career on it?
HP: Data privacy has been an issue for decades, but it was the coming digitization and interconnection of seemingly everything that caught my attention and convinced me to dive in for the long term. The speed with which technology is transforming every sector challenges existing privacy, legal and policy frameworks, and it is now widely understood that cyber risk is a top-tier issue that must be addressed comprehensively, including via law. How do we protect data, and the systems on which it resides, while putting it to its most productive use? These are among the big questions, and the big risks, of our time.
LD: After a long time in-house at a place like IBM, I’m sure you had some options of where to go. What led you to Hogan Lovells?
HP: Hogan Lovells has the right strategy and team. In transformative and challenging times like these, a firm with geographic reach and a deep bench of talent can anticipate and address clients’ most pressing needs. But only if everyone works together! After two decades leading and contributing to multi-disciplinary teams, I believe passionately in the power of teamwork to create better outcomes for all. Hogan Lovells truly values and rewards collaboration. So choosing where to go was actually quite easy.
LD: A lot has changed even since 2012 in this area. Are companies still mostly reactive when it comes to dealing with cybersecurity issues, coming to you after a problem arises? Or have there been enough high-profile incidents – data-breaches at big retailers, the Sony scandal – so that you are now spending more of your time doing proactive policy-development and planning work with clients?
HP: My practice is now roughly equally divided into three primary parts: First, we help senior management and boards look at today and what’s around the corner. We regularly assess companies’ cybersecurity and privacy programs and recommend enhancements in light of current and emerging global standards. A recent project for Uber, on their customer privacy program, is a publicly known engagement of this type. We also counsel in the context of investments and other transactions.
Second, I help clients plan how to handle the consequences of a significant breach. Formalizing plans and running “tabletops” are extremely impactful ways of driving useful changes within an organization. Third, our team provides 24/7 support – from legal counseling and investigations to crisis communications to technical interpretation – in the event of a cybersecurity or other type of data or technology-related incident. We have acted as breach and crisis counsel for a wide range of companies, including in many of the most prominent events of the past several years.
LD: If you can comment broadly, what do you see as a few of the really key things that in-house counsel just aren’t doing enough of to deal with these challenges?
HP: In my experience, in-house counsel are now fully engaged with cyber and privacy issues. If only they could manufacture more hours in their day! In all seriousness, with the existing issues on their plates, the additional challenge of counseling on the technically complex and high-stakes issues in these areas can strain in-house resources. Tapping external specialized resources, including via non-traditional arrangements such as retainers and project-based work, is something we see businesses doing. Reaching out to peer colleagues, especially on an industry sector basis, can also be incredibly helpful to confirm and inform individual company assessments and strategies.
LD: What are some of the challenges of guiding companies in evolving regulatory environments and potentially unpredictable law enforcement situations? Do clients know if they will be treated as victims or as wrongdoers when it comes to government agencies?
HP: I believe that we are in a time of transition, at least in the United States. Let’s say a company has been hit by a cyber attack. On the one hand, there has been a crime committed and the company is a victim. On the other hand, there is every chance that the company will face scrutiny and likely litigation and perhaps enforcement action from a variety of entities. Deciding what to do, in a timely way (given statutorily imposed notification timelines), is a highly strategic and nuanced exercise that benefits from advance planning and experience.
LD: On the consumer litigation side, where do you see the law ending up in terms of plaintiffs having standing to sue? Is it too early to tell, or do you expect to have more clients for whom the firm is defending lawsuits to later stages of litigation?
HP: So far, U.S. courts have appropriately looked for concrete evidence of harm in order to allow consumer litigation to move forward, which has meant that most data breach cases are dismissed or settle early. It’s too early to tell how procedural requirements in this area will evolve, but having spoken with technical experts, I do know that they are worried about increases in the type and magnitude of cyber attacks, so unfortunately courts will continue to have an opportunity to develop their thinking.
LD: How do you stay up on an evolving field that involves a number of high-tech issues – are there blogs, sites, colleagues or other sources that you end up relying on a lot?
HP: I look to our practice’s blog, the Chronicle of Data Protection, as well as online posts by academics, technologists and business strategists, for timely updates on key developments. As co-chair of the Cybersecurity Law Institute, now planning for the fourth annual conference at the Georgetown Law Center, I am constantly reviewing new developments in cyber law so that we program the most current issues and speakers. And every Friday afternoon our team prepares a bulletized update on the week’s developments to clients who have requested it – overseeing its preparation pretty much forces me to stay current.
LD: What do you do to rest your brain and get away from these complex legal issues?
HP: I enjoy cycling, hiking and kayaking with my family. We’re fortunate that there are lovely places within an easy drive from DC. My husband has a standing goal to find places with spotty cell coverage to help us stay disconnected for a few hours.