Michael Canty is most comfortable in a courtroom. As a young student, he assumed that was the sole domain of a lawyer and headed towards the profession with a hunger for trial. He was drawn to the very essence of trying a case: asking smart questions to uncover the truth.

It’s no surprise, then, that he spent several years as an Assistant District Attorney in Nassau County a then as a federal prosecutor in Brooklyn, trying dozens of cases with a focus on national security and cybercrime.

Since joining Labaton Sucharow, Canty’s practice has expanded to complex fraud cases, frequently involving issues surrounding security and technology. He spearheads the firm’s consumer cybersecurity practice, and also runs a securities group that focuses on institutional investors.

One highly notable recent win is a case brought against Facebook for their use of facial recognition software, in which him and his colleagues secured $650M for a class of Illinois users. The case called into question larger issues surrounding consumer data privacy within the burgeoning technology of biometrics and is being closely watched for its implications.

Lawdragon: Where have you been during lockdown?

Michael Canty: I've been working out of my home. About the beginning of March, we made a decision as a firm to work remotely. I have to say that, for our firm, we were prepared to work remotely. We had a great support team. We always have worked remotely after hours and on the road, so it was fairly seamless for us, thankfully.

LD: That’s helpful. Law firms are ahead of the curve in terms of cyber security, I’d say. Have clients in any other industries been concerned about cyber breaches or any other issues coming from that quick switch to remote work?

MC: From our perspective as securities litigants, with the Covid crisis and the volatility in the stock market, oftentimes that exposes other fraud. Whereas a consistent up market often can mask fraud or misconduct by a corporation, a volatile or down market oftentimes will expose it. That's something that we're looking at. From a cybersecurity perspective, I think the tide has changed. Ten or fifteen years ago, if a corporation had a breach, it was perceived as the victim, which of course it was, but now I think there's an expectation that corporations are going to provide proper security and cybersecurity within their business to protect their assets and sensitive information. If there is a breach, from our perspective, there could be a securities claim if a corporation makes representations to investors that it has proper security features in place and it doesn’t .

In a securities fraud case, we're not talking about somebody simply having a breach . We're talking about whether a corporation was going out and making affirmative representations that it had provided the proper security when, in fact, it had not. That would be a case that we would look at if it affected investors.

We represent institutional investors, public pension funds. When we talk about public pension funds, I think it's important to kind of go one level below that. Who are we talking about when we talk about public pension funds? We're talking about firefighters, teachers, police officers, civil servants, individuals that are relying on these pensions in their retirement. So we believe we have a fiduciary obligation to protect our clients' interests and we do that through a monitoring program where we look for potential fraud. That's where we're particularly focused on in protecting our clients' interests.

LD: Can you talk more about the monitoring program?

MC: Sure. We have hundreds of clients that we do monitoring for. We monitor their portfolios so that we're an extra set of eyes on their finances. If we see a fraud, we will often let them know that we think there may be something there or we'll give them updates on what's going on in the market. It's to provide assistance to them and their fiduciary obligation to their pensioners.

LD: Interesting. From what I understand of cybersecurity laws, there’s sort of this patchwork of state laws rather than clear federal guidance. Did that come into play with the Facebook biometrics case?

MC: That’s a great point. States have different laws to protect consumers..

In Illinois, they passed the Biometric Information Privacy Act, which was not set up to thwart innovation, but rather to protect consumers. The reason why the law was passed was to essentially tell companies, if you want to use biometric data to help innovate, that's fine, but you have to allow consumers the opportunity to know that it's happening. You have to tell them exactly what you're doing and get written permission before collecting the dataa. The problem is that, in the Facebook case, as we alleged in our claim, Facebook was collecting biometric information, which was scans of face geometry of their users, and they were not giving the users the opportunity to opt out. We alleged users were automatically enrolled without proper consent and that was a violation of the law.

Other states have similar biometric information privacy laws, although not where an individual can bring a case; oftentimes it’s the state that can bring it on behalf of its citizens. In New York, there was a discussion about facial recognition and the use of the technology in law enforcement. You had the also Clearview AI technology. There the company essentially, scraped images off of all publicly available platforms. In light of these and developments An idea was floated in New York City: Let's ban all use of biometric technology. It didn't happen, because there are concerns on that end that you don't want to thwart the ability to use the technology. That makes sense when you think about the context of where it can be used for good. My position has always been that I am not against the use of this innovation. I think it's wonderful in certain regards, but users and consumers need to have the opportunity to say, "No, I want my privacy protected. And if you take it without my permission, there is an injury to me."

States do have a patchwork of laws. The other problem is the technology is moving so fast that it's often difficult for state legislatures in Congress to keep up. We see how long it takes Congress to pass bills. It's a deliberative process and technology moves at lightning speed. So that's another issue.

LD: Very true. The Facebook case focused on facial recognition, right? And that’s under the larger umbrella of biometric privacy?

MC: Yes, biometric information would be your thumbprint, a voiceprint, a scan of face geometry, an iris scan, things that are indelible to you, that belong to you and you alone.

There were cases where companies were using thumbprints to keep records of employee’s time. Instead of punching a clock, you give your thumbprint. The question is, well, what happens with that thumbprint? Does that thumbprint stay with the company? What if the thumbprint gets sold? What if there's a breach in security? Could it be used to interface with an iPhone, if they're able to take that thumbprint and use it to open up somebody's phone?There's also the interaction between different platforms that use a thumbprint for access.

LD: Yikes.

MC: Right. So Illinois said, "Look, we're not going to stop you companies from doing it, but you have to get affirmative consent in writing from the user in order to do it."

LD: With these privacy violations, you then have the challenge of proving a concrete injury, right?

MC: Yes. Facebook basically argued that nobody was injured. The Ninth Circuit agreed with us and said, "No. The fact is that they have a right to their privacy here and you took it without their permission. They have an injury."

LD: Congratulations, that’s a great result and an important precedent to have established. I know you have a long history with cybersecurity. Have the laws and remedies changed completely since the early part of your career?

MC: Cybersecurity is such a broad term. A cybersecurity violation could be a bank employee improperly accessing information and then using that to gain information of a bank customer. That’s an internal cybersecurity issue, which is what the vast majority of cases were at the beginning of my career. Somebody within the company going in and improperly stealing information. Then what you saw was external hackers coming in through a variety of methods. Now, you see a mix of both.

One of the things that we see is the interplay between cybersecurity and the functioning of a corporation. So if a corporation can't properly protect its information, it really affects their bottom line either in their stock price because people don't have faith in the company to protect its information and also, for smaller corporations, there's a big financial hit through a hack.

You're seeing now school districts that have been held hostage to ransomware where criminals encrypt all the files of the school district and demand payment. Insurance, the whole insurance industry, when it comes to cybersecurity, is another area that's growing rapidly.

How we approach cybersecurity and data breaches is really moving at warp speed. It's gone from the beginning of my career where companies were victims of a cyber attack, and again that’s still true, but now it's shifted to, you as a company have an affirmative obligation to protect this information. You can't simply be lax when it comes to cybersecurity. Everybody knows that it's a risk, so you have to acknowledge that risk and take steps to protect the material. I think that's probably the biggest change.

LD: That shift would open the door or bring validity to investor claims.

MC: Absolutely. If companies are out there making affirmative representations about what they're doing to protect the information and how robust the protections are and they are not telling the truth and there is a breach, you have a potential securities fraud claim.

LD: Like the Marriott data breach case?

MC: Exactly. Marriott made representations that they had protected all this information and we alleged they made material false statements about it, specifically in regards to the merger with Starwood. We allege the statements that were made were false because they didn't in fact take the proper steps to make sure that the consumer information was protected. The stock price dropped and now there's both a securities fraud case and a consumer case. We’re seeing that in a lot of instances, those dual cases based on a data breach.

That’s just one example of change. When I was a prosecutor, we used to do presentations for parents on cybersecurity for children. I'm dating myself here, but one of the things we used to say is, "Make sure you keep the family computer in a public area of the house, like the kitchen, or living room. Don't allow a computer in your child's room because, if you have it in a public area, you can observe where they're going. You can look at the websites they're going to and, if they're interacting with anybody, it's right in front of you." Think about how antiquated that advice is now, with the use of tablets and cell phones. So now you say, "Just don't allow them to have any tablets or anything in their room," but we were dealing with desktop computers in people's homes and now you're talking about handheld devices that have more capability and more communicative power than a desktop did ten or fifteen years ago.

LD: You mentioned your time as a prosecutor. Did you enjoy that period of your career?

MC: Oh definitely. As rewarding as the work I do now is, that work was some of the most rewarding work I've ever done in my life. I got to work with some of the smartest lawyers, some of the best people. It was just a wonderful and humbling experience to be able to do that type of work on behalf of my country. It really was.

One thing we took great pride in is that we were able to bring a number of cases to trial and to verdict in the Eastern District of New York. I was on the trial team for Abid Naseer, the al Qaeda member that was a part of a global plot to blow up a shopping mall in Manchester in the United Kingdom. We extradited him to the United States as a part of that global conspiracy. We tried him, and we convicted him.

LD: That’s incredible. Did you find a mentor there?

MC: Seth DuCharme, who’s now the Acing United States Attorney for the Eastern District of New York, was the chief of the counter terrorism unit in the Brooklyn office when I was there. He really took me under his wing and we're very good friends now still. He's really supported me. He was a wonderful chief. He ran such a great unit. He was the consummate professional in getting these cases to trial and really providing support when it came to the counter terrorism initiative.

LD: Between your time at EDNY and in Nassau and now at Labaton, how many trials do you think you’ve handled?

MC: Oh, I've done somewhere around 30 to 35probably.

LD: That’s an impressive amount of courtroom experience.

MC: It’s funny, I've gone back and looked at some of my notes from when I was in the DA's office. I'm like, "Oh, that's right. I did try that case." I've actually forgotten cases. I remember, at one point, I did three trials about three months.

LD: Oh, my gosh.

MC: Yep. It was from September to December. Then, when I was in the US Attorney's Office, I did two trials, back to backPeople were like, "Wait a minute. I thought you just finished a trial." I said, "I did.” They said, "Wow, two in a month." It was about five or six weeks, but yes.

LD: That is so cool. That's the good stuff, right? Do you find you enjoy trial prep as much as the actual trial? Like an actor who prefers rehearsal to performance?

MC: There's nothing like the actual trial. There is litigation, which is the nuts and bolts of the case, discovery, depositions, motion practice. Then it reaches a point where you say, this is really going to trial, and you start preparing in earnest for that. And you’re right, it is like a rehearsal. Going over an opening statement and saying, "I think you should tweak that language," or, "I think you should make that change, it would be far more effective.” There's blocking, where you stand, how you walk, the hand gestures you use, the points you want to make. It's all there.

I also like to analogize it to running a marathon. They say the success in running the marathon is not finishing but rather all the hard work and training you put in in preparing for it. That’s what trial is like. The trial is a reflection of all the hard work that you put in beforehand.

Some of the closest relationships, and I think you'll hear this from almost anybody who works in the US Attorney's Office, some of the closest relationships you have are those with your trial partners. These are individuals that you spend 16-, 18-hour days with, six, seven days a week for weeks on end. I have to say, thankfully, I've always been blessed to have really, really good trial partners and it was really rewarding.

LD: How you first knew you wanted to become a lawyer?

MC: That’s a great question. I went to a college that had an honor system and I was selected to sit on a panel to review a case where the student was accused of cheating. As a part of that, you had the opportunity to ask questions. Asking questions to try to get at the truth just was fascinating to me. That's really what first piqued my interest.

After I was done asking questions there was a professor who was an advisor to the Honor Council. He asked me, "Do you want to be a lawyer?" I said I never had even thought about it. We didn't have any lawyers in the family. My father is a retired New York City firefighter and my two brothers are New York City firefighters I have other brother who is an officer in the Navy. My mom's a nurse.

After college, I went to Washington DC and I worked on Capitol Hill for a committee where I got to work on investigations. Doing those investigations, I got to work with a lot of lawyers. I thought, "This seems like something I would really enjoy." So I applied to law school and came back home.

When I started at law school, people would ask, "What kind of law do you want to practice?" I said, "What do you mean?" They asked, "What kind of law? Do you want to do corporate? Do you want to do ..." I said, "I want to be a lawyer. I want to be in a courtroom. What other law is there?" I was a little naïve. I thought you go to law school to try cases.

Thankfully, I did well in law school, so I went to the DA's office in the county I grew up in. I applied for a job there and was hired. I had the opportunity to move up through the ranks and worked in our homicide bureau. I had the opportunity to try some very serious cases including some murder cases. Then somebody had mentioned the opportunity to work at the US Attorney's Office. I applied and worked there for the better part of six and a half years and then went into private practice.

LD: Are you still as excited about it as you were when you first discovered the profession?

MC: I am. I really am. I get so disheartened when somebody makes the joke, “Oh, you're thinking about becoming a lawyer? Don't go to law school. Biggest mistake I made." I've never felt that way. I've always felt that going to law school, becoming a lawyer, it’s really made me a better person. I've learned to look at things dispassionately and objectively, which oftentimes is really important when you're trying to distill what the facts are. I always tell the younger associates that work at the firm: Facts matter. That’s always been my attitude. The truth matters and, as lawyers, I think we have an obligation to make sure that we are seeking out the truth.That's what we do in the securities litigation practice. When we see that corporations are misleading or lying to investors, we look to hold them accountable for that. Looking at what's going on dispassionately is important because, oftentimes, emotion can cloud judgment and you want to make sure you're making decisions based on the evidence that you discover and fraud that you uncover. The work I do now, it's quite similar, to the work I did as a prosecutor.

LD: You’ve been general counsel at your firm for a couple years now. Has it been interesting getting more into the operational side of things?

MC: I would say it has. My role as general counsel to the firm is that I provide legal advice to the firm on a lot of matters. I am responsible for reviewing and approving the contracts, I review all of the retention agreements we have with clients, I handle personnel issues, that sort of thing.

I also sit in the executive committee meetings as general counsel, and we have a number of initiatives. We have a women's initiative that we started a few years ago. In the past year or so, the firm has done a lot of pro bono work with respect to detained individuals that are seeking asylum in the United States. We've had good success with that in arguing for asylum for individuals that came here, whether they claimed risk of death if they go home or one of the other qualified circumstances to allow them to stay in the United States.

LD: Such important work. What’s involved in the women’s initiative?

MC: We have three female partners at the firm that run the day-to-day of the initiative. We do a speakers series where they invite female leaders in securities litigation or elsewhere in the legal field to come in and speak. We also have individuals in leadership positions not necessarily tied to the law, but in government and other fields entirely. They bring in legal scholars, general counsels, and heads of corporations. They think outside the box and it’s been terrific for the whole firm, everyone is invited to hear them speak.

They had a guest speaker come a couple years ago and it was a woman that had participated in both the Summer and the Winter Olympics. She was a track runner in the Summer Olympics and then she converted over to being a bobsledder in the Winter Olympics and she medaled in both. I was so fascinated by it because, like I said, I've got two daughters. What a wonderful example not only for my daughters, but also for my sons, this woman that took something that was totally out of her wheelhouse and completely excelled at it. I mean, bobsled! She had never even heard of it. It was an incredible thing for me to hear, and to turn around and talk to my kids about.

LD: Do you have a favorite book or movie about the legal system, or TV show?

MC: I do have a few. One I always get a kick out of is “My Cousin Vinny.” I think the reason why I appreciate that movie is, as a state prosecutor, it really talks about skills that you try to teach young prosecutors. There's one scene in particular where Joe Pesci makes an argument to have an expert witness precluded from testifying The judge says something to the effect of, “That was a lucid, intelligent, well thought out argument.Your motion is denied." That's a very realistic thing. There's a difference between paper law and actually practicing it, and it's sometimes unpredictable.

LD: A lot of attorneys love that movie, and its a great flick, but that's the best explanation that I've heard so far of why it’s so great.

MC: You could teach a class on trial skills with some of the things that are involved in that movie. I also really like "A Time to Kill” and “A Few Good Men.”