Jason Pill, Employment Defense and Cybersecurity Attorney, Phelps Dunbar
What are your roles and responsibilities in your organization?
My daily practice encompasses both employment law and cybersecurity law. My primary responsibilities involve assisting employers with various workplace issues, such as harassment, discrimination, and other potential disputes. Additionally, I work with companies to protect their digital assets, corporate information, and trade secrets through several methods, including restrictive covenant agreements and implementing technology-based safeguards.
A significant aspect of my work also includes handling data breach cases, where I collaborate with clients who have experienced data incidents involving former employees or third-party hackers. Alongside my employment practice, I am actively involved in defending companies affected by breaches and litigating class action lawsuits filed against those who have fallen victim to data breaches in both state and federal courts.
What are some of the major challenges currently impacting the cybersecurity industry?
The primary challenges we encounter in the cybersecurity field are mainly related to compliance, as there is a constantly evolving set of laws at both state and federal levels regulating data protection standards, notice requirements, and various other protocols. Naturally, compliance has become a critical concern for companies to ensure adherence to these laws and regulations.
In addition, clients are also concerned about protecting their data from potential breaches. They want to take appropriate measures to prevent such incidents, and if a breach does occur, they aim to be in the best position to defend themselves against what seems to be an inevitable class action lawsuit these days.
The main areas of our work with clients revolve around compliance and defending companies against class action claims resulting from data breaches.
Could you share some of the trends that you notice today in the cybersecurity space?
We are witnessing an increased focus on compliance, with more efforts at the state and federal levels to enact additional legislation and obligations on companies regarding how they store, maintain, collect, process, and delete data, particularly individuals’ personal data. This includes personally identifiable information and protected health information in the case of HIPAA and covered entities. As a result, we see a heightened regulatory effort, both in terms of enacting new laws and increasing enforcement from state and federal agencies, such as state attorneys general offices and various federal agencies with enforcement authority over relevant statutes and restrictions.
In the private sector, we observe a rise in litigation, often in the form of class action lawsuits filed by individuals whose information was compromised or allegedly compromised during a data breach. These individuals seek damages, and this type of litigation has significantly evolved over the last 10 to 20 years as courts try to apply traditional legal principles to data breach cases. Courts are determining how these new theories of harm fit into pre-existing notions of duty under negligence or contract claims.
The main areas of evolution we expect to see in the coming years include increased regulatory involvement with new laws and statutes, heightened regulatory enforcement from state and federal agencies, and an upsurge in data breach litigation
One of the key developments in this area is the growing clarity around legal standing, as more courts issue opinions on this topic. However, this remains a fluid issue, and jurisdictional differences persist depending on where the case was filed. Another emerging challenge is causation, where plaintiffs must demonstrate that their specific harm was caused by the data breach in question. With the increasing frequency of data breaches, it becomes more difficult to trace any alleged harm to a specific breach.
The main areas of evolution we expect to see in the coming years include increased regulatory involvement with new laws and statutes, heightened regulatory enforcement from state and federal agencies, and an upsurge in data breach litigation. We anticipate more lawsuits being filed with larger class sizes, and the development of jurisprudence as more cases are ruled upon. This will hopefully better define the contours of such lawsuits and establish what is sufficient for a plaintiff to bring a lawsuit and ultimately seek damages.
What advice would you like to give to your peers and those aspiring to enter the digital cybersecurity space?
For companies navigating the rapidly evolving cybersecurity landscape, it is essential to consider both internal and external resources. They need to implement cybersecurity measures, including proper alerts for abnormal activity or misconduct, and establish protocols for responding to cyberattacks or incidents. Companies should be prepared to work with external forensic or technological vendors to assess their systems and collaborate with legal counsel to understand the legal requirements imposed on them. Embracing a team mentality and a holistic approach to cybersecurity measures and protections is crucial for providing the best support and security.
For individuals interested in working in the legal fields of cybersecurity and data privacy, they need to familiarize themselves with relevant statutes and understand the scope of their practice. It is essential to have a comprehensive understanding of state and federal regulations and their potential inconsistencies. Gaining litigation experience, particularly with class actions, is vital for those looking to work in the data breach litigation space. Familiarity with federal and state class action frameworks and the unique challenges of data breach cases, such as Article IIIstanding issues and questions of causation and damages, will better prepare individuals to defend companies that have experienced cyber incidents or attacks.