Q&A with Two Privacy, Cybersecurity and Data Innovation Partners at Gibson Dunn was originally published on Firsthand.
1. Tell us a bit about yourself and your professional journey.
Stephenie Gosnell Handler: My professional journey is a great reminder that there is no one path to follow! I attended the U.S. Naval Academy, studied national security in graduate school, and served as an active duty U.S. Marine Corps logistics officer for seven years prior to attending law school. I joined Gibson Dunn immediately after law school in 2011, and initially focused on corporate matters. I had developed a research interest in cybersecurity during law school, and I was intrigued to see cybersecurity issues start to emerge in the corporate context. I also started to focus on international trade matters, particularly foreign direct investment reviews by the Committee on Foreign Investment in the United States (CFIUS), which provided an opportunity to apply my national security background. I left Gibson as a mid-level associate, and spent several years at another international law firm, focusing on cybersecurity and international trade matters. I then moved in-house for several years at McKinsey, first to the legal team and then to the internal cybersecurity group (as a non-lawyer), where I led a phenomenal team focused on cybersecurity strategy and digital acceleration. I returned to Gibson last summer, and am thrilled how my journey has come full circle. At each step, I’ve been guided by my desire to make an impact in a way that is authentic to my values.
Cassandra Gaedt-Sheckter: I grew up in Palm Desert, California, went to public schools, including undergrad at UCLA, and graduated with a degree in biological anthropology. I now live in San Jose, with my twin six-year-old boys, and my husband, who is faculty at Stanford and Director of the burn unit at Santa Clara County Valley Medical Center. As far as my legal career, I graduated UCLA law school in 2011 and went straight to Gibson Dunn’s Palo Alto office, where I am now a Partner. I had a technical degree under my belt, so I took the patent bar and thought I would be doing patent litigation the rest of my life. I did it for about five years, and then privacy started becoming a discussion point with my tech clients—and my family in Germany. I took an interest in the area, started doing pro bono work in the area, and then had a semi-secondment at a large tech company, where I focused on these issues. When the CCPA was first introduced, I decided to become a de facto expert on California privacy law. California was at the forefront of privacy, and I wanted to be there.
2. What does it mean to practice in the Privacy, Cybersecurity and Data Innovation industry? What kinds of companies are your clients?
Stephenie: Privacy, cybersecurity, and data are rapidly evolving practice areas, and each practitioner takes a slightly different view on their practice. I focus mostly on cybersecurity, data, and technology matters as these have strong overlays with my international trade practice. Each of these areas could be a full-time practice, and I think one of the core challenges in this area is to develop a cohesive practice that is additive and not dilutive, especially given the rapidly evolving regulatory and technology landscape. Our clients span the range of industries and vary from start-ups to well-established global leaders. I enjoy the diversity, as it gives me useful perspective from which to analyze different regulatory requirements and best practices, although I have recently been focusing quite a bit on global tech companies, financial services, and critical infrastructure.
Cassandra: It is different for many of us in this group. Two things special about Gibson Dunn, among many things, are our true expertise in all areas of the subject matter, and the free market system, which allows us to specialize—or not—in whatever we want. Our expertise spans across product counseling, litigation, transactional work, compliance, regulatory enforcement, and anything that touches this subject matter—all under the same umbrella. I’m often asked percentages of my practice, and I generally find it to be about 60% product and compliance counseling, 30% regulatory investigation and Order implementation, and 10% transactional. I work with associates who enjoy focusing on one or all of these areas. As far as the kinds of companies that are my clients, I work with clients across industries. I focus largely on global tech companies (from hardware products to video communications), and fashion retail brands. I enjoy the dichotomy of the two, and the unique yet common issues they face.
3. Why were you drawn to the Privacy, Cybersecurity and Data Innovation group at Gibson Dunn?
Stephenie: Because of the people and the practice. I’ve found Gibson overall to be full of brilliant, collegial, and collaborative colleagues, and that’s certainly the case with the PCDI group. We’ve recently brought in a number of experts with in-house experience, which is a great complement to our colleagues with government experiences and those who have spent their careers at law firms. I think the combination of backgrounds allows for dynamic, multi-dimensional counseling that is a differentiator for our clients. I also think that Gibson’s free market system inherently fosters an interdisciplinary approach that makes a lot of sense to me as the lines between practice areas seem to be increasingly blurring around the edges, and it’s important to be able to work closely with colleagues in related practice groups. For instance, I collaborate closely with our corporate governance and securities regulatory group as I advise clients on cybersecurity governance.
Cassandra: Part of it was the combination of the dynamics that I describe above: the ability to focus on the areas I want, do a variety of interesting work within the field, and become an expert where I find an interest and opportunity. The free market system also lends itself towards finding this passion, and I found it even as a mid-level. I think that is truly unique. Also, now that I’ve been at the firm for over 11 years, I can really say that the firm and its interest and focus in this area is burgeoning, and we have—and continue to attract—some of the best talent in the field. It is an exciting time to be a part of this practice area.
4. What are the most interesting trends you are seeing in this area? What do you anticipate for 2023 and beyond?
Stephenie: The increase in regulation is one of the trends with the broadest impact—there’s been huge movement globally and also at the state level in the U.S. on these diverse issues. While we’ve seen a number of bills not quite make it into law this past year, I think there’s a lot of momentum for progress in 2023. Regulators also seem likely to continue their existing trend of high levels of enforcement activity. Further, I anticipate that the increasingly complex geopolitical environment will continue to reverberate across the legal and regulatory landscape in important ways. The 2022 National Security Strategy laid out a modern industrial strategy that prioritizes U.S. technology leadership, and we saw Congress pass legislation in 2022 that will have significant impact on data and technology industries and their global supply chains. The incredible leaps in AI this year also bring new capabilities and new challenges on a variety of fronts.
Cassandra: The increase in state regulation and enforcement is fascinating and changing rapidly. Our clients are faced with regulations that are taking effect, but not finalized, that are differing across states, and that vary across global jurisdictions. But the general focus and trend towards implementation is unlikely to stop, and we may very well see additional states come on board, and a potential for federal legislation (a bill put forth this year garnered more steam than any prior bill). We’re also seeing waves of litigation and enforcement in key subject areas, such as sensitive information, including data from minors, and collection of data online, including relating to transparency, and a continuously evolving nature of the online advertising business. In 2023, we also get to see the first-of-its-kind, dedicated privacy enforcement agency, the California Privacy Protection Agency, which will bring a host of new considerations and enforcement priorities.
5. What advice do you have to law students or junior associates who have an interest in Privacy, Cybersecurity and Data Innovation?
Stephenie: Jump in! This is an exciting time to be part of this practice. There’s a really unique opportunity to contribute to the field and develop expertise in a way that resonates with your own interests. While I don’t think that there’s any specific path that will lead to success, I’ve found certain skillsets to be common amongst many successful practitioners: (1) a practical, problem-solving mindset, (2) comfort operating with ambiguity (as many of these areas are undeveloped or underdeveloped areas of the law), (3) the ability to understand technology at a basic level (you don’t need to code, but you do need to be able to have basic conversations with technologists in order to provide the right legal advice), and (4) a growth mindset – this is a rapidly evolving field and you need to commit to staying current with the latest technological breakthroughs and legal developments. Finally, find the right team that will support, mentor, and provide the right opportunities as you develop your expertise.
Cassandra: When I was in law school, privacy classes were not a thing. I do not think there is any silver bullet path to get here, and would not stress about defining that precisely. Some important features to pursuing a career in this area include: (1) passion, (2) facility with technology, when needed, (3) finding a firm that is first class in this area and does not focus just in one aspect, and (4) working at a reputable firm that gets the best matters, often of first impression. If there are classes in school that can help solidify an interest in this area (or do the opposite!), that can certainly help too. Most importantly, stick with it, and yet, be flexible!