R&G Tech Studio Presents: Data, Privacy & Cybersecurity Co-Leader Ed McNicholas

December 13, 2022
15:23 minutes

In this episode of the R&G Tech Studio, data, privacy & cybersecurity co-lead Ed McNicholas sits down with technology, media & telecommunications co-lead Ed Black to discuss how his time as a litigator on the investigations team in the Clinton White House led him to a career in data privacy, and shares his insights on how the value of data continues to increase as technologies evolve.


Ed Black: This is Ed Black—I’m a partner at Ropes & Gray. I want to welcome everybody to the latest edition of our R&G Tech Studio podcast. In this edition, I have the distinct pleasure of talking to my friend and my partner, Ed McNicholas, the global lead of our data privacy & data security practice at Ropes & Gray. Ed, it is such a pleasure to have you. I do have some questions for you that are about your practice and about the work that I know you do, helping clients with their data and data issues, but before we get there, 10 seconds about who you are.

Ed McNicholas: I live in Alexandria with my wife, three kids and four dogs, and I spend as much time there as I can. My wife would tell you that my main office is the United lounge. It’s very much a global practice. My primary office is out of Washington, D.C. on Pennsylvania Avenue, but it is very much a practice that gets me on the road, meeting new people and solving problems across the globe.

Ed Black: Wow—four dogs. We’re going to come back to the four dogs—put a pin in that, we’re coming back to that. I know that you're focused on data, but let me ask an open-ended question. When you think about what it means to have a practice focused on data, and you go back 10-15 years, then candidly the so-called data practice was mainly about protecting credit card numbers. You scroll forward 10-15 years to the present, it seems like data’s everywhere, doing everything. But am I wrong about that? How do you see the relevance of the data practice in Ropes & Gray and to our business clients?

Ed McNicholas: I trained as a litigator—worked actually in the Clinton White House on the investigations team back in the days of Ken Starr and Monica Lewinsky. And largely because of that, I had an active security clearance when AT&T was accused of sharing data with the NSA. I got into that case, representing AT&T in the NSA wiretapping cases, into the technology piece of this through the national security side of it, through governmental surveillance and some of the international issues that arose from that with the Europeans having concerns about the U.S. intelligence community and having a series of issues with international data transfers. So, I came to it mainly from that national security surveillance piece. And interestingly, a lot of that technology has evolved into commercial usage over time—things that were once highly classified are now commonplace and deployed across corporate America, and so I followed that along. And, yes, the cybersecurity piece of credit card hacks is there, and that has evolved into supply chain attacks, wire fraud diversions, and that sort of thing over the years.

Ed Black: What about data in business transactions and data as almost a political football? Are these features of your practice? Are these things that you see your clients engaged with?

Ed McNicholas: Absolutely. The transnational aspects of data have been the core to the practice, and it keeps pushing against geographically bounded conceptions of privacy and security. We have a decentralized model in the U.S. in which we have focus on various different sectors, specific laws. The Europeans have an omnibus law. That model has spread across most of the globe, except now for China, which is serving data sovereignty in the notion that the nation state should control the data within its boundaries, which is a very interesting approach that challenges this. So, when working on transnational data issues, we go across these different legal systems, and it creates a very interesting and dynamic set of challenges.

Ed Black: Are there any examples of things that have crossed your desk? How does what you help people with fit into this global political battle for how data is regulated, owned, and controlled?

Ed McNicholas: Let me give you two examples. One is a pretty straightforward example. We represented the endowment of an Ivy League school, and they had a significant asset in New Zealand that they sold. There was an intrusion into the email system, and the proceeds of the sale wound up being wired to Australia, Hong Kong, and Singapore, as opposed to the Northeast U.S. And so, we have been working with the school, the FBI, and police in Australia, New Zealand, Hong Kong, and Singapore to get the proceeds back. We’ve recovered a fair amount of that money, but we see this kind of transnational cyber crime very much as a part of what I do on a day-to-day basis, trying to help clients solve that issue.

To take another example, we had to represent in litigation (this is very public) the CEO of SolarWinds, which was a company that makes software that helps enumerate devices across a network. They were hit by what has been attributed by the U.S. government to a Russian nation-state attack in which they injected code into the software, and then, the Russians tried to use this code to further infiltrate other companies. The notion of that kind of very patient attack in which a nation-state would come after a company, and then work very quietly to get into the middle of their software, and then use that to go to other companies is something that is quite novel. And we are working out, through several different pieces of litigation that are pending, what the implications are, but we handled congressional hearings, securities actions, shareholder derivative actions, and other investigations involving that.

Ed Black: What about the commercial side of data? One of the things I see on the news is how big data is taking over Wall Street, taking over advertising and marketing, taking over all sorts of commercial activity. Is that something that your practice addresses? Of course, it seems like it’s a lot less cloak and dagger, but does your practice move in those other areas, as well?

Ed McNicholas: Yes—certainly, the value of data is becoming more obvious and opening up many different business models. Interestingly, the machine data is becoming as important as personal data, but personal data is where we’re seeing a lot more awareness arise as to its impact. People are becoming very concerned—we’re seeing a parade of new privacy laws across the globe really. And what we try to do is we try to go to clients and make sure that they see the value of leaning into data governance. Now, it might be that at the first level, they would say, “Privacy and security are business inhibitors. At most, they are a checkbox that we have to check off. We have to put up a privacy policy in order to do what we really want to do.” And what we try to do is position privacy and security as business enablers, because if you can establish trust with consumers and with your investors through a robust data-governance regime, this will actually allow people to feel more confident in sharing more data.

One of the things that we’ve realized over time is that privacy law actually allows people to share more information. It’s kind of like why they put brakes on cars. They put brakes on cars so that people would feel comfortable going faster because then, they can slow down. The same way, people will share more data if they feel that they can pull it back or they can limit its use. And so what we’re seeing are people looking at the whole ESG revolution, this whole governance revolution and saying, “This is not some annoying compliance issue—this is actually a market opportunity.” We help our clients create trust with their shareholders, with consumers and other stakeholders, and that trust enables data sharing, enables more data use, and enables use that creates more value throughout the training.

Ed Black: Can you give us an example? Is there some specific client, some specific problem that’s crossed you desk recently that really is in this area of establishing the right kind of data governance, the right kind of data management maybe to establish trust?

Ed McNicholas: Let me just give a generic example because a lot of that work is in the nature of client counseling. Let’s say there’s a dashboard, and it says, “Ed McNicholas is interested in cats, sailing, and lawn care.” I am interested in sailing. Not so interested in lawn care—but I have to be somewhat interested, I guess. And I hate cats because I’m a dog guy. But what we see people do is they will uncheck “cat,” and then check “dog.” They will actually share more information—they will correct the information because they want things that are more relevant. People find value through information that’s more targeted to them. And when you give them visibility, they don’t say, “Oh, my goodness. How do you know that I’m interested in sailing?” They say, “I am interested in sailing. Yes, I would like some tips on sailing. But don’t tell me about cat food—tell me about dog food.”

Ed Black: You’ve mentioned some of the cybersecurity issues that you’ve handled, and I know of course you’re the lead author of a leading treatise on cybersecurity. When you think about what crosses your desk on a day-to-day basis, how does cybersecurity play into the specific matters you handle?

Ed McNicholas: As the value of data has increased, people have become more attuned to protecting it because there’s more tax on it. Ransomware was at one point, five years ago, a minor annoyance—now, it’s a real threat. We’ve seen people need to be able to respond in an almost instantaneous way to the cybersecurity events. And so we practice with clients through tabletop exercises and through making sure that boards of directors are fluent—they can understand these issues in advance. Then, we help them through actually incidents, where we have questions of not just sending out notices, but securities issues and primarily reputation issues, and how to mitigate harm in the middle of a breach. And then, we’ll work with them through the whole panoply of things that can happen after a breach from securities lawsuits, consumer class actions, regulatory investigations, and the like. In fact, we just saw today probably the first time, a criminal conviction of Uber’s former security officer coming out of the data breach. And hopefully, that remains a rarity, that we have a data breach resulting in criminal liability, but there is surely something to learn there about the pressure that people feel within companies and the need to make sure that they have a strong governance so that there are guide rails to make sure people stay on the right course in the middle of a stressful data breach.

Ed Black: Interesting. Let me shift gears—one of the things we want to do with this podcast is make sure that people get a feel for who you are as a person, as well. So, let me ask some questions. I’m going to concede, silly questions, but they’re bit of a lightning round—quick question, quick answer. So, four dogs—what breed are your dogs?

Ed McNicholas: Four different breeds. And one of them, I'll just call her an American Rescue Dog—she’s got so many different breeds it’s not even funny.

Ed Black: Lovely. Changing gears a little bit—it’s the last question I ask everybody: In a peanut butter and jelly sandwich, which is more important, the peanut butter or the jelly?

Ed McNicholas: That is such a profound question that I think it merits a profound answer. I think that to subtract either the peanut butter or the jelly makes it not a peanut butter and jelly sandwich, so I think it’s the mystical combination of them.

Ed Black: So, the peanut butter is the yin, the jelly is the yang, and we need them both to maintain universal systemic balance. Is that your answer?

Ed McNicholas: Indeed—yes.

Ed Black: You’re the first person who the personality test has revealed as a Zen monk through the peanut butter and jelly sandwich question. It’s been a pleasure having you. Ed McNicholas, thank you for joining. I want to thank our audience for listening in. The R&G Tech Studio podcast is available through the R&G Tech Studio website and also wherever you find your podcasts. Ed, thank you very much.

Subscribe to R&G Tech Studio Podcast