Alex Pearce Leading NCBA’s Efforts To Tackle Privacy and Data Security Issues

By Russell Rawlings

The Privacy and Data Security Committee, which formed last year, is well on its way to becoming an NCBA Section. On Jan. 17, the NCBA Board of Governors gave a green light to the committee’s plan to form a new NCBA Section. Formal recognition as an NCBA Section is anticipated in July. In support of this effort, and in the interest of providing members with insight regarding the work of this committee, North Carolina Lawyer is pleased to provide the following question-and-answer interview with Alex Pearce, who currently chairs the committee.

Pearce grew up in Santa Fe, New Mexico, and has strong ties to North Carolina, where his father is from. He is a 2001 graduate of Wake Forest University and a 2004 graduate of Stanford Law School. He focuses his practice on privacy and data security law with Wyrick Robbins in Raleigh. He has been certified by the N.C. State Bar Board of Legal Specialization as a Specialist in Privacy and Information Security Law, and as a Privacy Law Specialist by the International Association of Privacy Professionals, which has been accredited by the American Bar Association to certify lawyers in this specialty. He is a member of both specializations’ inaugural classes.

Q: Did you have a background in technology?

A: Not really. I was a political science major at Wake Forest. Then I went off to law school in Silicon Valley. I took a couple of courses that touched on technology and legal issues surrounding the internet. But unlike some of my classmates, I never really saw myself as a tech lawyer. I started my career as a litigator, first in Chicago, where I clerked for a judge in the Northern District of Illinois and spent a couple of years at Winston & Strawn. Then I came back to North Carolina and practiced at Ellis & Winters. Several of the cases I worked on as a litigator involved technology issues, but it wasn’t really a focus of my practice. It wasn’t until I went in-house at SAS that I really developed a deeper interest in the intersection between law and technology.

Q: How did your role in this area evolve at SAS?

A: I started out at SAS doing customer-facing transactional work, negotiating software license agreements, cloud services agreements, and IT consulting agreements, and the like.

In the course of doing that work, and because of the nature of what SAS does, I often had occasion to negotiate privacy and data security issues. I worked closely with the company’s then-privacy counsel, Brian Klemm, who is now with Red Hat. Brian was a great mentor and teacher. I consider him one of the deans of the privacy and data security bar here in North Carolina. I got to work with Brian on privacy and data security issues and thought it was a really interesting field.

When Brian moved on, I had the opportunity to move into that privacy counsel role. That gave me a chance to learn about the broad landscape of privacy and data security law. SAS is a world-wide company doing really interesting and innovative work, and as a result their legal team handles cutting-edge legal issues all over the world, including in the areas of privacy and data security, with customers in a broad range of industries.

Q: Did your work at SAS leave you fully indoctrinated in the field of privacy and data security law?

A: As much as one can be. One of the things I learned very quickly is that this is a very dynamic and constantly changing field. There’s not a lot in the way of settled law and, because it deals so closely with the world of technology, which is advancing and changing all the time, the law sometimes struggles to keep up. That’s one of the things that makes it exciting. I love working through the novel and interesting — not to mention tricky — issues that it presents.

Playing Catch Up

Q: Do you think firms and lawyers are aware of these issues?

A: I think there is a wide spectrum of knowledge and awareness of these issues. I think, as you might hope, many firms are on top of these issues and devote the necessary resources to protect them-selves. Some small firms and solo practitioners may be behind the curve, but that’s one of the things our committee is trying to help with — to point them to resources to that can to help get them up to speed. One of our committee members, Patrick Brown with Lawyers Mutual, is doing a great job in leading that effort.

Q: What about the international aspects of this issue?

A: That is increasingly a significant part of the practice in this area. In many ways, the law concerning privacy and data security here in the United States isn’t particularly well developed. There are some notable exceptions, but historically there hasn’t been a lot of legislation or regulatory activity in the area. But that is not true in other parts of the world.

Europe, for instance, has had comprehensive privacy laws since the mid ’90s. Any company that does business internationally, especially in Europe, has had to confront these issues since then. And a couple of years ago Europe adopted an update to its privacy laws called the General Data Protection Regulation, which was recently really a big focus for many United States companies, even those that don’t have a presence in Europe. That law has in turn caused countries in other parts of the world to become interested in passing their own similar laws.

So even for lawyers who represent clients who don’t have an international presence, the nature of global commerce means that those clients often do business in ways that touch other countries, and that necessarily requires some understanding of when and how these laws apply.

Q: What will it take for the U.S. to catch up?

A: Some of the big data breaches we have been hearing about lately, such Marriott recently, and before that Equifax, and scandals involving the data use practices of some Silicon Valley companies, have generated interest in a national privacy law in ways we haven’t seen before. I think a lot of folks see this as a potential tipping point.

Q: What about at the state level?

A: One of the things that’s been interesting to see is that in the absence of a comprehensive federal privacy law, state attorneys general have stepped into the void to become really active in enforcement in the privacy and data security area. Our own Attorney General Josh Stein is an example of that. His office has been fairly active in bringing or joining enforcement actions and even in proposing legislation in this area. And he’s joined by a number of other state attorneys general who’ve taken a particular interest in the field.

Q: Do you envision the Privacy & Data Security Section crafting legislative proposals in the future?

A: I don’t know if we would be a source of legislative proposals. But I imagine we’ll be looking closely at any proposals that may come through. Our members have a lot of great real world experience and can speak to the consequences — intended or not — that proposed legislation might have on businesses and individuals, which may be helpful for lawmakers to consider.

Q: Have you been involved with the committee since its inception?

A: Yes. The committee was formed in 2017 and Elizabeth Spainhour was the founding chair. I don’t know that anyone expected the amount of interest it got. But thanks to Elizabeth’s leadership it grew very quickly to include a large group of folks with a wide spectrum of experience and interests.

We’ve got members who may not necessarily have a lot of experience in this area but who have developed an interest in it, and members who have been doing this work for years. It has been great to bring those folks together to talk and share experiences and advice. Again, this is a field that is constantly developing, so it can be comforting and empowering to be able to share ideas with others who are dealing with the same issues.

Q: In that regard, has this committee also worked closely with the State Bar?

A: I’d say we have. One of the reasons the committee was created was to support the State Bar’s creation of the Privacy and Information Security Law specialty. I would note that ours is the first state bar in the country to certify specialists in this area of the law, and it is great to be on the forefront there. I think our committee was created partly as a consequence of the State Bar’s recognition that this is an important area that deserved some focused attention. Some of the members of our committee — like Karin McGinnis — also serve on the State Bar’s specialization committee. And several of the members of our committee have been certified as specialists in the first class of specialists in this area.

Gaining Ground

Q: What about national developments in this area?

A: Just before the State Bar began recognizing specialists in our state, the American Bar Association worked with another organization, the International Association of Privacy Professionals, to grant recognition of privacy and data security law as a recognized ABA specialty. Those specialty certifications are granted by the IAPP, and I and others here in North Carolina were recognized as specialists under that program. Matt Cordell, who chaired the State Bar’s specialization committee, was one of the lawyers who has done both. We all owe a lot to Matt and the other specialization committee members who made the State Bar specialization in this field a reality.

Q: Are you optimistic that your committee will become an NCBA Section?

A: Given the strong interest we have had in the committee, I would hope so. One of the benefits of becoming a section is that it would allow us to open up membership to anybody in the NCBA who has an interest in this area, and others have assured me that we will easily be able to meet and surpass the 100-member target to become a Section. Our membership committee is doing great work on that. Steve Snyder and Tara Cho, among others, have been leading that effort, and it looks like we’re well on our way to meeting that target early next year. The sign-up is live on the NCBA’s website, so I’d encourage folks who are interested in joining to go and register now.

Q: What has been the geographic make-up of your commit-tee?

A: Many of our members come from the Triangle and Charlotte. Some folks are from the Triad as well, and I believe we’ve got a few from the coast. I do think we are fortunately drawing from a lot of different parts of the state, but hopefully that will be one of the other benefits of becoming a section: expanding our geographic reach.

Q: What types of threats has your committee been addressing?

A: We talk a fair amount about our own practices, which for many of us involve helping clients identify and respond to cybersecurity threats. Phishing and business email compromise scams are common examples. These are issues that lots of companies face that lawyers can help clients prepare for and protect against, and also help respond to after an incident has happened.

One of the other things we’ve talked about is that law firms and lawyers are just like any other business in this regard. In some ways we’re placed in a unique position because of our ethical responsibilities to clients to protect their information, so these threats pose special considerations for lawyers. We’ve seen fairly recently, for instance, the ABA release a formal ethics opinion on lawyers’ responsibilities after a data breach that impacts client data, so this is an area where there is a lot of activity where our committee can be especially helpful given the knowledge and experience that folks have.

So that is another thing that our committee is focused on — serving as a resource to help lawyers understand what the threats are and how they can protect against them, and what their responsibilities are when something happens.

Q: What would you say is the most common threat?

A: For most folks on a day-to-day basis email threats — like phishing — seem to be the most common and pernicious threat. Criminals are especially skilled at using these attacks to trick even folks who might otherwise be pretty security conscious. That’s often a message I give to clients and that firms should be giving to their lawyers. A lot of the data breaches I see start when someone un-wittingly clicks on a link in an email or opens an attachment that they should not open.

There’s certainly other ways for attackers to get in but this seems to be one of the most common and again the most dangerous because what you’re relying on at that point is not your cybersecurity professionals or your investment in technology. You’re relying on the vigilance of an employee who is just trying to do their job. Fortunately, I think a lot of companies have recognized this and are devoting their efforts to raising aware-ness among employees to equip them to recognize and avoid these email attacks.

Q: Would it help if we had stricter laws in this area?

A: I don’t know that it’s an issue of our laws not being strict enough. Certainly, there is a criticism that our existing laws and regulations don’t sufficiently incentivize companies to invest in this area.
Regardless of one’s view on that issue, I personally think it’s important for legislation to strike an appropriate balance, making sure consumers are protected without imposing unreasonable burdens on organizations or stifling innovation by disadvantaging companies that may not have the resources to conform to a single standard that’s designed to apply to larger, well-established companies.

Charting a Course

Q: What should be our expectations, in terms of privacy, moving forward?

A: In terms of the law, I expect we’ll continue to see calls for stronger and more comprehensive legislation to require organizations to protect individuals’ information and give individuals more control over their data.

With big stories in the media, like the Cambridge Analytica situation with Facebook, and the Marriott and the Equifax breach-es, people are becoming very concerned about how their information is being used and secured.

It’s a topic that Europe has been interested in for a long time, but I think it’s only relatively recently in the last five or so years that it has become prominent in the United States. Folks are starting to understand some of the consequences that come along with the widespread collection and use of data through services that many of us use all of the time. We’re far enough down the road that it may not be realistic to think that people are not going to use these services, but I could see some development of the law to rein in some of the problems—real or perceived—that come along with them.

A great example of that is a law that was passed out in California just this year, which is the strictest data privacy law in the country. It gives California consumers a right to know what data businesses are collecting about them and with whom it’s being shared. It even gives a qualified right to request that that data be deleted. That law is, I think, that is a direct response to other situations where consumers found out after the fact that their data was being used and shared in ways they didn’t expect and were surprised and upset about that. I think the passage of the California law reflects that concern, and it wouldn’t surprise me if California’s law doesn’t lead to laws in other states or a national law that covers that same ground.

Q: Closing thoughts?

A: This is a really exciting time to be in this practice area. I feel really fortunate to be a part of the Privacy and Data Security Committee and to have the opportunity to collaborate and share best practices with our fantastic members. And I’d encourage anybody who’s interested in this field to join us by signing up for the section