The Myriad Career Paths to Cyber Law

There are a lot of paths to a legal career that focuses on cyber security and privacy. Classes on these topics are popular at law schools because they’re cutting edge—and because students believe they’ll lead to jobs. I learned this when I observed a class at Columbia University, and interviewed teachers of cyber security and privacy, who paved their own paths to find jobs in cyber law.

Some lawyers who landed in this field were fascinated by computers from an early age. Their interest in law was partly a way to pursue their interest in tech. Others worked in tech first, then transitioned into law to create a niche that combined the two.

Not all careers are carefully scripted. Some attorneys find themselves tramping on this trail without being fully aware they are on it—until they arrive. That’s more or less what happened to Ryan White.

Litigation was the big draw in his career. It began in law school, White said. He took a course at the UCLA School of Law from a longtime assistant U.S. attorney. And he externed for a district court judge after his first year. A trial he observed that summer happened to be one of the first prosecutions of an individual for selling bootlegs he recorded in movie theaters. White was impressed by the power prosecutors wield, and the responsibility they bear to ensure that the process is fair.

The seed had been planted. In 2011, following two years as an associate at Latham & Watkins, White applied for a job at the U.S. Attorney’s Office for the Central District of California. It was the way to grow as a trial lawyer.

“Your cases are your cases,” he said. To be able to investigate allegations, bring them to a grand jury, try them, and defend the results on appeal—all made the job “just an awesome career development platform.” And getting to do all that while pursuing the mission of protecting the public was almost the perfect job, he added. “The only countervailing consideration was you take a huge pay cut going from a firm to a government job.”

This past July, after nearly a decade as an assistant U.S. attorney, White decided it was time to leave. He accepted an offer to become a partner and chair of the cyber security and data privacy department at litigation boutique Halpern May Ybarra Gelberg.

It was easy to understand why he left. “I had accomplished everything that I wanted to accomplish,” he explained. He had tried lots of cases, defended plenty of appeals and managed teams of lawyers. Three people who had preceded him had moved up into administration. But White wanted to manage people and still try cases. He would have had to drop the trials if he’d moved up, so he left to be able to continue to do both.

Cyber Is Everywhere

When I asked how he came to be a cyber security lawyer in the first place, that was harder to explain. It wasn’t something that felt preordained. When he was growing up he liked computers, but he wasn’t gaga about them. There wasn’t that special cyber security course in law school.

Looking back he sees the pattern, but at the time it felt like he was moving from event to event. He perceived opportunities at the U.S. Attorney’s Office and seized them. It wasn’t a lot more complicated than that. But it demonstrated something significant about the legal world. Cyber has become part of virtually all criminal investigations.

He got pulled into a computer law case early during his tenure in the office. He’d learned a few things during his summer externship. Later, when he’d clerked for Judge Kim Wardlaw of the U.S. Court of Appeals for the Ninth Circuit, he’d worked on an important Stored Communications Act case. As an AUSA, he volunteered to counter, in written and oral arguments, an appeal before the Ninth Circuit of a cyber stalking conviction. He won and the opinion was published. He was on his way.

He tried to use his cyber expertise whenever he could. “I wasn’t the first to do it,” he said, “but I pushed it hard.” And because cyber came up all the time—it could be as simple as a drug case in which defendants used a VPN to try to conceal their communications—he was able to partner with prosecutors working in different areas.

Five years in, he broadened his focus in order to gain experience as a manager. He was made deputy chief in the general crimes section, where he managed 20-25 rookie prosecutors who handled all kinds of cases. A year later, in 2017, he was brought back to cyber as deputy chief of the cyber and intellectual property crimes section. After another year he was chief.

Finding the Right Firm

When he began thinking about his next move, he liked the idea of taking what he’d learned and expanding into civil as well as criminal work. But he wanted to find the right fit.

The initial attraction of Halpern May was that White had worked with name partners Grant Gelberg and Aaron May at the U.S. Attorney’s Office. He’d enjoyed their time together, and the boutique that the partners had built seemed like a good place to land. Then White learned that the firm had just merged with litigators from the shop where White had begun his career—Latham & Watkins. It seemed like kismet.

At a boutique of 17 lawyers, White understands that “everybody can do everything.” But as chair of the newly appointed cyber security and data privacy department, he will work with three of his new colleagues who have experience and a special interest in this area. Still, there’s a lot he’s only starting to work out.

Can you develop a practice solely in cyber security and privacy? Or does it need to be broader? These are some of the questions he’s grappling with. There’s plenty to keep companies, and their lawyers, busy in these areas. He ticked off a list.

Covid has forced companies to close their offices. Employees working remotely can pose a real vulnerability, White said. Data can be stolen from home networks, or intercepted when an employee working from an insecure home network connects to the corporate network.

Privacy laws are growing more complicated all the time, White continued. The Privacy Shield was just invalidated. The California Consumer Privacy Act’s enforcement regulations just went into effect. And if Proposition 24 is adopted in the November election, California will have a new privacy law to add to the list.

Business email compromise continues to be a major concern for many companies. A business can have a great cyber security program in place, but a single employee clicking on a link can blow through all that. And it’s hard to defend against.

One reason, White explained, is the commodification of malware. Once upon a time cyber attacks required sophisticated criminals backed by nation states and real skill. But now they require neither. Ransomware is easy to buy and deploy. And the bad guys can work internationally with people they never even meet.

White sees a lot of opportunities to help companies face these issues. He can assist them in building relationships with law enforcement and regulators because he worked in that world himself, he said. And he can guide their work with cyber security vendors while protecting confidentiality under the attorney-client privilege.

One of his greatest strengths, White added as we wound up our talk, is that he knows how to connect with people. Once he realized that cyber was everywhere, he used it to collaborate with colleagues at the U.S. Attorney’s Office to pursue cases. That same skill will serve him well, he said, in his work with clients. And as he builds his legal team.

“I love working with people,” he said. And he’s not talking about schmoozing and networking for business. “I love hearing their stories and helping them. It’s part of my DNA.”

That wouldn’t have changed if he’d gone into M&A. But it just so happened that cyber security provided a welcome platform.