The demand for privacy and data protection legal counsel has grown along with the complexity of the global regulatory scene. Worldwide, we have seen enterprises increase in-house privacy staff at a rate of as much as 33 percent year over year (see “IAPP-EY Annual Governance Report, 2015”), and increasingly provide privacy training to non-privacy personnel. Nonetheless, companies still need expertise and representation from outside counsel at certain times for certain
When do they engage these outside attorneys, and for what kinds of privacy tasks? How much do they pay for these tasks? Are they satisfied with the results? When might they prefer a consultant instead?
To explore these questions and more, in January 2016 the IAPP and Bloomberg Law conducted a survey of 353 privacy professionals and identified 181 in-house privacy professionals who self-identified as currently employing outside counsel, shopping for external counsel, or having employed outside counsel in the last year. This revealed a number of interesting findings.
We found that a significant percentage of corporate respondents — 76 percent — are currently using outside counsel for privacy and data security matters, with nearly two-thirds employing them as needed (63 percent), and an additional 13 percent on a retainer basis. U.S. companies are even more likely than non-U.S. companies to be using outside counsel(84 percent vs. 62 percent), as are those in medium and large corporations as compared to smaller ones (83 percent and 82 percent respectively vs. 68 percent).
The market couldn’t be considered large by the standards of much more established practice areas, like intellectual property or mergers and acquisitions, but it’s clearly substantial and growing.
In general, 61 percent of our survey respondents reported spending less than $99,999 on legal fees annually; however, 29 percent reported spending between $100,000 and $499,999, and nine percent spend more than $500,000. If we consider only U.S. respondents, they spend considerably more on attorneys than their non-U.S. counterparts – on average over twice as much annually ($194,457 vs. $85,960). Outside the U.S., a full 66 percent of our survey respondents spend under $49,999 on attorney fees each year and no respondent reported spending more than $500,000.
Large corporations spend more than small ones, and outside legal budgets are more likely growing than staying the same or decreasing. A full 49 percent of respondents reported spend growth for outside counsel last year, and 45 percent believe their budget will increase for 2016. Just eight percent expect a decrease. Qualitatively, due to the small non-U.S. base size, a higher proportion of non-U.S. corporations expect 2016 budget increases than U.S. (59 percent non-U.S. vs. 40 percent U.S.).
On average, businesses are paying their external counsel $623 per hour for specialized privacy and data protection matters, such as preparing binding corporate rules, $539 per hour for litigation in the privacy space, and $474 per hour for transactional assistance, which would include preparation of contracts and vendor management.
Overall, respondents are most likely to be willing to pay outside counsel a premium for litigation (43 percent) and for interacting with regulators (39 percent). Additionally, U.S. respondents were more likely than non-U.S. respondents to pay a premium for interacting with regulators (45 percent U.S. vs. 24 percent non-U.S.), perhaps reflective of the more robust enforcement environment that exists in the United States than in many parts of the world, including Europe.
How do in-house privacy professionals find these outside attorneys? Largely through referrals from external and internal colleagues, or through inheriting a law firm their company already engages. If shopping for a new lawyer, they turn to referrals from other outside counsel or to personal relationships with private practice lawyers. Lawyers speaking at events, writing articles, or giving personal pitches can sometimes raise their profiles with inside privacy pros if a relationship isn’t already established.
And what’s most important in the fi rm they eventually settle on? Not surprisingly, responsiveness to client demands is at the top of the list, but the next most important quality — identifi ed by 81 percent of respondents — is a dedicated privacy team. This is not a place for solo operators and one-offs. In fact, 22 percent of respondents are working with a boutique fi rm specifi cally dedicated to privacy matters. Clients also want their attorneys to offer thought leadership in privacy (72 percent), have relationships with regulators (69 percent), and know how to handle a data breach (65 percent).
Tasks outside lawyers are most often hired to perform are litigation, drafting and reviewing contracts and vendor agreements, interacting with regulators, and assisting with trans-border data transfer transactions. Respondents agreed that the market for these services is mature and they have many high-quality options when seeking external counsel to perform them.
Privacy professionals generally do not hire outside attorneys for operational tasks like privacy impact assessments and privacy by design, however, and very few companies have begun to hire outside lawyers as their “outside privacy officer” or DPO. Respondents also perceive the external market for these services as underdeveloped — at least at law firms.
Outside the U.S., moreover, privacy professionals report a weak external counsel market for breach preparedness and breach response services; the U.S. market for these services is perceived as relatively strong.
In the U.S., lawyers still have a strong market position relative to consultants for a variety of privacy tasks regardless of the attorney-client privilege — except for PIAs and privacy by design. Outside the U.S., again with only a small sample size to provide directional conclusions, lawyers are preferred for drafting vendor agreements, assisting with crossborder data transactions, preparing privacy notices, and interacting with regulators, but for many other tasks — such as developing internal privacy policies, serving as offi cial outside privacy officer/DPO, and working on breach preparedness matters — non-U.S. companies prefer consultants to lawyers.
All in all, most people are satisfi ed with their privacy counsel: A full 86 percent told us their lawyer was worth the money. In this full report on how organizations use privacy and data protection counsel, we’ll look into the details of what these firms are doing for their clients and what value organizations are extracting.