On MyShingle, we celebrate the solo and small firm practitioner, and those at the forefront of innovation in the legal field. Our newest project, 41 Legal Practice Areas That Didn’t Exist 15 Years Ago, highlights unconventional and upcoming niche practices from Cannabis Law to Tiny House Regulation.
We’re excited to present the second part of our project–spotlights on solo and small firm practitioners who’ve embraced these legal practice areas and made them all their own.
Our first Profile is for Dina B. Ross, a solo practitioner (and fellow Brandeis alum!) in Illinois focusing on Cybersecurity.
Cybersecurity as a field builds on privacy and technology law to create and enforce standards to protect electronic data and illustrate consequences for data breaches. One issue that has arisen in the field is the lack of transparency in data collection by organizations and how privacy can be maintained in the digital world. Dina Ross’ work focuses on cybersecurity in the realm of health information technology.
Q: What is your name, your law firm’s name and location and website?
A: Dina Ross, Dina B. Ross Law Offices, Oak Park, IL, www.dinarosslaw.com
Q: At what point in your career did you begin to focus on Cybersecurity Law, and what was the motivation for choosing Cybersecurity Law?
A: As a tech lawyer, I began focusing on cybersecurity law organically, along with the tech industry in general. My motivation was client based – my clients were dealing with it, so therefore so did I.
Q: Tell us a little about your work in Cybersecurity Law. What types of clients do you represent and what are some of the legal issues you encounter?
A: I work primarily in health information technology which, through HIPAA, is regulated for the purposes of ensuring the privacy and security of “protected health information.” I represent mainly hospitals/health care systems/clinical labs as a “buyer” of technology and cybersecurity products and services. But although these entities are “buyers” of cybersecurity, they are buying it because they owe a duty of confidentiality and privacy to their customers/patients. The most frequent legal issue is around how to best allocate the risk of a security incident/breach between the “buyer” (who likely owes a duty to another party) and the vendor (often the entity actually maintaining/transmitting the data).
Q: What do you enjoy most about Cybersecurity Law?
A: Learning about new technologies and applications of technology, helping clients manage risk of this kind of operational nature while they are actually more focused on risks having to do with the delivery of health care to patients.
Q: What kind of background is necessary for Cybersecurity Law?
A: Some familiarity with technology would be helpful, but mostly a tech lawyer needs a solid background in business/business law and the ability to assess risk.
Q: How did you market your practice and gain a reputation in Cybersecurity Law?
A: Word of mouth and happy clients! I am also active in the ABA’s Cyberspace Law Subcommittee (I co-chair the Health IT Task Force) and the American Health Lawyers Association’s Health Information and Technology Practice Group.
Q: As you know, this practice area really did not exist 15 years ago. How do you address or advise clients on novel or emerging issues for which there is no precedent?
A: I often tell clients that the good news is that there’s no known wrong way to do X and that the bad news is that there is no known right way to do it either! I help them navigate the risk allocation of whatever they are contemplating – how are they likely to be hurt? Who is likely to cause the problem? What is the worst case scenario if the contemplated problem happens? How much risk can be managed by new/different/existing policies or procedures? How are those policies/procedures enforced?
Q: Tell us about one of your most interesting or challenging cases.
A: I helped a start-up in the wellness space figure out how to handle transmissions of health information from the individual’s home device, through the cloud, stored in a foreign country and then processed elsewhere (this was pre-GDPR). Having all the parties – including the foreign company – agree to various security procedures and regulatory requirements was both fun and exhausting.
Q: What advice do you have for other attorneys interested in Cybersecurity Law?
A: Cybersecurity law is an off-shoot of tech law generally so I would recommend that an interested attorney have a solid grounding in technology law/business.
The Law Univented Profile Series is co-written and edited by MyShingle’s new Content Coordinator, Rachel Wallen.