Welcome to my website about security law, where I share insights and information about how the law operates in the physical and virtual worlds to ensure our safety and security. My main focus is the interplay between operational security and security law - i.e., their requirements and how they influence one another - as they concern the need to protect people, data, computers, networks, information systems and cyberspace from threats and risks.
My interest in these areas spans my professional career as a lawyer and management consultant and my academic career. I hope that my site will help you to deal with real operational security problems, such as how to respond to an incident (if the need arises), and to understand some of the philosophical issues that arise, such as the purpose of laws and the personality, character and behavioural issues that create or reduce threats and risks.
I started my career in 1991, as a Barrister at the London Bar, dealing with commercial, common law, consumer and criminal matters (in the US, you'd call me a Trial Attorney). By the mid-1990s my interest had moved firmly into the online, technology and data space, driven by the Dotcom boom and the Information Super Highway idea, Y2K Millennium Bug hysteria and Europe's increasing legal focus on the human rights issues that arise through the use of tech and data. By the end of the 90s, with some Barrister friends, I decided to jump fully into the online world, to start our own Internet law company, Lawsolutions. That was an incredible experience and a big hit with consumers, but we couldn't get investment funding following the bursting of the Dotcom bubble, so I returned to more conventional legal practice and started my first Solicitor's practice in 2001, at a firm called Rowe Cohen, focusing exclusively on data protection and security matters, concentrating on defending clients in cases brought by the Information Commissioner and helping technology companies to align their marketing and sales activities to legal drivers for customer buying decisions. That venture was successful, but to take things to the next level I joined up with a good friend with the shared ambition to build one of Europe's leading data protection and security practices, at Fieldfisher, which I believe we did. And that was my first practice to be independently rated by the legal directories, Chambers and Legal 500, as one of the best.
By 2014 I was looking for new challenges and I joined PwC, to build a new business, based on the idea of multi-disciplinary services, where I was the Global Cyber Security and Data Protection Legal Services leader and the Joint Global Leader of the Data Protection risk business. From a standing start, we built another leading practice, again as recognised by the legal directories. That was my second practice to be so rated.
I joined DWF in 2020, to build my current practice, which replicates the PwC multi-disciplinary idea, but this time being legally-led. We were ranked as a leading practice in record breaking time. This is my third practice to be so rated.
So, what do I do for a living? In simple terms, if an organisation suffers a cybersecurity breach I help them to get through it, by devising response strategies, coordinating across the various functions of incident response and by dealing with all of the legal aspects. If the client finds itself on the wrong side of a regulatory investigation into a security or privacy breach, I will advise and represent them through the investigation and defend them against enforcement actions. If the client is sued after a security or privacy breach, I'll advise and represent them in class actions and individual claims. If a client wants to develop their security program, I'll provide consulting and legal support with the development of governance structures and operating models. If a client wants help regarding the use of personal data, I'll provide them with strategy, consulting, program support and legal advice on any issue that arises under the GDPR and similar laws. If a client is a technology company or security company, I'll help them to position their products and services in the market, by reference to their customers' legal duties and exposures.
As to my qualifications, I have 30+ years' hands-on experience in law and professional services, which has been gained on the global stage, working with some of the world's biggest and most famous brands and important public authorities. I have an undergraduate and two post-graduate law degrees and I'm currently studying for my MSc in cybersecurity. I qualified as a Barrister in 1991 and also as a Solicitor in 2001. My professional memberships include the Hon. Society of The Middle Temple and The Law Society.
As to my academic life, I have written or co-authored nine influential legal textbooks. These include the UK's first ever book on security law, the first on email law, four editions of the IAPP's European Data Protection book and two editions of the British Computer Society's book on data protection. I'm midway through another book on security, but this one is very different - you might get hints of the focus here!
As to related activities, I'm a co-founder of The Cyber Security Challenge UK, which we started in 2010 as a government and industry-backed initiative as part of HMG's National Cyber Security Strategy, to help fill the skills gap in the economy; the Honorary President of The National Association of Data Protection Officers (the world's oldest membership organisation in this field, I believe); a member of the European Data Protection Board's expert support pool for data protection technology and law matters; a past winner of the Financial Times Legal Innovator of The Year award; and I've been recognised by the legal directories as one of the UK's lawyers in these fields every year since 2009.
If you need any help or support with security or privacy issues, please reach out. If I can't help you myself, I will know someone who can!
Thanks and acknowledgements
All of my career achievements rest on the help and support of others. Moving from the Bar to present day, my deepest thanks go to Charles Joseph, Evan Ashfield, Perry Hill, Simon Cohen, Graham Small, Emily Chantzi, Michael Chiswick, Eduardo Ustaran, Antonis Patrikios, Grant Waterfall, John Berriman, Jane Wainwright, James Drury-Smith, Tughan Thuraisingam, Mike Pritchard, Mark Saville, Raj Roy, Stephen Deadman and Judy Baker OBE. I also thank my former Chambers, firms and current firm (169 Temple Chambers, 8 Stone Buildings, Rowe Cohen, Field Fisher, PwC and DWF); all of my past and current team mates; my past and current colleagues at NADPO and The Cyber Security Challenge; my publishers over the years (British Computer Society, The Law Society, British Computer Society and the IAPP); my Alma Mater; and every client who has had enough confidence in me to instruct me!