Peers and clients say:
"She is a brilliant IT lawyer"
"Nicola is a solid decision maker under pressure"
"She is great to work with"
Nicola Benz is co-head of MLL’s IT and digitalisation practice group and one of the founders of the Cyber Incident Hub, a multi-disciplinary response team for data security issues of which MLL is the legal partner. She has more than 20 years of experience as a practising lawyer in the field of technology, advising on transactions, disputes and compliance matters and associated issues in IP, competition and contractual law. Nicola is an active member of the iTechLaw Association and is fluent in English and German.
What motivated you to specialise in data law?
Data is an essential resource in our digitalised world. It plays a central role in the business of many of our clients. My motivation comes from an interest in whatever is new and a desire to support clients in tackling the legal challenges and opportunities of using data.
What is it about data security that you enjoy most?
In order to effectively advise clients in relation to data security, it is not enough to just look at the legal aspects. There are technical considerations, communications challenges and governance issues to be dealt with and that requires an inter-disciplinary team. I really enjoy working with professionals from different fields to deliver solutions and provide assistance on data security issues. MLL has partnered with technical experts, communications specialists and an asset recovery service provider to create the Cyber Incident Hub. It is very rewarding to be able to learn from our partners in the Hub and to work as a team with them to help clients improve their readiness for a data security incident and to tackle the consequences if hit by this type of incident.
How do you establish a detailed understanding of a client’s business to advise them effectively?
Taking time to listen to a client is the best way to start understanding their business. Of course, that is not always possible due to time and budget constraints and so we also rely on experience gained from working with other clients in the same or similar fields. We have established industry groups at MLL to focus on certain industries and businesses from a client perspective, to share knowledge and experience in particular business sectors across the firm.
What are the biggest data threats your clients currently face, and how are you helping tackle them?
Cyber attacks are a huge threat. The incidence of attacks has risen sharply over the last two years and continues to do so. The nature of the attacks ranges from social engineering scams – collecting password information or having payments initiated by clever use of email and other communication tools – to ransomware attacks that result in systems being rendered inaccessible through encryption of data and the threat of disclosure to a broad public if the ransom is not paid.
We help clients prepare for these types of attacks, through training of staff, drawing up response plans in the event of an attack, ensuring data protection compliance is up-to-date, reviewing contracts to establish what notification duties a client has towards its contractual partners in the event of an attack and checking insurance policies to be sure of the scope of coverage.
We also provide assistance if an attack does happen, advising on data breach notification requirements and helping with any notifications that need to be made, discussing with the client whether a ransom can and should be paid, looking at questions of liability and insurance and supporting the communications professionals and technical experts in their work immediately after an incident and at the post-incident review stage.
What are the advantages and challenges of the EU’s new standard contractual clauses (SCCs) in a data transfer context?
In a nutshell, the new SCCs do better reflect the different relationships that can arise in a data-processing context, which is an advantage compared to the previous one-size-fits-all approach. However, the task of putting in place SCCs for all relevant data transfers can be daunting for clients. Additionally, the uncertainty of whether any given data transfer is lawful remains, even with the right sets of SCCs in place and after completion of a data transfer risk assessment and implementation of additional measures. Clients understandably like certainty and the current lack of that for international data transfers is highly unsatisfactory.
Adtech providers Google and Amazon received significant fines in France. Is this a sign of things to come in the European and/or global market(s)?
I do believe we will continue to see significant fines from data protection authorities in the EU. Also, as more countries around the world introduce data protection legislation, the fines will probably start coming from different directions. Most Latin American countries have privacy legislation in place and many African countries are now introducing legislation too, all with competences to issue fines.
In my own jurisdiction, Switzerland, a revised data protection statute will enter into force in 2023, also providing for much larger fines than under the present legislation. The figures involved (up to CHF 250’000) are not nearly as high as in the EU, but the fines will be directed towards the responsible individuals and not to companies and it will be unlawful for the sanctioned individuals to have their employer pay on their behalf.
How does your membership in the International Technology Law Association enhance your practice?
Having been a member of iTechLaw for around 15 years, I have built a network of expert colleagues from around the world. This helps greatly when dealing with international data security issues.
What advice would you give to someone starting out in the data security field?
Keep an open mind and don’t just focus on the issues in your field. There is so much to be gained from an interdisciplinary approach.