Justine Phillips focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act and cyber litigation.

She provides actionable and practical guidance to help businesses manage data, technology, cyber threats, privacy, security and digital assets. As businesses navigate complex and far-reaching laws and regulations, Justine proactively creates compliance programs customized to client needs and budgets, including data mapping, vendor management, privacy and security by design, cyber risk management and mitigation, eWorkforce policies, data retention and destruction policies and implementation, consumer request workflows, cyber-awareness policies and trainings, and CCPA/CPRA readiness audits. She also provides reactive cyber services, including incident response, crisis management, privileged forensic investigations into business email compromises, data breaches and ransomware attacks, compliance with notice obligations to individuals and regulators, regulatory inquiries and investigations, and cyber litigation. Justine also handles employment litigation and counseling, as well as commercial litigation.

Why I chose privacy as my field: I attribute the butterfly effect for the good fortune of practicing privacy and cyber law. The seemingly inconsequential decisions and interactions with smart people, coupled with a natural curiosity about data, led to my professional calling.

In my early days as a litigator specializing in eDiscovery, I learned the importance of effectively managing data. In 2011, my experience interviewing custodians and understanding data flows and storage led to an opportunity to be part of a cyber investigation for one of the largest data breaches in history. That moment changed everything and sparked my passion and practice in cyber law. I immersed myself in the cyber community to learn from cyber experts like Bill Bonney, Matt Stamper, and Gary Hayslip (fellow San Diegans and co-authors of the CISO Desk Reference Guide).

In 2018, GDPR became effective, and CCPA was passed, which led to many businesses needing full-blown privacy programs—or, as eDiscovery professionals had long been saying, Information Governance. No books existed that explained the role of people, process, and technology required to build a privacy program. Pressure for meaningful and effective privacy programs increased as more laws emerged globally. New roles and responsibilities evolved internally to manage privacy risk, which led to more opportunities to be proactive. The two years we spent collaborating to write this book was a liminal time in privacy history. As laws and technology evolve, so too will our practices and strategy in how we govern data and build a privacy program that inspires trust. This is why privacy is such a compelling practice area—because it constantly changes, transforms, and evolves.

CISO Desk Reference Guide Books

Data Privacy

The Privacy Desk Reference Guide offers pragmatic advice to various stakeholders on how to build a privacy program that is aligned to organizational strategy and risk management practices of the firm while also addressing important regulations – both domestic and international – that require privacy practices that reflect and support the data subject’s or the consumer’s rights over their information.