Amy Keller of DiCello Levitt Gutzler: “Correct misogyny immediately and recognize supportive colleagues”

…Correct misogyny immediately and recognize supportive colleagues. There are far fewer women in the cybersecurity, privacy, and technology fields than men, which means that it might take a while for the culture of the industry to catch up to societal norms. If I ever encounter misogyny or sexism, I use it as a teachable moment […]

Thrive invites voices from many spheres to share their perspectives on our Community platform. Community stories are not commissioned by our editorial team, and opinions expressed by Community contributors do not reflect the opinions of Thrive or its employees. More information on our Community guidelines is available here.

…Correct misogyny immediately and recognize supportive colleagues. There are far fewer women in the cybersecurity, privacy, and technology fields than men, which means that it might take a while for the culture of the industry to catch up to societal norms. If I ever encounter misogyny or sexism, I use it as a teachable moment and call it out. Similarly, if I notice that a male colleague is doing his best to correct sexist behavior, I specifically recognize and thank him. Typically, people change their behavior if they realize that their actions are negatively affecting their colleagues, and if I see an opportunity to make life easier for the next woman to come through the door after me, I take it.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Amy Keller, Partner and Leader of DiCello Levitt Gutzler’s Cybersecurity and Technology Law group.

Amy has experience successfully litigating a variety of complex class actions in leadership positions across the United States. With a focus on consumer protection matters, Amy has litigated a wide range of product liability, data privacy and security, design defect, and food labeling cases against industry titans like Apple, Marriott, Coca-Cola, and BMW. With experience at all court levels — including briefing before the United States Supreme Court — Amy has established herself as an aggressive advocate for the underdog.

Amy has served in various leadership positions in national class actions. After becoming the youngest woman ever appointed to lead a nationwide, multidistrict litigation against Equifax related to its massive, 2017 data breach, the firm appointed her to be its technology practice chair. Since her appointment, the group has received Law360’s “2020 Cybersecurity Practice Group of the Year,” award and The National Law Journal’s “Privacy/Data Breach Practice Group of the Year” award. Based on her knowledge of data privacy litigation, she was named to Law 360’s 11-member Cybersecurity & Privacy Editorial Advisory Board in 2019. Amy is recognized as a SuperLawers Rising Star, a member of the National Trial Lawyers Top 40 Under 40 in civil plaintiff litigation and is an elected member of the American Law Institute. She serves on the board and executive committee of the Public Justice Foundation, and is the President of the Chicago Art Deco Society, where she oversees the organization’s work on historic preservation advocacy. She lives with her husband, who is also an attorney focused on technology issues, and their two dogs in Chicago.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in a traditional (I believe some use the word “nuclear”) middle-class family in a suburb of Detroit, Michigan. My brother and I were both adopted, dad worked very hard as the director of the local hospital’s pharmacy department, and mom split her time between chaperoning school field trips and being a legal secretary. I had a happy childhood, was surrounded by a big, extended family, and often argued with my grandmother over what I would be “when I grew up.” Vacillating between wanting to be a Rockette, an architect, or a doctor throughout childhood, I eventually became a lawyer — just like my Grandma Virg always predicted.

My brother was bullied as a kid when his classmates found out that he was a “little bit different,” and I think I developed a strong sense of empathy watching him go through his own coming-out story. I’ve always been bothered when the “little guy” gets taken advantage of, and I think it’s because I had to watch him go through so much trauma and cruelty at such a young age because his peers were complete and absolute jerks. I’m still bothered by it. I guess that’s one reason I went into plaintiffs’ litigation, representing workers, consumers, small businesses — folks who frequently get the short end of the stick.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

The Immortal Life of Henrietta Lacks by Rebecca Skloot. It’s amazing to me that so much of our knowledge of cancer — and how to treat it — developed because doctors harvested cancer cells from Henrietta Lacks during a biopsy without her knowledge or consent. I picked up the book after my father was diagnosed with cancer in 2020 (he sadly passed away months after). We owe so much to Ms. Lacks, but she died in agony, and neither she nor her family was properly compensated for her amazing contributions to science.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Shortly after I graduated law school, a friend of mine came to me with a horrifying story: adulterated photos of her had shown up on a website, and the hosts of the website were making disgusting and disparaging jokes about how the size of her breasts would cause her “future lower back problems.” It was embarrassing and nothing short of harassment. She had not submitted the photos and certainly did not consent to their use.

The website was based in California, but we tried suing them in Illinois — where she lived. Although the court dismissed for lack of personal jurisdiction, the website’s owners adopted significant reforms, stopped publishing photos of other people without their consent, and took down photos of my friend. I realized that I had only uncovered the “tip of the iceberg” of the privacy issues at stake with my friend’s lawsuit, and started exploring legal theories related to privacy, technology, and cybersecurity after that.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

As a litigator, whenever I make a mistake, it’s usually more horrifying than funny because of the stakes involved in the kind of work that we do. But I always learn a good lesson from my mistakes — big and small!

Are you working on any exciting new projects now? How do you think that will help people?

I am a Steering Committee member of the Sedona Conference’s Working Group 11, where we focus on advancing the laws concerning cybersecurity, privacy, and artificial intelligence in a just and reasoned way. I get to work with fantastic people — seasoned industry professionals, as well as litigators — on tricky issues that impact both individuals and businesses. We are presently trying to develop a “model data breach notification statute,” which we hope will someday be adopted to not only protect consumers, but also ensure that companies do not have to work through complicated, patchwork legal schemes to determine whether they need to send post-breach notices.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I typically represent consumers in nationwide class actions against companies that violate privacy and consumer protection laws. In my line of work, not only do we have to develop complex legal theories to address corporate misconduct and negligence, but we also must develop novel and fair ways to resolve those lawsuits. I’m very excited about the “personal information as a property right” line of cases that my colleagues and I are developing because the United States does not have a statutory scheme to adequately compensate consumers for privacy violations and data breaches. I am also excited that consumers are taking notice of the way companies are using their information, and the greater transparency that some companies are building into their apps and products. Finally, I am excited to see how technology is being used to make our lives more convenient — provided, of course, that consent is obtained and adequate disclosures are made about how our information is used!

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The United States is a world leader on so many issues, but unfortunately, we lag behind when it comes to protecting user information. I am concerned that foreign countries are further along than we are in enacting reforms to protect personal information and the impact that could have on how we treat personal information moving forward. I am also concerned that so many elected officials have no idea how technology works, and rather than ask intelligent questions about how companies use our data, they use congressional hearings as an opportunity to grandstand about “censorship” by social media companies (demonstrating their fundamental misunderstanding about how the First Amendment works). Finally, I am concerned that, because lawmakers have little idea how technology works, the law hasn’t kept pace with technology, and there are not adequate safeguards in place to protect consumers.

The obvious answer to the above concerns, of course, is to not only elect better politicians (that is, intellectually curious people) but to also encourage lawmakers to work with subject matter experts to better understand which policies would make sense when dealing with technology.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Two intertwined issues cause me a great deal of concern when it comes to cybersecurity. One, companies are amassing mountains of information on consumers while, two, simultaneously ignoring lingering security threats associated with end-of-life systems and complex servers on which information is ferreted away. Threat actors know this, and unless companies are incentivized to develop good cybersecurity hygiene and data minimization, more and more of our information will become available to cybercriminals over time. Although paying for cybersecurity is never “sexy,” and rarely marketable for most companies, it’s necessary to protect customers.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I typically become involved in data breaches after notices are sent to consumers — when we file class action lawsuits if a data breach is egregious or if a company has not taken adequate steps to protect consumers after the breach.

Courts have appointed me to lead the nationwide class actions against some of the largest corporations in the country, including a nationwide case against Equifax related to its 2017 data breach, and one against Marriott over the long running data breach of Starwood Hotels. In Equifax I successfully represented nearly 150 million class members and helped to negotiate a 1.4 billion dollars settlement. In the Starwood litigation, I currently represent about 300 million people. While each breach is different, they all demonstrate a common theme: corporate executives who do not listen to concerns from engineers and technical experts experience the largest, and most devastating data breaches. My hope is that, through the kinds of cases I bring, I can be an agent for change, and encourage companies to adjust their policies and processes so that consumer data is better protected in the future. Either that, or I can force companies to take responsibility for their actions through litigation when they fail to heed the advice of people far smarter than me in the first place!

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

In my line of work, I am typically analyzing a company’s use of cybersecurity tools after a data breach. Again, a common theme emerges: although tools are available to a company, those that experience the most devastating breaches are the companies that turn off various alerts or adopt too many exceptions to the rules that are in place to protect the company from threat actors.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Unfortunately, leaving intrusion detection to laypeople is a recipe for disaster — even our law firm has a dedicated cybersecurity and technology professional. For small businesses that cannot afford dedicated cybersecurity support, they should adopt “best practices” to avoid the most obvious breaches. For example, businesses should employ multi-factor authentication for their servers, routinely change passwords to phrases that are difficult to guess, and work with service providers with robust, back-end security.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Every single company should have a breach response plan in place — before a data breach — so they are not scrambling to contain or address a breach after the fact. The response plan should involve professionals who can help identify if any information was accessed or exfiltrated, and what information has been compromised by hackers, so that the company can quickly send notice to consumers.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Although I’ve seen some boneheaded mistakes by companies, four mistakes are common and easy to fix: companies should avoid creating exceptions for their own policies, they should limit administrator credentials, they should employ multi-factor authentication, and they should immediately execute their breach response plan when a data breach occurs. Surprisingly, those four, simple steps will address most of the problems that I typically see in the data breach cases I pursue.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I think that women are making amazing advances in STEM, and it’s encouraging to see that so many young women and women of color are pursuing careers in STEM. But one, big problem remains: how do we accommodate the childcare gap? When women have children, even if they are supported by amazing partners, most of the time they are the ones taking time off work to care for young children. Every single industry — even those outside of STEM — must face an evergreen problem: how do you ensure that talented and qualified women have the option to remain employed (or return to work after a long absence) when they decide to have children? Without an answer to that question, we’ll continue to have problems recruiting and retaining amazing talent.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

I think that, when most people think about “cybersecurity,” they think about hackers sitting in basements trying to steal information. But there are so many more opportunities to get involved in the field — including as an attorney (like me).

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Lesson One: stick to your instincts. I cannot tell you how many times I’ve second-guessed my own instincts and adopted either what a more senior, grey-haired man said, or instead said nothing at all. More often than not, my instincts were correct (or close to it), and I wished I had spoken up.

Lesson Two: there are no dumb questions. I’ve had a lot of meetings with subject-matter experts, and there have been many times where what the expert said just didn’t make sense to me. Every single time I asked the expert to explain, I had others thank me or say, “I was wondering the same thing, too!” Asking questions is often the best way to learn, and it also keeps you more engaged with the issues in front of you.

Lesson Three: say yes to opportunities. I would not be where I am in my career today if I hadn’t said “yes” to some opportunities that were well outside my comfort zone. Keep in mind, however, that you should only say “yes” to opportunities where you feel qualified to do the work (because there’s nothing worse than being out of your depth and making judgment calls that hurt your client or employer).

Lesson Four: be careful of burnout. Saying “yes” to a lot of opportunities, and getting a lot of new and varied experiences, can lead to burnout if you’re not too careful. Make sure that you establish boundaries quickly and take time to recharge. If you’re burnt out, you’ll make bad decisions, which isn’t good for anyone.

Lesson Five: correct misogyny immediately and recognize supportive colleagues. There are far fewer women in the cybersecurity, privacy, and technology fields than men, which means that it might take a while for the culture of the industry to catch up to societal norms. If I ever encounter misogyny or sexism, I use it as a teachable moment and call it out. Similarly, if I notice that a male colleague is doing his best to correct sexist behavior, I specifically recognize and thank him. Typically, people change their behavior if they realize that their actions are negatively affecting their colleagues, and if I see an opportunity to make life easier for the next woman to come through the door after me, I take it.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

Chris Krebs, I have so many questions for you. Instead of breakfast or lunch, I’d like to buy you a beer.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

    You might also like...

    Maskot/ Getty Images
    Thriving Families//

    Why I Added “Mom” to My Resume

    by Raylene Gonzalez Roberti
    Getty Images
    Work Smarter//

    Why Women and Men Must Join Forces to Shatter the Glass Ceiling 

    by Kristin Flor Perret

    Kavitha Mariappan of Zscaler: “Take your seat at the table”

    by Jason Remillard
    We use cookies on our site to give you the best experience possible. By continuing to browse the site, you agree to this use. For more information on how we use cookies, see our Privacy Policy.