Former federal prosecutor and Jones Day partner Jay Johnson moved in-house to Charles Schwab in September to help build and lead the financial services giant’s legal program for data privacy and cybersecurity.
Now deputy chief counsel in the technology, digital and innovation legal group at Schwab, Johnson teams up once again with Shamoil Shipchandler, the former regional director of the Securities and Exchange Commission who joined Schwab as chief counsel of the risk and regulatory legal group at the beginning of last year.
The Texas Lawbook caught up with Johnson, who has established himself as one of the preeminent cybersecurity and data privacy legal experts in the area, about the move, working with Shipchandler (yet again) and college football allegiances.
The Lawbook: You’ve been at Charles Schwab now for about five months. Why did you decide to move in-house?
Johnson: To be sure, Jones Day was a very tough place to leave. The firm was my professional home for over eight years and is full of great friends and attorneys. And Hilda Galvan, the partner in charge of the firm’s Dallas office, is a phenomenal mentor and leader. I moved to an in-house legal role for an opportunity to help build, maintain and lead Charles Schwab’s legal program for data privacy and cybersecurity. What I found here is challenging work, a great legal team and very sophisticated internal clients. It’s been a great start.
The Lawbook: How do you keep crossing paths with Charles Schwab Chief Counsel Shamoil Shipchandler?
Johnson: It’s getting awkward, right? We previously worked together at the U.S. Attorney’s Office for the Eastern District of Texas, at Jones Day, and as co-adjunct faculty at SMU’s Dedman School of Law. And before we ever met, we started our careers as clerks for federal judges in the same Washington, D.C., building, just off Pennsylvania Avenue, and as associates in Covington & Burling’s Washington office. At this point, I’ve lost track of who is following who. But kidding aside, he is one of the best attorneys and people that I know, and I’m lucky to have worked with him as much as I have.
The Lawbook: How did you come to specialize in privacy and cybersecurity?
Johnson: I was a patent litigator out of law school, having clerked for Judge Clevenger on the Court of Appeals for the Federal Circuit and in Covington & Burling’s intellectual property practice group. My first exposure to cybersecurity law came from the U.S. Attorney’s Office. Malcom Bales, the U.S. attorney for much of my time there, asked me to coordinate the district’s efforts to investigate and prosecute cybercrime and IP theft. The role had a name — CHIP Coordinator (short for “computer hacking and intellectual property”) — and on the cyber side focused on the district’s investigations of potential violations of the Computer Fraud and Abuse Act. This was around 2010, before data breaches had fully registered in the public consciousness. When I moved to Jones Day in 2013, the firm’s data privacy and cybersecurity team was a natural fit. I later had an opportunity to create, develop and teach the first data privacy and cybersecurity class at SMU’s Dedman School of Law as an adjunct faculty member and have been blessed with six years worth of amazing students and a law school administration that continues to invite me back.
The Lawbook: What privacy and cybersecurity developments are you currently following?
Johnson: The proliferation of U.S. state privacy and security laws; congressional debates over the potential for federal legislation; the adoption of General Data Protection Regulation-style regimes globally; the expansion of regulatory oversight both domestically and abroad; the growing sophistication of criminal activity; supply chain and other third-party risks. For attorneys, data privacy and cybersecurity is as dynamic a legal area as there is. Stay tuned…
The Lawbook: Can you pick out one case from your time as an AUSA and one case from Jones Day that were particularly interesting? Why?
Johnson: Rather than identify any particular cases, let me say instead that when looking back, matters involving advanced persistent threats, or APTs, often proved most challenging. The attacker’s presence in an environment for an extended period of time can make it more difficult to assess and contain the scope of the attack, and victims were rightly uncomfortable with less than full visibility into the attacker’s activities over the entire timeline. Of course, malicious insiders, ransomware and other threats proved challenging as well, but matters involving APTs in particular stand out.
The Lawbook: Is your college football allegiance to Kansas State or Iowa?
Johnson: You’re killing me with this one. I have an undergraduate degree in mechanical engineering from Kansas State University and a law degree from the University of Iowa. I’m loyal to both and very tempted to dodge this question. But truth be told, I could never root against Kansas State, no matter who was on the other side of the ball. (And now if you’ll excuse me, I need to go make a few apology calls to my Iowa friends and classmates!)
The Lawbook: Is there anything else you would like to add?
Johnson: Only that I’ve worked with some phenomenal people over the course of my career in government, at two law firms and now here at Charles Schwab. I could not have been luckier in following this career path. Full speed ahead!