When Susan Duarte walked into Womble Bond Dickinson’s Washington, D.C. Office this spring to accept her new role as partner in the Corporate and Securities Practice Group, she wasn’t just adding another name to the firm’s partnership roster. She was signaling a quiet but significant shift in how top-tier law firms are preparing for the next wave of regulatory scrutiny — one where data privacy isn’t just a compliance checkbox, but a strategic battleground shaping everything from AI deployment to cross-border capital flows.
This move comes at a moment when corporate America is caught between two accelerating forces: the explosive growth of AI-driven business models and a global regulatory landscape that’s becoming less forgiving of missteps. In the last 18 months alone, the Federal Trade Commission has brought over 40 enforcement actions related to deceptive data practices, while state attorneys general have collectively levied more than $1.2 billion in fines under statutes like California’s CCPA and Virginia’s CDPA. For firms like Womble, the message is clear: the next generation of corporate counsel won’t just need to understand securities law — they’ll need to speak fluent privacy.
Duarte’s background makes her uniquely positioned for this moment. Before joining Womble, she spent nearly a decade at the Securities and Exchange Commission, where she helped shape enforcement policy around disclosure failures in tech IPOs and SPAC transactions. Later, as senior counsel at a major fintech firm, she led the integration of GDPR-compliant data architectures across three continents — experience that’s rare even among seasoned partners. “What we’re seeing now isn’t just more regulation,” Duarte told me in a recent interview. “It’s a fundamental rewiring of how risk is assessed. Boards aren’t asking ‘Are we compliant?’ anymore. They’re asking ‘Where are we exposed?’ and that requires a different kind of lawyer.”
That sentiment echoes across the legal industry. According to a 2025 survey by the International Association of Privacy Professionals (IAPP), 68% of corporate legal departments now consider privacy expertise a “critical hiring priority” when evaluating external counsel — up from just 31% in 2022. Meanwhile, demand for lawyers with dual expertise in securities and privacy has grown so rapidly that several law schools, including Georgetown and NYU, have launched joint LL.M. Programs specifically to address the gap.
Womble’s decision to elevate Duarte isn’t happening in a vacuum. The firm has been quietly building its privacy and data protection practice for years, adding specialists in areas like biometric data regulation and cross-border data transfer mechanisms. In 2023, it opened a dedicated Data Innovation Lab in its Charlotte headquarters, focused on helping clients navigate emerging technologies like federated learning and differential privacy. But the D.C. Hire signals something more: a recognition that the nation’s capital is where the rules are being written — and where enforcement priorities are being set.
Consider the recent flurry of activity around the American Privacy Rights Act (APRA), the bipartisan federal privacy bill that’s gained renewed momentum in Congress. Though still pending, APRA would preempt a patchwork of state laws and create a national framework for data protection — complete with a new bureau within the FTC tasked with enforcement. Legal experts warn that companies unprepared for such a shift could face not just fines, but costly operational overhauls. “If APRA passes in its current form,” said Alan Butler, executive director of the Electronic Privacy Information Center (EPIC), in a statement to Congress last month, “companies that have treated privacy as an afterthought will find themselves scrambling to retrofit systems that were never built with accountability in mind.”
Then there’s the international dimension. With the EU’s AI Act now in force and countries like Brazil and India updating their own data protection regimes, multinational corporations are under pressure to align their practices across jurisdictions. A misstep in one region can trigger cascading consequences — think of how a GDPR violation in Germany can lead to heightened scrutiny from regulators in Singapore or Canada under mutual cooperation agreements. For Duarte, who has advised clients on transatlantic data transfers since the Schrems II era, this interconnectedness is both a challenge and an opportunity. “The best privacy lawyers today aren’t just defenders,” she said. “They’re translators — helping businesses turn regulatory complexity into competitive advantage.”
Womble’s move also reflects a broader trend in the legal market: the rise of the “hybrid partner.” Firms are no longer satisfied with specialists who know only one area of law. Instead, they’re seeking attorneys who can sit at the intersection of domains — finance and technology, regulation and innovation, compliance and strategy. Duarte’s profile fits this mold precisely. Her work at the SEC gave her deep insight into how disclosure failures can trigger investor lawsuits and enforcement actions; her time in industry taught her how those risks manifest in real-time systems architecture. That dual perspective is increasingly valuable as regulators begin to scrutinize not just what companies say about their data practices, but how their algorithms actually behave.
Appear no further than the recent SEC action against a prominent AI startup, where the agency alleged that the company misled investors about the extent to which its models relied on scraped personal data. The case didn’t hinge on a privacy law violation per se — but on the failure to disclose material risks tied to data sourcing. It’s exactly the kind of crossover issue Duarte is equipped to handle.
As of April 2026, Womble Bond Dickinson reports that its D.C. Office has seen a 22% year-over-year increase in matters related to data governance and regulatory enforcement — a trend mirrored across the firm’s national practice. With Duarte now in the partner ranks, the firm is positioning itself not just to respond to demand, but to shape the conversation. In a legal landscape where the lines between privacy, securities, and technology law are blurring, that kind of foresight isn’t just advantageous — it’s essential.
The hiring of Susan Duarte may not make headlines in the same way as a high-profile lawsuit or regulatory fine. But for anyone watching the evolution of corporate counsel, it’s a telling sign: the future of law isn’t in silos. It’s in the spaces between — where expertise meets adaptability, and where the next generation of partners is already being forged.
What do you think — are law firms moving fast enough to meet the moment? Or are we still treating privacy as a niche specialty when it’s becoming the backbone of corporate risk? I’d love to hear your thoughts in the comments below.
