GC Fireside

Scaling Legal In The Regulatory Spotlight

Ashlie Beringer
November 1, 2020

The greater scale a company achieves, the larger the regulatory spotlight shines on the organization. For in house counsel who are navigating a variety of issues in the technology space, it is key to have an awareness and big-picture strategy on how to get ahead of regulatory scrutiny. Today we are speaking with Ashlie Beringer, Former Deputy GC @ Facebook who built a global legal team of over 150 attorneys over the course of 7 years. She shares her journey at Facebook and her approach to building her team, managing privacy, streamlining litigation, and how she envisions the next chapter of her career.

Tell us about your journey at Facebook

When I joined Facebook, my team was about 30 US lawyers covering litigation, product counseling, privacy and regulatory issues.  It was my first in-house role, and the GC gave me almost no guidance and let me define the role (telling me only to meet with my reports once a week and contact him if I wanted to talk through anything!).  My initial focus was assessing where my team could proactively advance the company’s goals and unblock issues that were bottlenecking in legal.  My team had been very focused on a few major US litigations I inherited, including a securities class action challenging Facebook’s IPO and a founder’s dispute filed by a now-indicted fraudster claiming to own a majority stake in the company (and yes, we played a direct hand in the indictment).  I ensured we had a strategy to defeat or resolve those cases with no business impact, but I came to believe we were focusing too much on reactive litigation and not enough on emerging threats to the business.  A few examples of where I shifted our focus to head off downstream challenges are:

  • I believed we needed to completely overhaul our terms and data policy because I was getting constant calls from product teams complaining that we were blocked on various product launches by language in our ToS.  This proposal met a lot of initial resistance because Facebook had been hit with lawsuits and regulatory actions every time it had made a policy change in the past.  I was convinced the situation was untenable and that it would only get harder to update over time, so spent almost a year getting our product and business teams on board with the changes, making sure we accounted for their roadmap and data uses in the policy, and briefing regulators and policy advocates to soften the ground.  When we finally launched the new policy, it was actually praised by regulators for its clarity, and it effectively ended the painful annual cycle of debating whether to update our terms to enable new features.  That launch required an enormous amount of internal partnership but it proved to be a great way to build relationships and credibility and a detailed understanding of our product landscape.  
  • I travelled to each of our major international markets within a few months of joining the company, and it became clear that the EU was heating up quickly into a major regulatory battleground.  I also met with product and engineering teams in the EU that were launching major products with no legal support (doing things like copying enterprise terms from other services and trying to morph them to their products) - it was the wild west.  After that trip, I focused on rapidly building out data protection, litigation and regulatory teams in Europe and in establishing Facebook Ireland as the data controller in Europe, to centralize oversight with the Irish Data Protection Commissioner (and to get a bunch of other hostile EU regulators off our back).  For my first 3 years, almost every serious regulatory action (and the key risks to merger approvals, such as with WhatsApp) were based in Europe, so this was timely and reinforced the value of meeting with regional teams to assess the local situation first hand.  The decision to establish in Ireland also was a game changer, and because of it, we defeated multiple regulatory actions filed by other EU regulators.

The biggest learnings for me were to constantly scan the landscape for where the threats are moving and structure your team and strategy to solve for the problems ahead, not merely the current challenges.  For me, this shift ultimately led me to spin off civil litigation to a new team and to focus exclusively on the regulatory, product and privacy challenges that posed the biggest existential threat to the company.

How did you build and structure your team?

The key principles I followed when building out my team were to: 1/ build out in regions and functions before they were on fire; 2/ engender a culture of org innovation - the legal landscape changed frequently for us, so we needed people to be comfortable with change and new models that optimized our team for the most serious challenges; and 3/ establish extreme role clarity to streamline coverage to the product and business teams, who were getting hit from all sides.  

One system that really worked well was to build up my product counseling team to map to each major product and business function and to be “mini GCs” responsible for coordinating legal coverage across all disciplines (so our product teams could look to one lawyer to deliver holistic legal advice vs interfacing with a bunch of specialists).  Product counsel were embedded in the teams they supported, and they were a critical pipeline into the business for developing regulatory threats and requirements.  They were also a key pipeline of information about upcoming product launches and goals, and they worked with our regulatory, privacy and litigation teams to ensure we were accurately positioning our products and data practices externally and advocating for their partners’ goals and roadmap.  

I invested heavily in establishing clear ownership and protocols for working across teams so that everyone understood the zones where they were empowered and the scenarios when they needed to leverage expertise from others.  I implemented the “bus driver” model - per-project clarity on who is driving the bus and who is on the bus and what that meant in practice, which helped to combat sprawling meetings and email chains and the tendency for a bunch of people to run towards the same problem with no clear understanding of their role.   I also came to value strong project managers and did a lot to build that function out within my team.  

I encouraged my team to hire utility players - smart and creative problem solvers, since the problem set was constantly changing -- and to “hire up” by hiring people you would be willing to work for, which is the best way to set yourself up for success.  We looked for lawyers who could absorb technical details and context quickly, have the presence to speak up in a room with strong voices, and provide crisp, actionable guidance quickly.  There is no one background that yields these qualities, and we eventually implemented “case study” interviews that tested candidates ability to issue spot and outline a strategy in response to canned scenarios, much like our product and engineering interviews.  This helped us gauge how quickly a candidate could work through a complex fact pattern since the pace at FB - as you note -- is pretty extraordinary.  This also had the benefit of broadening our candidate pool to those without technical or in house backgrounds, as well as increasing the diversity of our legal team.

How has your experience at Facebook shaped your views on Privacy?

I began working with Facebook in 2010 when it hired me to handle an FTC investigation that culminated in the second major privacy settlement in the US.  In negotiating with the FTC, I pushed hard to avoid terms that would dictate how Facebook built its products or used data, leveraging the fact that for most sectors, the US does not have prescriptive laws around data practices (or for that matter, privacy laws).  We were able to resolve the investigation with a commitment to build a privacy program designed to mitigate the self-determined privacy risks to user data, which gave Facebook enormous flexibility to design a program that made sense for its users and its business. The company put in place a program that was inspired for its time, including a cross-company review process for all product launches and data uses.  That system was an effective safeguard, and we were able to manage the company’s privacy issues with a relatively lean team for a number of years. 

This started shifting in a very real way with GDPR, the first of many regional laws with highly-detailed requirements backed by severe enforcement penalties - and we’re now seeing similar laws in Brazil, many countries in APAC and in many states, especially California.   Our approach to managing privacy had to change and scale to meet the pace of new laws and the increasing target on our back, as well as the demands of our key partners and customers.   In addition to quickly scaling out a privacy legal team, we created a master requirements database mapping all global privacy requirements to common controls so we could build our products around a master set of requirements vs individual country requirements.  I also spent a lot of time advocating with senior leadership to create a technical privacy team outside of legal that would be ultimately accountable for privacy compliance -- which Facebook did and which was a game changer for the function.  I built out an escalation process that provided a channel for lawyers to escalate questions or disputes about how to apply privacy requirements, first to a weekly meeting of my leads and ultimately to me if needed.  This was important to making sure we were providing consistent advice on privacy requirements across the company and also led to better decision making in the many gray areas that exist under emerging privacy laws.   And we invested in very high touch and transparent relationships with our key regional privacy regulators and ensured they were pre-briefed on significant product launches or any major concerns we uncovered, which provided a critical direct feedback loop with our regulators.

If I had to do it all over again, I would have put a lot of this infrastructure in place sooner when things were relatively “calm”.  So for companies that don’t have the resources for a large team, it is worth hiring a technical program manager to inventory, monitor and update core data practices and implementing a basic approval process to make sure external commitments (the greatest source of legal risk) accurately reflect those practices. Companies should focus the most effort on the riskiest data sets -- customer data, personal consumer data, sensitive data categories.  GDPR and CCPA are lengthy, sweeping statutes, but many requirements don’t present a practical enforcement risk to your business.   At the same time, I highly recommend taking the time to read the laws and asking hard questions of your inside and outside counsel to make sure you are comfortable with their advice.  There is a lot of flex in the laws and very little case law, so it is important to advocate and push back on OC to arrive at an interpretation that works for your business.  

How did you streamline litigation?

We had an extremely high volume of litigation at Facebook, and the biggest challenge was ensuring consistency and accuracy across multiple lawsuits with multiple firms in multiple countries.  To address that, I had our product counsel review and partner on the facts in litigations or investigations and established vetted plug and play narratives on major recurring issues.   Quality control at this volume was also a challenge, so I put in place templates and protocols for reviewing core strategy, outlines of key arguments and best case/worst case scenarios at different stages of a matter.  This was a helpful tool for cascading our strategic approach through a large docket, keeping the teams focused on the critical path and impacting major strategic decisions in the long tail of cases where it wasn’t possible to stay involved day to day.  We held mock arguments well in advance of any major argument and expected our OC to follow these models as well.

For high risk cases, we had a handful of go-to counsel who knew us, had strong written advocacy (which in my view is the most important factor in outcomes), and had a proven track record of creative advocacy for the company.  As a rule, I have found that having a short list of trusted firms leads to the best results because they already understand the business, and they are invested in working with you on fees and approach.  When we were hit with a major matter in an entirely new area, we would invite a handful of firms to outline their strategic approach and staffing model and would invite a few of them to pitch based on their responses.  This was a  helpful process, and it was also a way to reinforce how seriously we took our outside counsel diversity requirements (particularly when we let firms know that had been a decisive factor in not hiring them).  For the high volume, lower risk areas, we were more open to trying out new firms or optimizing for rates.  We had a particularly good experience engaging one international firm to coordinate all global litigation in certain domains for an all in annual fee, which worked really well for a number of years.

What's the next career move for you?

What I loved most about my role at Facebook was the ability to work with incredibly sharp people and to impact strategy on issues that really mattered to the company’s success.  I had a unique line of sight because my product counseling teams covered the entire business and because of my ongoing engagement with our key external partners and regulators.  It was thrilling to pull that together to solve problems in a way that furthered our stakeholders goals along with our business.  So it is important to me to be in a role where the GC function is valued and seen as a key strategic contributor - and in an industry where the legal function is critical to outcomes and has a global scope.

I also thrive on building teams and translating complex legal problems into elegant organizational solutions.  I want my legal teams to be generative and am constantly playing with new models that encourage true collaboration and effective partnership, where everyone is growing and adding value.  Particularly as the legal team at FB scaled (to almost 1000 by the time I left), it was increasingly hard to implement holistic solutions and working models because key parts of the equation were rolling up through other teams.  That informs my interest in leading across the legal domain and possibly other domains, like policy, where I can most effectively break down the silos and redundancies that build up in rapidly scaling teams.  

Lastly, the job was a lot more fun when Facebook was a smaller company, so I’d love to step into a company at an earlier stage and lead through the critical growth years - it doesn’t get better than that.

Ashlie Beringer
Ms. Beringer has more than two decades of experience working with media and technology companies to design innovative product and business strategies that overcome legal and regulatory headwinds, while advancing core business objectives and building capital with external stakeholders. She has a proven track record of delivering solutions to seemingly intractable problems and building, inspiring and mobilizing cross-disciplinary leaders and teams.