New Privacy and Information Security Law Specialty
The Privacy and Information Security Law Specialty Committee of the State Bar Board of Legal Specialization is at the cutting edge of a rapidly changing legal landscape. Committee members (see sidebar) are set to launch the new specialty certification in 2018, building upon an existing national certificate offered by the International Association of Privacy Professionals (IAPP). IAPP offers a Certified Information Privacy Professional-US (CIIP/US) training program and exam to applicants throughout the United States and beyond. The North Carolina specialty will utilize the IAPP certificate to qualify applicants for a short exam that will focus on state as well as the interpretation of federal and international law.
Rapidly evolving technologies affect many NC companies, particularly those in specialized fields like pharmaceuticals and sustainable energy. As technology further advances, these companies face big challenges in protecting their corporate and employee data. We have all seen the effects of massive data breaches over the last several years. Privacy lawyers handle those unfortunate situations as well as many other corporate technological and security issues on a daily basis. Lawyers who are able to assist clients in successfully navigating these fast moving business and legal waters are in high demand. This new specialty certification will help clients locate qualified counsel, and also provide all North Carolina lawyers with referral options when the need arises.
The committee members were asked to share their experience and perspectives on practicing privacy and information security law, and on how the new certification can benefit lawyers throughout the state.
Q: What sets this practice area apart?
Privacy law is a cutting edge area. It is constantly evolving and it impacts almost every aspect of our lives. Every time we pick up our smart phone we are implicating some aspect of privacy law. —F. Marshall Wall
Q; Did your interest in privacy law begin in law school?
My interest actually began with pre-law school employment in financial services where data privacy was engrained in the business model. I learned that I really enjoyed helping clients with cutting edge issues in a rapidly evolving topic area. —Nathan Standley
Q: Have you already attained the IAPP CIPP/US certification? If so, why did you pursue that?
I became IAPP CIPP/US certified in 2015 because I had been actively practicing privacy and information security law and I hoped that the CIPP/US certification would help demonstrate to clients and prospective clients that I was knowledgeable in the law, in technology, and in customs relevant to privacy and information security. At the time, neither the ABA nor any state bar recognized a specialization in privacy or information security law, and there was not any other widely-recognized, credible certification authority. —Matthew Cordell
Q: Describe a typical client or client situation.
The situations that our clients face vary significantly. Currently we are seeing a fair number of clients with business email compromise (BEC) or “spoofing” issues. Data incidents involving the insertion of malware into a client’s system to scrape personal data and data incidents involving employee error (such as a lost laptop) are not uncommon. But privacy and information security is much more than just cybersecurity and data breaches. Clients face privacy issues in dealing with employee and customer personal information, monitoring others, recording calls, sending documents containing social security numbers, conducting background checks and drug testing, designing legally adequate data security plans, and providing adequate notice to consumers of collection and use of their personal data. GDPR (the EU General Data Protection Regulation, which will be enforced beginning May 25, 2018) is a priority for many companies right now. —Karin McGinnis
Q: What’s the most interesting/difficult/challenging information security legal issue you have handled?
The large-scale data security incident responses that I have worked on over the years have consistently been the most challenging, because there are so many applicable laws, regulatory bodies, contract and insurance requirements, law enforcement concerns, and reputational risks, all of which must be handled in a very compressed timeframe. —Matthew Cordell
Q: How has the practice changed in the past five years?
The biggest challenges in this practice are keeping up with developments and conforming my advice to the needs of dynamic, fast-paced situations. When I started, my firm had just handed out Blackberries for the first time, MySpace was making more news than Facebook, and there were relatively few privacy laws. The practice changes weekly, not yearly, in terms of new technology, emerging security threats, new case law, and new or amended statutes and regulations. To be successful in this practice, you must be willing to devote substantial time to maintaining expertise because, even though the area is maturing, it will never be static. On this point, having a team of devoted practitioners is a significant advantage.
Clients’ sophistication and knowledge of the subject matter also has increased significantly in the last five years. What has not changed, and likely will never change, is their expectation that our advice will be clear, practical, responsive, and actionable. In this practice, when applicable laws may be out of date with technology or must be applied to unanticipated situations, a depth and variety of experience is really critical to meet client needs and expectations, more so now than five or ten years ago. —Elizabeth H. Johnson
Q: What gives you the most satisfaction about practicing privacy and information security law?
I enjoy helping clients through what can be an extremely stressful and difficult time, for example when a data breach hits and the client needs quick and clear guidance on how to proceed. It is satisfying to see clients gain more confidence that the situation can be resolved and that there is a team I can bring to the table to help the current situation and help minimize the risk of future incidents. I also enjoy the challenge of staying on top of changes in the law and practicing in an area where the new legal theories are being developed and tested, such as legal claims by consumers for data breach violations. It is never boring or routine. —Karin McGinnis
Q: Does a lawyer need to be technologically proficient to practice in this specialty area?
Not necessarily as there are numerous aspects to this practice area that do not involve technology; however, technology prowess is always beneficial. —Nathan Standley
Q: How do you keep up with the changes in technology that affect your clients?
I subscribe to a number of blogs and email updates, follow industry leaders on social media, and am a member of several technology associations that send updates about the industry. —F. Marshall Wall
When I come across a technology I don’t understand, I set aside some time to dig into the topic and educate myself about it—sometimes by simply Googling it and reading for an hour or two. One of the benefits of being an in-house lawyer at a large company with hundreds of technology professionals is that I can call in one of my (internal) clients who has some level of expertise in the technology and ask them to explain it to me until I’m confident that I understand the terminology, mechanics, and applications of the technology. —Matthew Cordell
Q: How do you envision the NC certification affecting your practice or career?
Certification should help differentiate those who have knowledge and experience in this area, which is very specialized and becoming more so. I am excited to be one of those folks. —F. Marshall Wall
Q: What would you say to encourage other lawyers to become board certified specialists in this field?
One of my mentors told me many years ago that in order to be a great lawyer, you must love the law. I would say that if you want to be a great privacy and data security lawyer, you need to love both the law and computer technology. —Matthew Cordell
For more information on specialty certification in Privacy and Information Security Law visit us online at nclawspecialists.gov/ for-lawyers/certification-standards/privacy-and-information-security-law. Application deadline: July 2, 2018.
Privacy and Information Security Specialty Committee
Matthew A. Cordell, Chair
Elizabeth H. Johnson, Vice Chair
Alicia A. Gilleski
Karin M. McGinnis
Elizabeth E. Spainhour
Nathan E. Standley
F. Marshall Wall
Clark C. Walton