Becoming a Cybersecurity or Privacy Lawyer: Tips for Young Attorneys

September 6, 2021
Publications

Privacy and data security law are no longer niche practice areas. Many law schools now offer classes to give students a substantive background on these topics, most large law firms have established privacy and cybersecurity practice groups, and business is booming for boutique firms focused in these practice areas.

Because of the specialized nature of this work, however, young attorneys may wonder how they can break into the field and develop a sustained practice in this area. This article will offer guidance on how to find opportunities to build and grow a practice in privacy and data security.

Do you need a technical background?

No! I often emphasize that my degree is in political science—not computer science. A technical degree is not a prerequisite for a technology-facing legal practice. Indeed, many technologists come from diverse backgrounds.

I spoke with Jordan Fischer, who serves as global data privacy practice group leader at Beckage and co-chair of the Pennsylvania Bar Association’s cybersecurity & data privacy committee. When asked this question, Jordan said: “There are so many paths to become a cyber and privacy attorney, and that is what I love about the space. You do not need a technical background; just an inquisitive mind and an interesting in learning about a very dynamic space in the law.”

A keen interest in technology is helpful, however, as lawyers in this space need to stay abreast of rapid developments in both the law and the underlying space. And taking some classes in IT can be useful to develop a functional tech vocabulary, as you may often find yourself tasked with translating between IT professionals and business leaders within your client’s organizations. If you are already a practicing lawyer, seek out relevant CLE content from the Pennsylvania Bar Association, Practicing Law Institute, Privacy + Security Forum, or other provider; these providers offer annual seminars that provide valuable crossover between tech and legal content.

Privacy vs. data security.

These two concepts are often lumped together—perhaps because most law firms combine the terms into one titular practice area. But privacy and cybersecurity are not interchangeable terms. And while some lawyers practice in both areas, others specialize in one or the other. Data security, or cybersecurity, focuses on protecting computer systems from unauthorized access. Cybersecurity lawyers advise clients on the best practices to protect personally identifiable, confidential, proprietary, and other sensitive data, including developing appropriate internal policies and training programs. Cybersecurity lawyers also might guide clients through data breaches, working closely with IT forensics teams and determining the legal obligations and potential liabilities that might result from a data exposure event. Privacy lawyers instead focus on advising clients regarding the legal frameworks that might limit or restrict their collection and use of personally identifiable information, such as the EU’s General Data Protection Regulation, California’s Consumer Privacy Act, and new privacy laws recently enacted in China, Colorado and Virginia.

Get involved with bar association committees.

The Pennsylvania Bar Association’s cybersecurity and data privacy committee provides an excellent resource for education on cybersecurity and privacy issues and gives practitioners the opportunity to advocate on developing privacy legislation coming out of Harrisburg. Just as importantly, the committee has fostered networking opportunities for the growing number of privacy and cyber lawyers in the commonwealth.

“The cyber field is always evolving, from risk vectors, to newly enacted laws (or courts’ interpretation of them), to techniques employed by threat actors. Privacy also is in a state of continual change and updates. Collaboration and dialogue with your peers is an important component of the practice, and the Committee offers an opportunity for young lawyers to do just that,” says Joshua Mooney, partner at Kennedys and co-chair (with attorney Fischer) of the Pennsylvania Bar Association’s cybersecurity & data privacy committee.

The American Bar Association also has a privacy and information security committee, which provides programming and networking opportunities, including a recently launched young lawyers and professionals advisory panel.

Look for opportunities within your existing practice area.

When I joined my firm as a litigation associate, few lawyers were specializing in privacy or cybersecurity. To be fair, many of the laws in this sector had yet to be enacted. Although the federal Privacy Act and FERPA had been around since 1974, other industry-sectoral federal privacy laws (HIPAA and the Gramm-Leach-Bliley Act) were not enacted until the late 1990s, with HIPAA’s Privacy Rule only taking effect in 2003. The very first state breach notification law (California’s—naturally!) became operative in 2003, while Pennsylvania’s Breach of Personal Information Notification Act did not take effect until 2006.

As a young attorney in the early 2000s, I was fortunate when a partner (and great mentor) asked me to brainstorm potential causes of action for financial institutions faced with merchant data breaches. Several years of litigating these cases provided me with a working knowledge of the credit card industry’s information security requirements and eventually led me to develop my current practice.

Regardless of where you have begun your career, look for crossover opportunities touching on privacy and cybersecurity. Whether that’s corporate due diligence examining cybersecurity incidents and privacy compliance, negotiating service agreements with technology vendors, or addressing employee privacy issues, you can find experience in cybersecurity and privacy within longer-established legal practice areas.

Consider IAPP certifications.

The International Association of Privacy Professionals is a nonprofit organization that markets itself as “the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data.” Along with offering annual conferences, IAPP has developed the leading credentialing program for privacy practitioners (including both lawyers and nonlawyers). IAPP’s Certified International Privacy Professional designations are a prominent way to demonstrate expertise in privacy law (and in some states—but not yet Pennsylvania—IAPP certifications can qualify attorneys for official specializations approved by state bar associations). IAPP also offers training programs focused on both U.S. and international privacy laws and on building privacy compliance programs in private and public sector organizations.

I am fortunate to be part of the growing community of cybersecurity and privacy lawyers. I hope you will find the community to be an open and embracing one, containing individuals from diverse backgrounds who work collegially and enjoy nothing better than a great conversation about the emerging concepts we grapple with together.

As attorney Fischer told me, “Becoming a cyber and privacy attorney is really embracing the unknown. While the law has made drastic strides in the last few years, the technology is moving even faster. So, the use cases and fact patterns that we will see can barely even be imagined today. And, that is what makes this practice such a fun place to work in!”

Devin Chwastyk is a member of McNees Wallace & Nurick and the chair of the firm’s privacy & data security group. For more than 15 years, he has counseled businesses on compliance with emerging privacy laws, represented parties in data breach litigation, and helped clients respond to data security incidents.