With the near-constant turnover in popular technologies and ever-changing security practices, privacy law is one of the hottest and most fluid practice areas in today’s legal market. Attorneys who can keep up with the shifting nature of privacy law will soon be able to market themselves as experts in their field, now that the American Bar Association has approved a privacy law specialist designation.
The ABA House of Delegates endorsed the “privacy law specialist” title for a five-year term at its mid-year meeting in February, bringing an end to a years-long quest by the International Association of Privacy Professionals to create the designation.
“We have a number of members who are attorneys, and we’ve been offering certifications for a long time,” said IAPP research director Rita Heimes. “I think it was just a matter of time before one of our attorney members asked us if we would help them be able to claim the specialization using the certification.”
Creating the certification
The IAPP’s designation is based on the notion that privacy law attorneys who are well-versed in their practice area should be able to market themselves as experts in their fields, Heimes said. But getting ABA approval for a new specialist designation is not a simple task. It took IAPP two years of developing, writing and revising its proposal before it convinced both the ABA Standing Committee on Specialization and the House of Delegates to sign on to the new specialist program.
The IAPP introduced its specialist proposal in 2016 at the behest of its attorney members who already held IAPP certification, such as a U.S. certified information privacy professional certification, or a CIPP/US. At that point, the privacy organization had already created a separate privacy ethics exam specifically designed for attorneys seeking the proposed specialization, on top of its three existing exams — the CIPP/US, Certified Information Privacy Manager and Certified Information Privacy Technologist exams.
However, the privacy law specialist resolution was pulled from the calendar at multipe ABA meetings due to concerns about the lack of a specific definition for “privacy law.” Once that issue was resolved, the Standing Committee sent a favorable recommendation for the resolution to the House of Delegates at this year’s mid-year meeting, where concerns lingered.
Specifically, Heimes said some delegates were worried that too many attorneys might claim to be privacy law “specialists,” when in reality they have only a basic understanding of the practice area. But given the rigorous standards the IAPP proposed for obtaining the certification, Heimes said her organization convinced a majority of delegates to support the much-disputed resolution.
“It’s a certification we have given to many other groups — we certify lawyers who practice in family law, we have bankruptcy law specialists,” said Joseph O’Connor, Indiana’s state delegate who voted in favor of the resolution. “Privacy law is a huge issue right now.”
A high bar
Given the wide scope of issues “privacy law” can include, the IAPP’s standards for certification were likewise designed to ensure certified specialists understand the breadth of the practice area, Heimes said.
Aside from earning a CIPP/US designation, attorneys who want to become certified privacy law specialists must also pass either the CIPM or CIPT tests. Those tests address more specialized areas of privacy issues — management and technology — and thus are used to show that a privacy law specialist understands both the why and the how of working in the field, Heimes said. Additionally, attorneys must also pass the specially designed privacy ethics test for a total of three examinations.
From there, attorneys must prove they have completed at least 36 hours of privacy-related CLE within the last three years. Finally, an attorney must provide five written references from colleagues, supervisors, judges, etc., who can attest to their frequent work in the practice of privacy law.
Heimes acknowledges attorneys will have to put together a hefty package to earn their privacy law specialist designation, but practitioners say they think the requirements are reasonable. Considering the ubiquitous nature of technology, attorneys who attain the specialization will be able to prove their advanced skill in handling technological issues, said Brian McGinnis, a founding member of Barnes & Thornburg’s Data Security and Privacy Law practice group.
“There’s got to be a high bar in this case,” McGinnis said.
For that reason, going through the rigors of becoming a privacy law specialist is likely worth it to privacy law attorneys who want to market their expertise, said Stephen Reynolds, co-chair of Ice Miller’s Data Security and Privacy Practice Group.
“I think the benefit for attorneys is that it establishes for clients and potential clients that they have some actual aptitude in this area,” Reynolds said. “Data security is a hot area, so it may be difficult for consumers to know if you actually have a proficiency, so this is one of the things consumers can use when evaluating and choosing a lawyer.”
To that end, Reynolds and McGinnis agreed the specialization will also work to the benefit of potential clients trying to wade through a sea of attorneys with some experience in the privacy and technology realms. The legal profession also will benefit from the creation of the privacy law specialist designation, they said, because it underscores the importance of technological proficiency in the practice of law.
Obtaining the certification requires a firm grasp of modern technologies, so as the practice area continues to grow – as McGinnis expects it to – more attorneys will become specialists and, thus, will be adept at using technology to their clients’ benefit, he said. And even outside of the privacy law realm, attorneys have an ethical duty to understand how to use technology in their work, Reynolds said, and creating the specialist designation shows that duty isn’t going away.
“Whether you’re a privacy practitioner or not, attorneys have some obligation to understand technology-related issues as an attorney using these platforms,” he said.
With the ABA’s approval in place, it is now up to each state to determine how it will treat the privacy law specialist designation. Some states adopt specializations as soon as ABA approval is given, while others, like Indiana, have their own approval processes.
Pursuant to Indiana Admission and Discipline Rule 30, the Commission for Continuing Legal Education is tasked with reviewing, approving and monitoring independent certifying organizations like the IAPP. That means the privacy organization will have to apply for approval in Indiana, and the CLE commission would then review the application.
Assuming Indiana eventually gives its stamp of approval to the IAPP and its privacy law specialist program, both McGinnis and Reynolds plan to go through the IAPP application process to earn the designation. Both attorneys already have passed the CIPP/US exam, so they are now preparing to take their subsequent exams and complete each of the steps required to officially become specialists in their field.
“The ability to get something more and another CIPP certification is enough of an incentive to go down that road,” McGinnis said.
For its part, the IAPP is preparing to begin accepting applications from attorneys who are ready to apply, Heimes said. The organization plans to begin accepting applications later this month.•