I've received a few questions over the past month from law students and recent law school grads about whether/how to practice cybersecurity and privacy law. Here are my general thoughts:
Most importantly, this is an excellent field to pursue, even in this economy. Companies need help with privacy and security compliance more than ever, between Europe's GDPR, and California's poorly written new data protection law.
I have a lot of specific issues with the California law (can address that another time), but it really is the No Privacy Lawyer Left Behind Act. And California is putting another privacy law on the ballot!
Because privacy and cybersecurity are new fields, there are not as many lawyers on the job market with many years of experience in the field, so that is a positive for newer lawyers.
It's also an incredibly fun area. During my time in biglaw, I learned a ton, worked on challenging issues, and never did a single minute of document review. As a third-year associate, I was advising C-Suite executives at large corporate clients.
If you're starting off at a firm (and I recommend that you do if possible), the exit options are great and diverse. So many companies are now hiring for privacy/security positions that did not exist even a few years ago. There also are a lot of interesting policy-related jobs.
Although advisory work generally lends to a more normal schedule than litigation, if you are dealing with a massive data breach, your next month may be complete chaos.
It also depends on your personality. I thought that I wanted to litigate, but then I clerked and I saw all of the stuff that litigators argued about, and I realized that I might be a better fit with a less adversarial practice. That was a good realization early on.
So you want to practice privacy/security law. How? If possible, start taking classes and getting clinical experience as soon as possible in law school.
The general advice about law schools has been to not select based on faculty/specialties, and while I think that is correct overall, if you are accepted to two schools that are roughly equivalent on ranking/financial aid grounds, I'd use their course/clinics as a tiebreaker.
Law schools take such different approaches to privacy/security. Some have many classes, specialized faculty, clinics, etc. Others might offer one "Internet law" class that covers privacy, security, copyright, and a bunch of other "Internet" subjects, and nothing else.
In my humble opinion, the law schools that offer no or little privacy/security classes to their students, in 2020, are committing malpractice. There are jobs in this area. And these skills are increasingly necessary for non-specialty legal jobs as well.
Of course, internships/summer jobs/externships are vital for privacy and security. Much of this will depend on your location and personal situation, so it's hard to give general advice. I know a number of students who got great in-house privacy experience over the summer.
I still think that the most efficient way to get privacy/security experience is a few years in biglaw, but of course that is not an option for most, and who knows what the job market will be like over the next few years.
I'm seeing an increasing number of mid-sized and small firms have lawyers who specialize in, or at least devote part of their practice, to security and privacy.
IAPP is an excellent way to network and get job leads. They have local networking events across the country (I assume they all are virtual for now). I know a lot of people who got jobs through IAPP contacts.
If you can get your employer to pay for it, get a few IAPP certifications like CIPP. The credential is useful, but preparing for the exam gives a very good, high-level overview of the field.
I believe that privacy and cybersecurity are two very different legal practices, but for now most firms (and many in-house positions) have combined them, so it is good to have experience in both.
Of course, this is all very general advice and may not be useful to a particular situation. I'm happy to advise and put folks in contact with anyone who I think might be able to help them.
You can follow @jkosseff.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.