I teach cybersecurity law & policy to law, graduate, and undergraduate students. Here are some of my observations as I'm wrapping up the Fall 2020 semester.

1. Law students keep telling me how no other class in law school touches on the topics we cover in this class, such as: data security law and litigation, data breach notification, computer crime, industry-specific regulations, and cyber conflict

2. Students taking this class seem to be way more comfortable applying for data security/tech law jobs. I don't have data on whether that makes them more competitive for those jobs, but it definitely increases their confidence and ability to converse on cybersecurity topics

3. I find that starting the semester with at least three weeks covering technical background is extremely helpful for the rest of the semester. Many students have no understanding of TCP/IP, internet architecture, encryption, and general infosec terminology. This is normal.

4. I also start the semester with a discussion of what is cybersecurity law. A lot of students come to this class expecting to learn about intellectual property law or privacy, so defining the scope of "cybersecurity law" is really conducive to a more informed discussion later on

5. Teaching this class simultaneously to law students and graduate students is extremely valuable for two reasons. First, we can all learn from their professional expertise in cybersecurity. Second, most of them have never been exposed to the law and policy of their own field!

6. U.S. cybersecurity law is remarkably outdated, and students have an excellent intuition on that point. As we cover the different topics, some students can clearly see the shortcomings of law and policy pertaining to data security. This happens a lot in the CFAA context.

7. Contrary to popular belief, this class is important for everyone, regardless of whether they wish to practice data security law or not. Cybersecurity issues arise when attorneys handle sensitive client information, when a client is being blackmailed online and more.

8. And finally, cybersecurity IS NOT privacy. I make sure to repeat this a lot throughout the semester. I think the ability to distinguish cybersecurity law from privacy law is immensely important. Yes, both privacy and cybersecurity arise from technology/computers/data...

9. But they pertain to different problems, actors, incentives, and motivations. The distinction is critical because it also demonstrates how schools/law firms who only offer privacy law or digital IP law are doing a disservice to their students/clients.

10. One article that I assign every time I teach this class is @amatwyshyn's "CYBER!" in the BYU Law Review. It elegantly addresses almost all of the common misunderstandings that students may have when they begin learning about cybersecurity law. https://digitalcommons.law.byu.edu/lawreview/vol2017/iss5/6/

11. Cybersecurity law is a fun class to teach, but it is by no means an easy one. Things in this area change FAST, and so my class this semester was substantially different than the one I taught in Spring 2019. I expect that next time it will be different as well. /

12. Last year, a student came to me after class to tell me how she was able to convince her law firm to change their data security practices just by using materials we discussed in class. This was the moment I realized the practical impact that this class has.