As we let you know back in February, the IAPP has been accredited by the American Bar Association to certify lawyers in the specialty area of Privacy Law. U.S. attorneys who meet the IAPP’s rigorous specialist designation requirements may now be permitted under their state’s rules of professional responsibility to advertise their specialization.
This is a major step forward for privacy lawyers and a big opportunity. The Privacy Law Specialist designation instantly places privacy pros among the elite in privacy law. It’s the first title that verifies you’ve met stringent requirements of special knowledge, skill, proficiency and ethics in this rapidly growing and increasingly crucial area of the law.
The Privacy Law Specialist designation signifies to the marketplace and the world at large that you've undertaken substantial time practicing U.S. state and federal law relating to safeguarding personal information; that you have knowledge of relevant privacy laws, regulations, and technology; and that you have a commitment to staying ahead of new developments.
Among the benefits of the Privacy Law Specialist designation are:
- A place among other lawyers on the cutting edge of data-related legal issues.
- A digital IAPP designation badge to add to your credentials.
- The opportunity to be included in a searchable directory on the IAPP website.
Application requirements
To be considered for Privacy Law Specialist status, you must:
- Be an attorney admitted in good standing in at least one U.S. state.
- Earn a CIPP/US designation.
- Earn either a CIPM or CIPT designation.
- Pass an ethics exam administered by the IAPP.
- Provide evidence of “ongoing and substantial” involvement in the practice of privacy law.
- Supply evidence of at least 36 hours of continuing education in privacy law for the three-year period preceding the application date.
- Provide five to eight peer references from attorneys, clients or judges who can personally attest to your qualifications.
It's important to note that accreditation by the ABA indicates solely that the IAPP’s Privacy Law Specialist designation has met the ABA’s standards. Not all states allow attorneys to claim specialization, even if certified by an ABA accredited body like the IAPP. You should check the Rules of Professional Conduct of your state (typically covered in Rule 7) to see what your state’s requirements are regarding advertising specialization. We have compiled a list of the states with links to their Rules of Professional Conduct along with our interpretation of whether they recognize ABA accreditation or have their own certification process (but you should, of course, see for yourself):
Importantly, IAPP CIPP/US certification is required for all PLS applicants. You must also hold a second certification — either CIPM or CIPT. If you hold one certification, your exam for a second certification is discounted by $175, from $550 to $375. If you would like to earn IAPP certification, start the process by visiting the certification portion of the IAPP web site. Visit the IAPP store to purchase and schedule your IAPP ethics exam.
You must also demonstrate (in a manner that does not reveal confidential and privileged information) that you have been actively engaged in the practice of privacy law either as a transactional lawyer, in privacy program management, privacy litigation or regulatory practice, or a combination. Active engagement in information security law will also be considered provided you demonstrate its connection to and role in the privacy specialization.
You also must demonstrate, both quantitatively and qualitatively, substantial involvement in the field. In particular, you must declare and demonstrate through narrative description and support letters that at least one-quarter (25 percent) of your full-time practice in each of the prior three years has been devoted to the practice of privacy law. In the narrative description, you must provide specific examples of your engagement with the following types of privacy law practice activities:
Requirements for outside counsel and in-house lawyers with principally a transactional practice include:
- Preparation and review of privacy notices compliant with state, federal and/or international laws and regulations, and reflective of an organization’s privacy practices and privacy and security policy development, including development of information handling, sharing, storage, training and security policies and programs (at least 5 percent of a full-time law practice).
- Contract development, negotiation and compliance, which may include review of vendor, purchase, procurement or acquisition contracts, as well as drafting and negotiation of contracts for inclusion of privacy and security provisions (at least 5 percent of full-time law practice).
- Privacy advice in compliance with state and federal laws, including legal advice on privacy by design in product design or services (at least 5 percent of full-time law practice).
Some elements of the 25 percent minimum may also include:
- Conducting privacy impact assessments and providing advice in connection with them.
- Risk assessment with regard to use and potential misuse of personally identifiable information, and corresponding legal advice to clients and organizational leadership.
- Counseling on cross-border data transfers and other compliance with international privacy laws pertaining to data transfer (such as drafting binding corporate rules, standard contractual contacts, certifying to U.S.-EU Privacy Shield, and the like).
- Counseling on cybersecurity issues, breach preparedness and breach remediation.
- Legislative or regulatory public policy engagement, which may include drafting of position papers or opinions, and interaction with legislative or regulatory bodies, which develop laws or regulate privacy practices.
- Advice about cyber insurance and negotiating cyber insurance policies.
Requirements for attorneys primarily engaged in data breach response, adversarial proceedings and/or litigation, at least 20 percent of full-time practice must include:
- Internal breach investigation and evaluation, involving managing internal investigations of data breaches and evaluating risks for mitigation and policy development, as well as engaging and overseeing the work of forensic teams, preparing breach notification letters and working with regulators (at least 10 percent of full time law practice).
- Litigation of data protection and data breach matters in state, federal, international and administrative tribunals (at least 5 percent of full-time law practice).
- Regulatory investigations and defense, including federal, state or international filings of regulatory inquiries or responses to regulatory inquiries of privacy and data protection practices (at least 5 percent of full-time law practice)
Some elements of the 25 percent minimum time requirement in privacy law practice may also include:
- Privacy tort litigation such as litigation of consumer protection/privacy statutes that provide a private right of action (federal and state), including without limitation rights of publicity, rights against publication of false information, intrusion on seclusion or public disclosure of private facts.
- Advice about cyber insurance and negotiating cyber insurance policies.
If you have questions about starting your journey to a Privacy Law Specialist designation, email pls@iapp.org for more information.
Photo credit: 3D Scales of Justice via photopin (license)