The need for IT-trained cybersecurity professionals is big and growing bigger. But cybersecurity is a team sport, and IT cyber warriors are but one type of player. Questions like, “What are my obligations during a ransomware attack?” should be tackled by cyber counsel and IT professionals working together. East Coast schools, like Georgetown University, recognized early the need for trained cyber lawyers, and several of them run mature cyberlaw programs. But Southern California law schools have lagged behind.
Until now.
Here's how three top schools in the region are filling the need for formally trained cyber lawyers.
Loyola Law School, Los Angeles, California
“Entrepreneurship” is defined as the capacity and willingness to organize new ventures. It also describes Loyola Law School’s Cybersecurity & Data Privacy Law Program. “Cybersecurity is an issue placing huge demands on business and society,” said Michael Waterstone, dean of Loyola Law School. “Loyola develops courses to prepare our students to meet the world’s needs – both as it is now, and as it will be.”
Waterstone doesn’t exaggerate when he says that Loyola develops courses to meet current and future needs: Loyola was the first Southern California law school to offer a cyberlaw course and recently became the first to offer a fully realized cyber/data privacy law program. It’s a program that combines academic excellence with entrepreneurial nimbleness. Launched in 2016, the program offers cyber/privacy concentrations for law students (JD and LLM), and non-legal working professionals can earn a Master of Legal Studies. The curriculum, co-developed with Loyola Marymount University’s Seaver College of Science & Engineering, includes courses in technology, cybercrime, business cybersecurity, incident response and more.
In keeping with this entrepreneurial theme, Loyola Law’s program is highly business-focused. During the program’s planning phase, Loyola contacted working professionals from business, law, IT and law enforcement, and asked them: “How should we design courses to fill your real world needs?” Loyola then designed the curriculum around that input. Two students gave The Privacy Advisor an example: “We [students] don’t simply hear that companies should have information security policies,” said third-year law students Hanna Sherman and Yvette Gabrielian. “We practice drafting them.”
Waterstone shared another example of Loyola’s entrepreneurial approach: The school is pursuing an online delivery of its cyber and data privacy offerings. “It’s an opportunity to share knowledge outside of our geographic confines," he said.
University of California, Irvine
The course catalog at the University of California, Irvine School of Law (UCI) doesn’t include cyberlaw. And yet, the school is part of one of the country's fastest growing cybersecurity initiatives: the UCI Cybersecurity Policy & Research Institute (CPRI). The CPRI is the child of six schools: law, information & computer science, engineering, physical sciences, social ecology, and social sciences. And, though not expressly stated anywhere, CPRI appears to be positioning itself to become the central academic hub of cybersecurity in Southern California. “I wouldn’t quite put it that way,” laughed Bryan Cunningham, the inaugural director of CPRI, when asked if that was UCI’s goal. “That said, we are an outward-facing multi-disciplinary effort focused on addressing technical, legal and policy challenges to cyber-threats.”
One of Cunningham’s priorities, a “Cyber Victims Defense Clinic,” embodies CPRI’s outward-facing, community-focused approach to cybersecurity. Uniquely, the clinic is intended to provide technical and legal help to cyber victims of limited means, including the elderly and small businesses. In keeping with this multi-disciplinary approach, CPRI has cultivated ties with government agencies like the FBI, as well as law firms such as Alston & Bird and Newmeyer & Dillion, and companies such as Cylance, Qualcomm, Rockwell Collins, and Verizon.
Whether CPRI becomes the central academic hub of cybersecurity, its program is grand in vision.
“No entity can tackle cybersecurity alone,” said Cunningham. “That’s why CPRI is intended to be ‘a whole that is much greater than the sum of its parts.’”
UCLA School of Law
There are many paths to developing effective cyber programs, and UCLA School of Law has chosen to take a methodical approach. Instead of wide scale programs, UCLA offers a cybersecurity survey course, first launched in 2015. The potential to scale-up exists, if demand increases.
The first professor of UCLA’s first cyberlaw course went to Kristen Eichensehr. “I hope that students take away the following,” Eichensehr said: “Despite characterizations of cyberspace as the ‘Wild West,’ [students should learn that] cybersecurity issues are subject to legal rules.”
Her students seemed to have listened. “What I learned prepared me for practice as a summer associate more than any other course,” said student Natasha Amlani, who's in her third year.
IAPP’s role in academia
UC Hastings College of Law described the IAPP as the “key organization for students to get involved with to launch their privacy [and cyber] careers.” The leadership of the IAPP’s Los Angeles KnowledgeNet chapter (of which this author is a part) agrees, and has taken the initiative to collaborate with Southern California schools.
For example, in January 2016, the Los Angeles KnowledgeNet chapter, Loyola Law School and the National Cybersecurity Alliance co-planned and hosted its 2016 Data Privacy Day conference, an event that drew nearly 100 attendees, the chapter’s most well-attended event.
In fact, Loyola has since tapped four of the Los Angeles KnowledgeNet chapters' members to serve as faculty or advisors. Asked why, Loyola Prof. Aaron Ghirardelli explained, "In developing our cyber/privacy program, we naturally went to leading organizations like IAPP for input and talent.”
For its part, UCLA Law, through its Alumni Association, joined forces four times with the Los Angeles KnowledgeNet to mount events like “Intruder Alert” (a plain English walkthrough of the Lockheed Martin Cyber Kill Chain), and “The Cybersecurity War Room” (a tabletop exercise that enabled alumni from the UCLA Schools of Business, Law and Engineering to practice responding to a simulated ransomware attack). More joint programs are on the way, including programs with UCI.
While schools are take different approaches to teaching the new generation of cyber counsel, these schools would seem to indicate they're well positioned to fill the gap.
Editor's Note: Robert Kang is professionally associated with the schools referred to in this article.
Image licensed to R. Kang via iStockPhoto.com