The IAPP’s “Profiles in Privacy” series features a monthly conversation with a notable privacy professional to discuss their journey in privacy, challenges and lessons learned along the way, and more.
When Kirk Nahra, CIPP/US, talks about his career, the WilmerHale partner and Cybersecurity Privacy Practice co-chair doesn’t give the impression that he is a leading voice on privacy and cybersecurity matters in the U.S.
Undoubtedly, however, Nahra, who counsels clients from a wide variety of industries, is a go-to resource on data security and cybersecurity issues, analyzing and implementing health care, privacy and data security laws in the U.S. and beyond. For his leadership and knowledge in the space, Nahra was awarded the Vanguard Award in 2021 by the IAPP, an organization he has been involved with from its inception more than 20 years ago — serving as the first editor of The Privacy Advisor publication, as a member of the organization’s board of directors and most recently ending a term on its Publications Advisory Board.
But that’s not his focus as he talks effortlessly and enthusiastically about his involvement with young privacy minds as a mentor and educator and using his own experience to help guide their paths.
“What I’ve done in my career had nothing to do with anything I studied in law school, anything to do with why I went to that firm in the first place, anything I ever thought about doing and most of the work didn’t really exist,” said Nahra, an adjunct professor at American University’s Washington College of Law and frequent guest lecturer on privacy and data security issues at other law schools.
When he began privacy work in 1999, Nahra said he had limited experience with the emerging field through cases of health care and insurance fraud. As the Gramm-Leach-Bliley and Health Insurance Portability and Accountability Acts came to be, Nahra said he “saw what seemed like an opportunity.”
“My core clients at the time were health insurers. Fortuitous for me, they happened to be the only companies who were covered by both of those laws and so they needed help. There was a new set of laws that were tied to them,” he said. “I sort of took advantage of it as an opportunity for me as a lawyer and at the time I didn’t know that it was going to be anything more than that. I would love to have said I predicted it would be this great, huge thing, but I cannot say that was the case.”
Twenty-four years later the field has changed drastically with a variety of HIPAA evolutions, ever-emerging and evolving issues like data security, data breach compliance and so much more. In 2019, after more than 30 years at Wiley Rein in Washington, D.C., Nahra moved to WilmerHale, where he said his scope in privacy work “greatly expanded.”
“If you go down the list of companies that have major privacy issues, we represent almost all of them on something,” he said.
Nahra said his professional interests lie “at the intersection of academics and policy and law.” He spends a lot of time and energy identifying issues and how to deal with them, for instance in the expansion of health-related data not regulated by the HIPAA rules.
“It’s both a problem and an issue right now. It’s a compliance issue, it’s a regulatory issue, it’s a legislative issue, it’s a policy strategy issue and it’s really interesting. I’m not sure I know the answer to it, but I know the right questions and I think a lot of them are not necessarily getting thought about enough,” he said.
Nahra also spent a lot of time on national legislative issues in recent years and closely watches advancements toward a federal privacy law. He worries too much time and energy is spent on “a couple of issues” around comprehensive privacy law, like preemption, while the substance of proposals and continuously emerging state laws are not getting enough attention.
“The (federal) proposals and the state laws at this point all exempt people covered by the federal laws. That’s ok. It makes my life sort of easier to some extent. But what that means, at the same time, is we’re going to continue to have different sets of rules for the same data held by different people,” he said. “I just think that’s a weird result and I think we’ve sort of backed into it, and I don’t know how much attention has been paid to it.”
Despite the issues and the work ahead, Nahra said he believes the U.S. will see a national privacy law “by the end of this presidential term” — January 2025.
If efforts to pass federal legislation continue to fail in Congress, Nahra said he’ll be watching closely as more state legislators are likely to pass laws “or at least get them started” in 2023.
“I think that becomes a sort of circular effect, as more and more states start to do that, I think it puts more pressure on companies and the companies will put more pressure on Congress to have a national law,” he said. “So that cycle could play on itself. I don’t know if that’s going to happen at all, but I think there’s a decent chance it happens.”
At this stage in his career, with seniority and years of experience, Nahra said the volume of clients he works with is “enormous.” He not only handles day-to-day topics like security breaches, state laws and privacy policies, but is also often called to consult on cases. It also gives him the flexibility to explore topics like federal privacy legislation and to give back through teaching, mentorship and just being a resource to those who need it.
“I try to encourage it and there are certainly days where it’s difficult, but I think it’s important to do, I like doing it and I think I’m good at it, for the most part,” he said.