The American Bar Association Has Authorized a New Specialization in Privacy Law

At the American Bar Association's mid-year meeting in Vancouver, B.C. earlier this week, the Standing Committee on Specialization did something that I frankly did not expect:  It approved International Association of Privacy Professionals' certifications for purposes of ABA designation as a legal "specialist." 


IN A NUTSHELL: For those who already hold the IAPP CIPP/US and either the CIPM or the CIPT certifications, this means that they may soon be permitted to begin referring to themselves as "specialists" in privacy law.

The development came as a surprise to me because the Standing Committee on Specialization had previously considered the proposal at the 2017 Midyear Meeting and again at the 2017 Annual Meeting and declined to move forward, after significant debate; however, the proposal, known as Resolution 103A, was brought for a vote once again at the Committee on Specialization's meeting this week.  According to the ABA, there was "a spirited debate" with "several people" expressing concerns with the scope of the subject matter (i.e., the way IAPP defined the field of privacy law) and the potential for confusion about what a privacy law specialization entails.  The Committee’s role, however, was to determine whether the IAPP's certification process had met the requirements set out in the ABA’s Standards for Accreditation of Specialty Certification Programs For Lawyers. The "ayes" and "nays" were so close, according to the ABA, that the chair of the House of Delegates had to call for a second voice vote to determine the outcome.  The approval is valid for five years, after which the Committee will re-evaluate the IAPP for continued approval.

The specialization credential requires each of the following:

1. Be an attorney admitted in good standing in at least one U.S. state. 
2. Hold a current IAPP CIPP/US certification. 
3. Hold one of the following IAPP certifications: CIPM or CIPT. 
4. Pass a new IAPP examination on professional responsibility in the practice of Privacy Law. 
5. Demonstrate current and ongoing "substantial involvement" in the practice of Privacy Law (meaning that in the prior three years, devoting at least 25% of one's time to the practice of privacy law). 
6. Submit evidence of at least 36 hours of participation in qualified continuing legal education in the field of privacy law for the prior 3-year period. 
7. Provide five to eight peer references attesting to applicant’s qualifications and "substantial involvement" in the practice of Privacy Law.

Roughly one-half of U.S. state bars recognize the ABA’s specialty certification programs. Some states require attorneys to be acknowledged as specialists by their own state-level programs, while others do not require certification by an accredited program before a lawyer can call himself or herself a "specialist," and a few do not allow advertising of specialty regardless. 


North Carolina's Rule of Professional Conduct 7.4 allows lawyers who are certified under the ABA's specialty certification programs to use the term "specialist" to describe themselves. 


The Privacy and Information Security Law Specialization Committee of the NC State Bar, which I chair, continues its work on a North Carolina State Bar certification, notwithstanding the ABA's decision.  North Carolina State Bar certification will be materially different from ABA certification in ways that I think are meaningful, and I look forward to describing how and why North Carolina State Bar certification will be attractive for attorneys and useful for clients in an upcoming post.