Monday, August 20, 2018

Becoming an ABA/IAPP Certified Privacy Law Specialist

I have just been certified as a Privacy Law Specialist by the International Association of Privacy Professionals, and by extension the American Bar Association, as part of the inaugural class of this brand new area of specialization.  Because a specialization in privacy law is something that has never before been possible in the United States, I thought I would describe the specialization, the application criteria and process, and how the ABA/IAPP certification interacts with state bar rules.

What is a legal specialization?

Many lawyers limit their practices to certain areas of law, because, frankly, the law has become far too complex for any one person to be competent, let alone proficient, in the entire spectrum of law.   Not every lawyer who focuses his or her practice on one or two areas of law, however, is necessarily proficient.  Recognizing this, virtually all state bars (the regulatory bodies that govern the practice of law) prohibit attorneys from calling themselves "specialists" or "experts" (or similar terms) unless they have been certified as specialists.  Certification is intended to objectively verify the lawyer's mastery of the practice area.  (See, for example, Rule 7.4 of the Rules of Professional Conduct of the North Carolina State Bar.)  According to the North Carolina State Bar:
"Certification of lawyers as specialists by an objective entity and according to objective criteria fulfills the mission of the State Bar to protect the public by providing relevant, truthful, and reliable information to consumers of legal services. Certification helps consumers to identify lawyers who have experience and skill in a certain area of practice. Certification also helps lawyers by encouraging them to improve their expertise in particular areas of practice and providing them with a legitimate way of informing the public and other lawyers of this expertise."
Most state bars create specializations and the associated criteria themselves, but about one-half of all states allow lawyers to hold themselves out as specialists if they are certified by an American Bar Association (ABA) accredited entity.

Why did the ABA and IAPP create this specialization?

After extensive deliberation, the American Bar Association's House of Delegates voted in February 2018 to approve a new certification in privacy law, making it the 15th such accredited specialization.  Although no state bar had yet issued a specialization certificate in privacy law, it had become clear that lawyers were focusing their practices on this rapidly-evolving area of law, which was becoming more and more complex and specialized.  The ABA acknowledged that privacy law has become so specialized that the public would benefit by knowing which attorneys could be deemed proficient according to objective standards.

What are the requirements?

If you want to be considered for Privacy Law Specialist status, you must meet each of the following seven requirements:
  1. Be an attorney admitted in good standing in at least one U.S. jurisdiction; 
  2. Earn a CIPP/US designation; 
  3. Earn either a CIPM or CIPT designation; 
  4. Pass a legal ethics exam administered by the IAPP (similar to a mini-MPRE exam) or submit a very recent MPRE score of at least 80 points;
  5. Provide evidence of “ongoing and substantial” involvement in the practice of privacy law (at least 25% of your full-time practice over the last three years);
  6. Supply evidence of at least 36 hours of continuing education in privacy law for the three-year period preceding the application date; and
  7. Provide five to eight peer references from attorneys, clients or judges who can personally attest to your qualifications.

What is the application process?

First, you need to achieve a passing score on each of three examinations: the CIPP/US exam, either the CIPM or CIPT exam, and the legal ethics exam.  These tests are all administered electronically at testing centers around the world.  You can schedule the exams online at the testing center nearest you, and results are delivered instantly.  The IAPP offers study guides for all of the exams except for the ethics exam.  (However, I created a study manual for the ethics exam, which I am happy to share with you.  Just connect with me on LinkedIn and send me a message!)

Next, you need to compile information about at least 36 hours of continuing education that you have obtained in the past three years relating to privacy or a closely-related area.  If you have not yet taken enough continuing education courses in the area, you need to defer your application and focus on obtaining more continuing education credits. 

You will also need to identify peers who will serve as your references.  I recommend you select lawyers with (or against) whom you have worked, because they have the best, firsthand knowledge of your experience and expertise.  I also suggest you confirm that they are willing to serve as a reference before you submit their names (because...courtesy!) and that you submit at least eight rather than the minimum number of five.  If some of your references get busy and fail to respond to the IAPP, your application could be denied. 

Of course, you will need to pay a fee.  For the $125 application fee, your initial IAPP membership will be included.  You do not have to become an IAPP member, but the annual certification fee is equivalent to the IAPP membership fee, and the membership is included, so it is difficult to imagine why any certificate holder would not also be a member.

Where can I learn more?

That's easy: The IAPP's website has more info.  (Also, the IAPP's staff was pretty cool about answering my questions.)

Can I become a state bar certified specialist in privacy law?

Not quite yet.  No state bar has certified specialists in privacy law, but the North Carolina State Bar has already approved a specialization in privacy and data security law, and the first examination will be administered this fall.  This effort (led by yours truly) has been underway since before the ABA considered adopting a privacy law specialization, but the ABA was able to move more quickly because it decided to rely primarily on existing IAPP examinations.  In North Carolina, applicants will take a three-hour examination that we are creating, which focuses on North Carolina law, in addition to the IAPP's CIPP/US examination.  The first application deadline has already come and gone, and we look forward to certifying our first class of specialists soon!  If you are interested in establishing a privacy and data security specialization in your state, I would be happy to share my experiences with you.

Tuesday, August 14, 2018

What's a Certified Information Privacy Manager?

Not long ago, I became a Certified Information Privacy Manager.  "What is that, and why did you do it," you ask?  

About three years ago, and after practicing privacy law for a few years, I became a Certified Information Privacy Professional.  Since then, I have left private practice to become in-house counsel.  As an in-house lawyer, one of my challenges is helping my internal clients operationalize the legal advice I provide at the point where "the rubber meets the road."  As a result, I became interested in privacy management: the practical implementation of privacy law and policies.  I studied the comprehensive guidebook, Privacy Program Management, published by the International Association of Privacy Professionals, and then decided to become a Certified Information Privacy Manager (CIPM).  

This summary of the CIPM is for others who may be interested in pursuing the certification.

Studying Privacy Program Management involves learning, at a very specific level, about the processes that organizations use to implement privacy, as well as the benefits and detriments of each approach.  The materials cover the following areas, and the comprehensive CIPM exam tests applicants on the same areas: 

I. Privacy Program Governance
A. Organization Level
a. Create a company vision
i. Acquire knowledge on privacy approaches
ii. Evaluate the intended objective
iii. Gain executive sponsor approval for this vision
b. Establish a privacy program
i. Define program scope and charter
ii. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws
iii. Develop a privacy strategy
1. Business alignment
a. Finalize the operational business case for privacy
b. Identify stakeholders
c. Leverage key functions
d. Create a process for interfacing within organization
e. Align organizational culture and privacy/data protection objectives
f. Obtain funding/budget for privacy and the privacy team
2. Develop a data governance strategy for personal information (collection, authorized use, access, destruction)
3. Plan inquiry/complaint handling procedures (customers, regulators, etc.)
c. Structure the privacy team
i. Governance models
1. Centralized
2. Distributed
3. Hybrid
ii. Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization
1. Large organizations
a. Chief privacy officer
b. Privacy manager
c. Privacy analysts
d. Business line privacy leaders
e. “First responders”
2. Small organizations/sole data protection officer (DPO) including when not only job
iii. Designate a point of contact for privacy issues
iv. Establish/endorse the measurement of professional competency
B. Develop the Privacy Program Framework
a. Develop organizational privacy policies, standards and/or guidelines
b. Define privacy program activities
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data inventories, data flows, and classification
v. Risk assessment (Privacy Impact Assessments [PIAs], etc.)
vi. Incident response and process, including jurisdictional regulations
vii. Remediation
viii. Program assurance, including audits
C. Implement the Privacy Policy Framework
a. Communicate the framework to internal and external stakeholders
b. Ensure continuous alignment to applicable laws and regulations to support the development of an organizational privacy program framework
i. Understand applicable national laws and regulations (e.g., GDPR)
ii. Understand applicable local laws and regulations
iii. Understand penalties for noncompliance with laws and regulations
iv. Understand the scope and authority of oversight agencies (e.g., Data Protection Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
v. Understand privacy implications of doing business in or with countries with inadequate, or without, privacy laws
vi. Maintain the ability to manage a global privacy function
vii. Maintain the ability to track multiple jurisdictions for changes in privacy law
viii. Understand international data sharing arrangements and agreements
D. Metrics
a. Identify intended audience for metrics
b. Define reporting resources
c. Define privacy metrics for oversight and governance per audience
i. Compliance metrics (examples, will vary by organization)
1. Collection (notice)
2. Responses to data subject inquiries
3. Use
4. Retention
5. Disclosure to third parties
6. Incidents (breaches, complaints, inquiries)
7. Employees trained
8. PIA metrics
9. Privacy risk indicators
10. Percent of company functions represented by governance mechanisms
ii. Trending
iii. Privacy program return on investment (ROI)
iv. Business resiliency metrics
v. Privacy program maturity level
vi. Resource utilization
d. Identify systems/application collection points

II. Privacy Operational Life Cycle
A. Assess Your Organization
a. Document current baseline of your privacy program
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data, systems and process assessment
1. Map data inventories, flows and classification
2. Create “record of authority” of systems processing personal information within the organization
3. Map and document data flow in systems and applications
4. Analyze and classify types and uses of data
v. Risk assessment (PIAs, etc.)
vi. Incident response
vii. Remediation
viii. Determine desired state and perform gap analysis against an accepted standard or law
ix. Program assurance, including audits
b. Processors and third-party vendor assessment
i. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks
1. Privacy and information security policies
2. Access controls
3. Where personal information is being held
4. Who has access to personal information
ii. Understand and leverage the different types of relationships
1. Internal audit
2. Information security
3. Physical security
4. Data protection authority
iii. Risk assessment
1. Type of data being outsourced
2. Location of data
3. Implications of cloud computing strategies
4. Legal compliance
5. Records retention
6. Contractual requirements (incident response, etc.)
7. Establish minimum standards for safeguarding information
iv. Contractual requirements
v. Ongoing monitoring and auditing
c. Physical assessments
i. Identify operational risk
1. Data centers
2. Physical access controls
3. Document destruction
4. Media sanitization (e.g., hard drives, USB/thumb drives, etc.)
5. Device forensics
6. Fax machine security
7. Imaging/copier hard drive security controls
d. Mergers, acquisitions and divestitures
i. Due diligence
ii. Risk assessment
e. Conduct analysis and assessments, as needed or appropriate
i. Privacy Threshold Analysis (PTAs) on systems, applications and processes
ii. Privacy Impact Assessments (PIAs)
1. Define a process for conducting Privacy Impact Assessments
a. Understand the life cycle of a PIA
b. Incorporate PIA into system, process, product life cycles
B. Protect
a. Data life cycle (creation to deletion)
b. Information security practices
i. Access controls for physical and virtual systems
1. Access control on need to know
2. Account management (e.g., provision process)
3. Privilege management
ii. Technical security controls
iii. Implement appropriate administrative safeguards
c. Privacy by Design
i. Integrate privacy throughout the system development life cycle (SDLC)
ii. Establish privacy gates (PIAs/Data Protection Impact Assessments [DPIAs]) as part of the standard process and system development framework
C. Sustain
a. Measure
i. Quantify the costs of technical controls
ii. Manage data retention with respect to the organization’s policies
iii. Define the methods for physical and electronic data destruction
iv. Define roles and responsibilities for managing the sharing and disclosure of data for internal and external use
b. Align
i. Integrate privacy requirements and representation into functional areas across the organization
1. Information security
2. IT operations and development
3. Business continuity and disaster recovery planning
4. Mergers, acquisitions and divestitures
5. Human resources
6. Compliance and ethics
7. Audit
8. Marketing/business development
9. Public relations
10. Procurement/sourcing
11. Legal and contracts
12. Security/emergency services
13. Finance
14. Others
c. Audit
i. Align privacy operations to an internal and external compliance audit program
1. Knowledge of audit processes
2. Align to industry standards
ii. Audit compliance with privacy policies and standards
iii. Audit data integrity and quality
iv. Audit information access, modification and disclosure accounting
v. Communicate audit findings with stakeholders
d. Communicate
i. Awareness
1. Create awareness of the organization’s privacy program internally and externally
2. Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements
3. Develop internal and external communication plans to ingrain organizational accountability
4. Identify, catalog and maintain documents requiring updates as privacy requirements change
ii. Targeted employee, management and contractor training
1. Privacy policies
2. Operational privacy practices (e.g., standard operating instructions), such as
a. Data creation/usage/retention/disposal
b. Access control
c. Reporting incidents
d. Key contacts
e. Monitor
i. Environment (e.g., systems, applications) monitoring
ii. Monitor compliance with established privacy policies
iii. Monitor regulatory and legislative changes
iv. Compliance monitoring (e.g. collection, use and retention)
1. Internal audit
2. Self-regulation
3. Retention strategy
4. Exit strategy
D. Respond
a. Information requests
i. Access
ii. Redress
iii. Correction
iv. Managing data integrity
b. Privacy incidents
i. Legal compliance
1. Preventing harm
2. Collection limitations
3. Accountability
4. Monitoring and enforcement
ii. Incident response planning
1. Understand key roles and responsibilities
a. Identify key business stakeholders
1. Information security
2. Legal
3. Audit
4. Human resources
5. Marketing
6. Business development
7. Communications and public relations
8. Other
b. Establish incident oversight teams
2. Develop a privacy incident response plan
3. Identify elements of the privacy incident response plan
4. Integrate privacy incident response into business continuity planning
iii. Incident detection
1. Define what constitutes a privacy incident
2. Identify reporting process
3. Coordinate detection capabilities
a. Organization IT
b. Physical security
c. Human resources
d. Investigation teams
e. Vendors
iv. Incident handling
1. Understand key roles and responsibilities
2. Develop a communications plan to notify executive management
v. Follow incident response process to ensure meeting jurisdictional, global and business requirements
1. Engage privacy team
2. Review the facts
3. Conduct analysis
4. Determine actions (contain, communicate, etc.)
5. Execute
6. Monitor
7. Review and apply lessons learned
vi. Identify incident reduction techniques
vii. Incident metrics—quantify the cost of a privacy incident

The examination lasts two hours, and can be taken at one of the approved testing centers around the world.  Examinees who pass are notified instantly, and certificates are delivered within a matter of weeks.  Once certified, CIPMs must complete a significant amount of continuing privacy education each year in order to maintain the certification, which you can read about here.

If you would like to learn more about the CIPM credential, check out the IAPP's Resource List, Body of Knowledge, Candidate Handbook, Exam Blueprint, and preparation guide.  Good luck!