Words of Wisdom from the Young Privacy Professionals Panel: Highlights and Takeaways 

KELSEY KENNY, Class of 2023

The evening of Thursday, November 4th, Maine Law’s Information Privacy Association, in collaboration with the Mortiz College of Law’s Data Privacy and Cyber Security Club, hosted an informal discussion panel to facilitate a dialogue between law students with an interest in information privacy and six professionals who have had success navigating the early stages of their evolving and dynamic careers in the field. Craig Carpenter, Caroline Hopland, Casey Waughn, Kenesa Ahmad, Lee Matheson, and Scott Bloomberg graciously contributed their time and insights to the forum.

The panelist’s anecdotes and advice were illuminating, energizing, and worth recounting. Law students who are unsure about the next step in their career path but are curious about information privacy and data security will find the panelist’s comments particularly insightful.

Ranging from traditional “big law” firm experience to founding and operating a consulting firm, working in-house in compliance, or as policy counsel at a privacy think-tank, the panelists brought valuable insight from a wide variety of professional backgrounds.

First question: How did you get started in privacy? 

The first panelist to answer this question suitably responded in a way that perhaps spoke to a degree of a shared sentiment on the zoom call that night: the interest in privacy is personal.

Kenesa Ahmad, a founding partner at Aleada Consulting, LLC, a boutique privacy and data protection consulting firm, was motivated to pursue a career in privacy through her interest in preserving her own privacy as a citizen. Thinking, writing, and learning about privacy with other like-minded professionals has been an integral part of her career.

Starting in the field in about 2009, Kenesa has a firm grounding in all things privacy. She attributes her success to her writing, the professional connections she made in the field, and an element of good luck and good timing.

Most panelists did not know from the start that privacy was a path they wanted to pursue.

Scott Bloomberg is an associate professor at Maine Law; he teaches courses in information privacy law, cannabis law, and constitutional law. He clerked for three years at the federal circuit and district-level courts. He also worked at Foley Hoag out of Boston before starting as a professor.

Scott mentioned that his path into the world of privacy law was non-traditional. When he began work with Foley Hoag, he saw privacy as an opportunity because it was something he could gain expertise in quickly.

Privacy is a new practice, the law is rapidly changing, and you have the opportunity as a new lawyer to become a specialist in the field quickly because everyone is on the same footing. There are new privacy laws passed every year.

This is unlike securities, for example, where partners will have 40 years of experience, and it would take a new attorney just as long to gain their level of expertise.

Scott’s word of advice: if you’re new and working in “big law,” attend different practice group meetings. Find out what they’re about, what they’re doing, chat with the partners and become a familiar face. Find a practice group you’re interested in and build professional connections from there.

When Scott started at Foley Hoag as an associate, the California Consumer Protection Act (“CCPA”) had just gone into effect– no one knew anything about this law yet. So, he saw the opportunity to become an asset to the firm by learning everything about the CCPA.

Through this endeavor, he was inspired to take the Certified Privacy Professional (“CIPP”) exam. He and several other panelists echo that having the CIPP certification on your resumé gives you instant credibility externally when applying for new jobs and within your firm. 

Lee Matheson, currently policy counsel at the Future of Privacy Forum, an international privacy think-tank, has worked as an associate attorney at Crowell & Moring’s privacy and cybersecurity group and was a 2017-2018 IAPP Westin Research fellow.[1]

He echoed Scott’s comments about the rapid development of privacy law creating opportunities for new lawyers to gain a competitive edge rapidly. Specifically referring to his experience attending the IAPP’s “Privacy. Security. Risk. 2021” annual conference in San Diego late last month. He explained that “there’s a huge demand for privacy lawyers at the entry-level” if you’re interested, there are a lot of employment opportunities. 

Craig Carpenter, a partner at Baker Hostetler, is a digital assets and data, management attorney. He has a background in science and worked for some time in intellectual property litigation. He added that if you’re going to work in a law firm, you certainly don’t have to silo yourself into one field.

If your firm doesn’t have a specialized privacy or data security practice group, you can become the issue spotter for clients or potentially help to facilitate the practice area within the firm yourself. Privacy and data security conceptually play a role in many different legal ecosystems. So first and foremost, Craig’s recommendation is to find what you’re interested in and let that interest dictate where you go next in your career. 

Next Question: Did you have an “AHA!” moment where you realized that you wanted to work in privacy? 

Personal inspiration comes from building connections with inspiring people. 

Most of the panelists described taking an eye-opening class in law school or college or working for or with an impressive privacy scholar or practitioner.

Mentorship and professional relationships are key to getting started in the field. For practical networking purposes, but also to find your personal angle of interest[2].

Lee Matheson describes how he became inspired to delve deeper into privacy after taking a class in internet law with Margot Kaminski, a renowned scholar in the field. He continued to take courses in privacy and developed valuable relationships with other members of the faculty at his law school including Dennis Hirsch, another well-known and respected privacy professional.

Lee’s advice, (that the other panelists affirmed) is to reach out to faculty members or professionals in the field that you’re inspired by. Ask questions, listen to their input, and reflect personally on what interests you about the topic.

Caroline Hopland’s fellowship with other professionals directly contributed to getting her to where she is today. Caroline is a senior regulatory compliance consultant at IBM, a position that does not require her to be a practicing attorney, though she passed and was admitted to the Massachusetts bar in 2020.

She found her “angle” while working as a research assistant to Danielle Citron. Through her research collaborating with Professor Citron, she discovered that she was particularly motivated to learn more about privacy laws and protections relating to non-consensual pornography and online abuse or harassment.

Caroline also worked at the Future of Privacy Forum as the Elise Berkower Memorial Fellow under the guidance of Dr. Gabriela Zanfir-Fortuna, where she focused on researching and writing about global privacy law. At this time there was not extensive scholarship on the interrelationship of global privacy laws. Having this research background in global privacy on her resumé proved to be one of the key factors that helped her land her current position at IBM.

Professional inspiration doesn’t only come from fellowship with “mentor” figures alone: peer-to-peer collaboration in this community is equally valuable. 

Casey Waughn, an associate attorney at Armstrong Teasdale, works on the “regulatory” side of privacy. Her work at the firm includes contractual negotiations, consulting businesses in cybersecurity or privacy as well as litigation.

Casey described how she stumbled upon the field of privacy law unintentionally. As a journalism major in her undergraduate career, she was tangentially interested in tech and privacy issues. When she was a 1L in law school, she happened to go to the school’s Data Privacy Club meeting and was inspired by the other students to take classes in privacy and data security.

She took a class with Neil Richards, an active scholar in privacy, and later worked as a student contractor then a policy fellow at the Future of Privacy Forum.

To help facilitate peer-to-peer networking and intellectual collaboration, Kenesa founded and continues to be active in directing the Women in Security and Privacy (“WISP”) organization.

WISP is a non-profit professional organization that provides scholarships for young professionals (particularly women) to attend trainings, conferences, panel events, or networking opportunities in the field of privacy and data security.

The organization also has a “tandem” mentorship program that facilitates collaborative learning by pairing people with other professionals who have skills in a field that they want to learn about. So, for example, someone who is particularly experienced in tech or engineering may choose to be partnered with a privacy attorney to learn from one another.

WISP is not stand-alone, there are many organizations that aim to help facilitate professional and intellectual development in privacy through scholarships, networking events, or mentoring programs. 

Next Question: Writing and getting published are key in this field, so what should one write about? 

The reverberating response to this question was: write about what you’re interested in. It’ll show in the quality of your work if you’re genuine about your interest in a topic. The panelists also had several concrete suggestions for topics they’d be interested to see scholarship on.

Data Sovereignty – The concept that countries have control over their citizen’s data. Kenesa suggested this topic because the regulatory implications of data sovereignty are often confusing to her clients. The political and legal implications are still murky and ripe for academic exploration.

Global privacy and data security laws – Understanding and exploring how various global privacy laws function and intersect is important considering the fact the atmosphere is constantly changing. Sharing this understanding through research and writing will make a new privacy professional a valuable asset to a company or law firm.

Cyber security and risk assessments- Beyond privacy law, Craig emphasized risk assessments are part of data security that is not going to go away. Companies use these assessments to evaluate risk in their security software all the time, exploring new mechanisms of assessing risk is valuable.

Incident and breach response – Several panelists commented that if you go into privacy law, it is invariable a company is going to ask you to help deal with a breach response scenario. Knowing how and when to help with breaches will make you an attractive candidate for jobs involving privacy.

Business advising- Translate what new laws, technology, or consent decrees mean for a business in real-time. The ability to synthesize the law and translate the requirements into “on the ground” procedures, is what companies seek from privacy professionals.

Pick a current event and evaluate what the privacy implications are – There are so many avenues that one can travel when addressing how the law addresses or fails to address privacy. The best way to find a truly novel application of the law is to apply it to a contemporaneous fact pattern and postulate how the law will or should factor in.

Takeaways: 

  • Let your genuine interests guide you 
  • Don’t feel as though you have to remain in one practice area 
  • Don’t feel as though you have to be a practicing attorney 
  • Make connections with people who inspire you 
  • Contribute to the conversation with writing and collaboration 
  • Be forward-looking, creative, and active 

Special thanks to Noah Katz, Moritz College of Law Class of 2023, for inviting Maine Law to take part in this panel! 

[1] The IAPP Westin Research Fellowship is a program run by the International Association of Privacy Professionals (“IAPP”) where a recent graduate is selected to spend a year working on a wide array of privacy research projects with the view of supporting growth and development of the privacy profession and furthering understanding of major privacy issues.

[2] LinkedIn can be a very helpful resource as a new privacy professional to establish connections and discover job opportunities.