June 27, 2016

A Great Honor And A Greater Responsibility

Going to the NC Bar Association Gala

One of the best pieces of advice I have received in my professional life was when Knox Proctor took me to lunch during my first week as a lawyer and suggested (okay, insisted) that I become actively involved in the North Carolina Bar Association "because it's the right thing to do."  I promptly signed a volunteer form and was placed on a committee of the Young Lawyers Division.

Nine years (and hundreds of volunteer hours) later, I find myself leading the more than 6,400 members of the Young Lawyers Division of the North Carolina Bar Association.

What an honor and a tremendous responsibility it is to lead such an incredible group of people. The young lawyers who make up the YLD's leadership team and active volunteer committee members truly represent the best of our profession. They are smart, hardworking, selfless people who are giving of their time and talents, and are leading our members--thousands of lawyers and law students--to achieve some remarkable things.  They are giving their scarce time (and abundant talents) to provide wills to first responders and scholarships to the children of fallen law enforcement officers, assist veterans, help victims of natural disasters, amass 300,000 lbs of food for the hungry...and the list goes on and on.

I am the 62nd chair of the Young Lawyers Division, which was established in 1954 by Charles Blanchard.  Although we have grown from five to 6,400, our mission has changed very little.  We continue to serve the public, serve the legal profession, and provide leadership opportunities and training to young lawyers. 

L-R: Deyaska Spencer Sweatman, Jason Walters, Matt Cordell, Cabell Clay, Rachel Blunk, Martha Bradley, Kristen Kirby, Brooks Jaffa, Harrison Lord, and Bryan Norris.

The YLD is where the future leaders of the NC Bar Association, the state, and the nation gain valuable leadership experience. This is evident from a quick look at the accomplishments of the prior YLD chairs: Seven have become presidents of the NCBA, and an eighth is the president-elect.  One became president of the American Bar Association.  Two became president of the State Bar.  Two more took the helm of Legal Aid.  A significant number went on to hold public office.  Again, that's just the prior Chairs. Scores of other YLD officers, directors and committee chairs honed leadership skills in the YLD that propelled them on to great things later in life.  I am absolutely confident that our current leaders will be the future leaders of the state of North Carolina.  Many of them will quickly eclipse my own accomplishments--of that I am certain.

I look forward to working this year, for the tenth year, with some of the finest young lawyers in the world.

June 14, 2016

New NC Law Enhances Student Privacy Rights and Restricts Providers of Online Educational Resources

Education technology (or "EdTech") organizations will want to pay close attention to a new North Carolina statute that was signed into law a couple of days ago.  On Thursday, June 9, 2016, a new law titled "An Act to Protect Student Online Privacy" was enacted to further protect the privacy of K-12 students in North Carolina.  It becomes effective October 1st...

Read the rest of this post on the NC Privacy and Information Security Law blog: http://privacylawnc.blogspot.com/2016/06/NCEdTech.html

May 31, 2016

Another Setback in U.S. - European Commerce: Regulator Rejects the Privacy Shield Agreement

Yesterday, the European Data Protection Supervisor (EDPS) delivered a crushing blow to the proposed EU/US Privacy Shield, sending U.S. and European negotiators back to the drawing board. I posted my initial analysis on the NC Privacy and Information Security Law Blog here:


If you do business with Europeans, you should be following this legal saga with interest.

January 30, 2016

Thanks, y'all!

Thanks, y'all!  I am very honored to be named, along with a number of fine lawyers across the state, in Business North Carolina's 2016 "Legal Elite" as well as in Thomson Reuters' Super Lawyers for 2016.

What is the "Legal Elite"? 

This year I was listed in the "Business" category of the Legal Elite, as well as the "Young Guns" category (which is reserved for young lawyers in any practice area).  Each year, Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories of law?"   The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

What is "Super Lawyers"?

Super Lawyers uses a rigorous method that is intended to create a credible, comprehensive listing of outstanding attorneys in each state.  Super Lawyers compiles its list each year using peer nominations from lawyers around the state, peer evaluations, and independent, third-party research.  Each candidate receiving sufficient nominations from across the state is evaluated on 12 criteria of professional achievement.  The selection process for the "Super Lawyers--Rising Stars" list is the same, with one exception: to be eligible for inclusion in Rising Stars, a candidate must be 40 years old or younger or in practice for 10 years or less.  The idea is that it is very difficult for young lawyers to develop a significant statewide reputation within the first ten years of practice, so a separate process is used for them.  While up to 5 percent of the lawyers in the state are named to Super Lawyers, no more than 2.5 percent of eligible lawyers are named to the Rising Stars list.

I am so very blessed to have worked with so many exceptional lawyers across North Carolina, and I appreciate each of you who participated in these and similar peer review processes.  I sincerely appreciate your friendship and trust.  I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included but were inexplicably absent from the lists).   May this new year bring each of you the success and recognition you have earned!

December 16, 2015

New European Privacy Plan Announced

Earlier this week, the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans.

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes.”  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, and can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent, unless the member nation passes a law lowering the age (to no lower than 13).

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow (December 17), and if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development. 

Source: https://iapp.org/news/a/gdpr-we-have-agreement/

December 1, 2015

PSA: New North Carolina Laws Become Effective Today (December 1, 2015)

The law is ever-changing, which is part of the reason I find it fascinating.  Several new North Carolina laws become effective today, December 1st.  Many of them are criminal laws, but some that may be of interest to business owners and managers include the following:
 - Electronic signature and notarization on vehicle titles [SL 2015-270 / SB 370]
 - An omnibus regulatory reform bill [SL 2015-286] that, among other things:
  • Repeals the offense of using profane or indecent language on public highways, except in certain counties;
  • Repeals the offense of refusing to relinquish party telephone line in emergency;
  • Excludes volunteers and officers of certain nonprofits from the definition of "employee" for purposes of the Workers' Compensation statute;
  • An expansion of the "Good Samaritan" law to allow well-intentioned people to break into a car, boat or aircraft to assist a person in need; and
  • Numerous environmental law changes.

 - Privacy law enhancements (including the so-called "revenge porn" law) [SL 2015-250 / HB 792] (See www.PrivacyLawNC.com for more.)

You can find out more about each of these laws and more in the N.C. General Assembly's summary, available here.


October 6, 2015

The EU/US Safe Harbor Is No Longer Safe!

Today, Europe's top court, the European Court of Justice, ruled that a 15-year-old pact between the United States and the European Union which allowed American organizations to handle the personal data of Europeans (the EU/US Safe Harbor) was invalid.  The decision will have massive, far-reaching implications for American businesses and organizations that are active in Europe.

The Backdrop

Trans-Atlantic data transfers involving the personal information of Europeans must comply with the Data Protection Directive, which is a European pact that has been adopted by each member state (i.e., most of Europe, but not Switzerland).  The Directive requires that a transfer of personal data to a non-EU country may take place only if that country ensures an adequate level of data protection and privacy. The Directive also provides that the EU Data Protection Commission may determine that a non-EU country ensures an adequate level of protection as a result of that country's own domestic privacy laws or an international treaty.  

Photo: Paris business district, by Loïc Lagarde (flickr)

The Facts

The challenge to the Safe Harbor arose in legal proceedings between an Austrian citizen, Mr. Maximilian Schrems, and the Irish Data Protection Commissioner concerning the Commissioner's refusal to investigate a complaint made by Schrems.  Schrems has been a Facebook user since 2008, and some or all of the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States. Schrems lodged a complaint with the Irish Commissioner, alleging that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (specifically the NSA), the law and practice of the United States do not offer sufficient protection against surveillance. 

The Issues

In response to Schrems' allegations, Facebook pointed out that it was fully compliant with the EU/US Safe Harbor and the US Department of Commerce's requirements for participation in the Safe Harbor.  The Irish Commissioner refused to consider the complaint because the EU Data Protection Commission had long ago ruled (in 2000) that the EU/US Safe Harbor was a valid basis for the trans-Atlantic transfer of personal data of European citizens.  (As a technical legal matter, the case was a challenge of the validity of Commission Decision 2000/520/EC (26 July 2000) pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbor privacy principles and related FAQ issued by the US Department of Commerce.)

The Court's Conclusions

The Court concluded that the decision by the EU Data Protection Commission that the EU/US Safe Harbor is valid did not preclude a member nation's Data Protection Commissioner (in this case Ireland) from reaching the opposite conclusion.  The Court ruled that the Irish Commissioner should have heard the complaint and made an independent determination whether the EU/US Safe Harbor provides adequate protection of the personal information of EU citizens in light of the fact that the US government's surveillance programs might not respect the privacy of EU citizens as interpreted under EU law. 

The Court went further to evaluate the 2000 decision of the EU Data Protection Commission.  It determined that in the US, national security, public interest and law enforcement interests prevail over the Safe Harbor scheme, so that United States organizations are required by US law to disregard the protective rules laid down by the Safe Harbor when they conflict with US policy interests.  The Court then concluded that US law, and the Safe Harbor, enable interference by United States national security and law enforcement authorities with the fundamental rights of Europeans. This interference is incompatible with the Directive, said the Court.

Having reached these conclusions, the Court held that the Irish Commissioner was required to evaluate Schrems’ complaint "with all due diligence" and following its "investigation," was obligated to "decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."  The Court essentially remanded the case to the Irish Commissioner with instructions to evaluate the issues, and with the subtext that the EU/US Safe Harbor is inadequate.

You can read the Court's decision here, and the Court's press release here.

No appeal is possible, because the European Court of Justice is the equivalent of the U.S. Supreme Court--the court of last resort.  Simultaneously, European leaders and US officials are negotiating a new agreement on trans-Atlantic data transfers.  Today's decision will no doubt create a new degree of urgency in those talks.

What Does It Mean to Your Organization?

The likely outcome of this decision is that transfers of personal data made under the auspices of the Safe Harbor may violate European data protection laws.  In other words, the Safe Harbor is not really "safe" after all.  Without the Safe Harbor, each country in the EU could reach different conclusions as to whether US privacy laws and practices satisfy the EU's Directive, which would require US companies to address each member nation's laws individually rather than satisfying a single set of EU requirements.  This could create enormous obstacles to US organizations doing business in Europe.

As a result, organizations are well-advised to take a belt-and-suspenders approach (or "belt-and-braces" as they say across the Atlantic) by ensuring that data transfers are justified on another basis (in addition to compliance with the Safe Harbor). Those other bases include "binding corporate resolutions" (in which the organization essentially passes a binding corporate resolution to comply with EU law with respect to EU personal data) and "model clauses" (which are contractual obligations to comply with EU privacy requirements).  The binding corporate resolutions and model clauses have frequently been deemed more onerous for US organizations than the Safe Harbor's requirements.  As a result, fewer US organizations have these measures in place.  Many will be scrambling to adopt them in light of the new uncertainty of the "Safe" Harbor.

August 8, 2015

The Law of Prize Drawings: It's All Fun and Games, Until...

photo by Elliotphotos / foter

Everyone loves a game. Games activate the creative, imaginative portions of our minds in ways that captivate our attention. Games can help organizations engage with people, which is why marketing professionals love games. Businesses, governments and nonprofits have found tremendous success in garnering attention through various sorts of contests and games. Ancient rulers used games to win the allegiance of their subjects.  In more recent times...well, who among us hasn't played McDonald's Monopoly?

The uncertainty of outcomes is part of what makes games fun. Unfortunately, nefarious characters have also used games in unethical ways, causing state and federal governments to enact laws governing the use of certain games. Anyone who wishes to sponsor a game should give thought to whether these laws apply, in order to avoid running afoul of regulatory authorities and being sued in a class action. The following is a basic overview of the federal and North Carolina laws governing games and contests.


State laws restrict lotteries for two primary reasons. First is the potential for harm to the public (especially "problem gamblers"). Second, a state may create a government monopoly on lotteries, which allows it to raise money without competition. The penalties for violating these laws can be significant.

A lottery is generally defined by three elements: a chance for a prize for a price. Not all lotteries are easy to identify. A cash entry fee is certainly a telltale sign of a lottery; however, purchase requirements and noncash entry "prices" can also cause a game to be deemed a lottery. If a purchase is required to enter into a drawing or other game of chance, the event may well be a lottery. Courts in some other states have held that merely requiring participants to travel to the sponsor's premises to register is a sufficient "price" to cause the promotion to be deemed a lottery, even if the participants are not required to buy anything. North Carolina courts have never gone that far, but it should be remembered that nonfinancial, performance-based conditions to entry might cause a promotion to be considered a lottery.

A "raffle" is nothing more than a specific type of lottery. It is a game in which the prize is won by random drawing of the name or number of one or more persons purchasing chances. For-profit entities are prohibited by North Carolina law from hosting a raffle. A tax-exempt nonprofit organization, candidate, political committee, or government entity is permitted to host up to two (2) raffles per year. If a nonprofit hosts the raffle, a certain percentage of the net proceeds must be used for charitable, religious, educational, civic, or other nonprofit purposes. There are also some specific items that the net proceeds of the raffle cannot be used to pay.

Sweepstakes/Prize Drawings

Under federal law, a chance to win a prize for which no money or other item of value is paid is called a "sweepstakes." (Often we see or hear these advertised on television or radio, and the announcer rattles off "no purchase necessary to enter.") There are federal requirements regarding the disclosure of terms and conditions, and other specific items. North Carolina law covers the same subject, although the term "sweepstakes" is not used. The requirements of North Carolina and federal law are similar, but there are a few differences.

The sponsor of a prize drawing should disclose to each participant the following information:
  • the name of the organization conducting the contest and its principal business address
  • all conditions that a participant must meet
  • an accurate description of each prize to be awarded
  • the retail value of each prize
  • the number of each prize to be awarded
  • the odds of receiving each prize

The law also contains requirements for the precise placement of certain disclosures on any advertisements.

A disclaimer should be included in all materials related to a sweepstakes or drawing that explains in clear terms that no purchase is necessary to enter or win, and that a purchase will not increase the chances of winning.

In addition to these statutory requirements, there are additional considerations that a drawing or contest sponsor will want to address in order to limit its liability under contract law and tort law.

Tax Reporting Requirements

The Internal Revenue Code and U.S. Treasury regulations require an organization awarding a prize to file informational returns with the IRS when the prize is valued at a certain amount (currently $600), and to withhold a certain percentage of the winnings (currently 25%) if the value exceeds another amount (currently $5,000). Failing to file or withhold can result in the organization being held liable for the tax.

Alcoholic Beverage Law

North Carolina law addresses the sale or consumption of alcoholic beverages in connection with a game of chance. Sale or consumption of alcohol cannot occur in the same room while a raffle or bingo game is "being conducted." The statute does permit a drawing to occur in an adjacent room where alcohol is neither sold nor consumed. Specifically, no alcohol may be sold, served or consumed in a room when any of the following activities are ongoing: when a "prize is won," a "random drawing by name or number" occurs, a person "purchases chances," winners are announced, or prizes are awarded.

Time to Play!

By complying with the applicable state and federal laws, an organization can reap the benefits of a game without the risks. An expert who knows these rules and how to implement them can help an organization quickly and efficiently plan an event that will be fun and effective for everyone.

photo by torbakhopper / foter

Raleigh Attorney Matt Cordell has been named among the best lawyers in North Carolina by numerous organizations and peer surveys. 


July 3, 2015

What Does It Mean To Be "Certified" In Privacy And Information Security?

I recently became certified by the IAPP in information privacy and received the CIPP/US designation. "What does that mean?" you ask? Good question!

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws. Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
  A. Structure of U.S. Law
      i. Constitutions
      ii. Legislation
      iii. Regulations and rules
      iv. Case law
      v. Common law
      vi. Contract law
    c. Legal definitions
    d. Regulatory authorities
      i. Federal Trade Commission (FTC)
      ii. Federal Communications Commission (FCC)
      iii. Department of Commerce (DoC)
      iv. Department of Health and Human Services (HHS)
      v. Banking regulators
      vi. State attorneys general
      vii. Self-regulatory programs and trust marks
    e. Understanding laws
      i. Scope and application
      ii. Analyzing a law
      iii. Determining jurisdiction
      iv. Preemption
  B. Enforcement of U.S. Privacy and Security Laws
    a. Criminal versus civil liability
    b. General theories of legal liability
      i. Contract
      ii. Tort
      iii. Civil enforcement
    c. Negligence
    d. Unfair and deceptive trade practices (UDTP)
    e. Federal enforcement actions
    f. State enforcement (Attorneys General (AGs), etc.)
    g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
    h. Self-regulatory enforcement (PCI, Trust Marks)
  C. Information Management from a U.S. Perspective
    a. Data classification
    b. Privacy program development
    c. Incident response programs
    d. Training
    e. Accountability
    f. Data retention and disposal (FACTA)
    g. Vendor management
      i. Vendor incidents
    h. International data transfers
      i. U.S. Safe Harbor
      ii. Binding Corporate Rules (BCRs)
    i. Other key considerations for U.S.-based global multinational companies
    j. Resolving multinational compliance conflicts
      i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
  A. Cross-sector FTC Privacy Protection
    a. The Federal Trade Commission Act
    b. FTC Privacy Enforcement Actions
    c. FTC Security Enforcement Actions
    d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
  B. Medical
    a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      i. HIPAA privacy rule
      ii. HIPAA security rule
    b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  C. Financial
    a. The Fair Credit Reporting Act of 1970 (FCRA)
    b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
    c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
      i. GLBA privacy rule
      ii. GLBA safeguards rule
    d. Red Flags Rule
    e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
    f. Consumer Financial Protection Bureau
  D. Education
    a. Family Educational Rights and Privacy Act of 1974 (FERPA)
  E. Telecommunications and Marketing
    a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
      i. The Do-Not-Call registry (DNC)
    b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
    c. The Junk Fax Prevention Act of 2005 (JFPA)
    d. The Wireless Domain Registry
    e. Telecommunications Act of 1996 and Customer Proprietary Network Information
    f. Video Privacy Protection Act of 1988 (VPPA)
    g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
  A. Law Enforcement and Privacy
    a. Access to financial data
      i. Right to Financial Privacy Act of 1978
      ii. The Bank Secrecy Act
    b. Access to communications
      i. Wiretaps
      ii. Electronic Communications Privacy Act (ECPA)
        1. E-mails
        2. Stored records
        3. Pen registers
    c. The Communications Assistance to Law Enforcement Act (CALEA)
  B. National Security and Privacy
    a. Foreign Intelligence Surveillance Act of 1978 (FISA)
      i. Wiretaps
      ii. E-mails and stored records
      iii. National security letters
    b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
      i. Other changes after USA-Patriot Act
  C. Civil Litigation and Privacy
    a. Compelled disclosure of media information
      i. Privacy Protection Act of 1980
    b. Electronic discovery
IV. Workplace Privacy
  A. Introduction to Workplace Privacy
    a. Workplace privacy concepts
      i. Human resources management
    b. U.S. agencies regulating workplace privacy issues
      i. Federal Trade Commission (FTC)
      ii. Department of Labor
      iii. Equal Employment Opportunity Commission (EEOC)
      iv. National Labor Relations Board (NLRB)
      v. Occupational Safety and Health Act (OSHA)
      vi. Securities and Exchange Commission (SEC)
    c. U.S. Anti-discrimination laws
      i. The Civil Rights Act of 1964
      ii. Americans with Disabilities Act (ADA)
      iii. Genetic Information Nondiscrimination Act (GINA)
  B. Privacy before, during and after employment
    a. Employee background screening
      i. Requirements under FCRA
      ii. Methods
        1. Personality and psychological evaluations
        2. Polygraph testing
        3. Drug and alcohol testing
        4. Social media
    b. Employee monitoring
      i. Technologies
        1. Computer usage (including social media)
        2. Location-based services (LBS)
        3. Mobile computing
        4. E-mail
        5. Postal mail
        6. Photography
        7. Telephony
        8. Video
      ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
      iii. Unionized worker issues concerning monitoring in the U.S. workplace
    c. Investigation of employee misconduct
      i. Data handling in misconduct investigations
      ii. Use of third parties in investigations
      iii. Documenting performance problems
      iv. Balancing rights of multiple individuals in a single situation
    d. Termination of the employment relationship
      i. Transition management
      ii. Records retention
      iii. References
V. State Privacy Laws
  A. Federal vs. state authority
  B. Marketing laws
  C. Financial Data
    a. Credit history
    b. California SB-1
  D. Data Security Laws
    a. SSN
    b. Data destruction
  E. Data Breach Notification Laws
    a. Elements of state data breach notification laws
    b. Key differences among states

Why did you decide to get the CIPP/US certification?

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice.  Furthermore, there are very accomplished lawyers in these spaces who are not certified by IAPP.   However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Maintaining IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowledge remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.

* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specialization in one of a very limited number of fields of law.  There is no specialization available from the N.C. State Bar for privacy, information security, or any related field of law.