by Daniel J. Solove
Since 2000, I have taught a law school course in information privacy law. When I started teaching, I could count the number of law schools that had such a course on one hand.
Today, by my rough estimate, I believe that the course is offered in about 40-50 law schools.
Although one should normally be pleased with nearly ten-fold growth, I am quite disappointed. There are roughly 200 law schools in the United States, so only about 20-25% of them have a course in information privacy law.
These figures are so disappointing because every law school should have a course in information privacy law. And not just one course — several courses! Why? There are three primary reasons:
1. There’s a huge demand of jobs in the field, which keeps growing at an astronomical pace even during a weak legal market.
2. The amount of privacy laws has grown to be quite extensive, and privacy and security issues arise in nearly every company and every industry.
3. Privacy issues are becoming more and more essential to the business of companies, and privacy is an issue of profound societal importance.
In 2000, there were only a few chief privacy officers in companies. Today, nearly every financial institution, healthcare institution, and mid-to-large size company has a privacy or data protection officer, and often has a team of people working in these areas.
The number of law firms with privacy practices has expanded tremendously. Here are just some of them: Alston & Bird, Arnall Golden Gregory, Arnold & Porter, Baker & Hostettler, Baker & McKenzie, Buckley Sandler, Cooley, Covington, Davis & Gilbert, Davis Wright & Tremaine, Debevoise & Plimpton, Dentons, DLA Piper, Edwards Wildman Palmer, Foley & Lardner, Goodwin Proctor, Greenberg Traurig, Hogan Lovells, Holland & Knight, Hunton & Williams, InfoLawGroup, Jenner & Block, Jones Day, Kelley Drye & Warren, Kilpatrick Townsend & Stockton, Latham & Watkins, Loeb & Loeb, Manatt, Phelps & Phillips, Mayer Brown, McDermott Will & Emery, Morrison & Foerster, Nixon Peabody, Patton Boggs, Paul Hastings Perkins Coie, Pillsbury Wintrop Shaw Pittman, Proskauer Rose, Reed Smith, Ropes & Gray, Ropers Majeski, Sheppard Mullin Richter & Hampton, Sidley & Austin, Venable, Wiley Rein,WilmerHale, Wilson Sonsini, Winston & Strawn, and ZwillGen. There are many more.
There are privacy offices in nearly every government agency. Numerous government agencies regulate privacy, including the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, the Department for Health and Human Services, the National Labor Relations Board, and the Department of Education, among others. Within various agencies are privacy oversight departments, such as the Department of Homeland Security.
The International Association of Privacy Professionals (IAPP) is the leading organization of privacy professionals and has about 20,000 members now. It is growing at a staggering rate per year.
There are also very sizable privacy practices at auditing and advisory firms such as PwC, Deloitte, Booz Allen, and KPMG.
An Extensive and Complicated Web of Laws
Privacy law has expanded dramatically throughout the years. With co-author Professor Paul Schwartz, I have a casebook in information privacy law, now in its 5th edition. The book now spans 1200 pages. I can’t even cover half of it in my class.
For some topics, we put in an excerpt from a law review article in early editions of the book because there were no cases or laws. Now, with each edition, we face the painful choice of which cases to exclude in order to prevent the book from growing too long.
And this law is complicated, involving numerous very complex federal statutes and regulations such as ECPA, FISA, CFAA, HIPAA, FCRA, FERPA, GLBA, VPPA, TCPA, CAN-SPAM, COPPA, DPPA, CCPA, the Privacy Act, and more. The FTC regulates privacy and has developed an extensive number of requirements under the FTC Act Section 5.There are more than 2000 state privacy laws. There are four common law privacy torts, along with the breach of confidentiality tort, intentional infliction of emotional distress, libel and slander, and negligence cases involving privacy. There are criminal laws too — Peeping Tom laws, electronic surveillance laws, and more. There are data breach notification laws in more than 90% of the states. There is privacy law in countless countries, presenting challenges for sharing data across borders.
Increasingly it is hard for just one lawyer to know all the privacy laws and to keep up. Privacy lawyers often specialize, focusing on HIPAA, financial privacy, employment privacy, EU privacy, communications privacy, marketing privacy, consumer privacy, electronic surveillance, national security, and data security. For a large company, it takes a team of privacy lawyers to cover all the issues.
Privacy Is Essential to Business and to Society
Nearly every company has issues to face with personal data because they have data everywhere — data about employees, customers, vendors, and others. Countless devices and things are becoming connected to the Internet and are gathering personal data. Many companies now have apps and are developing a wide array of products and services that involve the collection and use of personal data.
Privacy protection is essential in many cases because without it, companies cannot do business. For example, companies cannot receive protected health data from hospitals and health plans unless they are compliant with HIPAA. In many cases, companies cannot transfer data across boarders internationally unless they comply with the laws of other countries in addition to the U.S. Because a data breach of privacy incident at a vendor can create liability, regulatory sanctions, and reputational harm to a company, companies are requiring strong privacy protections in their contracts with vendors.
Regulatory fines are increasing. There are numerous regulatory “cops on the beat” at both the federal and state level — plus internationally too. Breach notification laws also impose huge costs. There will be lawsuits to fend off in the event of an incident. And reputational damage to deal with.
The Sony breach is a great illustration. The damage it caused was monumental. The C-Suite saw their personal emails exposed to the world. Sony illustrated just how essential data protection issues can be. C-Suites are waking up to the fact that privacy and security incidents can cause severe threats — sometimes even existential ones.
Beyond business, privacy is an issue of immense social importance, and lawyers are needed in NGOs and think tanks to help ensure that privacy is adequately protected.
Why Aren’t More Law Schools Teaching Information Privacy Law?
With all this, why aren’t most law schools teaching information privacy law? The answer stems from a pathology in the way law schools go about planning the curriculum. There is often very little study and analysis of what various fields are developing, expanding, or contracting. Occasionally, a field gets hot, such as intellectual property law, and law schools go on a hiring binge and stack up courses in these areas. But most of the time, if a professor in criminal law or constitutional law retires, schools almost reflexively seek to replace them. What often doesn’t happen is the faculty examining the state of various fields and building a curriculum around where the legal market is heading.
I have not seen many law schools seek to hire a professor primarily to cover information privacy law. Typically, schools hire based upon required first year courses or well-known areas such as tax, international law, intellectual property, environmental law, and other areas. Privacy just isn’t in the mix. I think the reason is that many professors and deans outside the privacy law field just don’t realize what’s going on inside the field. If they peered through the window, they’d see that the field is teeming with opportunity and growing faster than Jack’s beanstalk. The main reason why the number of law schools offering privacy law courses has grown is because professors hired primarily to cover another area have wanted to teach a privacy law course too.
We need to do better. Students need deep coverage about these issues for the very rapidly growing careers relating to information privacy. When law schools offer privacy law courses, interest is sizable. There are internships and job opportunities. Breaking into the field can sometimes be tricky, but once in the door, there is an enormous demand and a short supply of privacy lawyers.
Law schools should take a good close look at the privacy law field. If they were to do so, they would quickly realize the great need and value of offering a privacy law course.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 890,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter