When Paige Boshell and Josh Torres got out of law school, few attorneys were interested in the area of privacy law.
“My first job out of law school was with the Social Security Administration, and that’s where I became aware of privacy law and started thinking about it,” says Torres, corporate privacy and regulatory counsel for iCIMS, a talent acquisition software company.
Boshell, too, began working early on in privacy, has focused on it for more than 20 years and now runs a Birmingham-based firm called Privacy Counsel.
Boshell and Torres are among a handful of attorneys who hold the privacy law specialty, which the Alabama Bar Association began certifying in 2018.
“We are at an incredibly important crossroads with privacy right now on a worldwide scale,” Boshell says. “Look at China’s use of facial recognition tech and San Francisco’s banning of it. Look at ‘smart cities,’ where privacy decisions have implications for civil rights and the democratic process. It’s exciting.”
Torres agrees, saying that data and other privacy breaches have piqued the interest of people who might not have even been aware of the potential problems before.
“When I got out of law school, there were not a lot of people paying attention to this area,” he says. And that has changed in the 10 years he’s been practicing. “This area of the law is growing astronomically because the demand far exceeds the supply.”
What that means is there is more demand for attorneys like Boshell and Torres, both based in Birmingham, to help companies navigate the often-treacherous waters of privacy law.
“It is critical for businesses to be mindful of the consumer data that they collect and share and that they deploy privacy practices — in addition to security measures — to protect it,” Boshell says.
Many businesses don’t even realize they need to beware of data and how it’s collected, according to Boshell.
“In Alabama, business privacy maturity is about where cyber security maturity was five or so years ago,” she says. “Many businesses are not subject to either the comprehensive European or California privacy laws, so owners and executives are wondering if and why privacy matters to them and how to decide what sort of financial and resources commitment to make to an issue that doesn’t readily show a return on investment. If you are in business, you are in the tech business and the data business, which means you are already in the privacy business, whether you know it or not. This is especially true if you collect, use, process, maintain or share consumer information.”
The first thing a business should do is inventory its data and methods of collection, Boshell says.
“You need to know what data you have, why you have it, how you are getting it, and who has access to it,” she says. “If you don’t need the data, delete it. If you have it on multiple systems, consider consolidating the data or coordinating the systems. If someone has access to it that doesn’t need it, eliminate the access.”
Torres says that’s sometimes more difficult than it seems like it should be and that, while CEOs of companies can easily tell you about the financial dealings of their companies, data is another matter.
“If you were to ask the CEO of many companies what data do you have and how do you process it, I don’t think they would know how to get to that data,” he says, citing Apple CEO Tim Cook as one of the exceptions. “He does have a view and eye toward privacy along those lines.”
In addition to the data inventory outlined by Boshell, Torres says it’s imperative that companies be transparent with consumers about the information they’re collecting.
“We should be clearly telling individuals what we’re going to collect, how we’re going to use it and how we’re going to share it,” he says.
And though the public may be worn out when it comes to hearing about data breaches, that’s another area that businesses need to be concerned with.
“How can we prevent a data breach, and, in the event of one, how do we eradicate and contain the data breach, and then how do we notify people about it?” Torres says.
Boshell believes in the importance of privacy law so much that she left a Birmingham law firm — where she had co-chaired its privacy and cyber security practice — after 27 years in April 2018 and started Privacy Counsel.
“Working on my own allows me to focus directly on cyber and privacy, rather than having it be incidental to other legal practices and client business needs,” she says. “Most of my clients are financial institutions and tech vendors, and most are out of state. I love being a lawyer, and I especially love privacy law. Privacy is a universal value that impacts a variety of legal disciplines. It’s a relatively new practice, so there aren’t many of us who have been doing this for 20-plus years.”
To receive the Privacy Law Specialist certification, which is authorized by the American Bar Association and certified by the International Association of Privacy Professionals, Torres and Boshell had to be members in good standing of at least one Alabama law practice, to hold several other certifications and to pass an ethics exam.
Torres says that most who hold the privacy certification are, like him, working for businesses, either in-house or at a law firm. “In the next decade, though, I think you’ll see attorneys on the plaintiff’s bar getting the certification.” In other words, attorneys will specialize in privacy, similar to what they do now with car wrecks, disability cases and other specialties.
Also in the next few years, Torres anticipates more law schools introducing privacy law into their curriculums. “Very few even have a class on this topic right now,” he says.
And the specialty also will probably result in more attorneys leaving their practices.
“They’ll join leadership positions in technology from what they’ll gain in knowing about privacy and data security,” Torres says. “The business title that’s most applicative is chief privacy officer.”
Consumers shouldn’t forget their role in privacy matters, either.
“It’s imperative that consumers educate themselves,” Torres says. “You wouldn’t give your money over to a bank if you didn’t know what they were going to do with it. So why do we do that with our data? You can never get it back once you give it. Consumers have got to get more educated.”
Alec Harvey and Art Meripol are freelance contributors to Business Alabama. Harvey
is based in Auburn and Meripol in Birmingham.