In the May 2021 edition of the American Bar Association's Science & Technology Law Section ePrivacy Committee monthly newsletter, Kirk J. Nahra is featured with an interview as part of the “Meet Our Members” segment.
Where do you work and what is your position?
I am a Partner at WilmerHale in Washington, D.C., where I am the co- chair of our firm’s global Cybersecurity and Privacy Practice, along with being the co-chair of our Big Data Practice. I work with a great team of lawyers specifically in our practice, and also work with practice areas across the firm (e.g., corporate, litigation, investigations, employment and pharmaceutical) and around the world. I tell my partners that every one of their clients—no matter what industry or where they are—needs help from our group.
How did you become a lawyer focusing on privacy?
My path to becoming a privacy lawyer is really kind of odd (and I have written about it more extensively here). I certainly did not set out to become a privacy lawyer (and that would have been a silly thing to set out to do when I graduated from law school—no one was a privacy lawyer at that time). I did work on insurance fraud issues, which led me to health care fraud issues, which led me to learning about state laws related to mental health records in a litigation/investigation context.
When Gramm-Leach-Bliley and HIPAA passed, I had clients who were covered by both (mainly health insurers), I knew a little bit of law in an area where no one really knew anything, and I was off to the races. I helped these companies figure out these laws from the beginning, and then have expanded to address virtually every new issue that has arisen in the privacy and security space. It was easy for me to learn each new thing as it came along—it’s much tougher in the field now because of how much law there is, but there are also an enormously broad range of opportunities.
Why did you become a lawyer focusing on privacy?
So, I started in the field because I had some opportunities, in a new and developing area. I stayed in it because it is so interesting—it’s been fascinating to be on the ground floor of this area of law, as it developed from something that only impacted financial services and health care to an issue that now impacts virtually every company of any size at all, in any industry, virtually anywhere in the world.
It’s a fascinating mix of law and business and strategy and technology. Our job as lawyers is part lawyer, part business strategist, part PR firm, part client relations, part public policy advocate. It’s a great area to work in, with enormous growth potential going forward. It’s also been a great area to teach for the past half decade, something I look forward to doing for the remainder of my career. I make sure that my students think about all of the issues not only as lawyers but also as the individuals about whom their clients are collecting data.
Do you have any tips for law students or lawyers that want to get into the privacy field?
A couple of thoughts. First, law firms are often not the best/easiest way to go to get into this field. While law firms can be good places to learn privacy law, there are not that many firms that do a lot of actual privacy work that involves particularly younger lawyers. Lots of law firm “privacy” work is really data breach class action litigation, which is fine, but teaches you class action litigation more than privacy law. A lot of privacy counseling work involves judgment, experience and broad knowledge—and doesn’t really lend itself to work for younger attorneys. The clients want my advice, not legal research. Second, students in particular should not shy away from a first job that involves other kinds of employers beyond law firms—government, companies directly, or consulting firms. These jobs are harder to learn about, but often provide direct privacy experience. I would make sure to even consider these employers for a privacy job that isn’t necessarily a formal legal job—lots of privacy jobs require lawyer-like skills, and lawyers are really good at the jobs, even if the position isn’t formally a lawyer position (it’s a dirty little secret that consultants and lawyers do much of the same thing in privacy counseling).
Third, it is clear that the privacy field is looking for people with experience – but the demand exceeds the supply.
So, you want to get your feet wet in some kind of privacy job to start—and then you can use your 1–2 years of experience to leap into a job that may on paper seek a lot more experience. People can rise very quickly in this field with skills and knowledge.
What are your favorite resources for privacy professionals?
IAPP provides an enormous number of fabulous resources (and some of them—like the single best resource I know, the Daily Dashboard—don’t even require membership). There are lots of good twitter feeds (including mine I hope—@kirkjnahrawork) that do a lot of curated privacy information. Some of the publications that charge for their work publish a lot of interesting stuff on twitter for free.
Why do you like being a part of the ABA's Science and Technology Law Section ePrivacy Committee? What are the benefits that you have personally received from being a member in our Committee?
I’ve been involved in a variety of ABA committees over the years, as my practice has evolved. Privacy has been a tricky issue for the ABA, as it developed as a practice area late and therefore doesn’t fit well into the existing ABA structure.
spent a lot of years focusing my attention on privacy and security activities related to the Health Law Section, as I had been involved in that group with my prior career doing health care fraud and abuse work. The Science and Technology section has a much broader focus, and is a great place to get exposed to the broader range of privacy and security activities beyond just health care (although the health care issues are incredibly interesting and challenging).
How can other members get the most benefit from being a part of our Committee?
Great information, lots of good analysis, and interesting, talented people.
