The King County March member newsletter of Washington Women Lawyers showcased a Q&A with Lane Powell Counsel to the Firm Magdalena Bragun. Read through the exchange below:

Can you share with us your journey into specializing in data security, privacy, and corporate matters? What were some of the key challenges you faced, and how did you overcome them?

One of the greatest challenges in my career was embracing the unknown. When I first started practicing law, privacy was not on my radar at all. I began my career in 2008 as a litigation attorney with Lane Powell's Creditors' Rights Team. The attorneys I worked with were the ultimate models of professionalism, and I learned the true meaning of excellence while practicing with them every day. But the downside of loving the people you work with is that you may lose sight of what you actually want to do with your professional life. It's very hard to step away from a healthy work environment where you learn a lot and have excellent mentors. Ironically, or perhaps serendipitously, life made that decision for me when a family situation forced me to leave Lane Powell after the first few years in private practice. With some distance, I realized that what I wanted and needed at that time was moving more towards transactional work, so when I was recruited by a global decentralized law firm, Rimon PC, I felt lucky to be able to follow those interests.

Working with a variety of commercial agreements in a transactional setting not only rounded out my practice but also expanded my horizons — I was exposed to all kinds of contracts, including data processing agreements, and I started paying close attention to privacy issues coming up in various settings. Privacy became huge in Europe when GDPR went into effect in 2018, and thanks to spending a part of each year in Europe during that timeframe as an EU citizen, I was getting uniquely familiarized with the European privacy and data protection rules. I started seeking out more privacy and data governance matters, and the more I zoomed in on this work, the more passionate I became about it. Soon, it became obvious that I found my niche.

In hindsight, the greatest challenge I faced on my journey was embracing the uncertainty that's inherently present in making a change. Stepping into corporate law was not something I saw myself doing after dedicating several years to creditors' rights litigation. But without taking that step, I may have never discovered my passion for privacy and data security. It was that transactional background and exposure to a number of commercial contracts that opened the door to specializing in privacy. Sometimes life invites us to take a risk and step away from the beaten path. Embracing those moments is critical to finding what you really want in life.

How has your CIPP/U.S. certification enhanced your ability to serve your clients? Would you recommend this certification to other attorneys interested in privacy law?

I would highly recommend pursuing the CIPP/U.S. certification to anyone who is interested in privacy and data security work. CIPP/U.S. stands for Certified Information Privacy Professional/U.S., and it is awarded by the International Association of Privacy Professionals. The privacy laws in the U.S. are a patchwork of state and federal rules and regulations that vary significantly depending on the sector. Some sectors, like health care and finance, are regulated heavily on a federal level. However, unlike most developed countries, the U.S. has no federal comprehensive privacy law, which leaves it to the states to decide how to regulate this field. This, in turn, creates a multitude of inconsistencies, ambiguities, and sometimes conflicts between various states' comprehensive and specialized privacy laws. Pursuing a CIPP/U.S. training and certification is a great way to gain a comprehensive understanding of this complex privacy and data protection landscape.

Where do you see the field of privacy and data security law heading in the next five years, and what emerging issues should lawyers be preparing for?

Privacy and data security will continue to develop rapidly in the next five years. We are witnessing an unprecedented growth in this field — privacy and cybersecurity have become massive recurring expenses for businesses in all industries. This trend will continue, particularly in light of the AI-related privacy challenges. AI creates risks of data reidentification, deanonymization, and bias, which means that businesses will need to invest even more time, energy, and funds to comply with the future AI-driven privacy laws as well as to shield data from AI-assisted cybercrime.

Children's privacy protections are likely to get much more attention in the coming years, both from the government and from the parents pursuing class actions for social media addiction and similar claims. Courts have started certifying such class actions recently and we can expect that this tendency will continue in the coming years. We are also likely to see a nationwide trend toward specificity of consent for sharing and selling information relating to children.

Specificity of consent, as a trend, may also be visible in the health data protection realm. Washington's My Health My Data Act (MHMD) is the first law in the country to require separate and distinct consents for collection, sharing, and sales of health-related data that is not subject to HIPAA and similar laws. MHMD will go into effect in March/June 2024 and will require substantial compliance efforts from businesses in many industries entirely unrelated to health care. Many expect that other states will enact laws similar to MHMD in the coming years to protect health-related information of their residents.

Washington Women Lawyers is Washington's largest organization dedicated to furthering the full integration of women in the legal profession and promoting equal rights and opportunities for women.