Cyber and Privacy Professor

A hallmark of the online MLS program is its blend of legal, technical, and business training. The program teaches how to translate legal requirements–which can be technical–into operational requirements, with a focus on real-world skills. The online MLS faculty have deep industry knowledge, connections, and expertise.

Cyber and Privacy Professor Kirk Herath, who teaches in the online Master of Legal Studies program, is one example. Trained as a lawyer, Herath says a series of developments in the privacy landscape shaped his career. Similar opportunities exist in the data privacy and cybersecurity fields now, as witnessed by the rapid expansion of related laws and regulations in the U.S. and globally. We recently sat down with Professor Herath during a live webinar to hear more about the evolution of data privacy and the expanding career opportunities in this field.

The Evolution of Data Privacy and Cybersecurity Concerns

“In the beginning of my career,” says Prof. Herath, “I was not a privacy professional–there were no privacy professionals.” “Cybersecurity did not really exist outside of a very, very small boutique part of  information technology, and it was generally not very well coordinated.”

Prof. Herath was a federal lobbyist for Nationwide Insurance during the 1990s and was involved with the development of HIPAA (the Health Insurance Portability and Accountability Act). 

HIPAA is the major health regulation that, among many other things, includes extensive privacy and security obligations, as you learn about in our program.

HIPAA, explained Prof. Herath, was designed to make healthcare efficient, affordable, and portable. It addressed making health records electronic and facilitating their use across various systems. Issues related to protecting the resulting data, which necessarily involved security and privacy, started to grow in prominence as an issue during this timeframe, around 1992 through 1994. 

Subsequently, in 1995 the European Union passed the EU Data Protection Directive, which is a data privacy directive that was the predecessor of the EU General Data Protection Regulation (GDPR).  

Next, in 1999 the United States passed the Gramm–Leach–Bliley Act, which had almost nothing to do with privacy; it addressed financial services and how financial services companies can affiliate. But the byproduct, explained Herath, was the creation of massive companies with enormous amounts of data. “And, as we saw with HIPAA, where there is data there are proponents of protecting the privacy of the data. Also, there are obviously issues of security, because you cannot have privacy without security.” 

“I worked with and developed expertise about HIPAA, the Gramm-Leach-Bliley Act, and, to some degree, the European Data Protection Directive because my employer had a presence in Europe,” Prof. Herath told us. “When Gramm-Leach-Bliley passed in late ‘99 and had privacy obligations for financial service companies, I was asked, because I had worked on the bill, to lead a privacy compliance program.” 

Prof. Herath explained that this period marked the expansion of the cybersecurity functions within organizations. In almost all cases, he said, the cybersecurity and information security functions ultimately overshadowed the data privacy function in organizations by orders of magnitude–by five to ten times the size of the privacy function in any organization. 

Eventually, the functions became centralized within organizations. “A lot of us,” Prof. Herath explained, “became effectively the legal and compliance advisors for our information security and technology partners in our companies. That’s where you see the merging of privacy and cybersecurity from a legal perspective.” 

Corporate Leadership to Public Policy and Legislative and Regulatory Affairs

Ultimately, Herath became responsible, at Nationwide, which is a Fortune 100 financial services company, for all legal issues related to data privacy, information security, data governance, technology and information systems, contracts and supply services management, third-party risk, confidentiality, and data integrity. He was responsible for corporate privacy policy, data and security incident management, and implementing privacy across all lines of business. 

Under Prof. Herath’s leadership, Nationwide was selected as one of the Top 10 Most Trusted Companies for Privacy six times by the prestigious Ponemon Institute. Prof. Herath also has significant additional industry, public policy, and legislative and regulatory affairs experience, as described in his bio.

Cyber and Privacy Professor Shares Real-World Experience in the Classroom

Prof. Herath’s industry experience informed the design of the Privacy Law and Management course, which he built for the program and also teaches. The course teaches students how to understand the law and the obligations the law makes upon an organization, and how organizations respond to those obligations. 

The course teaches a functional management framework, says Prof. Herath, that shows how organizations can use data responsibly. “This can be a win for the consumer, who wants products and services,” he explains, “and it can be a win for  the company, who wants to market and sell those services.”

Prof. Herath notes that many students enter with no technical background, and the program is designed to give students the key skills they need, despite a lack of technical experience (learn how in our conversation with Professor Spence Witten). “We teach you how to access and use the resources you’ll need,” says Prof. Herath. “We expose you to ways of thinking about those resources. You’ll have the tools you need to keep learning on the job.” The online MLS program and faculty prepare you, he added, to “hit the ground running” as you build or advance your career in privacy or cybersecurity.

Professor Brian Ray, director of CSU College of Law’s Center for Cybersecurity Protection and founder of the CSU College of Law’s MLS program, emphasized the opportunity for personal interaction with faculty. Although all courses are primarily asynchronous, he noted the opportunities for optional live interaction with faculty and other students in the program. 

“In the program,” Prof. Ray said, “students come from all different fields and at all different points in their careers.” “We’re excited to work with you, get to know you, and give you advice. People like Professor Herath have deep industry experience, and they can advise you on what you may want to do next or which organizations may be useful to target in your career search. We’re committed to this personal dimension.”

CSU College of Law’s Master of Legal Studies in Cybersecurity and Data Privacy

CSU College of Law’s innovative online Master of Legal Studies (MLS) in Cybersecurity and Data Privacy takes an integrative approach to education, preparing professionals to understand the technical and business dimensions of cybersecurity and privacy as well as current laws and regulations. The part-time and fully online program is led by faculty from the Center for Cybersecurity and Privacy Protection at Cleveland State University College of Law and other leading practitioners in the field, with a focus on relevant, real-world experience. Also, the MLS degree is designed for professionals who need to understand the significant legal and business risks posed by cybersecurity and data privacy. Lastly, the program prepares graduates with the knowledge and necessary skills to enter these fast-growing fields and to advance to senior positions within organizations.