Michael Fitzpatrick MS CRS ’19 spent nearly a decade working on counterterrorism and privacy matters as an embedded attorney in the New York City Police Department (NYPD)’s Intelligence Bureau. As security threats online multiplied, Fitzpatrick felt a growing need to better understand the rapidly evolving cyber landscape. When he learned of a new Master of Science in Cyber Risk and Strategy (MS CRS) program offered by NYU Law in partnership with the Tandon School of Engineering, Fitzpatrick says he knew it would be the perfect fit for his interests. “I think I applied that night,” says Fitzpatrick, who was the first applicant to be accepted to the program.
After earning his master’s degree, Fitzpatrick became the privacy officer for the NYPD, and was appointed by the US Secretary of Homeland Security to a three-year term on the US Department of Homeland Security (DHS)’s Data Privacy and Integrity Advisory Committee, where he provides guidance to the DHS on technology and privacy-related matters. In April 2022, Fitzpatrick was appointed by Mayor Adams as the chief privacy officer for the City of New York.
In this Q&A, Fitzpatrick discusses his first experiences in the security field, how his master’s degree expanded his understanding of privacy and cybersecurity issues outside of the law, and what he enjoys about his new role.
How did you first become interested in the law and matters of security, in particular?
I’m the first lawyer in my family, but my family has a long history of public service. Law school struck me as a natural opportunity to continue that tradition of public service but in a new and different way.
As an undergrad at Manhattan College, I was fortunate enough to get a summer internship with the NYPD legal bureau. That experience was significant in providing me with foundational knowledge and exposure to the legal profession.
As a 1L at Fordham Law when I was trying to figure out my summer work plans, I went to NYU Law’s Public Interest Law Center Fair, where I ran into an attorney that I had interacted with during my undergrad internship with the NYPD, and they took my resume and later extended me a legal internship offer. Because I had familiarity with the office, they offered me an internship working on matters that were more sensitive than interns normally handle, assigning me to the embedded legal team within the NYPD intelligence bureau.
At the conclusion of that summer, the head of the office offered me the opportunity to stay on during the academic year, which I accepted. Counterterrorism security as a practice area became a passion, and that ultimately led to a full-time position immediately after graduation.
What did you enjoy about your work with the intelligence bureau? How did you decide to pursue a master’s degree?
As an embedded attorney within the intelligence bureau, I had a front row seat to very cutting-edge legal issues surrounding the intersection between municipal and federal law enforcement and how they overlay across the landscape of counterterrorism. The NYPD was on the front lines of how those issues were evolving: that meant daily assessments of what the threat landscape is from a counterterrorism perspective and seeing the shift over time how the internet can be used for mobilization to violence. My role was to support lawful threat identification and investigation in furtherance of protecting the safety and security of New York City.
Over time, I got more detailed exposure to the universe of internet investigations. I recall sitting down with one of the many exceptionally talented detectives that the NYPD employs who had a background in computer programming and networking and provided me with explanations of the dark web, different cyber-attack methods such as distributed denial-of-service attacks, and risk mitigations. I tried to soak up as much of that as I could, but I really felt that, while I was getting all of this practical experience, I really wanted to take my knowledge on these matters a step further.
What was your experience like as the first class of the MS CRS program? How did it impact your career?
It was extraordinary. NYU obviously has an exceptional faculty, and I was completely taken aback when I saw the roster for the program: Randy Milch [’85], former general counsel of Verizon, covering cybersecurity, governance, and regulation; and Judy Germano, former assistant US attorney, taking you through not just cybercrime but incident response. I also have to mention Sam Rascoff, one of the chairs of the program, who led discussions on national security issues. Sam was also a former NYPD director of intelligence analysis—we actually missed each other by a couple of years at the department.
My cohort also had exceptional backgrounds, and I was able to dissect and discuss the latest cybersecurity regulatory issues with perspectives from professionals at Facebook, Bank of America, and the Manhattan District Attorney’s Office to name a few. It wasn’t just lawyers either; there were technologists, communications, and law enforcement professionals, among others. It was a really novel thing and, across the board, everybody could feel that it was something special.
In April 2022, you became the chief privacy officer for the City of New York. What do you like or find challenging about that role?
In the earliest days of [New York City] Mayor Adams’s administration, an executive order was issued to improve government operations and services to benefit the city and its residents by consolidating technology and technology-related authorities in one place, the newly created New York City Office of Technology and Innovation (OTI), led by the city’s chief technology officer, Matthew Fraser. OTI is where my office, the Office of Information Privacy, is located.
Through that consolidation, there are significant and exciting opportunities for collaboration in the technology space that didn’t exist before. For example, I work very closely with the city’s chief information security officer, Kelly Moan, to align the intersection of privacy and information security policy, in addition to partnership in the investigation of potential security incidents citywide. The foundational structure of OTI allows me to leverage the skills from the MS CRS program heavily. I’m not an information security professional. I’m not an IT professional. But by virtue of my time in MS CRS program, I understand the perspectives of those professionals and the issues, and I am able to effectively do my job as chief privacy officer while also facilitating and coordinating discussion to drive better and more effective services for all New Yorkers. I’m very happy to be a part of this administration as chief privacy officer and humbled by my selection for the role.
This interview has been edited and condensed. Posted September 22, 2022.