Global Privacy Summit 2013






Am I a Data Broker?

Moderator: Colin O’Malley, CSO, Evidon
Jeanette Fitzgerald, Senior Vice President and General Counsel, Epsilon
Maneesha Mithal, Director, Division of Privacy and Identity Protection, Federal Trade Commission
Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati

Last year, the FTC declared that a new class of companies, called “data brokers,” were collecting large troves of data without consumer transparency, and they would be subjected to greater scrutiny. In the FTC report Protecting Consumer Privacy in an Era of Rapid Change, the FTC made a pitch for additional legislation to address data brokers, and their Spokeo settlement later the same year was seen as evidence that the commission stood ready to back up standards in the space with regulatory action. But while the industry is abuzz, confusion still reigns. What exactly is a data broker? Is there a standard test to help you understand whether or not your company is in or out? What is the potential harm of current practice in the industry, and what can you do to manage risk? Is the precedent set by FCRA and elsewhere useful here? Can the successes of the DAA self-regulatory program be a model for proactive industry action? More broadly, where are standards for data brokers going in 2013, and how will this impact the industry? Join leading authorities with legal and commercial perspectives for an in-depth discussion of these questions and more.

What you’ll take away:

  • An understanding of the definition of data broker
  • The current obligations of data brokers, including precedents
  • Guidance on how definitions and requirements are likely to evolve in 2013 and beyond

Big Data, Not Big Brother: Best Practices for Data Analytics

Jennifer Barrett Glasgow, CIPP/US, Global Privacy and Public Policy Executive, Acxiom Corporation
Peter Leonard, Partner, Gilbert & Tobin Lawyers

Companies are awash with data, some generated by their customers or systems, some by third parties. Data retention is growing so fast—by about 2.5 billion gigabytes a day—that 90% of the stored data in the world today has been created in just the past two years. Big data is the confluence of a number of technology trends: big transaction data, big interaction data, big data processing, growth of processing power and more sophisticated analytic techniques, and the pervasiveness of the Internet and data sharing through public and private clouds. Big data is therefore not just about the volume of data, spooky Big Brother or privacy; it is about gaining new insights and delivering business and service benefits. One of the key challenges is reconciling those benefits with the legitimate concerns of individuals about access to, and use of, their personal information. And the challenge will become even greater as more standardized data management facilitates the matching of anonymized data sets across organizations, and as the Internet becomes dominated by machine-to-machine applications (where devices communicate without conscious action by humans). For privacy pros at organizations seeking to reduce transactional costs and derive efficiencies, this challenge is an immediate one. Join us to explore how businesses are responding to the challenge within the bounds of consumer advocate expectations and a range of privacy and data protection laws. Using case studies, we’ll discuss recent data sharing and analytics joint ventures between organizations in sectors as disparate as retail and banking and how these ventures have been structured to address such concerns.

What you’ll take away:

  • Understand trends in use, types and sources of data
  • Understand how to maximize use of big data to drive cost and operational efficiencies
  • Case studies of recent data sharing and analytics joint ventures between organizations and how these ventures have been structured to overcome consumer advocate expectations

Presentation 1, Presentation 2

Closing the Deal—Global Cloud Contracts and EU Requirements

Lokke Moerel, Partner ICT, De Brauw Blackstone Westbroek

In the EU, global cloud contracts have been concluded between major multinationals and major U.S. cloud providers. Join this session to hear a legal risk analysis in respect of such global contracts. Two global deals will be discussed in practical terms, and we’ll look at how the EU requirements have been addressed or mitigated and the concessions made by the U.S. cloud suppliers to their standard offerings and terms to accommodate these requirements.

What you’ll take away:

  • A framework for creating a risk analysis regarding cloud computing
  • Practical solutions for addressing EU cloud requirements
  • Market knowledge on how major U.S. suppliers are prepared to address EU requirements

Presentation 1

Drawing Lines in the Cloud: Jurisdictional Access to Data

Mary Ellen Callahan, CIPP/US, Partner, Jenner and Block
Nancy Libin, Partner, Wilkinson Barker Knauer LLP

As more and more organizations move their assets to the cloud, it’s essential to understand what the rewards and risks are. Does the location of the cloud service or service provider impact the type and scope of information that can be requested by law enforcement? And what is the legal process? Find out in this timely and insightful discussion.

What you’ll take away:

  • Understanding of cloud computing jurisdictional issues
  • Understanding of law enforcement obligations with regard to access to information based in the cloud
  • Insight on protecting organization assets, to the extent possible, from law enforcement access

Presentation 1



Conversations in Privacy: Crawlers, Scrapers and Bots—Is Online Data Up for Grabs?

Interviewer: Tracy Pulito, CIPP/US, Vice President, Deputy Chief Privacy Officer, Starwood Hotels & Resorts Worldwide, Inc.
Ken Dreifach, Counsel, ZwillGen
Eric Heath, Director, Legal-Global Privacy, LinkedIn Ireland Limited

An increasing number of companies are marketing data sourced from online sites and services, and marketers are demanding that data. Some websites occasionally invoke their own proprietary rights to their data (e.g., craigslist v. PadMapper and Facebook v. Power Ventures), but the privacy aspects of this public data mining are not often explored—apart from a 2010 Wall Street Journal article on Nielsen's scraping of health data from certain websites. The emergence of powerful scraping engines and the desire of companies for real-time social media and other online data are in danger of colliding with consumer expectations about how their public posts are used cross-channel and for cross-purposes. Don’t miss what’s sure to be an exciting exploration of this very relevant and current topic.

Conversations in Privacy: Data Protection as a Fundamental Right

Anita L. Allen, Henry R. Silverman Professor of Law and Philosophy, University of Pennsylvania Law School
Giovanni Buttarelli, Deputy European Data Protection Supervisor, EDPS
Alan Charles Raul, Partner, Sidley Austin LLP

Conversations in Privacy: Effective Data Protection in the 21st Century

Interviewer: Fred H. Cate, Distinguished Professor and C. Ben Dutton Professor of Law, Indiana University
Julie Brill, Commissioner, Federal Trade Commission
Stanley W. Crosley, Esq., CIPP/US, Director, IU CLEAR Health Information, Crosley Law Offices, LLC
Peter Cullen, CIPP/US, Chief Privacy Strategist, Microsoft Corporation

The evolution of modern data privacy laws around the world to place increasing responsibility on the individual—to read privacy notices, to consent to the collection of personal data, to oversee uses of data through access and correction provisions and to instigate enforcement actions—has proved problematic and seemingly unworkable, particularly in the face of embedded computers, ubiquitous data surveillance and big data. To address the challenge of updating privacy law, Microsoft sponsored a series of regional dialogues and a summit in 2012, where leading regulators, industry executives, public-interest advocates and academic experts gathered to talk frankly about alternative models for providing better protection for both individual privacy and valuable data flows. Join us to address some of the key insights and revelations from these meetings.

Conversations in Privacy: Facebook and Your Organization—What Every CPO Should Know

Interviewer: Jules Polonetsky, CIPP/US, Co-Chairman and Director, Future of Privacy Forum
Erin M. Egan, Chief Privacy Officer, Policy, Facebook, Inc.
Edward Palmieri, CIPP/US, Associate General Counsel, Privacy, Facebook, Inc.

Conversations in Privacy: How Will a Changing of the Guard in the U.S. Impact Privacy Law and Policy?

Interviewer: Christopher Wolf, Co-chair Privacy and Data Security Practice Group, Hogan Lovells US LLP
William E. Kovacic, Global Competition Professor of Law and Policy, George Washington University School of Law
Michael Nelson, Analyst on Technology Policy, Bloomberg Government
Daniel Weitzner, Former White House Deputy Chief Technology Officer, Associate Administrator, U.S. Department of Commerce

After any election, there are big changes at the top. What will these changes mean for privacy law and policy? Explore how new leaders at the FTC and in Congress will look at privacy, and hear the panel contrast the expected approaches of the new leadership with those of the old. Will there be more or different enforcement actions? Will Congress continue to shine the light on privacy issues? What will happen to the proposals for a privacy bill of rights? How will the new order in Washington affect international relations, especially with privacy hawks in the EU? These and related topics will be addressed by Washington insiders who follow the privacy scene closely.

What you’ll take away:

  • How the new leaders in Washington are likely to address privacy law and policy
  • What the risks of FTC enforcement likely will be
  • What the role of Congress will be in addressing privacy law and policy

Conversations in Privacy: A Talk with Commissioner Ohlhausen

Interviewer: Andrew Serwin, CIPP/US, CIPP/E, CIPP/G, Attorney/Partner, Foley & Lardner LLP
Maureen Ohlhausen, Commissioner, Federal Trade Commission



Around the Financial Services World in 90 Minutes

L. Richard Fischer, Partner, Morrison & Foerster LLP
Lynn A. Goldstein, CIPP/US, Senior Vice President, Privacy General Counsel & Chief Privacy Officer, JP Morgan Chase
Russell Schrader, CPO and Global Enterprise Risk Counsel, Visa, Inc.
Melanie Shillito, CIPP/E, Director, Promontory Financial Group (UK) Limited

Join international financial services experts to explore developments around the world and discuss their potential impact on the financial services industry. We’ll review the proposed EU Data Protection Regulation, which would replace the current directive and would establish new standards and requirements for data protection and harmonize privacy laws across the member countries. If implemented, what impact could the provisions have on financial institutions? We’ll focus on provisions surrounding scope, consent, data portability, transfer restrictions and breach notification. And could what happens in the EU have an impact on what happens in the U.S., even though sectors such as financial services are already regulated? We’ll review the Obama administration framework, which calls for a baseline privacy bill of rights that could be implemented through enforceable codes of conduct or legislation. Although the administration does not recommend modifying existing federal statutes, could provisions impact financial services? We’ll focus on the framework’s provisions on individual control, transparency and focused collection. Could what happens to other sectors in the U.S. impact the financial services sector? In this interactive session, the audience and panel will discuss practical examples and explore possible solutions.

What you’ll take away:

  • Understanding of provisions of legislative proposals
  • The possible impact these proposals could have on financial institutions
  • Potential actions that could be taken in response

Presentation 1

Demystifying SEC Guidance on Cybersecurity Risk

Moderator: James Shreve, CIPP/US, Attorney, BuckleySandler LLP
Christopher T. Pierson, CIPP/US, CIPP/G, EVP, Chief Security Officer and Compliance Officer, LSQ Holdings
Thomas A. Sporkin, Partner, Government Enforcement and Litigation Attorney, BuckleySandler LLP

The SEC’s Division of Corporate Finance has issued guidance on when and how cybersecurity risks and incidents should be reported in filings by public companies, but the guidance raises questions in addition to answering them. How will the SEC enforce the guidance? How do the filing requirements interact with security breach notice laws? Will there be coordination with other regulators for banks, insurance companies, healthcare providers and other regulated entities? This panel brings together a former SEC enforcement attorney and head of the Office of Market Intelligence, an in-house compliance counsel and an outside privacy and data security counsel to examine the SEC guidance, consider compliance issues and discuss how the guidance may be enforced by the SEC.

What you’ll take away:

  • Understand the SEC Division of Corporate Finance guidance
  • Discuss compliance issues under the guidance
  • Understand how the SEC may take actions to enforce the guidance

Presentation 1

Navigating Your Way in a Financial Service Data Breach

Christine M. Frye, CIPP/US, SVP Privacy Compliance Executive, Bank of America
Dana L. Simberkoff, CIPP/US, Vice President, Risk Management and Compliance, AvePoint, Inc.

Financial services providers deal with highly sensitive information as a matter of course. In this session, learn how a structured approach to data breach prevention and response, including engagement with stakeholders and regulators, will help you navigate the challenge.

Presentation 1

What the SEC Needs You to Know Now

James DeGraw, Partner, Ropes & Gray LLP

Security laws and disclosure requirements are essential considerations for data privacy professionals. Join us for a discussion of the importance of keeping the language of your 10-K disclosures and privacy policies aligned with your data collection and security practices (and certifications). You’ll also learn what additional risks non-alignment might create for your company and its board.

Presentation 1



Beyond Europe—The BCR as a Universal Translator

Chantal Bernier, Assistant Privacy Commissioner, Office of the Privacy Commissioner of Canada
Eduardo Ustaran, CIPP/E, Partner and Head of the Privacy and Information Law Group, Field Fisher Waterhouse

The use of binding corporate rules (BCRs) is a recognized mechanism for overcoming restrictions on exports of personal data from Europe. However, there is a growing number of non-EU jurisdictions that also place restrictions on data transfers. This session will explore how BCRs can be used to overcome such restrictions from non-EU countries and provide a truly global approach to privacy compliance.

What you’ll take away:

  • An understanding of how BCRs can be used to overcome data transfers restrictions from non-EU countries
  • Insights on the stance of different non-EU countries in this area
  • Practical steps that can be taken to use BCRs in this global context

Handout 1, Presentation 1

Complex, Nuanced and Evolving—Privacy Developments in Asia

Kenny Chooi, Senior Director, Yeo-Leong & Peh LLC
Miriam H. Wugmeister, Partner, Morrison & Foerster LLP

Privacy is changing rapidly in Asia. Several new laws have been adopted (in Taiwan, Malaysia, the Philippines), and several are on the horizon or have been recently updated (in Singapore, Korea, Hong Kong). We will cover the major elements in all of the key Asian countries as well as discuss practical realities for organizations seeking to comply with the obligations in the region. We will also discuss the implications and impact of the APEC framework on the region.

What you’ll take away:

  • Understanding of the complexities of compliance in Asia
  • Appreciation of the nuance of the differences between the countries in Asia
  • Exposure to practitioners from Asia

Presentation 1

An Interview with Peter Schaar

Interviewer: Jean Gonié, Director of Privacy, EMEA Policy, Microsoft
Peter Schaar, Federal Commissioner for Data Protection and Freedom of Information

In this illuminating interview, you’ll hear Federal Commissioner for Data Protection and Freedom of Information Peter Schaar respond to key questions about the impact of European data protection reform. Some areas we’ll explore include the following:

  • How robust are the reforms, from a DPA perspective?
  • What are the current and future roles of DPAs in Europe, including the extent to which they may exercise their authority (particularly regarding large, global organizations)?
  • How can European DPAs play a role in transparency in the era of big data and cloud computing?
  • What role can Europe play in relation to the rest of the world regarding utilizing the best practices for transparency?

Privacy on the Ground in the U.S. and Europe

Kenneth Bamberger, Professor of Law, University of California Berkeley, Co-Director, Berkeley Center for Law and Technology
Deirdre K. Mulligan, Assistant Professor, School of Information, University of California Berkeley

UC Berkeley Law Professor Ken Bamberger and UC Berkeley Information Professor Deirdre Mulligan have engaged in multi-year research to investigate privacy on the ground—how privacy protection actually works in corporations, and how it is (or is not) shaped by legal, social and other forces—in the U.S. and Europe. Moving away from traditional research focusing only on formal laws “on the books,” their work has involved over 50 interviews of chief privacy officers in the U.S., Germany, France, Spain and the UK, as well as discussions with regulators, lawyers and other corporate managers. Their comparative findings reveal the ways that different regulatory approaches promote or hinder effective privacy practices, as well as the important role of privacy professionals in shaping the “new privacy” by spreading best practices within and across borders.

Privacy in India: Attitudes and Awareness Version 2.0

Ponnurangam Kumaraguru, Assistant Professor, Indraprastha Institute of Information Technology (IIIT), Delhi, India

India, the world’s largest democracy, has witnessed enormous development in information technology over the past few years. A developing country with a collectivist society, India has different expectations of privacy than many developed nations. The concept of privacy in India has not been investigated in detail, and we lack empirical data with respect to privacy perceptions among Indian citizens. Join a discussion of the study U2P2, which focuses on understanding privacy perceptions and expectations of Indian citizens in India. Using knowledge from interviews and focus group studies, we designed an online survey to collect quantitative data across different parts of India, amassing 10,440 responses from individuals in various cities throughout the country. We investigated privacy issues related to mobile phones, credit cards, online social networks and government. Join us to hear an analysis of the data and discuss some of the inferences being drawn from it.

What you’ll take away:

  • Indian perceptions of privacy
  • Insight on the interaction between your brand and your cookie policy
  • How India fits into the global privacy landscape

A Side-by-Side Comparison of EU-U.S. Data Transfer Options

Moderator: Christopher Cwalina, CIPP/US, Partner, Co-Chair, Privacy and Data Security Team, Holland & Knight LLP
Christopher Graham, UK Information Commissioner
Krysten B. Jenci, CIPP/US, Director, E-Commerce, International Trade Administration, U.S. Department of Commerce
Hugh Stevenson, Deputy Director of International Consumer Protection, Federal Trade Commission

The 1995 EU Data Protection Directive regulates transfers of personal data to non-EU countries. Mechanisms that exist to carry out data transfers from the EU to the U.S. include model contracts, binding corporate rules (BCRs) and the U.S.–EU Safe Harbor framework. The U.S.–EU Safe Harbor framework, which has been in place since November 2000, is a mechanism that has been used by more than 3,500 companies. Join us to hear expert panelists, taking into account the past dozen years of experience, discuss how these mechanisms compare, both from government and commercial perspectives. You’ll leave with real-world insights on how these various options have worked in practice to promote data flows and protect privacy.

What you’ll take away:

  • Understanding of the different mechanisms and the pros and cons of each
  • Insights on the costs and benefits to businesses and consumers
  • Updates on the work that is underway

Handout 1, Handout 2, Presentation 1, Presentation 2



How to Get a Gold Star in Privacy Governance at Your Organization

Moderator: Ann Killilea, Counsel, McDermott Will & Emery LLP
Michael C. McNeil, Global Chief Privacy & Security Officer, Medtronic, Inc.
Kenneth P. Mortensen, Esq., CIPP/US, CIPP/G, Vice President, Assistant General Counsel & Chief Privacy Officer, CVS Caremark Corporation

When it comes to privacy governance, there are often more questions than answers. At what point should a company put into place a chief privacy officer, and how should the privacy competency be organized? Who should report to whom? Who should be accountable for what? What structure can help an organization move up the privacy maturity scale? What structure can help prove to regulators that the company is serious about privacy compliance and protecting employee and customer privacy concerns? In this enlightening session, we’ll examine the corporate privacy management structures being utilized today, and we’ll use academic studies and testimony from “gold star” privacy organizations to find answers to these questions and more.

What you’ll take away:

  • An understanding of organizational options for instituting a corporate privacy program
  • An understanding of how to build and support a business case for instituting a corporate privacy program
  • The ability to articulate for corporate management the reasons why a privacy function is critical to corporate core values

Handout 1, Presentation 1

Information Governance: A Key Ingredient in Your Compliance Strategy

Diane Carlisle, Executive Director of Content, ARMA International

An often overlooked component in an organization’s compliance program is information governance. Yet, effective information governance makes compliance easier to implement and manage, and helps you substantiate compliance to regulatory authorities. ARMA International’s Generally Accepted Recordkeeping Principles (known as “the Principles”) outline a comprehensive framework for effective information governance—regardless of type or size of organization. This session will provide an overview of the Principles and ARMA’s Maturity Model for Information Governance, and will show how the framework supports a compliance and litigation readiness strategy.

Presentation 1

Preventing the Pitfalls of Data Gone Wild: Data Governance Done Right

Peg Kuman, Vice Chairman, Relevate
Rachel Nyswander Thomas, CIPP/US, Vice President, Government Affairs, Direct Marketing Association

“Data governance” is a big buzz phrase these days, but what does it really mean? Learn how thought leaders successfully navigate a sea of changing technology, innovative data use and complex regulations to create data governance game plans that integrate privacy, data security and marketing functions. You’ll leave with the tools you need to steer your organization toward sustainable compliance in an increasingly data-driven world.

What you’ll take away:

  • An understanding of what data governance is and why it is critical
  • The foundational tenets of data governance and how they apply to your organization
  • Tools for developing a cross-functional data governance game plan

Presentation 1

Risky Business: Integrating Social Media into the Workplace

Rebecca H. Davis, CIPP/US, Assistant General Counsel, Wal-Mart Stores, Inc.
Lisa Thurber, Senior Manager, Web/Digital Communications, Wal-Mart Stores, Inc.

No company is free from managing risks inherent to social media. This is true whether a company leverages social media to accomplish its business goals, allows (or even requests) employee participation in social media on company time, provides an internal social media platform or foregoes social media entirely. Join us for an overview of various social media platforms and functionality and the legal and business risks associated with each. You’ll learn best practices and risk management strategies you can put to use at your organization.

What you’ll take away:

  • Ability to spot and manage risks with new and current social media
  • An understanding that social media risks exist even for organizations that decline to participate
  • Insight on designing internal social media platforms intentionally to avoid or mitigate risk

Presentation 1



The 411 on Cybersecurity, Information Sharing and Privacy

Emily Andrew, CIPP/US, CIPP/G, Senior Privacy Officer, National Protection and Programs Directorate, U.S. Department of Homeland Security
Maya A. Bernstein, CIPP/US, CIPP/G, Privacy Advocate, U.S. Department of Health & Human Services
Aaron J. Burstein, Policy Advisor, National Telecommunications and Information Administration, U.S. Department of Commerce

Cyberspace enables more communication, commerce and interdependencies among organizations and individuals. New, more frequent and increasingly sophisticated cyber threats pose significant risks to our critical infrastructures, the working of government and our individual privacy. The U.S. government is working along several fronts to reduce the risks of cyber attacks, including promoting more mature network security, partnering with the private sector and proposing new cyber strategies and legislation. What are the best practices for network security? How does the government partner with key stakeholders, and how are different types of data (e.g., personally identifiable information, medical records, intellectual property, privileged information) handled? Join our expert panel for an overview of the government’s ongoing efforts to improve cybersecurity through information sharing, insights on the structures in place to help protect privacy and a discussion of some major legal and policy issues that public- and private-sector players are grappling with as the cybersecurity landscape evolves.

What you’ll take away:

  • A description of the three levels of a network security program
  • Understanding of the major federal efforts underway to protect cybersecurity by legislation, executive order and administrative rule
  • A summary of the major legal and policy issues arising in the implementation of the national cybersecurity program

Presentation 1

Covering All the Angles: How the DoD Integrates Privacy from the Top Down

Samuel P. Jenkins, CIPP/G, Director for Privacy, Defense Privacy and Civil Liberties Office, United States Department of Defense

The Department of Defense (DoD) is a global organization with a presence in virtually every country, and it is challenged with integrating a privacy program in the private and public sectors. Effectively integrating the program must start at the top of the government and work down through the entire workforce. In this session, we’ll address questions including: 1) how federal and commercial regulatory authorities compare, 2) how access to sensitive information may have financial repercussions in the private sector, but could hold national security implications in the public sector, and 3) how, during a breach, the breached PII of a commercial VIP could lead to corporate embarrassment, but the breached PII of a federal leader could have major national security implications. You’ll leave with lessons learned and best practices from a federal privacy program.

What you’ll take away:

  • Insight on how effectively integrating a public-/private-sector privacy program must start at the top
  • An understanding of how federal and commercial privacy regulatory authorities differ
  • How a breach of PII can have very different ramifications in the public and private sectors

Handout 1, Handout 2, Presentation 1

Who's Watching the Drones?

Christopher Calabrese, Legislative Counsel, American Civil Liberties Union
Christopher S. Lee, CIPP/US, CIPP/G, Directorate Privacy Officer, Science & Technology Directorate, Department of Homeland Security

Unmanned aircraft systems, better known as drones, are making their way from surveilling overseas battlefields to our backyards and public spaces. Find out what Congress and the federal government are doing to identify and mitigate drone privacy risks.

What you’ll take away:

  • Insight on the growing use of drones in the U.S.
  • An understanding of legal authority to regulate the use of drones in the U.S.
  • Predictions on congressional actions and delegated authorities

Presentation 1



Healthcare Data Breaches Can Have Nine Lives!

Annemarie Boyan, Associate General Counsel, The Children’s Hospital of Philadelphia
Katherine M. Keefe, Breach Response Services Director, Beazley Group

Healthcare data breaches can come back to life if not handled effectively. Brand-new data breach regulations have been issued and place new burdens on healthcare organizations. The pressure on the healthcare industry to safeguard patient data has never been greater. The OCR, OIG, FTC, state AGs and private plaintiffs are much more sophisticated and aggressive in reacting to data breaches; their involvement extends the life of a breach and now frequently brings negative consequences. The number and severity of enforcement actions and penalties is on the rise, as are instances of fines being levied as the result of small breaches. These realities are sobering, but proactive steps can keep a healthcare data breach from springing back to life in a nasty way. Join us for a discussion of the new data breach regulations, the enforcement climate and the actions that healthcare organizations can take to prepare for and effectively manage data breaches in order to stay a step ahead of regulators and plaintiffs.

What you’ll take away:

  • How the newly issued HIPAA/HITECH regulations impact breach responses
  • Trends in enforcement and lawsuits
  • Common-sense compliance approaches to reduce your healthcare organization’s exposure

Presentation 1

Healthcare in the Cloud—Navigating HIPAA's Stormy Weather

Adam Greene, Partner, Davis Wright Tremaine LLP

One of the big IT buzzwords of the moment is the “cloud.” In many circumstances, cloud computing services offer healthcare providers significant information technology savings opportunities and increased flexibility. Of course, such opportunities also come with potential risks and challenges. Join Healthcare Information and Management Systems Society (HIMSS) Cloud Security Workgroup chair Adam Greene to analyze the information security and HIPAA compliance issues associated with healthcare providers leveraging cloud computing services. We’ll explore potential steps for incorporating cloud computing into your information security program, including moving beyond vendor claims of HIPAA compliance and asking the right questions, cloud computing risks and vulnerabilities to incorporate into your risk assessment, issues to address in business associate agreements, privacy issues such as accounting for disclosures and access by cloud providers, and challenges created by different cloud computing use cases.

What you’ll take away:

  • The security challenges associated with an IT solution involving multiple cloud providers
  • How to implement the use of cloud computing services into an information security risk analysis
  • Required and optional elements of a business associate agreement with a cloud provider

Lessons Learned from OCR Privacy and Security Audits

Verne Rinker, Health Information Privacy Specialist, HHS Office for Civil Rights
Linda Sanches, Senior Advisor, HIPAA Privacy, HHS Office for Civil Rights

The Department of Health and Human Services Office for Civil Rights (OCR) has implemented the HITECH Act’s requirement to establish a program of audits to ensure that covered entities are complying with the Privacy and Security Rules and breach notification standards. Join us to hear how the program was implemented, a summary of findings from audits of 115 covered entities and insights on OCR's plans for future audits.

What you’ll take away:

  • Details about the audits
  • A summary of audit findings based on reviews of 115 covered entities
  • Answers to your questions about the audit program and OCR’s plans for future audits

Presentation 1

The New HIPAA Era: What's New, What's Different and What's Actually Important

Kirk J. Nahra, CIPP/US, Partner, Wiley Rein LLP
Leon Rodriguez, Director, U.S. Department of Health and Human Services, Office for Civil Rights

HHS has finally released the final HIPAA/HITECH rules, almost four years from the passage of the HITECH law. There is time to get into compliance, but the rules will affect the healthcare industry and its business partners in meaningful ways. Explore what's actually important about these new rules, particularly the key areas where your organization will need to revise behavior, change strategy or take new kinds of actions. Plus, have your questions answered during a Q&A.

Handout 1, Presentation 1

Repeat Session: Handout 1, Presentation 1

Who's on First? Second? Third? Enforcement Interplay After a Breach

Robin B. Campbell, CIPP/US, Attorney, Crowell & Moring LLP

Join this discussion of how to respond to a breach in a manner that protects your organization during the investigation and litigation that may follow. We’ll discuss the enforcement interplay between federal and state regulators and private lawsuits when a breach occurs. You’ll learn about the authority for multiple actions or fines stemming from a single incident, as well as best practices for breach response while anticipating regulatory enforcement or litigation. Find out when and how to assert privilege during a breach investigation, and how to remediate without exposing your company in litigation. You’ll also explore how to coordinate internally and fight multiple fronts at the same time with a consistent message.

What you’ll take away:

  • How to incorporate litigation and investigation risks into your breach response plan
  • Creating a plan of action in advance for a coordinated response in all areas
  • Insight on protecting against litigation while responding to and remediating a breach

Presentation 1



Do You Know Where Your Data Is? Regaining Control in the Cloud

Chad Costello, General Counsel, Dachis Group
Tony Frey, CEO, Skyence, Inc.

The past five years have seen unprecedented growth in the adoption of cloud-based products and services. Initially, these services were adopted by IT as a way to cut costs and reduce internal infrastructure. More recently, however, there has been a dramatic surge in services that are being used within the business by employees without the consent of IT. This consumerization of IT has had dramatic consequences. Businesses have lost the ability to ask who, what and where with regard to their business information. Massive adoption of cloud services has led to a huge degree of data proliferation, with the same data often residing in three or more systems, each with different terms of service, SLAs and privacy policies. In this session, we’ll cover examples of different terms of services from popular cloud providers and how they affect the data you store in them, as well as legal considerations for storing your data in the cloud. Additionally, you’ll learn how different systems and policies can give you better management of data without impacting the benefits of the cloud.

What you’ll take away:

  • Understand privacy, security and legal issues associated with using cloud services
  • Identify best practices and policies for using cloud services

It Takes Data to Protect Data: A Privacy Pro’s Primer on Security Technology

Michelle Dennedy, CIPP/US, Chief Privacy Officer, McAfee, Inc.
Jonathan Fox, CIPP/US, Director of Data Privacy, McAfee, Inc.
Paola Zeni, CIPP/US, Director, Global Privacy, Symantec/Vontu

Security software works to reduce data security threats in three key ways: 1) by analyzing data sent to your devices for signs of risk or suspicious activity, 2) by assessing the reputation of the sending device to see whether access should be allowed and 3) by adapting responses to new threats based on intelligence. In other words, security software depends on a constant stream of data and ongoing analysis to predict threats and protect computers and electronic devices from spam, viruses, malware, bots and data loss. Get inside the world of information security in this illuminating session, where you’ll learn why it takes data to protect data, what you need to know about security technologies and what questions you should ask your information security teams when deploying these technologies.

What you’ll take away:

  • How privacy pros should team with information security in deploying security technology solutions
  • How anti-spam, anti-virus, data loss prevention and firewall software works
  • The complexity created by defining IP address as personally identifiable information

Presentation 1

When Disaster Strikes: Essentials for Dealing with Global Data Security Incidents

Brian Hengesbaugh, CIPP/US, Partner, Privacy, Information Technology and Commerce, Baker & McKenzie LLP
Paul Luehr, Managing Director, Stroz Friedberg LLC

Join us for an update on rapidly expanding global data breach notification requirements and cybersecurity risks, including prevention, preparation for incident response, and crisis management issues in the midst of an actual global incident.

Presentation 1

You Want to Implement BYOD Where? A Case Study from the World’s Largest Employer

Elizabeth H. Johnson, Partner and Practice Group Leader, Privacy and Information Security, Poyner Spruill
Anthony Martin, Senior Associate General Counsel, Privacy and Security, Wal-Mart Stores, Inc.

Can a company with more than two million employees successfully implement BYOD (and should it even try)? Are the risks too great to tolerate, or is the cost savings too big to ignore? Does it actually cost more to manage a BYOD program than to issue company-owned devices? Learn the answers to these questions and others as we explore the implementation of BYOD at Wal-Mart Stores, Inc. You’ll hear about the inspiration for the program, the competing concerns raised (e-discovery challenges, breach potential, etc.), the compliance issues that were vetted (PCI, HIPAA, etc.) and what final decisions the company reached in order to enable BYOD. The speakers will share the pros and cons of BYOD in general and how Wal-Mart weighed and addressed them in its own implementation. We’ll also review several forms of BYOD that resulted from this implementation (MDM, VDI, etc.), adoption rates and the perceived success of the program.

What you’ll take away:

  • Privacy and security compliance and risk inherent in BYOD implementation
  • Insight into the vetting process that took place at a Fortune 500 company
  • Takeaways regarding the different forms of BYOD that exist and some pros and cons of each

Presentation 1



Do Not Track: Where It’s Going, Where It’s Been

Moderator: D. Reed Freeman, Jr., CIPP/US, Partner, Morrison & Foerster LLP
Mike Hintze, CIPP/US, CIPP/C, CIPP/G, CIPP/IT, Associate General Counsel, Microsoft Corporation
Stuart Ingis, Partner, Venable LLP
Aleecia M. McDonald, Senior Privacy Researcher, Mozilla
Maneesha Mithal, Director, Division of Privacy and Identity Protection
Peter P. Swire, CIPP/US, C. William O’Neill Professor of Law, Moritz College of Law

Have questions about Do Not Track? Join us to explore what Do Not Track (DNT) is, including how it is represented in major browsers and what signals it sends and to whom. We will also address the status of various efforts to define the meaning of a consumer’s preference not to be tracked, whether through a DNT signal or otherwise. You’ll learn what DNT accomplishes, what it does not accomplish and where the industry is in terms of adoption and compliance, including with complementary self-regulatory initiatives. You’ll also hear how FTC staff will likely evaluate industry’s implementation of DNT and similar initiatives.

What you’ll take away:

  • An understanding of what DNT is and how it works
  • Identification of other, similar self-regulatory efforts that allow consumers to express their tracking preferences
  • Insight on where the DNT process is now, including the key policy issues that are involved with making it work for all stakeholders

Location, Location, Location: Risks and Rewards of Location-based Services

Karen Neuman, Partner, St. Ledger-Roty Neuman & Olson, LLP
Michelle M. Shanahan, Senior Associate General Counsel, National Public Radio
S. Jenell Trigg, CIPP/US, Member, Lerman Senter PLLC

Join us to learn about the benefits of geo-location tracking for the delivery of advertising, promotions, couponing and other commercial location-based services via mobile applications and devices, and gain a practical overview of the various technologies used for tracking purposes and the laws and regulations that govern such use. You’ll hear lessons learned from state and federal government proceedings and class action lawsuits alleging unauthorized use of location-based information, and explore the different consent mechanisms and requirements of various mobile application platforms, as well as the self-regulatory guidelines related to location-based services issued by the Mobile Marketing Association, Electronic Frontier Foundation, Future of Privacy Forum and Center for Democracy & Technology, CTIA - The Wireless Association and others. Plus, you'll take part in an interactive exercise identifying due diligence requirements and negotiating contract agreements with third-party service providers and app developers.

What you’ll take away:

  • How to identify legal issues related to location-based services
  • How to execute informed express prior consent for location-based service use
  • Knowledge of requisite due diligence and contract provisions for service providers/app developers, best practices and self-regulatory guidelines

Presentation 1

Protecting Your Brand in Cyberspace: The Dos and Don’ts

Abhishek Agarwal, CIPP/US, Information Risk, Security Compliance Manager & Privacy Leader, Kraft Foods

Today’s organizations are constantly facing threats that could lead to a significant loss of revenue resulting from breaches. Get the ins and outs of brand protection in cyberspace as we explore the history of breaches and incidents leading to brand reputation damage and loss. A special emphasis will be put on organizations that are not regulated by security and privacy regulations such as GLBA and HIPAA but have equal, if not greater, reputational risks. We’ll look at key drivers for protecting brands in cyberspace, such as business risks, compliance and governance risks and IT security risks. We’ll also explore establishing a brand protection program. You’ll hear real-world tips on establishing brand protection, including insights on framework, methodology, process and key matrices, accompanied by board and management dashboards. Finally, we’ll review a real-life case study, and you’ll walk away with a list of must-haves, dos and don’ts you can put to use at your organization.

What you’ll take away:

  • List of business, regulatory and reputation risks
  • Must-haves, dos and don’ts
  • Snapshots of board and executive management dashboards

Presentation 1

You Must Be at Least 13 Years Old to Attend This Session: Changes to Children’s Privacy Laws

Christian Genetski, Senior Vice-President and General Counsel, Entertainment Software Association
Mamie Kresses, Attorney, Division of Advertising Practices, Bureau of Consumer Protection, Federal Trade Commission
Lindsey L. Tonsager, Associate, Covington & Burling LLP

Changes to the FTC’s rule implementing COPPA and the proposed EU Data Protection Regulation could significantly alter how companies may process data from children. In this session, learn the answers to the following questions and more: What entities are regulated? (Hint—it’s not just child-directed sites and services.) How are companies preparing for these changes? Are any best practices emerging? What role can parental controls and other technology tools play in protecting children’s privacy? At what point should companies be building children’s privacy protections into their products and services? How are the U.S. and EU approaches the same, and how are they different?

What you’ll take away:

  • New laws in the U.S. and the EU could greatly expand the number of companies subject to children’s privacy requirements
  • Legal compliance is complicated by the use of third parties, such as ad networks and plugin providers, that make an organization’s sites and services more engaging and relevant
  • Parental controls and other technology tools are one way to help provide parents simple, accessible means to exercise control over their children’s online activities

Presentation 1



Bank on It: Privacy and Data Security in Mobile Banking

Mercedes Tunstall, Of Counsel, Ballard Spahr LLP

Join this timely discussion of the privacy and data security implications and concerns tied to mobile financial services applications. We’ll explore everything from text banking, mobile banking and mobile wallets to person-to-person payments.

What you’ll take away:

  • An understanding of the variety of mobile technologies being used to manage financial service accounts
  • How to apply existing privacy laws to the mobile channel
  • Data security concerns specific to mobile technologies and best practices for addressing such concerns

The Mobile Majority: Building Privacy by Design into Mobile Apps

Clarissa Cerda, EVP, Chief Legal Officer and Secretary, LifeLock
Kimberly Cilke, CIPP/US, Deputy General Counsel, Go Daddy Operating Company, LLC
Timothy Sparapani, Vice President, Law, Public Policy & Government Relations, Application Developers Alliance & Principal, SPQR Strategies, PLLC

With the explosion of mobile computing, there has been intense focus on the privacy safeguards built into mobile applications and, in some cases, the unfortunate lack of such safeguards. In 2012, the California attorney general made news for entering into an agreement with top technology companies to set baseline standards for mobile app privacy, the FTC released privacy guidelines for mobile app developers and the White House kicked off meetings on its Consumer Privacy Bill of Rights with a discussion of mobile applications. Further administrative, legislative and industry efforts are expected in 2013. Join this review of the current status of mobile app privacy regulation, where you’ll learn what's on the horizon and gain practical tips to ensure that your organization’s mobile apps comply with consumer privacy expectations while still providing a robust user experience. Case studies from Go Daddy's own experiences in building and supporting popular mobile applications will be shared.

What you’ll take away:

  • A summary of current and pending legislation and administrative and industry standards for mobile app privacy
  • A list of the key privacy-related elements that should be incorporated into every organization's mobile apps
  • Tips for working with your organization's mobile app developers to ensure that Privacy by Design is included in each new app and app update

Presentation 1

Zen and the Art of BYOD Implementation

Ruby Zefo, CIPP/US, Legal Director of IT, Privacy & Security and Trademarks, Intel Corporation

BYOD programs are proliferating like Internet-enabled rabbits, much faster than guidance on finding an appropriate privacy and security balance. Don’t be left behind—or worse, left with bootleg devices on your network from employees who crave choice in the devices they use. Join us for a whirlwind tour of launching a BYOD program worldwide, across smart phones, tablets and laptops. In this interactive session, you’ll learn about finding the right balance between employee privacy rights and security of company information, legal and regulatory requirements, a satisfactory user experience, other employee policies (for example social media, software licensing, code of conduct) and cost. You’ll leave with practical solutions that can be applied globally to BYOD programs, as well as similar types of services that invoke employee monitoring.

What you’ll take away:

  • Tips for managing the balance between employer data security and employee data privacy
  • Tips for managing legal and regulatory requirements that may be invoked by global BYOD programs
  • Types of clauses to consider in BYOD program agreements and policies

Handout 1, Presentation 1



The Good, the Bad and the Ugly of Data Flow Mapping

Kristen Knight, CIPP/US, Privacy Director, Philips Electronics North America

In this session, you’ll hear firsthand insights on undertaking an organization-wide data flow mapping effort. Starting at the beginning, we’ll discuss the motivations for the undertaking and move on to the methodology used, the project details and lessons learned—both good and bad. You’ll hear methodology specifics, including risk-based prioritization, review interview and questionnaire templates, discuss how the project was driven from the corporate level down into the various parts of the business and explore the insights gleaned from the project. In this how-to session, you’ll gain practical tips and an understanding of a “day in the life” of the project manager responsible for driving the project. We’ll also discuss the challenges and benefits of the initiative.

What you’ll take away:

  • A practical view into one company's approach to data flow mapping
  • Ideas for methodology, approach and execution of data flow mapping
  • An understanding of the benefits that can be gained

Handout 1, Handout 2, Presentation 1

Privacy Engineering: Bridging the Gap between Policy and Code

Michelle Dennedy, CIPP/US, Chief Privacy Officer, McAfee, Inc.
Peggy Eisenhauer, CIPP/US, Founder, Privacy & Information Management Services
Jonathan Fox, CIPP/US, Director of Data Privacy, McAfee, Inc.
Constantine N. Karbaliotis, CIPP/US, CIPP/C, CIPP/IT, Americas Privacy Officer, Mercer

Drawing on case studies, we’ll provide tools you can use to implement Privacy by Design (PbD), and offer insight on translating the guiding light of FIPPs, GAPP and PbD into concrete concepts that organizations, software engineers and system administrators/owners can understand and apply throughout the product or process lifecycle—regardless of development methodology—from inception to retirement, including data deletion and destruction. We’ll also explore the emerging role of the privacy architect; how to team with user experience/interface designers; how to avoid being overly (data) retentive; and how to align with product security reviews to accelerate the privacy review process and be more efficient.

What you’ll take away:

  • How to make the business case for privacy engineering focus and PbD
  • Tips for providing training to engineers and system administrators/owners and embedding privacy in product lifecycle processes
  • Job descriptions for privacy architects, and strategies for teaming with UI/E, data retention and information security teams
  • Understanding of tools and policies that address the data lifecycle

Handout 1, Handout 2, Handout 3, Handout 4, Handout 5, Presentation 1, Presentation 2

Let’s Make a Deal: Hot Topics in Mergers and Acquisitions

Lara Kehoe Hoffman, CIPP/US, Global Privacy & Data Security Counsel, Autodesk, Inc.
Peter M. Lefkowitz, Vice President, Chief Privacy Officer, Oracle
Christine E. Lyon, Partner, Morrison & Foerster LLP

If your company isn’t already looking to buy or sell a business, it may just be a matter of time. You need to be prepared to guide your organization through each stage of the deal process. Preparation: How do you prepare to evaluate, review and integrate employee, marketing and customer data in acquisitions? Who will handle privacy, data protection and associated regulatory issues? Due diligence: Are there limitations on the sale of customer data? What employee data can be shared and when? Negotiation: What contractual assurances might be sought regarding privacy and data security? What are potential consequences of disclosing non-compliance? Integration: When can the buyer or affiliates start marketing to the seller’s mailing lists? What types of updated notices or consents may be required? In this interactive session, you’ll learn ways to add value to the deal team, regardless of whether you have prior M&A experience or not.

What you’ll take away:

  • An increased awareness of privacy concerns most likely to become deal-breakers
  • Knowledge of common privacy issues arising at each stage of the deal process
  • A better understanding of the value you can provide during the deal process, and strategies for increasing your visibility and involvement

Presentation 1

Where There's Smoke There's Fire—Assessing Your Vendors

Sheila Colclasure, CIPP/US, Americas Privacy and Public Policy Director, Acxiom Corporation
Michael McCullough, Vice President, Enterprise Information Management & Chief Privacy Officer, Macy’s, Inc.

Your vendor is your proxy. Your vendor, and the work they do for you, may well be where the rubber really meets the road. Do you have a view into who your vendor is? Are they stable, credible, reliable? Do they walk the walk or just talk the talk? Are they all hat and no cattle? Credentialing your vendors and then maintaining vendor compliance is a critical piece of an effective privacy program. This session will walk you through vendor credentialing and vendor compliance, explain what you’re looking for, discuss what vendors may keep hidden and explain how to look under the covers and pull back the curtain.

What you’ll take away:

  • The ingredients of a vendor credentialing and vendor compliance program
  • Credentialing tools and checklists
  • How to implement an effective program

Presentation 1

Where the Rubber Hits the Road: Operationalizing Privacy by Design

Bojana Bellamy, CIPP/E, Director of Data Privacy, Accenture
Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario
Brendon Lynch, CIPP/US, Chief Privacy Officer, Microsoft Corporation

Sure, Privacy by Design (PbD) is emerging as a worldwide gold standard for data protection and privacy, but how do you take it from theoretical construct to concrete practice? Join our panel of renowned privacy leaders to learn exactly how organizations have successfully transitioned PbD from a general framework to a concrete way of doing business. In this engaging, interactive session, you’ll hear the secrets behind the success of multiple organizations’ implementation of PbD. Privacy practitioners from industry will share their own experiences and ideas for implementing PbD within an organization. Privacy neophytes and seasoned privacy veterans alike will enjoy this refreshingly plainspoken approach to taking PbD from principle to practice.

What you’ll take away:

  • How to make privacy the default mode in your processes/products
  • A big-picture perspective on how the seven foundational principles of PbD are being operationalized across a broad cross-section of industries
  • A wealth of resources aimed at maximizing your organization's privacy program



At the Ready: Preparing U.S. Organizations for the Proposed EU Regulation

Uwe W. Fiedler, CIPP/E, Global Privacy Officer & VP, PAREXEL International Corporation
Tanya Madison Cunningham, CIPP/US, Financial Privacy Counsel, eBay Inc.
Edward R. McNicholas, Global Coordinator for Privacy, Data Security and Information Law, Sidley Austin LLP

In January 2012, a proposal for an EU regulation on data protection was published by the European Commission. Once adopted, it will replace the current EU Data Protection Directive and will have a significant impact on U.S. organizations by introducing new rights, such as a right to be forgotten and a right of data portability, as well as new obligations, such as privacy by design and by default, requirements to retain detailed documentation, the use of privacy impact assessments and mandatory-appointment data protection officers, as well as introducing fines of up to 2% of the annual worldwide turnover. Join us to discuss the latest developments on the EU regulation and the impact to U.S. organizations.

What you’ll take away:

  • A timeline of when the EU regulation will apply to U.S. companies
  • Tips for preparing your organization
  • Insight on the impact of the EU regulation on data transfers between the EU and the U.S., including Safe Harbor
  • An understanding of the significant changes for FCPA and other investigations and cross-border litigation
  • Information on the mandatory appointment of data protection officers
  • Details on enforcement, fines and collective redress

Presentation 1

Going Mobile—An Employee–Employer Face-off

Moderator: Murray Johnston, Director, Government Affairs and Public Policy, Experian
Orrie Dinstein, CIPP/US, Chief Privacy Leader and Senior IP Counsel, GE Capital
Daniel VanBelleghem, Chief Security Architect, NCI Information Systems

Is the mobile workforce erasing traditional boundaries? With BYOD and cloud computing becoming the new norm, companies are increasingly forced to develop strategies that enable a mobile workforce. However, many companies have been slow to develop and effectively communicate commensurate security controls. Join us for a mock debate between employee and employer that will address the lack of physical boundaries associated with mobile devices, the challenges of enterprise policy on non-company owned devices (BYOD, the cloud) and the boundaries for managing employee behaviors.

What you’ll take away:

  • An understanding of risks and primary challenges associated with BYOD programs
  • Strategies for implementing controls that address the security risks associated with BYOD
  • Possible tools and techniques available for personal user devices integrating with enterprise security architectures

Presentation 1

HIPAA and the HITECH Changes: A Candid Conversation with the Regulator

Marcy J. Wilder, Partner, Hogan Lovells US LLP
Sue McAndrew, Deputy Director for Health Information Privacy, U.S. Department of Health and Human Services

The new HITECH regulation modifies HIPAA and changes how healthcare information is regulated in the United States. Join us for a candid conversation with Sue McAndrew, the current HHS lead for HIPAA policy and enforcement, and Marcy Wilder, the former HHS Deputy General Counsel responsible for advising on the original HIPAA regulations. Learn the regulator’s perspective on what the HITECH changes really mean, what needs to be done to protect patient information, what the changes to the data breach rules require and what to expect from future enforcement efforts. Time will be reserved for Q&A.

The Legal Side of Cybersecurity

Sherry Ramsey, CIPP/US, AVP-Public Policy, AT&T
Alan Charles Raul, Partner, Sidley Austin LLP

While achieving best cybersecurity practices involves primarily IT and technical protocols, numerous legal considerations also apply. Hear an expert panel discuss the current U.S. and international laws, court decisions and legal standards that govern or affect an organization’s cybersecurity compliance risks. Instead of focusing on data breach notification requirements applicable to compromise of consumer or other personal information, we’ll focus on the legal dimensions of network penetrations or threats involving critical infrastructure (including telecom, finance, energy, etc.), exfiltration of intellectual property, trade secrets or corporate activity, incidents affecting the defense industrial base and business-to-business relationships. We’ll also explore how existing laws facilitate or inhibit the ability of organizations to collaborate with government authorities or take cybersecurity countermeasures on their own initiative.

A New Angle on EU-U.S. Privacy/Data Protection Compatibility: The Coming Negotiations for an EU-U.S. Free Trade Agreement

Tim Bennett, Director-General, Transatlantic Business Council
Christopher Wolf, Co-chair Privacy and Data Security Practice Group, Hogan Lovells US LLP

In his State of the Union, President Obama announced forthcoming negotiations over an EU-U.S. Free Trade Agreement. Privacy and data protection are expected to be issues that are front and center in the negotiations, as the goal is regulatory harmonization and interoperability. Does this new round of talks offer an opportunity for mutual recognition, interoperability and a finding of adequacy by the EU of the U.S. privacy framework? This panel will explain the roadmap of the negotiations, how they might affect consideration of the EU General Data Protection Regulation and what the potential is for greater trans-Atlantic cooperation on privacy rules.

What you’ll take away:

  • An understanding of the Free Trade Agreement process
  • Insight on why regulatory harmonization is important to the negotiation process
  • The effect the negotiations may have on the developing privacy frameworks in the U.S. and the EU
  • Steps stakeholders can take before and during the negotiations to provide input to the process

Privacy and the Cybersecurity Crisis

Stewart A. Baker, Partner, Steptoe & Johnston LLP

Many nations, and even criminal gangs, are investing heavily in the penetration of computer networks. And those investments are paying off. Find out why no network owner can say with confidence that their network has not been penetrated.

Privacy and Ethics—Key Challenges Facing In-house Counsel in 2013 (MCLE Ethics Credit Eligible!)

James L. Calis, Associate General Counsel and Deputy Chief Privacy Officer, Global Tel*Link Corporation
James A. Merklinger, Vice President and General Counsel, Association of Corporate Counsel
Marty Provin, CIPP/US, Executive Vice President, Jordan Lawrence
Mercedes Tunstall, Of Counsel, Ballard Spahr LLP

The growing acceptance of bring your own device (BYOD) and social media is reshaping business and raising a number of ethical questions for in-house counsel. Join us to hear diverse perspectives on how hot privacy topics impact in-house counsel's ethics obligations, including social media use internally and externally and BYOD policies. This session is MCLE ethics credit eligible and is a must for in-house counsel and outside attorneys that advise companies in these areas.

What you’ll take away:

  • Ethical questions counsel should be considering
  • Perspective from the world’s largest in-house bar association
  • Real-life examples and analysis
  • Considerations of ABA guidelines

Presentation 1

Protecting Sensitive Data in the Post-PC World

Tim Choi, Sr. Director of Product Marketing and Strategy, WatchDox, Inc.

As the use of tablets and personally owned devices has proliferated, the issue of protecting sensitive data has jumped to the forefront of many CIOs’ and CPOs’ minds. Whether sanctioned by IT or not, employees have begun to access and share private and sensitive data on post-PC devices, often via file-syncing applications like Dropbox and as e-mail attachments. There are a variety of approaches to protecting this data, including mobile device management (MDM), mobile application management (MAM), application containerization, virtual desktops, backhauling traffic and building security into the data itself. Join this discussion of the pros and cons of the various approaches, including case studies on organizations that have met challenges around file sharing, collaboration and data protection.

Putting Accountability into Practice

Paula Bruening, Vice President Global Policy, Centre for Information Policy Leadership, Hunton & Williams LLP
Barbara Bucknell, Strategic Policy Analyst, Legal Services, Policy and Research Branch, Office of the Privacy Commissioner of Canada
Brendon Lynch, CIPP/US, Chief Privacy Officer, Microsoft Corporation
Eduardo Ustaran, CIPP/E, Partner and Head of the Privacy and Information Law Group, Field Fisher Waterhouse LLP

Accountability has been a globally recognized principle of data protection for more than three decades. But in recent years, an important effort has been underway to clearly define what accountability—and the related concept of responsibility—means for organizations that collect, store and process personal information. This work was recently advanced when Canadian privacy commissioners published guidance to help businesses effectively manage their obligations under Canadian law. Similar guidance for French companies has recently been published by the Commission nationale de l’informatique et des libertés (CNIL). Mechanisms such as the APEC Cross-Border Privacy Rules and EU binding corporate rules enable the movement of personal data across national boundaries for organizations that have demonstrated accountability for privacy and data protection. Join us to explore how the accountability principle is evolving, including how it relates to proposed legislation (such as the proposed EU Data Protection Regulation) and how organizations can implement and operate their privacy programs to help demonstrate accountability.

Reengineering Privacy Law

Annie I. Anton, Chair and Professor, School of Interactive Computing, Georgia Institute of Technology
Peter P. Swire, CIPP/US, C. William O’Neill Professor of Law, Moritz College of Law
Omer Tene, Associate Professor, College of Management School of Law

As the second wave of global privacy legislation dawns, with the revision of the framework in Europe, the OECD and the U.S., we’ll examine whether the legal framework has kept up with the rapidly evolving technological landscape. In particular, we look at the concept of de-identified data and assess its viability and scope in a big data environment. Anonymization, or de-identification, was once perceived as a silver bullet, allowing organizations to “have their cake and eat it too.” Over the past decade, it has become clear that in a world of big data, de-identification is increasingly challenged by re-identification techniques applied by clever adversaries. Join us to explore how new concepts in the computer science literature, such as differential privacy and crowd blending, can be introduced into law and how privacy enhancing technologies can be harnessed to minimize privacy risks.

What you’ll take away:

  • Understanding of strategies and techniques for effective de-identification
  • Awareness of the interplay between privacy law and engineering
  • Answers and insights from leading scholars in the field of computer science and law

Show Me the Money: How to Secure Funding for Your Privacy Projects

John Bruce, CIPP/US, CEO, Co3 Systems, Inc.
Michelle Dennedy, CIPP/US, Chief Privacy Officer, McAfee, Inc.

In this economic climate, securing budget for any project is harder than ever. With the increased emphasis on regulation, compliance and data breaches, corporate focus may be turning to privacy but budgets haven’t followed suit. Privacy officers are faced with increasing challenges and insufficient resources. Knowing how to successfully apply for appropriate funding is as critical to a privacy officer’s success as what regulations may apply to particular personal information. Every company has its own approval process, but there are tried-and-tested ways to increase the likelihood of a successful application for funding. Don’t miss this essential crash course on how to get the funding you’re looking for this year.

What you’ll take away:

  • Laying the groundwork for successful applications
  • How to make your case for a particular project
  • Ensuring your next application is also well received