In March 2011, more than 1,800 privacy professionals from around the world gathered in Washington, DC for the largest-ever Global Privacy Summit.

The Summit featured 200 speakers and more than 68 educational sessions on privacy’s most pressing issues as well as several opportunities for professional networking.  

We also heard thought-provoking keynotes on the complex notion of choice from Sheena Iyengar, author of The Art of Choosing; Barry Schwartz, author of The Paradox of Choice: Why More Is Less; and Eric Johnson, Norman Eig Chair of Business, Columbia Business School, Columbia University. The Summit ended with a departing keynote from Ontario’s Information and Privacy Commissioner, Ann Cavoukian, on one of privacy’s hottest topics, the concept of Privacy by Design.

Thank you to everyone who made the Global Privacy Summit 2011 such a success!

View the full brochure for the IAPP Global Privacy Summit (PDF 2,545KB)

 

Thursday, March 10
10 – 11 a.m.

The Art of Choosing

Sheena Iyengar’s high-voltage curiosity and penetrating insights exponentially expand an understanding of the central role choice plays in our lives and in answering the core business questions we all face in this increasingly competitive world. In a rapid-fire, multi-faceted presentation that is at once personable and commanding, she explains our “biological need for choice and control,” the decision process, and the myriad influences that dictate everything from purchasing choices to career moves, voting, medical decisions and marriage.

Sheena Iyengar
Author, The Art of Choosing,
S.T. Lee Professor of Business in the Management Division of the Columbia Business School

The EU Privacy Directive Review Process

The European 1995 Data Protection Directive is one of the most important and influential legislative frameworks in the field of privacy. The European Commission has recently undertaken to review and revise the Directive and intends to propose new legislation in 2011. Last November, the Commission released a document, which was informed by the results of a public consultation, setting forth its proposed strategy for revisions to the Directive. Among the issues highlighted in the strategy document were the creation of a “right to be forgotten”; improvements in procedures for database registration and international data transfers; introduction of an “accountability” principle; and enhancement of international cooperation among regulatory authorities. Hear from leaders of the review process about what changes can be anticipated; how U.S. businesses can engage in the process; and how the contemplated principles may play out in practice.

Moderator: Omer Tene, Associate Professor, College of Management School of Law, Israel
Peter Hustinx, European Data Protection Supervisor
Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party and President, Dutch Data Protection Authority
Artemi Rallo Lombarte, Director, Spanish Data Protection Authority and Vice-Chairman of the Article 29 Data Protection Working Party

Handout 1 (PDF 61KB)

Networking Session: “Mommy, I Want My Privacy”

Come hear senior privacy leaders, online experts and parents discuss the need for heightened privacy awareness for all ages in this networking session. The discussion will include practical rules and tips for talking to your children about privacy, and engaging in larger-scale educational efforts around online and personal privacy.

Facilitator: Parry Aftab, Executive Director, WiredSafety
Facilitator: Joyce Brocaglia, CEO, Alta Associates; Founder, Executive Women's Forum on Information Security, Risk Management & Privacy
Facilitator: Peggy Eisenhauer, CIPP, Founder, Privacy & Information Management Services
Facilitator: Patrice Ettinger, CIPP, Senior Counsel, Global Privacy, Avon
Facilitator: Nuala O'Connor Kelly, CIPP, CIPP/G, Senior Counsel, Information Governance & Chief Privacy Leader, General Electric
Facilitator: Christine Sadlouskos, CIPP, Privacy Compliance Leader, GE Champion, GE’s CyberSecurity School Challenge Commitment

Privacy by Design: How to Translate Privacy Law Provisions into Technical Solutions

New technology solutions and products are providing unthinkable possibilities for interaction between people and the environment. The drawback is that these technologies are fed with a significant amount of personal information that is often collected covertly and, once shared with others, is forever out of one’s control. The dichotomy between technology benefits and data privacy can be overcome only with a tight interaction between lawmakers and technicians. From Privacy Enhancing Technology to privacy by design, it is clear that the only viable solution is to translate legislative provisions into technical terms. Hear firsthand personal experiences from the legal partners of three research projects founded by the EU Commission in the ICT area aimed at designing privacy aware technologies in the field of network monitoring and ubiquitous pervasive technology.

Francesca Rubina Gaudino, Associate, Baker & McKenzie
Jan Seedorf, Senior Researcher, NEC Laboratories Europe

Presentation 1 (PDF 1,875KB)

Privacy Issues in Consumer and Patient Online Health Products and Systems

Join a lively discussion on the wide variety of consumer health information available online—including personal health records and patient Web sites that collect personal information, and the United States’ efforts to create a secure, nationwide, interoperable health information infrastructure that will connect providers, consumers and others involved in supporting health and healthcare. Explore the various ways in which consumer and patient information is transmitted online, discuss consumer consent and summarize the privacy issues involved and options for mitigating these risks.

Melissa Bianchi, Partner, Hogan Lovells
Jens Weber, Associate Professor and Software Engineering Program Director, University of Victoria, BC, Canada

Presentation 1 (PDF 771KB), Presentation 2 (PDF 70KB)

The Realities of Smart Grid Privacy

There is growing anxiety that the nascent power grid infrastructure, the Smart Grid, is heralding the end of consumer and household privacy. Stories surface daily, proposing novel ways in which hackers, thieves and even neighbors could steal the energy-use data of homeowners. Having witnessed the security issues of the Internet, many individuals believe that the Smart Grid will provide a similar vehicle for identity theft, financial fraud and scams. Keeping in mind that no public network is impenetrable, the technology behind the Smart Grid is being designed from the ground up to incorporate security and privacy for consumers. This panel of experts will shed light on the realities of the privacy concerns in the Smart Grid implementation, and share how they see privacy principles and best practices, such as Privacy by Design, within the current Smart Grid rollouts.

Moderator: Ryan Vinelli, CIPP, Legal Privacy Fellow, General Electric
Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario
John D. McDonald, Director, Technical Safety & Policy Development, GE Energy T&D
Jules Polonetsky, CIPP, Co-Chairman and Director, Future of Privacy Forum

Handout 1 (PDF 517KB), Handout 2 (PDF 3,092KB)

Top 10 Tips for Working with National Privacy Commissioners to Make the Case for Your Privacy Policies, Reduce Your Risk and Sustain Your Reputation

If your business is international, you need a strategy for protecting the privacy aspects of your corporate reputation and brand value in each country. If you think of personal data as the currency of your information system, you want to ensure that your organization does not get into debt over your privacy policy and practices. After working with national privacy commissioners for more than 25 years, Stewart Dresner, Chief Executive of Privacy Laws & Business brings you his top 10 tips for working with them. Understand the important differences between national privacy laws, how they are interpreted and enforced, and how to make your case. This is an opportunity for you to share your experiences: What are the relative merits of locating your global privacy manager in the country where your headquarters is located versus in another region? How do you keep up to date without drowning in the details?

Stewart Dresner, Chief Executive, Privacy Laws & Business
Billy Hawkes, Data Protection Commissioner, Ireland
Isabelle Falque Pierrotin, Vice President, CNIL

Presentation 1 (PDF 208KB), Presentation 2 (PDF 291KB)


Thursday, March 10
11:15 a.m. – 12:15 p.m.

Best Practices for Balancing Compliance with Inclusive, Open and Transparent Government

The mandate across U.S. government to create a participatory, transparent and collaborative environment, and to implement Web 2.0/Gov 2.0 strategies, creates a compliance balancing act. Transparent and participatory government must be accessible and available to everyone—truly reinforcing the principle of citizen-centric government. Gov 2.0 technologies like social networking, blogging, Wikis, etc. can help governments engage more effectively, efficiently and directly with their citizens; however, they do not negate the obligation of the government to protect private and sensitive information. Explore how government agencies can meet their obligations to provide citizen-centered solutions while maintaining statutory and regulatory compliance requirements using Microsoft SharePoint 2010 and compliance automation.

Javier Salido, CIPP, CIPP/IT, Senior Program Manager, Trustworthy Computing Group, Microsoft Corporation
Dana Simberkoff, CIPP, Vice President, Business Development, HiSoftware, Inc.

Handout 1 (PDF 721KB)

Networking Session: Champagne Privacy on a Beer Budget

Privacy and data security compliance obligations and risks are on the rise while budgets and staff are frozen or shrinking. Share your tips and tricks (and perhaps free materials) for effective compliance solutions and strategies for doing more with less in this challenging economy. Topics on the agenda include: controlling costs and increasing efficiencies, leveraging existing and available resources, strategizing use of outside consultants and focusing on top priorities. A list of free and publicly available privacy templates and resources will be provided.*

Facilitator: Mike Hintze, CIPP, CIPP/C, CIPP/G, Associate General Counsel, Microsoft Corporation
Facilitator: Susan Lyon, CIPP, Of Counsel, Perkins Coie LLP

Reopening of the EU Directive, Review of the U.S. Privacy Framework: Toward Greater Cooperation

At the moment of intense reconsideration of the U.S. and EU privacy frameworks, FTC Chairman Jon Leibowitz and EU Data Protection Supervisor Peter Hustinx will engage in an in-depth discussion of coming changes in both frameworks. Hear their insights into: similar features likely to appear in both frameworks; treatment of privacy by design standards (how they are likely to evolve and whether they will likely lead toward harmonization or further divergence and trade barriers); self-regulation; and, as a practical matter, how the FTC/U.S. Department of Commerce and the European Commission, respectively, can realize the policy changes described in the FTC Privacy Framework and the EC Communication.

Moderator: Jim Halpert, Partner, Communications, E-Commerce and Privacy, DLA Piper LLP (US)
Peter Hustinx, European Data Protection Supervisor
Jon Leibowitz, Chairman, Federal Trade Commission

Risk Assessments and HITECH: A 360° View from the Trenches

Join this interactive discussion of practical ideas for risk assessments and compliance under the HITECH Act. With the publication of recent HITECH Act regulations, including the Breach Notification Interim Final Rule, what lessons have been learned for successful privacy and security risk assessments and compliance implementation? Get practical advice for approaching these challenges using real-world examples, as well as how the meaningful use regulations can cross over to HITECH Act compliance efforts.

Moderator: Ozzie Fonseca, CIPP, Director, Experian Data Breach Resolution
M. Peter Adler, CIPP, Chief Privacy and Cyber Security Legal Compliance Officer, SRA International
Derek Woo, Managing Director, Sinaiko Healthcare Consulting

Presentation 1 (PDF 3,051KB)

Tales from Two Aspiring CPOs: Mistakes We've Made, Lessons We've Learned and Resources We Use

Two veteran privacy officers share their professional experiences on the path toward the CPO title, comparing and contrasting the mistakes they've made and the lessons they've learned in building formalized privacy programs from scratch and on a tight budget. Debra Farber will detail her experiences transitioning from a public-sector privacy consultant to an in-house privacy officer in the healthcare industry. Heidi Wachs will share her experiences as a higher education privacy officer who survived a major data breach and lived to tell the tale. Learn from their stumbles and achievements, and follow two different career paths focused on being a privacy professional. Gain practical insights as they share resources and materials they use on a daily basis to further their maturing privacy programs.

Debra Farber, CIPP, CIPP/G, Privacy Officer, The Advisory Board Company
Heidi Wachs, CIPP, Director of IT Policy & Privacy Officer, Georgetown University Information Services

Presentation 1 (PDF 963KB), Handout 1 (PDF 108KB), Handout 2 (PDF 11KB), Handout 3 (PDF 40KB)

Texts, Tweets and Torts: The Dos and Don'ts of Mobile Marketing

Are you up to speed with legal and industry best practices for marketing via mobile devices? Hear expert panelists discuss federal and state laws, from the CAN-SPAM Act to state Child Protection Registries, as well as lessons learned from judicial decisions and class action lawsuits regarding text messaging, tweets, pre-recorded calls, bluecasting and other location-based marketing. This session will also discuss how the laws apply to different technology, in addition to the regulatory requirements and best practices for bounce back messages, couponing, contest/sweepstakes and other mobile marketing efforts.

Scott Delacourt, Partner, Wiley Rein, LLP
Lois Greisman, Associate Director, Division of Marketing Practices, Bureau of Consumer Protection, Federal Trade Commission
Joanne McNabb, CIPP, CIPP/IT, CIPP/G, Chief, California Office of Privacy Protection
S. Jenell Trigg, CIPP, Member, Lerman Senter PLLC

Presentation 1 (PDF 769KB)

What Does All the Accountability Talk from Washington and Brussels Really Mean for Companies Like Yours?

The European Commission and Article 29 Working Party have both issued documents calling for privacy principles to be put into effect by creating an accountability principle. Congress is discussing accountability based legislation. Leaders in the Pacific Rim are debating how to measure accountability. What does it all mean for your organization? How do responsible companies build out an accountability based program? Get answers to these and other daunting questions.

Moderator: Marty Abrams, Senior Policy Advisor, Hunton & Williams LLP
Jennifer Barrett, CIPP, Global Privacy and Public Policy Executive, Acxiom Corporation
Bojana Bellamy, Director of Data Privacy, Accenture
Richard Thomas, UK Information Commissioner (2002-9)


Thursday, March 10
1:45 – 2:45 p.m.

The Data Retention Knot: Privacy Interests, Law Enforcement Interests and Operational Realities

Concerned about data retention obligations? Internet usage data that can be linked to a specific device or individual is a hot topic. Privacy advocates say keep less for shorter periods. Law enforcement advocates say keep more and for longer periods. Document retention schedules and legal hold obligations often conflict, and operational realities make it hard to know what's really going on. Learn the various positions taken by privacy and law enforcement advocates, examine the applicable document retention principles and preservation obligations, and find out how these conflicting notions might play out on a real set of data that gets used and analyzed by different work groups.

Andy Holleman, CIPP, Chief Privacy Officer, Qwest

Early Preview: Results from ANSI Working Group on Financial Impact of Unauthorized Disclosure of PII & PHI

What is privacy worth to your organization? An American National Standards Institute (ANSI) & Santa Fe Group–sponsored effort has been exploring the financial impact of the unauthorized disclosure of PII & PHI. The intent of this working group is to develop a framework for the financial assessment of such disclosures, so that this analytical approach may be used by organizations to drive ROI-based justifications for investments in security and privacy of PHI. Review the goals of the working group, the approaches taken to evaluate different dimensions of the problem, and reveal initial conclusions and insights derived from this influential and prominent group within the privacy community.

Rick Kam, CIPP, President, Co-Founder, ID Experts

Networking Session: Interacting with the FTC

In December 2010, the FTC issued a report indicating that it plans to actively pursue an ambitious, comprehensive privacy protection agenda. Join an informal, free-wheeling exploration of the FTC’s approach to online, financial, health and international privacy, as well as other privacy-related issues. Discover strategies for building a positive and proactive relationship with the FTC. Familiarize yourself with the FTC’s consumer complaint process; advocacy group petition process; access letters; investigations; and how best to communicate with the media, Congress, company boards of directors and even shareholders when interacting with the FTC.

Facilitator: Robert Belair, Partner, Arnall Golden Gregory LLP
Facilitator: Jessica Rich, Deputy Director, Bureau of Consumer Protection, Federal Trade Commission

Keeping Your Data Promises: Stewardship and Customer Trust

Collecting data is one thing. Protecting it is another. But perhaps the most important thing is using data in a way your customers/clients/users find useful and in keeping with the trust placed in you. Learn about Intuit’s Data Stewardship principles, with an emphasis on transparency and accountability for how Intuit uses data on behalf of its customers.

Barbara Lawler, CIPP, Chief Privacy Officer, Intuit

Presentation 1 (PDF 3,644KB)

NAFTA Privacy: What You Need to Consider When Doing Business in North America

The North American Free Trade Agreement (NAFTA) was designed to eliminate barriers of trade and investment between the United States, Canada and Mexico. Despite the harmonization of many laws, NAFTA members have distinctly different approaches to the protection of personal information. Join this session to examine the differences in the national approaches to privacy (and the similarities), and explore the impact on commerce and communication across the North American borders and in the borderless world of the Internet. Topics for discussion will include the newest Mexican privacy law that went into effect July 6, the Canadian approach to privacy under PIPEDA, the U.S. “harms-based” approach, and whether global harmonization on the protection of personal privacy is likely or possible. Hear from the continent’s leading voices and experts on privacy as they offer insights on the future of privacy, and what it means for consumers, business and government.

Moderator: Nuala O'Connor Kelly, CIPP, CIPP/G, Senior Counsel, Information Governance & Chief Privacy Leader, General Electric
Moderator: Christopher Wolf, Co-Chair, Privacy, and Data Security Practice Group, Hogan Lovells
Ken Anderson, Assistant Commissioner of Privacy, Information and Privacy Commissioner of Ontario
Julie Brill, Commissioner, Federal Trade Commission
Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario
Jacqueline Peschard Mariscal, President Commissioner, Federal Institute for Access to Information and Data Protection, Mexico

Presentation 1 (PDF 1,558KB), Handout 1 (PDF 193KB), Handout 2 (PDF 116KB), Handout 3 (PDF 32KB), Handout 4 (PDF 214KB), Handout 5 (PDF 478KB), Handout 6 (PDF 2,631KB), Handout 7 (PDF 3,427KB), Handout 8 (PDF 9,096KB), Handout 9 (PDF 5,376KB)

Privacy Related Consumer Complaints—Kid Glove Care

Handling consumer complaints in today’s escalated privacy environment can be challenging. Explore the comparison of complaint rates and types for different industries, and discover the recipe for successful handling and resolution. You’ll walk away with a detailed plan on successfully dealing with an incident-level spike of complaints coming into your organization.

Sheila Colclasure, CIPP, Americas Privacy and Public Policy Director, Acxiom Corporation
Stanley Crosley, CIPP, Director, IU CLEAR Health Information, Crosley Law Offices, LLC

Presentation 1 (PDF 1,535KB)

Territorial Privacy in the Age of Surveillance

Join industry experts for a look at practical solutions for addressing privacy concerns related to security technologies, such as access control systems, CCTV cameras and biometric systems. Get tips on how manufacturers can build privacy into the design of security products, steps integrators can take before installing security systems, and issues end users, such as employers, should consider when deploying security systems.

Kathleen Carroll, CIPP, CIPP/G, Director of Government Relations, HID Global
Sam Docknevich, National Business Development Manager, Siemens Security Solutions

Presentation 1 (PDF 113KB), Presentation 2 (PDF 1,299KB)


Thursday, March 10
3:15 – 4:15 p.m.

Canadian Regulators Panel

Canadian privacy law has always been viewed admirably by those in other countries. One of the strongest aspects of the Canadian approach is the collaborative and forward-thinking approach taken by the regulators. In this session, federal and provincial regulators will have a candid conversation about their approach, why it works and potential changes in the future. Get the inside scoop straight from the regulators as they discuss the topics and issues their offices will be paying particular attention to in the short and long term. This is a fantastic opportunity for professionals dealing with multi-national privacy issues to hear what is going on in the heads of some of the most influential data protection authorities in the world.

Moderator: Kris Klein, CIPP/C, Managing Director, IAPP Canada
Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario
Elizabeth Denham, Information and Privacy Commissioner of B.C.
Jennifer Stoddart, Commissioner, Office of the Privacy Commissioner of Canada
Frank Work, Information and Privacy Commissioner, Office of the Privacy Commissioner of Alberta

Presentation 1 (PDF 229KB)

Networking Session: Did You See Something and Say Something? What Does the Government Do with that Information?

Across the country, the U.S. Government is telling citizens if they see something suspicious, then they should report it. An observant person noted the would-be Times Square Bomber’s car looked suspicious. But what happens when the picture of the Hoover Dam you took on your last vacation exposes something suspicious? Come discuss the roles of the U.S. government and the public in today’s terror-filled world, how privacy protections are embedded into the Nationwide Suspicious Activity Reporting Initiative (NSI), and whether these protections are sufficient.

Facilitator: Mary Ellen Callahan, CIPP, Chief Privacy Officer, Department of Homeland Security
Facilitator: Michael German, Policy Counsel, American Civil Liberties Union
Facilitator: Dave Lewis, Chief Technology Officer, Nationwide SAR Initiative

Privacy Compliance for SEC-regulated Entities

In many ways, privacy and data security compliance is more difficult for SEC-regulated entities than for other financial institutions. These entities are subject to multiple privacy regulators with some requirements overseen by the SEC and others by the FTC. Further complicating compliance is that Regulation S-P, the primary SEC privacy regulation, has been in a proposed form with significant changes for nearly two years. Join this session for an examination of privacy and data security compliance for SEC-regulated institutions, including data sharing, affiliate marketing, safeguarding and security breach notice requirements. Dive into the applicable laws and regulations, the unique issues faced by these financial institutions, the requirements of the proposed Regulation S-P, and the effects of the Dodd-Frank Act, and explore how the structural arrangement of SEC-regulated entities, particularly with regard to broker-dealers, may often pose unique challenges under information sharing requirements.

Anne Marie Duffy, Vice President and Counsel, Putnam Investments
Nancy Hansbrough, Assistant Chief Counsel, Office of Compliance Inspections and Examinations, Securities and Exchange Commission
James Shreve, CIPP, Attorney, Goodwin Procter LLP

Presentation 1 (PDF 302KB), Handout 1 (PDF 253KB), Handout 2 (PDF 419KB), Handout 3 (PDF 415KB)

Privacy on the Ground

Join this panel of academics and corporate privacy officers as they discuss corporations’ internal privacy structures and activities, and how they are shaped by national differences in regulation, non-governmental activity and professionalization. The panel will pull from qualitative interviews with leading privacy and data protection officers in the U.S., France, the UK and Canada.

Kasey Chappelle, CIPP, Global Privacy Counsel, Vodafone Group
Peter Cullen, CIPP, Chief Privacy Strategist, Microsoft Corporation
Jeff Green, CIPP/C, Vice President Global Compliance Governance & Chief Privacy Officer, Royal Bank of Canada
Deirdre Mulligan, Assistant Professor, School of Information; Director, Berkeley Center for Law and Technology

Handout 1 (PDF 29KB), Handout 2 (PDF 121KB)

Privacy vs. Security: Achieving Balance in an Ever-Changing World of Social Networks, Terrorism and Cyberattacks

Commentators often describe privacy and security as being two sides of the same coin. As Internet growth exploded, concerns over privacy rose accordingly. We continue to grapple with shifting models and new technology, but renewed interest in security has risen in part due to terrorist activity, legislation, cyber-harassment, social networking and increasingly volatile cyberattacks. The challenge is maintaining privacy for data subjects while simultaneously providing products/services that don’t introduce vulnerabilities—for example, can an organization be compliant when employees have unlimited access to Facebook or LinkedIn? In some cases, privacy/security tradeoffs need to be made. Join this interactive discussion for an understanding of the tensions that exist, utilizing case studies to examine good and bad privacy solutions with security implications. Come away with a better understanding of the balance that must be struck between privacy and security.

Kenneth Mendelson, CIPP, Managing Director, Stroz Friedberg LLC
Randy Sabett, Partner, Co-Chair, Internet & Data Protection Practice, SNR Denton

Presentation 1 (PDF 11,779KB)

This Is Not Your Grandmother’s HIPAA: Understanding the Anatomy of a Complex Healthcare Breach

HITECH has altered our approach to healthcare privacy and security breaches. HITECH’s breach notification and enforcement requirements are made even more challenging by the tangled web of changing and sometimes conflicting state laws, amplified media scrutiny and an increased number of regulatory authorities charged with enforcement. Using a case study approach, this session will examine the anatomy of complex healthcare breaches from the perspective of a provider, a payer and a business associate. Gain the tools and strategies you need for navigating state and federal laws, agency and media reporting, individual direct and substitute notification requirements and opportunities, and the current enforcement environment.

Andrea Leeb, CIPP, Privacy Officer, Public & Senior Markets Group, UnitedHealth Group
Ann Tobin, Senior Privacy Counsel, UnitedHealth Group

Presentation 1 (PDF 204KB), Handout 1 (PDF 17KB), Handout 2 (PDF 17KB), Handout 3 (PDF 1,068KB)

Three Tips for Protecting Employee Privacy in an Age of Personal Mobile Devices

In an effort to accommodate personal preferences and flexibility, companies are increasingly allowing employees to use personal devices for corporate use. This practice blurs the barrier between personal and business content and as such introduces risks to individual privacy. Does your corporate backup strategy infringe on the rights of your employees? Could you invade personal privacy during a forensic investigation? Do your security procedures protect what they should? Join in a discussion exploring three top risks to employee privacy as employees conduct business over their personal mobile devices.

Dave Dobrotka, Director, Information Risk Management, UnitedHealth Group
Karriem Shakoor, Senior Director, Systems Operations, Blue Cross Blue Shield of Michigan
Sean Wessman, CIPP, Manager, Ernst & Young

Presentation 1 (PDF 371KB), Handout 1 (PDF 1,569KB), Handout 2 (PDF 1,318KB), Handout 3 (PDF 1,569KB)


Thursday, March 10
4:30 – 5:30 p.m.

Networking Session: 5-Minute Mixer

Don't know anyone at the conference? The 5-minute mixer is a fast and fun way to meet other privacy pros. You'll get the opportunity to have one-on-one meetings that last five minutes each. Each meeting is a chance to share your professional background and find out more about your colleagues. Don't forget to bring your business cards!

Facilitator: Chris Zoladz, CIPP, CIPP/G, Founder, Navigate LLC

Commercial Privacy Law Globalization, FIPS and Treaties: What U.S. Companies Should Prepare and Wish For

The U.S. Commerce Department invited companies to comment on its recent report on commercial privacy and innovation. This comes at a time when U.S. companies are facing increasing difficulties competing internationally because of foreign concerns and restrictions on data processing and privacy standards in the United States. Join this practical overview and address implications of various current international privacy law conflict challenges, harmonization discussions, policy proposals and expected changes for which U.S. companies need to prepare. Discuss practical strategies to navigate current divergent privacy expectations and legal compliance requirements around the world.

Brian Hengesbaugh, CIPP, Partner, Privacy/Information Technology/Commerce, Baker & McKenzie LLP
Marc Berejka, Senior Policy Advisor, Department of Commerce

Presentation 1 (PDF 2,222KB), Presentation 2 (PDF 63KB)

The Death of SAS 70: SOC It to Me

Many businesses function more efficiently and profitably by outsourcing tasks or entire functions to other organizations that have the personnel, expertise, equipment or technology to accomplish them. Businesses are also increasingly interested in cloud computing as a potential solution to capacity challenges. The threat of data breaches due to the use of third party, application hosting and software-as-a-service providers has heightened the need for organizations to demonstrate that they have addressed customer concerns related to the privacy of their personal information. Historically, the marketplace has turned to SAS 70, but recently, the AICPA replaced SAS 70 with SSAE No. 16, Reporting on Controls at a Service Organization. Discover the types of reports available with the new attestation standard that replaces SAS 70 and its impact on your organization from a privacy perspective.

Rena Mears, CIPP, Global & National Service Line Leader, Deloitte & Touche LLP
Doron Rotman, CIPP, National Privacy Service Leader, KPMG LLP

Presentation 1 (PDF 288KB), Handout 1 (PDF 243KB), Handout 2 (PDF 786KB)

FTC Preliminary Privacy Report: Key Takeaways for Business

FTC Commissioner Julie Brill and J. Howard Beales, former director of the FTC's Bureau of Consumer Protection, will address the FTC's preliminary staff report on privacy, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." This interactive discussion will center around three key elements of the report: “privacy by design”; a simplified and more robust choice mechanism; and improved transparency of information practices. The session will also cover the FTC’s support of a "do not track" mechanism, including how such a mechanism might be implemented, followed by a Q&A.

Moderator: D. Reed Freeman, Jr., CIPP, Partner, Morrison & Foerster LLP
J. Howard Beales, Associate Professor of Strategic Management and Public Policy, George Washington University; former Director of the FTC’s Bureau of Consumer Protection
Julie Brill, Commissioner, Federal Trade Commission

Legal Ethics in the Information Age: Unique Data Privacy Issues Faced by Law Firms

What ethical and legal obligations do law firms face when dealing with data privacy? What can and should your law firm do to accommodate applicable law and increasing client demands in this area? Join top experts as they flesh out these daunting and important questions and help you build a practical framework for compliance for your law firm.

Joseph DeMarco, Partner, DeVore & DeMarco
Lauren Shy, CIPP, Assistant General Counsel, Fragomen, Del Rey, Bernsen & Loewy, LLP
Aaron Simpson, Partner, Hunton & Williams LLP

Presentation 1 (PDF 181KB), Handout 1 (PDF 64KB)

Litigation Risks of Sharing Internet User Data with Third Parties: How to Avoid Becoming a Class Action Defendant

The plaintiffs’ class action bar has shown a recent propensity toward filing suits against companies that share their online users’ data with third parties. Companies like Blockbuster and Zappos.Com have been forced to defend a class action based on their business deal with Facebook. Others, including Disney Internet Group and Warner Brothers Records, were sued in a class action based on their affiliation with Clearspring Technologies. Amazon.com and Visa were named as defendants in a class action based on their business relationship with Webloyalty.com. Explore these lawsuits and others in order to learn how your company can minimize its chances of being sued in a class action based on third-party relationships that involve sharing of Internet user data.

Tonia Klausner, Partner, Wilson Sonsini Goodrich & Rosati

Presentation 1 (PDF 1,186KB)

To make the most of this session, it was recommended that participants review the Supplemental Reading prior to attending the conference. Click here to obtain a copy of the Supplemental Reading.

Monitoring Staff Communications—Just an Employment Issue . . .?

There are significant employment law considerations when an organization seeks to roll out communication monitoring tools across its global operations. These include rights to privacy of correspondence, consultation and non-discrimination, and restrictions on the purposes for which employee data can be monitored. For several years, these considerations have overshadowed a wide range of other equally significant factors—such as restrictions on the interception of communications under telecommunication and privacy laws, customer rights to privacy and confidentiality and professional duties of secrecy, and restrictions on the right to install monitoring software on end user computer terminals. Although historically considered a European issue, these restrictions are evident on every continent. Find out how to balance these restrictions against regulatory or operational requirements to monitor staff performance and record transactions, such as those imposed upon financial services companies and remote-working operations.

Moderator: Lynn Goldstein, CIPP, Senior Vice President, Chief Privacy Officer, JPMorgan Chase
Julian Cunningham-Day, Partner, Linklaters LLP

Presentation 1 (PDF 876KB)


Friday, March 11
10:30 – 11:30 a.m.

EU Cookies under Siege

The humble little text file developed to maintain state on the Internet is now under siege on two continents. The European Union is implementing a new directive that may result in express consent requirements, the Federal Trade Commission has announced support for a do not track mechanism, members of Congress are considering do not track legislation, and Microsoft has announced that a do not track mechanism is being incorporated into Internet Explorer 9. What does all this mean for online commerce and for advertising’s support of free content? How will all of this shake out in 2011 and beyond? Join us for a dynamic exploration of the issues in an interactive session.

Moderator: Miriam Wugmeister, Partner, Morrison & Foerster, LLP
Alex Fowler, Chief Privacy Officer, Mozilla
Mike Hintze, CIPP, CIPP/G, CIPP/C, Associate General Counsel, Microsoft Corporation
Maneesha Mital, Attorney/Associate Director, FTC

Navigating Financial Privacy Compliance in a Post–Dodd-Frank World

What will the passage of the Dodd-Frank Act and its creation of the Consumer Financial Protection Bureau mean for financial privacy? What new technology and practices regarding consumer data might regulators focus on in the near future? Join this discussion to see how the new CFPB may affect the regulation of privacy and data security and how evolving technology creates new privacy and data security challenges. Explore the implications for your privacy program and successfully address new consumer expectations.

Elizabeth Khalil, Associate, Hogan Lovells
Linnea Solem, CIPP, CIPP/C, Chief Privacy Officer, Deluxe Corporation

Presentation 1 (PDF 605KB)

The Paradox of Choice

A central aim of public policy in a democratic society should be improving the welfare of its citizens. Even when resources are plentiful, this is an extremely challenging task, because of the difficulty of determining what “welfare” consists of. Thus, collective welfare requires freedom, freedom entails choice, and choice is enhanced by wealth. The more choice people have, the better. But though the logic of choice may be compelling, there is growing evidence that the psycho-logic is not. Indeed, there is growing evidence that for many people, increased choice produces decreases in satisfaction—sometimes even misery; that it sometimes produces paralysis, not liberation.

Barry Schwartz, Author, The Paradox of Choice: Why More is Less,
Professor of Social Theory and Social Action, Swarthmore College

Privacy Considerations When Vetting Third Party Vendors, Suppliers and Agents

Join this discussion on best practices for understanding and assessing the efficacy of privacy compliance within third party vendors, suppliers and agents as it relates to how they will do business with your organization.

Robert Gratchner, CIPP, Director of Privacy, Microsoft Corporation
Amanda Mayhew, CIPP, Global Privacy Counsel and Senior Consultant, EthicsPoint, Inc.

Presentation 1 (PDF 324KB), Handout 1 (PDF 22KB), Handout 2 (PDF 81KB)

Privacy vs. Anti-Piracy: How to Balance Rights in an Era of Online Copyright Infringement

How accountable is an individual for his or her online activity? As the theft of copyrighted content online continues to bedevil and economically injure the content industry, how can bad actors be detected and policed without invading their privacy and the privacy of others? Industry experts will explore the state of the law globally in dealing with the tension between privacy and anti-piracy efforts. Hear the latest status of the ACTA treaty negotiations, the proposed role of ISPs in fighting online piracy, and the results of the "three strikes" laws in Europe. Share in lively discussion of the general issue of privacy/anonymity as a shield used by wrongdoers of all kinds, and whether/when privacy rights should yield.

Bruce Boyden, Assistant Professor of Law, Marquette University Law
Steve Marks, General Counsel, Recording Industry Association of America
Christopher Wolf, Co-Chair Privacy and Data Security Practice Group, Hogan Lovells US LLP

To make the most of this session, it was recommended that participants review the Supplemental Reading prior to attending the conference. Click here to obtain a copy of the Supplemental Reading.

What Ever Happened to Privacy and Civil Liberties Oversight?

Take part in discussion about the current state of oversight for privacy and civil liberties in the Executive Branch. Some of the topics to be covered include: the empty Privacy and Civil Liberties Oversight Board; the Department of Justice’s IG reports on FBI activities; the role of the DOJ’s National Security Division; and the activities of the privacy officers at DNI, NSA and CIA.

Alan Raul, Partner, Sidley Austin LLP
Marc Rotenberg, President, EPIC

Handout 1 (PDF 35KB), Handout 2 (PDF 1,031KB)

Networking Session: What's New in Consumer Privacy Research?

The CUPS Laboratory at Carnegie Mellon University is conducting leading edge research on how consumers make decisions related to privacy. Recently they have studied social network posts that users regret, social network privacy setting usability, approaches to nudging users to protect their privacy, user attitudes toward behavioral advertising, misrepresentation of Web site privacy policies through P3P compact policies and more. Join leading CUPS privacy researchers to explore what their research means for your organization and engage in an open forum for discussion and debate.

Facilitator: Alessandro Acquisti, Associate Professor of IT & Public Policy, Heinz College, Carnegie Mellon University
Facilitator: Lorrie Cranor, Associate Professor, Carnegie Mellon University


Friday, March 11
11:45 a.m. – 12:45 p.m.

Cookies in Europe: The Truth behind the Consent Rule and How to Get It Right

By May 2011, Web sites using cookies in the EU will need to seek the consent of Internet users. Explore the scope of this potentially lethal legal obligation and how Internet businesses can operate in Europe without breaking the law.

Rosa Barcelo, Senior Lawyer, European Data Protection Supervisor
Eduardo Ustaran, Partner and Head of the Privacy and Information Law Group, Field Fisher Waterhouse, LLP
Justin Weiss, CIPP, International Privacy Director, Yahoo! Inc.

Presentation 1 (PDF 223KB), Presentation 2 (PDF 129KB)

To make the most of this session, it was recommended that participants review the Supplemental Reading prior to attending the conference. Click here to obtain a list of the Supplemental Reading.

Notions of Health Privacy as a Function of Technology, Law and Policy

As medical records move from paper charts to databases, notions of privacy in the area of healthcare have changed significantly, and will continue to do so. Legal rights and responsibilities regarding health information have emerged, and policymakers have contended with competing stakeholder interests. Explore how technology has made health privacy both more and less possible, and has created new questions regarding health privacy, especially in a time when new media and social networking have made private lives more public. This session will examine how legal rights and responsibilities regarding health privacy have emerged from legislatures, prosecutors and courts, and how government has had to balance patient perspectives with the interests of health providers, health plans, the IT community and other stakeholders.

Jodi Daniel, Director, Office of Policy and Planning, Office of the National Coordinator for Health Information Technology, HHS
Demetrios Kouzoukas, Of Counsel, Covington & Burling LLP; Former Deputy General Counsel, U.S. Department of Health & Human Services
Kerry Weems, Senior Vice President and General Manager, Health Solutions, Vangent, Inc.; Former Administrator, Centers for Medicare & Medicaid Services

Presentation 1 (PDF 796KB)

Privacy by Design: Guidance for Mobile Technologies

This session is the official introduction of the self-regulatory framework being developed by the ASU Privacy by Design research center to assist organizations with identifying privacy challenges and pairing them with potential Privacy by Design solutions. Privacy by Design seeks to build privacy directly into the design specifications, architecture and technology used by an organization. Get an overview of the PbD model, as defined by Ontario’s Information and Privacy Commissioner Ann Cavoukian, and background on the key privacy issues in a mobile computing environment as well as the ASU