IAPP Privacy Academy 2013
  • I learned something valuable at every session, the networking opportunities were fantastic, and the keynote speakers were really great too.
  • The entire structure of the program is outstanding. Good speakers, great networking opportunities and good exhibits. One of the best conferences.
  • Very well organized, privacy-specific education, and great networking opportunities. Great educational resource as well.
  • Valuable information.
  • Maybe one of the best [experiences] I’ve had. Great to see some prior colleagues, and meet some new ones.
  • Great format and content.
  • I enjoyed the diversity of the speakers’ topics and professional backgrounds.
  • Hard choice to make for breakout sessions.
  • Overall experience was great!
  • The breakout sessions I attended were informative and interesting.
  • Fantastic gathering of privacy professionals.
  • Great topic range, knowledgeable and skilled professionals, great networking.
  • Solid conference. Great content and networking.

Breakout Sessions


Use these links to jump to the subjects you’re interested in:


For session times and to view a complete conference schedule, visit the At-A-Glance.



Practical Learnings on Cloud Contracts for In-house Counsel and Decision-makers

Shahab Ahmed, CIPP/US, Program Management Director, Microsoft Corporation
Jeffrey D. Bridges, Associate Director of Information Governance, Boehringer Ingelheim Pharmaceuticals, Inc.

For many organizations, cloud computing is becoming a popular option to use and host applications and other IT infrastructure. In this session, we will share practical guidance on data protection related to cloud contractual and compliance issues. You’ll hear new perspectives on contract terms and discuss practical guidance in assessing different clouds.

What you’ll take away:

  • Understanding of cloud and how it differs from traditional IT outsourcing
  • Understanding of key data protection and privacy related issues in cloud environments
  • Consideration of key terms and key criteria to assess different clouds

Handout, Presentation

A Sensitive Issue: A Case Study on Moving Sensitive Data to the Cloud under EU Law

Fabian Niemann, Partner, Bird & Bird LLP Frankfurt (Germany)

Come explore how cloud computing engages EU privacy, in particular where HR and/or health data are concerned. An expert in international cloud computing, the speaker will present a case study and share lessons from two recent pan-European projects (one for a U.S. provider and one for a global customer) on enabling cloud outsourcings of HR and health data, as well as reviewing papers from regulators and local law requirements in all major EU countries. You’ll hear firsthand about the experience of advising on cloud computing to the German and UK governments and industry associations, and gain valuable practical advice based on real-life experience, as well as insider information from leading authorities and think tanks in Europe.

What you’ll take away:

  • Identification of the real issues surrounding cloud computing
  • Practical solutions for U.S. companies
  • Inside views into governments and data protection authorities


Viva la Cloud

Varun Badhwar, Vice President, Product Management, CipherCloud

Chris Zoladz, CIPP/US, CIPP/E, CIPP/G, CIPP/IT, Founder, Navigate LLC 

There are legitimate and real security and privacy risks surrounding the cloud that are further complicated by cross-border data flow restrictions. However, despite the seemingly endless discussion of these risks, there is no doubt about it, the cloud is here to stay and will thrive. Why such a bold statement? Because just as previous technologies—such as mobile computing and storage devices and smart phones with cameras—posed new privacy and security risks, the issues were addressed, and the cloud is no different. Your organization is probably already using the cloud, as many cloud applications are deployed directly by departments or end-users, completely bypassing traditional controls in a stealth fashion. Much of the discussion of the cloud to date has focused disproportionately on the security and privacy risks and not on solutions. This session will be different, it will be a full discussion of not only the risks but also how companies are successfully mitigating these risks and realizing the benefits.

What you’ll take away:

  • An understanding of the real versus perceived security and privacy related risks of using the cloud
  • Tips for effectively managing the risks of using the cloud




The 3 Keys to Mastering BYOD

Chuck Cosson, CIPP/US, Senior Corporate Counsel, Privacy, T-Mobile

Need some practical guidance on BYOD? Join this informative session focused on counseling businesses, non-profits or other organizations where staff or guests seek to use personally-owned devices with provided infrastructure and services (such as building Wi-Fi networks, active directory or mail exchange servers, or CRM databases). We’ll hone in on these three areas: issues to watch for, employee privacy and acceptable use policies, and privacy and information security. By working through case studies of specific BYOD scenarios, you’ll gain valuable insight on issue-spotting and the key elements of company policies that you need to know.

What you’ll take away:

  • How to draft an employee privacy policy that protects your company in a BYOD scenario
  • Key elements of acceptable use policies for personal devices that connect to company services
  • Key elements of an employee privacy policy that protects your company in a BYOD scenario

Handout 1, Handout 2, Handout 3, Presentation

Big Data Goes Mobile

Christy Kunin, CIPP/US, Senior Corporate Counsel, Privacy, T-Mobile USA
Robert Stankey
, Partner, Davis Wright Tremaine LLP

What does big data mean in the mobile environment? Come get the perspective of a wireless carrier on the legal and practical challenges of privacy for mobile services and apps. You’ll learn about the types of devices and service data that carriers have and use, and you’ll gain an understanding of the complexity of the new ecosystem of apps, smartphones and cloud services. We’ll explore the following questions: How do laws in the U.S. and key regions such as Europe and Asia affect the mobile environment? What is the role of the privacy policy? How do you manage disclosures? And how can wireless carriers provide their customers with innovative, value-added services while ensuring privacy by design?

What you’ll take away:

  • An understanding of how wireless carriers use customer and network data in the new environment of smartphones, M2M and 4G
  • Practical perspective on how wireless carriers are managing disclosures and consents
  • Legal trends and industry initiatives that are shaping the use of big data in mobile


Do Not Track: Past, Present and Future

Moderator: Joseph Lorenzo Hall, Senior Staff Technologist, Center for Democracy & Technology
D. Reed Freeman, Jr., CIPP/US, Partner, Morrison & Foerster, LLP
Brendon Lynch, CIPP/US, Chief Privacy Officer, Microsoft Corporation
Lee Tien, Senior Staff Attorney, Electronic Frontier Foundation

Do you have questions about Do Not Track (DNT)? Come discuss what DNT is, where it came from and where it’s headed. We’ll explore, among other things, the promise of DNT, its perceived benefits and shortcomings and where the industry is in terms of adoption, compliance and complementary self-regulatory initiatives in respect to online behavioral advertising. You’ll leave with a range of perspectives on this timely topic, including those of the Federal Trade Commission.

What you’ll take away:

  • An understanding of the DNT debate and how it could impact online practices
  • A sense of how the self-regulatory and standards initiatives focusing on DNT are faring
  • Predictions of how DNT initiatives may look in the near-term and long-term

Lights, Camera, Action! Video Privacy in the U.S.

Moderator: Stephen P. Satterfield, Associate, Covington & Burling LLP 
Alison Howard, CIPP/US
, Senior Attorney, Microsoft Corporation
Douglas R. Miller, CIPP/US, Vice President and Global Privacy Leader, AOL Inc.

The proliferation of online video content and advertising has reinvigorated discussions around the regulation of video privacy in the U.S. Statutes such as the Video Privacy Protection Act (VPPA) that were intended for the bygone era of brick-and-mortar video rental stores recently have been invoked in lawsuits against providers of online video services and have even attracted the attention of Congress, which last year amended the VPPA to bring it more into line with new technologies. Video privacy has thus become a key area of privacy compliance for a wide variety of companies. Join a discussion of the most significant issues in this increasingly important area of the law.

What you’ll take away:

  • An understanding of the legal framework governing video privacy in the U.S.
  • Insight on the unique compliance challenges that this framework poses for providers of online video content and entities that integrate video content into their online services
  • Perspective from leading online service providers on confronting these challenges


The Mobile Privacy Standards Melting Pot

Moderator: D. Reed Freeman, Jr., CIPP/US, Partner, Morrison & Foerster, LLP
Brian R. Chase, General Counsel, Foursquare
Eduardo Ustaran, CIPP/E
, Partner and Head of the Privacy and Information Law Group, Field Fisher Waterhouse, LLP

Join us as we focus on the proliferation of mobile privacy standards and best practices that have been released recently, or that will be released soon, by the Federal Trade Commission, the Department of Commerce's Multistakeholder Process, the Mobile Marketing Association, the California attorney general and the Article 29 Working Party. We will discuss where the standards overlap and where they differ, and offer practical guidance on complying with this developing area of the law.

What you’ll take away:

  • The landscape for mobile privacy in the U.S., Europe and Asia
  • Practical takeaways for staying compliant in this developing area of the law

Mobile Devices, Marketing, Money and Class Actions: A Practical Guide for Achieving Privacy Compliance in the Age of Multiple Mobile Privacy Guidelines

Moderator: Dominique Shelton, CIPP/US, Partner, Alston & Bird LLP 
Theodore Lazarus
, Director, Legal, Google Inc.
Robert M. Sherman,
Manager, Privacy and Public Policy, Facebook, Inc.
Karen Zacharia, CIPP/US
, Chief Privacy Officer, Verizon

Mobile privacy has emerged as one of the most important digital advertising issues of the year. In addition to multiple class actions that have been filed in recent months, there has been heightened regulatory enforcement and interest in privacy disclosures for mobile apps. 2013 has been the year for no less than four regulatory mobile privacy guidance, state AG enforcement and multiple mobile class actions. We all know that the California attorney general, the FTC, the Article 29 Working Party, the Department of Commerce’s National Telecommunications and Information Administration and many others have issued mobile privacy guidance documents in 2013. Join this lively roundtable discussion from privacy leaders in the in-house community as they provide practical suggestions for how to take a close look, from a practical legal and business perspective, at this evolving topic and discuss what you need to know to help your clients comply with best practices and avoid the myriad class action lawsuits and regulatory enforcement actions that have been flying left and right in 2013.

What you’ll take away:

  • The baseline requirements from the various guides
  • Best practices for compliance


Smarter Approaches to the Smart Grid Ecosystem

Joanne B. Furtsch, CIPP/US, CIPP/C, Director of Product Policy, TRUSTe
Megan J. Hertzler, CIPP/US, Director of Information Governance, Xcel Energy
Jules Polonetsky, CIPP/US, Co-chair and Director, Future of Privacy Forum 

Millions of homes now have smart meters, providing a system for a more effective use of data to manage the energy grid. Consumers are able to access this data to enable new services to manage and control their energy use through smart home services, creating a new set of privacy concerns and challenges. All involved stakeholders (utilities and third parties alike) have a shared responsibility for protecting customer information accessible via the energy grid (Smart Grid). Through a joint effort to promote and take part in responsible privacy practices, consumers can expect a safe and secure customer experience throughout the ecosystem. Come learn key stakeholder perspectives and roles in implementing an integrated privacy-protective approach to handling privacy and protecting consumer data. Learn how the Future of Privacy Forum worked with Candi Controls, San Diego Gas & Electric and TRUSTe on developing and implementing the first privacy certification for the Smart Grid.

What you’ll take away:

  • An understanding of Smart Grid privacy implications
  • Identification of the key stakeholders in the ecosystem and their roles and responsibilities
  • Firsthand insight on the live implementation of Smart Grid privacy certification


Too Smart for Our Own Good? Privacy in the Information Age

Rebecca Herold, CIPP/US, CIPP/IT, CIPM, The Privacy Professor, Compliance Helper
Megan J. Hertzler, CIPP/US
, Director of Information Governance, Xcel Energy
Jules Polonetsky, CIPP/US
, Co-Chair and Director, Future of Privacy Forum

New technologies are rapidly entering the consumer market, creating new and exciting services—and new challenges for privacy professionals. Huge amounts of patient data are collected and stored within bio-med devices. The Smart Grid is attaching homes with utilities, smart appliance vendors, PEV owners and others to gain insights into living experiences. Consumers are now walking cash-registers, paying for goods by simply swiping their smartphones. Smart cars transmit data about location and driving habits. Retailers track the movements of shoppers, and digital billboards and mannequins interact with consumers. Join this lively session to hear experienced privacy pros offer an overview of leading-edge data uses, associated big data analytics, the privacy challenges and mitigation possibilities.

What you’ll take away:

  • An understanding of the major new ways in which data is being created, collected and shared throughout and between numerous industries using new technologies and networks
  • A better understanding of the challenges of not just protecting privacy in this environment, but also how to simply identify privacy risks and be able to answer consumer questions about those privacy risks
  • The ways in which big data analytics provide benefits using data from these new technologies and networks, but also how the associated privacy risks must be addressed




Healthcare Breach Triage

Theodore P. Augustinos, CIPP/US, Privacy and Data Protection Group Steering Committee, Edwards Wildman Palmer LLP
Kenneth P. Mortensen, CIPP/US, CIPP/G, CIPM, Esq.
, Vice President, Assistant General Counsel & Chief Privacy Officer, CVS Caremark Corporation

This session will identify challenges and techniques particular to breaches involving healthcare providers and other covered entities and their business associates, including the new regulatory requirements, the interplay of federal and state requirements and the sensitivities surrounding various types of information often implicated: patient medical records, healthcare billing information, photographic and videographic information and records shared among related practices. You’ll explore challenges including investigations, legal analysis, issues for business associates, decision points for notifications and other communications and enforcement issues. Mini case studies will highlight judgment calls and decision-making in responding to a healthcare breach.

What you’ll take away:

  • Prior planning will improve outcome
  • Response team must be experienced, organized and coordinated
  • Key decision-makers must be involved


Next Generation Healthcare Privacy

Kirk J. Nahra, CIPP/US, Partner, Wiley Rein LLP

Now that the HITECH rules are finally in place, the healthcare industry will turn to thinking about the next generation of healthcare privacy issues. This session will focus on what's next for healthcare privacy. We will look at the remaining loose ends from the HITECH statute, the evolving enforcement environment and, more significantly, how healthcare privacy rules and gaps are having an impact on a wide variety of other healthcare activities, including reform efforts, health information exchanges, mobile applications and other healthcare technology activities.

What you’ll take away:

  • A checklist of final steps for HITECH compliance
  • An understanding of likely next steps for healthcare privacy
  • Insight on where privacy developments will affect your healthcare business


Top 3 Privacy Issues in the Medical Device Industry

Peter Blenkinsop, Secretariat to the Medical Device Privacy Consortium
Michael C. McNeil
, Global Chief Privacy & Security Officer, Medtronic
Bill Stewart, CIPP/US
, Privacy Officer, Product Security Officer, Phillips Healthcare Sales & Service - Americas

Join us to address three of the top data privacy and security issues faced by the medical device industry. Among the questions we’ll address are: What is the industry doing to secure devices and mitigate information security threats and vulnerabilities? What are the best practices with regard to patient access to the data stored on or generated by their devices? And how is patient privacy protected when devices are serviced remotely, and patient information is transferred? During a series of three mini debates, each with a moderator and two speakers, you’ll be encouraged to speak up, ask your own questions and share your perspectives.

What you’ll take away:

  • In the healthcare context, it is important to balance privacy and security with healthcare delivery practicalities and needs
  • The medical device industry is evolving rapidly and so are associated privacy and security issues
  • As in other industries, globalization is making medical device data flows and corresponding data privacy issues complex




I Spy with My Corporate Eye: Employee Services

Ruby A. Zefo, CIPP/US, CIPM, Chief Privacy & Security Counsel, Intel Corporation

It’s a conundrum: Companies want employees to be satisfied with their corporate services, but great user experiences require a certain amount of employee monitoring that could affect privacy. Even M doesn’t really want to know whether James Bond prefers his martini shaken, not stirred, but it may be incidental to the CCTV cameras in the MI6 café that keep assassins at bay! In this interactive session, you will hear about the many global employee services offered by Intel and how the organization manages the trade-off between employee privacy, company security and user experience, including services such as ergonomic wellness tools, BYOD programs, context-aware apps and call monitoring for quality assurance.

What you’ll take away:

  • Examples of a variety of employee services that can create happier employees but invoke privacy concerns
  • An overview of some key global laws regarding employee monitoring
  • A draft employee agreement for certain types of employee programs

Handout, Presentation

An Order of Magnitude Greater—The Challenges of Cross-border Employee Investigations

M. James Daley, CIPP/US, Partner, Daley & Fey, LLP
Scott M. Giordano, CIPP/US, CIPP/E, CIPP/IT
, Corporate Technology Counsel, Exterro, Inc.
Kelly Jerkovich, Vice President, Global Privacy, Wyndham Worldwide Corporation

Cross-border e-discovery presents a host of challenges, including resolving blocking statutes and similar laws. But when the matter involves investigations of employees as part of a larger internal investigation, the challenges become an order of magnitude greater. Nearly every aspect of the investigation is impacted by privacy laws, and counsel must become adept at navigating these waters. In this interactive session, we'll explore common challenges associated with cross-border investigations and offer some potential options for privacy officers and counsel alike.

What you’ll take away:

  • Common challenges associated with cross-border litigation and investigations
  • A look at changing regulations that will impact corporate legal practices
  • Real-world examples of how enterprises are addressing these cross-border issues




Bye, Bye Botnets

Gabriel Ramsey, Partner, Orrick, Herrington & Sutcliffe LLP
Craig Spiezle, Executive Director, Online Trust Alliance
Timothy Wallach, Supervisory Special Agent, Federal Bureau of Investigation

Botnets are used by criminals to compromise servers and devices, increasingly targeting mobile users. Used for everything from sending illicit e-mail and spam to stealing personal data, taking over accounts and enabling identity theft, they are an ever-present threat that every data security and privacy professional should be aware of. Over the last several years, teams of investigators worldwide have used old-fashioned detective work and civil law to identify, target and ultimately dismantle some of the largest botnets on the Internet. Come learn what botnets are, how they spread, how they threaten information security and proprietary and personal data, and what you can do to fight back. We’ll explore how businesses can work with law enforcement, including civil law methods that have been used to identify and neutralize a growing list of botnets and efforts by governments worldwide to help prevent, detect and remediate the threats.

What you’ll take away:

  • An understanding of the basics of botnets
  • Insight on how botnets can be identified, targeted and taken down using cyber-investigative techniques and civil litigation
  • Knowledge of how Microsoft has successfully taken down some of the most notorious botnets operating on the Internet, including Rustock and Zeus


From Citizen to Cybermilitia in 60 Minutes: Connecting the Cybersecurity Dots

Siobhan MacDermott, Chief Policy Officer, AVG Technologies

Join one of the foremost experts on the future of IT, consumer dynamics, cybersecurity and privacy to gain a unique perspective on the relationship between consumer privacy, security and cyber warfare. We’ll begin by making the case for a “third-way,” a consumer-empowered privacy model focused on protecting and controlling individual digital reputation. Then, we’ll focus on a new model the speaker has developed called the “cybermilitia,” which proposes a cybersecurity framework anchored in collective security against cyber attack—enhancing both the areas of privacy and security by connecting cyber crime and cyber war.

What you’ll take away:

  • How to protect your own individual digital reputation
  • The arguments for a collective cybersecurity approach
  • The way both approaches may represent the future of privacy


Privacy Issues in APT Defense: Beware the Dragons

Kevin Charles Boyle, CIPP/US, Partner, Latham & Watkins LLP
Scott J. Stein, Managing Director, Stroz Friedberg, LLC

Advanced persistent threats (APT) are the current poster child for information security concerns. Traditional boundary defenses can’t fully mitigate the risk they present, so IT organizations are increasingly looking to tools that monitor systems for signs of nefarious activity. In addition to watching system logs for network devices, these systems watch physical access control systems, document management systems, e-mail and other communications systems, among others, and in some cases scan the content of traffic within as well as leaving the local network. The privacy compliance implications of these systems vary from jurisdiction to jurisdiction. Come learn about APT-driven enhancements to security, and hear a comparative analysis of legal implications in major economies worldwide.

What you’ll take away:

  • Responding to APTs is critical for security and privacy, but there are privacy implications raised by using typical tools
  • Planning, disclosure and localization can help organizations avoid the pitfalls
  • The risks of avoiding these tools outweigh the related privacy compliance risks 


What’s Important (and What’s Not) for Your InfoSec Program

Moderator: Boris Segalis, CIPP/US, Partner, InfoLawGroup LLP
Michael Dolan, Senior Counsel, IT, Information Security & Privacy, GE Capital, Americas 
Carolyn Holcomb, CIPP/US, Partner, PwC
Lydia Parnes
, Partner, Wilson Sonsini Goodrich & Rosati LLP

State and federal laws, regulators and regulations, self-regulatory programs and clients require businesses to implement risk-based information security programs. There is no surprise then that these oft-spoken terms denote different concepts to those who impose the requirements, in-house IT personnel, in-house and outside counsel and the regulators who enforce the requirements. To be successful, an information security program must recognize, reconcile and balance these different perceptions. In a substance-focused discussion, the panelists will first explain from which perspectives (those of in-house, outside counsel and regulator) they approach information security. Then, from their respective perspectives, articulate the necessary, practical elements of an information security program, the elements they view as the most important and the elements they view as providing highest ROI. The panelists will explain their views on how privacy professionals can work in cross-functional teams to develop and operationalize information security programs, and discuss hot topics that currently represent data security challenges to organizations, counsel and regulators, and what practical steps should be taken to address those challenges, as well as the latest technical tools.

What you’ll take away:

  • An understanding of how various stakeholders interpret risk-based information security
  • Elements of information security programs that in-house and outside counsel and regulators view as important and representing highest ROI
  • Practical steps companies should take to address the latest information security challenges, including BYOD and the cloud 

Is the Best Defense a Good Offense?

Christopher T. Pierson, CIPP/US, CIPP/G, EVP, Chief Security & Compliance Officer, LSQ Holdings
James T. Shreve, CIPP/US, CIPP/IT
, Attorney, BuckleySandler LLP

You have decided you are not going to take it anymore and are looking to take the fight to those who have invaded your system (or to those who may). Instead of playing defense and whack-a-mole, you are going to take action. Where is the line drawn when it comes to hacking back? What types of techniques may you legally use? Have you identified the correct invader? What happens if you have incorrectly determined attribution? Stuxnet and other publicized offensive actions may inspire those in the private sector to proactively address threats. Through fact patterns, we’ll consider the ethical, legal, privacy and other issues you should consider when devising an offensive defense strategy. Given the Presidential Cybersecurity Executive Order, now is the time to learn the nuances so you can guide your organization in the right direction.

What you’ll take away:

  • How to determine what active defense scenarios are legal and illegal
  • How to implement certain active defense measures within your company
  • The privacy, legal and ethical issues that are a part of this analysis




Caring for Acquisitions: They Need Privacy Love Too!

Daniel K. Christensen, CIPP/US, CIPP/IT, Senior Privacy and Security Counsel, Intel Corporation

Raising an adopted child is a daunting task. Enhancing the privacy maturity of your stock or asset acquisitions (or even internal business units) presents some of the same unique challenges. Fostering a culture of privacy in your new acquisition really starts at the “adoption agency,” where the right privacy questions must be asked in due diligence. This is where most trainings end—but due diligence is only the start. Next, you must translate due diligence answers into privacy requirements reflected in the “adoption papers” (acquisition documentation). But the most critical part of successfully rearing your acquisition is in the third stage—integration and development, which requires a privacy maturity assessment resulting in a compliance plan of record (CPOR) for your acquisition’s integration and development. You’ll leave with sample privacy due diligence questions, as well as tools like the privacy maturity model and CPOR.

What you’ll take away:

  • Sample privacy due diligence questions and a high-level understanding of their relative importance during due diligence
  • A sample privacy maturity model and an understanding of how to assess relative privacy strengths and weaknesses of your acquisitions (and business units)
  • A sample privacy CPOR and an understanding of how to build a privacy roadmap with empirically measurable deliverables

Handout 1, Handout 2, Handout 3, Handout 4, Handout 5, Presentation

From Privacy Pro to Professor—Teaching Privacy Awareness

Steven Conrad, Managing Director, MediaPro, Inc.
Michelle Wraight
, Vice President & Chief Privacy Officer, Pershing LLC

Employees are often the “weakest link” in terms of data protection and privacy. Effective education is essential to managing your insider risks. Here, we’ll focus on successful approaches to adult learning, and you’ll learn tried-and-tested ways of delivering awareness information.

What you’ll take away:

  • How adult learning differs from the traditional lecture format
  • Specific approaches to delivering awareness information
  • Key elements of a privacy/data protection education and awareness program


How to Get the C-Suite on Board (and Make Them Think It Was Their Idea)

Bret Arsenault, Chief Information Security Officer, Microsoft Corporation
Aaron K. Weller, CIPP/US, CIPP/IT,
Managing Director, PricewaterhouseCoopers, LLP

How do privacy leaders get the attention of the board and executives about privacy risks and challenges? Based on recent surveys, many boards and executives do feel that privacy is a top-10 risk to their organization, but there are ongoing challenges in clearly communicating what that means and what action needs to be taken. In our experience, executives often confuse security and privacy and hence may not fully understand specific privacy risks across the full data lifestyle, or assume that the security organization has them covered. Discover good practices that have worked for a variety of clients across industries and geographies, helping them communicate privacy effectively at the board level without employing fear, uncertainty and doubt.

What you’ll take away:

  • Key themes and messages to present to the C-suite regarding privacy
  • What not to do and pitfalls to avoid
  • How to move from “privacy is a risk” to getting buy-in on action 

A Practical Guide to Privacy Risk Assessment

Eric Dieterich, CIPP/US, Partner, Sunera LLC
Janice Schuck, CIPP/US
, Chief Privacy Officer, Holy Cross Hospital

The process of establishing and maintaining a privacy program is complex and requires constant adjustments to accommodate new business goals, technologies and changing regulatory requirements. The performance of a privacy risk assessment helps ensure that privacy program objectives are aligned with the organizational privacy risks. Using actual case studies, this interactive and advanced session will provide you with a framework and the knowledge required to perform an enterprise privacy risk assessment. We’ll focus on how to determine the potential threats and identify the privacy risks throughout the enterprise. Leveraging a collaboration tool through SMS text messages and a mobile website, you’ll be able to submit real-time responses to questions at key points throughout the session. Attendee responses will be summarized and discussed, so you can see and understand how your peers are addressing these risks at their organizations.

What you’ll take away:

  • Knowledge of how to perform a cost-effective and scalable enterprise privacy risk assessment utilizing quantitative and qualitative analysis, including insight on scoring the inherent risks and risk mitigation factors
  • An overview of how to create a risk catalog for the processes that collect, process and store personal information at your organization
  • Understanding of how to utilize the results of the privacy risk assessment to drive the direction of the organization’s privacy program
  • Methodologies and tools that can assist with the evaluation of an organization’s privacy risks

Handout 1, Handout 2, Handout 3, Handout 4, Presentation

The Secrets to Success: Building Accountability into a Global Organization

Jennifer Harkins Garone, CIPP/US, CIPP/IT, IT Privacy Manager, Microsoft Corporation
Marisa R. Rogers, CIPP/US
, Sales & Marketing Privacy Manager, Microsoft Corporation
Ruby A. Zefo, CIPP/US, CIPM
, Chief Privacy & Security Counsel, Intel Corporation

You built the foundation of your privacy program: Now what? Learn how to build privacy accountability by design in a global organization by leveraging the accountability drivers in your organization to help bring your program to life. Learn some secrets of success from Microsoft and the former director of data privacy at Accenture, and share your insights—both wins and failures—as we build a collective list of best practices to take back to your organization.

What you’ll take away:

  • Tips and tricks for engaging with accountability drivers
  • Metrics and scorecard targets


Surviving the App-ocalypse

Valerie Warner Danin, CIPP/IT, General Counsel & Privacy Officer, MailChimp
Mason A. Weisz, CIPP/US
, Counsel, ZwillGen

“Baking in” privacy is a great idea, but what if you don’t discover the project until the baking is done and it’s heading to market? Using the surprise release of an enigmatic mobile app as a case study, we’ll present a proven system for strategically investigating new technology, prioritizing risks and creating a remediation plan that leverages an imminent launch date instead of working against it. The latest law, regulatory guidance and industry consensus in the mobile app space will be applied to improve your skills in two areas: 1) efficiently investigating and remediating the next generation of mobile apps and emerging technology in general, and 2) addressing privacy emergencies when you have little room to maneuver. With this knowledge, your next data surprise won’t feel like the end of the world.

What you’ll take away:

  • A toolkit of technology investigation strategies, with insight on how to customize it for use at your organization
  • Tips for fixing the back end (e.g., the database that houses the app’s data) when it’s too late to fix the front end (e.g., the mobile app that a million consumers downloaded)
  • An understanding of how risks can be prioritized not only by severity but also by how long they will take to remediate, and tips for leveraging that information 


Topography 101: Creating and Maintaining Data Maps

David Ray, CIPP/IT, Senior Consultant, Contoural, Inc.

In order to ensure your organization is in compliance with contracts, applicable law or its risk-management plans, it is important for you to understand what personal data is collected and where it lives within the organization. However, this is often easier said than done. A data map tracks personal information held within in an organization and key data points such as how it's used, for what purposes and who has access to it. This session will identify best practices in data mapping for privacy, compliance, e-discovery and records management purposes. We’ll discuss the four different types of data maps, how privacy content maps can leverage litigation and application/infrastructure data maps, and smart strategies for keeping existing data maps current.

What you’ll take away:

  • The elements a data map should capture for privacy, as well as e-discovery and application data maps
  • The different types of data maps and how to choose the right one for you
  • Tips for maintaining your data maps


Watch Your App: Best Practices for Mobile and Social Media Applications

Laura Hamady, CIPP/US, Senior Corporate Counsel, Regulatory & CPO, Groupon
Gregory P. Silberman
, Partner, Jones Day

Mobile and social media applications provide a tremendous opportunity to collect a wide variety of user data (location, relationships, daily schedule, likes and interests), and the availability of cloud-based storage and on-demand computational power allows for the creation of detailed profiles. Developing policies and procedures to govern the collection and processing of information via these technologies poses a variety of challenges beyond that of the typical website. While companies want to provide innovative and useful services tailored to the individual, consumer groups and enforcement agencies are concerned about the invasiveness of such data collection and processing. This concern has been highlighted by recent guidelines and enforcement actions by the Federal Trade Commission and the California attorney general. Our focus will be to highlight the issues and present a framework for the development of privacy policies and procedures, taking into account new technologies and emerging trends in enforcement.

What you’ll take away:

  • How to evaluate new technologies and services for privacy and security issues
  • How to address privacy and security issues during design
  • How to implement technical, legal and operational policies, procedures and guidelines to enhance privacy and security compliance




Brick and Mortar Is Back! Emerging Privacy Issues in Physical Retail Settings in the U.S.

Yaron Dori, Partner, Covington & Burling LLP

Over the last decade, concerns over privacy have arisen primarily in connection with the collection, use and disclosure of online data. In many ways, the online world has provided an ideal setting for collecting information to best cater to the needs of consumers. But advances in technology and competitive pressures have promoted many brick-and-mortar retailers to look for new ways to get to know their customers, promote their wares and manage their operations. This has resulted in a wave of new privacy concerns, as in-store data collection, device tracking, surveillance cameras and other monitoring activities are becoming increasingly ubiquitous. This session will identify the most prominent trends in the physical retail environment that are raising privacy concerns and explore ways to manage associated legal and regulatory risk.

What you’ll take away:

  • A summary of key data collection practices in physical retail settings
  • An understanding of the laws and regulations that govern such practices in the U.S.
  • Methods for assessing legal and regulatory risk in this area and ways to mitigate it


Culture, Values and Process: Privacy and Trust as a Way Rather than a Goal MCLE Ethics Course

Gerard M. Stegmaier, CIPP/US, Attorney, Wilson Sonsini Goodrich & Rosati LLP

Just because it is legal is it right? Join us as we look at ethical and legal considerations for privacy professionals. Attendees will learn about the intersection of ethical and legal requirements for professionals and organizations, examine frameworks and models for ethics and code of conduct reporting and compliance and survey fiduciary duties and state professional licensing obligations and considerations. Using the case study method, you’ll leave better equipped to help your organization do well by doing good using principle-based leadership.


Deconstructing Data Privacy Class Actions

Clifford A. Cantor, Law Offices of Clifford A. Cantor, P.C.
Grace E. Tersigni
, CIPP/US, Partner, KamberLaw, LLC

Come learn how data privacy class actions arise, are litigated or remediated and are resolved. First, exploring investigation, we’ll identify practices and technologies that form the basis for class claims and discover plaintiffs’ motivations. In looking at litigation, we’ll survey class actions involving the mobile ecosystem, online video streaming services, website and software tracking, ISP redirection of customer communications, and data breaches (emphasis on medical). We’ll explore the common claims, ECPA, CFAA, VPPA (emphasis on 2012 amendments), state consumer protection statutes (emphasis on trends in unfairness allegations) and various state privacy and information security regulations. Then, we’ll review strategies to remediate risks, including complying with the evolving data privacy legal landscape and avoiding litigation (e.g., effectiveness of class action waivers in arbitration clauses). Lastly, we’ll explore resolution, including strategies for settling a case for injunctive relief or monetary damages, and how settlements, class notice programs, attorneys’ fees and cy pres and incentive awards are fashioned and approved.

What you’ll take away:

  • Awareness of practices that make companies prime targets for data privacy class actions
  • Comprehensive understanding of claims and defenses in data privacy class actions and tips for mitigating risk of class actions
  • Insights on how and when to resolve a class action and how to be selected as proposed recipient of cy pres award


Deception, Unfairness and Manipulation: Protecting Consumer Privacy Today and Tomorrow

Ryan Calo, Assistant Professor, University of Washington School of Law
Woodrow Hartzog, Assistant Professor, Cumberland School of Law, Samford University
Daniel J. Solove, John Marshall Harlan Research Professor of Law, George Washington University Law School

Everything costs $9.99—and no one cares. Companies already take advantage of a general understanding of how consumers can be coaxed out of money. But increasingly, companies can use big data and other techniques to uncover and even trigger consumer frailty at an individual level. Join our expert panel to discuss the privacy-related jurisprudence of the FTC, and explore an important theory of behavioral economics for the digital age, revealing the limits of consumer protection law and exposing concrete economic and privacy harms that regulators will be hard-pressed to ignore.

Paper, Presentation

Determining True Data Breach Risk: From the Identification of Lost PHI/PII to the Right-sized Consumer Remedies

Moderator: Jason Straight, CIPP/US, Managing Director, Kroll
Jonathan Fairtlough
, Managing Director, Kroll
David Navetta, CIPP/US
, Partner, InfoLawGroup LLP
Cynthia Snyder
, Director, Information Privacy, Health Net, Inc.

When an information security incident occurs, organizations frequently turn to computer forensics to investigate and understand what happened. It’s also the first step toward being able to confirm the presence of lost or stolen PII or PHI that will trigger notification requirements. When managed and executed properly, the process of identifying sensitive information and creating a list of affected individuals for a data breach event can be efficient, accurate and completed within statutorily-defined timelines for notification. This solves one problem—correctly identifying the PII/PHI involved—but how does an organization get from there to offering the notification population a remedy that meets their needs based upon the type of data lost? We’ll explore the methodology involved with taking a risk-based approach to remediation, and the benefits to both organization and individual when resources are targeted to areas where they are needed the most, thus increasing their effectiveness.

What you’ll take away:

  • The secret six: Three categories into which lost data may be grouped for optimum risk analysis, and the three types of personnel/skill levels best suited to examine each set
  • The four factors: Four integrated decision elements that methodically guide selection of consumer solutions in a breach, and why risk-based remedies for individuals should displace credit monitoring as the de facto offer


EU and U.S. Cybersecurity Legislation: A Side-by-Side Comparison

Joe Petro, Managing Director, Promontory Financial Group LLP
Mark Watts
, Partner, Bristows
Jody Westby
, CEO, Global Cyber Risk LLC

Recent denial of service attacks on major financial institutions has reawakened legislative and regulatory interest in cybersecurity legislation and regulation in both the U.S. and EU, with the goal of enhancing the protection of personally identifiable information and protecting key infrastructures. The paradigm is clearly changing with regard to what constitutes effective cybersecurity. Join our expert panel to explore the range of proposed legislation and regulatory guidance that is emerging in the U.S. and EU, and get a side-by-side comparison of what is being proposed and current legislative and regulatory requirements. 

What you’ll take away:

  • Passwords and authentication, firewall technology, encryption standards
  • Current cross-industry and law enforcement information exchange and collaboration mechanisms and models
  • Malware, anti-virus, root-kit and botnet detection tools
  • Application and software development: vulnerability testing and review
  • Data loss prevention and employee training

Presentation 1, Presentation 2, Presentation 3

EU Data Privacy Essentials: Current Enforcement, Future Regulation

Ruth Boardman, Partner, Bird & Bird LLP
Billy F. Hawkes
, Data Protection Commissioner of Ireland
Simon McDougall, CIPP/E
, Managing Director, Promontory Financial Group

A new EU data privacy regulation is on the horizon—with tougher requirements and sanctions and more powers of enforcement. Join us to look at the lessons to be learned from current enforcement trends in Europe: Are certain activities riskier than others, and how do regulators differ in their approaches? We’ll review how the regulation tackles areas of higher regulatory priority, and we’ll discuss the new powers that the regulation gives the authorities.

What you’ll take away:

  • Lessons learned from current enforcement trends in Europe
  • An understanding of how the regulation tackles areas of high regulatory priority
  • Insight on the new powers the regulation gives regulators


Find Your Silver Lining: Navigating Your Way in a Financial Service Data Breach

Christine M. Frye, CIPP/US, CIPM, Senior Vice President, Chief Privacy Officer, Bank of America
Dana L. Simberkoff, CIPP/US
, Vice President, Risk Management and Compliance, AvePoint, Inc.

Financial services providers deal with highly sensitive information as a matter of course. Today’s global financial services organizations face unprecedented challenges in an ever-changing regulatory and hyper-competitive environment. Against the backdrop of industry-wide human capital churn, drastic cost cuts, and disruptive technology trends of Bring Your Own Device (BYOD), enterprise social, private cloud, and big data access, a comprehensive approach to addressing compliance is critical. In this session, learn how a structured approach to data breach prevention and response, including engagement with stakeholders and regulators, privacy impact assessments, and a best practices enterprise compliance management strategy will help you navigate the challenge – particularly as more organizations are utilizing cloud computing in their enterprise collaboration initiatives.


The Global Implementation of a Bring Your Own Device Program

Amy de la Lama, Of Counsel, Baker & McKenzie LLP

In this discussion on the global implementation of a bring your own device (BYOD) program, we’ll explore key issues related to security and privacy, and steps your organization can take to balance both issues.

What you’ll take away:

  • Key differences between company owned devices and personal devices
  • Key legal considerations and how such considerations might differ depending on whether the implementation is U.S. or global in nature
  • Strategies to manage risk


Global Interoperability and Privacy: Can It Work?

Moderator: Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati LLP
Billy F. Hawkes
, Data Protection Commissioner of Ireland
Maureen Ohlhausen
, Commissioner, Federal Trade Commission
Erika Rottenberg
, Vice President, General Counsel and Secretary, LinkedIn

Multinational companies face serious challenges as they attempt to harmonize their data practices globally. It is increasingly important that these companies understand the ever-evolving privacy rules of the road in the U.S. and in other key jurisdictions such as the EU. More specifically, they need to know: What are the current and emerging standards in these key jurisdictions? Who are the enforcers, and how do they coordinate policy development and enforcement? What are best practices for addressing the challenges to domestic and global data management, and how can they be implemented? This panel of leading experts will provide actionable advice on these important issues and more.

What you’ll take away:

  • Insight into the current state of “hot” privacy issues in the EU and U.S.
  • How regulators in the U.S. and EU coordinate policy development and enforcement
  • Practical advice and best practices for companies that operate on a global scale

How to Work with Your European Data Protection Authority

Moderator: Harriet P. Pearson, CIPP/US, Partner, Hogan Lovells US LLP
Billy F. Hawkes, Data Protection Commissioner of Ireland

Understanding how to work with European data protection regulators has never been more important to organizations of every size and type. The European Union is the largest unified economy in the world, and thousands of businesses—whether headquartered in the Americas, Asia or Europe itself—interact with the personal data of European individuals. Come to this session to hear firsthand what works when it comes to interacting with a DPA—from making well-received filings, to establishing a relationship with the authority’s staff, to working through an audit, to initiating a binding corporate rule application and more.

What you’ll take away:

  • Whether and how to position your organization on the regulator’s radar
  • How to make use of the compliance resources many DPAs make available
  • How to make a successful regulatory filing
  • How to handle a complaint or other challenging situation
  • How to earn the trust and respect of your DPA(s)

Is There a Technology Arms Race?

Moderator: Marc M. Groman, CIPP/US, Executive Director & General Counsel, Network Advertising Initiative
Alan Chapell, CIPP/US, President, Chapell & Associates, LLC
Joshua Koran
, Senior Vice President, Product Management, Turn
Lydia Parnes
, Partner, Wilson Sonsini Goodrich & Rosati

Over recent months there have been countless articles, columns, speeches and blog posts suggesting that the advertising industry is engaged in a technological arms race with browser companies, privacy advocates and others. Citing moves by Microsoft to turn on Do Not Track headers by default in Internet Explorer, Apple’s statements at W3C and Mozilla’s announcement that Firefox will block third-party cookies, some commentators and industry thought leaders lament what they see as a counterproductive and potentially detrimental game of chess with the Internet and online advertising ecosystem. Moreover, debates seem to focus on the difference between first parties and third parties, rather than on shared values of promoting privacy and a robust marketplace for online advertising and ad-supported content. This panel will explore these issues from the perspective of third-party technology companies and intermediaries. Are we truly in an arms race? How did we get here? What is the potential impact on competition, innovation and, most importantly, consumers? Is there a responsible resolution that is win-win for everyone?

Keeping Up with Emerging Standards for Mobile Privacy

Joanne B. McNabb, CIPP/US, CIPP/G, CIPP/IT, Director of Privacy Education & Policy, Office of the Attorney General, California Department of Justice
Tim Tobin
, Partner, Hogan Lovells LLP

As the world increasingly goes mobile, companies continue to struggle to stay on top of regulatory expectations and developments in the mobile space. In 2013, the California attorney general, Federal Trade Commission (FTC), and the EU Article 29 Working Party all issued guidance for those in the mobile app ecosystem, and the FTC’s revisions to its COPPA rule to specifically account for mobile apps took effect. A number of organizations have developed self-regulatory standards while the NTIA has pursued its process to achieve broad multi-stakeholder self-regulatory standards. Hear from an expert panel on how your organization can navigate the tension between privacy compliance and the customer experience.

What you’ll take away:

  • Understanding of mobile application privacy issues
  • Understanding the applicable legal framework in the U.S. (and EU)
  • Compliance strategies


Managing the Top 5 Complications in Resolving a Data Breach

Michael Bruemmer, CIPP/US, Vice President, Data Breach Resolution, Experian
Alex Ricardo, CIPP/US
, Director Breach Response Services, Beazley Group

The impact of a data breach can be critical to an organization. Many organizations understand the basic regulatory and compliance requirements for data breach resolution but may not be aware of complications that go well beyond those requirements and which require additional planning consideration. For example, how can consumers without credit files receive identify theft protection? What happens when your business associate or third party was the cause of the breach? How do you insure the consumer is really protected against fraudulent activity? Do you assume external stakeholders understand risk posed by the breach; and what level of explanation may be required? These are just a few of the trending considerations that privacy practitioners should identify and prepare for. Join us to explore the real-life issues experienced by several companies while resolving a breach, and gain a practical overview of how to anticipate and manage the impact of unique data breach resolution complications.

What you’ll take away:

  • Awareness of common complications in data breach resolution
  • Tips for effectively handling unique problems from an incident


No More Finger Pointing: Working with Third-Party Advertising Technology Providers in a Responsible and Transparent Manner

Moderator: Meredith B. Halama, CIPP/US, Senior Counsel, Perkins Coie LLP
Lael E. Bellamy, CIPP/US, Chief Privacy Officer, The Weather Channel
Angelique M. Okeke, Senior Counsel, Lotame Solutions Inc

Website and app providers work with third parties, including ad networks, analytics providers and social network plugins to increase traffic to their websites and apps, to bring users back to their sites and services and to help bring CRM data online to target ads across the web. As a result, popular websites and apps often host ads targeted to users’ interests, increasing the value of their inventory. Consumers get a more relevant online experience, retailers get additional clicks and conversions and website publishers get more revenue. But these advertising relationships have received substantial regulator scrutiny and are often plagued by distrust and complicated questions about how to ensure compliance with regulation and self-regulatory principles. In this lively panel, we will hear the regulatory perspective on this issue and discuss best practices for ensuring that users are provided appropriate notice and choice with respect to interest-based advertising from experienced in-house counsel representing a leading ad technology company as well as a major publisher.

What you’ll take away:

  • An understanding of the current regulatory and self-regulatory landscape governing third-party data collection on websites and mobile apps
  • Tips on what questions to ask of third-party technology provides to ensure compliance with regulatory and self-regulatory initiatives
  • Practical takeaways for allocating responsibility for compliance between retailers, third-party ad technology providers and website publishers


Participant-level Clinical Trials Data: Implications of Mandatory Sharing

Mark Barnes, Partner, Ropes & Gray LLP

Over the past several years, patient advocacy groups, medical journals and some pharmaceutical companies have advocated for greater disclosure of clinical trials data. In the U.S., these concerns have led to the creation of ClinicalTrials.gov, a public database on which sponsors are required by law to register many of their trials and report the results of those trials. The European Medicines Agency (EMA) is now proposing, effective January 2014, to push clinical trial disclosure requirements far beyond those embodied in ClinicalTrials.gov by mandating the public availability of anonymized, participant-level clinical trials data, as well as the identities of research team members at each clinical trial site. While the EMA policy has not yet been finalized, it will undoubtedly have a profound impact on the planning and conduct of clinical trials by pharmaceutical companies, as well as by academic medical centers that conduct investigator-initiated trials. The prospect that all participant-level data, even if anonymized, may be available to broad categories of the public, academia and industry likely will also influence institutional review board and investigator decisions about whether and how to reflect this in the informed consent process. Moreover, given the increasing availability of parallel public databases, the sharing of de-identified participant-level data may in fact allow re-identification of at least some participants and poses challenges to the very idea of a de-identification safe harbor under HIPAA and other privacy laws.

What you’ll take away:

  • Privacy concerns associated with disclosure of participant-level data, including possible protective measures
  • Changes needed to participant consent forms to anticipate such disclosure
  • Whether data will be made available to all who want access or subject to a gatekeeping process, and who might play the role of gatekeeper
  • Possible anticompetitive effects within the pharmaceutical industry
  • Possible inadvertent impacts on the regulatory processes of the EMA, FDA and similar national drug approval authorities

Privacy Leaders Answer Your Questions

Moderator: J. Trevor Hughes, CIPP, President & CEO, IAPP
Brendon Lynch, CIPP/US
, Chief Privacy Officer, Microsoft Corporation 
JoAnn C. Stonier
, EVP, Global Information Governance & Privacy Officer, MasterCard Worldwide
Hilary M. Wandall, CIPP/US, CIPP/E
, AVP, Compliance and Chief Privacy Officer, Merck & Co., Inc.

As privacy issues continue to evolve in the marketplace and you look for best practices to guide your company’s solutions approach, we invite you to participate in a Q&A with privacy leaders from major companies—executives that must address privacy as a significant part of their business. From internal structuring and governance to broader industry themes like Do Not Track and mobile privacy, the issues vary widely and continue to create challenging privacy questions. Join this panel of privacy executives as we explore the state of privacy in the modern world and give you the opportunity to get straight answers on how to tackle the hard questions you grapple with on a daily basis.

Privacy vs. Digital Marketing—Bridging the Gap May Be Easier Than You Think!

Vinay Goel, CIPP/US, Privacy Product Manager, Adobe Systems Incorporated
Lynsey Sayers, Legal Counsel, Adobe Systems Incorporated

Privacy is focused on the protection of consumer data. Successful digital marketing, in contrast, is driven largely by the optimization of consumer data. As the volume of consumer data and concerns about its use grow, privacy professionals have to bridge the gap between privacy demands and marketing objectives to remain successful. To do this, you need to first speak the same language your marketers speak.

What you’ll take away:

  • Learn exactly what marketers mean when discussing analytics, targeting, personalization, omni-channel marketing, tag management and cross-device stitching
  • Understand the related privacy concerns and best practices to address them
  • Learn how to successfully work with marketers and protect consumer data


Taming Big Data

Moderator: Omer Tene, Vice President, Research and Education, IAPP
Jennifer Barrett Glasgow, CIPP/US
, Global Privacy and Public Policy Executive, Acxiom Corporation
Boris Segalis, CIPP/US
, Partner, InfoLawGroup LLP
JoAnn C. Stonier
, EVP, Global Information Governance & Privacy Officer, Mastercard Worldwide

Big data brings immense benefits to individuals, businesses and society while at the same time posing sizable privacy and data security risks. It has been called the oil of the information age, duly capturing its unlocked value as well as the threat of spills and contamination. In their day-to-day decisions, privacy practitioners must tame and mold big data into the lifeblood of companies. In this session, join a CPO of a major financial services company, an outside privacy counsel and an academic for a discussion of big data’s legal and operational risks, present and future legal requirements, and practical steps that companies must take to cast data into business models in a fair, transparent and privacy-protective manner. You’ll hear examples of actual choices big data companies have to make, and you’ll be challenged to address two big data vignettes to reveal if they have what it takes to run a big data business.

What you’ll take away:

  • An understanding of the nature of big data dilemmas for business and society
  • Insight on assessing risk vs. rewards
  • Practice with the decision-making process in real-life situations

The Widening Gyre of State AGs

Moderator: Divonne Smoyer, Partner, Dickstein Shapiro LLP State AG Practice
Kimberley Overs, CIPP/US
, Assistant General Counsel, Pfizer Inc. 
Joanne B. McNabb, CIPP/US, CIPP/G, CIPP/IT, Director of Privacy Education & Policy, Office of the Attorney General, California Department of Justice
William H. Sorrell
, Attorney General, State of Vermont

State attorneys general (AGs) enforce many federal data privacy laws, as well as their own states’ privacy, data breach notification and consumer protection laws. Beyond recent changes in state law, it is critical for privacy professionals to understand the scope of AGs’ authority and current enforcement trends. Join this expert panel for a discussion of the AGs’ focus on data privacy, the NAAG presidential initiative and recent state enforcement actions. You’ll leave with recommended strategies on how best to anticipate and prepare for increased attention by states on data privacy matters.

What you’ll take away:

  • A general overview of the offices of attorneys general
  • An understanding of the importance of state AGs’ enforcement authority over privacy laws
  • Strategies for anticipating and preparing for increased attention by states on data privacy matters

Wrong Number: Hot Topics in TCPA Compliance and Litigation

Yaron Dori, Partner, Covington & Burling LLP
Julie O’Neill, Of Counsel, Morrison & Foerster, LLP
Nancy Thomas
, Partner, Morrison & Foerster, LLP

If your company makes telemarketing or debt collection calls, or if it sends text messages, it would be hard to miss the recent tidal wave of Telephone Consumer Protection Act (TCPA) class action litigation and increased regulatory focus on TCPA compliance issues. All types of calls made by autodialers, including the delivery of text messages, are in the crosshairs, and non-compliance creates the risk of statutory penalties of $500–$1,500 per violation. In this session, we will be discussing recent developments in TCPA law, including new regulations scheduled to take effect in October 2013, recent class action decisions and how your company can avoid becoming a target.

What you’ll take away:

  • An overview of the key provisions of the TCPA and the new FCC regulations
  • What “prior express consent” and “prior express written consent” are and why they are important
  • Recent trends in TCPA and texting litigation
  • Tips on avoiding regulatory scrutiny and litigation on TCPA issues