Schedule 2015

The information below is an archive from our 2015 event. The 2016 Forum will be held October 24-26, 2016 in Washington, DC.

Pre-Conference Workshops

Wednesday, October 21, 2015

Participants choose one concurrent session during each time slot.

8:00am – 9:00am Breakfast and Introductory Remarks
9:00am – 10:30am Concurrent Workshop 1 (Part 1 of 2)
10:30am – 11:00am Break
11:00am – 12:30pm Concurrent Workshop 1 (Part 2 of 2)
12:30pm – 1:30pm Lunch
1:30pm – 3:00pm Concurrent Workshop 2 (Part 1 of 2)
3:00pm – 3:30pm Break
3:30pm – 5:00pm Concurrent Workshop 2 (Part 2 of 2)

Day 1

Thursday, October 22, 2015

8:00am – 9:00am Breakfast and Introductory Remarks
9:00am – 10:30am Concurrent Session 1
10:30am – 11:00am Break
11:00am – 12:30pm Concurrent Session 2
12:30pm – 1:30pm Lunch
1:30pm – 3:00pm Concurrent Session 3
3:00pm – 3:30pm Break
3:30pm – 5:00pm Concurrent Session 4

Day 2

Friday, October 23, 2015

8:00am – 9:00am Breakfast and Introductory Remarks
9:00am – 10:30am Concurrent Session 5
10:30am – 11:00am Break
11:00am – 12:30pm Concurrent Session 6
12:30pm – 1:30pm Lunch
1:30pm – 3:00pm Concurrent Session 7
3:00pm – 3:30pm Break
3:30pm – 5:00pm Concurrent Session 8

General Readings


Conference guide listing sessions and session descriptions.


Workshops provide a broad overview or a more intensive background on a topic. Workshops are 3 hours long, with a 30-minute break.

Instructional Sessions

These sessions instruct participants about particular areas of law or technology. Instructors will provide practical takeaways.

Policy Sessions

These sessions involve policy discussions about how privacy and security should be regulated.

Culture & Media Sessions

These sessions involve experts providing information about interesting resources and sharing their insights and perspectives.

Level 1

This level is for foundational knowledge about a topic.  However, sessions at the 101-level are not simplistic, as our goal is to have all sessions be substantive and rigorous.

Level 2

This is the intermediate level. Foundational knowledge is presumed and is not covered. The focus of Level 201 sessions is to go more into depth about a topic.

Level 3

This level is for advanced exploration of issues. A deep knowledge is presumed.


California Privacy Law

In our California Privacy Law workshop, we will cover case studies and concrete compliance tasks and enforcement scenarios under California privacy laws, including (1) a jurisdictional overview (national and international applicability and preemption), (2) a selection of key California Privacy Laws, (3) how to establish or update a company’s compliance program, (4) how to draft…

Data Security Law: Foundations

An overview of data security law – from HIPAA to GLBA to the FTC to Massachusetts to data breach notification. Learn about the different approaches that laws and regulations take to data security and the similarities and differences in each approach. Lisa Sotto, Partner, Hunton & Williams LLP, Daniel Solove, Professor at George Washington University…

Data Security: Foundations

This workshop could also be titled: “Everything Privacy Professionals Should Know About Security But Were Afraid to Ask.”  It will cover common terms, various security standards, and key things that privacy professionals should know about technology. David Rusting, CISO at U.C. Office of the President Ronise Zenon, Mgr, Postmaster & IT Policy at U.C. San…

EU Privacy Law: Foundations

This workshop will provide an overview of EU privacy law, with a focus on the EU Data Protection Directive, US-EU Safe Harbor, BCRs, and the implications of the coming EU Privacy Legislation.  For privacy professionals, this workshop will provide the foundation to understand what is going on in the EU.  For security professionals, this workshop…

Information Privacy Law: Foundations

This workshop will provide a short overview of information privacy law, demonstrating how various areas such as health privacy, consumer privacy, communications privacy, financial privacy, and data security are related.  For privacy professionals, this is a great way to understand the whole field and fill gaps in your knowledge.  For security professionals, this is a…

Understanding the FTC on Privacy and Data Security

This workshop will provide an in-depth introduction to the FTC, examining how the FTC works, its various areas of jurisdiction, and its extensive body of consent decrees. Woodrow Hartzog, Professor at Samford University Cumberland School of Law; Kevin Moriarty, Senior Attorney at Bureau of Consumer Protection, FTC. Room 309


General Privacy and Security

Are Good Security Measures Always Good for Privacy? A Discussion of NIST Frameworks

While implementing security measures is important for privacy, they can also create risks which can undermine individuals’ privacy. Panelists will discuss the Framework for Improving Critical Infrastructure Cybersecurity and how it balances the potential conflict. Session attendees will also hear about the latest NIST privacy risk management tools that can be used in concert with…

Do CPOs Need to Learn How to Code? The Skills Needed to Bridge the Law/Technology Divide

In this session, a law professor who previously worked as a computer programmer and the chief technologist of a consumer privacy organization will discuss what privacy professionals would benefit from knowing about technology. Paul Ohm, Professor at Georgetown University Law Center; Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology. Room 302

Future Trends in Privacy and Security

Our invited experts will bring along their crystal balls and peer into the future.  What will be the top five privacy and security trends of the near future?  What steps should organizations take now to prepare themselves? Mike Hintze, Chief Privacy Counsel, Microsoft Lance Cottrell, Chief Scientist, Ntrepid Corporation Kirk Nahra, Partner, Wiley Rein LLP…

Getting to Accountability: Effective Privacy and Security Management

This session provides you with the knowledge, resources and a plan to maximize the level of accountability. Accountability is the most important component of effective privacy and security management, yet it is often insufficiently developed in many programs. We will discuss privacy and security management activities throughout the organization not typically considered as part of…

Privacy and Security in the Public vs. Private Sector: A Comparison

In this session, privacy officers with experience in both government privacy programs and corporate privacy programs will compare and contrast their experiences.  What are the similarities and differences?  What can each sector learn from the other? Peter E. Sand, Executive Director of Privacy, MGM Resorts Int’l John Kropf, Corporate Privacy Executive, Northrop Grumman Corp. Yael…


Cybersecurity Policy: The Role of the Government

Cybersecurity is a shared challenge between the private sector and government — neither community has all the tools, but both bring necessary resources. What is the government’s role? What information or resources does it provide that the private sector can’t access? What risks does government engagement bring? What should the government do to protect private…

Human Security Risks: How to Detect and Deal with Malicious Insiders, Chinese Espionage, and Other Threats

Trusted Insiders can pose a significant threat to the intellectual property of an organization. Security professionals must not only look outward when securing a system, they must become spy hunters, looking for internal exploits and penetrations that may not be easy to detect. This session will be led by Eric O’Neill, the former FBI Counterintelligence…

The FTC and Data Security

This session will consist of a detailed discussion about the FTC’s data security jurisprudence, with analysis of all ~55 cases and FTC reports and guidance. Terrell McSweeny, FTC Commissioner; Woodrow Hartzog, Professor at Samford University Cumberland School of Law. Grand Ballroom

Privacy and Security Engineering and Design

Privacy and Security by Design

Despite the enthusiasm of privacy regulators, privacy by design (PbD) has only achieved mixed acceptance in the marketplace. This session will analyze the activities of industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles. It will explore how companies can develop…

Privacy Engineering

This session will explore privacy engineering, exploring in detail how to build privacy and security into products, processes, applications, and systems.  How can principles and standards be practically leveraged to create a common methodology to address privacy and security challenges?  This session is designed for both technologists as well as non-technologists.  Participants should have a…

Privacy, Security, and Fairness by Design: What the FTC Does (and Doesn’t Do)

Important privacy and security considerations are implicated in the design of various products and services.  How do regulators approach such issues?  In this session, FTC Commissioner Julie Brill and privacy attorney Kurt Wimmer will explore how the FTC has dealt with these issues by discussing the relevant FTC cases and writings. Maneesha Mithal, Bureau of…

Communications Privacy and Security

Education Privacy and Security

Health Privacy and Security

Health Data Breaches and OCR Investigations

This session will explore complex data breaches involving PHI and the OCR investigations and negotiations that take place in the aftermath. How do breaches involving PHI differ from breaches involving other data? How should OCR investigations be navigated? How should the negotiations be handled? What role should privacy officers and security officers play in the…

New Health Information Technologies: Privacy and Security Risks

Medical information technology is rapidly evolving, including through innovative medical mobile applications, electronic health records, patient/physician online portals, and a variety of health monitoring devices.  The emerging technologies offer great promise for preventive health care, medical treatment, data analytics, and research.  But collecting, storing, and sharing personal health data through such technologies poses new privacy…

The World Beyond HIPAA

More and more laws around the world are being amended and interpreted to regulate the collection, use, disclosure and disposal of health-related data, and the definition of what qualifies as health-related data can vary greatly. It is common to think of HIPAA first and foremost when thinking of health-related data, but HIPAA is only part…


The Impact of Government Surveillance Law on Business

This session will focus on how government surveillance law is affecting businesses. Recently, in the Schrems case, the Safe Harbor Arrangement was deemed invalid because of the failure of U.S. law to rein in NSA surveillance. ECPA is in dire need of reform, a cause championed by many businesses. Microsoft is fighting government information gathering…

International Privacy and Security

Consumer Privacy and Security

Designing User Interfaces

Designing User Interfaces for Privacy: In this interactive workshop, we’ll explore how to design user interfaces with privacy in mind. Participants will work through a scenario to design a real-life product experience that educates people on privacy and controls and provides important privacy information in context. Rob Sherman, Deputy Chief Privacy Officer, Facebook Morgan Reed, Executive…

Privacy and Security Self-Regulation 2.0

There have been self-regulatory endeavors since the early days of privacy and security, but these days there are significant new challenges. How should self-regulation be kept up to date with rapidly advancing industries? How should self-regulation encourage best practices, privacy by design, and the interplay between emerging technologies and interconnected industries, especially those involving the…

Privacy and Trust

Privacy rules are important not just for compliance with legal requirements, but also in establishing trust between companies and those people whose data they hold. In this session, a law professor (Richards), a tech company in-house counsel (Brown), and a cloud executive (King) will talk about privacy and trust, and how privacy rules can be…

Tracking and Targeting: Online, on Mobile Devices, and in Social Media

This session will focus on legal and self-regulatory compliance challenges faced by companies whose business models focus on tracking and targeting advertisements and content to consumers. It will explore different tracking and targeting business models and the thorny legal issues that they sometimes raise. D. Reed Freeman, Partner, WilmerHale Heather Zachary, Partner, WilmerHale Brad Weltman, Senior Director…

The Internet of Things

Designing Notice and Consent into the Internet of Things: A Hands-on Workshop

Privacy notices are often long, difficult to understand, and don’t appear at opportune times. Constrained interfaces on mobile devices, wearables, and smart home devices exacerbate the issue. In this workshop Professor Lorrie Cranor and privacy researcher Dr. Florian Schaub offer concrete guidelines on how to select the most effective notice and consent mechanisms for a…

Big Data

Big Data and Discrimination

This session will explore the ways in which Big Data can have discriminatory effects.  Even without discriminatory intent, Big Data can affect different groups of people in ways that have a significant impact on how they are treated, how decisions are made about them, opportunities available to them, or the kinds of messages they are…

Third Party Relationships

Vendor Management

What are the key parts of privacy and security vendor management? What role does a privacy office, a security office, a procurement office, and counsel play in the process? What level of vendor oversight is the government looking for, what level is best practice, and how does an organization focus limited resources to best reduce…

Culture and Media

Privacy and Security Fiction Club

Many novels, such as Orwell’s 1984, have informed the policy debate about privacy and security.  This session will feature top experts discussing their favorite novels and stories about privacy and security, including old classics and new hits. Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law Joseph Jerome, Policy…

Privacy and Security Film and TV Club

This session features top experts discussing films and TV series with privacy and security themes.  Are privacy and security portrayed realistically?  What is the best privacy or security movie of all time? James Aquilina, Executive Managing Director, Stroz Friedberg Paul Schwartz, Professor at UC Berkeley School of Law Lara Kehoe Hoffman, Global Director of Data…

Privacy and Security Non-Fiction Club

What are the best non-fiction books and writings about privacy and security?  What are the new and classic must-reads?  This session will feature leading experts discussing the non-fiction works they deem to be essential to one’s library. Frank Pasquale, Professor at U. Maryland Carey School of Law Evan Selinger, Professor, Dep’t Philosophy, Rochester Institute of…

Risk Mitigation and Incident Response

Conducting a Privacy Investigation

This session examines both general investigations of possible misconduct as well as the investigations of privacy violations, including data breaches. In general investigations of misconduct, how can a company investigate potential misconduct without running afoul of data protection laws?  How does a cross-border investigation affect that calculus?  How does one deal with US governmental agencies demanding…

Cyber Insurance: How It Works, How to Select a Policy, and Emerging Trends and Practices

This session will discuss the history of cyber insurance, including the evolution of cyber insurance products and judicial interpretations of cyber insurance policies. It will also review information system risks, measures that can mitigate those risks, the role of cyber insurance in transferring any remaining risks, and the types of cyber insurance coverage currently available.…

Data Breach Liability

This session will examine when various parties are liable in private lawsuits arising from a data breach and to whom. How do plaintiffs meet the causation requirements? What are the successful and unsuccessful theories of liability? How do plaintiffs demonstrate the harm, how is it quantified, and is it even required? When might companies be…