Schedule 2015

The information below is an archive from our 2015 event. The 2016 Forum will be held October 24-26, 2016 in Washington, DC.

Pre-Conference Workshops

Wednesday, October 21, 2015

Participants choose one concurrent session during each time slot.

8:00am – 9:00am Breakfast and Introductory Remarks
9:00am – 10:30am Concurrent Workshop 1 (Part 1 of 2)
10:30am – 11:00am Break
11:00am – 12:30pm Concurrent Workshop 1 (Part 2 of 2)
12:30pm – 1:30pm Lunch
1:30pm – 3:00pm Concurrent Workshop 2 (Part 1 of 2)
3:00pm – 3:30pm Break
3:30pm – 5:00pm Concurrent Workshop 2 (Part 2 of 2)

Day 1

Thursday, October 22, 2015

8:00am – 9:00am Breakfast and Introductory Remarks
9:00am – 10:30am Concurrent Session 1
10:30am – 11:00am Break
11:00am – 12:30pm Concurrent Session 2
12:30pm – 1:30pm Lunch
1:30pm – 3:00pm Concurrent Session 3
3:00pm – 3:30pm Break
3:30pm – 5:00pm Concurrent Session 4

Day 2

Friday, October 23, 2015

8:00am – 9:00am Breakfast and Introductory Remarks
9:00am – 10:30am Concurrent Session 5
10:30am – 11:00am Break
11:00am – 12:30pm Concurrent Session 6
12:30pm – 1:30pm Lunch
1:30pm – 3:00pm Concurrent Session 7
3:00pm – 3:30pm Break
3:30pm – 5:00pm Concurrent Session 8

General Readings

Brochure

Conference guide listing sessions and session descriptions.

Workshops

Workshops provide a broad overview or a more intensive background on a topic. Workshops are 3 hours long, with a 30-minute break.

Instructional Sessions

These sessions instruct participants about particular areas of law or technology. Instructors will provide practical takeaways.

Policy Sessions

These sessions involve policy discussions about how privacy and security should be regulated.

Culture & Media Sessions

These sessions involve experts providing information about interesting resources and sharing their insights and perspectives.

Level 1

This level is for foundational knowledge about a topic.  However, sessions at the 101-level are not simplistic, as our goal is to have all sessions be substantive and rigorous.

Level 2

This is the intermediate level. Foundational knowledge is presumed and is not covered. The focus of Level 201 sessions is to go more into depth about a topic.

Level 3

This level is for advanced exploration of issues. A deep knowledge is presumed.

Workshops

California Privacy Law

In our California Privacy Law workshop, we will cover case studies and concrete compliance tasks and enforcement scenarios under California privacy laws, including (1) a jurisdictional overview (national and international applicability and preemption), (2) a selection of key California Privacy Laws, (3) how to establish or update a company’s compliance program, (4) how to draft…

Data Security Law: Foundations

An overview of data security law – from HIPAA to GLBA to the FTC to Massachusetts to data breach notification. Learn about the different approaches that laws and regulations take to data security and the similarities and differences in each approach.
Lisa Sotto, Partner, Hunton & Williams LLP
Daniel Solove, Professor at George Washington University…

Data Security: Foundations

This workshop could also be titled “Everything Privacy Professionals Should Know About Security But Were Afraid to Ask.” It will cover common terms, various security standards, and key things that privacy professionals should know about technology.
David Rusting, CISO at U.C. Office of the President
Ronise Zenon, Mgr, Postmaster & IT Policy at U.C. San…

EU Privacy Law: Foundations

This workshop will provide an overview of EU privacy law, with a focus on the EU Data Protection Directive, US-EU Safe Harbor, BCRs, and the implications of the coming EU Privacy Legislation.  For privacy professionals, this workshop will provide the foundation to understand what is going on in the EU.  For security professionals, this workshop…

Information Privacy Law: Foundations

This workshop will provide a short overview of information privacy law, demonstrating how various areas such as health privacy, consumer privacy, communications privacy, financial privacy, and data security are related.  For privacy professionals, this is a great way to understand the whole field and fill gaps in your knowledge.  For security professionals, this is a…

Sessions

General Privacy and Security

Are Good Security Measures Always Good for Privacy? A Discussion of NIST Frameworks

While implementing security measures is important for privacy, they can also create risks which can undermine individuals’ privacy. Panelists will discuss the Framework for Improving Critical Infrastructure Cybersecurity and how it balances the potential conflict. Session attendees will also hear about the latest NIST privacy risk management tools that can be used in concert with…

Congruence and Tension: Where Privacy and Security Align and Where They Don’t

A session that will map out where privacy can help further security goals and vice versa. The session will proceed systematically, issue-by-issue.
Dennis Devlin, CISO, CPO and SVP of Privacy Practice for SAVANTURE
Stacey Halota, Vice President, Information Security and Privacy, Graham Holdings
Room 405

Do CPOs Need to Learn How to Code? The Skills Needed to Bridge the Law/Technology Divide

In this session, a law professor who previously worked as a computer programmer and the chief technologist of a consumer privacy organization will discuss what privacy professionals would benefit from knowing about technology.
Paul Ohm, Professor at Georgetown University Law Center
Joseph Lorenzo Hall, Chief Technologist, Center for Democracy & Technology
Room 302

From the Economics to the Behavioral Economics of Privacy

In this session, Professor Acquisti will discuss his extensive empirical research in the behavioral economics of privacy and security. He will synthesize his wide body of work and highlight his most surprising and important findings, which reveal that many of our common assumptions about people’s attitudes and behavior regarding privacy and security are wrong —…

Future Trends in Privacy and Security

Our invited experts will bring along their crystal balls and peer into the future. What will be the top five privacy and security trends of the near future? What steps should organizations take now to prepare themselves?
Mike Hintze, Chief Privacy Counsel, Microsoft
Lance Cottrell, Chief Scientist, Ntrepid Corporation
Kirk Nahra, Partner, Wiley Rein LLP…

Getting to Accountability: Effective Privacy and Security Management

This session provides you with the knowledge, resources and a plan to maximize the level of accountability. Accountability is the most important component of effective privacy and security management, yet it is often insufficiently developed in many programs. We will discuss privacy and security management activities throughout the organization not typically considered as part of…

Legislating Privacy and Security: Lessons from the Legislative Process

This session will discuss lessons learned from inside and outside the legislative process. Why have many recent privacy and security laws failed to pass? What are the characteristics of successful privacy and security legislation? How can industry and legislators work together to find workable solutions? Is it conceivable for the US to break away from…

Privacy and Data Security Harms and Standing

This session will discuss the various approaches for defining privacy harms and how courts are reacting to them. The issue of standing will be covered extensively. What is the future of privacy and data security litigation for incidents? Is there a way to recognize harm, provide appropriate remedies to individuals who are harmed significantly, and…

Privacy and Security in the Public vs. Private Sector: A Comparison

In this session, privacy officers with experience in both government privacy programs and corporate privacy programs will compare and contrast their experiences. What are the similarities and differences? What can each sector learn from the other?
Peter E. Sand, Executive Director of Privacy, MGM Resorts Int’l
John Kropf, Corporate Privacy Executive, Northrop Grumman Corp.
Yael…

Switch Hitters: Learning from Professionals Who Do Both Privacy and Security

In this session, professionals who serve in roles in both privacy and security, or who have served in each of these roles in prior positions, will discuss what they have learned from their experiences.
Al Raymond, Head of U.S. Privacy & Social Media Compliance, TD Bank
Ruby Zefo, VP & Chief Privacy & Security Counsel, Intel
David…

When Lawyers Talk With Engineers: Avoiding the Lost In Translation Problem

In this session, a software engineering professor and a law professor will demonstrate how engineers and lawyers can better communicate. Why does communication between lawyers and engineers often break down? Where is each side coming from? How does each side think? Through concrete exercises, this session will teach participants how to build a multi-disciplinary team…

Security

Authentication and Control Frameworks: Operationalizing a Safeguard

Authentication is one of the bedrocks of a secure environment. It is also explicitly required by nearly every standard, framework and regulation dealing with protecting data. But while authentication may appear to be a discrete control mechanism, it is most successfully deployed as part of a control framework. Without focusing on one particular standard, the…

Cybersecurity Policy: The Role of the Government

Cybersecurity is a shared challenge between the private sector and government — neither community has all the tools, but both bring necessary resources. What is the government’s role? What information or resources does it provide that the private sector can’t access? What risks does government engagement bring? What should the government do to protect private…

Human Security Risks: How to Detect and Deal with Malicious Insiders, Chinese Espionage, and Other Threats

Trusted Insiders can pose a significant threat to the intellectual property of an organization. Security professionals must not only look outward when securing a system, they must become spy hunters, looking for internal exploits and penetrations that may not be easy to detect. This session will be led by Eric O’Neill, the former FBI Counterintelligence…

What We Can Learn from DefCon – Hacking Comes in All Varieties

DEF CON is one of the oldest and largest hacker conventions around, and this year had demos and presentations of hacking into a new Tesla and stopping it while running; hacking cell phones through vulnerable apps and reaching employer networks; cracking access codes to medical devices which can then compromise hospital systems; and accessing GPS…

Privacy and Security Engineering and Design

Engineering for Privacy: What Is Easy? What Is Difficult?

Privacy lawyers will ask engineers for seemingly easy things to do, such as “Please delete the data!” or “Let’s access the audit logs.”  For engineers, such requests are often made without an understanding of how easy or difficult certain things are to do.  In this session, engineers explain why some things are easy and other…

Privacy and Security by Design

Despite the enthusiasm of privacy regulators, privacy by design (PbD) has only achieved mixed acceptance in the marketplace. This session will analyze the activities of industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles. It will explore how companies can develop…

Privacy Engineering

This session will explore privacy engineering, exploring in detail how to build privacy and security into products, processes, applications, and systems.  How can principles and standards be practically leveraged to create a common methodology to address privacy and security challenges?  This session is designed for both technologists as well as non-technologists.  Participants should have a…

Privacy Impact Assessment Scenario Exercise

The privacy impact assessment is the heart of the privacy professional’s job.  Conducting a PIA well is critical in managing privacy risks and ensuring successful outcomes.  In this audience participatory session, you will be given an initial set of facts and help guide an interview of an engineer.  Through the exercise, you will learn how…

Privacy, Security, and Fairness by Design: What the FTC Does (and Doesn’t Do)

Important privacy and security considerations are implicated in the design of various products and services. How do regulators approach such issues? In this session, FTC Commissioner Julie Brill and privacy attorney Kurt Wimmer will explore how the FTC has dealt with these issues by discussing the relevant FTC cases and writings.
Maneesha Mithal, Bureau of…

Communications Privacy and Security

Communications Privacy and Security and FCC Enforcement

This session will involve a detailed discussion about FCC privacy and security enforcement and the current goals and direction of the FCC on these issues.
Travis LeBlanc, Chief of the Bureau of Enforcement at the Federal Communications Commission
Sherrese Smith, Partner, Paul Hastings LLC
Christopher Yoo, Professor at University of Pennsylvania Law School
Room 405

Education Privacy and Security

Student and Children’s Data: FERPA, COPPA, and Beyond

This session will help organizations that handle student data and children’s data identify priority areas for compliance, with a focus on new technologies in schools and advertising and marketing practices for children’s data in general. We will discuss updates to the FTC COPPA rule FAQs, FERPA, new state laws, new self-regulatory measures, and efforts to…

Health Privacy and Security

Current and Future HHS Initiatives in Health Privacy

This session will focus on current and future initiatives at HHS: access guidance, the new portal, the upcoming audit, and cloud guidance.
Deven McGraw, Deputy Director for Health Information Privacy at HHS Office for Civil Rights
Adam Greene, Partner, Davis Wright Tremaine LLP
Kim Green, Chief Information Security & Privacy Officer at Zephyr Health
Room 407

Health Data Breaches and OCR Investigations

This session will explore complex data breaches involving PHI and the OCR investigations and negotiations that take place in the aftermath. How do breaches involving PHI differ from breaches involving other data? How should OCR investigations be navigated? How should the negotiations be handled? What role should privacy officers and security officers play in the…

New Health Information Technologies: Privacy and Security Risks

Medical information technology is rapidly evolving, including through innovative medical mobile applications, electronic health records, patient/physician online portals, and a variety of health monitoring devices.  The emerging technologies offer great promise for preventive health care, medical treatment, data analytics, and research.  But collecting, storing, and sharing personal health data through such technologies poses new privacy…

The FTC and Cross-Sector Enforcement in Health, Education, and Other Domains

The U.S. has a sectoral approach to privacy and security, with specific laws governing each sector. However, the FTC has jurisdiction that reaches beyond any one sector. This session will explore how the FTC regulates across sectors, with a special focus on its role with health data and education data.
Maneesha Mithal, Bureau of Consumer…

The Future of Research: What HIPAA Changes is Congress Proposing? What Should Be Changed?

HIPAA and Research – it’s like the weather; everyone complains about it, but no one does anything about it. Well, now Congress is proposing to do something. The bipartisan 21st Century Cures Act passed by the House contains provisions targeted at easing specific barriers to research. Are these the right fixes? In a complex, rapidly…

Surveillance

Data and Goliath: A Conversation with Bruce Schneier on Surveillance

This session will involve a conversation between Becky Richards, Peter Swire, and Bruce Schneier about Schneier’s new book Data and Goliath on corporate and government surveillance. Then the audience will have a chance to engage in Q&A with Schneier and the speakers. A major topic of discussion will be NSA surveillance.
Bruce Schneier, Fellow at…

Federal and State Electronic Surveillance Laws and Their Impact on Organizations

This session will explore how ECPA and state electronic surveillance laws like CalECPA impact businesses and other organizations. To what extent does federal law (ECPA and others) preempt more protective state laws and when must companies comply with state laws? How do the constitutional cases interact with the statutory rules in this area? State electronic…

The Electronic Communications Privacy Act and Access to User Data: Advanced Issues

This session will focus on how the Electronic Communications Privacy Act (ECPA) applies to various ways in which the government and third parties have sought access to user data in new ways not envisioned by Congress when the law was passed in 1986. How does ECPA govern third-party access to user accounts after the user…

The Impact of Government Surveillance Law on Business

This session will focus on how government surveillance law is affecting businesses. Recently, in the Schrems case, the Safe Harbor Arrangement was deemed invalid because of the failure of U.S. law to rein in NSA surveillance. ECPA is in dire need of reform, a cause championed by many businesses. Microsoft is fighting government information gathering…

International Privacy and Security

Defining “Reasonable Data Security” and “Personal Data” Across Borders

How does one achieve “reasonable data privacy and security” when handling big data?  Jurisdictions around the world differ in their definitions for “personal data” and what is considered “reasonable” when it comes to data usage and protection.  What is the best way to secure big data in a way that satisfies the relevant standard, but also…

EU Data Protection Regulation: What Will Change? What Remains the Same?

The EU Data Protection Regulation is a game-changer. It will be directly binding once enacted and appears headed to make important changes to the substantive and procedural law of EU privacy. This up-to-date session will explore how the EU Data Protection Regulation will alter the current status quo and identify practical steps companies can take now…

Interoperability and Cross-Border Data Transfer: APEC, EU BCRs, and Beyond

The publication of the EU-APEC Referential document in 2014 marked a significant step towards greater global interoperability of international data transfer frameworks and opened up the possibility of achieving dual certification under both APEC Cross Border Privacy Rules and EU Binding Corporate Rules. But how do you know if this is the right route for your…

The Sunken Safe Harbor: The ECJ’s Decision and Beyond

What has changed for American companies after the ECJ’s dramatic decision on October 6, 2015 invalidating the Safe Harbor? This panel will discuss the meaning of this decision, steps for American companies to take now, and likely future developments ahead in European data protection.
Lothar Determann, Partner, Baker & McKenzie LLP
Andrea Glorioso, Counsellor for…

Consumer Privacy and Security

Designing User Interfaces for Privacy

In this interactive workshop, we’ll explore how to design user interfaces with privacy in mind. Participants will work through a scenario to design a real-life product experience that educates people on privacy and controls and provides important privacy information in context.
Rob Sherman, Deputy Chief Privacy Officer, Facebook
Morgan Reed, Executive…

FTC Privacy and Security Alumni: Reflections and Insights

A group of privacy and security professionals who used to work at the FTC on privacy and security issues will discuss their experiences at the FTC and the insights they learned about the agency and more generally.
Joel Winston, Partner, Hudson Cook LLP
Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati
Debbie Matties, Vice President,…

Privacy and Security Self-Regulation 2.0

There have been self-regulatory endeavors since the early days of privacy and security, but these days there are significant new challenges. How should self-regulation be kept up to date with rapidly advancing industries? How should self-regulation encourage best practices, privacy by design, and the interplay between emerging technologies and interconnected industries, especially those involving the…

Tracking and Targeting: Online, on Mobile Devices, and in Social Media

This session will focus on legal and self-regulatory compliance challenges faced by companies whose business models focus on tracking and targeting advertisements and content to consumers. It will explore different tracking and targeting business models and the thorny legal issues that they sometimes raise.
D. Reed Freeman, Partner, WilmerHale
Heather Zachary, Partner, WilmerHale
Brad Weltman, Senior Director…

Understanding the FTC: Lessons from FTC Investigations and Other Experiences

What should one do when the FTC knocks on the door? What works best when dealing with an FTC investigation? In this session, we will learn how to understand the FTC and how it operates. We will work through a concrete example of how to interact with the FTC.
Jamie Hine, Bureau of Consumer Protection,…

Understanding the Internet’s Hidden Digital Architecture

As digital marketing has grown (with over $40 billion annually spent in the US), the invisible plumbing behind it has grown increasingly complex. This session will break down this architecture into an easy-to-understand overview and will also discuss how it will change in the coming years, and what opportunities and risks that evolution entails.
Todd Ruback, Chief…

The Internet of Things

Designing Notice and Consent into the Internet of Things: A Hands-on Workshop

Privacy notices are often long, difficult to understand, and don’t appear at opportune times. Constrained interfaces on mobile devices, wearables, and smart home devices exacerbate the issue. In this workshop Professor Lorrie Cranor and privacy researcher Dr. Florian Schaub offer concrete guidelines on how to select the most effective notice and consent mechanisms for a…

Security Risks with the Internet of Things: Lessons from a Live Demonstration

During this session we will do a hands-on demo using open-source tools and custom scripts to (1) conduct reconnaissance of real IoT devices in a test environment and (2) conduct denial of service attacks on these devices. We will then analyze the results in terms of legal requirements…

Big Data

Big Data and Discrimination

This session will explore the ways in which Big Data can have discriminatory effects.  Even without discriminatory intent, Big Data can affect different groups of people in ways that have a significant impact on how they are treated, how decisions are made about them, opportunities available to them, or the kinds of messages they are…

Third Party Relationships

Control in the Information Ecosystem: Who Has it? Does It Exist?

In today’s business environment, with third-party data services growing exponentially, multi-layer outsourcing of data needs is becoming more and more common. Yet regulators such as the FTC, the NY Department of Financial Services, and the Securities and Exchange Commission have taken the position that this outsourcing does not mean an outsourcing of the primary businesses’…

High-Risk Data in the Cloud and the Internet of Things: What Really Works?

Cloud computing naturally diminishes transparency and collaboration between customers and vendors, but the issues of trust, transparency and collaboration with vendors have become more critical with new data uses and threats, and never more so than as the world hurtles into the more complex networks of the Internet of Things. What are the most…

Culture and Media

Privacy and Security Fiction Club

Many novels, such as Orwell’s 1984, have informed the policy debate about privacy and security. This session will feature top experts discussing their favorite novels and stories about privacy and security, including old classics and new hits.
Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law
Joseph Jerome, Policy…

Privacy and Security Film and TV Club

This session features top experts discussing films and TV series with privacy and security themes. Are privacy and security portrayed realistically? What is the best privacy or security movie of all time?
James Aquilina, Executive Managing Director, Stroz Friedberg
Paul Schwartz, Professor at UC Berkeley School of Law
Lara Kehoe Hoffman, Global Director of Data…

Privacy and Security Non-Fiction Club

What are the best non-fiction books and writings about privacy and security? What are the new and classic must-reads? This session will feature leading experts discussing the non-fiction works they deem to be essential to one’s library.
Frank Pasquale, Professor at U. Maryland Carey School of Law
Evan Selinger, Professor, Dep’t Philosophy, Rochester Institute of…

Risk Mitigation and Incident Response

Complex Legal Challenges with Data Breach Response and Cyber Forensics

When responding to a data breach, security professionals must often deal with very complicated challenges created by data security law. Providing individual notice can be challenging when certain data is encrypted. Investigating a breach might involve dealing with systems in the EU and having to deal with EU data protection laws. In this session, a…

Conducting a Privacy Investigation

This session examines both general investigations of possible misconduct as well as the investigations of privacy violations, including data breaches. In general investigations of misconduct, how can a company investigate potential misconduct without running afoul of data protection laws?  How does a cross-border investigation affect that calculus?  How does one deal with US governmental agencies demanding…

Cyber Insurance: How It Works, How to Select a Policy, and Emerging Trends and Practices

This session will discuss the history of cyber insurance, including the evolution of cyber insurance products and judicial interpretations of cyber insurance policies. It will also review information system risks, measures that can mitigate those risks, the role of cyber insurance in transferring any remaining risks, and the types of cyber insurance coverage currently available.…

Data Breach Fallout: The Legal and Ethical Considerations Concerning Stolen Data

Data breach prevention and response are widely-discussed, but less studied are the legal and ethical considerations that apply to stolen data after it has been removed from the private to the public domain. What legal options are available to organizations seeking to contain a post-breach data feeding frenzy? And what limits should apply to the…

Data Breach Response Scenario Exercise

What is the best way to handle a data breach?  What are factors that affect the timing of informing law enforcement, federal and state privacy regulators, and affected customers?  When and how should lawyers engage outside vendors (such as forensic experts and PR firms) in a response?  This session will present a variety of different…

The Role of Privilege in Privacy and Security Investigations

Should portions of breach investigations be privileged? If so, what should be privileged and how? Is outside counsel needed, or will involvement of internal counsel suffice? Can a risk analysis (e.g., consistent with NIST 800-30) be privileged? Can a compliance assessment (e.g., an evaluation of compliance with one or more privacy or security regulations) be…