American Conference Institute's 11th Annual

Privacy and Security of Consumer and Employee Information

Wednesday, February 01 to Thursday, February 02, 2012
The Westin Washington DC City Center, Washington, DC

DAY 1 – Wednesday, February 1, 2012

9:45 Main Conference Registration & Coffee Served

10:10 Co-Chairs’ Welcoming Remarks

Russell Schrader
Chief Privacy Officer & Global Enterprise Risk Counsel
Visa, Inc.

Nancy Baran
Vice President, Privacy Office
The Prudential Insurance Company of America

10:15 What’s Next from the Federal and State Regulators?: Integrating New and Anticipated Legislative, Regulatory, and Enforcement Initiatives Into Your Privacy and Compliance Programs

Ryan Mehm
Attorney, Division of Privacy and Identity Protection
Federal Trade Commission

Kris Easter
Branch Chief, Office of Compliance Inspections and Examinations
US Securities and Exchange Commission

Christine Nielsen
Assistant Attorney General
Consumer Fraud Protection
Office of the Illinois Attorney General

Barbara Anthony
Undersecretary Office of Consumer Affairs and Business Regulation,
Executive Office of Housing and Economic Development
Commonwealth of Massachusetts

Esther Chavez
Assistant Attorney General
Texas Attorney General’s Office

Mark Doggett
Chief Information Officer
Assistant Director, Information Technology
Texas Department of Public Safety

Nancy Baran
Vice President, Privacy Office
The Prudential Insurance Company of America

Moderator:
Divonne Smoyer
Partner
Dickstein Shapiro LLP

  • Where federal agencies are heading in data privacy & security
  • Upcoming and current Congressional inquiries on privacy
  • Impact of pending and changing legislation:
    • The Commercial Privacy Bill of Rights Act of 2011
    • “do not track legislation”
    • Children’s Online Privacy Protection Act
    • Updates to the Electronic Communications Privacy Act
    • Pending data breach security notification bills
  • The initiatives and impact of the CFPB
  • FTC settlement and enforcement trends:
    • FTC priorities in the area of consumer privacy protection
    • How the FTC is responding to issues related to social networking and behavioral advertising
  • Tweaking your compliance plan for new state laws
  • Scrutinizing different state notification statutes
  • What state AGs are currently focusing on
  • How are states reacting to threats to consumer privacy brought on by new advancements in technology?
  • How are state AGs working with the CFPB under the Memorandum of Understanding
  • Recent state settlement and enforcement trends
  • Handling multi-state investigations and enforcement activities
  • Effective methods for communicating with state AGs
  • Navigating the waters between private litigation and state investigations stemming from privacy suits

11:45 Cloud Computing: Evaluating the Threat, Mitigating the Risk, and Incorporating the Latest Security Controls and Protocols

Debra Hampson
Assistant Vice President and Assistant General Counsel
The Hartford

Christopher Pierson, Ph.D., J.D.
Senior Vice President and Chief Privacy Officer
Citizens Financial Group, Inc.

Joshua Gold
Partner
Anderson Kill & Olick, P.C.

David C. Keating
Partner
Alston & Bird LLP

  • Ensuring protection when using cloud computing
  • Understanding the risks involved in using the cloud
  • Who is responsible for this data
  • Balancing costs and benefits with privacy concerns
  • Protecting against threats that exist “in the cloud”
  • Adapting to the increased security controls and protocols necessary when utilizing cloud computing
  • Litigation issues arising from cloud use
  • Understanding the issues revolving around privacy and cross-border data transfers in “the cloud”
  • The interplay of state, federal, and international data privacy regulations in “the cloud”
  • Educating employees on the use of cloud computing

12:45 Networking Luncheon for Speakers and Delegates

1:45 Anticipating and Resolving Privacy and Security Problems with Third Parties and Vendors Through Effective Due Diligence and Contract Negotiation

Katrina Blodgett
Attorney, Division of Privacy and Identity Protection
Federal Trade Commission

Stephen Scharf
Global Chief Information Security Officer
Experian

Sara Wood
Director, Enterprise Privacy
Best Buy

Frances Rao
Executive Director, Compliance and Ethics Office
Medco Health Solutions, Inc.

Ann Teynor
Senior Counsel, Privacy
Target Corporation

Michelle Perez
Senior Counsel, Privacy
Philips Electronics North America Corporation

  • Conducting proper due diligence when selecting third-party vendors and service providers: checklist and what to ask/look for
  • Factors to consider when assessing third parties prior to signing a contract
  • Certifying/verifying third parties
  • Appreciating the risks when using a third party vendor
  • Key contractual provisions, limitations and rights
  • Contractual provisions to include to shield yourself
  • How to ensure that vendors and service providers properly screen and train employees on privacy policies
  • Examples of monitoring/auditing systems that should be used
  • The on-site visit: what should you be looking for?
  • Assessing your vendors’ privacy policies and procedures – and whether they are actually followed
  • Determining the appropriate standards for data transmission and data storage
  • What indemnification requirements are necessary? Advisable?
  • Allocating risk, compliance obligations, liability, privacy requirements and control in a vendor contract
  • Ensuring sensitive information is handled carefully and managed properly by third parties and vendors
  • How to address global agreements

2:55 Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures

Cora Tung Han
Attorney, Division of Privacy and Identity Protection
Federal Trade Commission

Michael T. Spadea, JD, CIPP
Privacy Manager
Microsoft Corporation

Kirk Herath
Vice President, Associate General Counsel and Chief Privacy Officer
Nationwide Mutual Insurance Company

Marc Loewenthal
Senior Vice President, Chief Security Officer/ Privacy Officer
LPL Financial

Moderator:
Philip L. Gordon
Shareholder
Littler Mendelson P.C.

Awareness

  • Increase employee awareness of the risks of being mobile, such as the consequences of misplaced or stolen laptops, cameras, Blackberries, iPhones, and USB drives
  • Educate employees who regularly encounter sensitive data about privacy and regulatory requirements

Security & Breach Management

  • Employ security tools to protect company-owned phones and other portable devices
  • Prevent wireless-enabled removable media such as laptops, BlackBerries, iPads, USB drives and other portable devices from serving as a breach vector
  • Enable network oversight to detect and respond to breaches without compromising employee privacy rights

Risk Management

  • Manage risks around allowing employees to connect to corporate networks via multiple personal devices
  • Balance proper limitations on employee use with employees’ rights
  • Minimize risks incurred by off-site workers utilizing remote access points

Policy & Procedure

  • Establish HR procedures to support proper access controls, including immediate revocation upon termination and accounting for transfers
  • Strengthen your data security program by creating and implementing corporate mobility policies and device management

4:00 Afternoon Refreshment Break

4:05 Managing a Multinational Privacy Program and Preparing for Data Breaches in a Global Environment

Mark Faber
Vice President, Corporate Counsel
The Prudential Insurance Company of America

Frank Bria
Vice President and Assistant General Counsel
General Reinsurance Corporation

Lynn Goldstein
SVP and Chief Privacy Officer
JPMorgan Chase

Miriam Wugmeister
Partner
Morrison & Foerster

  • Effective strategies for implementing an incident response plan
  • Navigating breach notification laws abroad
  • Creating a multinational privacy compliance program
    • Complying in the face of conflicting and converging privacy regulations both at home and abroad
    • Methods for resolving variances
  • Updates from abroad regarding foreign data privacy regulations and enforcement regulators
    • Where are things headed with the EU?
      • On-line cookies regulations
    • India’s new and updated privacy act
    • Mexico: recent privacy laws and the effects
  • Assessing the possibility of global privacy standards
  • Managing cross-border data transfers
  • Compliance with European data protection rules relating to marketing and data retention
  • International vs. National vs. Localized response plans: Does “one size fit all” or should a company have different response plans in place depending on the location of a breach?
  • Methods for resolving some of the most common conflicts
  • Fitting corporate rules in the framework of international privacy regulatory requirements in a way that is practical, compliant, and cost-effective
  • What to watch out for in emerging markets
  • U.S. government efforts to convince EU of America’s enforcement of its laws as adequate protection of data

5:05 Litigation Round-Up: Using Lessons Learned from Recent Class Actions to Your Advantage As You Shape Your Data Privacy & Information Security Compliance Program

Ian C. Ballon
Shareholder
Greenberg Traurig LLP

Andrew B. Serwin
Founding Chair of Foley & Lardner’s Privacy,
Security and Information Management Practice
Foley & Lardner LLP

James R. Patterson
Founder
Patterson Law Group

Gene J. Stonebarger
Founder
Stonebarger Law

  • Litigation trends: what is the future of these class actions and how will the decisions shake out state by state
  • Monitoring the emergence of plaintiff claims under California’s Song-Beverly Credit Card Act under California’s unfair business practices act
  • Types of harms and injuries that have been alleged by plaintiffs, and what has led courts to hold breached companies liable for these injuries:
    • concerns over “non-economic” harms
    • negligence claims and establishing a duty owed, a breach of that duty, and actual damages
    • breaches of fiduciary duty
    • emotional distress stemming from fears of identity theft
    • reimbursement for credit monitoring and other incidental consumer costs
  • Analyzing what defense techniques have been successful in dismissing plaintiff suits
  • Insights on where plaintiff claims are going, and how to effectively combat them

6:00 Adjourns

DAY 2 – Thursday, February 2, 2012

7:30 Continental Breakfast

8:00 Company & Employee Usage of Social Media: The Privacy Implications for Businesses and Consumers and How to Craft the Right Policies to Alleviate the Latest Regulatory Concerns

Kathleen Timm
Privacy Counsel
The Hartford

Albert De Leon
Head of Compliance Advisory & Monitoring
Zurich North America

Orrie Dinstein
Chief Privacy Leader & Senior Counsel - IT & IP
GE Capital

Apalla U. Chopra
Partner
O’Melveny & Myers LLP

  • Privacy issues and concerns involving social networking sites
  • Crafting the right policies and tools to have social media access for business purposes and proper restrictions for personal use
  • How to tap into social media benefits while maintaining protection and security of customers and employees
  • What is the line between public and private life as it relates to social media?
  • Proper employee training and policing of bad behavior
  • Concerns over employee usage of social media, and possible negative impact on a company
  • Company use of social media for business purposes – what information is your company collecting via social media outlets and what are the legal pitfalls to avoid?
  • Regulatory concerns over social media
  • Blogging and social networking policies
  • New restrictions on criminal history and credit checks, checks of applicants and employees through social media

9:05 Implementing a Culture of Privacy Compliance: Preparing for and Responding to a Data Breach

Laurie Banducci Klip
Senior Director
Gap Inc.

Heather Enlow-Novitsky
VP, Assistant General Counsel, Legal Department
Bank of America Merchant Services

Korin Neff
Group Vice President - Global Privacy
Wyndham Worldwide Corporation

Lisa J. Sotto
Partner
Hunton & Williams LLP

Ronald Raether Jr.
Partner
Faruki Ireland & Cox LLP

Douglas H. Meal
Partner
Ropes & Gray LLP

Moderator:
Lydia Parnes
Partner
Wilson Sonsini Goodrich & Rosati

  • Crafting and implementing an incident response plan that anticipates and deals with varying notification requirements
  • Effective methods for incorporating privacy controls into IT systems and throughout the entire business process
  • Being proactive to avoid the scramble after a breach occurs
  • Drafting policies and guides that are workable and readable
  • Ensuring workable policies are in place, providing guidance to employees
  • Risk assessment and prioritization
    • Determining what information is collected & how it’s used
    • Access and privilege decisions
  • Types of breaches; specific compromised information: what triggers notification?
    • establishing whether data has become identifiable to an individual
    • factors for determining whether data is “unreadable or unusable”
    • Where to draw the line and what to consider when determining the existence of “a reasonable risk of harm”
  • Coordinating the timing/content of notification to law enforcement, customers, credit bureaus, & businesses
  • Post-breach communications to those affected
  • Effectively dealing with regulators, lawsuits, and the privacy community
  • Developing an ongoing outreach strategy
  • Presenting a positive image in the media
  • What can we learn about vulnerabilities from recent breaches?
  • State of the art criminal activity: where are the next technology threats coming from?
  • Technology advancements: the latest and greatest
  • Mergers and Acquisitions: preparing for integration to ensure a preexisting privacy issue is not acquired

10:20 Morning Break

10:30 Ensuring Advertising and Marketing Initiatives Meet Privacy Compliance Requirements

Emilio W. Cividanes
Partner
Venable LLP

Benita A. Kahn
Partner
Vorys, Sater, Seymour and Pease LLP

  • What is behavioral advertising and how do companies utilize it?
  • How to properly market while staying within guidelines
  • On-line advertising and Flash cookies
  • What are the legal and privacy risks associated with behavioral advertising and other similar marketing techniques?
  • How are regulators reacting to behavioral advertising?
  • Understanding the latest business models
    • How do companies evaluate legal and brand risk?
    • What are marketing departments and engineers envisioning and how does this conflict with legal and compliance concerns?
    • Protecting brand name through carefully chosen media partnerships
  • The latest on industry self-regulation initiatives
  • Navigating the affiliate marketing rule:
    • information sharing: opt-out requirements and methods
    • triggers for opt-out
    • notice and disclosure requirements
    • documentation required to satisfy the rule
    • building in new customer notification procedures for shared information
  • Do-not-call registries: reconciling the conflicts that arise among state and federal regulations regarding telemarketing
  • Social marketing

11:15 HIPAA, the HITECH Act and Privacy Compliance: Not Just for the Healthcare Industry Anymore

Daniel Walden
Senior Vice President - Compliance and Privacy Officer
Medco Health Solutions, Inc.

Patrick J. Hatfield
Partner
Locke Lord Bissell & Liddell LLP

David S. Szabo
Partner
Edwards Angell Palmer & Dodge LLP

  • What constitutes a “business associate” that falls within the scope of HIPAA
  • What entities are most affected by the broadened reach of HIPAA after the HITECH Act
  • Determining whether subcontractors open an entity up to liability under HIPAA
  • How new and proposed amendments to HIPAA will impact companies in various industries
  • Methods for the handling of Protected Health Information
  • Practical steps for compliance with HIPAA

12:00 The Fundamentals of Cyber and Data Risk Insurance: What Privacy and Compliance Officers and Attorneys Now Need to Factor in for Data Breach Cost Assessment

Jeffrey Portis
Cyber Specialists
Chubb Specialty Insurance

Max Perkins
Underwriter, Specialty Lines
Beazley Group

Laura A. Foggan
Partner
Wiley Rein LLP

  • What is Cyber insurance? And why isn’t my current insurance enough?
    • Why traditional insurance policies such as the CGL don’t work
    • Why your current property insurance may not cover the direct costs of the data breach
  • How cyber and data risk insurance really works
    • Basics of cyber insurance policies
    • What should they expect to see (first and third party coverages)
    • What common limitations/exclusions are found
  • Understanding the language used in the policies to better communicate to your clients
  • Key provisions to look for (coverage, definitions and exclusions)
  • Overview on guidance from claim to post-breach costs
    • Types of damages a company may face
    • Difference in costs, loss mitigation, etc. when a plan is in place to handle a breach event versus no plan
  • Answers to your basic coverage questions
    • Why this coverage is important, even if you are not selling anything over the internet or actively collecting data over the internet

12:50 Overcoming Challenges and Cost-Effective Strategies for Achieving PCI-DSS Compliance

Russell Schrader
Senior VP & Associate General Counsel
Visa USA, Inc.

Diana Greenhaw
Head of Global Data Security Policies and Standards Company
Visa, Inc.

  • The latest updates on required PCI compliance standards
  • International concerns and outlook for PCI compliance
  • New authentication approaches by payment networks and PCI validation requirements
  • Data Protection legislation and PCI

1:30 Conference Ends – Lunch for Master Class B