Conference Details
Event Categories
Browse C5 Companies

C5 Group
www.C5groupinc.com

The Canadian Institute
www.canadianinstitute.com

C5 (UK)
www.C5-online.com
Privacy and Security of Consumer & Employee Information

American Conference Institute’s 9th National Advanced Forum on

Privacy and Security of Consumer & Employee Information

Protecting and Managing Sensitive Data in an Increasingly Portable and Changing Marketplace

Tuesday, January 26 to Wednesday, January 27, 2010

DAY 1: January 26, 2010

8:00 Registration Desk Opens and Continental Breakfast Served

9:00 Co-Chairs’ Opening Remarks

Russell Schrader
Chief Privacy Officer & Global Enterprise Risk Counsel
Visa Inc.
(San Francisco, CA)

Keith Enright
Chief Privacy Officer
Macy’s Inc.
(Cincinnati, OH)

9:15 Compliance with the FACT Act Red Flags Rules: Regulator and Industry Perspectives on How They are Working So Far — and What’s Next

Cora Tung Han
Attorney, Division of Privacy and Identity Protection
Federal Trade Commission
(Washington, DC)

Britton Murray
Chief Privacy Officer
Freddie Mac
(McLean, VA)

Nancy Perkins
Arnold & Porter LLP
(Washington, DC)

With “creditor” broadly defined in the Rules, the FTC considers not only financial institutions, but utility companies, health care providers, telecommunications companies and others to fall with the ambit of the rules. Join a discussion on the scope of the rules, what aspects of the business will be affected, and how compliance will be impacted in this valuable session. Topics will include:

  • Post-deadline status report from the FTC
    • where does the FTC see shortcomings?
    • activities being scrutinized
  • Administering the program: determining who to make the key players within the organization and what roles they should play
  • Determining which aspects of the business the rule impacts
    • successfully facilitating a cohesive effort for compliance
    • recognizing and restoring broken lines of communication
  • Maintaining and updating your list of red flags and identity theft methods
  • Methods for ensuring your program is periodically updated
  • Evaluating the cost of implementation v. actual benefit to consumer for identity theft prevention
  • How effective is your program? FTC perspective on evaluating how well it is working

10:30 Coffee Break

10:45 Integrating New State Legislation into Your Privacy Compliance Program

Lynn Goldstein
Senior Vice President, Chief Privacy Officer
JP Morgan Chase Bank, NA
(Chicago, IL)

Zoe Strickland
Chief Privacy Officer
Wal-Mart
(Bentonville, AR)

Agnes Bundy-Scanlan
Goodwin Procter LLP
(Boston, MA)

Robert Ellis Smith
Publisher, Privacy Journal
(Providence, RI)

The nature of internet use means new laws and regulations in various states might as well be national laws. Join us for a session that provides valuable information on new state initiatives — and how they will specifically impact your privacy compliance programs.

  • Massachusetts’ new requirements for creation of information security program
    • vendor requirements
    • encryption requirements
  • Nevada’s new PCI requirements
  • Connecticut’s implementation of SSN protections
  • Maine’s new legislation on data collection and marketing to minors
  • Spotting the trends: tweaking your compliance plan to stay abreast of new state laws while aligning it with brand and policies

11:45 Understanding Where the Latest Cyber Threats are Coming From to Protect Your Organization from Attack

Linda Betz
Director, IT Policy & Info Security Global Infrastructure
IBM Corporation
(Poughkeepsie, NY)

  • What we can learn about vulnerabilities from recent breaches?
  • State of the art criminal activity: where are the next technology threats coming from?
  • Managing and lessening the risks of phishing and pharming and social engineering
  • Protecting email messages and other information sent over the internet from breaches
  • Technology solutions: the latest and greatest
    • firewalls
    • encryption: what works?
    • software
  • Ensuring consumer information is deleted and unrecoverable
  • Monitoring physical access to information
    • security measures and video surveillance
  • Conducting vulnerability scanning and penetration testing

12:45 Networking Luncheon for Delegates and Speakers

2:00 Best Practices for Minimizing Risk and Protecting Information Provided to Third Parties

Nancy Baran
Vice President, Privacy Office
Prudential
(Newark, NJ)

Miriam Wugmeister
Morrison & Foerster
(New York, NY)

  • Selecting third-party vendors and service providers
    • initial considerations
    • complying with the “due diligence” requirement
  • Factors to consider when assessing third parties prior signing a contract
  • Certifying/verifying third parties
  • Key contractual provisions, limitations and rights
  • Contractual provisions to include to shield yourself in case a breach occurs
  • How to ensure that vendors and service providers properly screen and train employees on privacy policies
  • Examples of monitoring/auditing systems that should be used
  • The on-site visit: what should you be looking for?
  • Ensuring the appropriate protections in case the relationship is terminated

3:00 Afternoon Refreshment Break

3:15 Anticipating and Resolving Privacy and Security Problems that Arise in Vendor Relationships

Jana Klopp
US Affiliate Privacy Officer
Eli Lilly and Company (Indianapolis, IN)

Orrie Dinstein
Chief Privacy Leader & Senior Counsel – IT & IP
GE Commercial Finance
(Stamford, CT)

  • Applying the GLB standard
    • translating the regulatory language into must-have contractual protections
    • what to ask and look for when conducting due diligence
  • Assessing your vendors’ privacy policies and procedures – and whether they are actually followed
  • Reviewing and verifying the business reputation of vendors: when, how and where to obtain objective data
  • Background screening requirements of vendor employees
  • Determining the appropriate standards for data transmission and data storage
  • Getting audit rights and audit trails into the contract: what to ask for
  • Encryption requirements and other data security measures: what needs to be on paper?
  • When to use agreements on sub-contracting and what should be in them
  • What indemnification requirements are necessary? Advisable?
  • Confidentiality provisions
  • Renewals: requirements for re-evaluation
  • Legacy contracts: having the vendor comply with new requirements and corporate integrity agreements
  • Termination and exit strategies that provide appropriate protections

4:15 Protecting Data in the Hands of Your Employees: Security Measures for Workforces in an Increasingly Mobile Environment

Nuala O’Connor Kelly
Chief Privacy Leader
General Electric
(Washington, DC)

Campbell Tucker
Director of Privacy Office
Wachovia
(Charlotte, NC)

  • Implementing proper policies and procedures to address changing ways that employees handle information
  • Protecting removable media from breaches such as laptops, blackberries, Ipods, and other portable devices using wireless networks
  • Combating attacks without severely interfering with employee privacy
  • Getting the privacy message out to employees who use sensitive data on a day-to-day basis
  • Creating and implementing corporate mobility policies and device management into your data security program
    • identifying information being assessed
    • determining access: privileged v. not privileged
    • gaining control of the devices being used by employees
    • balancing security with usability
  • Educating employees on the consequences of misplaced or stolen laptops, USB sticks, and thumb drives
  • Strategies for getting employees to follow privacy protocols
  • Immediate and proper removal of employee access to the system once they have been terminated
  • Preventing employees from downloading personal information and ensuring access through protective passwords
  • Implementing an audit-trail for sensitive information
  • Keeping employees informed about the current schemes to gain inappropriate access to sensitive information

5:30 Day One Concludes

DAY 2: January 27, 2010

7:30 Continental Breakfast

8:30 Co-Chairs’ Remarks

8:45 Preparing for and Responding to a Data Breach: Assessing Breach Scope, Notification Requirements, Appropriate Responses and Mitigation

Carol DiBattiste
SVP Privacy, Security, Compliance, and Government Affairs
LexisNexis
(Washington, DC)

Joanne McNabb
Chief, California Office of Privacy Protection
(Sacramento, CA)

Lisa J. Sotto
Head, Privacy & Information Management Practice
Hunton & Williams
(New York, NY)

  • Types of breaches; specific compromised information: what triggers notification?
    • establishing whether data has become identifiable to an individual
    • factors for determining whether data is “unreadable or unusable”
    • Where to draw the line and what to consider when determining the existence of “a reasonable risk of harm”
  • Coordinating notification requirements that now exist in 45+ states
  • Tools for determining the scope of what you are providing notice of
    • assessing the size of the problem
    • criteria for deciding how soon you must act
  • Coordinating the timing and content of notification to law enforcement, customers, credit bureaus, and other affected businesses
  • Crafting and implementing an incident response plan that anticipates and deals with varying notification requirements
  • What is considered “unreasonable delay” when notifying customers, employees or the relevant agencies?
  • When and how to implement substitute notification, via media outlets, company website or via telephone/fax or email
  • Post-breach communications to those affected
    • proper language to include in your notification letter
    • ensuring that individuals read and understand notification letters
    • examples of letters based on the content of information that has been compromised
  • Effectively dealing with regulators, lawsuits, and the privacy community
  • Developing an ongoing outreach strategy
  • Presenting a positive image in the media
    • what makes a breach media-worthy
    • how to control the post-breach media frenzy
    • limiting company exposure once news hits
    • what to tell the press and employees
    • minimizing the negative impact on management and employees in the day-to-day operations

9:45 Coffee Break

10:00 Preparing for the Future: What’s Next from the Federal Regulators?

Alain Sheer
Senior Attorney, Division of Privacy and Identity Protection
Federal Trade Commission
(Washington, DC)

John H. Walsh
Chief Counsel, Office of Compliance
Inspections and Examinations
U.S. Securities and Exchange Commission
(Washington, DC)

William H. Henley, Jr.
Director, IT Examinations
Office of Thrift Supervision
(Washington, DC)

Moderator:

Brian Hengesbaugh
Baker & McKenzie
(Chicago, IL)

  • Where federal agencies are going in terms of the next steps for privacy
  • Upcoming and current congressional inquiries on privacy
  • Areas in which regulators will focus their privacy enforcement efforts in the next year
  • FTC enforcement activity:
  • HR 2221: federal data protection legislation
  • Other new developments/initiatives of significance to privacy professionals

11:00 Ensuring Marketing Initiatives Meet Privacy Compliance Requirements

Nancy Callahan, CPCU, CIPP
Vice President, Executive Liability
Chartis Insurance
(New York, NY)

Keith Enright
Chief Privacy Officer
Macy’s Inc.
(Cincinnati, OH)

David Medine
WilmerHale
(Washington, DC)

  • Navigating the affiliate marketing rule:
    • information sharing: opt-out requirements and methods
    • triggers for opt-out
    • notice and disclosure requirements:
    • documentation required to satisfy the rule
    • building in new customer notification procedures for shared information
  • Do-not-call registries: reconciling the conflicts that arise among state and federal regulations regarding telemarketing
  • Behavioral/social marketing: how Facebook, Twitter and other social networking sites fit in

12:00 Networking Luncheon for Delegates and Speakers

1:15 Implementing and Managing a Multinational Privacy Program For Compliant Collection, Use and Transfer of Data Internationally

Michael Spadea
Privacy Counsel, Legal and Compliance
Barclays LLC
(London, UK)

Zoe Strickland
Chief Privacy Officer
Wal-Mart
(Bentonville, AR)

David Keating
Alston & Bird LLP
(Atlanta, GA)

  • Analysis of problem areas where EU, APAC, US, Canada and other privacy regulations converge and conflict
  • Methods for resolving some of the most common conflicts
  • Fitting corporate rules in the framework of international privacy regulatory requirements in a way that is practical, compliant, and cost-effective
  • Cross-border data flow: understanding the fine-tuning regarding varying definitions and resolving the ambiguities
    • what constitutes a data controller v. data processor and the legal implications for each
    • when have you performed a data transfer
    • identifying v. de-identifying data

2:15 Networking Refreshment Break

2:30 Overcoming the Challenges Associated With Implementing the Payment Card Industry Data Security Standard

Russell Schrader
Chief Privacy Officer & Global Enterprise Risk Counsel
Visa Inc.
(San Francisco, CA)

  • What is the state of PCI-DSS compliance today?
  • Can you be compliant and still be breached?
  • The outlook internationally for PCI-DSS
  • How to determine which contracts and transmissions will be affected
  • Decoding the vague security guidelines: how is a “secure network” verified?
  • Encryption: From the register to transmittal over wireless networks
  • Educating and training employees at all levels of the organization about PCI-DDS compliance
  • Consequences of non-compliance

3:30 Conference Concludes

Home | About Us | Registration | Publications | CLE Help Center | Contact Us
Press Room | Privacy Policy