Tuesday, April 20
11 a.m. – 12 p.m.
APEC Privacy Framework: A 2010 Perspective
Lynn A. Goldstein, CIPP, Senior Vice President & Chief Privacy Officer, J.P. Morgan Chase
Robin R. Layton, Director, Office of Technology and Electronic Commerce, Manufacturing and Services, International Trade Administration, U.S. Department of Commerce
Scott Taylor, Chief Privacy Officer, Hewlett-Packard Company
APEC consists of 21 member economies, including some of the world’s most influential countries. In 2005, the APEC Privacy Framework was endorsed, which facilitates the safe transfer of information between member economies, followed by the APEC Data Privacy Pathfinder Initiatives in 2007. Get an overview of the latest developments with respect to the framework and what the future holds in terms of the APEC process, best and worst case scenarios for the process, and what private industry could be doing to make the process successful.
Balancing Privacy and Security: The Role of Privacy and Civil Liberties in the Information Sharing Environment
Samuel Jenkins, Director, Defense Privacy Office, U.S. Department of Defense
Alexander Joel, CIPP, CIPP/G, Civil Liberties Protection Officer, Office of the Director of National Intelligence
Since September 11, 2001, America has too often viewed the relationship between national security and civil liberties as adversarial. As the U.S. looks to create a federal information sharing environment, we must reconcile these two important principles. In light of the “Implementing Recommendations of the 9/11 Commission Act” (Public Law 110-53) and recent Presidential directives, how must privacy offices and the Intelligence Community interact when creating a true information sharing environment? How do we balance the demand for appropriate privacy and civil liberties protections against the need for information to support an effective and efficient Intelligence Community? Join in a discussion of the necessary role of civil liberties and privacy protection in a new era of shared intelligence and resource gathering.
Beyond Compliance: Operationalizing Privacy under the HITECH Act and HIPAA
Kenneth P. Mortensen, CIPP, CIPP/G, Chief Privacy Officer, Boston Scientific Corporation
Amy Yates, CIPP, Director, Privacy & Data Protection, Deloitte & Touche LLP
Many privacy and security professionals focus on the administrative and policy controls they can adopt to protect Protected Health Information (PHI), but too often they don’t fully grasp how to actually implement and deploy the whole range of administrative, physical and technical safeguards and tools needed to protect PHI and support the organization’s commitment to protecting PHI for patients, customers and regulators. Using HIPAA and the HITECH Act as a frame of reference, this session will provide strategies for protecting PHI—both operationally and practically—and for demonstrating adherence to HIPAA privacy obligations.
Enable Your People! How to Leverage Your Resources to Support Your Privacy Objectives
Virginie Hupé, Senior Solution Manager, Microsoft Corporation
How can you leverage existing resources in your organization to support your privacy objectives? Build an internal privacy community! Developing an internal network of privacy champs is a cost-efficient way to scale your privacy program. Join this practical session to learn how to effectively build and manage an internal privacy community and hear about some of the tools, resources and programs that can be implemented to ensure your internal privacy network is “enabled.”
Exploring the Big Issues in U.S. Federal Privacy Legislation
Michael Hintze, CIPP, Associate General Counsel, Microsoft Corporation
Ari Schwartz, Vice President and Chief Operating Officer, Center for Democracy and Technology
This is not a session for the meek. Skip the high-level overview of the latest legislative proposals and developments, and dig deep into the most challenging, controversial and impactful issues and developments surrounding federal privacy legislation in the U.S.
Expect to explore thought-provoking questions such as: Will Congress adopt a comprehensive approach to privacy legislation or continue to adopt issue-specific and industry-specific privacy laws? How would a more comprehensive approach address and impact existing industry-specific privacy laws (HIPAA, GLB, etc.)? To what extent will a federal privacy law pre-empt state privacy laws? What agency (or agencies) will be charged with enforcing the law? How will a federal privacy law address some of the more challenging issues like individual access rights? What kind of compliance burdens will a federal law create, particularly for small businesses?
Gramm-Leach-Bliley: 10 Years Later
David Hale, CIPP, Chief Privacy Counsel, TD Ameritrade
Andrew Serwin, Partner, Chair of the Privacy, Security & Information Management Practice, Foley & Lardner LLP
Join us for a retrospective on Gramm-Leach-Bliley. What’s changed in privacy since this historic bill passed and what has it accomplished? This session will examine readability of GLB notices, proposed changes to GLB, the impact of GLB on consumers’ expectations of privacy, and financial services marketing and litigation.
The Evolution of Data Security Requirements: From "Reasonable" to "Specific"
James Covington, CIPP, Senior Staff Information Security Analyst, Information Security & Risk Management, Qualcomm, Incorporated
Lothar Determann, Partner, Baker & McKenzie LLP
Government agencies and businesses around the world have been subject to data privacy and security legislation for decades. Historically, most laws have focused on consent and notification requirements as well as substantive limitations on the collection, use and transfer of personal data. But, when California enacted the world’s first data security breach notification law in 2003 and companies started reporting security breaches en masse, the threat became abundantly clear. Since then, lawmakers in the U.S. and other countries have started prescribing very specific technical and organizational measures intended to ensure that companies take more comprehensive steps to prevent security breaches and protect the data and privacy of consumers, employees and others. Join this session and learn what you need to know about these constantly evolving rules and leave with practical recommendations for complying with applicable laws and mitigating the risks of devastating security breaches.
Tweets, Blogging and Buzz: Protecting Your Company from Privacy Risks When Using Social Media in Marketing, Advertising and Promotions
Kimberly Cilke, Assistant General Counsel, The Go Daddy Group, Inc.
Social media in the new Web 2.0 world has proven to be an effective new marketing tool, but it’s not without its privacy challenges. Learn practical tips for avoiding privacy pitfalls as you create social communities for your customers and deliver marketing messages via social networks like Facebook, LinkedIn, YouTube and Twitter. Topics to be addressed include the collection and storage of social network user information, “tweetspamming,” applicability of the FTC Fair Information Practice Principles and relevant EU Article 29 WP Opinions on online social networking, potential risks related to social media marketing to minors, and the design and implementation of a corporate social media policy and compliance program.
When Catastrophe Strikes: Managing Privacy in Times of Disaster
Peggy Eisenhauer, CIPP, Founder and Principal, Privacy and Information Management Services
Jonathan Fox, CIPP, Director, Global Privacy, eBay Inc.
Are your privacy policies and practices rugged enough to survive a natural (or unnatural) disaster? Have you thought about how to manage privacy in the event (and aftermath) of a pandemic? An office building fire? An earthquake? Or any sudden and unexpected need to move to virtual work environments? What would such extraordinary events mean for managing the privacy of employees and customers, as well as the intellectual property of your organization? How do you prepare? What are the likely issues you will confront? Using case studies and real-life examples, learn strategies for managing privacy in different disaster scenarios, and leave with checklists and tools for creating your own disaster management plan. You’ll also have the opportunity to work in interactive groups to brainstorm, share and contribute your own ideas.
Tuesday, April 20
1:15 – 2:15 p.m.
Awareness Done Right: Polishing the Message and the Brand
Steven Conrad, Managing Director, MediaPro, Inc.
How can you improve human performance and reduce human error in your privacy program? Implement an effective awareness program and reinforcement strategy. In this practical session, dive into real-life examples of award-winning privacy and security awareness initiatives. Learn how the marketing and training disciplines can come together to produce a successful campaign, and take away useful tips on branding and marketing strategies that contribute to message effectiveness. You’ll also have the opportunity to break into groups to discuss the examples and share feedback on your own awareness activities.
Operational Risk in Processing Confidential Data in a Multinational Environment
John Landwehr, Director of Security Solutions and Strategy, Adobe Systems
Rena Mears, CIPP, Partner, Deloitte & Touche, LLP
Randy Sabett, Partner, Sonnenschein Nath & Rosenthal LLP
Most organizations are well aware of the risks associated with the collection and processing of confidential information. Often overlooked, however, are the operational risks: maintaining data on enterprise systems, applications and end points frequently means sustaining a level of risk that impacts your business processes, systems and operations. Additionally, operating in a multinational environment with data flowing across borders may expose data to unauthorized access at multiple points throughout its lifecycle. Join this panel of data protection experts for an eye-opening discussion of operational risks and enterprise-wide strategies for mitigating them.
The Essential Elements of Accountability and Baking Them into a Privacy Business Process
Martin Abrams, Executive Director, CIPL
Scott Taylor, CIPP, Chief Privacy Officer, Hewlett-Packard Company
The OECD guidelines first established accountability as a principle 30 years ago; APEC has adopted accountability as a principle and it is the first principle in PIPEDA. Now, for the first time, a distinguished group of international experts that includes data protection authorities, academics, advocates and business has developed the essential elements of accountability as part of a project to improve global privacy governance. Learn the essential elements of accountability and get practical guidance on how to build an accountable program through a demonstration of a program built to the essential elements.
Understanding the Risks and Dangers Associated with Medical Identity Theft
Larry Ponemon, CIPP, Chairman and Founder, The Ponemon Institute
In this session, Dr. Ponemon will review his study results on the real risks and dangers of medical identity theft. He will discuss the study’s key findings and unexpected results. He will further highlight steps that those in the medical community and consumers can take to better safeguard information against this prevalent crime.
U.S. Government Cross-Border Information Sharing
Jonathan R. Cantor, CIPP, CIPP/G, Executive Director, Office of Public Disclosure, Social Security Administration
John Kropf, CIPP, CIPP/G, Deputy Chief Privacy Officer, U.S. Department of Homeland Security
Deborah Wolf, CIPP, CIPP/G, Director, Privacy, Information Protection and Data Security, Internal Revenue Service
The U.S. government engages in information sharing with foreign governments for a wide range of purposes, including national security, international trade and administration of taxes and Social Security benefits. Engage with senior government experts to explore how agencies, including Homeland Security, the Department of Treasury and the Social Security Administration, employ federal privacy law and agency policies to deliver solutions for effective data privacy and assurance of individuals’ privacy when sharing information with international partners.
Web 2.0: Investigations, Digital Evidence and e-Discovery on Social Networking Sites
John Reed Stark, Managing Director, Stroz Friedberg LLC
With more than 300 million users on Facebook alone and a plethora of new social and professional networking sites coming online and being used on a daily basis, these sites will undoubtedly play important roles in future litigation and digital investigations. Privacy pros need to be prepared to integrate social networking into discovery and litigation efforts. Join this forward-looking session for a dynamic discussion of the potential value of Web 2.0 content, possible limitations on discovery of Web 2.0 information, and the collection and introduction of Web 2.0 content, and learn how best to collect, preserve and search data on these dynamic platforms.
What Do You Mean by “Anonymous”?
Michael Hintze, CIPP, Associate General Counsel, Microsoft Corporation
Paul Ohm, CIPP, Associate Professor of Law, University of Colorado Law School
Data anonymization is a cornerstone of most organizations’ privacy programs. At best, it can preserve some or all of the utility of data while significantly reducing the associated privacy and security risk. At worst, over-reliance on anonymization (or overstating its impact) may create a false sense of security, or even be considered deceptive. This session will address the levels of protection provided by different methods of anonymization, and when it makes sense to use them. Explore some of the tough questions about anonymization, including the advantages and disadvantages of various methods, the role it can or should play in an overall approach to data protection, and when a claim of anonymity may be considered a deceptive trade practice.
Tuesday, April 20
2:30 – 3:30 p.m.
Addressing Residual Risk through a Privacy and Security Liability Insurance Program
Eric Dieterich, CIPP, Director, Sunera LLC
Even with the most robust compliance program in place, some level of residual risk always remains. Typically, the residual risk is accepted as part of normal business activities, but there is another option: liability insurance. Learn how the application process for liability insurance works, including key risk factors for many of the leading insurance companies and what you can do to help lower your organization’s risk profile. Also, find out how to perform an assessment of your privacy and security practices before your organization begins the insurance application process, and leave with a pre-application “checklist” that can help you reduce your premiums.
Privacy Strategy for the Multi-Channel Retailer
Keith Enright, CIPP, CIPP/G, Vice President, Privacy and Chief Privacy Officer, Macy's Inc.
To excel in today's highly competitive retail environment, enterprises must effectively manage risk and optimize the value of the data assets they maintain, both about their customers and their employees. Get insights into the current and future uses of personal information in the multi-channel retail environment, and examine the balance between value generation and key risks, and possible mitigation strategies.
The Customer Rules: Best Practices for Overhauling Your Privacy Policy
Sherry Ramsey, CIPP, AVP - Public Policy, AT&T Inc.
In June 2009, AT&T unveiled its new unified privacy policy, which replaced 17 separate privacy policies for various AT&T companies, products or services. AT&T built the policy and its communications on industry best practices and direct feedback from consumers. Join AT&T executives for a discussion around building and launching a streamlined, easy-to-understand privacy policy, including focus group testing, incorporating customer feedback throughout the process, third-party validation and finding new ways to present policies to customers.
The Essential Role of a Strong Privacy Program in Global Outsourcing
Cynthia Smith-Durham, Managing Corporate Counsel, Operations, Alcatel-Lucent
A strong privacy program is one of the most critical elements for implementing a successful global outsourcing program. In this session, get an overview of how global outsourcing transactions work; learn which elements are essential for enabling a lawful global outsourcing transaction (binding corporate rules/intercompany agreement approved by DPAs, mapping data flows, Works Council agreements, etc.); and better understand the requirements and recommended strategies for evaluating and dealing with potential outsourcing vendors. Finally, get expert advice on how to navigate the difficult task of executing on the data protection elements of a complex global outsourcing program.
The Future of Privacy Regulation at the Federal Trade Commission
Moderator: D. Reed Freeman Jr., CIPP, Partner, Morrison & Foerster LLP
Marc Groman, CIPP, Chief Privacy Officer, formerly detailed to House Commerce Committee, Federal Trade Commission
Lydia Parnes, Partner, Wilson Sonsini Goodrich & Rosati
Jessica Rich, Deputy Director, Bureau of Consumer Protection, Federal Trade Commission
Join a panel of legal and government experts to explore the evolution of the FTC’s privacy framework, beginning in 1995 through the privacy roundtables that will extend into 2010, to gain a holistic view of the FTC's view of privacy under Section 5 of the Federal Trade Commission Act. Get valuable insight into how that framework may evolve in years to come as the Commission takes a closer look at how best to protect consumer privacy while supporting beneficial uses of data and innovation, especially in the areas of social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications and other diverse businesses.
The Impact of Regulations and Culture on Global Privacy Strategy
David Kuo, Senior Manager, Accenture LLP
Larry Ponemon, CIPP, Chairman & Founder, Ponemon Institute
Public and private sector organizations need to understand how cultural and regulatory issues in various countries affect their ability to achieve privacy and data security goals. Join us for a dynamic session in which you’ll receive guidance on creating a global privacy strategy based on real-world examples and Ponemon Institute research, including findings from Ponemon’s “Accenture Global Data Privacy & Protection Survey”—the first truly global study that compares how organizations in different nations view or respond to privacy and data protection cultural and regulatory challenges.
The Influence of Works Councils in European Data Privacy Management
Pascale Gelly, Lawyer, Cabinet Gelly
Judy Schmitt, Manager, HR Data Privacy and Protection, United Technologies Corporation
Protection of personal data is a fundamental right in Europe. When Works Councils’ responsibilities include the protection of employee rights, management must communicate with new participants about the requirements for protection of employee personal data, especially when it is transferred out of the country. Join this session for a practical look at practices that have been used by some companies to successfully integrate the requirements of the data protection law with the requirements of the labour law in European countries.
Update on Social Media Risks to Enterprise Data
Constantine Karbaliotis, CIPP, CIPP/C CIPP/IT, Information Privacy Lead, Symantec Corporation
Social media and software are of increasing interest to both private and public sector organizations. While these technologies offer exciting new opportunities to share information and to interact with customers, they also represent a new area of risk for the exposure of confidential and personal information. Get an update on the changes being brought about by social media in response to regulators’ and consumers’ concerns, and learn the latest strategies for minimizing risks to organizational security and reducing liability.
When Bureaucrats Met a Twitter: Balancing Risks and Opportunities of Social Media
Alberta Education, one of the provincial ministries in the Government of Alberta, Canada, supports the needs of students, parents, teachers and administrators from K to Grade 12. Not only does the Ministry develop and assess curricula for K-12 students, it also oversees education policy and regulations. In order to meet those business needs, promoting, using and maintaining a wide variety of communication channels is essential. It was natural, therefore, for the Ministry to pay close attention to a range of online social networking tools that were gaining momentum rapidly, such as Facebook, LinkedIn, blogs, wikis, YouTube and Twitter. However, it was quite a different matter to figure out how to make the most of these tools for more effective and efficient communications while ensuring adequate privacy protection. Get a first-hand account of the right and wrong steps the Ministry took and lessons learned in the course of adopting social media tools. This session will also introduce you to a variety of ways to help establish which social networking tools to use for business needs and how to use them, including decision tree diagrams, social media policies, and procedural guides for specific tools.
NETWORKING SESSIONS
Tuesday, April 20
4 – 5:30 p.m.
A New Generation of Privacy: A Preview to the 2010 International Conference of Data Protection Commissioners
Facilitator: Yoram Hacohen, Head of the Israeli Law, Information and Technology Authority (ILITA)
Facilitator: Jules Polonetsky, CIPP, Co-Chairman and Director, Future of Privacy Forum
Facilitator: Omer Tene, Associate Professor, College of Management School of Law
Participants will hear from the host of the 2010 Commissioners’ Conference and share what they think should be on the agenda.
The 32nd Annual Data Protection Commissioners’ Conference will be held in October 2010 in Jerusalem. Hear from the conference host about the main themes of the event and share what you think should be the top issues for data regulators globally. What does the future of privacy hold for today’s digital natives? What are the challenges facing the next generation and what lessons can be drawn from the past? What do privacy professionals think regulators should be making their focus as technology continues to create new opportunities and challenges for privacy?
Building a Successful Privacy Practice: Advice from Freelance Privacy Pros
Facilitator: Alan Chapell, CIPP, President, Chapell & Associates, LLC
So you'd like to start your own privacy firm. You've told your family, your friends and your entire Rolodex of work contacts that you've set up shop. Now what? What are the most important things to be thinking about and doing? What are the pitfalls to avoid? How are you planning on generating business? Share your insights and ask questions about some of the key dilemmas facing independent privacy consultants: How do you market yourself as an “indie” privacy professional? How do you figure out who your customer is? What is the right price point? How do you position yourself against the larger firms? How can you evaluate partnerships to minimize interactions with time wasters?
Data Breach Risks and the HITECH Act: Best Practices for Risk Assessments, Notification and Compliance
Facilitator: Rick Kam, President & Co-founder, ID Experts
With enforcement of HITECH Act data breach provisions beginning in February 2010, it’s critical to understand the actions and best practices you can take to reduce your organization’s risk of data breach and ensure proper compliance with data breach monitoring and notification requirements in the HITECH Act. This session will provide insight into the implications of the HITECH Act breach regulations for the unauthorized disclosure of personal information in healthcare, and draw upon real-world examples of best practices regarding data breach prevention, risk assessments, notification and compliance that you can begin implementing in your organization today.
Latest Developments in the Implementation of International Standards on the Protection of Privacy
Facilitator: Rafael García Gozalo, Head of the International Department, Spanish Data Protection Agency
Facilitator: Artemi Lombarte Rallo, Director, Spanish Data Protection Agency
The 31st International Conference of Data Protection and Privacy Commissioners, held in Madrid in November 2009, adopted a Resolution on International Standards of Privacy. The resolution, which contains a set of principles, rights, obligations and procedures, was the work of a Working Group composed of public and private organizations and entities. The resolution also creates a Promotion Group with the goal of disseminating and promoting this Joint Proposal to relevant private entities, experts and national and international authorities as a basis for further work towards the development of a binding international convention. Find out in detail about the work carried out by this group and the progress in this area.
Monitoring by Design: Using Tools for Tracking and Reporting Your Privacy Program
Facilitator: Marilyn Prosch, CIPP, Associate Professor, Arizona State University
Facilitator: Sagi Leizerov, CIPP, Senior Manager, Ernst & Young
Privacy programs increasingly use technology to organize and report on risk and compliance areas. Governance, Risk and Compliance (GRC) tools are used for automating dashboards that report on objectives and issues, and are customized for tracking incidents and their mitigation processes. Continuous Controls Monitoring (CCM), a subject matter that emerged from finance and accounting operations, is expanding to include controls over personal information. Spend this hour and a half discussing these topics in depth, and share your experiences and lessons from designing and using technological tools for tracking and monitoring privacy in your organization.
Privacy in Western Civilization: From the Hebrews and Greeks to the Digital Age
Facilitator: Alan Westin, Professor Emeritus Public Law, Columbia University
Recent Changes in Health Information Privacy
Facilitator: Ann Waldo, CIPP, Partner, Oldaker, Belair & Wittie
By the time the Summit convenes, a number of new regulations and changes in healthcare privacy will be in place. HHS will have released additional privacy regulations and guidance, a new federal CPO position at HHS will have been filled, the new head of the Office of Civil Rights will have been in place for some time, the PHR and Related Entities study will have been completed, and Covered Entities and Business Associates will be well on their way to absorbing the impact of the major ARRA changes. Get an update on the most recent changes and discuss your questions, concerns and thoughts about this rapidly evolving environment.
The Future of the Privacy Profession
Facilitator: Harriet Pearson, CIPP, Vice President, Security Counsel & Chief Privacy Officer, IBM Corporation
The IAPP is celebrating its 10-year anniversary in 2010. In honor of this milestone, we commissioned a study team, chaired by Harriet Pearson, CIPP, to understand where the privacy profession is heading in the next decade and how IAPP members can prepare themselves for the changes ahead. Come to this special networking session to discuss the findings, which include in-depth interviews with a wide range of privacy leaders, as well as an exclusive survey of IAPP's membership. Don't miss this opportunity to understand how to position yourself for personal growth and greater impact.
What’s New in Consumer Privacy Research?
Facilitator: Alessandro Acquisti, Associate Professor of Information Technology and Public Policy, Heinz College, Carnegie Mellon University
Facilitator: Mary Culnan, Slade Professor of Management & IT, Bentley University
The CUPS Laboratory at Carnegie Mellon University is conducting leading-edge research on how consumers make decisions related to privacy. Recently they studied the willingness of consumers to pay for privacy, and developed and tested a “nutrition label” for privacy. Join leading CUPS privacy researcher Alessandro Acquisti to explore what the research means for your organization.
Wednesday, April 21
11 a.m. – 12 p.m.
Beyond Technology: Fine-tuning Your Information Protection Efforts
Javier Salido, CIPP, Senior Program Manager, Trustworthy Computing Group, Microsoft Corporation
Find out how Microsoft has improved the security of all types of sensitive information through its comprehensive data governance framework for information protection. The framework, and this session, go beyond technology and examine the roles and responsibilities that come into play in a data governance effort, including those that reside outside of IT. The discussion will also address the framework’s technology tools and guidance, and how they can be used to improve your organization's data protection and regulatory compliance efforts.
Conducting a Forensic Accounting Investigation
Hugo Teufel III, CIPP, CIPP/G, Practice Co-leader, Privacy & Identity Theft, PricewaterhouseCoopers LLP
Forensic accounting investigations run on information and rely upon information technology to pull together and make sense of the information. With the dawn of the information society, vast amounts of information are available to you to search for and provide context to the information relevant to the investigation. This data may include sensitive information, such as human resource files, home addresses, personal checking and savings accounts, social security numbers, and health information. Learn what you need to know about conducting a forensic accounting investigation, including how to ensure you take into account the relevant jurisdictions’ privacy or data protection laws, and tips for working with counsel to ensure that your organization is not exposed to greater risk or liability during the investigation and any related litigation.
Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems
Donald A. Cohn, Corporate Counsel, E.I. DuPont de Nemours and Company
Robert L. Rothman, President, Privacy Associates International, LLC
The laws of almost all jurisdictions that regulate cross-border transfers of personal information provide for some sort of contractual basis under which the transfer may go forward. These agreements may be relatively fixed, as in the EU standard clause agreements, or more flexible, as is the case in Australia and Argentina. Companies wishing to utilize these contractual solutions may face a number of practical problems, for example, the sheer number of agreements required to create free transferability among the subsidiaries of an average-sized multinational, varying levels of specificity required in the contracts by different DPAs, and dealing with changes in the underlying commercial arrangement that affect the contracts, just to name a few. This session will dive into these quandaries and suggest some practical simplification strategies, including multi-party Web-based contracts, single contracts addressing the requirements of multiple jurisdictions, use of powers of attorney and more.
Cybersecurity, Network Infrastructures and Privacy
James A. Baker, Associate Deputy Attorney General, U.S. Department of Justice
Moderator: Alan Charles Raul, Partner, Sidley Austin LLP
Moderator: Philip Reitinger, Deputy Undersecretary, National Protection & Programs Directorate, U.S. Department of Homeland Security
Cybersecurity and protection of critical infrastructure is an urgent imperative for government computer networks and private sector networks in finance, telecom, energy and transportation. The U.S. government has dedicated enormous new resources to this issue, and the White House has made clear that private industry has a substantial duty to protect critical cyber-infrastructure as well. And recently, the Department of Justice has released OLC opinions regarding the use of Deep Packet Inspection to support the “EINSTEIN 2.0” computer intrusion detection system. Hear from senior government officials about the latest threats and responses and participate in a moderated Q&A session about the privacy and civil liberties issues implicated in government and private sector efforts to stay a step ahead of criminal, enemy and terrorist intruders in key computer networks and databases.
Damages: Calculating the Cost of Noncompliance and Assessing Risk
Yaron Dori, Partner, Covington & Burling LLP
Complying with all privacy laws and regulations is always ideal. But what do you do when the cost of compliance is prohibitive, or when budgetary or business imperatives require you to be less than fully compliant for a temporary period? What is the cost of noncompliance? Find out how the FTC, state attorneys general and courts approached the issue of fines and damages and learn how this information can help you assess the risk of noncompliance when full compliance may be cost prohibitive, technologically infeasible, or simply beyond your organization’s immediate capabilities.
From Notice to Awareness: Consumer Education and Behavioral Advertising
Charles Curran, CIPP, Executive Director and General Counsel, Network Advertising Initiative
Moderator: Douglas Miller, CIPP, Executive Director, Consumer Advocacy and Privacy, AOL Inc.
Jules Polonetsky, CIPP, Co-Chairman and Director, Future of Privacy Forum
Anne Toth, Vice President, Global Policy and Head of Privacy, Yahoo! Inc.
Online behavioral advertising continues to top the list of hot privacy issues in 2010. Self-regulatory regimes and individual companies face the challenge of moving beyond notice to a combination of enhanced notice and consumer education that presents consumers with information about not just how their data is collected and used, but why. What are the benefits, potential tradeoffs and choices available, and how do we engage consumers in the discussion? Join this session for unique perspectives on the latest innovative approaches to consumer engagement and controls, and the shift from passive notice to active awareness.
HIPAA Goes HITECH on Your BA: The Direct Application of HIPAA to Business Associates
Kelly Hagan, Attorney, Schwabe, Williamson & Wyatt, P.C.
In the past, vendors to the healthcare industry only concerned themselves with HIPAA to the extent that they were parties to a business associate agreement. However, effective February 17, 2010, HITECH will apply most of the privacy and security requirements of HIPAA directly to business associates, including civil and criminal penalties. In this session, you’ll get a practical explanation of how HIPAA Privacy and Security rules apply to privacy professionals who are business associates, from regulatory requirements to risk management concepts to peculiar privacy issues arising in the medical, hospital and health insurance industries. You’ll also leave with concrete business methods, business associate agreement provisions and compliance strategies for business associates in the privacy industry.
Moving HR Functions Online: Confronting Domestic and Global Privacy Challenges
Philip Gordon, Shareholder, Littler Mendelson
Jessica Ohle, Partner, Kliemt & Vollstädt
As more and more multi-national companies go online with their HR functions, they confront myriad legal and operational challenges posed by domestic and foreign data protection laws. These challenges run the gamut, from compliance with domestic and foreign privacy protections for job applicants and employees; to negotiating agreements with vendors who provide cloud computing services; to obtaining the agreement of European works councils; to legitimizing international data transfers. Join this session for practical solutions for overcoming these obstacles so that your organization can enjoy the full benefit of global HR database solutions.
Recent Privacy and Data Protection Developments in Latin America: The Impact on North American and European Multinational Companies
Renato Opice Blum, Chief Executive Officer and Founding Partner, Opice Blum Advogados Associados
Cedric Laurant, Independent Privacy and Information Policy Consultant
Katitza Rodríguez, Director, International Privacy Program, EPIC
This session offers an analysis of the most important data protection and privacy developments in Latin America in the last year. Learn how new developments in the EU and the U.S. are influencing the public policy debate over privacy in the Latin American region, and how and why multinational companies should take these developments into account when doing business in Latin America. Some of the topics to be discussed include: the concept of “adequate protection” as it is currently being discussed in Mexico and Uruguay with the European Commission; new legislation on transborder data flows and financial information in Colombia; and the evolution of “habeas data” in recent case law of Latin American courts.
Wednesday, April 21
12:15 – 1:15 p.m.
Controllers, Processors and Sub-processors, Oh My! Managing Evolving Relationships in the Cloud
Stephen Bolinger, CIPP, CIPP/G, Attorney, Microsoft Corporation
Mark Watts, Partner, Head of Privacy & Data Protection, Bristows
Among the myriad privacy challenges raised by cloud computing, one that is less often discussed is the challenge of clearly defining and closely managing changing business relationships. Service providers want to offer standardized cloud computing services; customers want to retain control over their data; and everyone wants to comply with regulatory obligations. Dive into a discussion of the evolving legal challenges this presents (including the new set of Controller-to-Processor Model Clauses from the Article 29 Working Party) and explore options for managing these obligations and the issues you should consider as a customer, vendor or sub-contractor before entering into a cloud services contract. Note, this session is intended for those with a baseline understanding of cloud computing and EU data protection law.
Data Can Be Good: Exploring Alternatives to Data Minimization for Protecting Privacy
Fred Cate, Distinguished Professor, Indiana University and CIPL
Stan Crosley, CIPP, Chief Privacy Officer, Eli Lilly and Co.
Moderator: Jane Horvath, CIPP, CIPP/G, Senior Privacy Counsel, Google, Inc.
Paul Schwartz, Professor of Law; Director, Berkeley Center for Law & Technology
Certain uses of data require extended retention. Join in a discussion examining uses of data that depend upon its retention, and explore models other than data minimization to protect privacy based upon transparency, consumer control and accountability.
Effective Privacy Incident Lifecycle Management in U.S. Government Agencies
Mary Frazier, Chief Privacy Officer, U.S. Census Bureau
Paul Hasson, Privacy Officer, US-VISIT, Program/NPPD, Department of Homeland Security
Naqi Sayed, CIPP, CIPP/G, Senior Information Privacy and Security Engineer, The MITRE Corporation
U.S. federal government agencies are obligated per OMB guidance to report incidents involving PII to the U.S. Computer Emergency Readiness Team (US-CERT) and to assess and respond to incidents using a prescribed risk-based framework. However, there is ample room for agencies to implement creative and cohesive processes that can be effectively executed in the event of a privacy incident. The session will focus on various measures that assist in the quick identification, reporting and containment of, plus recovery from, privacy incidents. Learn about technical controls that help prevent, detect and analyze incidents, including privacy-enhancing technologies (PETs), and management controls (e.g., charters and policies, risk-based analytical frameworks, collaborative security/privacy incident response teams, and escalation plans) that have been implemented across several government agencies.
EU Enforcement: Myth vs. Reality
Hazel Grant, Partner, Bristows
Sophie Louveaux, Administrator/Legal Officer Coordinator DPO relations and Prior Checks, European Data Protection Supervisor
Rocco Panetta, Partner, Panetta & Associati
With recent high-profile cases of enforcement actions involving heavy fines—and even criminal penalties—against corporations and their executives in the EU, it is critical to have a clear understanding of the enforcement regime in key EU jurisdictions. This session will take you through the theoretical and actual risk in the UK, France, Germany, Spain and Italy, as well as highlights of enforcement practices in the rest of the EU. Leave with an understanding of the risk profile in different jurisdictions, in order to determine how and where to best spend your resources to prevent serious enforcement.
Lessons from Lehman: Managing the Cost of a Privacy Program During Organizational Change
Mandar Rege, CIPP, Senior Director, Alvarez and Marsal
Organizations today are aggressively exploring all available means to reduce cost and streamline operations—which can often lead to restructurings, mergers, acquisitions or bankruptcies. As privacy officers respond to the demands of these organizational changes, they face unique challenges when it comes to managing information risks and protecting the personal information of employees, business partners and stakeholders. Using first-hand experience working with the Lehman Brothers bankruptcy, this session will provide valuable perspectives on how CIOs, CPOs and CSOs can mitigate these challenges.
Making Federated Identity Management Work: Balancing Privacy Rights and Legal Obligations
Thomas J. Smedinghoff, Partner, Wildman, Harrold, Allen & Dixon LLP
Identity management typically requires the disclosure, verification, storage and communication of personal information. This session will focus on the privacy and liability issues surrounding the growing use of federated identity management systems. In particular, it will explain the underlying concepts of federated identity management; identify the legal issues of concern in a federated identity management system; examine the privacy implications of the collection, verification, storage, communication and disclosure of personal information required for a trustworthy federated identity management process; and finally, explore the role of federated identity management in addressing the legal and risk-based obligations of business to authenticate remote parties.
Monitoring What You Do at Home: Privacy Challenges of the Smart Power Grid
Rebecca Herold, CIPP, Owner & Principal, “The Privacy Professor”®, Rebecca Herold & Associates, LLC
Jules Polonetsky, CIPP, Co-Chairman and Director, Future of Privacy Forum
Kenneth Washington, Vice President and Chief Privacy Leader, Lockheed Martin Corporation
Moderator: Christopher Wolf, Co-chair, Privacy and Data Security Practice Group, Hogan & Hartson
Smart Grid technologies have the potential to revolutionize the electricity industry and benefit society. But will your household devices reveal private information about what you do in your home? These technologies have the potential to usher in an unprecedented new level of home monitoring if utilities and device-makers choose to harness the power of the data that will be collected along the electrical system. This session will explore the current state of the Smart Grid, discuss how companies are currently implementing privacy protections into their Smart Grid technologies, and present recommendations for how all stakeholders in the Smart Grid—regulators, utilities, device-makers and consumer advocates—can make data privacy a chief consideration in this area of innovation.
Revisiting the Safe Harbor a Decade Later
Damon Greer, CIPP, Director, U.S. - EU and Swiss Safe Harbor Framework, U.S. Department of Commerce
Lisa Sotto, Partner & Head, Privacy and Information Management Practice, Hunton & Williams LLP
JoAnn Stonier, Global Privacy & Data Usage Officer, MasterCard Worldwide
The Safe Harbor program, which was developed jointly by the U.S. Department of Commerce and the European Commission, is celebrating its tenth anniversary this year. After a relatively slow start, the Safe Harbor framework has gained significant popularity as a key mechanism by which to legally transfer personal data from the EU to the U.S. Join our panel for a discussion of how the Safe Harbor program has developed over the course of a decade and the reasons for its current popularity. The session will also examine a case study in Safe Harbor certification and explore how Safe Harbor certification provides a competitive edge for companies that adhere to the Safe Harbor principles.
Wednesday, April 21
2:30 – 3:30 p.m.
Anonymous Patient-Level Data: The Newest Trend in Healthcare Privacy
Kimberly Gray, CIPP, Chief Privacy Officer Americas Region, IMS Health
Kirk Nahra, CIPP, Partner, Wiley Rein LLP
Health plans, providers and research institutions rely upon their PHI data assets to help plan for the future. However, de-identified (anonymized) patient-level data can be a reliable substitute for PHI and can accomplish the same goals with much less risk. Learn how your organization can utilize de-identified patient-level data for healthcare operations and research initiatives, while offering patients even greater assurances regarding their privacy. This session will also explore safeguards against re-identification and optimizing security protections around all data—both PHI and de-identified data.
EU vs. U.S. on Privacy, Data Protection and Identity Theft: A Context for Differences in Regional and Cultural Approaches to Privacy
Eduard F. Goodman, CIPP, Chief Privacy Officer, Identity Theft 911, LLC
The EU and the U.S. take different approaches to privacy—each with its own strengths and weaknesses. This session will provide a comparison of the privacy, data protection and identity theft differences in both systems by analyzing three key areas: (1) government and legislative structures; (2) the view and history of “privacy” as a “fundamental” human right; and (3) consumer credit systems. The analysis will focus on how these differences have resulted in vastly different consumer privacy protection regimes.
Integrating Non-Personal Data with Personal Information
Ben Isaacson, CIPP, Privacy & Compliance Leader, Experian
Historically, Web site publishers only tracked, reported or shared their Web site visitors anonymously or in the aggregate. In recent years, Web analytics and other software has made it common to personalize Web content for unique visitors as well as integrate Web visitor traffic with user registrations, prior transactions, e-mail communications or other online marketing efforts. Explore the key privacy and compliance issues at stake when companies combine non-personal behavior collected from Web site visitors with collected personal information, whether for anonymous purposes or for direct marketing efforts.
Lessons Learned: They’re Only Valuable if They Become Lessons Implemented
Rick Shaw, President and Chief Executive Officer, Awareity
TJ Maxx, CVS, Heartland Payment Systems, Virginia Tech...they all had policies, plans and procedures in place, but failed when it came to the most critical step: implementation. Just because an organization has a plan or policy in a binder or does once-a-year general training, it doesn’t mean that the plan or policy has been implemented. Management, employees, partners, contractors and vendors all need to understand and accept responsibility for implementing plans and policies so they can become a layer of security and preparedness rather than the weak link. In this session, take a look at real-world case studies to learn how you can avoid critical gaps that lead to expensive and embarrassing incidents, and learn proven steps to improve customized information-sharing in your own organization.
Policing Privacy on the Net: How Regulators Can Address New Global Challenges
Jennifer Stoddart, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Privacy on the Internet has become one of the most important and complex challenges facing data protection regulators around the world. The global nature of the Web and varied approaches to consumer privacy are raising tricky legal issues, jurisdictional questions and other practical matters as regulators work to protect the privacy of citizens in their respective countries. Canada’s Privacy Commissioner, Jennifer Stoddart, whose investigation into Facebook highlighted several concerns about how the social networking site managed privacy issues, will share her thoughts on future directions for enforcing privacy rights on the Internet.
USA PATRIOT Act: Sunset/Sunrise
Edward McNicholas, Partner, Sidley Austin LLP
Brian Nelson, Acting Chief of Staff and Counsel to the Assistant Attorney General for National Security, U.S. Department of Justice
Significant provisions of the controversial USA PATRIOT Act sunset on Dec. 31, and material revisions pose new challenges for financial institutions, telecommunications, and other entities subject to National Security Letter and similar authorities. Join this session to find out exactly what was enacted and what was not enacted, and get practical guidance for dealing with the kind of privacy issues that can land your organization on the front page if handled poorly. Our experts will help you understand when to comply, when to question, and how to explain this provision if challenged by overseas business partners and regulators who frequently use inaccurate interpretations of the USA PATRIOT Act to undercut bids for international work involving sensitive personal data.
The New Transparency Requirements in Privacy Disclosures
Dorothy Atwood, Senior Vice President - Public Policy and Chief Privacy Officer, AT&T
Robert Belair, Partner, Oldaker Belair & Wittie
Christopher Wolf, Co-chair, Privacy and Data Security Practice Group, Hogan & Hartson
Every day, privacy professionals are faced with the challenge of communicating privacy practices to consumers in clearer, more meaningful and more timely ways. For instance, in the area of behavioral advertising, there has been significant attention given to where and when privacy notices appear, what they say and what options consumers are given. In this session, you’ll hear about the new and emerging legal and regulatory requirements for greater transparency; the current state of play—on both the legislative and regulatory fronts—and review best practices for communicating privacy protections to consumers, whether through layered approaches, video or other new techniques. Finally, in light of the FTC’s order in the Sears case, the panel will examine whether the old paradigm of privacy policies containing legal jargon and boilerplate can withstand scrutiny.