


Extended Descriptions

Information Security Professionals

Preconference Program: Wednesday, March 7
Preconference sessions are intensive training programs held the day before the full conference begins. These four-hour intimate programs typically range in size from 20-50 participants. Preconference Sessions: $545 each or choose two for an additional $150.

Wednesday Morning, 8 a.m. - 12 p.m.

Understanding Enterprise Data Flows and Classifications
Earl Porter, Director Information Security, Transamerica
Chris Lucado, Manager, KPMG
Orson Lucas, Senior Associate, KPMG

This workshop will guide the participants through the process of identifying sensitive enterprise information that is critical to the organization, as it's defined by applicable regulatory requirements and customer data breach notification laws. We will begin by explaining how to identify the sensitive data flows in an organization.

* This session is 2 hours, start time 10 a.m.

**This session is best paired with Privacy Professional Bootcamp and Third Party Assessments - Criteria for Evaluations


AICPA/CICA Privacy Framework: Building and Auditing Privacy Programs
Ken Askelson, Senior IT Audit Manager, JC Penney
Sagi Leizerov, CIPP, Senior Manager – Privacy Assurance and Advisory Services, Ernst & Young LLP
Rena Mears, CIPP, Partner – Global Privacy Services Leader, Deloitte & Touche LLP
Doron Rotman, CIPP, National Privacy Advisory Service Leader, KPMG LLP
Members of the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) will provide a hands-on tutorial on developing and auditing a privacy program using the AICPA/CICA Generally Accepted Privacy Principles (also known as the Privacy Framework).

**This session is best paired with Third Party Assessments - Criteria for Evaluations

Wednesday Afternoon, 1 p.m. - 5 p.m.

Higher Education: A Privacy Workshop
Ross T. Janssen, Privacy and Security Officer, University of Minnesota
John T. Jensen, Security Coordinator, University of Minnesota
David Lindstrom, Chief Privacy Officer, Penn State University
Frank Maurer, Privacy Officer and Director – Privacy and Information Security Compliance, Weill Medical College – Cornell University
Jane Rosenthal, Privacy Officer, University of Kansas
Lauren Steinfeld, CIPP, Chief Privacy Officer, University of Pennsylvania

Join privacy professionals from colleges and universities to discuss critical and core components of a higher education privacy program. This Precon will focus on elements of an effective privacy structure in higher education, strategies for privacy training online and off, regulatory compliance programs, as well as specific privacy issues such as website privacy policies, security breach response, privacy assessments, and social networking.


Privacy Professional Bootcamp

Trevor Hughes, CIPP, Executive Director, International Association of Privacy Professionals
Kirk Nahra, CIPP, Partner, Wiley Rein & Fielding LLP
Peter Petrusky, Co-Leader – Privacy Practice, PricewaterhouseCoopers
Nils Zacharias, Senior Associate – Privacy Practice, PricewaterhouseCoopers

This workshop is designed to introduce privacy to those new to the field. Our experts will explain the fundamentals of privacy (fair information practices) and explore the myriad of legislative standards that face all privacy professionals. Additionally, we will discuss the creation, management and monitoring of an effective privacy program.

**This session is best paired with Understanding Enterprise Data Flows and Classifications


Third Party Assessments - Criteria for Evaluations
Rena Mears, CIPP, Partner – Global Privacy Services Leader, Deloitte & Touche LLP
Don Sheehy, Senior Manager – Enterprise Risk, Deloitte & Touche LLP
Mark Steinhoff, Northeast Privacy Principal, Deloitte & Touche LLP (Moderator)

This workshop will address the demand for an operational framework that can be used when evaluating third party compliance, such as the AICPA's Generally Accepted Privacy Principles (GAPP). The purpose of this panel will be to discuss the role of GAPP as criteria for evaluation, as well as other industry-specific initiatives such as the BITS Financial Institution Shared Assessments Program (FISAP).

**This session is best paired with Understanding Enterprise Data Flows and Classifications and AICPA/CICA Privacy Framework: Building and Auditing Privacy Programs


State of Spyware Issues - Protecting Yourself and Your Organization
Rich Baldry, Head of Strategic Alliances, Sophos
Jerry Dixon, Deputy Director – US-CERT, Department of Homeland Security
Gerhard Eschelbeck, Chief Technology Officer, Webroot
David Fewer, Staff Counsel, CIPPIC
Andre Gold, Director – Information Security, Continental
Drew Maness, Chief Information Security Officer, Disney
Ross Schulman, Program Associate, Center for Democracy & Technology
Ari Schwartz, Associate Director, Center for Democracy & Technology
Jeff Williams, Director of Anti-Spyware Outreach, Microsoft

This training session will review the current state of spyware issues, potential privacy harms and then focus most of our time on what enterprises are doing to protect themselves. Speakers will include representatives from the federal government, CISOs and security experts.


A Global Perspective on Data Security Breaches and Enforcement
Malcolm Crompton, Managing Director, Information Integrity Solutions Pty Ltd
Mark Grantz, Special Agent, U.S. Secret Service
Billy Hawkes, Data Protection Commissioner, Ireland
William E. Kovacic, Commissioner, U.S. Federal Trade Commission
Christopher Kuner, Partner, Hunton & Williams LLP
Dr. José Luis Piñar Mañas, Data Protection Commissioner, Spain
Lisa J. Sotto, Partner, Hunton & Williams LLP

Data security breach laws are changing the way organizations manage information worldwide. Many data security breaches have a global effect -- a breach in the U.S. can affect European data. This panel will also examine real-world data security breaches to provide a timely discussion and exploration of the following topics: overview of laws and current environment, global perspective on data breach notification: cooperative global enforcement, managing various and competing constituencies and risks and lessons learned.

* All sessions will have a 20 minute break


Thursday Morning Breakout Sessions, 11:30am – 12:30pm
(60 minute sessions)

GENERAL
Meet the Regulators – Office of the Comptroller of the Currency
April Breslaw, Director - Division of Supervision and Consumer Protection, FDIC
Maureen Cooney, Privacy and Information Management Practice and Senior Policy Advisor for Global Privacy Strategies - Center for Information Policy Leadership, Hunton & Williams LLP (Moderator)
Amy Friend, Associate General Counsel, Office of the Comptroller of the Currency
Stephanie Martin, Associate General Counsel, Federal Reserve Board
Sarah Otte, Office of International Affairs, U.S. Securities and Exchange Commission
This series provides opportunities for those in the regulated community to meet with those setting the standards. Good compliance with the law is critical to doing business and gaining customer respect. Learn about new rules that affect your operations, how compliance is going, and why ensuring good compliance is in your best interest.


GENERAL
Privacy in China
Martin Abrams, Executive Director, Center for Information Policy Leadership (Moderator)
Manuel Maisog, Hunton & Williams Beijing
Ann Waldo, CIPP, Chief Privacy Officer, Lenovo
What is the environment for American companies doing business in China? What are the current data protection laws and how are they evolving? This session will discuss where China stands on privacy and how that may affect your efforts to do business there.


GENERAL
Social Security Numbers and State Law Restrictions – 10 Things You Need to Know
Lael Bellamy, Director of Legal, The Home Depot
Mike Drobac, CIPP, Chief Privacy Officer, Merrill Lynch & Co., Inc.
Jim Koenig, CIPP, Co-Leader, Privacy Practice, PricewaterhouseCoopers
Most companies have been focusing on state security breach notification law compliance, in response to over 30 state laws that have emerged. However, at the same time, in the last few years, state restrictions on the use of Social Security Numbers have more than doubled. Unlike the Security Breach Notification laws, which only require notification of security breaches involving personal information, the Social Security Number restrictions directly impact how you conduct business. In this session, you will learn about: specific proposed and current legislation, approaches companies are taking to meet the diverse state law requirements, and efforts that are being undertaken by leading companies to eliminate or minimize the use of Social Security Numbers in critical business and HR operations.


ADVANCED
Pretexting 360
Betsy Broder, Assistant Director – Division of Privacy and Identity Protection, Federal Trade Commission
Nancy Delogu, Littler Mendelson, P.C.
Philip Gordon Esq., Shareholder, Littler Mendelson, P.C.
Andrew Serwin, Partner, Foley & Lardner
Companies have faced a number of issues relating to the improper gathering of information to investigate employee misconduct, including through a process called pretexting, particularly regarding collection of telephone records. This panel would cover the laws regarding federal wiretap and stored communications, pretexting, state identity theft laws, state restrictions on phone records and private investigators, as well as give guidance on what permissible steps can be taken in investigations.

Organizations cannot meet their legal obligations to protect privacy and ensure data security without employees who can be trusted. Many data protection regimes expressly or implicitly require that employers vet the trustworthiness of job applicants and employees, and an increasing number of businesses are refusing to permit employees of vendors and sub-contractors to access physical facilities or data without assurances that those employees are trustworthy. As a result, data stewards are under increasing pressure to verify the trustworthiness of their own and their vendors’ workforces. Background checks, drug tests, location tracking, and blog searches are just some of the available tools for ensuring that employees are not engaging in conduct in their "private lives" that jeopardizes the organization's privacy and information security program and potentially exposes data stewards to the high cost of security incident response and class action litigation. At the same time, using these tools and disclosing the potentially damaging information that these tools generate can expose employers to a host of claims, including discrimination, invasion of privacy, defamation, and violations of the Fair Credit Reporting Act (FCRA).

In this session you will learn about: (a) how to conduct lawful background checks and how to lawfully take adverse action based upon the results of such checks; (b) how to implement a lawful drug testing program; (c) the limits on monitoring employees’ off-duty conduct through the use of private investigators, location-tracking devices, and searches of employee blogs; (d) the legal rules that govern sharing the fruits of these monitoring techniques with clients, business partners and government agencies; and (e) how to lawfully reject job applicants and terminate employees who may pose a threat to an organization’s privacy and information security program.


ADVANCED
E-Discovery: Privacy in Complex Multi-National Litigation
Stanley Crosley, Esq., CIPP, Chief Privacy Officer, Eli Lilly & Company
Peggy Eisenhauer, CIPP, Attorney & Principal, Privacy & Information Management Services
Dale Skivington, CIPP, Assistant General Counsel & Former Chief Privacy Officer, Eastman Kodak Company
Many US companies face litigation in the US that requires searching, storage and production of all electronic records, including emails, instant messages, and electronic documents that have been created by or contain sensitive information about employees inside and outside of the US. To facilitate compliance with discovery and production orders, companies can implement systems that scan and index all electronic records. These systems can also retain copies of electronic records, when litigation needs override typical document retention/destruction policies. This session will explore the tension that multi-national companies face when preparing for and responding to discovery and document production orders in US litigation, and when the discovery/production requests encompass information maintained by the company in countries with data protection laws. In particular, the panel will address:
• The legal conflicts between US e-discovery obligations and international data protection laws
• Possible exceptions that companies can use to process information when required for discovery, production and other legal compliance purposes
• Practical considerations involved in managing discovery in human resources litigation and commercial disputes (such as product safety litigation)
• Utility of consent for processing and production of employee records, including emails, outside of the US, including proactive preservation strategies
• Negotiation tips for dealing with US courts and international data protection authorities on the scope of e-discovery and production orders


GENERAL
Online Marketing: Industry Innovation and Government Enforcement
Christine Varney, Partner, Hogan & Hartson LLP
James Harper, Director of Information Policy Studies, CATO Institute
Jeffrey Rosen, Professor, George Washington University Law Center
In the past year, adware companies have engaged in numerous technological and marketing innovations—in part, to respond to the industry’s many critics in the privacy arena and law enforcement, and, in part, as a natural evolution of the industry. This session will examine the extent to which those industry advancements are effectively addressing privacy concerns. The session will also highlight recent government enforcement actions in this area and examine whether the industry can survive in the face of government enforcement. Finally, the session will consider and identify new challenges that adware is likely to face as a result of innovation in the industry and whether more regulation is necessary.


ADVANCED
The Future of Healthcare
Kim Gray, CIPP, Chief Privacy Officer, Highmark Inc.
Kirk Nahra, CIPP, Partner, Wiley Rein & Fielding LLP
This session will look at emerging issues related to health care privacy, including privacy issues raised by electronic health records, the involvement of new players (such as banks) in the health care system, the use of research and genetic information, employers' increasing role in monitoring health care costs, and the variety of privacy and security issues related to health care information for the health care industry and beyond. The goals of this session are: to raise awareness of new issues facing the health care industry and others related to health care information, to explore gaps in the current privacy system for health care information, and to educate those in the health care industry and beyond about potential uses and issues related to health care information.


Thursday Afternoon, 1:30 – 3:00pm Workshops
(90 minute sessions)

GENERAL
Meet the Regulators – Federal Trade Commission
Erin M. Egan, Partner, Covington & Burling LLP (Moderator)
Mary Engle, Associate Director - Division of Advertising Practices, Bureau of Consumer Protection
Lois Greisman, Associate Director - Division of Marketing Practices, Bureau of Consumer Protection
Eileen Harrington, Deputy Director, Bureau of Consumer Protection
Joel Winston, Associate Director - Division of Privacy and Identity Protection, Bureau of Consumer Protection
This series provides opportunities for those in the regulated community to meet with those setting the standards. Good compliance with the law is critical to doing business and gaining customer respect. Learn about new rules that affect your operations, how compliance is going, and why ensuring good compliance is in your best interest.


ADVANCED
Managing Investigations and Litigation in the European Union
Erik Laykin, Director, Discovery Services / Information Technology Investigations, Navigant Consulting
This session will cover:
• How can US corporations comply with both US courts and the EU Privacy Directive?
• Best practices for electronic document preservation and collection for US businesses operating in the EU
• Overview of the US Department of Commerce Safe Harbor
• Case Studies

GENERAL
Mock Privacy Incident: Investigation and Response Techniques
Ken DeJarnette, CIPP, NorPac Privacy Principal, Deloitte & Touche LLP
Gary Terrell, CIPP, Information Security Officer, Adobe
In the real world, companies that have experienced a privacy incident firsthand are better prepared to respond to future incidents. Come join experts from Deloitte & Touche and Adobe Systems, Inc., as we stage a mock privacy incident focusing on the investigation of and response to an incident that could be a potential threat to any organization doing business today.

The mock incident we will be staging will be a "tabletop" exercise, one in which IAPP members can actively participate with colleagues from other industries and discuss the actions they would take to respond to different scenarios, without being faced with the pressures of a real incident. Attendees will have an opportunity to participate in an investigation/response and develop the "muscle memory" needed to respond to an incident beyond the theoretical comprehension gained in a typical learning environment.

As the roles and responsibilities required for investigation and response vary greatly, the mock incident will be broken into two separate sessions: part one focusing on investigating a privacy incident (what data was compromised, how, and scope of data subjects impacted), with part two dealing with responding to a privacy incident (response strategy, notification, laws and regulations). Each session will end with a post-mortem detailing the outcome of the event.


ADVANCED
Authentication and Identity Management in an Age of Social Engineering
Allen Brandt, CIPP, Associate Director of Privacy, Graduate Management Admission Council
Chris Morris, Director of Technology Performance Improvement Practice, PricewaterhouseCoopers LLP (Moderator)
Russ Pierce, Chief Security Architect, CVS Corporation
World events and the increasing incidence of identity theft and fraudulent documentation are supporting the need for accurate biometric identity authentication and verification. In response, governments and industries are utilizing recent advancements in credentialing and biometric technologies to authenticate and verify an individual’s identity. Such initiatives, if not implemented appropriately, could compromise individuals’ privacy rights.
Topics of discussion to include:
• Challenges associated with deploying biometric technology that sustains and does not erode privacy protections relating to the use, collection, and disclosure of personally identifiable information
• Overarching methods to balance security, privacy and business needs
• Instituting user outreach and communication programs in order to address privacy issues
• Conducting a comprehensive Privacy Impact Assessment (PIA) on systems containing personally identifiable information consistent with applicable laws and best practices
• Writing, publishing, and maintaining a clear and comprehensive privacy policy
• Providing appeals procedures for those who are denied a credential or whose credentials are revoked
• Instituting strong and swift penalties for violating privacy policies
• Continuous auditing for compliance with stated privacy policies and practices

GENERAL
Privacy Career Planning: Guidance from Successful Privacy Leaders
Jennifer Barrett, Global Privacy Officer, Acxiom Corporation
Ruth Hill Bro, Partner, Baker & McKenzie LLP
Alan Chapell, CIPP, President, Chapell & Associates LLC
Jay Cline, CIPP, President, Minnesota Privacy Consultants
Nuala O’Connor Kelly, CIPP/G, Chief Privacy Leader, General Electric Company
Brian Tretick, CIPP, Executive Director, Ernst & Young
Chris Zoladz, CIPP, Vice President Information Protection, Marriott International
How do you become CPO of a Fortune 100 company? What is life like as a privacy auditor, privacy consultant, and privacy attorney? What other roles can a privacy career lead to? Panelists will review their career paths, the ups and downs of their current role, and where they see things heading in the future for aspiring privacy pros.

Goals of the Session: To help attendees understand how “green” the grass really is on the other side, and seek the right experiences to keep their privacy career moving toward where they will find the most personal satisfaction.


GENERAL
Implementing an Effective Global Privacy Training Program: Lessons Learned
John Block, Director Privacy Security & Curriculum, MediaPro Inc.
Dean Forbes, CIPP, Global Privacy Officer, Global Compliance & Business Practices Group, Schering-Plough Corporation
Robert Posch, Senior Director, Global Compliance Training, Schering-Plough Corporation
Richard Purcell, CIPP, Chief Executive Officer, Corporate Privacy Group
Schering-Plough has developed a Compliance Curriculum that seeks to align behaviors with their Standards of Global Business Practices. How we manage PII is a central concept that is addressed in the Curriculum and for which the company has applied resources to model and align behaviors. The Corporate Privacy Office has partnered with Global Compliance Training, MediaPro and Corporate Privacy Group to form a cross-functional team to support the Privacy Training Curriculum.

The overall goal was to develop a program that not only raised awareness but began to foster certain behavior changes that signified a Privacy Aware Culture.
Multiple audiences and global reach were significant challenges encountered during this initiative. Learn how we approached these challenges and developed strategies to assure a successful implementation.

The goals of this session are to learn how to collaborate with multiple stakeholders to develop a Privacy Training Awareness Program, learn how to deploy a Global privacy initiative and implement its component parts, learn about strategies needed to address variable target throughout their employee base, has become a landmark offering from his company.


ADVANCED
Preparing for Privacy Audits – What You Need to Know
Charles Barley, CIPP, Senior Manager, Ernst & Young
Mary Ellen Callahan, CIPP, Partner, Hogan & Hartson LLP
Sheri Gates McGaughy, Senior Counsel, The Weather Channel
Jason Slibeck, Vice President of Operations, Verified Identity Pass
Recently, the actions taken by companies’ third party contractors and vendors have been scrutinized as if the vendor were acting on behalf of the client. Furthermore, under certain laws, companies have obligations with respect to their vendors’ and third party contractors’ use of personally identifiable information. How do companies oversee these contracts, what contractual rights and restrictions should be in the contracts, and how are they enforced?
With growing concern over the misuse of personal information, companies increasingly require third parties to provide assurances over their handling of proprietary and personal information. The highest level of that assurance is the privacy examination—commonly referred to as an audit—that is performed by an independent third party. The panel will present the key areas that companies who are facing an audit need to keep in mind in preparation for the audit. Among the topics to be covered are understanding audit criteria, use of SAS 70s, privacy controls, sampling considerations, testing of privacy controls, and the determination of control deficiency that can lead to “failing” the audit.


Thursday Afternoon, 4-5pm Breakout Sessions
(60 minute sessions)

GENERAL
Meet the Regulators – Health and Human Services
Susan McAndrew, DHHS/OCR
Kirk Nahra, CIPP, Partner, Wiley Rein & Fielding LLP (Moderator)
Jim Poolman, Commissioner, North Dakota Insurance Department

This series provides opportunities for those in the regulated community to meet with those setting the standards. Good compliance with the law is critical to doing business and gaining customer respect. Learn about new rules that affect your operations, how compliance is going, and why ensuring good compliance is in your best interest.


GENERAL
Federal Legislative Developments in the 110th Congress
Bob Belair, Partner, Oldaker, Biden & Belair
Stu Ingis Esq., Partner, Venable LLP
The Congress will tackle a myriad of privacy related legislation in the 110th Congress. Included will be proposals by certain legislators on "comprehensive" or "omnibus" privacy legislation. Additionally, issues carried over from the 109th Congress will receive significant attention including "pretexting" and CPNI, spyware, security breach notification, and data security. This presentation would discuss the specifics of these various proposals as well as evaluate their likelihood of passage. The panel would include the leading Congressional staff working on these issues in both the House and the Senate. The goal of the panel would be to educate the IAPP attendees on the prospects for new legal obligations that will impact the practices of their businesses and to hear firsthand from those most involved in the day-to-day deliberations on these issues. In addition to the subject listed, the discussion would also address "data retention."


GENERAL
Operationalizing Privacy: From Policy to PIAs
Toby M. Levin, CIPP/G, Senior Advisor, Privacy Office, U.S. Department of Homeland Security
Kenneth P. Mortensen, CIPP/G, Acting Chief of Staff, Privacy Office, U.S. Department of Homeland Security
Rebecca Richards, CIPP/G, Director, Privacy Compliance, Privacy Office, U.S. Department of Homeland Security
Peter E. Sand, CIPP/G, Director, Privacy Technology, Privacy Office, U.S. Department of Homeland Security
This panel looks to explore the compliance and operational frameworks required to integrate privacy protections into any organization. The panel would look at the concept of a system of records notice, not only in a federal government context, but also as a mechanism to understand how an organization is implementing the fair information principles. In addition, the panel would examine how to research, prepare, and write a Privacy Impact Assessment (PIA) and Privacy Threshold Analysis (PTA) in connection with a program or system. These discussions would be followed up with a discussion on how to apply these concepts to not only an operational environment, but also a research and development one.


ADVANCED
Remote Information Security: Protecting Data in the Hands of your Outsourcing Vendors, Agents or other Business Partners, and Scattered Field Personnel
Jessica Rich, Assistant Director – Division of Privacy and Identity Protection, Federal Trade Commission
Ed McNicholas, Partner, Sidley, Austin, Brown, & Wood LLP (Moderator)
Darla Nykamp, Global Privacy Lead, IBM Global Services
Companies frequently share data with "remote" parties such as vendors, franchisees, brokers, agents or other business partners, field employees, etc., in order to conduct business operations efficiently. Outsourcing business process applications and customer service to third party vendors, relying on agents to develop business or perform services, or deploying a widely dispersed and decentralized field staff are all examples of business relationships that demand special attention to "remote information security." In each of these cases, the company's own internal standards, procedures and technical measures will not suffice to protect data. In many contexts, federal or international regulatory -- and/or liability -- regimes require companies to impose certain information security standards on these remote entities and, in all cases, recognizing the special vulnerabilities of remote data is a sound business practice. This program will discuss both what is required and what is prudent with respect to promoting "remote information security." The goals of this session are: to address best practices and regulatory requirements regarding information security risks presented when a company's data is maintained outside of the safety of the company's own systems.


GENERAL
Privacy Challenges for the Next Decade, How Technology Trends Are Upending Existing Privacy Concepts
Peter Fleischer, Privacy Counsel - Europe, Google
Nicole Wong, Associate General Counsel – Products & IP, Google
The point would be to provide expert insights into future technology trends from Google's perspective, some examples of what we're doing about them, and some calls to action from the compliance and from the policy-making points of view. My view is that most privacy professionals do not understand how radically technology will change our common assumptions over the next decade, and this talk would try to provoke the community into facing these trends. I think I can also show people some "wow" moments in terms of imminent technology developments.


ADVANCED
Responsible Affiliate Marketing: How to Ensure Your Third-Parties are Meeting Privacy Obligations
Mary Ellen Callahan, CIPP, Partner, Hogan & Hartson LLP
Quinn Jalli, Esq. Privacy Officer and VP of ISP Relations, Datran Media
In recent news, marketers have seen the devastating effects of neglecting privacy obligations when leveraging affiliate channels. Oftentimes, trouble arises simply because affiliate marketers do not understand their responsibilities and how to enforce compliance through their chain of affiliates. Unfortunately, ignorance is not bliss, as breaches in consumer privacy from third parties can cause irreparable damage to the marketer’s brand and reputation.

This presentation will educate attendees on the common affiliate pitfalls and how to avoid them, best practices of successful affiliate marketers, and the tools and techniques needed to properly manage suppression lists, CAN-SPAM compliance, integration and more. Attendees will walk away with insight, helpful guidelines and a complete view of current compliance and privacy requirements of affiliate marketing.

In this session you will learn:
• To educate attendees on the best practices of affiliate marketing
• To highlight and explain how to avoid the common mistakes that can lead to privacy concerns
• To overview the current regulations, compliance standards and requirements of affiliate marketing
• To overview the tools and technologies available to help marketers ensure compliance through affiliate channels


GENERAL
Privacy/Security A Marriage Made in Heaven
Levena Bailey, Vice President - Operations Security, AOL
Mark Chamberlain, Systems Officer, Information Security, Nationwide Financial
Danny Grider, Director Information Security, Walmart
Kirk Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Assistant General Counsel, Nationwide
Jules Polonetsky, CIPP, Chief Privacy Officer & Senior Vice President Consumer Advocacy, AOL
Richard Purcell, CIPP, Chief Executive Officer, Corporate Privacy Group
Zoe Strickland, CIPP/G, Vice President, Chief Privacy Officer, Walmart
Can CPOs & CSOs live happily ever after? Or will this be a case of 'til death do you part? We'll explore how privacy and security share their dreams, hopes, and ambitions - or not - in our version of the "Newlywed Game" featuring privacy and security officers from retail, finance, and Internet companies. They will be tested on the major privacy/security issues of the day and we will all see if they need marriage counseling. The panel will conclude with each team discussing their hot button issues, as well as their greatest areas of synergy and differences.


Friday, 11:00am – 12:00pm Sessions
(60 minute sessions)

GENERAL
Getting Your House in Order: Strategic Spring Cleaning on Global Privacy Issues
Ruth Hill Bro, Partner, Baker & McKenzie LLP
Brian Hengesbaugh, Partner, Baker & McKenzie LLP
Theo Ling, Partner, Baker & McKenzie LLP

Companies exchanging personal data across borders, whether of employees, suppliers, or customers, must often implement strict protection measures that comply with multiple countries' laws. The result can be a real mess, with inconsistent solutions that don't provide much coverage. Baker & McKenzie attorneys will provide insights on where to begin, what to watch out for, and how to strategically put your company's global "privacy house" in order.

ADVANCED
Information Sharing
Jane Horvath, Chief Privacy and Civil Liberties Officer, United States Department of Justice
Alexander Joel, CIPP/G, Civil Liberties Protection Officer, Directorate of National Intelligence
This session will cover two distinct areas: the President’s Information Sharing Environment and the sharing of information between foreign countries. The privacy impact of information sharing has been getting increasing attention from civil liberties and privacy advocates recently. This discussion will demonstrate the steps that the public sector has taken to protect privacy and civil liberties while increasing information sharing. The goals of this session are to alleviate misperceptions about information sharing and to educate the audience about how the Government is protecting privacy and civil liberties while sharing more information between agencies.


ADVANCED
2010: A Privacy Odyssey?
Fred Cate, Distinguished Professor and Director, Indiana University
Malcolm Crompton, Managing Director, Information Integrity Solutions Pty Ltd
Richard Thomas, UK Commissioner
Privacy law everywhere is unstable. The communiqué at the conclusion of the 28th International Data Protection Conference is a confirmation that new approaches and new or revised laws are required. Data transfers will be a centerpiece of change. Richard Thomas, UK Commissioner, and Malcolm Crompton will join Fred Cate in a discussion of Privacy 2010.

GENERAL
(ISC)2 Presents: Security, Privacy and the Incident Lifecycle
Rich Baich, Principal – Security and Privacy Practice, Deloitte & Touche LLP
Tom Kellerman, Director of Security Awareness, Core Security
The increase in reported security incidents has exerted new pressures on both security and privacy professionals. Expert evaluation and forensic analysis are essential to ascertaining the facts around a security incident. Just as important is an understanding of the relevant state and federal regulatory requirements around notification and compliance. This session will explore the need for increased coordination between an organization’s security and privacy teams from incident detection and analysis through system monitoring and auditing, compliance and awareness. It is offered in alliance with the IAPP by the International Information Systems Security Certification Consortium / (ISC)2, the world’s leading certifying body in information security.


GENERAL
Embedding Privacy Initiatives: Making the Most of Your Privacy Dollars
Lynn Bunn, Privacy Team Lead, Booz Allen Hamilton
The rapid changes in the privacy landscape, both from increased awareness and new federal regulations, are forcing agencies to make difficult decisions on how to spend their privacy dollars. As more privacy breaches are revealed daily, organizations are quickly learning the extremely high costs, both monetarily and psychologically, of not taking privacy seriously. However, the rush to implement new privacy initiatives as quickly as possible can lead to the inefficient use of limited agency resources without significantly decreasing vulnerabilities. As a result, it is essential that federal agencies understand the most cost-effective and efficient means of achieving their privacy compliance goals.

This session will identify ways to leverage existing information technology resources and policy structures that are key to achieving the greatest privacy compliance returns on investment. The discussion will include how many mandatory information security processes can be effectively co-opted to substantially enhance an agency’s privacy posture without busting the IT budget. Examples include incorporating privacy modules into security training, integrating Privacy Impact Assessments into the Certification and Accreditation process, joint capital planning, and combining privacy and security controls. The ways in which agencies can employ these existing resources to their maximum potential for strengthening privacy protection throughout the organization will also be discussed.

Goals of the Session:
• Educate attendees on strategies for embedding privacy controls and compliance initiatives, and the benefits of integration in making the most of your privacy dollars
• Highlight specific case studies applied in government settings
• Provide a methodology for applying privacy integration with a security initiative mandate and the ROI associated with that strategy


GENERAL
New Media Channels and Privacy Implications
Mike Hintze, Senior Attorney, Microsoft
Tim Jucovy, Associate – Privacy & Data Security, Covington & Burling LLP
Steve Weiswasser, Partner, Covington & Burling LLP
Kurt Wimmer, Senior Vice President & General Counsel, Gannett Co., Inc.
This session explores the relationship between privacy and the rapidly evolving media. The conversation begins with an overview of privacy in the traditional media (e.g., broadcast and print), including hidden cameras and microphones, electronic and telephone communications and the role of consent, and then discusses how these principles have been and could be applied to new media.

IAPP, 266 York Street, York, Maine 03909, Phone: 207-351-1500, Fax: 207-351-1501, information@privacyassociation.org