Agenda


7:00 – 8:20         Breakfast and Check-in

8:20 – 8:30         Welcome Remarks

8:30 – 9:30         Counseling a Corporation After a Data Security Incident

Workflow.  Data breach response workflow and coordination require careful navigation because, among other things, the legal, public communications, and compliance ramifications of any failure can be devastating and value destructive for both public and private companies. It can also cost corporate executives their jobs. This panel will explore how, just like any other independent and thorough investigation, the work relating to a cyber-attack involves a team of lawyers with different skill sets and expertise (e.g., regulatory, e-discovery, data breach response, privacy, litigation, law enforcement liaison, and public communications). The panel will focus especially on the critical coordination role played by the legal function, the regulatory response aspects of incident response (IR), and the national security implications that lurk in the background of just about every corporate decision.

Legal Issues of Digital Forensics.  Cyber attackers have become increasingly innovative in their techniques and execution. This panel covers the latest methods and practices of cyber-attackers, which are critical for legal and compliance practitioners to understand. For instance, during the aftermath of a data breach, an expert forensic team will typically present its findings to the legal team leading the incident response. The legal team will then determine the nature and substance of any contractual, statutory (federal and state) or other requirements triggered by the attack. Without understanding the nature of the latest attacks and threats, a legal or compliance team can stumble (badly) in this critical responsibility and cannot effectively carry out one of the most critical aspects of data breach response: remediation.

Industry Particularities.  This panel will also explain the different dynamics of data security involving: 1) financial firms (where there exist unique issues pertaining to the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority and various law enforcement agencies); 2) retail firms (where PCI-DSS compliance is triggered, and the unique investigative and remedial workflow involving the PCI-DSS can be extremely costly, cumbersome and disruptive); and 3) health care organizations (where the confidentiality and sensitivity of personal health information (PHI) has evolved into a highly regulated and increasingly important area of government concern, especially relating to the Federal Health Information Technology for Economic and Clinical Health (HITECH) Act and the privacy protections afforded under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)).

9:30 – 9:45  Break

9:45 – 10:45     Counseling a Corporation Before the Inevitable Data Security Incident

Although data breaches are inevitable, companies should still take important and thoughtful preemptive measures to meet their compliance obligations and to help prepare themselves to respond. This panel will focus on preemptive steps that legal and compliance professionals should implement today, not only to ensure adequate preparation for the latest types of data breaches, but also to assure adequate compliance amid increasing regulatory scrutiny. Topics will include:

Incident Response Planning. Privacy laws begin not with the federal government but with the states: There is no one unifying privacy-based federal statutory regime. Privacy laws vary by jurisdiction, are interpreted unpredictably and are in a constant state of flux. Some are based broadly, while others cover specific elements of industry sectors, such as medical records, financial transactions, credit cards, debt collectors, insurers or even library records. As the regulatory protections afforded to so-called personally identifying information (PII) continue to expand, so do the risks in acquiring, storing and transmitting such information. What are best practices?

C-Suite and Board Responsibilities. What cyber-related actions should corporate boards be undertaking and, more importantly, what should corporate secretaries, general counsels, outside lawyers and other corporate advisors be telling their corporate board clients regarding cyber? This panel will cover a realistic, concrete, pragmatic, detailed, sensible and effective vision for corporate board behavior, designed to tackle head-on the mounting and potentially devastating risks that flow from cyber-attacks and other data security incidents. The panelists will also address issues including how cybersecurity risk has clearly elevated itself to the top of corporate agendas; the implications of the SEC’s 2018 Statement on Cybersecurity Interpretive Guidance as it relates to the duties and responsibilities of corporate boards and corporate officers; why corporate directors must now consider themselves “on notice” when it comes to cybersecurity; and why corporate boards must now take tangible steps to translate their high-level concerns around cybersecurity risks into specific behaviors and precise actions that are identifiable, capable of being readily implemented and heavily documented.

Cyber-Insurance. Companies have begun taking into account cybersecurity concerns when considering overall enterprise risk management and insurance risk transfer mechanisms, just as they do with other hazards of doing business. Clearly, cyber insurance will eventually become yet another basic element of a company’s insurance coverage, just like property insurance and health insurance. Many companies might even find their customers demanding that the company carry cyber insurance as a matter of good business practice.


10:45 – 11:00  Break

11:00 – 12:00   National Security, International Compliance and Data Breach Response

This panel focuses on the international threat of cyber-attacks and the international aspects of data security. For legal and compliance professionals, understanding the international dynamic of cyber-threats is critical to adequately represent the interest of corporate clients – especially in the context of regulatory compliance and privacy protections.

When a data security incident occurs, the ramifications are rarely confined by physical borders. Cyber concerns for Incident Response teams typically cross borders and are global in nature – mandating additional attention, expertise and oversight.

Along those lines, this panel also covers the emerging challenges of the General Data Protection Regulation (GDPR), a regulation in European Union (EU) law on data protection and privacy for all individuals within the European Union and the European Economic Area (EEA). The GDPR standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII).  It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive, and went into force on May 25, 2018. This panel will focus on the many essential items in the regulation, including increased fines, breach notifications, opt-in consent and responsibility for data transfer outside the EU. As a result, the impact to businesses is tremendous and will permanently change the way customer data is collected, stored, and used.

Details

When: Wednesday, Feb. 6, 2019
7:00 am - 8:20 am (breakfast & registration)
8:30 am - 12:00 pm (panel discussions)
Where: Waldorf Astoria Beverly Hills
9850 Wilshire Blvd
Beverly Hills, California, 90210
CLE Credit: 3 hours (pending in CA)
Presented by: Cybersecurity Docket 

CLE Info and Forms

CLE forms available here.

Materials

Links to materials available here.

Corporate Sponsors

Kroll

Ankura

Crypsis

JRS

Law Firm Sponsors

Debevoise

Lewis Brisbois

MWE

Munger Tolles

Orrick

WSG&R