Cybersecurity Law: Risk, Resiliency and Compliance

Helena Engfeldt, CIPP/US, Partner, Baker McKenzie
Benjamin Meyer, Supervisory Special Agent, San Diego Field Office, Federal Bureau of Investigation
Ian Richardson, Partner, Paul Weiss
Stacey Schesser, CIPP/US, CIPM, Supervising Deputy Attorney General, California Department of Justice
Cobun Zweifel-Keegan, CIPP/US, CIPM, Managing Director, D.C., IAPP

Cybersecurity obligations for both data custodians and infrastructure operators are changing rapidly. So is the threat environment, as attackers continue to innovate. This workshop, presented by the IAPP Cybersecurity Law Center, will offer lawyers and non-lawyers critical updates on the rising tide of cybersecurity obligations. It will focus on three areas of ongoing change under U.S. law: ransomware response, where cooperation with law enforcement and collaboration among internal teams and external resources is critical; lessons learned from the first six months under the new Department of Justice rule on transactions involving bulk sensitive U.S. personal data and U.S. government-related data; and state enforcement of cybersecurity requirements, including the newly cybersecurity audit rule adopted by the California Privacy Protection Agency.

What you will learn:

• Trends in cybersecurity enforcement at the federal and state level.
• Practical advice on incident response, including ransomware payment.
• Contracting strategies for compliance with the DOJ sensitive data rule.

13:30-14:30
FBI Cyber Criminal Threat Landscape
Benjamin Meyer, Supervisory Special Agent, San Diego Field Office, Federal Bureau of Investigation

Malicious ransomware actors continue to innovate, so senior leadership of victimized entities, their attorneys, and their data governance teams need to innovate their responses as well. This session will offer the latest insights in incident reporting and notification (to the SEC, regulators, and data subjects), cooperation with law enforcement, forensic and recovery strategies that anticipate likely litigation, and the crucial question of whether to pay or not pay.

14:30-15:00
The DOJ's Sensitive Data Rule: Part I
Ian Richardson, Partner, Paul Weiss

On July 8, the U.S. Department of Justice began enforcement of key provisions of its rule regulating international flows of bulk sensitive U.S. personal data and U.S. government-related data. The remaining provisions of the rule take effect on Oct. 6. This session will review compliance strategies and offer lessons from the early months of the rule's implementation, including insights on structuring investment, employment, and investment relationships that might fall under the rule.

15:00-15:30
Networking break

15:30-16:00
The DOJ’s Sensitive Data Rule: Part II
Ian Richardson, Partner, Paul Weiss
Cobun Zweifel-Keegan, CIPP/US, CIPM, Managing Director, D.C., IAPP

16:00-17:00
California Developments: AG Enforcement and the California Cybersecurity Audit Rule
Kristen Anderson, Attorney, California Privacy Protection Agency
Helena Engfeldt, CIPP/US, Partner, Baker McKenzie
Stacey Schesser, CIPP/US, CIPM, Supervising Deputy Attorney General, California Department of Justice

State attorneys general continue to serve as major data security enforcers. This session will review the latest enforcement trends, as seen through the eyes of the California attorney general's office. In addition, the California Privacy Protection Agency is expected to adopt the first-in-the-country state-level rule requiring businesses to conduct annual cybersecurity audits. While the rule does not become effective for several years, the time to start planning is now. This session will introduce the rule's requirements and discuss how to leverage existing risk assessments to comply.