Should the U.S. implement a national policy… or should regulations be left solely to 50 states? How will each impact our success on the national and international business/trading spectrum? Will our treatment of data be in accordance with EU and other trading partners' laws? With leaders in this space who are close to the issues, we explore how this may unfold.
Association for Data and Cyber Governance
This episode features risk management leader Tracey Swift, Editor-in-Chief of a new publication, HigherEdRisk. Previously, Tracey was Executive Director of Risk Management at Arizona State University, where she led the university's risk management and insurance functions. In this episode we explore the differences between academia and corporations in managing privacy, cybersecurity, and AI risks, the role of the board of trustees and university leadership, and the challenges associated with open networks, collaborative research, shadow IT, and resource pressures. AI has opened up new opportunities and challenges and academia has been one of the first to feel its impact, making higher education more advanced in AI governance than many private sector organizations. Tracey shares her thoughts on the role of insurance in higher ed risk management and the importance of cross-organizational teams in addressing privacy, cybersecurity, and AI risk management.
In this episode of the ADCG Privacy & Cybersecurity Podcast, host Jody Westby is joined by former Magistrate Judge Ronald J. Hedges, a legal thought leader in the areas of electronic discovery and artificial intelligence and the law. Jody and Ron discuss how AI is driving legislative and regulatory action, including action within the judiciary and ethics rules and guidance from bar associations. In addition to discussing issues with admissibility and discovery of evidence, Ron discusses how the work of three bar associations regarding the use of AI in the legal profession could be a model for professionals in other industry sectors. Ron is a member of the New York and New Jersey state bar associations' AI Task Forces, and is Chair of the Court Technology Committee of the ABA Judicial Division. He is principal at Ronald J. Hedges LLC.
In this episode of ADCG's Privacy and Cybersecurity Podcast, Jody Westby interviews Jean Camp, Director of the Center for Security and Privacy in Informatics, Computing, and Engineering and Professor of Informatics at University of Indiana. Prof. Camp is a renowned thought leader in privacy and cybersecurity and has conducted meaningful research on issues related to SBOMs and how they could be more effective. In this podcast, we explore the role of SBOMs in cybersecurity, what limits their effectiveness, and the Federal Government's role in advancing the use of SBOMs, developing tools to ease the use of SBOMs, and international efforts to create a harmonized approach to the development and use of SBOMs. Links to some of Prof. Camp's work in this area are available on the ADCG website.
This week the ADCG Privacy & Cybersecurity Podcast is pleased to have Shoshana Rosenberg, CEO and Founder of SafePorter and one of the most respected names in the field of privacy and a thought leader at the intersection of privacy and Diversity, Equity & Inclusion ("DEI"). We discuss her groundbreaking work analyzing how principles governing privacy and DEI can influence the development and use of AI technologies, including how privacy and bias concerns shape the conversation around AI, how the evolving landscape of AI is challenging our traditional understanding of privacy and inclusion, and how advancements in AI both challenge and embrace our ability to uphold DEI principles…and more!
This week's episode of ADCG's Privacy & Cybersecurity Podcast features a discussion with Jeff Jockisch about his new company, Avantis Privacy, which specializes in data deletion services. Jeff is a renowned privacy researcher, the CEO of PrivacyPlan and CPO of Avantis Privacy. In this episode, we discuss the daunting prospect of managing one's personal data, data brokers and what they do, and the process of requesting personal data be deleted. Jeff discusses the approach taken by Avantis Privacy and offers thoughts on anonymization and what is driving this type of service.
This episode features Donata Stroink-Skillrud, Co-Founder and President of Termageddon, a software service that specializes in the identification of privacy laws applicable to an organization and the development of privacy policies, terms of service, and end user license agreements for that organization. Donata is an attorney who also represents the American Bar Association's Section of Science and Technology Law on the ABA President's Cybersecurity Legal Task Force (CLTF). In this episode, we discuss the CLTF, its purpose, topics and issue areas it addresses, and the cybersecurity resources the CLTF has created for attorneys and law firms (which are free and applicable to many other organizations). We also discuss recent Resolutions that CLTF has put forward for adoption by the ABA, including its AI Resolution. Links to CLTF resources are provided on the ADCG website for this episode.
This episode features Dr. Peter Trim, a Reader in Marketing and Security Management at the University of London's Birkbeck Business School. Dr. Trim has published a dozen books, and his most recent (2023) focuses on Strategic Cyber Security Risk Management. Cybersecurity best practices began in the UK with British Standard 7799, which morphed into ISO 27001/002. Dr. Trim discusses the necessity for a collective approach in cybersecurity and the need to maintain an international perspective. His work endeavors to link cyber risk management theory with practical application through use cases and simulation exercises. We explore the need for improved private sector interaction with academia and the need to integrate cybersecurity risk management content in interdisciplinary curricula.
In this episode of ADCG on Privacy & Security podcast, host Jody Westby is joined by Sabrina Gross, regional director of strategic partners at Veridas. Sabrina has worked globally and spent 15 years working with law enforcement agencies in Europe, the Middle East, and Africa. At Veridas, Sabrina focuses on cutting-edge technologies that are used for authentication and to prevent identity fraud. We discuss the importance of having a choice of authentication options, limitations of various devices, the pros and cons of facial recognition, fingerprints, and voice as authentication methods, what companies should look for in a biometrics provider, security factors, customer preferences, and more. We drill down into the role of state privacy laws and the circumstances under which a business should consider multiple, layered verification methods.
This episode of the ADCG Privacy and Cybersecurity Podcast features Ken Westin, Field CISO for Panther Labs. Ken has been in the cybersecurity field for over 15 years, working with companies to improve their security posture through threat hunting, insider threat programs, and vulnerability research. We discuss how the lack of good application and data inventories impact incident response. When data is spread across data centers, clouds, and SaaS providers, it becomes difficult to track and trace an incident and understand its impact, but it becomes especially hard if the data involves confidential or proprietary business data that is not tracked by privacy officers or if it includes sensitive data that may involve regulators. The recent MOVEit breach, which involved software used to transfer sensitive data between servers, systems, and applications, provided rich lessons in the need for data asset inventories and SIEMs that can correlate data across providers and platforms.
This episode features Scott Giordano, former vice president and general counsel for Spirion who has more than 25 years of legal, technology, and risk management expertise and was one of the first attorneys to jump into artificial intelligence. We will discuss the implications of AI for privacy and information security, current US state laws, the EU AI Act, and what companies can do to prepare for “AI everywhere.” Scott also discusses the recent “Career Essentials in Generative AI” course he took, which is offered by Microsoft and LinkedIn.
In this episode, Jody Westby interviews Gerry Stegmaier, a partner in ReedSmith's Tech & Data Group. Gerry focuses on digital issues, corporate governance, incident response, privacy, and cybersecurity matters, plus other areas. We discuss the new SEC Cybersecurity Risk Management Rule for public companies, how it differs from the proposed rule, key requirements and compliance deadlines, and the practical impact on cyber incident disclosures, identifying and disclosing material cyber risks, and how boards and C-suites will approach cyber governance.
This week's podcast episode features Steve Britt, Counsel at Parker Poe and privacy expert to discuss the five state privacy laws that went into effect in 2023 and the TEN that have been enacted in 2023, how they vary, what they have in common, and this new “trend” to protect consumer health data (not HIPAA data). Steve also discusses the new requirement for Data Protection Assessments, expanded protections for children's data, and regulatory risk factors and triggers. He ends with key takeaways and has provided a slide deck for listeners to download and follow along as they listen to the podcast (see adcg.org/podcast for supplemental materials on this episode).
This episode features Peter Halprin, a partner in the New York City office of Pasich LLP in New York, representing commercial policyholders in complex insurance coverage matters, including cyber. We discuss the price increases in coverage and the scrutiny given claims under property and casualty, cyber, and corporate general liability policies, the risks in the application process, new technology risks associated with biometrics and AI, cyberwar exclusions, and possible changes to policy language to help manage claim risks to carriers.
This podcast episode features Mark Rasch, a renowned privacy and cybersecurity attorney, to discuss the SEC's investigation into the SolarWinds incident and the “Wells notices” it sent to the company's CISO and CFO. The Wells notices indicate the SEC is conducting a civil investigation of those individuals and they may be facing enforcement actions. The news sent tremors through the CISO community and brought back thoughts of Joe Sullivan's criminal prosecution — and conviction — for the way he handled a breach while CISO at Uber. The SEC's action is civil, but it targets certain individuals. We discuss what this means for CISOs, what they can do to protect themselves, and generally how the implementation of cyber governance programs can help protect CISOs by making cyber risk management a responsibility of all officers and directors.
In this episode we discuss privacy rights with Tom Kemp, a Silicon Valley-based author, entrepreneur, investor, and policy advisor who helped get the CPRA adopted and is author of the California Delete Act of 2023. His forthcoming book, Containing Big Tech: How to Protect our Civil Rights, Economy, and Democracy, published by Fast Company Press, focuses on the use of AI with personal data and the concentrated power of large Big Tech companies and how this paradigm impacts our personal privacy and lives. As an angel investor, Tom also discusses the types of privacy and cybersecurity companies that he is attracted to and the need for more technical solutions that can help manage privacy compliance. His book is available for pre-order at https://www.amazon.com/Containing-Big-Tech-Protect-Democracy/dp/1639080619
This week our guest is Sam DeNormandie, Senior Account Director with Silver Sky Security, a Managed Detection and Response (MDR) firm primarily servicing the small and mid-sized business (SMB) market. Sam is a seasoned cybersecurity expert with experience at Cylance, Blackberry, and Cyvatar and understands the security needs of the small to mid-sized business. This episode discusses the challenges faced by SMBs, in part due to the difficulty they have in hiring the people they need and managing the vulnerabilities they face. The MDR industry is growing at CAGR 18.1% and is expected to be $22B by 2030. What does that growth mean for MSSPs? Join us for this episode and learn how companies are struggling to keep pace with the threat environment and how MDRs are filling a void.
This week our guest is Susan Israel, principal of Susan Israel Law, and one of the most respected privacy professionals in the field. Susan has a pre-law background in broadcast news and publishing and has become one of the foremost experts on privacy compliance in the field of advertising technology. We discuss key aspects of AdTech compliance, such as cookies, location data, and IP addresses, the issues associated with them, and trends in legal frameworks and regulatory approaches. Susan also delves into industry groups playing a large role in AdTech and US and EU government perspectives.
This week's podcast guest is Chris Jay Hoofnagle, professor of law in residence at the University of California, Berkeley and affiliated faculty with the Simons Institute for the Theory of Computing. We discuss Chris and Simson Garfinkel's new book, Law and Policy for the Quantum Age, what quantum technologies are, the consequential implications of quantum technologies, actions within the White House and Congress supporting quantum R&D, and geopolitical issues in the race to develop quantum technologies.
This episode features Berit Anderson, COO of Future in Review and Strategic News Service, and Evan Anderson, CEO of INVNT/IP. Both Berit and Evan are geopolitical analysts, tech thought leaders, and media executives. We discuss the issue of whether TikTok will be banned in the U.S. and examine the data that could be collected, how it can be a rich source for open intelligence, and how it could be used for election interference. Strategic News Service coined the term CRINK — China, Russia, Iran, and North Korea, and Berit and Evan discuss the geopolitical aspects of TikTok (including CRINK) and how it could be a threat to national security and cybersecurity.
This week our guest is Heather West, Silicon Valley rock star and Senior Director of Cybersecurity Services at Venable LLP. We explore artificial intelligence (AI) and chatbots, such as ChatGPT, and discuss what these technologies can do, who will be early adopters and beneficiaries of AI, whether articles or answers generated by AI can be trusted, and look at some of the privacy and security risks associated with AI. Heather is a policy and tech translator, product consultant, and long-term Internet strategist working at the intersection of emerging technologies, culture, governments, and policy. Prior to joining Venable, Heather had stints at Meta and Mozilla.
Lauren Wallace, Chief Privacy Officer and General Counsel for RadarFirst, a leading tool for cyber incident management, joins our host, Jody Westby, on episode 86 of ADCG on Privacy & Cybersecurity. Building off our last podcast with Violet Sullivan, we discuss how privacy and cybersecurity incidents are converging and the difficulty large companies are having in managing the vast array of data involved in incident response, especially as it relates to U.S. and global privacy and cybersecurity compliance requirements. We also delve into the complexity of notification requirements, involving law enforcement, consumer protection agencies, attorneys general, regulators, and victims and how incident response tools can help manage the notification process and decrease notification. Lauren Wallace is a digital privacy subject matter expert, working at the intersection of technology and data subject rights. A senior privacy and technology counsel, Lauren has significant real-world experience in enterprise technology transactions, data protection, partnerships, and product.
This week we are joined by Violet Sullivan, Vice President of Client Engagement for Redpoint Cybersecurity, and incident response expert. Violet discusses how incident response has changed over the past five years, how ransomware has changed IR plans and how companies respond to attacks, and how cyber insurance has pushed revisions to incident response. We also discuss the role incident response plays in litigation management, and what companies can do to improve their response and reduce risk.
In this episode, Mark Graham, Director of the Wayback Machine of the Internet Archive, discusses his work backing up the Internet, TV, radio, chats, etc. around the globe, and the role it plays in preserving not only data, but cultures of countries. Mark describes the value of having content preserved and accessible from a source where governments can't take it down and discusses the Internet Archive's project in backing up and scanning data important to Ukraine's culture, which is getting destroyed in the Russia-Ukraine conflict. Archive.org and the Wayback Machine are live and freely accessible to research, journalism, academia, businesses, and ordinary people. Additional Resources: • https://archive.org/web/ • https://www.theguardian.com/books/2022/dec/04/our-mission-is-crucial-meet-the-warrior-librarians-of-ukraine • https://www.washingtonpost.com/politics/2022/09/29/russia-nord-stream-tucker-carlson-fox-news/ • http://blog.archive.org/2019/10/29/weaving-books-into-the-web-starting-with-wikipedia/ • https://www.youtube.com/watch?v=BWfqV_adW54&t=19842s
In this episode, we are joined by Matthew Esworthy, partner at Bowie-Jensen LLP, to discuss geofence warrants and their use by law enforcement in investigating the January 6 insurrection. Geofence warrants involve court issued warrants for geolocation data from Google. These warrants were sealed and have only recently come to light through motions to suppress the evidence obtained from the geofence warrants. We explore Google's process for responding to the 10,000 warrants it receives annually and the constitutional and legal issues swirling around them.
This week we are joined by Ron Raether, co-lead of the Privacy + Cyber team at Troutman Pepper, and explore aspects of the recent criminal conviction of Uber's former CISO and fallout from Twitter's former CISO turning whistleblower. The “culture of fear” that has developed in CISO offices nationwide has dramatically increased risk for companies that have such a culture. Ron Raether discusses how organizations can better support their CISOs and how the general counsel and outside counsel can help influence change in organizations for better governance and cyber risk management. We also explore how CISOs can gain more C-suite visibility and board access.
This week we are joined by Rachel Briggs and Richard Brinson from Savanti, a UK-based cybersecurity consulting entity. Richard Brinson is CEO of Savanti and has been CISO at several large corporations, including Unilever and Sainsbury's. He was named one of the top CISOs in the world and has over 20 years of experience in the field. Rachel Briggs is an Executive Adviser to Savanti and a leading expert on security and regularly advises large multinationals and governments. She is an Associate Fellow at Chatham House and was awarded the OBE in 2014. Richard and Rachel have just authored The Future of Cyber Security Leadership Series and their first publication is “Cyber Security Leadership is Broken: Here's how to fix it.”
In this episode, two incredible guests discuss Cyber Command, its role and jurisdiction, and what it can do in cyber conflict situations and how it may help the private sector when under nation state attacks. Gary Corn is director of the Technology, Law & Security Program at American University's Washington College of Law and former career military with his last position as the Staff Judge Advocate (General Counsel) to U.S. Cyber Command. Jamil N. Jaffer is the Founder and Executive Director of the National Security Institute, and an Assistant Professor of Law and Director of the National Security Law & Policy Program and the nation's first Cyber, Intelligence, and National Security LLM at the Antonin Scalia Law School at George Mason University. Jamil is also affiliated with Stanford University's Center for International Security and Cooperation and served on the leadership teams of the Senate Foreign Relations Committee as Chief Counsel and Senior Advisor and as Senior Counsel to the House Permanent Select Committee on Intelligence.
This week we are joined by Carlos Solari, ADCG Advisory Board Member and VP of Product for SecureG, Inc., a company developing universal security technologies for 5G, industrial IoT and other critical infrastructure. We discuss 5G availability, how an orchestrated 5G attack could occur, how to rethink the security problem with 5G, and how 5G is connected to national security.
This episode features Cory Simpson, Founder & CEO of Gray Space Strategies Inc., who discusses the relationship between privacy, cybersecurity, and national security. He draws upon his experience as Senior Director and lead for the U.S. Cyberspace Solarium Commission and discusses whether the U.S. Government and private sector are prepared for conflict involving critical infrastructure. Cory also describes how national security has evolved over the past several decades and looks at how some privacy protections in the American Data Privacy & Protection Act may be important national security considerations.
This episode features Andrew Grosso, a former Assistant U.S. Attorney and tech lawyer whose practice focuses on whistleblower complaints. We take a look at the legal framework for whistleblowers and protections afforded them and then delve into the Twitter whistleblower case in which their former CISO handed over evidence to the DOJ, FTC, and SEC detailing gaps in Twitter's cybersecurity practices. We discuss whether we are on the edge of a new trend...tech whistleblowers who will expose privacy and cybersecurity gaps within the companies they work for.
In this episode we interview David Navetta, vice chair of Cooley LLP's cyber/data/privacy practice and a prominent leader in privacy, information security and technology law. We discuss the differences between cybersecurity governance and privacy governance, what are the critical activities in privacy governance, what actions are the hardest for organizations to implement, and how privacy governance will evolve in the future. David is a frontrunner in privacy and security and shares his decades of experience and insights into what lies ahead in these fields.
This week our guest is Peter Halprin, a partner in Pasich LLP's New York office. Peter has helped clients pursue insurance coverage for a wide range of cyber incidents. We discuss the lack of standardized applications, premium hikes no matter how good your cybersecurity program is, nation state-sponsored cyber attacks and the war exclusion clause, and regulators running rampant. Learn insights from a master in the field!
In this podcast episode, host Jody Westby discusses the impact that privacy, cybersecurity, and governance issues are having on businesses with ADCG's new leaders, Patrick J. Kennedy, Jr. and Dub Sutherland of Kennedy Sutherland LLP. We discuss proposed federal of these issues are also covered. Patrick Kennedy and Dub Sutherland are lawyers with an entrepreneurial perspective who take a macro level view of the business challenges associated with current privacy laws, a looming cyber threat environment, and a lack of cyber governance by many boards and C-suites.
This week our guest is Keith Cheresko, Principal of Privacy Associates International LLC and former general counsel of the Ponemon Institute, a privacy research organization, to discuss the increasing tangle of contractual compliance obligations in privacy laws. From mandated contractual obligations to standard contract clauses for forward transfers, companies are finding it increasingly difficult to manage — and meet — contractual obligations associated with privacy laws and regulations.
This week we are honored to have Rob Shavell, CEO and Co-Founder of DeleteMe, join us to discuss the threat of publicly available PII to individuals and companies, the types of threats they are encountering, the need for companies to protect executives and employees, and how individuals and organizations can address these issues, using both technological and legal/policy approaches. Rob is a privacy expert who has been quoted in The Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).
This week we have Violet Sullivan, Vice President of Client Development for Redpoint Cybersecurity, as our guest to discuss incident response, gaps that are costly, using external resources, bottlenecks that can take time, interacting with vendors, and successful approaches to tabletops. Violet also serves as a professor of Cybersecurity & Privacy Law for Baylor Law School's LLM program where she focuses on litigation management. On the podcast, she offers tips on incident response that can help organizations manage future litigation related to the incident.
This week we are joined by Leslie Lamb, Director of Global Risk Management for Flex, Inc. and former Head of Global Risk & Resiliency Management for Cisco. We discuss the current cyber insurance market, getting boards and C-suites engaged, working across the organization and with CISOs and CPOs, and developing a cyber resiliency plan.
This week we are joined by Mark Rasch, Adjunct Professor at George Washington University Law School and former DOJ prosecutor of cybercrimes, to discuss the DOJ's recent change to its policy for charging good faith security research cases under the Computer Fraud and Abuse Act. We explore the types of actions that fall within the new policy and those that do not and linkages to the Register of Copyrights definition of “good faith research.” In addition, the episode weaves in a discussion of the recent Ninth Circuit opinion in HiQ v. LinkedIn and Supreme Court decision in Van Buren v. U.S.
This week we are joined by Jeff Jockisch, Data Privacy Researcher and founder of PrivacyPlan. We discuss the Data Collaboration Alliance, the concept of “zero copy integration,” data ownership, and the "Privacy Brain” that Jeff and others have under development. We also weave in a discussion of the recent Ninth Circuit opinion in HiQ v. LinkedIn and the impact that case could have on privacy and copying of data.
This week, we're joined by Michael Robinson, Chairman & CEO of The Montgomery Strategies Group. We explore the new SEC cybersecurity requirements from the communications, brand, and regulatory management perspective and more.
This week, we're joined by Anthony Matyjaszewski, Vice President and Chief Compliance Officer of the Network Advertising Initiative. We explore the world of digital advertising, the impact of ad tech, how state privacy laws are impacting the use of digital data for advertising, and how the industry is adapting to advertising changes from companies like Apple and Google. And more….
This week, we're joined by Steven Francesco, Chairman and CEO of Cohere Cyber Secure, a managed service provider (MSP), managed security service provider (MSSP), and consultant to the small and mid-sized business market. We explore the IT and cybersecurity needs of mid-sized businesses, what motivates them, and how they manage privacy and cybersecurity compliance requirements. We also explore whether mid-sized companies leverage vendors better than big business.
This week, we are joined by three cybercrime experts, John Bandler, Scott Giordano, and John Bates, to discuss how the FBI is obtaining court orders to enter companies' computers and seize harmful malware — and take other actions — in a new approach to countering cybercrime. The FBI's Cyber Division coordinated with the UK and private companies to disrupt a two-tiered global botnet of infected devices controlled by a cybercriminal aligned with the Russian Intelligence Unit GRU. This episode's guests are: John Bandler, Founder, Bandler Law Firm PLLC; John G. Bates, Manager, Ernst & Young LLP, Cybersecurity; Scott M. Giordano, V.P., Corporate Privacy, and General Counsel
This week, we're joined by Jamey Cummings, a partner at JM Search and a member of the Firm's Cybersecurity and IT Executives Practice. Jamey will discuss the hunt for cybersecurity personnel, and give us his inside view of the cybersecurity job market, what companies need, and how new laws and regulations and global events are impacting the cybersecurity search market. JM Search is the premier retained executive search firm for private equity firms, venture capital firms, portfolio companies, and the Fortune 1000.
Welcome Back! In our podcast episode today, we will discuss the new SEC proposed cybersecurity rules for registered advisers and funds, potential issues with the proposed rules and anticipated benefits. Our guest will be Frank Jones from Ariel Investments. Frank Jones is Vice President, Infrastructure and Information Security Officer for Ariel Investments. He leverages his experience in establishing cybersecurity programs and meeting financial industry compliance requirements in discussing the proposed SEC cybersecurity rules.
Contact us: Jerry Buckley | jbuckley@buckleyfirm.com; Jody Westby | westby@globalcyberrisk.com; ADCG | info@adcg.org