27 March 2017

Privacy Law: Scanning the Legal Horizon...

As our new knowledge-based organizations begin the startup phase, the thought of all of the implications of collecting and storing information may be secondary to raising capital.  However, once you have the core team in place and the business begins to scale, maybe it is time to look over the horizon.

Once you have reached the point in your companies growth curve to consider the hiring of a CFO and even an outside "General Counsel", the regulatory engine must be established within the enterprise.  Today, even the CISO in any major business across the United States has been challenged by rapidly changing digital privacy laws the past two years.

Especially in California, the CalECPA went into effect January 1, 2016 and in general is focused on law enforcement:
The landmark California Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or to search them.
The simple fact that a company is doing business in the State of California and has employees operating there, puts a significant set of requirements and compliance issues that are top of mind.  This is why you see technology-oriented companies who have their Headquarters based here, developing robust guides for working within federal and state privacy laws.

A "Chief Information Security Officer" is not only charged with protecting the data within a confidentiality, integrity and assurance framework, but also working in tandem with the General Counsel and a Chief Privacy Officer.  The standards and the laws have significant hurdles that also require prudent Operational Risk Management strategies.

Now take all of this into consideration as your begin to plan for implementing an "Insider Threat Program" (InTP) within your organization.  The addition of a Human Resources component, Chief Information Officer and even perhaps 3rd Party Cloud supply chain vendors will all be in play.

So What?

So what is the legal profession in California focused on these days?  Just take a look at the Agenda for a March 2017 event at Berkeley Law:

Cybersecurity Regulatory Enforcement

New regulators, new laws, and new norms are causing cybersecurity responsibilities to proliferate. This discussion will feature insights on how cybersecurity lawyers navigate the growing thicket of information security rules from the perspective of both companies pursued by the FTC and multinationals operating under different legal regimes. It will consider challenges posed by insider breaches and obligations arising from the General Data Protection Regulation.


Practitioners Panel

Privacy practitioners from leading law firms and major online companies will share insights on how to stay afloat in increasingly turbulent waters.

Privacy Award

BCLT is proud to bestow its annual Privacy Award this year on

Susan Freiwald, University of San Francisco Law School
Nicole Ozer, ACLU of California

in recognition of their leadership in securing passage of CalECPA, which establishes the “gold standard” of a judicial warrant for government access to communications, location data and other information about our daily lives.


Keynote: Too Close for Comfort – AI, Cloud Computing, and Privacy 

Recent advances in artificial intelligence, robots, and machine learning are enabled by big data, digital cameras, and cloud computing. These advances open an enormous Pandora’s box in terms of security and privacy. Groundbreaking AI researcher Ken Goldberg will present potential responses, such as a concept for “Respectful Cameras,” a privacy-preserving system for industrial automation. He will explain why claims of an impending “Singularity” are greatly exaggerated and will propose an alternative, “Multiplicity,” where diverse groups of humans work together with diverse groups of machines to innovate and to solve complex problems.

Government Access

With digital evidence central to an increasing number of criminal and foreign intelligence investigations, government demands for access seem to steadily increase. From varying perspectives, this panel will explore emerging issues in government access to data stored with third parties.

Artificial Intelligence and the Right to an Explanation

The General Data Protection Regulation requires that organizations explain to individuals the logic behind decisions rendered by algorithms. This policy is aligned with growing efforts in the machine learning community to improve the interpretability of outputs. This panel will examine a broad range of efforts to address interpretability and potential biases in complex algorithmic systems.

Consent and Contract under EU Data Protection Law


EU privacy regulation continues to have worldwide relevance, especially affecting U.S.-based companies. This session will examine how consumer data can continue to be collected and used given the different approaches in the EU and U.S. to consensual mechanisms for authorizing personal data processing.


The CISO and the entire team of Operational Risk Management professionals at your organization, should be monitoring and creating new strategies to protect the organization.  Scanning the legal horizon on what the new challenges are and how to prepare, is the sign of a sound business strategy.