Sidley’s Third Annual Privacy and Cybersecurity Roundtable

On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups.

The first Panel focused on privacy and GDPR implementation. Giovanni Buttarelli, European Data Protection Supervisor, keynoted the discussion, and participated on the panel. Other participants on the panel included Facebook’s Privacy and Public Policy Manager, Emily Sharpe; Cam Kerry, senior counsel in Sidley’s Washington D.C. office; and William Long, leader of Sidley’s EU data protection practice from Sidley’s London office.  Colleen Brown, a partner in Washington, D.C., led the EU discussion as moderator.

The second panel focused on cybersecurity, senior corporate leadership, board oversight and disclosure of data breaches in SEC filings. Panel participants  included Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection at the FTC; Kathleen McGee, Chief of the Bureau of Internet and Technology at the Office of the Attorney General of the State of New York; Andrea Shandell, General Counsel at Gannett Co., Inc.; Edward McNicholas, partner at Sidley’s Washington D.C. office and a global coordinator of the privacy practice; and Tom Kim of Sidley’s Securities and Corporate Governance practice, also in the D.C. office. Alan Raul, a partner in Washington, D.C., moderated the discussion of board-level leadership and oversight of cybersecurity.

Is It Too Late to Prepare for the EU General Data Protection Regulation?

The first panel started the discussion of the EU General Data Protection Regulation (“GDPR”) by emphasizing that GDPR compliance is something one cannot improvise and that deliberate preparation and attention to forthcoming guidance will be important.

Panel participants agreed that if a company has not already started preparing for the GDPR, time will be tight to obtain input from key decision makers, obtain the necessary resources, and revise vendor agreements.  Preparing for GDPR is not merely a “compliance project”—the process is likely to involve revising consent, determining whether data and systems may be used for different purposes, negotiating new agreements with vendors, and mapping data flows.

For companies beginning or already in the midst of preparations for the GDPR, panel participants pointed out several areas to monitor for future developments as the GDPR takes final shape.  In particular, beyond enforcement trends, participants focused on developments in three key areas:

  • profiling provisions (which will have profound implications for analytics, big data usage, and machine learning),
  • consent (and the ways in which being able to prove consent will change business processes), and
  • requirements related to pseudonymization.

Cybersecurity for Boards and General Counsel

The second panel highlighted the significant role of boards of directors and general counsel in protecting the corporation from the significant business costs, lawsuits, and regulatory actions that can results from cybersecurity incidents.  Panel participants also offered their individual viewpoints on how boards and general counsel can help reduce and manage cybersecurity risk.

Participants also discussed the importance of developing a strong relationship between the board, the general counsel, and senior cybersecurity team members.  If dashboards are used to report to the board on cybersecurity preparedness, panel participants advised that the dashboards reflect measurable and consistent standards, such as those contained in the NIST Cybersecurity Framework.  The panel also discussed the need to disclose cybersecurity risks in SEC filings.

Above all, in addressing cybersecurity at the board level, the panel emphasized that effective communication at the outset is of the utmost importance.  Uncertainty and risk are inherent and perpetual components of cybersecurity.  Especially in incident response situations, the decision-making process will typically require balancing evidence and probabilities.  Developing a communication pattern that clearly communicates the evidence and probabilities without inciting undue haste or hesitancy in decision-making will help boards become valuable participants in the cybersecurity process.