Keily Blair Partner, Cyber, Privacy & Data Innovation, Government Investigations and Enforcement Actions
Webinar | September.30.2021Online
Heather Sussman, Keily Blair, Emily Tabatabai and Hannah Levin led panels on cyber supply chain attacks and dark patterns during the Privacy + Security Forum Fall Academy hosted by the Privacy + Security Academy.
Cyber - Supply Chain Attacks - Risk Identification, Mitigation and Response
Due to globalization, decentralization and outsourcing of supply chains, the number of cybersecurity exposure points for any organisation has increased - and continues to increase - exponentially over time. As such, understanding the cybersecurity risk associated with your supply chain should be a key area of focus for all organisations. In this panel we consider how you can proactively (and pragmatically) identity and triage cyber security risk in your supply chain, and how an organisation should react when facing a cyber security incident in its supply chain.
Dark Patterns: The Privacy Hot Topic of 2021
"Dark Patterns" keep popping up in all corners of the privacy space. While deceptive acts and practices have long been prohibited by the FTC Act, the amorphous concept of "dark patterns" has been a recent focus of the FTC, consumer advocate organizations and state legislators. But what are "dark patterns" and when does user interface design cross over from "optimized" to "manipulative" or "deceptive"? This panel will explore the existing legal frameworks as well as legislative proposals that seek to define and regulate dark patterns, highlight recent enforcement actions and consumer complaints, and help your business stay on the right side of the emerging law.
Keily Blair heads up the Cyber, Privacy & Data Innovation Group in London. Keily works with her clients as a "strategic business partner" to navigate privacy and cyber security crises to achieve better commercial, regulatory and judicial outcomes.
Keily's litigation and enforcement background provides her a different perspective on cybersecurity and data privacy issues. She has led the response to investigations by the United Kingdom’s Information Commissioner’s Office (UK ICO), the Irish Data Protection Commission, the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Serious Fraud Office (SFO), Parliamentary Select Committees and United States (U.S.) regulators, including the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI) and the Securities and Exchange Commission (SEC). Keily has also acted as external legal counsel for privacy and financial service regulators.
On cybersecurity issues, Keily directs cybersecurity incidents and investigations across multiple jurisdictions and incident types from simple business email compromises, to enterprise-wide network intrusions and cyberattacks with national security implications. Keily has worked with national and international law enforcement and is called upon to act as external legal counsel to security and forensics firms when engaging with regulators.
In the civil arena, Keily has led on a number of high profile privacy litigation matters, including civil damages claims and collective actions following personal data breaches and privacy-related judicial reviews. She frequently counsels clients on the growing risk of privacy-related class actions and interventions by privacy advocates in the UK and the European Union.
Keily uses the insights from her litigation and enforcement practice to inform her advisory work, where she regularly advises stakeholders from legal, information security, privacy and the C-suite on a host of privacy and cybersecurity governance, risk mitigation and regulatory engagement strategies. This understanding of what matters to regulators and the courts is at the heart of her approach to privacy advisory and compliance work. According to clients Keily has the "subject matter expertise and ability to understand and interact with companies' culture and capabilities, recognising a one size fits all approach doesn't work".
She is ranked as a key practitioner in data protection, privacy and cybersecurity in The Legal 500 and has represented the private sector at the United Nations and the European Criminal Bar Association. Keily also sits on the Law360's 2020 Editorial Advisory Board on Cybersecurity & Privacy and leads the IAPP Cyber & Privacy Investigations, Enforcement & Litigation Affinity Group. She is committed to improving diversity and social mobility in the legal sector.
Prior to joining Orrick, Keily led the Contentious Data Privacy, Law & Strategy practice at PwC having been a litigator at two international law firms before this.
Washington, D.C.; Houston
Washington, D.C.; Houston
Emily S. Tabatabai is a partner and founding member of Orrick’s global Cyber, Privacy & Data Innovation Group, which was named Privacy/Data Security Law Firm of the Year by Chambers USA in 2019. She has been recognized by The Legal 500 for her "extraordinary depth of knowledge in student data privacy matters," and by Chambers USA as "an invaluable resource to have when it comes to data privacy and security."
Emily advises clients on an array of privacy and data management matters, helping clients navigate the complex web of privacy laws, rules, regulations and best practices governing the collection, use, transfer and disclosure of data and personal information. Emily works closely with client business teams and in-house counsel to assess and manage privacy risks, design and deploy compliance programs and implement privacy-by-design approaches to address key compliance objectives while supporting each client’s data innovation strategies and the development and use of cutting-edge digital technologies. She frequently guides child- and student-directed service providers through the complexities of compliance with the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), California’s Student Online Personal Information Protection Act (SOPIPA) and similar state student privacy laws and advises companies across the industry spectrum as they work towards compliance with the California Consumer Privacy Act (CCPA). She also represents clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including under Section 5 of the Federal Trade Commission Act (FTC Act), COPPA, the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), the California Online Privacy Protection Act (CalOPPA) and others.
To make the CCPA more accessible, Emily developed Orrick's CCPA Readiness Assessment Tool. The tool provides companies an opportunity to test their compliance with the CCPA and similar laws as a first step to constructing their strategic compliance roadmap.
Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on interest-based advertising, sweepstakes and marketing promotions, retail sales and e-commerce platforms, advertising substantiation, new media and social media integration, and SMS text messaging and telemarketing, including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA), the Restore Online Shoppers’ Confidence Act (ROSCA) and state and federal consumer protection statutes.
Emily is a Certified Information Privacy Professional in both U.S. and European privacy law (CIPP/US and CIPP/E) and member of the International Association of Privacy Professionals (IAPP) Publications Advisory Board. She is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech. She was featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA 2018, 2019, and 2020 and Chambers Global – USA 2020. Clients tell Chambers,“she's been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and ed-tech matters, Chambers reports that clients regard her as “very knowledgeable and truly and expert in this space,” with some saying, “On the student data side, she is unmatched.”
Hannah Levin advises clients on security incident response and state and federal investigations and enforcement actions. Hannah coordinates breach responses for companies across diverse sectors and represents clients in front of the Federal Trade Commission (FTC) and state regulators for privacy, cybersecurity, and consumer protection issues. She also counsels on all aspects of privacy and data security compliance.
Hannah provides guidance on state and federal regulations, including state data breach laws and notification requirements, the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA), and the advertising industry’s self-regulatory regimes. She also helps clients navigate consumer protection issues, including the Restore Online Shoppers’ Confidence Act (ROSCA) and federal and state consumer protection statutes.
Hannah also has broad civil and criminal litigation experience. She has worked on complex class action and commercial litigation matters, government enforcement actions and internal corporate investigations. She has represented clients facing liability under a variety of state and federal laws, including federal and state consumer protection statutes.
Prior to entering private practice, Hannah served as a law clerk to the Honorable Lynne A. Battaglia of the Maryland Court of Appeals.
Heather Egan Sussman is head of Orrick's global Cyber, Privacy & Data Innovation Group. She focuses on privacy, cybersecurity and information management, and is ranked by Chambers USA, Chambers Global and The Legal 500 United States as a leader in her field. Chambers explains companies turn to Heather because she “understands all the business issues and the dynamics of how to implement privacy programs [and is] extraordinarily thoughtful, very pragmatic and responsive.”
Heather routinely guides clients through the existing patchwork of laws impacting privacy and cybersecurity around the globe. In the U.S. this includes advising on federal and state laws that include:
Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes. She drafts online privacy notices for global rollout and implements data transfer mechanisms for the free flow of data worldwide.
Heather also helps clients develop and achieve their data innovation strategies, so they can leverage the incredible value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs and solidify brand and consumer trust.
Heather devotes a significant part of her practice to helping clients reduce the risk of privacy and security incidents, and she offers a comprehensive menu of services designed to do just this. In the event of a privacy or security breach, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. Companies routinely rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.
Heather guides clients through comprehensive privacy and cybersecurity assessments worldwide, vets privacy and security risks in corporate transactions, conducts internal investigations stemming from data incidents, and she drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data.
Her clients come from diverse business sectors, including technology, financial services, retail, consumer products, energy and infrastructure, healthcare and life sciences, manufacturing, food and beverage, media, academic institutions, service industries.
Heather frequently writes on current privacy and information security issues before trade and legal organizations and has been quoted in hundreds of major news outlets, including MSNBC.com, ABCNews.com, The New York Times, The Los Angeles Times, Bloomberg BusinessWeek, The San Francisco Chronicle, Washington Times, Houston Chronicle.