Privacy + Security Forum Spring Academy: Hot Topics in State Privacy Laws Compliance and Advertising Challenges in the Healthcare Context

Speaking Engagement | May.10.2023 - May.12.2023

George Washington University Student Center, Washington, DC

Members of Orrick's Cyber, Privacy & Data Innovation team will lead panels on recent developments in U.S. privacy laws and advertising challenges in the healthcare context during the Privacy + Security Forum Spring Academy hosted by the Privacy + Security Academy.

Before the Next Wave: Hot Topics in State Privacy Laws Compliance
Thursday, May 11, 2023: 02:30 PM-03:30 PM EST

As the CPRA’s enforcement and other state laws’ effective dates draw near, this panel will walk through compliance “hot topics”, trends and predictions regarding the U.S. state comprehensive privacy laws that go into effect this year (with more likely to come).

Sulina Gabale, Partner, Orrick, Herrington & Sutcliffe
Lisa Barksdale, Director of Privacy Compliance, Zillow Group
Arlene Mu, Assistant General Counsel & Chief Privacy Officer, Lowe’s Companies
Jon Knight, Senior Corporate Counsel, Deltek

Advertising Challenges in the Healthcare Context
Friday, May 12, 2023: 10:10 AM-11:10 AM EST

Are you operating in the healthcare space and worried about recent FTC enforcement actions, OCR guidance, and class action litigation and demand letters arising from the use of online ad trackers, such as the Meta Pixel and Google Analytics? Come join our panel to learn about the recent developments in this space and how to manage the risks their use present.

Thora Johnson, Partner, Orrick, Herrington & Sutcliffe
Sundeep Kapur, Senior Associate, Orrick, Herrington & Sutcliffe
Andrew Shaxted, Managing Director, FTI Consulting

The Inside Job – Cyber Threats from Inside Your Own Organization
Friday, May 12, 2023: 11:30 AM-12:30 PM EST

Insider threats can have a significant impact because they involve actors who know where to locate and leverage sensitive data and how to cover their tracks in the process, even long after they’ve left the organization. In fact, the 2022 Unit 42 Incident Response Threat Report noted that 75% of insider threat cases were caused by disgruntled ex-employees who left with or destroyed company data or accessed company networks after their departure. This session will include tales of corporate espionage, how we track criminal activity through forensic investigations, the potential impact of an economic downturn on cybercriminal activity by insiders, how the usual suspect threat actors can leverage former employees and their credentials to conduct illicit activities, and steps to take now to reduce the risk of this evolving threat.

Joseph Santiesteban, Partner, Orrick, Herrington & Sutcliffe
Kevin Faulkner, Vice President, Unit 42 by Palo Alto Networks

Learn more

Contacts

Sulina Gabale Partner, Cyber, Privacy & Data Innovation, Internet of Things

Washington, D.C.

See my bio

D:+1 202 339 8420
E: sgabale@orrick.com

Practice:

Cyber, Privacy & Data Innovation
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sulina Gabale Partner

Washington, D.C.

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

California Online Privacy Protection Act (CalOPPA)
Children’s Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Section 5 of the Federal Trade Commission Act (FTC Act)
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Sundeep Kapur Partner

Washington, D.C.

See my bio

D:+1 202 339 8402
E: skapur@orrick.com

Practice:

Technology & Innovation Sector

vCard

See full bio

Sundeep Kapur Partner

Washington, D.C.

Sundeep is also a leading advisor in the rapidly evolving advertising ecosystem and possesses an in-depth technical and legal understanding of adtech across all channels (e.g., connected TV, linear TV, over-the-top media, desktop, mobile web, mobile app). He participates in adtech working groups and is a key contributor to the development of industry-wide privacy compliance solutions. He advises on compliance with self-regulatory regimes developed by the Network Advertising Initiative (NAI), the Interactive Advertising Bureau (IAB), and the Digital Advertising Alliance (DAA). The IAB named him Outstanding Contributor to Legal Affairs in 2024 for his significant impact on the adtech ecosystem through his work on such industry-wide initiatives.

Sundeep is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US). He is also a member of Law360's 2025 Cybersecurity & Privacy Editorial Advisory Board.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: jsantiesteban@orrick.com

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises companies and executives in connection to regulatory investigations, class actions, enforcement actions, and other disputes that frequently flow from privacy and cybersecurity incidents.

Joe helps clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly skilled at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on effective communications strategies. He draws on this experience to help companies proactively prepare for an incident through creative strategies that foster engagement and collaboration between legal, security, communications and leadership teams. This includes building and improving incident response programs through response plans, simulated incidents, threat workshops, and training. In addition, Joe assists clients in practically evaluating the legal risk of security decisions in a variety of transactions and across the product lifecycle.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on Orrick’s Finance and Audit and Pro Bono Committees. A leader and advocate for diversity and inclusion initiatives, Joe is the co-head of Orrick’s Latinx Inclusion Network and was selected as a 2024 Rising Star by the Minority Corporate Counsel Association (MCCA). He was also named to Lawdragon's 2024 500 X Next Generation Rising Stars List and an Rising Star by the Minority Corporate Counsel Association (MCCA). He is a member of the Washington Latino Bar Association and the Hispanic National Bar Association.