Privacy + Security Forum Spring Academy: Hot Topics in State Privacy Laws Compliance and Advertising Challenges in the Healthcare Context

Speaking Engagement | May.10.2023 - May.12.2023

George Washington University Student Center, Washington, DC

Members of Orrick's Cyber, Privacy & Data Innovation team will lead panels on recent developments in U.S. privacy laws and advertising challenges in the healthcare context during the Privacy + Security Forum Spring Academy hosted by the Privacy + Security Academy.

Before the Next Wave: Hot Topics in State Privacy Laws Compliance
Thursday, May 11, 2023: 02:30 PM-03:30 PM EST

As the CPRA’s enforcement and other state laws’ effective dates draw near, this panel will walk through compliance “hot topics”, trends and predictions regarding the U.S. state comprehensive privacy laws that go into effect this year (with more likely to come).

Sulina Gabale, Partner, Orrick, Herrington & Sutcliffe
Lisa Barksdale, Director of Privacy Compliance, Zillow Group
Arlene Mu, Assistant General Counsel & Chief Privacy Officer, Lowe’s Companies
Jon Knight, Senior Corporate Counsel, Deltek

Advertising Challenges in the Healthcare Context
Friday, May 12, 2023: 10:10 AM-11:10 AM EST

Are you operating in the healthcare space and worried about recent FTC enforcement actions, OCR guidance, and class action litigation and demand letters arising from the use of online ad trackers, such as the Meta Pixel and Google Analytics? Come join our panel to learn about the recent developments in this space and how to manage the risks their use present.

Thora Johnson, Partner, Orrick, Herrington & Sutcliffe
Sundeep Kapur, Senior Associate, Orrick, Herrington & Sutcliffe
Andrew Shaxted, Managing Director, FTI Consulting

The Inside Job – Cyber Threats from Inside Your Own Organization
Friday, May 12, 2023: 11:30 AM-12:30 PM EST

Insider threats can have a significant impact because they involve actors who know where to locate and leverage sensitive data and how to cover their tracks in the process, even long after they’ve left the organization. In fact, the 2022 Unit 42 Incident Response Threat Report noted that 75% of insider threat cases were caused by disgruntled ex-employees who left with or destroyed company data or accessed company networks after their departure. This session will include tales of corporate espionage, how we track criminal activity through forensic investigations, the potential impact of an economic downturn on cybercriminal activity by insiders, how the usual suspect threat actors can leverage former employees and their credentials to conduct illicit activities, and steps to take now to reduce the risk of this evolving threat.

Joseph Santiesteban, Partner, Orrick, Herrington & Sutcliffe
Kevin Faulkner, Vice President, Unit 42 by Palo Alto Networks

Learn more

Contacts

Sulina Gabale Partner, Cyber, Privacy & Data Innovation, Internet of Things

Washington, D.C. Office

See my bio

D:+1 202 339 8420
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sulina Gabale Partner

Washington, D.C. Office

Sulina Gabale is a Partner and founding member of the Cyber, Privacy & Data Innovation practice, named Privacy & Data Security Law Firm of the Year by Chambers USA in 2019.

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

California Online Privacy Protection Act (CalOPPA)
California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Children’s Online Privacy Protection Act (COPPA)
Biometric privacy laws such as the Illinois Biometric Information Privacy Act (BIPA) and other
Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC Act)
Virginia Consumer Data Protection Act (VCDPA)

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.

Thora Johnson Partner, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C. Office

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C. Office

Thora Johnson is co-chair of Orrick's Life Sciences Group. She helps clients navigate emerging and traditional regulatory challenges in the biotechnology, healthcare and pharmaceutical sectors. She advises on cybersecurity, privacy and healthcare regulatory matters.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Sundeep Kapur Senior Associate

Washington, D.C. Office

See my bio

D:+1 202 339 8402
E: [email protected]

Practice:

Technology & Innovation Sector

vCard

See full bio

Sundeep Kapur Senior Associate

Washington, D.C. Office

Sundeep Kapur advises on regulatory compliance and investigations, incident response and remediation, commercial transactions and other data initiatives involving complex or emerging technologies. He provides tailored and practical guidance to clients, from startups to global corporations, on various privacy laws and regulatory frameworks, including the FTC Act, California Consumer Privacy Act of 2018 (CCPA), California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR).

Sundeep also possesses an in-depth technical and legal understanding of the advertising technology (adtech) ecosystem (e.g., connected TV, linear TV, over-the-top media, desktop, mobile). He participates in adtech working groups and is a key contributor to the development of industry-wide privacy compliance solutions. He advises on compliance with self-regulatory regimes developed by the Network Advertising Initiative (NAI), the Interactive Advertising Bureau (IAB), and the Digital Advertising Alliance (DAA).

Sundeep is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US).

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 617 880 1845
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

Joseph Santiesteban is a trusted cyber law advisor. He regularly advises clients regarding incident response, as well as litigation and government enforcement that commonly arise from privacy and cybersecurity incidents. He uses this experience to offer clients practical advice regarding their data innovation and incident preparedness strategies.

Joseph regularly advises companies regarding privacy and cybersecurity incident response, including directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations, and advising regarding communications strategies. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

Joseph uses his experience to help clients leverage the value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs, and solidify brand and consumer trust. This includes guiding clients through the complexity of federal privacy and cybersecurity laws and regulations, including the Electronic Communications Privacy Act (ECPA), the Federal Trade Commission Act (FTC Act), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA), state privacy and cybersecurity laws, including the California’s Consumer Privacy Act (CCPA), international laws such as the European Union General Data Protection Regulation (GDPR), and self-regulatory frameworks, including those covering online advertising and payment card processing. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.