Wednesday, May 21
Registration and Continental Breakfast
Sponsored by Cooley LLP
Welcome and Overview
Lawrence J. Center, Assistant Dean, Georgetown University Law Center
William M. Treanor, Dean, Georgetown University Law Center
Keynote Address: The Promises and Perils of Cybersecurity in Daily Life
Nuala O'Connor, President and Chief Executive Officer, Center for Democracy and Technology
Enterprise Security Programs
All companies are expected to have security programs to manage the risks to their digital assets. The development and maintenance of a security program involves integrating best practices and standards, compliance requirements, and numerous business factors. This session will cover the key activities of a security program and discuss the interaction points and activities that involve legal counsel. It will also include a discussion on how legal counsel can help ensure that the security programs of vendors (including cloud providers and law firms) support a company's security requirements and approaches for effective governance by boards and senior executives.
Moderator: Christina Ayiotis, Adjunct Faculty, Department of Computer Science, the George Washington University; former Deputy General Counsel, Computer Sciences Corporation
Panelists: M. Peter Adler, Chief Privacy Officer, SRA International, Inc.; Charles Beard, Principal, PricewaterhouseCoopers LLP; Bill Sieglein, Founder, CISO Executive Network
Sponsored by Stroz Friedberg
10:50 am–12:05 pm
Cybersecurity Frameworks: The Legal and Practical Implications of Voluntary Industry and Government Standards
Companies today contend with an increasing number of data security and privacy regulations and contractual obligations, which on their own are challenging enough for counsel to interpret and help their clients apply. Now voluntary standards and frameworks are also increasingly central to organizational efforts to understand what is reasonably expected of their cybersecurity risk management programs. Panelists will describe the major industry and governmental standards and frameworks, outline the substantive legal implications of the existence as well as use of these standards and frameworks, and share practical implementation insights and experiences. Standards and frameworks to be addressed include those issued by the National Institute of Standards and Technology (NIST), International Standards Organization (ISO), and the Payment Card Industry (PCI).
Moderator: Harriet Pearson, Hogan Lovells
Panelists: Brian J. Peretti, Financial Services Critical Infrastructure Program Manager for the Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of the Treasury (Invited); Ron Ross, Fellow, National Institute of Standards and Technology; Russell Schrader, Senior Vice President and Chief Privacy Officer, Visa Inc.
Box Lunch Distribution
Sponsored by Deloitte
Luncheon Speech: The Role of Government in Cyber Affairs: The Case of Estonia
Her Excellency Marina Kaljurand, Ambassador of Estonia to the United States
General Counsel Perspective: The Evolving Role of Legal Counsel in Cybersecurity
The role of legal counsel in establishing and maintaining enterprise security programs is rapidly evolving from one of simply identifying compliance requirements to one that requires leadership and decision making in key activities, including incident response. This panel of chief legal officers of major corporations will share their thinking on how general counsel can and should approach cybersecurity risk. With such topics now routinely on the board and management agendas, the role of counsel has never been more central to organizational decision making on this topic.
Moderator: William J. Haynes II, Executive Vice President and General Counsel, SIGA Technologies, Inc.
Panelists: Gregory S. Gallopoulos, Senior Vice President and General Counsel, General Dynamics Corporation; Brian A. Miller, General Counsel and Corporate Secretary, AES Corporation; Leslie T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. & Washington Gas Light Company
Sponsored by SRA International, Inc.
Insuring Against Cybersecurity Risk
Insurance in the cyber context is becoming more important as corporations look to mitigate and manage information risk. This panel will explore the state of the cyber insurance market, the scope of typical cyber insurance coverages, and best practices regarding the procurement and use of insurance products. It will review relevant cases to clarify the growing role of cyber insurance in the context of breaches, Advanced Persistent Threats (APTs), and other cyber threats. Finally, the panel will discuss how implementing standards (such as the 20 critical controls) can positively impact a company's risk posture (and even lower premiums).
Moderator: Adam Sills, Managing Director, Capitol Insurance Companies
Panelists: John D. Dempsey, Managing Director and Global Practice Leader, Aon Global Risk Consulting; Tom Finan, Senior Cybersecurity Strategist and Counsel, U.S. Department of Homeland Security; Lorelie S. Masters, Jenner & Block LLP
Networking Cocktail Reception
Sponsored by Hogan Lovells
Thursday, May 22
Sponsored by Stroz Friedberg
Keynote Address: Cybersecurity Challenges in the 21st Century
Hon. Robert Mueller, Former Director of the FBI; Executive-in-Residence at Georgetown University
Meet the Regulators and Enforcers
With the continued push for companies to report cyber crimes to law enforcement, and the increase in regulatory inquiries in response to publicized breaches, companies that have suffered a breach often end up working with different components of government with very different agendas. In addition, because of the increasing awareness of cybersecurity risk and new standards and guidance, regulators across a wide array of industries (e.g., insurance, medical device manufacturing, automotive) are proactively inquiring about companies' cybersecurity practices, governance, and disclosures. This panel brings together key law enforcement and regulatory officials to outline current agency priorities and discuss their roles in data security and working with, or investigating, compromised entities.
Moderator: Lisa Branco, Global Privacy & Data Protection Officer, CEB
Panelists: Hon. Julie Brill, Commissioner, U.S. Federal Trade Commission; Matt Fitzsimmons, Chair – Privacy Task Force, Assistant Attorney General, Connecticut Office of the Attorney General; John Lynch, Chief, Computer Crime & Intellectual Property Section, U.S. Department of Justice (Invited)
10:50 am–12:20 pm
Potential Legal Exposure/Aftermath of a Breach: A Simulation
Security breaches continue to create significant legal exposure for victim companies in the immediate and longer-term aftermath of an incident due to numerous factors, including the deep levels of access sometimes maintained by sophisticated threat actors in the victim's environment despite the best efforts of IR teams and continued media attention given to these events. This panel will focus on the wide-ranging legal exposure in the aftermath of a data breach, which often results from customer contractual liability, plaintiff privacy, and other types of class actions, regulatory inquiries, and potential reputational damage. This panel will provide practical tips on steps to minimize such exposure before a breach occurs, including adequate consideration of breach risk in the enterprise risk management program, appropriate contractual coverage, education and training, and cyber insurance.
Moderator: Kimberly Peretti, Alston & Bird LLP
Panelists: Thomas J. Hibarger, Managing Director, Stroz Friedberg LLC; Pablo Martinez, Managing Director, Global Investigations and Cyber Crime, Citi; Joseph P. Moan, Senior Managing Counsel, Employment, The Coca-Cola Company; Greg Schaffer, Chief Security Strategist, The Circumference Group
Lunch (on your own)
Global Incident Management & Legal Considerations: A Simulation
Cybersecurity incidents for global companies increasingly affect servers, employees, and business operations inside and outside of the United States. As a result, the compromise impacts the process by which the investigation is conducted and information may be collected, transferred, and analyzed. It also may trigger an ever-growing list of applicable laws, guidance, and recommendations that require notifications to regulators and customers in many countries. This panel will address the implications of, and outline strategies for, global data breach preparedness and response, from both a legal compliance and an investigatory forensics perspective.
Moderator: Andrew Tannenbaum, Cybersecurity Counsel, IBM Corporation
Panelists: Michael Bruemmer, Vice President – Data Breach Resolution, Experian; Linda Clark, Senior Counsel, Data Security and Compliance, Reed Elsevier; Jeffrey C. ("JC") Dodson, Vice President, Information Security, BAE Systems, Inc.; Edward P. Gibson, Senior Director, Alvarez & Marsal Holdings, LLC; Timothy P. Ryan, Managing Director, Cyber Practice Leader, Kroll Advisory Solutions
Offensive Cyber Operations or Cyber Self-Defense: A Simulation
Although much uncertainty surrounds "active defense," one thing is certain – people will continue to disagree about what is permissible and what is not. People can't even agree on a definition – some view it as active cyber response (i.e., taking active steps to legally protect a company's IP and gather information on the attacker but short of any kind of "counterattacks"). Others view any activity outside of an entity's network as illegal and "hacking back." This lack of clarity can create risks for uninformed companies. In the past, general counsel have not been involved in cyber incident response. Legal counsel needs to understand the issues and risks in order to engage in incident response decisions and manage legal risks. Because active defense covers a range of issues and is multidisciplinary, this session has been structured as a simulated scenario enacted by a diverse set of stakeholders. We will explore several areas, including: what happens when a company comes under attack, potential active defense measures, interactions with law enforcement, legal risks, and jurisdictional differences.
Moderator: Jody R. Westby, President and Chief Executive Officer, Global Cyber Risk LLC
Panelists: Richard Bejtlich, Chief Security Strategist, FireEye; Hilary L. Hageman, Vice President & Deputy General Counsel, CACI International, Inc.; Mark Rasch, Chief Privacy Officer, SAIC; Randy V. Sabett, Special Counsel, Cooley LLP; Prof. Melanie Teplinsky, American University Washington College of Law; Trent R. Teyema, Inspector, Federal Bureau of Investigation