Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC.  The conference will be in full swing tomorrow, and I will report on various panels and topics of interest.  In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:

  • How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy?  It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano.  Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing).  It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
  • HIPAA/HITECH and Medical Identity Theft:  Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
  • "Reasonable Security":  What does Massachusetts think?  What does the FTC think?  What in the world is it and how in the world can organizations comply?
  • On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent.  What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
  • Social media:  how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
  • The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
  • Breaches, breaches, and more breaches.  Of course.

A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.

Stay tuned, I will endeavor to post developments on a daily basis.