Information Privacy Law
Michael Cohen and Vanita Banks
This course surveys the privacy law landscape with a primary focus on United States federal privacy laws from a commercial perspective. The course will introduce students to federal regulations in multiple sectors, as well as to international data protection and localization laws in Canada and the EMEA, LATAM, and APAC regions.
- Articulate how a standard of care to protect and secure personal information applies under various statutes, including state, federal, and international statutes
- Identify the varied regulatory systems that apply to industries maintaining personal information
Information Governance and Security Risk Management
This course will introduce participants to the tenets of information security and information privacy risk management, including information risk governance, metrics, and management reporting, as well as common frameworks for identifying, treating, and managing risk. This course will describe how to develop a security program, draft policies, and conduct internal, external, and vendor risk assessments. Additionally, this course will address proactive security design and testing techniques to reduce downstream risk; security contract negotiations to reduce the potential for future liability; and standard operational processes businesses need to effectively manage ongoing risk. This course will also cover privacy program operations, including policies, privacy notices, and conducting privacy impact assessments/data protection impact assessments.
- Understand and use a variety of risk frameworks to build a cybersecurity program
- Draft a security process and create a security control framework to assess potential risks
- Determine when third-party assessments are required, and be able to conduct a third-party assessment
- Describe the role of external audits and assessments
- Articulate the role of privacy documents, including privacy policies, notices, and other disclosures
- Articulate the function of privacy by design
Information Technology Systems and Security Controls
This course exposes participants to information security controls. The course will cover technology controls through a wide variety of foundational topics of information security; cyber security; application, data and operating system security; securing virtual environments; cloud and mobile security; network security; the Internet of Things; and staying safe online. The course will also use case studies to explore current cyber threats including phishing scams, zero-day exploits, man-in-the-middle (MitM) attacks, IP spoofing, malware and Trojan exploits, and physical security exploits. By the end of the course, participants will have an understanding of critical information security topics, and will be able to make strategic decisions and advise on issues and trends.
- Articulate the fundamental concepts of information technology security
- Identify information technology security controls and opportunities to mitigate security issues
- Identify information technology security threats and how controls are used
- Identify information technology assets and examine some of the vulnerabilities they contain
- Evaluate data breach case studies and how controls could be used to minimize their risk
- Evaluate the human role in breaching systems
Incident Management and Response
This practical course guides participants through the steps necessary to develop an incident response plan to enable a company to minimize loss and speed recovery after a data breach or network intrusion. Specific topics include establishing proactive relationships before an attack occurs, tailoring a response plan to evolving and emerging threats, and understanding the protections afforded by attorney-client privilege.
- Identify what an incident is
- Distinguish between an incident and a breach
- Prepare an enterprise for Incident Management
- Identify the sequence of events when an incident happens
- Implement recovery procedures post-incident
- Manage customer perception post-incident
Liability and Enforcement Authorities
Erich P. Rice
This course examines the potential liability and reporting requirements of a company following a data breach, including class actions, contracts litigation, shareholder derivative lawsuits, and government-imposed investigations and sanctions. Course materials are drawn from recent high-profile cases.
- Explain the various legal liabilities a company may face following a cybersecurity breach. This will include both civil liability and criminal liability.
- Analyze the facts of a particular incident through a legal lens.
- Apply the law (types of liability) as described in lectures to a set of particular facts to identify potential legal liability.