Defining “Reasonable Security” Standards: Understanding Current Cybersecurity Threats, Data Transfers Rules, and AI Compliance with Data Privacy Laws

Rachel V. Rose | Rachel V. Rose – Attorney at Law, PLLC

Rachel V. Rose, JD, MBA is a Principal with Rachel V. Rose – Attorney at Law, P.L.L.C. (Houston, TX)

Ms. Rose has a unique background, having worked in many different facets of healthcare, securities, cybersecurity, as well as international law and business throughout her career. For nearly a decade, her practice has focused transactional, compliance, and litigation matters related to cybersecurity, health care, securities, and Dodd-Frank/False Claims Act whistleblower claims. Ms. Rose worked on Capitol Hill when HIPAA passed in 1996 and worked at HHS in 2009 when the HITECH Act was being implemented.

In addition to being extensively published and a sought-after presenter and quoted expert, Ms. Rose holds an MBA with minors in healthcare and entrepreneurship from Vanderbilt University, and a law degree from Stetson University College of Law, where she graduated with various honors, including the National Scribes Award and The William F. Blews Pro Bono Service Award.

Ms. Rose is licensed in Texas and is a Fellow of the Federal Bar Association. Currently, she is the Chair of the Federal Bar Association’s Government Relations Committee, a board member of the Federal Bar Association’s Qui Tam Section, the co-editor of the American Health Lawyers Association’s Enterprise Risk Management Handbook for Healthcare Entities (2nd Edition), as well as a co-author of the ABA’s books The ABCs of ACOs and What Are International HIPAA Considerations?

She has been named consecutively to the Texas Bar College, the National Women Trial Lawyers Association’s Top 25, Houstonia Magazine’s Top Lawyers (healthcare), the National Trial Lawyers Association’s Top 100, as well as 1st Healthcare Compliance’s 2019 Top Presenter. Ms. Rose is also an Affiliated Member with the Baylor College of Medicine’s Center for Medical Ethics and Health Policy, where she teaches bioethics.

Federal Court Admissions: Supreme Court of the United States, CO, DC, SDTX, NDTX, EDTX and WDTX.

Brittany M. Bacon | Hunton Andrews Kurth LLP

Brittany is co-head of the Firm’s Technology Industry Group. She is a partner in the firm’s top-ranked global privacy and cybersecurity practice and advises clients in identifying, evaluating and managing complex global privacy and information security risks and compliance issues. Brittany is ranked in Chambers USA, Chambers Global and Legal 500, and was named a New York Law Journal “Rising Star,” a Law360 “Rising Star” in privacy and cybersecurity, and one of Global Data Review’s 40 Under 40 data lawyers. Chambers USA quotes clients who call her “very diligent, intelligent and hard-working” and “very clientfocused, attentive and responsive.” Chambers USA also quotes a client who calls her “one of the very best individuals I have worked with on privacy-related matters.” Legal 500 refers to Brittany as “the best at what she does,” recommending her for cyber law (including data privacy and data protection) and fintech.

Brittany assists clients in identifying, evaluating and managing a panoply of global privacy and information security risks and compliance issues. A significant aspect of her practice is advising large, multi-national companies on catastrophic cybersecurity incidents. Brittany served as a lead attorney on the two largest reported breaches in history (affecting over three billion user accounts) and has managed hundreds more. Her cybersecurity practice includes advising clients on data breach notification responsibilities; counseling them on responding to multi-jurisdictional regulatory investigations; and providing strategic advice in the breach context for managing ransomware attacks, as well as inquiries from Boards of Directors, consumers, media and potential acquiring companies in a deal setting. Brittany also helps companies design and build privacy and data security governance programs and conduct proactive breach preparedness activities, including developing workable incident response plans and legal breach notification procedures, ransomware playbooks and legal primers, running executive-level tabletops with data breach hypotheticals, and engaging third-party experts (such as forensic investigation firms, ransomware specialists, credit monitoring services, PR firms and call centers) in advance of an incident.

In relation to her privacy compliance practice, Brittany advises clients on the California Consumer Privacy Act of 2018, GLB, CAN-SPAM, and other U.S. state and federal privacy requirements, and global data protection laws (including those in the EU, Asia and Latin America). She routinely conducts privacy impact assessments and advises companies on managing risk in connection with extensive and innovative data collection and use, including with AI and machine learning technologies. She also regularly negotiates privacy and data security provisions of complex commercial and technology-related contracts and helps companies design robust vendor management programs.

Dhara Shah | Uber

Dhara Shah is AI Legal Counsel at Uber Technologies, an IAPP certified AI Governance Professional (AIGP), and a licensed attorney. In her role, Dhara leads cross‑functional initiatives to operationalize AI responsibly, including authoring and rolling out AI policies, standards, and playbooks; establishing model inventories and documentation; and partnering with business, technical, and legal teams to design internal AI governance committees and decision-making structures.

Beyond her work at Uber, Dhara actively contributes to shaping the field of AI governance. She serves as Chair of the IAPP AI Governance Affinity Group and has previously served as a Working Group Member for both the NIST Generative AI Working Group and the EU AI Act Code of Practice.

Dhara also brings extensive U.S. consumer privacy law expertise, helping organizations align AI and data practices with evolving regulatory requirements. With prior experience in BigLaw and a technical foundation in programming, she bridges stakeholders across legal, product, engineering, and safety functions. Dhara holds a B.S. in Computer Information Systems, a B.A. in Business Law, and a J.D. focused on emerging technology law.

Julia B. Jacobson | Squire Patton Boggs

Julia B. Jacobson is a partner in the Data Privacy, Cybersecurity & Digital Assets Practice. Julia offers practical and tactical counsel on privacy and cybersecurity compliance strategies, data breach response, technology transactions and marketing initiatives for national and multinational organizations.

A significant portion of Julia’s practice is devoted to advising clients on an array of privacy, cybersecurity, data breach and data governance matters. She assists clients with the design and development of privacy-sensitive policies for the collection and use of personal data. Julia regularly advises businesses on the privacy and cybersecurity aspects of environmental, social and governance (ESG) programs, ethical data use, machine learning and artificial intelligence, vendor contracting and management and business sales, combinations and acquisitions. She has helped her clients design, develop and implement compliance programs to meet the challenges of the evolving privacy and cybersecurity law landscape, including the California Consumer Privacy Act and other US state privacy and cybersecurity laws, the EU’s General Data Protection Regulation, the UK Data Protection Act 2018, cross-border personal data transfers and New York Department of Financial Services Cybersecurity Regulations, as well as to align with industry standards, including the National Institute of Standards and Technology (NIST) cybersecurity and privacy frameworks, and ESG standards and frameworks Julia also serves as the data breach coach for several national and international clients.

Julia helps clients maximize the value of their strategic relationships by drafting and negotiating a wide range of commercial contracts, particularly technology-centric agreements and the deployment of machine learning and artificial intelligence. For both product and service providers and users, she structures and negotiates contracts and develops customized template agreements and tools for vendor screening and assessments.

Julia’s practice spans a wide array of issues associated with consumer marketing and promotional campaigns. She is skilled at establishing effective compliance programs and regularly counsels clients on the risks surrounding mobile marketing and text messaging, email marketing and telemarketing, social media, and sweepstakes and contests. Her work also includes helping clients navigate the digital advertising ecosystem and deploy emerging technologies. Increasingly, her practice focuses on supporting clients in designing data practices that consider stakeholder expectations and data ethics. On behalf of brands, agencies and marketing technology providers, she routinely structures and negotiates co- branding, sponsorships, and commercial co-venture and other agreements associated with the marketing and promotion of products and services.

Sammuel Kim | Squire Patton Boggs

Sammuel Kim is an associate in the Data Privacy, Cybersecurity & Digital Assets practice of Squire Patton Boggs. He focuses his practice on data privacy, cybersecurity, artificial intelligence, and advertising and marketing laws, as well as technology, corporate, and commercial transactions. Prior to joining Squire Patton Boggs, Sammuel practiced at other international law firms, where he advised a multitude of clients across industries, including financial institutions, health and insurance providers, B2B and B2C technology providers, retail and ecommerce businesses, nonprofits, and critical infrastructure and government contractors.

Session I – Managing Risks in Today’s Cybersecurity Landscape | 12:00pm – 1:00pm

• Examine the current cybersecurity threat environment
• Trends in the cybersecurity landscape
• Learn best practices for data breaches
• Notification obligations and regulatory reporting timelines
• Prepare for the inevitable by taking proactive steps to minimize risks

Break | 1:00pm – 1:10pm

Session II – Cybersecurity Expert: What Reasonable Security Looks Like and Why Breaches Still Happen | 1:10pm – 2:10pm

• Defining “reasonable security” standards
• Common causes of data breaches despite security programs
• Cyber risk assessment in transactions and vendor management

Break | 2:10pm – 2:20pm

Session III – The Sensitive Bulk Data Transfer Rules | 2:20pm – 3:20pm

• Determining when data and a data transaction are in scope for the Bulk Data Rule
• Evaluating covered data transactions as prohibited or restricted
• Assessing vendors and vendor contracts for covered data transactions
• How the Bulk Data Rule relates to state consumer privacy laws and other laws, and how the Bulk Data Rule has been used in lawsuits
• Assessing and uplifting current compliance policies and procedures

Break | 3:20pm – 3:30pm

Session IV – Legal Compliance and Enforcement Trends at the Intersection of AI & Data Privacy | 3:30pm – 4:30pm

• How AI laws translate into internal AI governance requirements
• Privacy compliance as the foundation for AI governance programs
• Enforcement hotspots and early signals from regulators
• Common governance failure modes regulators are targeting
• Practical compliance steps for tracking laws and implementing controls in large organizations