Defining “Reasonable Security” Standards: Understanding Current Cybersecurity Threats, Data Transfers Rules, and AI Compliance with Data Privacy Laws

Rachel V. Rose | Rachel V. Rose – Attorney at Law, PLLC

Rachel V. Rose is a seasoned attorney whose practice sits at the crossroads of cybersecurity, healthcare law, securities, and regulatory compliance. As Principal of her Houston-based firm, she brings nearly a decade of focused transactional, compliance, and litigation experience to matters involving HIPAA, the HITECH Act, the False Claims Act, Dodd-Frank whistleblower claims, and emerging cybersecurity threats — making her one of the most versatile and sought-after voices in health law and data security.

Education & Credentials

• Rachel holds a Juris Doctor from Stetson University College of Law, where she served as Editor of The Journal of International Law and Aging, and a Master of Business Administration with minors in healthcare and entrepreneurship from Vanderbilt University. She earned her Bachelor of Arts in History from The Pennsylvania State University, and completed an Executive Education Certification in the Program on Negotiation & Leadership at Harvard Law School. She is licensed in Texas and admitted to practice before the Supreme Court of the United States, as well as the CO, DC, SDTX, NDTX, EDTX, and WDTX federal courts.

Recognition & Leadership

• Rachel’s accomplishments have earned consistent national recognition. She is a Fellow of both the Federal Bar Association and the American Bar Association, and has been named to the Texas Bar College every year from 2018 through 2025. She has appeared on the National Trial Lawyers Top 100 list from 2019 through 2024, the National Women Trial Lawyers Association’s Top 25 from 2018 through 2024, and the National Association of Distinguished Counsel’s Nation’s Top One Percent from 2022 through 2025. She has also been recognized by SuperLawyers (2023–2025), Houstonia Magazine’s Top Lawyers in Healthcare Law (2018–2019), and received both the National Scribes Award and The William F. Blews Pro Bono Service Award during her legal education.

Professional Involvement

• Rachel serves as a Director on the Federal Bar Association’s National Board and sits on its Government Relations Committee. She is also a board member of the Federal Bar Association’s Qui Tam Section and an Affiliated Member of the Baylor College of Medicine’s Center for Health Policy and Medical Ethics, where she teaches bioethics. She is co-author of two American Bar Association publications — The ABCs of ACOs and What Are International HIPAA Considerations? — and co-editor of the American Health Lawyers Association’s Enterprise Risk Management Handbook for Healthcare Entities (2nd Edition).

Experience

• Rachel’s career trajectory is genuinely distinctive. Before founding her firm, she worked on Wall Street and at a Big Four consulting firm, produced for the Chairman of the Reform and Oversight Committee on Capitol Hill, interned at the Department of Health and Human Services, compiled policy papers at the Royal College of Nursing in London, and clerked for the Honorable Linda R. Allan of Florida’s 6th Judicial Circuit. She also served as a top-performing representative in the pharmaceutical and medical device industry before becoming Director of Business Development and Assistant General Counsel for a healthcare advisory company. Today, she is extensively published and a nationally recognized presenter on cybersecurity, HIPAA/HITECH, qui tam, physician reimbursement, anti-kickback and Stark laws, and a broad range of healthcare compliance topics.

Brittany M. Bacon | Hunton Andrews Kurth LLP

Brittany M. Bacon is one of the country’s foremost authorities on privacy and cybersecurity law. As a partner and co-head of the Technology Industry Group at Hunton Andrews Kurth — home to one of the world’s top-ranked global privacy and cybersecurity practices — she advises multinational companies on the full spectrum of data protection challenges, from catastrophic breach response to proactive governance program design. With a client roster spanning gaming and hospitality, financial services, energy, healthcare, retail, and consumer goods, Brittany brings exceptional depth and real-world experience to every engagement.

Education & Credentials

• Brittany holds a Juris Doctor from Washington University in St. Louis School of Law (2009) and a Bachelor of Arts, earned cum laude, from the University of Notre Dame (2006). She is admitted to practice in New York.

Recognition & Leadership

• Brittany’s reputation in the field is reflected in an extensive and sustained record of national and international recognition. She has been ranked as a Leader in Privacy & Data Security by Chambers USA (2018–2025) and Chambers Global (2020–2026), and recognized by Legal 500 United States as a Leader for Cyber Law and FinTech (2021–2025), having previously been named a Next Generation Partner (20172020). She was honored by Euromoney’s Rising Stars Awards Americas for Privacy and Data Protection (2020–2022), named a Rising Star by both Law360 and the New York Law Journal in 2018, and selected for Global Data Review’s inaugural 40 Under 40 Data Lawyers list that same year. She is also a recipient of the City Bar Justice Center’s Jeremy G. Epstein Award for Pro Bono Service (2016).

Professional Involvement

• Brittany is a member of the New York Bar Association and serves on the Board of Directors of the City Bar Fund, the nonprofit arm of the New York City Bar Association. She also volunteers as an attorney with Volunteer Lawyers for the Arts and is a member — and former Global Teen Director — of Teenangels. A prolific author and speaker, she has published widely on topics including ransomware, the EU AI Act, SEC cybersecurity disclosure, CCPA, and board-level cyber governance, and has presented at leading forums including PLI, the IAPP Conference, the Edison Electric Institute, and the Blackstone Portfolio CISO Summit, among many others.

Experience

• Brittany’s practice centers on two pillars: incident response and privacy compliance. On the incident response side, she has served as lead counsel on the two largest reported data breaches in history — collectively affecting more than three billion user accounts — and has managed hundreds of additional incidents across industries. Her breach work encompasses regulatory investigations across multiple jurisdictions, ransomware response, Board of Directors briefings, consumer and media communications, and M&A deal contexts. She also builds comprehensive breach preparedness infrastructure for clients, including incident response plans, ransomware playbooks, and executive-level tabletop exercises. On the compliance side, she advises on CCPA, GLB, CAN-SPAM, GDPR, and a broad array of U.S. and global data protection laws, conducts privacy impact assessments, counsels clients on AI and machine learning governance programs, and negotiates privacy and data security provisions in complex commercial contracts and vendor agreements.

Dhara Shah | Uber

Dhara Shah is a forward-thinking attorney and technologist operating at the convergence of artificial intelligence, data privacy, and regulatory compliance. As AI Legal Counsel at Uber Technologies, she leads enterprise-wide efforts to operationalize AI responsibly — building the governance infrastructure, policies, and cross-functional structures that allow one of the world’s most complex technology companies to deploy AI at scale while managing legal and regulatory risk across jurisdictions. With a background that spans BigLaw, programming, and emerging technology law, Dhara brings a rare combination of legal rigor and technical fluency to one of the most rapidly evolving areas of practice today.

Education & Credentials

• Dhara holds a Juris Doctor with a focus on emerging technology law, a Bachelor of Arts in Business Law, and a Bachelor of Science in Computer Information Systems — a multidisciplinary foundation that directly informs her ability to bridge legal, product, engineering, and safety teams. She is also an IAPP Certified AI Governance Professional (AIGP), reflecting her deep commitment to the development and application of responsible AI governance frameworks.

Recognition & Leadership

• Dhara has been recognized as one of 19 AI Governance Leaders Transforming Business, a distinction that highlights her influence in shaping how organizations approach AI risk and oversight. Her perspective on governance — that it should function as a continuously evolving practice rather than a static compliance exercise — has made her a sought-after voice in industry forums and regulatory working groups alike.

Professional Involvement

• Dhara serves as Chair of the IAPP AI Governance Affinity Group, where she helps shape the professional community’s approach to AI governance standards and best practices. She has also served as a Working Group Member for the NIST Generative AI Working Group and the EU AI Act Code of Practice, contributing directly to the development of two of the most significant AI governance frameworks in the world. She is a frequent speaker at industry events, including the AI & Big Data Expo North America, and is widely published on topics spanning AI policy, consumer privacy law, and enterprise compliance strategy.

Experience

• At Uber, Dhara leads cross-functional initiatives to operationalize AI responsibly across the enterprise. Her work includes authoring and deploying AI policies, standards, and playbooks; establishing model inventories and documentation practices; and partnering with business, technical, and legal teams to design internal AI governance committees and decision-making structures. Prior to her in-house role, she gained experience in BigLaw advising clients across a range of technology, privacy, and compliance matters. She also brings extensive U.S. consumer privacy law expertise, helping organizations align AI and data practices with evolving regulatory requirements — making her particularly well-positioned to counsel inhouse teams navigating the intersection of existing privacy frameworks and emerging AI obligations.

Julia B. Jacobson | Squire Patton Boggs

Julia B. Jacobson is a seasoned privacy and cybersecurity partner whose practice spans the full lifecycle of data risk — from proactive compliance program design and technology contracting to breach response and regulatory enforcement. With more than two decades of experience advising national and multinational organizations, she brings exceptional practical depth to some of the most consequential issues facing businesses today: AI governance, crossborder data transfers, vendor risk management, digital advertising compliance, and the rapidly expanding landscape of U.S. state privacy law. Her clients range from B2B and B2C technology providers to manufacturers, retailers, and organizations in the highly regulated financial services, health, and health tech sectors.

Education & Credentials

• Julia holds an LL.M. and a J.D., both from Boston University School of Law (2001 and 1999, respectively), and a Bachelor of Arts from the University of Michigan (1988). She is admitted to practice in Massachusetts. Julia is also a Fellow of Information Privacy with the International Association of Privacy Professionals (IAPP), holding both the CIPP/US and CIPM certifications, and earned a Data Ethics Certificate from the Data Institute at the University of San Francisco in 2021.

Recognition & Leadership

• Julia is a recognized leader in her field across multiple professional organizations. She serves on the Board of Directors of iTechLaw and co-chaired the organization’s 2022 World Technology Law Conference. She co-chairs the Boston chapter of the IAPP KnowledgeNet and sits on the Privacy, Cybersecurity & Digital Law Steering Committee of the Boston Bar Association. She has moderated panels at the IAPP Global Privacy Summit and presented at premier industry forums including the ANA Masters of Advertising Law Conference, the RSA Conference, Compliance Week’s Cyber Risk & Data Privacy Summit, and the ABA Business Law Fall Meeting, among many others.

Professional Involvement

• Julia is a prolific author and speaker, contributing regularly to leading publications including Bloomberg Law, OneTrust DataGuidance, Legal Tech News, and Competition Policy International. She has co-authored pieces on AI policy, dark patterns, state consumer privacy laws, and ESG risk, and has presented hundreds of CLE programs for organizations including Strafford, myLawCLE, the Federal Bar Association, the American Bar Association, and the Boston Bar Association. She also serves as the data breach coach for a number of national and international clients, providing hands-on guidance when incidents occur.

Experience

• Julia’s practice operates across three interconnected pillars. In privacy, cybersecurity, and incident response, she advises clients on privacy notices, policies, and procedures; privacy risk assessments; data sharing and licensing transactions; consumer rights requests; and the privacy and cybersecurity dimensions of AI and emerging technology deployment. She has particular depth in cross-border data transfers, proactive cybersecurity risk management, and assessing whether security practices meet the “reasonable” standard under applicable law. In technology transactions and AI, she draws on 20+ years of experience to negotiate complex technology agreements, develop vendor screening tools, and counsel clients on balancing risk and opportunity in machine learning and AI contexts. In marketing and promotions, she advises brands, agencies, and marketing technology providers on mobile marketing, email and telemarketing compliance, sweepstakes and contests, digital advertising, co-branding, and commercial co-venture agreements — with an increasing focus on data ethics and stakeholder-centered data practices.

Sammuel Kim | Squire Patton Boggs

Sammuel Kim is a rising voice in data privacy, cybersecurity, and artificial intelligence law. As an associate in the Data Privacy, Cybersecurity & Digital Assets Practice at Squire Patton Boggs, he brings a holistic and pragmatic approach to the complex compliance challenges facing businesses operating in today’s rapidly evolving regulatory environment. With a client base spanning financial institutions, health and insurance providers, B2B and B2C technology companies, retail and e-commerce businesses, marketers, publishers, AdTech intermediaries, schools and universities, and critical infrastructure and government contractors, Sammuel delivers tailored, forward-thinking counsel across a wide range of industries and legal contexts.

Education & Credentials

• Sammuel holds a Juris Doctor from Vanderbilt University Law School (2022) and a Bachelor of Science, earned cum laude, from Fordham University (2019). He is admitted to practice in New York (2022) and the District of Columbia (2023).

Recognition & Leadership

• Sammuel has been selected to serve on the City Bar Justice Center’s Pro Bono Leadership Council for 20252026, reflecting both his commitment to access to justice and his standing within the New York legal community. He maintains an active pro bono practice dedicated to serving veterans, small businesses, nonprofits, and other individuals in need of legal assistance.

Professional Involvement

• Sammuel is an engaged member of the data privacy and cybersecurity legal community, regularly contributing his expertise to client advisories, compliance education, and industry discussions at the intersection of privacy, AI, and emerging technology law. His pro bono work through the City Bar Justice Center further reflects a commitment to using his legal skills in service of broader community needs.

Experience

• Prior to joining Squire Patton Boggs, Sammuel practiced at other international law firms where he advised clients across a broad range of industries on data privacy, cybersecurity, AI, and advertising and marketing law matters, as well as technology, corporate, and commercial transactions. At Squire Patton Boggs, he focuses on helping clients navigate U.S. federal and state privacy laws — developing, evaluating, and enhancing data privacy and compliance programs — and has extensive experience conducting diligence and negotiating transactions in the data privacy, IT, AI, and cybersecurity space. He also counsels clients on cybersecurity risk management, including preparedness activities and incident response planning. Also counsels clients on cybersecurity risk management, including preparedness activities and incident response planning.

Session I – Managing Risks in Today’s Cybersecurity Landscape | 12:00pm – 1:00pm

• Examine the current cybersecurity threat environment
• Trends in the cybersecurity landscape
• Learn best practices for data breaches
• Notification obligations and regulatory reporting timelines
• Prepare for the inevitable by taking proactive steps to minimize risks

Break | 1:00pm – 1:10pm

Session II – Cybersecurity Expert: What Reasonable Security Looks Like and Why Breaches Still Happen | 1:10pm – 2:10pm

• Defining “reasonable security” standards
• Common causes of data breaches despite security programs
• Cyber risk assessment in transactions and vendor management

Break | 2:10pm – 2:20pm

Session III – The Sensitive Bulk Data Transfer Rules | 2:20pm – 3:20pm

• Determining when data and a data transaction are in scope for the Bulk Data Rule
• Evaluating covered data transactions as prohibited or restricted
• Assessing vendors and vendor contracts for covered data transactions
• How the Bulk Data Rule relates to state consumer privacy laws and other laws, and how the Bulk Data Rule has been used in lawsuits
• Assessing and uplifting current compliance policies and procedures

Break | 3:20pm – 3:30pm

Session IV – Legal Compliance and Enforcement Trends at the Intersection of AI & Data Privacy | 3:30pm – 4:30pm

• How AI laws translate into internal AI governance requirements
• Privacy compliance as the foundation for AI governance programs
• Enforcement hotspots and early signals from regulators
• Common governance failure modes regulators are targeting
• Practical compliance steps for tracking laws and implementing controls in large organizations