News Releases
December 11, 2024

Insights Beyond the Conference: Expert Perspectives on Digital Governance and Privacy Law

Article

As the digital landscape continues to evolve, privacy and cybersecurity challenges are becoming increasingly complex. In this exclusive interview, Caitlin Fennessy, Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals, and Peter Lefkowitz, Founder of Amity Digital Risk, LLC, share actionable insights for in-house counsel as well as their perspectives on digital governance, collaboration, and the future of privacy law.

Boston Bar Association: What are the top three items that all in-house counsel should have on their digital governance checklists?

Caitlin Fennessy: In-house counsel should help company leaders understand how digital risks and rules create a need to restructure, resource and report in the coming year.

1. Restructure: Organizations’ governance structures are ill-equipped for the digital age. They are built for legacy risks, with stove-piped reporting lines that create duplicative work and gaps in visibility on digital risks where privacy, cybersecurity, safety, AI governance, intellectual property, competition, finance and other domains intersect. In-house counsel should help C-suite leaders and boards develop a more coherent and cohesive governance structure that leverages resources across teams to identify and address emerging legal and technological risks.

2. Resource: According to IAPP’s annual governance survey, 80 percent of privacy teams have taken on new work beyond the traditional privacy sphere in the past year. This includes work in AI governance, cybersecurity law, data governance, platform liability and more. For many, new resources have been slim. In-house counsel should help company leaders identify the most urgent legal risks as new digital and data-related laws enter into effect and target sparse new resources accordingly.

3. Report: SEC rules now require public companies to report material cybersecurity incidents, risks and governance responses, including management’s role and the board of directors’ oversight. With the SEC on the beat, the cost of getting this wrong is heightened. In-house counsel should look to 8-K and 10-K reporting across their sector and guide their businesses toward industry benchmarks, ensuring governance structures and resourcing are effective to address current cyber threats.

Peter Lefkowitz: I want to lean into Caitlin’s number 3, Report, and suggest that this is an avenue for in-house counsel to provide tremendous value at the highest corporate ranks. The SEC rules require that company leadership and board be well informed about cyber and that they report out associated risks and events to investors. Data governance attorneys are uniquely positioned to collect and aggregate information about digital risk and to frame this information in a way that is meaningful for leadership and ultimately for investors. All of the skills developed over the past 20+ years of privacy impact assessments and privacy risk matrices can now be brought to AI and cyber and, thanks to the SEC, the board will look to data protection counsel to make sense of why and how it impacts their overall corporate risk posture in light of the latest law, guidance, and judicial or regulatory decisions.

BBA: Effective digital governance requires collaboration across departments. What are some ways in-house attorneys can build stronger internal teams to improve overall data and cybersecurity?

Peter: Become best friends with your CISO, your head of audit, and your chief risk officer. Find out, shine a light on, and help fix the tough cyber issues that affect privacy, like missing multi-factor authentication, unpatched networks and machines, and failure to check for malware on the way in and corporate content on the way out. Help the risk team with AI assessments that are practical and gated, focused on key issues like bias testing, identifiable PII and corporate IP leaking out of the LLM, and hallucinations. And make absolutely certain that your reports to management have the names of all of these teams at the top.

BBA: Cybersecurity threats are a notable concern for organizations. What are the top two threats in-house lawyers should be aware of?

Peter: “There’s a shark near the crowded beach: what are the top two risks?” (Answer: The shark has not had breakfast and you are a slow swimmer.) Cyber risks will continue to evolve and become more complex and, as data becomes more valuable, stealing it will become more lucrative for criminals and nation-states. The best we can do, as data governance professionals, is to continue to focus on the OECD privacy principles: collect only what you need, keep it for only as long as you need it, make sure it is used only for specified and legitimate purposes, and build layered defenses to assure that the bad guys find you a less worthy target.

BBA: What should practitioners expect from the new Congress and Administration?

Caitlin:

  • Expect the unexpected. While it’s safe to predict a broad deregulatory agenda across practice areas, we should expect a fair bit of uncertainty.
  • Content moderation sits on a political fault line. This Administration will favor a hands-off approach. While that will be a major shift, it will affect relatively few companies.
  • Privacy and cybersecurity policy by contrast have long been bipartisan and have much broader impact. Companies may see the next two years as their best opportunity in decades to secure a more industry-friendly federal privacy law to replace the growing patchwork of comprehensive state privacy laws. If they do, longstanding bipartisan support coupled with a Republican majority in both houses of Congress could help it over the finish line.
  • During the Biden Administration, federal agencies began considering more prescriptive cybersecurity rules to ensure failure to implement reasonable security practices did not create vulnerabilities that became national security threats. If greater threats emerge, longstanding Republican support for national security priorities could help those rules advance.
  • Data transfer policy is another unknown. While some worry the Executive Order underpinning the EU-U.S. Data Privacy Framework could be undone, that seems unlikely for several reasons. First, much of the Framework was negotiated under the first Trump Administration. Second, it contains a reciprocity mechanism, which was a key priority during the first Trump Administration. Third, the Framework is critically important to industry, and industry’s support for it and its predecessors has been voiced loudly and quickly across successive Administrations, providing durability (on the U.S. side at least) regardless of who sits in the White House. However, anti-trade inclinations coupled with national security concerns could lead to targeted restrictions on more sensitive data transfers, continuing the shift begun under the Biden Administration.

Peter: Caitlin describes the situation well. There are so many cross-currents that it is hard to make any one prediction, apart from the idea that issues around privacy, security and AI will become ever-more central to domestic and international public policy, including international trade.

BBA: Looking ahead, what major developments or challenges do you anticipate in privacy law over the next 5 years?

Caitlin:

  • If a federal privacy law is not forthcoming, states will continue to innovate and legislate. We will see greater divergence across state privacy laws as civil society and industry target lobbying resources at the states and vie for influence. Which state and even city you live in will determine the privacy rights you have, adding to the complexity businesses face.
  • In the next several years, states will also focus legislative activity on AI governance. Expect a lot more sectoral and comprehensive state AI governance rules, making the privacy patchwork seem tame.

Peter: I don’t anticipate a federal privacy law in the next two years and in my view that is a huge loss. It already was difficult navigating the difference between CPRA and GDPR. Now needing to correlate and find a consistent approach to dozens of state laws and regulations around privacy, cybersecurity, AI governance, bias, health data, biometric data and financial data (the list goes on) is a huge drain on resources, with little obvious benefit. My advice is to attend the BBA privacy, security and digital law conference; go to IAPP conferences and take IAPP trainings; and join the Future of Privacy Forum for deep dives on policy. Continue to learn and adapt and continue to press legislators and regulators to keep their eyes on the ball of protecting a swim-lane for practical and beneficial uses of data.