News Releases
December 17, 2024

Shaping the Future of Privacy and Cybersecurity: Highlights from the 2024 Boston Bar Association Digital Law Conference

Article

By Ashley Fisher, Associate, Holland & Knight LLP

On December 5, 2024, the Boston Bar Association held its annual Privacy, Cybersecurity and Digital Law Conference.  The program featured discussion about the latest trends, legal updates, and challenges shaping the future of digital governance, privacy laws, AI solutions, and cybersecurity.

Leading off as the keynote speakers, Caitlin Fennessy, VP and Chief Knowledge Officer at the International Association of Privacy Professionals (IAPP), and Peter Lefkowitz, Principal at Amity Digital Risk, engaged in a fireside chat on “Navigating Digital Governance.”  The conversation included a discussion around the importance of adopting digital governance structures within an organization that expand beyond the bounds of what is traditionally regarded as “privacy.”  Having a structure to address the growing number of diverse data-related obligations is vital in avoiding what they described as “digital entropy”—using the scientific term for a state of disorder and uncertainty.  Caitlin and Peter also discussed how roles are changing within and outside of privacy compliance groups, the need for privacy and cybersecurity experts on boards of directors, and ways to focus on high-risk areas when addressing challenges around data governance.

In “International Cybercrime: What to Be Alert for in 2025,” Seth Kosto, Chief, Securities, Financial, and Cyber Fraud Unit, U.S. Attorney’s Office for the District of Massachusetts, Peter Manning, Managing Director, Naxo, Adam J. Bookbinder, Co-Chair Government Enforcement & Compliance, Choate Hall & Stewart, and Linn F. Freedman, Partner, Chair Data Privacy & Cybersecurity, Robinson + Cole, highlighted new and growing cybersecurity risks and schemes.  These included hack-to-trade conspiracies, a form of insider trading premised on material non-public information obtained through hacking; cryptocurrency and blockchain crimes; and nation-state attacks.  The panelist shared cautionary tales along with warnings around uses of social media.

Nick Farnsworth, Senior Associate, Orrick, Rachel Marmor, Partner, Data Strategy, Privacy, and Security, Holland & Knight LLP, and Jared Klebanoff, Assistant General Counsel, Privacy at Marqeta, provided guidance on how to prepare for upcoming privacy laws in “Big Data is Watching (Are You?): Hot Topics and Trends in Privacy.”  Noting five new state comprehensive privacy laws going into effect in January 2025, the panelists emphasized the importance of documentation in the face of a growing privacy landscape.  Areas noted as ripe for additional legislation included artificial intelligence, children’s data, and protection of reproductive health information.  With regard to AI, the panelists suggested risk assessment is likely to be the focus of enforcement of AI legislation, regulators requiring companies to show they are being diligent in their implementation of AI solutions and taking the time to think through the relevant issues.  The panelists also cautioned that a lack of media coverage around enforcement actions does not suggest a lack of action by regulators.

In “Contracting for AI Solutions Against an Evolving Regulatory and Compliance Landscape,” Kisha Wilson, Associate, Holland & Knight, Beatrice Botti, Vice President, Chief Privacy Officer, DoubleVerify, Kyle J. Glover, Partner, Pierce Atwood, and Eric Mueller, Managing Director, Chief Operating Officer & Head of North America, D2 Legal Technology, discussed the growing ubiquity of and questions presented by artificial intelligence.  While there are emerging compliance risks around new AI laws, the panelists highlighted that use of AI will be governed by whatever law would govern the activity if it were conducted by an employee.  Concerns regarding the quality and accuracy of the underlying code, the risk of bias, and the light in which customer-facing chatbots might represent the company were also mentioned.  On the topic of contracts, the importance of reviewing existing contracts—and the immense effort needed to do so comprehensively—was acknowledged with the advice to review all contracts, at minimum, upon renewal, and to recognize that contracts signed even within the last year might not adequately address AI concerns.  Internally, companies should consider appropriate uses of AI, identify individuals responsible for implementation, and think about internal controls that can be put in place.

In the concluding panel, “Regulatory Roundup: New England Regulators Discuss the Latest in Data Protection,” which was moderated by Kevin Angle, Senior Counsel, Holland & Knight, Stephen Provazza, Unit Chief, Consumer and Economic Justice Unit at Rhode Island Office of the Attorney General, Brandon Garod, Senior Assistant Attorney General, Chief of Consumer Protection and Antitrust Bureau, New Hampshire Attorney General, and Kaitly Karpenko, Assistant Attorney General, Massachusetts Attorney General, discussed ways to engage with their offices around privacy compliance, and what their offices were doing to prepare for enforcement of applicable privacy laws, including the new, comprehensive laws in New Hampshire and Rhode Island.