Keeping it Real (current): I’m back

im back 2Hello everyone! I am back. I wasn’t sure I would be, but based on comments this week at the Privacy, Security, Risk conference in Austin by IAPP – some people have missed me. I’m so sorry.

I thought blogs were out of style (Should I do YouTube or podcast?), but apparently, a couple of people do like to read what I write.

So here we are.

Today, I had the honor to moderate a panel of fantastic professionals – all women. All so very fabulous. The session was on Leadership and Privacy – and beyond featuring Agnes Bundy Scanlan (Treliant Risk Advisors), Liisa Thomas (Sheppard Mullin Richter and Hampton), and Katie Licup (Discover).  The session was centered around these women and what they have learned in their practices over the years. Seriously – Agnes hired Trevor Hughes, president and CEO of IAPP, 16 years ago when she was the first chair of IAPP.  Liisa had some great advice that she had received in law school from one of her favorite professors who told her to always shoot for the best job and the right pay. If she doesn’t, she is jeopardizing everyone else. And given that her professor himself aimed for the best job and made it…. President of the U.S. (Barack Obama) – she takes that advice to heart. So do I.

Other great programs. Surrounded by privacy peeps. The world doesn’t get much better. Well, until I went to eat Cooper’s BBQ. WOW. and gluten free. I was in brisket heaven.

So I will write. or I will video. or I will cast?  If either of you are reading this, let me know your thoughts.

How to break into Privacy as a Career

This topic seems to be more important than ever given the global demand (okay, mainly the European demand) for experienced privacy professionals. But how do you get experience if no one will hire you – and how do you get hired without having experience?

For privacy in particular, the IAPP has stepped up its efforts – recognizing the need to train professionals quickly and maintain quality. They offer online training in the General Data Protection Regulation and European data protection, available online and in person.  In addition, there is a Privacy Law Specialist recognized through the American Bar Association (squeee – very excited for this).

But what if you are not a member of the IAPP?  First, join it. There are people who have personal issues with either the IAPP or with certifications, but frankly, with very little else in the world to compete with this recognition – it’s pretty much the only game in town. There are other certifications and groups, don’t get me wrong – there are health care privacy certifications, research certifications, ISO27k certifications, CISSP, and many more. But still, CIPP, is what companies look for when looking for someone skilled in privacy.

Does being certified in information privacy mean you are an expert – no. But it is a way of demonstrating that you passed an objective measurement that indicates that you have a baseline knowledge. Call me old-fashioned, but to me, if you have been measured and found acceptable, then I expect you to demonstrate that knowledge. I am often disappointed – don’t get me started on registered nurses, doctors, and attorneys that I consider to be incompetent. That’s a whole ‘nother blog.

Back to the point of the post – you can break into the privacy field, whether you are an attorney or not. Play to your strengths and enter through a related position. If you are a litigator, start litigating on privacy issues. If you work in a bank, get into the privacy office. If you are in insurance . .. well, you should get the point. Contact the people in the privacy area of where you work, or want to work, and be upfront with them.

Make connections. Network. And keep in mind that networking, while you hope it will benefit you at some point, is not about you. It is about the person you want to know.  What can you do for them?  And then don’t be afraid to use your network to help others. Good deeds will come around.

Be active in discussion groups. Comment on stories that people post. Engage others – and on intellectual points, not in arguments. Get your name out there.

Start writing articles for industry publications. They love new blood and insight.

Join committees and work.  Don’t just lurk. Work.

And most of all, pay attention. Right now, the application for the Privacy Law Specialist is due. Today.  And I completely missed the news on it, being heavily engaged in actual working. So… sigh. I won’t be in the inaugural group, which sucks. But it underscores a key point – pay attention and execute on a timely basis.

Make sure your name, when called, is meaningful.

If you have other suggestions, please comment. If you have questions, please ask.


Why Work in Privacy?

top 5Often, when asked what I do, the person is totally flummoxed when I respond that I am a privacy attorney. Sometimes, they will even ask – what does that mean? Well, if I said I was a contract attorney or a patent attorney, they would understand, right? It means I handle contracts or patents – or specifically in my case, I handle privacy.

Ah – that’s the problem, they don’t understand privacy. I mean, seriously, how do I find enough work to fill 40 hours a week?

Privacy is the concept that information about ourselves is only shared to individuals/companies  whom we want to know those things about us.

Simple, right? Not so much.

So why would anyone want to work in privacy? All day long, every day, the whole year, for decades, we fight a battle that few people ever see. It’s like starring in a vampire drama – there’s a fight happening in a world that most people don’t see and would not believe. And like vampires, we typically work in the dark, our emergencies happen at night, and we live off a critical element that is very personal to people….data. And to most of our colleagues, we’re the boogie men who come to steal your profits while you’re sleeping (or when you’re bad).

So why work in privacy?

My top five reasons:

  1. I’m such a geek rebel that I C# and bleed java. I am building a complete Padme parade dress costume for ComicCon. My UAV isn’t even registered. I speak in movie quotes. And Sheldon is my hero. Bazinga!
  2. Unlike most corporate attorneys, I may work for the company, but my job is to protect the little guy. I always did go for the underdog – I liked Tom Wopat not John Schneider and I preferred Larry Wilcox to Eric Estrada. I may look like a heartless corporate attorney, but really…I’m all squishy inside.
  3. The field is growing by leaps and bounds. Everywhere you turn, there is data being collected, used, shared, abused, lost, forgotten, manipulated, and more! Technology is getting smaller, stronger, and can  hold more data.
  4. The privacy field is a gender neutral one.  Perhaps because of the way it grew up, women tend to  have equal pay and leadership roles.
  5. My ADD (Attention Deficit Disorder) has free reign! I am  never bored; I can work on 46.3 projects at a time; and given how fast the field changes – if I don’t like something, it is likely to be different tomorrow.

Being a privacy professional is a calling for certain people and requires flexibility, rampant curiosity, thick skin, and a relentless gift for persuasion. If you don’t love it – don’t get in it. It is not a profession for those seeking glory or an easy desk job.

IAPP Global Privacy Summit 2015: session highlights and closing session

In this post, I won’t go into details about each day or every session. You can see the schedule and descriptions here. However, I do want to touch on some key points.

With over 3,000 attendees, several sessions were standing room only. The venue worked with the IAPP to move some of the more popular sessions to larger rooms, but nearly every session I went to had ten-fifteen people standing in the back and along the sides.

In general, the sessions were staffed with qualified professionals, albeit not necessarily gifted speakers. Sometimes, it really is their experience and knowledge we crave, so we can tolerate a lack of creativity and speaking skill.  I will say though, that after one of my speaking sessions, all of my co-panelists and I were stopped over the next two days by attendees and profusely thanked for the quality of our session – entertaining and informative. As a speaker, there is no better compliment. Additionally, there were quite a few really good speakers in sessions that I attended.

On the other hand, there was one session I attended that I enjoyed the speakers, enjoyed the session, smiled, clapped, and walked out of there wondering what I actually learned. I even went back to the program guide to see what I was supposed to have learned.

Closing general session: Google guy. not impressed (very sorry, I wanted to be and I am sure he is a heck of a qualified professional). I probably just blew any chance of a job at Google. I really wanted to be impressed. I was interested. Google is a huge topic of interest in the privacy world. But sadly, this one simply did not hit the mark.

Sarah Lewis. Blown away. Fabulous speaker. Great topic. Hit the delivery spot on. An amazing presence. Had us laughing, listening, and enthralled. She spoke about creativity and gave examples such as Samuel Morse, J.K. Rowling, Albert Einstein, and Charles Lund Black, Jr. – whose meeting with Louis Armstrong entrenched his interest in civil rights.

And last, Oren Yakobovich a social entrepreneur who uses cameras to capture violations of human rights.  He co-founded Videre, an NGO which equips people in oppressed communities with cameras to uncover information. He showed us some videos – the gain of which endangers the lives of those who wear the cameras – cameras hidden in clothes, wood, stones. He was poised, passionate, and persuasive. He humbled us all.

In conclusion of this short three-part series, I met wonderful professionals, learned a lot of information, and reconnected with people I seem to never see outside the conferences. The IAPP serves such a true purpose – to give both roots and branches to those of us in privacy. Beyond a doubt, the IAPP has moved this profession forward by huge leaps. I am a raving fan. If you have a chance to get involved (if you like privacy), take advantage of the opportunity.

Pre-conference Workshops – an overview (IAPP Global Privacy Summit 2015)

if you are interested in privacy, pay attention to IAPP and attend the conferences. Don’t write off the pre-conferences. They are powerful, informative, valuable sessions well worth your time and money. Read further to learn more.

In the first post to this series, I discussed the location, venue, attendees, and opening session of the IAPP Global Privacy Summit 2015. In this post, I will briefly discuss the pre-conference workshops.

The IAPP designates the day before its summit as the “pre-conference” day. I was honored and delighted to participate in the pre-conference this year, so I cannot speak directly to the content and quality of this year’s workshops – but I have attended some previous pre-conference workshops of the same topics. And some I have not.

In addition to workshops, the pre-conference day includes training sessions for the IAPP certifications, several KnowledgeNet meet-ups, and various networking events – such as peer-to-peer roundtables, young professionals, and 5-minute mixers.

In general, the workshops all seem highly relevant to privacy professionals and seem to contain valuable information. The IAPP does charge extra to attend the pre-conferences, but every year, there are quite a number of people who attend.

Half-day morning workshops: There were three workshops presented on Wednesday from 9 am to 1 pm:
– the Data Breach Notification Bootcamp,
– the EU Privacy Bootcamp, and
– Piecing Together the Privacy Engineering Puzzle.

  • Given the number of breaches in the recent past, the first workshop was probably a popular one. Ponemon Institute named 2014 as the Year of the Mega Breaches.
  • The EU Privacy Bootcamp is also popular with anyone whose company does business in the European Union. The EU is the strongest multinational privacy regime in the world and is thus a topic that a global company – or simply one who is active in the EU – should know quite well.
  • The last session on the privacy engineering is not one with which I am familiar, but OH MY GOODNESS, I should have been there. (my excuse was inshlepping back and forth from the Mayflower, but seriously, I should have just got my sillybutt up and attended). Here are some excerpts of the description:
    • Include privacy considerations in the systems engineering and development process.
    • …a survey of the evolution of “privacy engineering” and how it can be used to achieve Privacy by Design objectives…
    • …explore the current efforts underway to define the privacy engineering discipline, including the status of the federal privacy engineering model the National Institute of Standards and Technology (NIST) is developing…


Half-day afternoon workshops: there were three sessions presented on Wednesday afternoon from 2 pm – 6 pm:
– Globalizing Your Privacy Program: The Hot Buttons,
– Healthcare Privacy—Diagnosis vs. Prognosis of Hot-button     Topics in Healthcare, and
– Privacy Bootcamp.

  • Globalizing a privacy program sounds like an incredibly practical and useful workshop. I recognize some of the names presenting and know them to be very knowledgeable and practical.
  • Healthcare privacy was the one in which I spoke. Trust me, it was riveting! Seriously, good speakers and great material. We did not get to discuss some of the topics in depth because our fabulous audience was highly engaged.
  • Privacy bootcamp is a successful annual workshop presented by Trevor Hughes, president and CEO of IAPP and Kirk Nahra, partner with Riley Wein and frankly, one my favorite privacy attorneys ever. ’nuff said.

And last, there is one full day workshop, Privacy in the Cloud with a Silver Lining. Cloud services are always a controversial topic for privacy professionals, so it was likely a packed house.

I apologize that I cannot give you summaries of the sessions nor true feedback on their value. The purpose was to give you an overview on the offerings and some insight into whether attending the IAPP’s pre-conference workshops is valuable.

IAPP Global Privacy Summit 2015

I love conferences. I had a boss who told me he did not like conferences, they were just big parties. I found that to be odd – all the conferences I had ever gone to – whether with the IAPP, HCCA, the Equal Justice Conference with the ABA, etc. – I had been subsumed with attending the sessions and learning. Then I attended the ACC, which is incredibly informative and educational – but for those it appeals to, there is definitely an opportunity to participate in social events and networking.

Let’s break down the IAPP Global Privacy Summit 2015. I’ll do this in a few posts as I have more to say than should be shared in one post.

First: location. This conference is always in DC in the Early spring. March seems to be a little too early, more late winter than early spring. It’s been freaking cold COLD the past couple of years. Last year was my first year to come to the Global Privacy Summit and there was ice and snow on the ground then, too.  I have heard rumors that they are moving it to April for 2016. I hope so!

Hotel: The venue was moved to the Mariott Marquis this year and it was wonderful. Well…other than those who were here on Monday were shifted to the Mayflower for the night. Now the Mayflower is supposed to be awesome, but it fell way short of that. The floor I was on was being renovated, including the room next to mine. I dealt with construction noises and fumes the entire time I was there. I am horribly allergic to chemicals, so I was miserable. The Marriott was pleasant. The movement from floor to floor for sessions was easy. Even schlepping over to the huge ballroom for the opening and closing sessions was fine.

Attendees: The IAPP has reached over 20,000 members and over 3,000 of them were at this conference. There were not enough seats for meals and people were eating at vendor booths, standing in hallways, etc. But that was a minor inconvenience. There were a huge number of IT/Information Security professionals there which was truly encouraging for the collaboration between the fields. Also, one of the big draws for this summit is the number of government personnel and foreign privacy professionals who attend. I met quite and few. Discussions tend to range from personal to professional, privacy to education, kids to processes – seriously, the scope and breadth of topics individually and in small groups was enormous – thought-provoking and entertaining. Networking is like breathing. Never met a privacy professional I did not like.


Opening session was typical. Trevor Hughes, president and CEO of IAPP, is exactly what one would expect for such a group. He is engaging, informative, and enthusiastic. (I had a couple of personal minutes with him as he was locked out of his room and waiting for security. He really is as human as the rest of us.)

Hilary Wandall, Associate Vice President, Compliance and Chief Privacy Officer of Merck & Co., Inc., current Vice Chair for the IAPP Board of Directors served as emcee for the event. I had the opportunity to meet her later during the conference and was surprised that she knew my names – and of course responded with my typical complete lack of sophistication. I only have one time to make a first impression so I sure hope her impression was formed long before we met! She is charming, quite intelligent, composed, and a wonderful public speaker.

Glenn Greenwald, journalist, who authored No Place to Hide, a book detailing his coverage of the NSA scandal and Edward Snowden’s disclosures. He is an excellent speaker – and no matter your opinion on NSA, Snowden, US surveillance – he is in the thick of exposing privacy and security concerns. He is not an inspiring speaker, but his words are riveting.

Next up was Michael Sandel, Anne T. and Robert M. Bass Professor of Government, Harvard University. Now here is an interesting speaker. He is obviously a law professor – he has a charming habit of leaning on the podium at times that makes him seem like an average joe…kinda. It is evident by his words that he is far from average. He engaged the audience directly – calling out questions, seeking impressions, and near-Socratically delving further into a speaker’s opinion.

Tune in for the next installment of the pre-quel to the opening sessions, the pre-conference.