Categories
Great Women in Compliance

Great Women in Compliance: Privacy and AI Compliance – A Principled Approach

In this episode of the Great Women in Compliance podcast, Hemma and Ellen host a roundtable with Hope Anderson, a partner in White & Case’s Data, Privacy & Cybersecurity Practice, and Jean Liu, Assistant General Counsel, Privacy, Safety, and Regulatory Affairs who joined Microsoft in 2023 as part of the Nuance Communications, Inc. acquisition.

Hope and Jean have a wealth of experience advising on privacy, AI, and data governance compliance issues, and they are well-positioned to leverage this experience in the wake of a rapidly evolving regulatory landscape. Hemma and Ellen didn’t waste a minute mining these two experts for practical tips and recommendations for those of us looking to get smart quickly and grapple with what seems like a behemoth task of keeping up with developments in technology and legislation while at the same time, making sure we don’t get left behind in learning to leverage AI in our functions.

Join us for an engaging ride through the ups and downs of privacy and AI compliance, and be inspired as we were by the great opportunities to develop new and exciting use cases while mitigating risk and the chance to unlock the power of responsible and ethical AI for our businesses.

Key Highlights:

  • Getting up to speed with the rapidly evolving regulatory landscape

  • The role of AI principles vs policies and procedures

  • Human Rights, Bias, and AI

  • Keeping the “Human in the Loop”

  • Thoughts on a US Federal AI or Privacy Law

  • Leveraging AI for Ethics and Compliance

  • Key resources and recommendations

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Guest Bios:

Hope Anderson is a partner in White & Case’s Data, Privacy & Cybersecurity Practice, based in Los Angeles. She has extensive experience advising on all aspects of privacy and is at the forefront of Generative AI, advising on the technology’s legal implications and practical applications. A member of the Firm’s Global Technology Industry Group, Hope has extensive experience in privacy and product counseling. She advises on e-commerce, privacy by design, Generative AI, AR/VR, biometrics, analytics, and issues implicating consumer protection, marketing, and advertising laws.

Jean C. Liu is an Assistant General Counsel in the Privacy, Safety, and Regulatory Affairs division and joined Microsoft in 2023 as part of the Nuance Communications, Inc. acquisition. Immediately before its acquisition, Jean served as Nuance’s Vice President and Chief Legal, Compliance, and Privacy Officer, leading the global legal, compliance, and privacy functions. She developed and implemented data privacy policies and practices to ensure that customer and business data, including protected health information, is strictly governed and privacy is maintained. Jean has over 29 years of experience leading compliance and privacy programs, successfully managing data incidents, including regulatory investigations, and implementing best governance and risk management practices across multiple industries.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance: Episode 28 — CZ v. SBF Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

In this episode, Tom and Kristy take on a wide variety of compliance related topics.

One of the key issues they look at are reports suggesting China is strategically relocating forced labor from the Uyghur region to different parts of the country in an attempt to bypass US laws prohibiting goods sourced from areas associated with forced labor.

This could trigger wider limitations on goods originating from China, stressing the necessity for intensive audits and transparency in business operations. This issue has sparked bipartisan concern, hinting at potential upcoming legal actions.

Tom stresses the need for companies to react effectively to reduce risks, possibly through on-the-ground audits and increased accountability in business operations in China. Kristy underscores the need for thorough audits and proactive measures in response to the risks associated with forced labor in China. She raises the possibility of legal consequences for companies found to be misleading about their involvement with forced labor. Both perspectives serve to underline the gravity and complexity of this issue.

Highlights Include:

  • An ex-McKinsey partner says he was scapegoated. (Reuters)
  • CFTC names its first AI Chief. (WSJ)
  • CZ gets 4 months. (WSJ)
  • FCPA violator Ericsson bemoans ‘over-regulation’.  (FT)
  • Corporate investigations are under scrutiny.   (FT)
  • China Moving Forced Laborers Amid U.S. Crackdown, Biden Official Says (WSJ)
  • Robinhood Crypto gets Wells notice from US SEC (Reuters)
  • Report Spotlights Privacy Access Requests (Radical Compliance)
  • Why Employee Bonuses Do Not Work (and What to Do Instead) (Inc.)
  • A Florida man runs to the police for help after committing a crime and ends up behind bars. (Aol.)

Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Sunday Book Review

Sunday Book Review: July 16, 2023 – The Privacy Edition

In the Sunday Book Review, I consider books that would interest the compliance professional, the business executive, or anyone who might be curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. In today’s edition of the Sunday Book Review, now that summer is fully upon us, we look at books on privacy.

·      Privacy’s Blueprint by Woodrow Hartzog

·      Re-Engineering Humanity by Brett Frischmann and Evan Selinger

·      No Place to Hide by Glenn Greenwald

·      Why Privacy Matters by Neil Richards

Resources

The TOP 21 Books in Privacy & Data Protection That You Must Read ASAP in Privacy Whisperer

Categories
Compliance Into the Weeds

Compliance Issues & Events We Are Looking at for 2023

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, Matt and I consider a list of compliance issues and events worth watching in the next 12 months, likely to happen in the coming year, that will be most consequential for corporate compliance and audit professionals.

For 2023 (at least at this point), it is the following:

·      SEC rules on greenhouse gases.

·      PCAOB enforcement.

·      The FTC and privacy enforcement.

·      Fallout from the Oracle FCPA enforcement action.

·      New DOJ corporate crime enforcement policies.

·      An ESG controller.

·      Crash and burn of Elon Musk-style corporate governance.

 Resources

Matt Kelly in Radical Compliance

Categories
Uncovering Hidden Risks

Ep 4 – How Compliance, Data Protection, and Privacy Come Together

Alym Rayani, general manager for compliance and privacy marketing at Microsoft, joins host Erica Toelle and guest host Hammad Rajjoub on this week’s episode of Uncovering Hidden Risks. Alym works closely with engineering leadership to drive product strategy and roadmap while overseeing the product value proposition, marketing efforts, and customer experience. Due to these changes in regulations and increased cybersecurity risk, these areas are converging. Erica, Hammad, and Alym are taking a closer look at a top industry trend: convergence of compliance, data protection, and privacy requirements, and discussing what this means for Chief Information Security Officers.

In This Episode You Will Learn:

  • What areas create quick wins for organizations that create momentum for larger initiatives
  • What the answer is for CISOs to stay in compliance with regulations
  • Risks CISOs will face focusing on data protection without considering compliance and privacy

Some Questions We Ask:

  • What challenges are CISOs, privacy officers, and CCOs seeing from this convergence?
  • How are data protection and privacy changing the way CISOs approach new problems?
  • What should CISOs look for in a data protection technology solution?

Resources:

View Alym Rayani on LinkedIn

View Hammad Rajjoub on LinkedIn

View Erica Toelle on LinkedIn

Related Microsoft Podcasts:         

Listen to: Afternoon Cyber Tea with Ann Johnson 

Listen to: Security Unlocked

Listen to: Security Unlocked: CISO Series with Bret Arsenault

Learn More

Categories
Integrity Through Compliance

Dionne Lomax and Kelly Graf Take a Look at Privacy and Cybersecurity Issues for 2021

Recorded before the recent Colonial Pipeline Ransomware attack, Affiliated Monitors, Inc.’s Managing Director, Dionne Lomax, sat down with Dentons’ Kelly Graf to discuss Privacy and Cybersecurity Issues for 2021 and Beyond. Kelly shares with our listeners how mature their security programs need to be in light of ransomware, phishing, and a post-COVID-19 Work From Home data protection environment. Now that cybersecurity is in the news more than ever, this conversation couldn’t be more relevant.
 

 
They cover topics including:
• The multi-trillion dollar growth in this criminal industry over the last decade
• The importance of remote working standards and network segmentation
• Class action lawsuits regarding large scale data breaches
• Ongoing trends in FTC enforcement of COPPA
• The modern sophistication of phishing and social engineering attacks
• The perverse incentives created by, and the unintended consequences of, the growing cybersecurity insurance industry
• The creative ways that lawyers have used outdated privacy laws to bring data security lawsuits
 
 

Categories
The Compliance Life

The CCO and Privacy with Russ Berland


Tom Fox chats with Russ Berland about how his certification in privacy has facilitated him in his role as CCO.
Another Form Of Risk Management
A number of Russ’ clients needed to address privacy issues; however, the available resources were mostly European. He gained the Certified Information Privacy Professional certification so that he could meet the market need. Russ says that he looks at privacy as another form of risk management. We need to create a framework to comply with privacy laws, as well as investigate any potential violation.
Russ comments that privacy laws in the US are not as comprehensive as the EU’s GDPR. Privacy is generally seen as consumer protection in the US, while it is considered a human right in the EU.
Meeting State Standards
Tom comments that there is no national privacy law in the US at this point. He asks Russ how Aventiv thinks through crafting a privacy policy that might potentially have to satisfy 50 different state privacy laws. At present, Russ says, nine states have created privacy laws. Aventiv’s strategy is to meet the most stringent standards, and make that the national standard. Usually if you meet California’s standards, you can comply with the other states. Russ is pleased with Aventiv’s willingness to embrace compliance as a driver of their company culture.
Resources
IAPP.org

Categories
Everything Compliance

Episode 48-Trump Administration and Compliance, Half-Year Report, Part 1

Welcome to the only roundtable podcast in compliance. In this episode, we begin a two-part episode where we consider the Trump Administration and Compliance, Part 1. This episode includes Sarah Hadden, Mike Volkov and Matt Kelly. Our next episode will feature Jay Rosen, Jonathan Armstrong and your host, Tom Fox.

  1. Sarah Hadden bemoans the death of privacy and explains how the Number 7 has come to haunt her in the modern world of advertising algorithms. Sarah shouts out to the resistance to the Surveillance State and Surveillance Capitalism.
  2. Matt Kelly considers both where the SEC has been and is headed in its rollback of SEC 404 protections and the SEC changes to its whistleblower provisions under Dodd-Frank. Matt treats us to a double shot of rants today as he cannot control himself on the subject of the Trump Administration calling sub-regulatory guidance from the DOJ worthless “paper” while continuing to issue Guidance such as the 2019 Guidance for Compliance Programs. He also rants about the Dutch Data Protection Authority who violated GDPR in a recent release of data and then failed to timely report said breach (to themselves).
  3. Mike Volkov goes hyperbolic in his discusses of the new OFAC compliance program and the current state of OFAC sanctions. Mike rants about the petty criticism of the DOJ’s Evaluation of Corporate Compliance Programs.

The members of the Everything Compliance are:

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

Day 16 of One Month to Better Investigations and Reporting – Privacy Concerns in Internal Investigations

Schrems’ decision by the European Court of Justice, US-based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However, the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question. In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or EU member country. The biggest issue would be personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the company’s property. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available. I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that the only way at this point was to obtain the consent of the investigated person. However, obtaining such consent raises a host of other problems. He said, “Can I get consent for an internal investigation? Can I speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid, the European legislation has to be fully explained, it has to be honest, and it can’t be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails, and I have to inform you that you have the right not to consent, and if you don’t consent, there’s no way I can investigate you. Could you sign the form, please?” As Armstrong went on to note, “What answer is he likely to give in an internal investigation, and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?” With these two key components of any best practices compliance program, hotlines, and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU-sourced information, I believe additional pressure will be put on the compliance function. Any US company with EU-based operations will have to take steps immediately to ring-fence such data originating in Europe. It may also mean locally based-compliance practitioners must head any inquiries. Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company seeking cooperation credit because such a company is required to turn over any information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use. Worse yet, is the option laid out by Armstrong to obtain consent from an investigation target? Not only do I find it improbable that anyone, European or otherwise, would give such consent, but in the unlikely event such consent is given, you have told the target they are the target, and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] allegedly lost the case on how the US firm involved conducted the investigation. They will have, rightly, I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It will need much careful thought to structure data transfers and interviews. How do you move those interview notes? How do you look at emails? All this stuff will be critical so that you don’t break data privacy data protection laws and tip off witnesses, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” How does the Schrems decision contribute to compliance at the tipping point? If you can use two of the key components in a best practices compliance program; based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to prescription of any FCPA violations. Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel, and the VW emissions-testing scandal, the Schrems decision will change the need for a more robust compliance program from now on to help protect a company. 

Three Key Takeaways:

  1. The Schrems decision significantly impacted US-based internal investigations.
  2. Study the privacy laws of the country where you are performing your investigation.
  3. Informed consent is difficult to obtain, but it may be critical for your investigation.

 Take care to protect privacy concerns when performing investigations outside the US.