Paul Hastings continues to expand its Chambers ranked Data Privacy and Cybersecurity Group by welcoming Jeremy Berkowitz as a Senior Director of our Solutions Group. Aaron Charfoos, Global Chair of the Data Privacy and Cybersecurity Group, had a chance to speak with Jeremy about his background and what unique solutions he can provide to Paul Hastings’ Clients as well as privacy-related developments to watch in the coming months.

Jeremy, first, welcome to the firm. Tell us a little bit about your background.

Thank you Aaron, it is a pleasure to be part of the Paul Hastings team. I am a licensed attorney, but have spent the past 13 years working for several large management consulting firms – including the Promontory Financial Group and Deloitte – on different privacy and cybersecurity compliance, operational, and technical issues. I have worked with clients across industries to understand where their privacy programs have compliance gaps with various laws (e.g. GDPR, CPRA), and risk frameworks (e.g. NIST, ISO). I have also assisted clients with remediating their gaps including: 1) drafting privacy notices and policies, 2) establishing data subject request protocols, and 3) developing procedures for managing cross-border data, an increasingly challenging environment, given all the different rules in each country, such as data localization requirements.

I have spent a large amount of time also helping clients understand how to build or enhance privacy governance functions, creating new structures and roles/responsibilities that can better help organizations meet privacy regulatory and risk requirements. I have also assisted clients in assessing the best technology solutions for their privacy needs. I think there’s a tendency for a lot of organizations to procure “commercial off the shelf solutions” to manage their privacy programs, but that is not always what they necessarily need, particularly if their data footprint is smaller or limited to specific jurisdictions.

What kind of skills do you think are most relevant to our Solutions Group clients?

I think our clients recognize that best practices around privacy and cybersecurity are broader than “check the box” compliance exercises. Many organizations are seeking to integrate privacy/cybersecurity best practices into their risk management strategies. They recognize the risks to their organizations of a potential data breach or mishandling of personal data beyond the requirements laid out by any law or framework. Additionally, they are increasingly seeing the benefits of being pro-active on these issues. Understanding the types of data that they are collecting, and the risks associated with certain types of processing activities, can help them become more organized and efficient in the long-term. They are then able to make better use of their data to continue to grow and innovate.

What are the key areas of data privacy and cybersecurity that you are looking for in 2023?

Compliance: I’ll be watching state legislatures and Congress closely to see where further legislation may take effect. A federal privacy law along the lines of the ADPPA (introduced in the last Congress) could be a game changer, and while it may be a lot of work to address compliance issues in the short-term, one federal law with some form of preemption language will provide more long-term certainty for stakeholders than 50 state laws. 

Additionally, there will be a lot of activity at the executive branch level. The Federal Trade Commission with a 3-2 majority now will likely pick up the pace of consent decrees against “unfair or deceptive acts” and also continue work on its privacy rulemaking. The Securities Exchange Commission and Consumer Financial Protection Bureau both have active rulemakings that will affect privacy and security programs for organizations that fall under their purviews.

First and Third Party Tracking: Many organizations are still not completely aware of what cookies or other identifiers are on their websites and apps. The growing number of regulatory actions by data protection authorities in this space has forced organizations to account for tracking activity, but also think long-term about their marketing and digital governance strategies. The decline in advertising revenue by many organizations prompted by a growing number of individuals who are opting out of tracking, is forcing key players to reevaluate the use of cookies and other identifiers. Maintaining a balance between respecting the privacy of individuals while still employing a robust marketing strategy is going to be a big challenge for organizations going forward.

Artificial Intelligence (AI): Governments and the private sector continue to release rules and guidance regarding the use of AI and how to best protect the data companies collect through automated processes and machine learning. The proliferation of AI chatbots in the last few months has only amplified the concerns about what these tools can collect about users activities, thoughts, and their locations.  Privacy functions are increasingly playing a role in accounting for the use of AI in the collection of personal data, but also driving long-term strategy within their organizations.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws and their regulations like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.