Stephen Bush

Georgia Data Security and Privacy Symposium led by O&A’s Stephen Bush

The Privacy and Cybersecurity Law Section of the Atlanta Bar Association, founded by O&A, P.C., senior counsel Stephen Bush,  hosted its first Data Security and Privacy Symposium at the State Bar of Georgia Conference Center. The Symposium was well-attended, by both in-house and outside counsel, as well as law students, and covered a wide variety of topics pertinent to today’s technology-centric environment.  

Established in 2020 in the midst of the pandemic by Bush, with the assistance from current Section Chair Dorian Simmons (Alston & Bird LLP), the Privacy and Cybersecurity Section was born with the intention of creating an awareness for non-privacy focused attorneys within all areas of the legal industry that data security and privacy issues are not only here to stay, but are increasingly ubiquitous in today’s world.  

February’s Symposium was a successful culmination of those efforts over the past three years, and stayed true to that goal of creating a source of knowledge for the average practitioner’s benefit and understanding. The symposium featured five panels over the course of the day, beginning with an overview of U.S. data privacy and security law by Simmons. Simmons’ presentation provided the latest updates on current and emerging state comprehensive privacy laws, including the California Privacy Rights Act and the Colorado Privacy Act. He also detailed the status of federal privacy legislation and provided an overview of established federal laws, such as the Gramm-Leach-Bliley Act and the Children’s Online Privacy Protection Act. Simmons’ presentation included a discussion of the emergence of specialized legislation governing artificial intelligence, biometrics, and children’s privacy.

The symposium continued with a presentation by Cheri Bessellieu (CEB Advising, LLC), Sara Guercio (Alston & Bird LLP) and Benjamin K. Jordan (Kent) (King & Spalding LLP) on selecting and working with third-party vendors. The panelists discussed vendor contractual requirements imposed by current and emerging data security and privacy law, practical considerations for selecting vendors, tips for effectively working with vendors, issues that can arise when working with vendors, and strategies for mitigating risks arising from such issues.

The next two panels focused on data security incident preparedness and response. Shannon M. Sprinkle (Stites & Harbison PLLC) moderated a discussion among Edward Alden (Alden & Associates, Inc.), Jon Powell (Moore Colson CPAs and Advisors) and Sarah C. Spurlock (Stites & Harbison PLLC) on developing an incident response program. The panelists covered a variety of topics, including the need for businesses to assess vulnerabilities in, and capabilities of, their information technology systems and operations, legal obligations that may arise from security incidents, planning an incident response program, and issues related to cyber insurance.

The incident preparedness and response panel was followed by a panel on testing cyber-attack readiness and responsiveness through table-top exercises. Scott Hilsen (Cox Automotive) led a discussion between Sam Casey (Cox Automotive) and Nick Jones (Cox Automotive), covering topics including the types of cyber-attacks, the benefits of conducting cyber tabletop exercises, and planning and conducting tabletop exercises. The panelists concluded with best practices for conducting table-top exercises, such as involving multiple and key stakeholders, leveraging resources from outside counsel and consultants to enhance the incident scenarios and provide feedback, and making the scenarios as real as possible.

The last panel, a conversation among O&A’s Bush, Michael Jones (Riskonnect, Inc.) and Michael Young (Morris, Manner & Martin LLP), discussed conducting data security and privacy due diligence in mergers and acquisitions.. The panelists walked through a comprehensive guide for engaging in M&A transactions, and discussed transaction structures, preparing for and conducting due diligence, considerations for revising merger agreements, and actions to take post-merger to mitigate data security and privacy risks.

The symposium concluded with a happy hour and networking session during which attendees had the opportunity to meet and reflect on the symposium. Given the success of the first annual data security and privacy symposium and the rapid development of data privacy and security law, the Privacy and Cybersecurity Law Section looks forward to the second annual symposium next year.

Remaining consistent with the principles behind the founding of the Privacy and Cybersecurity Section, and even more so now, issues of privacy and data security remain widely varied and affect the day-to-day business of professionals in every sector, in every geographic locale. Whether you are dealing with commercial agreements for licensing technology, preparing for a potential merger or acquisition of your business, or just starting forming your company, it remains increasingly important to keep one’s guard up for these ever-evolving issues. O&A P.C. has the experience and expertise to help you through these concerns and help your startup to thrive in an increasingly digital universe.