Americans today are accustomed to seeing cybersecurity in the news. Indeed, data has become a prized commodity that’s transforming the way businesses and institutions operate. But information privacy is more than a headline – it’s a dynamic, high-growth field facing a severe shortage of trained professionals. That’s why Maine Law offers a series of summer courses on critical and current information privacy issues.

Existing attorneys can leverage the session to earn CLE credits or venture into a growing and dynamic new practice area; current J.D. candidates can develop a valuable specialty while still in school. Whether you’re deeply familiar with information privacy law or new to the subject, this summer session could change your career.

2020 Information Privacy Summer Institute

The Center for Law + Innovation at the University of Maine School of Law hosted its annual summer institute in privacy and information security law from May 26 – June 12, 2020. The eleventh annual event was held virtually and featured courses taught by leading privacy professionals. A special one-day Privacy in Practice Conference was also held virtually on May 29, 2020 as part of the Summer Institute.

Summer 2020 Course Offerings

In 2020, leading privacy scholars gathered at our 11th annual Information Privacy Summer Institute to discuss:

2 credits (12 CLEs)
May 26 – 29, 2020

Course description:

Personal data has become the raw material for business models in industries ranging from online advertising, social networking, cloud computing, health and financial services. Governments, too, rely on personal data for purposes such as national security and law enforcement, urban planning and traffic control, public health and education. Emerging technologies greatly enhance data collection, storage and analysis. In this context, privacy laws strain to continue to protect individual rights. This course will place privacy within a social and legal context and will investigate the complex mesh of legal structures and institutions that govern privacy at state, national and international levels. Students will be taught how to critically analyze privacy problems and make observations about sources of law and their interpretation, with an emphasis on the global nature of data. Students will be provided with the technological details needed to explore information security and management issues in domestic and international contexts. The final grade will be based on class participation, attendance and an exam.

Professor Bio:

Professor Gabe Maldoff is an associate in the Privacy and Cybersecurity group at Covington & Burling LLP.  He advises global clients on privacy, data protection, and technology law issues, with particular focus on international frameworks, cross-border transactions, and the privacy implications of emerging technologies.  Before joining the Washington, DC, office, Gabe worked for three years in a top-ranked European data protection practice in London, UK, where he advised technology clients on compliance with the General Data Protection Regulation (GDPR) and European telecommunications and marketing laws.  Gabe also served as a Westin Fellow at the International Association of Privacy Professionals.  His research on U.S., Canadian and European privacy and national security laws has featured in journals in the U.S. and Europe.  Gabe continues to write and speak widely on issues related to privacy and data protection, and to represent industry associations and non-profits on matters of public policy.  Gabe holds a J.D. from the University of Maryland Law School and a B.Sc. from McGill University in his hometown of Montreal, Canada.  In his spare time, you’ll find him on his bike, on his skis, or looking for a mountain to climb (even if it’s just the steps to the Lincoln Memorial these days).  He currently serves as a member of the Arbitration Panel for the EU-U.S. Privacy Shield Framework.

1 credit (6 CLEs)
June 1-2, 2020

Course Description:

The only federal privacy or data security “regulation” that applies to all businesses regardless of industry is Section 5 of the FTC Act, which prohibits “unfair and deceptive acts and practices.”  Every state also has some form of “Little FTC Act” which operates in parallel to the FTC and is usually enforced by the State Attorney General. Together these are called UDAP laws. But what does unfairness and deception mean when applied to privacy and data security? That’s the question. There is very little caselaw to provide answers. In the absence of guidance from the courts, the FTC and AG’s have developed a “common law of settlements” in which each settlement with a company for violating UDAP law gives guidance to businesses as to what is within and outside of bounds for privacy and data security.

Professor Bio:

Professor Ryan Kriger (CIPP/US) is an Assistant Attorney General in the Vermont Office of the Attorney General’s Public Protection Division.  He handles antitrust and consumer protection issues with a focus on technology and data security.  Mr. Kriger has investigated several local and national security breaches, led multistate investigations, and frequently testifies before the state legislature on issues involving privacy, competition and consumer protection.  He worked extensively on Vermont’s Data Broker Regulation laws. Mr. Kriger has also worked on telecomm issues and patent trolling, among other areas. He is a lecturer on consumer protection law & policy and privacy issues at the University of Vermont and is on the Vermont Governor’s Cybersecurity Advisory Team and the Board of Advisors for the University of Vermont’s Center for Computer Security and Privacy.

Prior to joining the Attorney General’s Office, Mr. Kriger practiced for several years in New York City, working for both corporate defense firms and class action plaintiffs’ firms and focusing on antitrust complex litigation and commercial litigation, as well as electronic discovery and legal ethics.

1 credit (6 CLEs)
June 3-4, 2020

Course Description:

One of the most heavily regulated areas of information privacy law is in the health care industry, where privacy and data security issues are of paramount importance. This course explores the key data privacy and security issues facing health care enterprises and their vendors (and the broad variety of other entities that use and disclose health care information), including compliance with HIPAA and a broad variety of other state and federal privacy and data security laws applicable to healthcare data and the healthcare industry. We will discuss how health care privacy and data security law is evolving, what the key policy issues are for this debate and will provide practical advice on evaluating and applying law, regulations and best practices to the creation, use and disclosure of health care data.

Professor Bio:

Professor Kirk Nahra is a partner at Wiley Rein in Washington, D.C., where he specializes in privacy and information security litigation and counseling, along with a variety of health care, insurance fraud, and compliance issues. He assists companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. He also works with insurers and health care industry participants in developing compliance programs and defending against government investigations into their practices. A long-time member of the Board of Directors of the International Association of Privacy Professionals (IAPP), he is the editor of The Privacy Advisor, the monthly newsletter of the IAPP. He was named as the Co-Chair of the Confidentiality, Privacy, and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC) on privacy and security issues arising from health information technology.

2 credits (12 CLEs)
June 8,9,11,12, 2020

Course Description:

Privacy lawyers – whether in-house or outside counsel – commonly draft, review and negotiate business-to-business contracts where personal data will be transferred, including across national borders. These agreements are heavily influenced by changes in privacy laws, including the European Union’s General Data Protection Regulation, the California Consumer Privacy Act, and a variety of U.S. state laws that highlight the importance of protecting the consumer’s data along the supply chain. They are not new – HIPAA influenced the creation of relatively standardized Business Associate Agreements long ago – but the variety of new comprehensive privacy laws has heightened the risk of vendor agreements and increased the workload on attorneys. Indeed, privacy counsel is often involved at the vendor selection phase, well before the contract is negotiated, to help characterize the vendor (processor, co-controller, service provider, third party) as well as to help assess its trustworthiness as a recipient of personal information. This course will cover the cases and statutes that highlight the risks associated with data transfers to vendors, provide opportunities for students to create and deploy vendor vetting tools, and dive into the details of contracts between typical parties to transactions involving personal information. It will leave students with a solid understanding of the roles the parties play and the importance of terminology in characterizing these roles, as well as a tool kit for negotiating vendor agreements (including cross-border data transfer issues) globally.

Professor Bio:

Professor Rita Heimes is General Counsel and Privacy Officer for the International Association of Privacy Professionals. She joined the staff of the IAPP in November 2015 as its first Research Director, following a 14-year career on the faculty of the University of Maine School of Law, where she served as a clinical professor, director of the Center for Law + Innovation, and associate dean for academic affairs. Rita continues to hold a position as a Senior Fellow with the Law School, which involves organizing and teaching in the Information Privacy Summer Institute. She has also held several positions in private practice, working in intellectual property law and commercial litigation. Rita received her JD with honors from Drake University School of Law, and a BA in journalism with honors and highest distinction from the University of Iowa. Rita is a member of the Maine bar and lives in Portland with her husband and two of their four children.