
Privacy Summer Institute to be held May 23 – June 10



The University of Maine School of Law will host its annual Summer Institute in Privacy and Information Security Law from May 23 – June 10, 2022. The courses are tailored for existing attorneys, who can leverage the session to earn CLE credits or venture into a dynamic new practice area, as well as current J.D. candidates looking to develop a valuable specialty while still in school. Courses will include topics in global privacy law, cybersecurity law, health information privacy, and security risks involved in data sharing.

The institute will culminate in a one-day Privacy in Practice Conference, which will be open to institute attendees as well as those interested in registering for the one-day event. The conference will feature an array of speakers on topics from privacy in law enforcement practices to regulatory obligations of governments in cybersecurity issues. Maine Senator Angus King will deliver the conference’s keynote address at the start of the conference. Registration for the event is $295.

2022 Information Privacy Summer Institute Course Offerings

Global Privacy Law (2 credits)

Monday, May 23 – Thursday, May 26, 9 a.m. – 4:30 p.m.

Personal data is the raw material for business models in industries ranging from online advertising, social networking, and cloud computing to health and financial services. Governments, too, rely on personal data for purposes such as national security and law enforcement, urban planning and traffic control, public health, and education. Emerging technologies have greatly enhanced data collection, storage, and analysis. In this context, public and commercial interests strain against individual rights, with privacy law serving as the mediator. This course will place privacy within a social and legal context and will investigate the complex grid of legal structures and institutions that govern privacy at state, national, and international levels. Students will be taught how to critically analyze privacy problems and make observations about sources of law and their interpretation, with an emphasis on the global nature of data. The final grade will be based on class attendance/participation and a take-home exam.

Professor Bio:

Gabe Maldoff is a senior associate in Goodwin’s Data, Privacy, and Cybersecurity practice. Gabe counsels clients in a variety of sectors on privacy, cybersecurity, and other emerging data regulations, with particular focus on international frameworks, cross-border transactions, artificial intelligence regulation, augmented and virtual reality, and other data-driven technologies. Before joining Goodwin, Gabe worked for top-ranked law firms in London, U.K., and Washington, D.C. Gabe also served as a Westin Fellow at the International Association of Privacy Professionals. His research on U.S., Canadian and European privacy and national security laws has featured in journals in the U.S. and Europe. Gabe holds a J.D. from the University of Maryland Law School and a B.Sc. from McGill University in Montreal, Canada. He currently serves as a member of the Arbitration Panel for the EU-U.S. Privacy Shield Framework.

Cybersecurity Law (1 credit)

Tuesday, May 31 & Wednesday, June 1, 9 am – 4:30 pm

This course will explore the key state, federal and international legal regimes addressing cybersecurity risks, including creating written information security plans, assigning risk contractually with business partners, and guiding companies through a data breach. It will provide students with a solid introduction to the role lawyers play in reducing risk prior to, during and after a cybersecurity incident.

Professor Bio:

Stephenie Handler is Director, Cybersecurity Strategy and Digital Acceleration at McKinsey & Company, where she has also served as associate general counsel for cybersecurity. Stephenie has a JD from Stanford Law School, an MS in National Security Studies from Georgetown University, and is a graduate of the US Naval Academy, following which she served as a Captain in the Marine Corps for 7 years. She practiced law with Gibson, Dunn & Crutcher and Hogan Lovells before joining McKinsey in 2019. Stephenie recently moved to Freeport, Maine with her family.

Health Information Privacy (1 credit)

Thursday, June 2 & Friday, June 3, 9 am – 4:30 pm

Data is everywhere in the health care industry, and is being used by a broader range of entities for a broader range of purposes every day.  This phenomenon is present in virtually all industries (thanks to the principles of “big data,” artificial intelligence and the Internet of Things), but the health care industry presents the most evolved legal and regulatory structure for the privacy and security of personal data that exists.  Health care lawyers and compliance professionals must understand – and lawyers and compliance professionals for all other industries can learn from – the key principles surrounding the use and disclosure of personal data when providing virtually all aspects of legal advice to healthcare companies, including compliance, mergers and acquisitions, litigation and the full range of specific privacy and data security laws and regulations.

This course will explore the primary legal and policy principles surrounding the use and disclosure of personal data across the health care industry – the key privacy and security laws, regulations and principles that govern how the health care industry operates. This analysis will serve as a baseline for consideration of all other privacy and data security laws around the country and around the world. This course will emphasize the primary privacy and information security principles set out in the Health Insurance Portability and Accountability Act (“HIPAA”) as a baseline framework for compliance, and will explore how these rules apply in theory and in practice. We will discuss the best approaches for overall HIPAA compliance. We also will explore emerging areas for privacy and information security, including new enforcement principles, issues related to security breaches and breach notification, the emergence of “non-HIPAA” data as a new challenge to the privacy and data security regulatory structure and the increasing complexity of overall health privacy because of the broad range of laws impacting health information. We also will assess how these issues affect the business of health care, including a broad range of strategic and compliance issues affecting health care companies and others that use personal data.

The goal is to understand the key principles of the developing law in this area, but also to teach what a lawyer and compliance professional/privacy officer does on these issues and the need to combine legal knowledge with practical analysis and an understanding of business implications.  Class sessions will review and evaluate a broad range of regulations as an initial framework, coupled with specific examples of recent developments, compliance challenges and the ongoing evolution of the HIPAA privacy and data security rules.  In addition to this review of the HIPAA Privacy, Security, and Breach Notification Rules, this course will survey other potentially applicable laws that create compliance obligations for the health care industry, including state law (and the impact of preemption), and other relevant federal laws.   We also will examine new developments in health care privacy and data security, including the evolving principles governing healthcare research, the privacy and data security challenges arising from mobile applications and the emerging implications of “big data” principles on privacy rights and the health care industry.   We also will evaluate how best to revise health care privacy law in the future, in the context of a national privacy law or otherwise.

Professor Bio:

Kirk Nahra is a partner with WilmerHale in Washington, D.C., where he is Co-Chair of the firm’s global Cybersecurity and Privacy Practice as well as Co-Chair of the Big Data Practice. He assists companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. He teaches both Information Privacy Law and Health Care Privacy and Data Security Law as an adjunct professor at the Washington College of Law at American University, and teaches and guest lectures on these and other privacy topics at a variety of other law schools. He currently serves as a fellow with the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis and as a fellow with the Institute for Critical Infrastructure Technology. He received the 2021 Privacy Vanguard Award from IAPP in recognition of his “exceptional leadership, knowledge and creativity in privacy and data protection.”

Privacy and Security Risks of Data Sharing (2 credits)

June 6-7, June 9-10, 9 am – 4:30 pm

Enterprises share personal data of their customers and employees extensively – with cloud service providers, business partners, acquiring businesses, and so on. Anticipating this, comprehensive privacy laws (like the GDPR and the CCPA) place obligations on organizations to take steps to reduce the risks to data subjects when data is shared with other entities. This course will explore the legal issues raised by data sharing. It will expose students to real-world situations and put them in the seat of the privacy lawyer whose client(s) plan to enter into data-sharing arrangements with other entities.  We will walk through vendor selection and risk assessment, negotiating the contract, preparing the data processing agreement, and using the correct international data transfer instrument.  Students will be exposed to and build their own tools for risk mitigation and legal compliance. Grading will be based 60% on class participation (doing the exercises and contributing to discussion) and 40% on a final project. The final day of the class will be the annual conference, covering legal issues in cybersecurity, June 10, 2022, for which attendance is mandatory.

Professor Bio:

Rita Heimes is General Counsel and Chief Privacy Officer of the International Association of Privacy Professionals (IAPP), a non-profit membership association serving the privacy profession globally. Prior to joining the IAPP in 2015 as its first Research Director, Rita served as the Director for the Center for Law + Innovation at the University of Maine School of Law for 14 years, where she is still a Senior Fellow and adjunct professor, hosting and teaching in the annual Information Privacy Summer Institute. She also had a career in private practice with law firms in Seattle, Boulder and Portland, focusing principally on intellectual property law. Rita enjoyed a clerkship with the US Court of Appeals for the Ninth Circuit following graduation from Drake University School of Law, which she attended after receiving her BA from the University of Iowa. She has lived in Portland, Maine, since 1998.