She Said Privacy/He Said Security

Julia Shullman is the General Counsel and Chief Privacy Officer at Telly, the world's first dual-screen smart TV fully paid for by advertising. Prior to Telly, Julia was General Counsel and Chief Privacy Officer at TripleLift, through its $1.4B acquisition by Vista Equity Partners. She also held various leadership positions, including Chief Privacy Counsel and Lead Attorney, Publisher Technology Group at AppNexus, through its $1.6B sale to AT&T. Before advertising, Julia spent a decade in mergers and acquisitions at both Latham & Watkins and UBM. She is recognized as an industry leader at the intersection of privacy, products, advertising, policy, and strategy. In this episode… Navigating the intersection of privacy, product, and advertising demands strategy. Companies need to view privacy as integral to their operations and growth, especially in highly regulated industries like AdTech. Without effective privacy programs, companies face potential deal disruptions, diminished valuations, and reputational damages. For early-stage companies in particular, failing to integrate privacy into their operations can hinder growth, derail funding opportunities, and even lead to regulatory scrutiny. How can organizations ensure that privacy is both a priority and an enabler of success? Developing effective privacy programs requires a tailored, pragmatic approach. Leaders need to educate their teams on privacy obligations and integrate privacy practices into business processes. This includes fostering collaboration among privacy experts and cross-functional departments, such as engineering and marketing, while adapting to industry-specific nuances. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Julia Shullman, General Counsel and Chief Privacy Officer at Telly, about building privacy programs that drive business success. Drawing from her extensive experience in M&A, privacy, and AdTech, Julia offers insights into balancing privacy with business monetization goals. She discusses the importance of understanding industry dynamics and the role of privacy in facilitating successful exits and partnerships. Julia emphasizes the value of cross-departmental collaboration and education in creating privacy solutions that resonate with a company’s culture and business objectives. She also provides tips on how organizations can align their privacy programs with broader business strategies to build trust, ensure compliance, and drive innovation.

Arjun and Abhijay Bhatnagar are Co-founders of Cloaked, a consumer privacy company. As developers and privacy advocates, they have created a secure, all-in-one privacy platform that gives consumers control over their personal information while helping reshape how industries access, use, and think about data. In this episode… The digital world often exposes individuals to risks through seemingly simple data points like phone numbers and emails. These identifiers can reveal a lot of personal information, making users vulnerable to phishing, spam, identity theft, and malicious AI-driven impersonation. As companies collect, share, and sell personal information more than ever, there is a pressing need for solutions that prioritize user control, privacy, and security. What steps can you take to safeguard your personal information? Companies like Cloaked are changing the game and offering individuals a way to regain control over their personal information by allowing users to create unique identifiers, like emails, phone numbers, and passwords, for every digital interaction. The platform also enables users to clean up past data footprints and limit future vulnerabilities while employing a siloed database architecture that keeps personal information secure even in the event of a system breach. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Arjun and Abhijay Bhatnagar, Co-founders of Cloaked, about how their platform addresses critical privacy challenges and empowers users to reclaim control of their personal information. Arjun and Abhijay share how Cloaked's features, like identity masking and password and passcode manager tools, help users navigate today’s privacy and security complexities easily and confidently. They also provide actionable privacy tips, such as limiting permissions, and discuss how Cloaked aims to combat AI misuse.

Alan Chapell is the President of Chapell & Associates, a law firm serving the interactive technology, media, and advertising industries. He has served for 20 years as an outside counsel and privacy advisor to VC-funded AdTech and MarTech companies. Alan is also the Principal Analyst for The Chapell Report, a monthly continuous information research tool that helps investors and compliance teams understand the key privacy, competition, and regulatory trends driving the advertising and media marketplace. In this episode… Businesses often struggle to balance their privacy programs with the demands of evolving privacy laws and operational obligations. Privacy programs often reveal hidden vulnerabilities — what some call the “privacy underbelly” — that can expose companies to risks. With a growing patchwork of state privacy laws, businesses need to adopt flexible, proactive strategies to maintain compliance while aligning with business objectives. How can privacy and business teams collaborate to build strategic privacy programs? Privacy professionals need to bridge the gap between compliance and operational goals by clearly explaining liability risks to business teams while aligning privacy initiatives with organizational objectives. Leveraging privacy resources like The Chapell Report can provide actionable insights into evolving regulations, helping privacy and business teams simplify complex concepts to collaborate effectively and build trust with each other. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Alan Chapell, President of Chapell & Associates, about balancing privacy programs with business priorities and compliance obligations. Alan discusses strategies for navigating complex privacy regulations, finding hidden vulnerabilities in privacy programs, and aligning privacy efforts with business goals. He also explains the need to push back against his concept of “McPrivacy” — an oversimplification of privacy measures that can create risks in privacy programs.

Allie Hunter, author of Mothers Against Cyber Crime, is a cybersecurity awareness advocate, advisory board member at Savvy Cyber Kids, and mother. With a background in psychology, marketing, and behavioral science, she empowers parents to protect their families online. Her work blends storytelling with practical insights, making cyber safety accessible to everyone. In this episode… Cybersecurity awareness is not just for businesses — it’s also essential for families navigating today’s complex digital world. Children’s online activities can expose families to cyber threats like hacking, data breaches, and privacy intrusions, with many parents unaware of the potential risks in everyday technology and digital platforms. From the overlooked risks of unsecured smart devices to gaming platforms and the rising threats of deepfakes and social engineering scams, parents face new threats impacting their children’s safety and privacy. So, how can parents proactively take control of cybersecurity measures while fostering a safer online environment? Simple, yet actionable steps, like enabling two-factor authentication, regularly updating passwords, and fostering open communication with children about online activities are vital for managing their online presence safely. Combining these practices with cybersecurity awareness education equips parents with the tools they need to protect their children in today’s ever-changing digital landscape. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Allie Hunter, author of Mothers Against Cybercrime and a cybersecurity advocate, about how parents can protect their children from cyber threats. Allie highlights common but underestimated threats, such as unsecured smart devices and online gaming vulnerabilities, offering practical tips for enhancing security measures at home. She also discusses her work with Savvy Cyber Kids and shares insights into the development of her “Hunter Method,” a unique training approach that leverages real-life scenarios to help parents identify and respond to cyber threats effectively.

Alan L. Friel is Chair of Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets Practice. He is tier-1 ranked by Chambers, and BTI Consulting Group has named Alan a Client Service All-Star, recognizing lawyers who stand above all others in delivering exceptional client service. In this episode… Evolving privacy regulations like the California Consumer Privacy Act (CCPA) are reshaping the way companies approach data management and compliance. CCPA’s proposed draft regulations would require certain businesses to conduct cybersecurity audits, privacy risk assessments, and implement governance surrounding automated decision-making and AI technologies. While these frameworks help protect consumer data, they also introduce operational challenges and increased expenses for companies. How can companies prepare for compliance while effectively managing data and reducing costs? Privacy compliance is more than a legal requirement — it’s a vital part of sound business strategy. Navigating compliance obligations requires companies to adopt a proactive approach to data governance. Businesses need to implement good data hygiene practices and conduct privacy risk assessments to identify and mitigate risks. These processes help businesses maintain their data inventory, respond to consumer privacy rights requests, and manage information assets. However, the legal landscape remains complicated, with questions about whether some regulatory requirements may conflict with First Amendment protections. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Alan Friel, Chair of the Data Privacy, Cybersecurity & Digital Assets Practice at Squire Patton Boggs, about the costs, benefits, and legal implications of regulatory compliance. Alan explains why businesses should adopt privacy risk assessments as a best practice, regardless of ongoing legal uncertainties, and discusses the intersection of privacy regulations with free speech rights under the First Amendment. He emphasizes the importance of proactive data management practices and governance to navigate compliance challenges and position businesses for long-term success in a shifting regulatory environment.

Anna Hall is an educator, mother of two, and Co-founder of Embody, a privacy-forward menstrual health and wellness app. In this episode… As awareness grows around health data privacy, misconceptions about protecting menstrual health data remain widespread. That’s because menstrual health data is often commodified and can be shared or sold without explicit user consent, exposing sensitive information to third parties. With recent legal changes affecting reproductive rights, there is a greater need than ever for secure, user-controlled solutions. What steps should companies take to prioritize and protect sensitive health data? In a rapidly changing health tech landscape, most regulations haven’t adapted to cover personal wellness apps effectively, especially those designed for menstrual health tracking. Companies like Embody address this by implementing local encryption and avoiding default cloud storage, which safeguards privacy and encourages a user-first approach. By eliminating the need for logins and accounts, Embody limits data access, allowing users to track personal health information privately and securely. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Anna Hall, Co-founder of Embody, about developing a privacy- and security-focused menstrual health app. Anna shares the story behind Embody and how the app prioritizes user privacy by eliminating user logins and passwords, keeping user data stored offline and locally on user devices. She highlights misconceptions about menstrual health data privacy and shares how Embody’s design directly addresses these challenges. With features like local encryption and plans to open-source their code, Embody aims to provide secure, user-controlled health tracking that upholds privacy standards.

Christin McMeley is the SVP and Chief Privacy and Data Strategy Officer at Comcast, a role that involves partnering across Comcast's business units and spearheading the execution of enterprise privacy and data governance strategies, focusing on responsible use of data and artificial intelligence. As an attorney, Christin is experienced in privacy compliance, public policy, and government affairs. In this episode… As companies navigate the fast-changing landscape of privacy regulations, many are focusing on integrating privacy practices into business strategies, made more complex by the rise of new technologies like generative AI. To maintain consumer trust and ensure compliance, companies need to understand how to align privacy obligations with business innovation. How can privacy and business teams collaborate to navigate this evolving space? For businesses to succeed, privacy can’t work in isolation — it needs to be integrated with broader business strategies. Embedding privacy by design principles and fostering a culture of consumer trust are key to achieving this. Educating teams on privacy principles and building strong internal relationships ensures privacy becomes a natural part of the business workflow rather than an afterthought. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Christin McMeley, SVP & Chief Privacy and Data Strategy Officer at Comcast, about how privacy teams can collaborate with business units to address privacy risks. Christin highlights the importance of practices like privacy tabletop exercises, which allow teams to proactively address privacy concerns during product and service development. She stresses that integrating privacy into the company culture, along with the right mix of automation and human oversight, is key to long-term success.

Nick Kakolowski is the Senior Research Director at IANS Research, where he specializes in the managerial, leadership, risk management, privacy, and regulatory compliance components of the company’s curriculum. In this episode… The role of the Chief Information Security Officer (CISO) is expanding. Many CISOs are now responsible for more than just security — they are also managing privacy, AI risk, and other critical business functions. Organizations like IANS are helping security teams navigate these changes by providing critical data on CISO compensation, budget trends, and organizational structures through its research and surveys. So, how can companies ensure their security leadership is equipped to align with broader business goals while managing these new responsibilities effectively? IANS focuses on helping CISOs and their teams address real-world security challenges through its faculty of industry practitioners. Through its annual CISO Compensation and Budget Survey, conducted in partnership with Artico Search, IANS uncovers valuable insights into compensation disparities, evolving CISO responsibilities, and how security roles are expanding to include privacy and AI risk management. By leveraging real-world data, IANS equips businesses with the information they need to build more resilient security programs and infosec teams. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Nick Kakolowski, Senior Research Director at IANS, about the CISO’s expanding role. Nick shares valuable insights from IANS’ research, highlighting how CISOs are taking on new responsibilities in areas like privacy, AI, and security governance. He underscores the growing importance of business and leadership skills for CISOs and emphasizes the need for collaboration across teams as boards increasingly turn to CISOs for security governance and risk management.

Jennifer Miller is Grammarly’s General Counsel. She focuses on enabling Grammarly to grow and innovate while carefully managing business risk. Her responsibilities include navigating AI and regulation and scaling the company’s managed business. Suha Can is Grammarly’s CISO and VP of Engineering, leading global security, privacy, compliance, and identity for the company. He’s dedicated to securing the data of Grammarly’s over 30 million users and 70,000 teams at enterprises and organizations worldwide. In this episode… As AI continues to reshape the tech landscape, companies like Grammarly are navigating new challenges in balancing innovation with privacy and security. With advanced AI tools, businesses can improve user experiences, but they also need to manage privacy and security risks that come with it. Grammarly, known for its communication assistant that leverages AI, strongly emphasizes user trust by embedding transparency and user control at the core of its privacy and security strategy. So, how can companies in the AI space adopt similar practices, innovate responsibly, and stay ahead of evolving privacy and security risks? Grammarly champions transparency and has built a privacy and security program centered on user trust and control. By establishing governance frameworks, regularly reviewing their products for privacy, security, and AI-related risks, and maintaining collaborative communication between legal and technical teams, Grammarly proactively mitigates risks while staying compliant with regulations. The company also offers clear privacy practices through its public-facing web pages and ensures its contracts with customers and third-party vendors reflect the same principles of transparency. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Jennifer Miller, General Counsel, and Suha Can, CISO, of Grammarly about how the company has built a privacy and security program centered on trust and transparency. Jennifer and Suha discuss how they navigate AI advancements and regulatory challenges by prioritizing user control, conducting privacy and security audits, and fostering collaboration between legal and technical teams. They also emphasize the importance of proactive governance and responsible AI practices to keep pace with evolving regulatory landscapes.

Joe Jones serves as the Director of Research and Insights at the IAPP. Previously, he served as the UK Government’s Deputy Head of Digital Trade, where he was responsible for digital policy. Joe also served as a private practice lawyer on international data issues. In this episode… Companies are grappling with the challenges of managing privacy, security, AI, and data governance in an increasingly complex regulatory environment. The IAPP’s Organizational Digital Governance Report highlights the challenges businesses face due to “digital entropy” — caused by overlapping laws, rapid technological shifts, and cultural and socio-technical differences, emphasizing the need for organizations to align their governance structures to address these challenges. How can companies navigate these complexities while maintaining compliance and operational efficiency? The IAPP’s digital governance report provides insights into how companies can adapt their structures and processes to meet the growing demands of digital governance. It outlines three varying approaches companies are using to navigate digital entropy: the analog model, where companies use their current structures while adding more tasks to existing teams; the augmented model, where companies create new committees or cross-functional teams to define overarching terms for digital governance and policy; and the aligned model, where companies have dedicated roles for digital governance. The report underscores the importance of moving toward a more aligned model, where privacy, security, and AI governance are streamlined under cohesive leadership. This involves empowering privacy teams, implementing regular audits, fostering collaboration across departments, and avoiding reliance on ad hoc committees to align with evolving privacy regulations. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Joe Jones, Director of Research and Insights at IAPP, about how companies can leverage insights from the IAPP Organizational Digital Governance Report to improve their digital governance frameworks. Joe explains how companies can stay ahead of regulatory changes by embracing more structured governance models. He also emphasizes the need for privacy professionals to act as enablers within organizations, offering guidance on leveraging data responsibly while navigating the growing complexity of privacy regulations.

Daniel B. Rosenzweig is the Founder and Principal Attorney at DBR Data Privacy Solutions, a boutique data privacy law firm. He advises clients on legal and technical compliance with data protection and privacy laws and counsels clients on the responsible use of AI, AdTech, and privacy-enhancing technologies. Dan’s legal practice is unique in that he also codes and develops technical solutions to enhance his legal services. In this episode… As the AdTech landscape evolves, companies are facing new challenges with cookie alternatives like server-side technologies and alternative IDs. While these new tools offer improved targeting capabilities, they also bring risk, especially when it comes to managing opt-outs and tracking user consent. To preserve consumer trust and drive revenue, businesses need to fully understand how these advanced technologies work while adhering to applicable privacy laws. So, how can companies stay compliant while leveraging these technologies? Adopting alternative IDs, advanced matching, and server-side technologies offers new opportunities for businesses to enhance targeting while maintaining consumer trust. Still, companies need to carefully assess the risks and ensure proper implementation. Establishing a proper governance process, conducting regular audits and testing, maintaining transparency in privacy notices, and avoiding dark patterns are crucial steps for regulatory compliance and protecting consumer privacy. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Daniel Rosenzweig, Founder and Principal Attorney at DBR Data Privacy Solutions, about the challenges of balancing data privacy with AdTech solutions. Dan explains how businesses can implement these technologies without sacrificing consumer privacy by effectively managing consent platforms, auditing and testing technologies, and ensuring transparent data practices that align with regulations. He also emphasizes the importance of regular collaboration between legal, marketing, and technical teams to stay compliant with evolving regulations.

Rob Black is the Founder of Fractional CISO and has guided numerous companies in enhancing their security postures. With extensive experience in product and corporate security roles at prominent companies like PTC, Axeda, and RSA Security, Rob is recognized as a trusted authority in risk management and cybersecurity innovation. In this episode… As companies face increasing pressure to meet security and compliance demands, many are turning to AI to enhance their governance, risk, and compliance programs. Tools like ChatGPT and Claude can streamline processes such as summarizing reports and generating responses to security questionnaires. While these tools can improve efficiency, they can also produce inaccuracies, underscoring the importance of human oversight. How can companies use AI responsibly to enhance these programs? AI tools can save security teams a ton of time, but they’re not reliable enough to replace human oversight. This means that companies need to establish clear guidelines and governance frameworks on AI usage to protect sensitive information and mitigate risks. By integrating these strategies, companies can build more resilient and compliant programs. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels talk with Rob Black, the Founder of Fractional CISO, about integrating AI into governance, risk, and compliance programs. Rob explores the benefits and risks of utilizing AI in these programs, emphasizing the need to blend AI with human oversight. He also emphasizes the need for companies to have a security-first mindset when implementing AI tools to reduce risk and ensure long-term success.

Arsen Kourinian is a Partner in Mayer Brown’s AI Governance and Cybersecurity & Data Privacy practices. He advises clients on data privacy and AI laws and frameworks. Arsen has published numerous articles regarding nuanced issues in these fields, including a forthcoming book entitled Implementing a Global Artificial Intelligence Governance Program. In this episode… The growing number of global and state privacy laws and AI regulations is prompting companies to integrate fundamental frameworks into their AI governance programs. While the US lacks a comprehensive federal AI law, states like Colorado have begun implementing AI regulations that could serve as a model for future state-level standards. With seemingly fragmented regulations, how can companies effectively develop an AI governance program? A multi-regulatory approach to AI governance can be challenging for companies to navigate with regulations like the EU AI Act, Colorado's Artificial Intelligence Act, and international standards like ISO and NIST. While the regulatory landscape is patchy, harmonizing across various regulations and frameworks can help companies meet compliance obligations and reduce risk. This includes forming an AI governance committee, implementing a data governance plan, conducting risk assessments, documenting accountability with policies and procedures, and continuous monitoring and oversight of AI vendors. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Arsen Kourinian, Partner at Mayer Brown, about developing an AI governance program amid emerging global and state regulations. Arsen emphasizes incorporating key components and frameworks from various laws to develop AI governance programs. He also delves into the departments that assume responsibility for these programs and offers guidance on completing AI impact assessments, highlighting the importance of risk mitigation and understanding practical harms.

Darren Abernethy is a Shareholder in Greenberg Traurig's data, privacy, and cybersecurity practice. As an AdTech and data privacy attorney, he is licensed to practice law in California, New York, and Washington, DC. Darren holds seven IAPP Certified Information Privacy Professional, Manager, and Technologist certifications. In this episode… Talks about shifting away from third-party cookies is pushing companies to rethink their advertising strategies and adopt cookieless alternatives. As many companies explore other AdTech solutions like first-party data collection strategies, they need to evaluate their advertising practices to ensure alignment with evolving state and global privacy laws. How can businesses effectively implement alternative AdTech solutions while adhering to evolving compliance requirements? First-party data collection, contextual advertising, and CRM-based approaches present opportunities for businesses to refine their ad targeting strategies. However, these alternatives also require companies to ask probing questions when evaluating new technologies, such as how these solutions fit within evolving privacy laws and what vendor safeguards are needed. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Darren Abernethy, Shareholder at Greenberg Traurig, about the future of AdTech and data privacy in a world transitioning away from third-party cookies. Darren explains how businesses can take a privacy-first approach to implementing new AdTech solutions by proactively managing vendors and keeping privacy programs up to date. He underscores the importance of modernizing vendor assessments, updating contracts regularly, and maintaining proper documentation in case of regulatory scrutiny to build trust and mitigate risks.

Shanti Ariker is the Chief Legal Officer of JFrog (NASDAQ: FROG), where she leads the company’s global legal policy development and compliance. She is a solution-creator with global legal expertise, leveraging more than 20 years of experience working with high-growth technology companies to act as a trusted business advisor to CEO and executive teams and public company Boards of Directors. In this episode… The rise in cyber risks is placing increased pressure on companies to closely examine their software and codes and integrate security measures into every stage of the software development process. And, with the SEC cyber rule requiring publicly traded companies to report material breaches, there’s an increased need for companies to perform thorough due diligence on their vendors, especially those incorporating AI into their products. So, how can businesses protect their supply chains in such a volatile environment? Supply chain security is not a one-time task but an ongoing process that demands continuous integration of security throughout the software lifecycle. Companies like JFrog, a software supply chain platform, recognize this and utilize a security by design approach to help companies reduce cyber risk by embedding security protocols into every stage of its software design process, securing each piece of code at the binary level before it reaches the end user. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Shanti Ariker, the Chief Legal Officer at JFrog, about the complexities of securing the software supply chain in today’s tech and regulatory landscapes. Shanti explains how JFrog embeds security by design principles into every stage of software development to help companies mitigate cyber risks, while enabling companies to conduct thorough due diligence on their suppliers' cybersecurity, legal, IT, and privacy practices. She also emphasizes the need for companies to implement a robust AI review process, particularly for third-party vendors incorporating AI into their products to gain a holistic review of the cybersecurity, data privacy, and regulatory compliance implications.

Omer Tene is a Partner in Goodwin’s Technology group and Data, Privacy, and Cybersecurity practice. For the past two decades, he has consulted governments, regulatory agencies, and businesses on privacy, cybersecurity, and data management. Omer is also an Affiliate Scholar at the Stanford Center for Internet and Society and a Senior Fellow at the Future of Privacy Forum. Before Goodwin, he was the Chief Knowledge Officer at the IAPP. In this episode… The US privacy landscape is rapidly evolving, as more states enforce privacy regulations similar to California’s comprehensive privacy law. In 2025, eight new privacy laws will come into force — even states without comprehensive privacy laws are imposing regulations to protect consumer data. Notably, New York, where the New York Attorney General recently established guidelines around cookies and tracking technologies emphasizing the need for companies to properly categorize cookies and configure consent mechanisms. The NY AG has also proposed regulations surrounding kids' privacy, like the Child Data Protection Act, that will impact how companies process children’s data. As the US privacy landscape becomes an increasingly complex web of regulations, how can companies prepare for what lies ahead? Beyond New York, privacy regulations around kids' data are gaining momentum across the US, with laws like the California’s Age-Appropriate Design Code aiming to protect minors from harmful content. Regulations on kids' privacy include everything from age verifications that restrict the sale of minors’ data to design codes that protect children from exposure to harmful internet content. These guidelines have garnered pushback in states like California, where businesses claim violation of the First Amendment, consequently delaying enforcement. Regardless, companies should prepare to respond to these regulations that govern the collection, processing, and sale of children's data. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels welcome Omer Tene, a Partner at Goodwin, to explore the complexities of evolving privacy regulations, specifically on children’s data. Omer shares his insights on the nuances of various privacy regulations, ethical challenges surrounding children’s data protection, and the potential future of privacy legislation. Omer maintains that although some regulations have not yet been enforced, companies should take a proactive approach adapting to these new regulations as the privacy landscape shifts.

Shoshana Rosenberg is the Senior Vice President, Chief AI Governance and Privacy Officer at WSP, one of the world’s leading engineering and professional services firms. She is also the Founder of SafePorter, Co-founder of Women in AI Governance, and a Strategic Program Advisor at Logical AI Governance. Shoshana is a seasoned attorney with over 16 years of experience in international data protection law, a US Navy veteran, and a passionate advocate for social entrepreneurship and inclusion. In this episode… In the ever-evolving and largely unsettled AI landscape, one certainty remains — the need for companies to develop governance programs to navigate and address the organizational impacts of AI. Such governance accounts for client, stakeholder, and employee expectations for AI use, as well as risk management and overarching visions for innovation. But the process involves more than simply understanding AI tools and vendors. So where do companies begin when developing AI governance programs? AI governance isn’t another compliance program where decisions are made in a vacuum. Instead, it’s about building a centralized intelligence function across various teams to identify and understand AI tools, use cases, and vendors. A sustainable AI governance program evolves with the changing regulatory and technology landscape and is monitored and evaluated by the governance committee and other organizational stakeholders. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Shoshana Rosenberg, the SVP, Chief AI Governance and Privacy Officer at WSP, to talk about how companies can build an AI governance program in an evolving landscape. Shoshana emphasizes the need for a proactive approach to AI governance and recommends regularly evaluating AI tools and use cases while creating and adapting associated risk profiles. This establishes a foundation that allows companies to keep moving forward, regardless of how business needs change and the AI landscape shifts.

Amy Bogac is the Chief Information Security Officer at Elevate Textiles. As a seasoned security leader, she has over 20 years of experience in information security, IT governance, and compliance. She holds an MBA from Lake Forest Graduate School of Management and a CISSP certification from ISC2. Previously, Amy was the CISO for The Clorox Company during a significant cyber incident. In this episode… The concept of disaster recovery has evolved significantly in recent years, urging companies to evaluate their security capabilities and infrastructure to plan for cyber events and specific scenarios. While publicly traded companies have some measures in place to restore data and minimize disruptions, privately held companies may not be as prepared. And, as new SEC cyber disclosure rules target third-party risk management, this places pressure on privately held companies to disclose breaches. How can companies maintain strong data resilience and incident response planning? With cyber events becoming increasingly disastrous, having a business disaster recovery plan that can recover data and resume operations is more critical than ever. Yet, sometimes the affected data isn’t always trustworthy, especially if the breach occurred among third-party vendors. In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Amy Bogac, the CISO at Elevate Textiles, about the critical need for businesses to revisit their disaster recovery plans and integrate data resilience strategies. Amy stresses going back to the basics by regularly reviewing and updating DR plans and ensuring that all business processes are documented and tested. She also explains the magnitude of risks companies face today, highlighting the need for stakeholder and company-wide involvement in training and incident response planning.

Ralph Pasquariello is a Senior Partner at The Tech Collective, a technology solutions company. He works with the FBI, GBI, and US Secret Service on the Atlanta Cyber Fraud Task Force. Ralph is also the former Executive Committee Chairman for the Tech400 Cyber Symposium and an advisor to the Georgia Tech Research Institute. He has served and chaired on numerous boards and organizations. Ralph’s cyber liability expertise has qualified him to present at over 100 events. For the past 14 years, he has moderated and spoke at dozens of conferences and panels on cyber liability and data breach risk management. He’s hosted educational seminars on cyber exposure for professional associations of all industries, including operational technology and intellectual technology. In this episode… When a company undergoes a cyber attack, the repercussions are costly. From remediation and replacement costs to third-party damages and operational interruptions, cyber insurance aims to cover expenses businesses incur and help them stay afloat after a cyber event. Cyber insurance is a crucial part of security, yet many businesses remain underinsured, believing that compliance with third-party vendors and/or client contracts is sufficient. What coverage might your company be missing, and how can you ensure it’s optimal? Cyber insurance coverage may include more than basic security provisions, encompassing additional elements such as commercial crime, social engineering, ransomware, and fraudulent transfers. As cyber insurance requirements have become increasingly strict over the years — The Tech Collective helps companies navigate complex insurance applications, analyze optimal insurance coverage based on business-specific needs and risks, and perform a comparative industry analysis. In this week’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels welcome Ralph Pasquariello, Senior Partner at The Tech Collective, to talk about how companies can ensure optimal cyber insurance coverage. Ralph emphasizes that business security measures and contractual compliance are not equivalent to proper cyber insurance coverage. He also shares instances where insurance companies may deny claims and provides insight into carriers changing requirements.

Alexandria (Lexi) Lutz is the Senior Corporate Counsel at Nordstrom, where she advises the company on legal matters related to privacy, cybersecurity, and AI. Prior to Nordstrom, Lexi worked for a large national hotel brand and an international food service company. She is a Certified Information Privacy Professional in the US and Europe and holds the Charlotte Business Journal award for Outstanding Corporate Counsel in a large company. In this episode… 19 states have passed privacy laws, fundamentally altering how companies collect, share, and sell consumer data. And, as consumers become more aware of their privacy rights and how companies and their third-party vendors handle their data, retailers are at the forefront adapting their privacy programs, due diligence processes, and third-party contractual agreements to meet compliance requirements and maintain customer trust. What’s more, the new SEC cyber rules place even more security requirements on retailers’ relationships with third-party vendors, further complicating expectations. How can retailers navigate this complex regulatory landscape while providing the best experiences for their customers? Adapting privacy programs to evolving regulations is an intricate process requiring a company to evaluate its operations, size, and resources. No matter the circumstances, it’s crucial to maintain control over consumer information and ensure all third-party vendor contracts are up to date and transparent. And as retailers incorporate generative AI into their online and in-store shopping experiences, they should take extra steps to ensure personalization, efficiency, and protection are not lost. In this week’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels chat with Alexandria (Lexi) Lutz, the Senior Corporate Counsel at Nordstrom, how retailers can navigate privacy challenges, leverage AI, and maintain consumer trust in an increasingly complex regulatory environment. Lexi highlights how these regulations — including the SEC cyber rules — impact everything from third-party vendor due diligence and contractual requirements to in-house privacy programs and consumer data sharing and selling. She also discusses the implications of generative AI in retail, maintaining that it should enhance the shopping experience rather than replace human input.