20-Year Federal Cyber Attorney: We're Close to Tipping Point in Privacy

Helen Goff Foster, partner, Davis Wright Tremaine (Courtesy photo)

Helen Goff Foster, the newest partner in the privacy and security practice at Davis Wright Tremaine, believes a slew of new U.S privacy and cybersecurity laws are on the horizon. But she worries that legislatures may do more harm than good when trying to protect their constituents' data.

Foster isn't the type one would expect to doubt government's role in privacy matters. After all, over the past two decades, she has worked as a senior attorney at the Federal Trade Commission, senior director of privacy policy and advocacy at the Department of Homeland Security, director for privacy and civil liberties in the Obama administration, deputy assistant secretary for privacy at the U.S. Department of Transportation and, most recently, chief privacy and FOIA officer at the U.S. Department of Housing and Urban Development.

Legaltech News caught up with Foster on the heels of her move to Davis Wright to discuss her concerns with legislating privacy, her views on international data regulations and why she believes the U.S. is at a tipping point when it comes to data protection laws.

Legaltech News: Why leave the government service to join the private sector?

Helen Goff Foster: To me, I don't see a lot of distinction between one or the other. I go for a challenge, and I want to keep myself sharp, so private practice was the right step for me. I'm not saying I wouldn't go back, because you never know, but this was the right step for me as a professional.

What will you be up to at Davis Wright?

As one of the senior partners in the privacy and security group, we have all kinds of institutional private sector clients that need privacy and cybersecurity advice and advice on handling enforcement actions by regulators, state attorneys general and others in that space.

What do you believe is the biggest privacy or cybersecurity threat facing the private sector today?

The biggest threat is a rush toward “one-size-fits-all” solutions from every side of the debate. People have become very concerned about privacy and cybersecurity over the last few years, and anxiety has been increasing. It kind of produces this environment where we have to jump in and legislate, where we have to have a solution for this particular problem.

In the U.S. business model, innovation has always been the key to success. Privacy and cybersecurity requirements have to enable that—they can't fetter innovation, they can't be in the way of technology or convenience or service delivery. They have to be a part of innovation.

How did the privacy policies you helped implement at the Department of the Treasury and HUD relate to the EU's General Data Protection Regulation?

The federal Privacy Act of 1974 is what controls the government's use and collection of personal data. It's very different from what you see on the private sector side, because it's about how the government interacts with individuals. It is the spiritual predecessor of GDPR: It is a broadly applicable statue that evidences the same principles, like the right of access and the ability to correct inaccuracies, with an emphasis on transparency and responding to individual complaints.

When I picked up GDPR for the first time and read it, I had this déjà vu moment of, “This is what I do right now.”

EU lawmakers have talked about invalidating the Privacy Shield because of insufficient U.S. privacy practices. Do you think this will happen?

I avoid making predictions, but I absolutely think the U.S. and EU are going to work this out, because they both want to work this out. We have a long history in the privacy and cybersecurity space of finding solutions with the EU and finding collaborative solutions.

There are dozens of examples. The one I am most familiar with is the Terrorist Finance Tracking Program agreement, where everybody thought it was not going to happen. And you know what? The EU and U.S. rolled up their sleeves, and we got it done, and it was a great agreement that I was proud work to on.

This is going to go the same way. We'll have to grapple with it and it will be messy and hard, but at the end, the interested parties are all aligned and everyone wants to get it done.

Do you believe GDPR-like state privacy laws, like the one recently passed in California, will become more widespread in the years to come?

I have spent a lot of time with the California law already, even though it will not become effective until 2020. It is clear to me that, with the entire debate that went on in California and the discussion that's still going on, that we are a critical tipping point here.

Privacy and data security are in the foremost of people's minds in a way that hasn't happened in a long time. It's creating this kind of anxiety over what we are going to do, and in the absence of federal legislation, states will act. The best example of that is the data breach notification laws we now have all 50 states.