MARY ELLEN CALLAHAN, Partner Mary Ellen Callahan, Chair of Jenner & Block’s Privacy and Information Governance Practice, has unique and broad experience advising clients at the interface of privacy protection with cybersecurity and national security issues. A nationally recognized privacy attorney with a decade and a half of outside counsel experience, she served as Chief Privacy Officer of the U.S. Department of Homeland Security from 2009 until August 2012. She is a prolific writer and speaker on cutting-edge commercial privacy issues. She provides advice and counsel to an array of clients in industries that include media, public health and health care, manufacturing, online retail, government contracts, energy and other critical infrastructure sectors. Since returning to private practice, Ms. Callahan has assisted over two dozen clients on privacy- and cybersecurity-related matters. Her work includes providing up-front guidance on establishing compliance programs that reflect privacy policy and industry best practices. She has counseled companies on data governance issues, including use of customer and advertising data. She has advised industry associations on future privacy issues and measures to address cybersecurity vulnerabilities. In the rapidly growing area of mobile privacy, she has advised and written on privacy best practices and evolving standards and approaches. She counsels frequently on the Children's Online Privacy Protection Act, the Video Privacy Protection Act, compliance with the European Union Data Protection Directive and the implications for businesses of the emerging White House Framework on Critical Infrastructure Cybersecurity. Ms. Callahan regularly advises clients on requirements and protocols associated with data breaches. In 2015, Ms. Callahan was recognized by The National Law Journal as a “Trailblazer” in the areas of cybersecurity and privacy, as well as regulatory and compliance. In 2013, she accepted the highest award in the privacy industry, the Privacy Vanguard Award, given by the International Association of Privacy Professionals. The award honors the privacy professional who has demonstrated outstanding leadership, knowledge and creativity in privacy and data protection. In 2011, she received the select Federal 100 Award, which recognizes individuals in government and industry who have played pivotal roles in the federal government information systems community. Ms. Callahan’s work on integrating cybersecurity, transparency and privacy at the Department of Homeland Security was cited as the reason for her Federal 100 recognition. She is a prolific writer and speaker on privacy issues, including having testified before Congressional Committees numerous times in her capacity as Department of Homeland Security Chief Privacy/Chief FOIA Officer. Ms. Callahan has served as Vice-Chair of the American Bar Association's Privacy and Information Security Committee of the Antitrust Division; Co-chair of the Privacy Committee of the CIO Council, the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, sharing, and performance of Federal information resources; and Co-chair of the Privacy and Civil Liberties Subcommittee of the Information Sharing and Access Interagency Policy Committee. She is a Certified Information Privacy Professional/United States (CIPP/US).

MARY ELLEN CALLAHAN Partner WASHINGTON, DC Office: 202 639-6064 Fax: 202 661-4921 Email: [email protected] PRACTICE GROUPS Antitrust and Competition Law Consumer Law Content, Media & Entertainment Intellectual Property Litigation Nordic Practice Privacy and Information Governance INDUSTRY GROUPS Cybersecurity Education Energy EDUCATION University of Chicago Law School, J.D., 1997 University of Pittsburgh, B.Phil., 1990; magna cum laude, Truman Scholar (PA, 1988) ADMISSIONS District of Columbia, 1999 New York (inactive), 1998 COURT ADMISSIONS U.S. Supreme Court U.S. Court of Appeals, D.C. Circuit U.S. District Court, District of Columbia

©Copyright 2017 Jenner & Block LLP. Jenner & Block is an Illinois Limited Liability Partnership including professional corporations.

Prior to joining the Department of Homeland Security in 2009, as a partner in the DC office of an international law firm, Ms. Callahan focused on privacy, security, data protection, consumer protection, and e-commerce issues across a wide variety of industries including retail, technology, entertainment, financial services, health care, telecommunications and government contracts. She advised businesses, including multinational companies, on a variety of privacy and information governance issues, including privacy and security policies; performed audits of clients’ privacy and security policies as related to relevant state and federal legislation and created and implemented requisite compliance strategies and programs; and drafted website privacy policies and terms of use. Ms. Callahan is also experienced as a litigator and has represented clients before federal administrative agencies, in federal and state courts in the District of Columbia and in federal courts in Virginia and New York. She serves the firm as a member of the Diversity & Inclusion Committee and is a co-chair of the firm's Women's Forum Steering Committee. Her pro bono legal work has included assisting in the development of privacy policies, terms of use and communications strategies for non-profit entities. Representative matters include: Advice on privacy protections for biometric-based transportation screening program, and on its proposal to the Transportation Security Administration on a passenger-screening program. Counsel to major trade association on cybersecurity vulnerabilities in hospitals, development of association-wide educational campaign on cybersecurity and hospital assets, and development on standards following the 2013 Executive Order on Cybersecurity. Counsel to major Real-Time Bidding advertising platform on collection and use of information worldwide. Advice regarding mobile best practices, Children’s Online Privacy Protection Act, compliance with EU e-Privacy Directive and related Member State cookie laws, geo-location, Do-Not-Track, and novel approaches to ad serving. Advise a wide range of consumer-facing clients on privacy best practices and industry standards associated with the use of information, such as mobile application data including geolocation data, or home use products such as cable set-tops or energy smart meters Strategic advice to trade associations on major future privacy issues for online games and gaming developers; advice and analysis on mobile application best practices, multi-stakeholder processes, and Children’s Online Privacy Protection Act. Advise and assist major online companies in organizing its electronic assets, systematizing its use of customer, mobile, web, and vendor data; establishing standardized procedures for the introduction of new products or services. Additional advice on compliance with payment card industry data security standards (PCI-DSS), Children’s Online Privacy Protection Act, Video Privacy Protection Act, counseling on compliance with the European Union Data Protection Directive. Assist major media company in developing and establishing a Data Governance Council to encompass holistic data governance decisions including use of customer data, mobile application data, and advertising data; continuing counsel on how the decisions can be implemented. Additional advice on Children’s Online Privacy Protection Act, Video Privacy Protection Act, and compliance with the European Union Data Protection Directive. Advise and help structure a web data extraction program for a company developing a social media software prioritization service. Draft End User License Agreement, Service Provider Agreement, and Terms of Use. Develop social media acceptance use policies. Develop social media training. Counsel to major media company on data integration plans for newly-acquired assets; perform privacy reviews of assets prior to acquisition. Review of mobile applications and compliance with privacy policy and industry best practices. Review and analysis of international web properties, compliance with local laws, and compliance with worldwide privacy policy. Additional advice on Children’s Online Privacy Protection Act, mobile privacy standards,

2

and behavioral advertising. Awards Chambers USA Privacy and Data Security (Nationwide), 2007, 2008, 2014, 2015, 2016 Federal Computer Week Federal 100 Award, 2011 International Association of Privacy Professionals (IAPP) 2013 Privacy Vanguard Award Jenner & Block Mentorship Award, 2015 Legal 500 Media, Technology and Telecoms - Telecoms - Technology - Data Protection and Privacy, 2007, 2008, 2016 (Leading Lawyer) Media, Technology and Telecoms - Cyber Law, 2016 Member, Irish Legal 100, 2014, 2015 National Law Journal Regulatory and Compliance Trailblazer, 2015 Cybersecurity & Privacy Trailblazer, 2015 Washingtonian Magazine Best Lawyers, National Security, December 2013 Tech Titan, May 2013 Best Lawyers, Cybersecurity, December 2015 Community ABA Privacy and Information Security Committee, Antitrust Section, Vice Chair, 2013-2014 Capital Partners for Education, Board of Directors, 2013 - Present University of Pittsburgh Board of Trustees Trustee, 2009-Present International Association of Privacy Professionals (IAPP) Board of Directors, 2015 - Present Publications FTC Files Complaint Against D-Link, Alleging Failure to Take Reasonable Measures to Secure Routers and Internet Cameras, January 9, 2017 “Open House: Connected Homes and the Curtilage,” North Carolina Journal of Law & Technology, October 2016 Co-Author, “Consider Guidance on Wearable Devices,” Daily Journal, September 29, 2016 Co-Author, “HIPAA Enforcement Reaches Historic Levels,” Daily Journal, July 19, 2016

3

Client Alert: Bridging the Gap on Transatlantic Data Flows: European Commission Approves U.S. – EU Privacy Shield, Preparing for Implementation in August 2016, July 12, 2016 Co-Author, “FAA Final Rule Doesn’t Advance Drone Debate,” Daily Journal, June 29, 2016 Client Alert: TRACKED: FTC Enters Consent Decree with Ad Network InMobi Due to Geolocation Use, June 27, 2016 Client Alert: Hamburg DPA Assesses Fines for Non-Compliance with German Data Protection Law, June 6, 2016 Co-Author, “Class Certification Will be More Difficult, For Now,” Daily Journal, May 24, 2016 Client Alert: First Circuit Refuses to Narrow Free App User's Privacy Claims Under the VPPA, May 10, 2016 Co-Author, “What Sort of Risk is Enough to Place Information Under Seal?” Daily Journal, April 14, 2016 Co-Author, “FTC Reins in #misrepresentation,” Daily Journal, March 31, 2016 Co-Author, “Will the Judicial Redress Act Address Europeans’ Privacy Concerns?” IAPP Daily Dashboard, March 3, 2016 Co-Author, “Expect More ‘Ransomware’ Attacks in 2016,” Daily Journal, March 2, 2016 Client Alert: Transatlantic Agreement Translated: Language of U.S. - EU Privacy Shield Released, February 29, 2016 Client Alert: "Shielded: U.S. and EU Reach Political Agreement on New Framework for Transatlantic Data Flows", February 2, 2016 Co-Author, “Going Native with the FTC,” Daily Journal, January 14, 2016 Client Alert: "Key Provisions of Cybersecurity Act of 2015", December 18, 2015 Co-Author, “Big Deals Increasingly Mean Big Data,” Daily Journal, December 9, 2015 Co-Author, “Defense Department Imposes New Cyberobligations on Contractors,” Thomson Reuters’ Westlaw Journal, December 7, 2015 Co-Author, “Cyber Threat Info-Sharing Bill Advances,” Daily Journal, October 30, 2015 Data Transfer From The EU Just Got More Complicated, October 7, 2015 Co-Author, “When Is Computer Hacking Fraud?” Daily Journal, October 2, 2015 Co-Author, “Go Fourth! Cell Location Data Needs a Warrant,” Daily Journal, August 19, 2015 Client Alert: Final Pay Ratio Rule Doubles Down on Latitude for Companies; Requires Cross Border Privacy Analysis for Data of Foreign Employees, August 7, 2015 Co-Author, "St. Louis Picked Off Trying To Steal," Daily Journal, June 18, 2015 Client Alert: The More Things Change... More Amendments to State Data Breach Notification Laws, June 9, 2015 Client Alert: What's in Store? FTC Demands Accurate Privacy Promises From Retail Analytics, April 29, 2015 “Rulings Narrow Video Privacy Actions,” Daily Journal, April 23, 2015 “Data Breach Laws in Motion,” Daily Journal, March 18, 2015 “Better Privacy Through Identity Management,” Daily Journal, February 24, 2015

4

Hospitality and Gaming Legal Review 2015, February 5, 2015 “President Obama Kicking Up Cybersecurity Focus,” Privacy Perspectives, January 20, 2015 Client Alert - President Obama Announces New Privacy and Consumer Protection Initiatives, Highlights Student Privacy, January 13, 2015 Co-Author, “For Cybersecurity, Share and Share Alike,” Daily Journal, December 22, 2014 Staying the Course: FTC to Mediate with Wyndham on Data Security Practices, November 18, 2014 “Data Security Has a New Sheriff in Town,” Daily Journal, November 17, 2014 “Once More into the Breach (Report),” Daily Journal, November 7, 2014 “Higher Education Faces Unique Cybersecurity Challenges,” Edelman, October 14, 2014 Co-Author, “Cybersecurity Begins with the C-Suite,” Daily Journal, October 1, 2014 “Verizon Settlement Signals FCC’s Growing Privacy Focus,” Law360, September 11, 2014 Client Alert: Verizon Privacy Settlement Signals FCC’s Growing Privacy Focus, September 9, 2014 “Data Breach Déjà Vu,” Daily Journal, August 14, 2014 “‘Microlocating’ Shoppers and Privacy,” Daily Journal, August 8, 2014 “Mining for Big Data: What is Next for Data Brokers?” Daily Journal, June 25, 2014 Snap to It: Context Matters for Mobile App Developers’ Privacy and Security Promises, May 14, 2014 “Hulu Privacy Class Action Breathes New Life into an Old Law,” Daily Journal, May 6, 2014 “Heartbleed Hotel: Managing Internet Security Flaws,” Daily Journal, April 17, 2014 Co-Author, “How Do You Engineer Privacy? NIST Seeks Answers,” Privacy Perspectives, April 16, 2014 Client Alert: All Is Fair For The FTC: Court Upholds FTC’s Authority To Bring Claims For Unfair Data Security Practices, April 8, 2014 Client Alert: FTC Ratchets Up Data Security Standards Obligations for Mobile App Developers, April 1, 2014 "Is SEC Cybersecurity Guidance Working," Privacy Perspectives, March 28, 2014 Client Alert: Congress Considering SAFETY Act Amendment to Provide Liability Protection for Cyber Attacks, March 3, 2014 Hospitality and Gaming Legal Review 2013, February 25, 2014 NIST Releases First Cybersecurity Framework, but Questions Remain for Implementation, February 24, 2014 “SEC and Cybersecurity—What Publicly Traded Companies Need to Know,” Privacy Perspectives, February 5, 2014 “Dissecting the NIST Preliminary Cybersecurity Framework,” Financial Fraud Report, January 2014 What All The Privacy Reform Recommendations Really Mean, January 31, 2014 Client Alert: TICK TOCK: Deadline to Comply with California’s New Privacy Disclosures Nears, December 26, 2013

5

Client Alert: FTC Signals 2014 Enforcement Priorities: Mobile Apps and Native Advertising, December 11, 2013 Client Alert: New DFARS Rule Issued on Safeguarding Unclassified Controlled Technical Data, November 21, 2013 Client Alert: Dissecting the NIST Preliminary Cybersecurity Framework: What It Means, What’s Next, and What Companies Should Consider Before Adoption, October 23, 2013 “For Federal Privacy Programs, the Final Fair Information Practice Principle Is Crucial,” Privacy Perspectives, August 28, 2013 Client Alert: Mobile Privacy Landscape Shifts Again: Three New Codes Suggest Three Consensus Points and Three Themes for Consideration, August 6, 2013 “Mobile Privacy Initiatives and Actions Cloud the Future, Creating a Patchwork Landscape of Policy and Regulatory Prospects,” Communications Lawyer, June 2013 Client Alert: Pay to Play? New FTC Guidance Warns of Mixing Paid and Natural Search Results, July 8, 2013 “Child Privacy and Online Business,” Daily Journal, June 14, 2013 “Designing Privacy Everywhere: Whirlwind Excursions Discussing Privacy Integration,” Privacy Perspectives, May 10, 2013 Client Alert: Is Your Organization Adequately Protected Against Liability Under The New HIPAA “Omnibus” Regulations—Risk Mitigation Considerations, May 2, 2013 "Oh, the Places You’ll Go! Mobile Privacy Developments and Paths for Companies," IAPP Privacy Perspectives, March 13, 2013 Client Alert: FTC on the Move: Mobile Enforcement and Policy Recommendations Demonstrate Heightened Interest in Mobile Privacy Issues, February 21, 2013 Client Alert: President Obama Issues Executive Order on Cybersecurity; Cyber Threat To Critical Infrastructure A Matter Of National Security, February 13, 2013 “Both Sides of the Atlantic Reconsider Privacy,” Privacy Trends 2013: The Uphill Climb Continues, February 2013 Client Alert: California Attorney General Released Comprehensive Mobile Privacy Recommendations that Affect the Entire Mobile Industry, January 10, 2013 Client Alert: Tenth Circuit Decision Limits ECPA Liability of ISPs for Privacy Violations by Third Party Partner, January 8, 2013 Client Alert: What Contractors Should Know About The FY 2013 National Defense Authorization Act, January 7, 2013 Client Alert: TCPA Allows One-Time Text Messages to Cell Phones Confirming Opt-Out, December 5, 2012 Client Alert: Mobile Application Developers Beware: California Attorney General Sending Notices to Major Developers on Non-Compliance with CA Law, November 9, 2012 “EU and US Eye Privacy in Parallel," The Lawyer, September 17, 2012

6

Speaking Engagements Panelist, “Do We Know What Reasonable Security Is Now?” International Association of Privacy Professionals’ Practical Privacy Series, December 07, 2016 Panelist, “The Future of Antitrust – A Preview from the U.S. Presidential Transition Task Force,” American Bar Association Fall Forum, November 17, 2016 “Privacy Basics for Contracting Professionals,” Federal Publications Seminars, November 17, 2016 Panelist, “Secure Flight: Assessing and Assuring Aviation and Airport Security,” American Bar Association’s Forum on Air &Space Law, September 15, 2016 Panelist, “Practical Solutions for Managing an International Privacy Program," reprise, June 21, 2016 “Privacy Basics for Contracting Professionals,” Federal Publications Seminars, May 18, 2016 Panelist, “Briefing on Assessment Processes to Achieve Assurance that Data Use is Legitimate and Not Unfair,” Information Accountability Foundation, May 12, 2016 Panelist, “Cloud Computing 2016: Key Issues and Practical Guidance,” Practising Law Institute, May 09, 2016 Moderator, “Privacy and Civil Liberties Interim Guidelines,” ABA Public Contract Law Section’s Cybersecurity, Privacy and Data Protection Committee, May 03, 2016 Panelist, Global Privacy Summit 2016, IAPP, April 05, 2016 Moderator, 8th annual Global Ethics Summit, Ethisphere, March 09, 2016 Keynote Speaker, “OPEN HOUSE: Connected Homes and the Curtilage of the Home,” 2016 Symposium: Privacy of the Home and the Internet of Things, February 19, 2016 Panelist, “On the Digital Battlements – Dealing with Hackers, Enemy States, and the U.S. Government,” 13th Annual Entertainment and Media Law Conference, January 14, 2016 Panelist, “One (Private) Life to Live,” Chicago CISO Executive Summit, December 02, 2015 Moderator, “Emerging Technology and Executive Order 12333,” 25th Annual Review of the Field of National Security Law, November 06, 2015 “Privacy Basics for Contracting Professionals,” Federal Publications Seminars, November 05, 2015 “Privacy Bridges,” 37th International Privacy Conference, October 29, 2015 Moderator, “An EU Court Just Sank the US Digital Safe Harbor: Must Congress Pass an Internet Privacy Law Now?” Congressional Internet Caucus Advisory Committee and the Congressional Internet Caucus, October 16, 2015 Panelist, “Current Data Breaches and Their Lessons for RIM,” ARMA International 60th Annual Conference and Expo, October 07, 2015 Panelist, Cybersecurity panel, KOMO-TV, September 15, 2015 “Developing Issues in Global Privacy and Risk Management,” Lawline, August 13, 2015 “Cyber Security Hot Topics: Perspectives from In House Counsel and Division Counsel for the FBI,” Minnesota State Bar Association, May 28, 2015

7

Moderator, “Insider Threats & Monitoring: Privacy, Civil Liberties & Wiretap Issues,” Georgetown Law Continuing Legal Education, May 20, 2015 “Cloud Computing 2015: Key Issues and Practical Guidance,” Practising Law Institute, May 11, 2015 “Competition Law Issues Around Big Data,” 63rd American Bar Association Section of Antitrust Law Spring Meeting, April 15, 2015 “Hot Topics in Privacy and Data Protection,” 20th Annual Litigators Forum, April 14, 2015 “Cybersecurity and Privacy: Complementary – Not Mutually Exclusive – Concepts,” Computing Community Consortium, March 19, 2015 Third Annual Information and Cyber Governance, Data Analytics and Privacy Briefing, March 18, 2015 “Big Data and Discrimination,” Wal-Mart, January 28, 2015 “Women Partner Branding 201: Taking it to the Next Level,” Professional Development Institute, December 04, 2014 “A High Stakes Balancing Act: The Ethical Considerations of Managing the Attorney Client Privilege in a Data or Security Breach,” ConAgra Foods Institute on Law and Policy, December 03, 2014 “Data Breach and Cyber Security – Why Wholesalers Should Care,” National Association of Wholesalers-Distributors Billion Dollar Company CIO Roundtable, December 03, 2014 “Think Like a Lawyer, Talk Like a Geek 2014: Get Fluent in Technology,” Practising Law Institute, November 17, 2014 “Privacy and Information Security Update,” American Bar Association Section of Antitrust Law, October 21, 2014 “Data Breach 911: Reality Check on Your Cyber Incident Response Planning,” Jenner & Block, October 15, 2014 “The SEC and Cybersecurity: What Every Publicly Traded Company Must Know,” D.C. Bar, October 08, 2014 “Integrating Security and Privacy Considerations into Client Services, Products and Day-To-Day Operations,” Washington Metropolitan Area Corporate Counsel Association’s Data Privacy & Security Conference, September 16, 2014 “Privacy, Cyber-security and Ethical Concerns,” Practising Law Institute, September 10, 2014 “First Chair Awards Conference,” First Chair, Chicago, IL, August 27, 2014 “Cloud Computing 2014: Key Issues and Practical Guidance,” Practising Law Institute, June 09, 2014 "FTC v. Wyndham and the Future of the FTC's Unfairness Doctrine Applied to Data Breaches," Practising Law Institute, June 03, 2014 “Cut Through the Fluff & Tackle the Critical Stuff – Privacy and Data Security," Practising Law Institute, May 09, 2014 “Behaviour: Privacy in Perspective," Contagious Magazine 2014 Now/Next/Why Conference, May 08, 2014 “Data Transfer in Multi-National Companies – Ensuring Compliance Across Jurisdictions," Association of Corporate Counsel, May 07, 2014 Moderator, “White Collar Crime ǀ Corporate Governance,” Law Bulletin Seminar, April 17, 2014 “Corporate Counterterrorism: The Role of Private Companies In National Security,” Washington College of Law’s Business Law Review, March 28, 2014

8

Panelist, ABA Antitrust Spring Meeting, March 26, 2014 Panelist, ABA Federal Procurement Institute, March 21, 2014 Panelist, “Managing Reputation Fallout After a Data Breach,” Edelman, March 11, 2014 Panelist, The 2014 IAPP Privacy Summit, March 07, 2014 Panelist, RSA Conference USA 2014: NSA And Privacy, February 27, 2014 Panelist, Milken Institute Associates Speaker Series, November 07, 2013 “The Innovation Economy: Information Revolution - A Policy Forum on the Use of Big Data in Homeland Security,” Bipartisan Policy Center and Intel Corp, October 30, 2013 “Protecting Your Business From Within,” TechLaw Group, Inc. and Jenner & Block, October 09, 2013 to October 11, 2013 "Emerging Technology and Privacy Questions,” National Foundation for Judicial Excellence’s 9th Annual Judicial Symposium, July 20, 2013 TechLaw Spring Meeting; GlobSec 2013, April 19, 2013 to April 20, 2013 “Cybersecurity: Protecting Government, Financial and Critical Infrastructure,” National Association of Attorneys General, April 15, 2013 “The Government and Your Personal Information – Balancing Privacy, National Security and the Public Interest,” 8th Annual Privacy and Data Security Symposium, March 20, 2013 “Drawing Lines in the Cloud: Jurisdictional Access to Data,” IAPP Global Privacy Summit, March 07, 2013 “Charting the Future: What to Expect from Big Data,” Journal of National Security Law & Policy and Center on National Security and the Law Symposium, February 27, 2013 ACI conference; ABA conference, February 05, 2013 to February 07, 2013 “Privacy Risks in Social Media Marketing,” Metrowest Privacy Group, January 11, 2013 Privacy and Information Security Monthly Update - ABA Section of Antitrust Law-Privacy & Information Security, Corporate Counseling, Consumer Protection, and Private Advertising Litigation Committees, November 30, 2012 "Extent of Burdens and Expenses in Complying with Conflicting EU Privacy and US Discovery Laws," and "Recent Developments in EU and Other Regions’ Privacy Laws," Duke Protected-Privacy Data Conference, Duke University School of Law’s Center for Judicial Studies, November 29, 2012 "Privacy Regulation and Policy Perspectives," The John Marshall Law School 20th Belle R. and Joseph H. Braun Memorial Symposium: The Development of Privacy Law from Brandeis to Today, Chicago, IL, September 28, 2012 "Accountability in Complex Organizations," International Association of Privacy Professionals Teleconference, September 27, 2012 "Service Provider Risks: How to Protect Your PII When Dealing with Third Parties," International Association of Privacy Professionals, Los Angeles, CA,

9