Corporate & Transactions

Data Privacy, Cybersecurity & Artificial Intelligence

With data breaches and new technologies making headlines, Winthrop & Weinstine’s Data Privacy, Cybersecurity & Artificial Intelligence (AI) Practice helps clients navigate the most complex and most current data privacy legislation and regulations to manage their data privacy and cybersecurity risk.

Our Approach

Our experienced team of attorneys combines up-to-date legal acumen with the technological know-how to provide successful cybersecurity solutions. Members of our practice include attorneys recognized as Certified Information Privacy Professional/United States (CIPP/US), Certified Information Privacy Professional/Europe (CIPP/E), and Certified Information Privacy Manager (CIPM). In addition, our interdisciplinary team advises clients on the full range of matters that may arise in relation to data privacy and security, spanning counseling, regulatory compliance and enforcement by regulatory authorities, as well as litigation, should it arise.

Counseling and Compliance

Our team of experienced data privacy professionals works closely with clients on the front end to develop policies and procedures to enhance and protect security, reduce risk, and assess preparedness should a data security incident occur. We advise clients on the appropriate ways to collect, maintain, and use data for their businesses while still complying with the numerous data privacy laws in the United States and globally. We understand the complex laws that apply to businesses handling consumer data, as well as the growing number of regulations that now apply to employee data.

In addition, with the rise in adoption of artificial intelligence for both business and personal uses, we work with organizations to review and evaluate the terms and conditions of technology implemented from the legal side, and advise on the varied risks inherent in using AI technology by the business and its employees. Our experienced attorneys work closely with clients to develop generative AI policies and guidelines, tailoring each to the specific business needs and risk appetite.

  • Develop and implement privacy policies and procedures, including:
    • Consumer-facing website privacy policies
    • Acceptable use policies
  • Counsel on collection, maintenance, use, and retention of customer data
  • Advise on HR data compliance, including:
    • Employee privacy notices and rights
    • The use of artificial intelligence in the workplace and for employment-related decisions
  • Review, negotiate and draft contracts and other agreements (vendor agreements, cloud computing, SaaS agreements, data processing agreements (DPAs), and business associate agreements (BAAs))

Data Breach Response

We advise clients on ways to try to minimize the risks of a data breach. But if an incident does occur, we are ready to respond quickly and guide clients through complex investigative and notification requirements. We are also able to assist with coordination with forensics support, law enforcement, and internal company IT resources.


We guide clients who may be the subject of investigation by regulatory authorities, whether they have experienced a breach or not. We help clients respond to requests and interact with regulatory agencies, relying on our extensive experience that includes time working in the Attorney General’s office, as well as before a wide range of agencies, and the knowledge of strict policies and procedures that come along with audits and complaints.

  • Gramm-Leach-Bliley Act (GLBA)
  • Stored Communications Act (SCA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)
  • Computer Fraud and Abuse Act (CFAA)
  • Do Not Call Registry
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Trade Commission’s Red Flag Rule
  • The Fair and Accurate Credit Transactions Act (FACTA)
  • Automatic Renewal Laws (ARL)
  • Telephone Communications Protection Act (TCPA)
  • California Consumer Privacy Act 2018 (CCPA)
  • California Privacy Rights Act (CPRA)
  • Standard Contractual Clauses for data transfers under the GDPR
  • Minnesota Health Records Act (MHRA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • 42 CFR Part 2
  • Section 5 of the Federal Trade Commission Act
  • State consumer protection laws
  • Freedom of Information Act (FOIA)
  • Minnesota Government Data Practices Act
  • NAIC Insurance Data Security Model Law

Notable Experience

  • Represent corporate travel technology startup in connection with implementing policies and practices required by the GDPR
  • Represent international wearable IoT company in connection with HIPAA compliance
  • Drafted and reviewed HIPAA Security Manual for health care client
  • Advise direct mail marketing company regarding privacy and security issues in contracts and as required by applicable law in multiple jurisdictions
  • Created employee privacy notice and internal policies regarding HR data for international technology company
  • Advise incident response team of an international food manufacturing company
  • Assist regional engineering company in responding to ransomware incident, including coordination between multiple forensics vendors
  • Defended client in litigation brought in relation to a Business Email Compromise incident
  • Defend multiple clients in privacy-related litigation, including California Invasion of Privacy Act (CIPA) claims
  • Advised a digital marketing firm on developing a generative AI use policy
  • Evaluated AI tools to provide a risk assessment for a wellness wearable company