
Data Privacy, Cybersecurity & Artificial Intelligence

Winthrop & Weinstine provides a wide range of data privacy and security legal services as cybersecurity threats mount around the world. With data breaches making headlines, Winthrop & Weinstine’s Data Privacy, Cybersecurity & Artificial Intelligence (AI) Practice helps clients navigate the most complex and most current data privacy legislation and regulations, including global privacy regimes such as the General Data Protection Regulation (GDPR), to manage their data privacy and cybersecurity risk.

Our Approach

Our experienced team of attorneys combines up-to-date legal acumen with the technological know-how to provide successful cybersecurity solutions. Members of our practice include attorneys recognized as Certified Information Privacy Professional/United States (CIPP/US), Certified Information Privacy Professional/Europe (CIPP/E), and Certified Information Privacy Manager (CIPM). In addition, our interdisciplinary team advises clients on the full range of matters that may arise in relation to data privacy and security, spanning counseling, regulatory compliance and enforcement by regulatory authorities, as well as litigation, should it arise.


Our team of experienced data privacy professionals works closely with clients on the front end to develop policies and procedures to enhance and protect security, reduce risk, and assess preparedness should a data security incident occur. We advise clients on the appropriate ways to collect, maintain, and use data for their businesses while still complying with the many, and increasing, data privacy laws in the United States and globally.

In addition, with the rise in adoption of artificial intelligence for both business and personal uses, we work with organizations to review and evaluate the terms and conditions of technology implemented from the legal side, and advise on the varied risks inherent in using AI technology by the business and its employees. Our experienced attorneys work closely with clients to develop generative AI policies and guidelines, tailoring each to the specific business needs and risk appetite.

  • Develop and implement policies and procedures
  • Assess preparedness and advise on changes
  • Counsel on collection, maintenance, use, and retention of data
  • Review, negotiate and draft contracts and other agreements (vendor agreements, cloud computing, SaaS agreements, and business associate agreements)
  • Website privacy policies
  • Generative AI use policies

Compliance and Investigations

Privacy laws apply to nearly everyone who controls personal data – including your business. With the alphabet soup of state, federal and international laws, often with overlapping and different requirements, it can be challenging to keep up with all of the compliance needs. Our team is well-versed in these laws, and advises clients on appropriate protection of personal information, protected health information, and other private data under those laws. In addition, we guide clients who may be the subject of investigation by regulatory authorities, whether they have experienced a breach or not. We help clients respond to requests and interact with regulatory agencies, relying on our extensive experience that includes time working in the Attorney General’s office, as well as before a wide range of agencies, and the knowledge of strict policies and procedures that come along with audits and complaints.

  • Gramm-Leach-Bliley Act (GLBA)
  • Stored Communications Act (SCA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)
  • Computer Fraud and Abuse Act (CFAA)
  • Do Not Call Registry
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Trade Commission’s Red Flag Rule
  • The Fair and Accurate Credit Transactions Act (FACTA)
  • Automatic Renewal Laws (ARL)
  • Telephone Communications Protection Act (TCPA)
  • California Consumer Privacy Act 2018 (CCPA)
  • California Privacy Rights Act (CPRA)
  • Standard Contractual Clauses for data transfers under the GDPR
  • Minnesota Health Records Act (MHRA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • 42 CFR Part 2
  • Section 5 of the Federal Trade Commission Act
  • State consumer protection laws
  • Freedom of Information Act (FOIA)
  • Minnesota Government Data Practices Act
  • NAIC Insurance Data Security Model Law

Notable Experience

  • Represent corporate travel technology startup in connection with implementing policies and practices required by the GDPR
  • Represent international wearable IoT company in connection with HIPAA compliance
  • Drafted and reviewed HIPAA Security Manual for health care client
  • Advise incident response team of an international food manufacturing company
  • Assisted communications company with a potential data security incident
  • Defended client in litigation brought in relation to a Business Email Compromise incident
  • Advised a digital marketing firm on developing a generative AI use policy
  • Evaluated AI tools to provide a risk assessment for a wellness wearable company