Data Privacy, Cybersecurity & Artificial Intelligence

With data breaches and new technologies making headlines, Winthrop & Weinstine’s Data Privacy, Cybersecurity & Artificial Intelligence (AI) Practice helps clients navigate the most complex and most current data privacy legislation and regulations to manage their data privacy and cybersecurity risk.

Our Approach

Our experienced team of attorneys combines up-to-date legal acumen with the technological know-how to provide successful cybersecurity solutions. Members of our practice include attorneys recognized as Certified Information Privacy Professional/United States (CIPP/US), Certified Information Privacy Professional/Europe (CIPP/E), and Certified Information Privacy Manager (CIPM). In addition, our interdisciplinary team advises clients on the full range of matters that may arise in relation to data privacy and security, spanning counseling, regulatory compliance and enforcement by regulatory authorities, as well as litigation, should it arise.

Counseling and Compliance

Our team of experienced data privacy professionals work closely with clients on the front end to develop policies and procedures to enhance and protect security, reduce risk, and assess preparedness should a data security incident occur. We advise clients on the appropriate ways to collect, maintain, and use data for their businesses while still complying with the numerous data privacy laws in the United States and globally. We understand the complex laws that apply to businesses handling consumer data, as well as the growing number of regulations that now apply to employee data as well.

In addition, with the rise in adoption of artificial intelligence for both business and personal uses, we work with organizations to review and evaluate the terms and conditions of technology implemented from the legal side, and advise on the varied risks inherent in using AI technology by the business and its employees. Our experienced attorneys work closely with clients to develop generative AI policies and guidelines, tailoring each to the specific business needs and risk appetite.

Develop and implement privacy policies and procedures, including:
- Consumer-facing website privacy policies
- Acceptable use policies
Counsel on collection, maintenance, use, and retention of customer data
Advise on HR data compliance, including:
- Employee privacy notices and rights
- The use of artificial intelligence in the workplace and for employment-related decisions
Review, negotiate and draft contracts and other agreements (vendor agreements, cloud computing, SaaS agreements, data processing agreements (DPAs), and business associate agreements (BAAs))

Data Breach Response

We advise clients of ways to try to minimize the risks of a data breach. But if an incident does occur, we are ready to quickly respond and guide clients through complex investigative and notification requirements. We are also able to assist with coordination with forensics support, law enforcement, and internal company IT resources.

Investigations

We guide clients who may be the subject of investigation by regulatory authorities, whether they have experienced a breach or not. We help clients respond to requests and interact with regulatory agencies, relying on our extensive experience that includes time working in the Attorney General’s office, as well as before a wide range of agencies, and the knowledge of strict policies and procedures that come along with audits and complaints.

Gramm-Leach-Bliley Act (GLBA)
Stored Communications Act (SCA)
Health Insurance Portability and Accountability Act (HIPAA)
Fair Credit Reporting Act (FCRA)
Computer Fraud and Abuse Act (CFAA)
Do Not Call Registry
Family Educational Rights and Privacy Act (FERPA)
Federal Trade Commission’s Red Flag Rule
The Fair and Accurate Credit Transactions Act (FACTA)
Automatic Renewal Laws (ARL)
Telephone Communications Protection Act (TCPA)
California Consumer Privacy Act 2018 (CCPA)
California Privacy Rights Act (CPRA)
Standard Contractual Clauses for data transfers under the GDPR
Minnesota Health Records Act (MHRA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
42 CFR Part 2
Section 5 of the Federal Trade Commission Act
State consumer protection laws
Freedom of Information Act (FOIA)
Minnesota Government Data Practices Act
NAIC Insurance Data Security Model Law

Notable Experience

Represent corporate travel technology startup in connection with implementing policies and practices required by the GDPR
Represent international wearable IoT company in connection with HIPAA compliance
Drafted and reviewed HIPAA Security Manual for health care client
Advise direct mail marketing company regarding privacy and security issues in contracts and as required by applicable law in multiple jurisdictions
Created employee privacy notice and internal policies regarding HR data for international technology company
Advise incident response team of an international food manufacturing company
Assist regional engineering company in responding to ransomware incident, including coordination between multiple forensics vendors
Defended client in litigation brought in relation to a Business Email Compromise incident
Defend multiple clients in privacy-related litigation, including California Invasion of Privacy Act (CIPA) claims
Advised a digital marketing firm on developing a generative AI use policy
Evaluated AI tools to provide a risk assessment for a wellness wearable company

Dedicated Attorneys and Professionals

Shareholder

Lisa B. Ellingson P / 612.604.6573 E / [email protected]

Shareholder

Gerald H. Fornwald P / 612.604.6584 E / [email protected]

Shareholder

Nadeem W. Schwen P / 612.604.6456 E / [email protected]

Counsel

Jacob S. Woodard P / 612.604.6775 E / [email protected]

Associate

Emily A. Lauer P / 612.604.6774 E / [email protected]