On March 2, 2021, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act. In doing so, Virginia became the second state to enact a comprehensive consumer privacy law.
As Chair of Fredrikson & Byron’s Data Protection & Cybersecurity group, Sten partners with clients to address two of their most significant risks — cybersecurity and privacy.
Sten assists clients in proactively mitigating the risk of cybersecurity incidents and data breaches, including by developing information security programs and policies. And in the event a client suspects a data breach, he leads and coordinates the breach response, counsels the client on notification obligations to affected individuals, customers or third parties, and assists in the response to legal and regulatory inquiries. Sten also helps clients navigate the myriad legal obligations relating to the data they process, such as complying with national and international data privacy laws, developing and implementing security and privacy policies and procedures, and evaluating security and privacy risks associated with company practices, corporate mergers and acquisitions, and new products and technologies (including those involving big data and artificial intelligence). Sten is a Certified Information Privacy Professional accredited by the International Association of Privacy Professionals and serves as counsel to the Firm on privacy and security issues.
Sten’s litigation practice involves representing clients in data protection, privacy and cybersecurity-related disputes. Sten has tried cases in state and federal courts and represented clients before various appellate courts.
Sten has received numerous accolades during his career, including being named an “Attorney of the Year” in 2015 by Minnesota Lawyer and a “Rising Star” from 2012-2017 by Super Lawyers magazine. Sten also led a team of Fredrikson lawyers in a high-profile pro bono human trafficking lawsuit, for which the team was awarded the Global Pro Bono Dispute of the Year and Global Citizenship Awards by The American Lawyer magazine.
Cyber Incident Planning, Investigation, and Response
Sten has assisted myriad clients in preparing for and responding to cybersecurity incidents. Through such matters, Sten has assisted clients in navigating the breach notification laws for all 50 states, Canada, and the European Union, and has formed strong working relationships with law enforcement, IT security vendors, and public relations companies. Some of Sten’s representative experience includes:
- Represented manufacturing company in responding to a phishing attack involving in the potential compromise of sensitive HR data relating to 15,000+ employees located throughout the U.S. and Canada, which occurred during the company’s acquisition by a third party.
- Advised major franchisee in responding to sophisticated compromise involving servers containing data on 5000+ current and former employees located in multiple states.
- Assisted public company in resolving a wire transfer fraud with seven-figure losses as the result of a spearphishing campaign against a vendor.
- Served as outside cybersecurity counsel to device company on various issues, including updating its incident response plan and procedures, preparing cyber risk disclosures for the Company’s SEC filings, and navigating critical infrastructure vulnerability sharing requirements.
As a Certified Information Privacy Professional, Sten regularly advises clients regarding state, federal, and international laws pertaining to the privacy of personal information. Some of Sten’s representative experience includes:
- Served as outside privacy counsel to dozens of consumer business across industries in analyzing, developing, and coordinating compliance plans for the CCPA and GDPR. By way of example, counsel to major managed services and utility companies in CCPA assessment and compliance efforts.
- Assisted advertising, marketing and ad-tech companies in assessing implication of, and complying with, privacy laws relating to personal information processing practices.
- Represented numerous clients in drafting and negotiating privacy- and security-related provisions for vendor and service provider contracts.
- Assisted major non-profits and ed-tech companies in compliance with privacy laws relating to children and students, including COPPA and FERPA.
Data Privacy and Security-Related Mergers and Acquisitions
Sten has assisted clients in analyzing and mitigating potential data privacy and security risks in connection with hundreds of M&A deals across industries, as well as advising on post-closing remediation and compliance strategies.
Articles & Presentations
February 24, 2021
On February 22, 2021, Representative Steve Elkins introduced a major new privacy bill (HF 1492) in the Minnesota House of Representatives containing significant privacy obligations for businesses to which it applies.
July 20, 2020
The European Union’s sweeping privacy law, the General Data Protection Regulation, prohibits transfers of personal data to the United States unless the company transferring the data has provided legally-appropriate safeguards. One mechanism that many companies—over 5,000 in total—have relied upon to safeguard such transfers is the EU-U.S. Privacy Shield framework. That safeguard is no longer valid.
June 5, 2020
Do I need to worry about employee privacy if I implement health screenings, contact tracing or similar protective measures when my employees return to work?
May 20, 2020
What should companies do to mitigate the security risks of a remote workforce?
September 4, 2018
By Karla L. Reyerson & Sten-Erik Hoidal
Community banks are no strangers to privacy and data security laws. The latest trends in privacy laws, however, are not limited to certain industries, and they include privacy rights for consumers that could have a significant impact on how companies treat customer information.
July 3, 2018
On June 28, California enacted a sweeping new privacy law that will have significant implications for companies across the country.
March 9, 2018
On February 21, the SEC adopted new interpretive guidance (the Guidance) to assist public companies in preparing disclosures about cybersecurity risks and incidents.
July 17, 2017
New cybersecurity regulations impacting broker-dealers and investment advisers in Colorado went into effect over the weekend.
March 10, 2015
It’s an unfortunate fact of modern life—hacks happen. And they will continue to happen. For companies, the risks cybersecurity incidents pose to both business and brand cannot be underestimated. Given the sharp increase in such incidents during 2014—up at least 50 percent, with some experts estimating as many as 42.8 million incidents—there is a growing expectation that companies have the right tools in place to respond effectively.
PUBLICATIONS & PRESENTATIONS
- Presenter, “Cybersecurity Basics: What Every Health Care Lawyer Should Know about Current Threats,” Fredrikson & Byron’s Health Law Webinar Series, January 19, 2022
- Author, “Businesses Face New Obligations Under Web of Privacy Laws,” Star Tribune, May 4, 2021
- Presenter, “Targeting the C-Suite: Business Email Compromises – Prevent, Identification, and Response,” 2020 Midwest Legal Conference on Privacy & Data Security, February 14, 2020
- Co-presenter, “Cybersecurity Due Diligence in M&A,” DealLawyers.com Webcast, January 23, 2020
- Panelist, “Privacy and Security in Cross-Border Investigations,” Fredrikson & Byron’s Cross-Border Investigations Seminar, November 12, 2019
- Presenter, “Mergers and Acquisition Trends: What You Need to Know about Privacy & Security,” Association of Corporate Counsel, Iowa Chapter, May 31, 2019
- Co-presenter, “GDPR, CCPA, and the Coming Wave of Privacy Regulations: Risk or Opportunity?,” Minnesota High Tech Association Annual Spring Conference, May 9, 2019
- Co-presenter, “The Rise of Privacy: Oversight, Compliance and Management,” Fredrikson & Byron program co-hosted with Baker Tilly, March 8, 2019
- Co-presenter, “The Rising Tide of Individual Privacy Rights: What Does It Mean for Minnesota Businesses?,” Association of Corporate Counsel Minnesota Lunch & Learn, January 17, 2019
- Co-presenter, “Focus on Privacy and Data Security within a Healthcare Transaction,” Health Law Practicum, December 10, 2018
- Quoted in “Navigating State Patient Data Privacy Laws Will Only Get More Challenging,” MedCity News, November 13, 2018
- Co-presenter, “What’s Trending in the World of Advertising Law?,” Fredrikson & Byron program co-hosted with Ad Fed, September 13, 2018
- Presenter, “Hot Topics: What You Need to Know Now – GDPR,” Fredrikson & Byron program co-hosted with Ad Fed, September 13, 2018
- Co-presenter, “M&A Transactions: Due Diligence, Reps and Warranties Related to Data Privacy and Cyber Security,” Minnesota CLE, September 7, 2018
- Moderator, “Don’t be Caught Off Guard: Strategies to Manage Risk for Investment Advisors,” Fredrikson & Byron program co-hosted with Charles Schwab and BMO Global Asset Management, June 26, 2018
- Panelist, “Data as Asset, Key Issues Driving the M&A Market,” Fredrikson & Byron Seminar, June 19, 2018
- Co-presenter, “New SEC Guidance on Cybersecurity Disclosures,” Strafford Webinar, June 12, 2018
- Co-presenter, “M&A Transactions: Due Diligence, Reps and Warranties Related to Data Privacy and Cybersecurity,” 2018 Midwest Legal Conference on Privacy and Data Security, January 26, 2018
- Co-presenter, “Protecting your practice: A cybersecurity roundtable,” BMO Global Asset Management, December 13, 2017
- Presenter, “Cyber Insurance,” Minnesota Bar Association, 2017 Technology Law Institute, November 15, 2017
- Presenter, “A Primer on Cybersecurity Risk Mitigation and Incident Response,” ISBA Business Law Section/University of Iowa College of Law Business Law Symposium, November 3, 2017
- Speaker, “Data Security Series: Developing and Implementing a Data Breach Response Plan – Best Practices to Minimize the Impact of a Breach,” Minnesota CLE, October 17, 2017
- Moderator, “Cybersecurity Risk Management – What Boards Need to Know,” Society for Corporate Governance, Twin Cities Chapter Meeting, October 5, 2017
- Co-presenter, “The Three Most Overlooked Cybersecurity Risks: Human Factors, Information Control and Third-Party Vendors,” Association of Corporate Counsel Minnesota Lunch & Learn, September 12, 2017
- Co-presenter, “Cyber Liability: What the Board Needs to Know,” Minnesota High Tech Association Spring Conference, May 9, 2017
- Panelist, “Practical Steps to Minimize Risks and Respond to Breaches,” Fredrikson & Byron Strategies to Manage Cybersecurity Risks for the Financial Industry Seminar, February 1, 2017
- Co-presenter, “Avoiding an Incident Response Hangover: Data Breaches and Departing Employees,” Cybersecurity and Trade Secrets Group Event, Surly Brewing, May 17, 2016
- Co-presenter, “Insider Threats: Identifying and Deterring Company Information Theft,” Fredrikson & Byron’s 31st Annual Employment & Labor Law Seminar, November 6, 2015
- Co-presenter, “Protecting Your Company From A Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact,” Iowa Association of Corporate Counsel, Corporate Counsel Forum, October 30, 2015
- Presenter, “Developing and Implementing a Data Breach Response Plan: Best Practices to Minimize the Impact of a Breach,” Minnesota CLE, Data Breach Preparedness and Response Seminar, October 2, 2015
- Co-author, “Ten Actions You Can Take Now to Protect Your Company’s Trade Secrets,” Networked Lawyers Blog, May 2015
- Co-presenter, “Protecting Trade Secrets and Confidential Information: What Businesses Can and Should Be Doing from Prevention to Enforcement,” Business Law Institute, May 4, 2015
- Panel Member, “Computer Crime: How Are We Vulnerable?,” Lockton, May 1, 2015
- Co-presenter, “Insulate Your Company from a Cyber Breach – Proactive Steps to Minimize Breach Risks & Impact,” Association of Corporate Counsel – Minnesota Chapter, February 19, 2015
- Panel Member, “Trade Secret Theft from Prevention to Enforcement,” Minnesota IP Institute, September 19, 2014
- Presenter, “Practical Perspectives: Trade Secret Theft from Prevention to Enforcement,” February 27, 2014
- Presenter, “You Love it, You Hate it. Now you Have to Live With it,” William Mitchell College of Law e-Discovery Conference, October 4, 2013
- Presenter, “Data Protection: How Employers Can Ensure a New Hire Isn’t Bringing Data from a Previous Employer,” Association of Corporate Counsel – Minnesota Chapter, October 1, 2013
Honors & Education
- University of Minnesota Law School, J.D., cum laude
- The Colorado College, B.A. Environmental Science, cum laude
- Minnesota, 2006
- New York, 2005 (inactive)
- U.S. District Court, District of Minnesota, 2006
- Eighth Circuit Court of Appeals, 2007
- Minnesota Super Lawyers, Rising Star, 2012-2017
- Minnesota Lawyer, Attorney of the Year, 2015
- Minnesota State Bar Association, North Star Lawyer, 2013-2015
- Minnesota Law Review, Managing Editor 2003-2004; staff member 2002-2003
- Alpha Lambda Delta Honor Society, Member
- Volunteer Lawyers Network, Board Member and Housing Clinic Volunteer
- Federal Bar Association
- Minnesota State Bar Association
- HandsOn Twin Cities, Board Member 2009-2012; Treasurer 2011-2012
- Legal Assistance to Disadvantaged, former Committee Member
- Dedicated more than 50 hours to pro bono matters in each of the past 6 years