The European Union’s sweeping privacy law, the General Data Protection Regulation, prohibits transfers of personal data to the United States unless the company transferring the data has provided legally-appropriate safeguards. One mechanism that many companies—over 5,000 in total—have relied upon to safeguard such transfers is the EU-U.S. Privacy Shield framework. That safeguard is no longer valid.
Data Protection & Cybersecurity
Are data protection, privacy and cybersecurity issues keeping you up at night? Regardless of your industry, let us help you by assessing risk, recommending preventative measures and helping if trouble appears.
What We Do
Fredrikson & Byron’s Data Protection & Cybersecurity Group partners with all manner of corporate clients—from emerging growth companies to large financial and healthcare institutions—to address and resolve issues relating to the ever-changing online environment including:
- Cybersecurity and Privacy Assessments, Counseling, and Compliance Programs
- Vendor Contracting and Management
- Data Breach Planning and Response
- Privacy Litigation and Regulatory Investigations
- Cybersecurity and Privacy Diligence for Mergers and Acquisitions
As the headlines demonstrate, companies face unprecedented challenges in protecting sensitive information and minimizing cybersecurity risks. Utilizing an experienced team of litigation, health care, financial services, transactional, employment and internet technology attorneys, the Data Protection & Cybersecurity Group is uniquely poised to help clients meet and overcome these challenges.
Fredrikson attorneys have deep experience across a broad range of industries, acquired through our work on compliance and litigation matters for organizations ranging from large public entities to emerging growth companies. Our attorneys provide practical and strategic advice to help our clients mitigate risk, manage security breaches and handle litigation and matters before key agencies and courts. Our experience includes:
Financial Services, banking and credit cards
- Confidentiality requirements for former investment advisors;
- Customer information sharing requirements among affiliates and non-affiliates;
- Document destruction requirements and policies;
- Foreign outsourcing requirements;
- Industry standard privacy practices;
- Information Security policy and procedure audits;
- Joint marketing program requirements;
- Ownership of financial client files;
- Payment Card Industry Data Security Standards;
- Prescreened customer marketing requirements;
- Privacy notice requirements including delivery and amendment related rules;
- Responses to regulatory subpoenas and other inquiries;
- Spousal financial privacy obligations;
- State banking and insurance customer financial privacy requirements;
- Vendor management and related contractual provisions.
Collecting and protecting consumer data
- Drafting privacy policies for websites, apps, and internal policies and procedures;
- Advising on privacy notice requirements;
- Facilitating cross border transfer of personal data;
- Developing COPPA (Children’s Online Privacy and Protection Act) policies and practices for online sales directed to children;
- Coordinating risk mitigation involving internet and computer insurance issues for data losses.
Data protection issues in information technology
- Developing diligence questionnaires to assess the capabilities of vendors who handle personal data and competitively sensitive information;
- Developing standard contractual provisions addressing privacy and security of data for vendors handling personal data and competitively sensitive information;
- Negotiating contractual protections for customers purchasing services from vendors handling personal data or proprietary information;
- Addressing data rights in ‘Big Data’ created through shared and aggregated databases.
Data breach and breach response
- Developing cybersecurity incident response plans and breach notification practices;
- Drafting and auditing cybersecurity policies;
- Advising on Federal and State cyber breach notification requirements;
- Negotiating regulatory enforcement actions following an information security breach;
- Advising on responding to regulatory subpoenas and other information requests following an information security breach.
Employment and trade secrets
- Creating policies and procedures to address BYOD (bring your own device) and the privacy issues associated with BYOD;
- Creating policies and procedures for managing sensitive HR data, including benefits data;
- Litigating and advising on employee disputes involving theft of company information and trade secrets;
- Advising on employee disputes involving monitoring of employee activity and privacy implications of that monitoring activity;
- Developing social media, confidentiality, code of conduct and appropriate use policies;
- Creating strategies for managing movement of employee data across borders;
- Advising clients on identifying, marking, and protecting trade secret information, including data protected by privacy statutes;
- Litigating claims related to employee data theft, including data protected by privacy statutes.
- Handling diligence requests to avoid inadvertent disclosures of protected personal data;
- Conducting diligence on privacy and security practices, including cloud-based vendor diligence, to assess risk;
- Drafting and negotiating key protections in transactional documents to limit exposure on past ‘bad acts’;
- Providing advice to integrate acquired protected data into existing systems.
Third party claims, investigations and litigation including:
- Litigating claims related to electronic fraud;
- Negotiating with third parties regarding reimbursement of unauthorized payments.
Data Loss Litigation
- Enforcing vendor and indemnification agreements in the wake of security breaches;
- Litigating allegations of inadequate cybersecurity and data protection measures;
- Litigating breaches of privacy policies;
- Litigating claims related to alleged failure to ensure reasonable and appropriate protection of consumer information or protected health information.
HIPAA, Medical and Health Information
We have worked with dozens of healthcare clients (and their business associates) to develop their internal policies and procedures to try to head off potential privacy problems before they start. We have worked with clients on privacy breaches large and small, including responses to HIPAA breaches and responses to investigations by the Office for Civil Rights and state Attorneys General related to disclosures or losses of protected health information.
We have worked to shepherd clients through investigations and/or criminal enforcement actions brought by the Department of Justice for alleged violations of criminal privacy protection laws including the Computer Fraud & Abuse Act, the Stored Communications Act, the Wiretap Act, the Foreign Intelligence Surveillance Act, and the Economic Espionage Act.
News & Articles
June 5, 2020
Do I need to worry about employee privacy if I implement health screenings, contact tracing or similar protective measures when my employees return to work?
May 20, 2020
What should companies do to mitigate the security risks of a remote workforce?
July 3, 2018
On June 28, California enacted a sweeping new privacy law that will have significant implications for companies across the country.
March 9, 2018
On February 21, the SEC adopted new interpretive guidance (the Guidance) to assist public companies in preparing disclosures about cybersecurity risks and incidents.
July 17, 2017
New cybersecurity regulations impacting broker-dealers and investment advisers in Colorado went into effect over the weekend.
May 10, 2017
With cyber intrusions becoming more common and sophisticated, the New York State Department of Financial Services has implemented a new regulation to combat these ever-increasing dangers.
May 9, 2017
By Ann M. Ladd
The Federal Trade Commission has created a new online resource designed to give small businesses practical guidance on avoiding cyber risks and online scams.
February 3, 2017
By Ann M. Ladd
Like it or not, ransomware is happening, and will continue to happen with increasing frequency. In fact, a recent survey indicates that 93 percent of phishing emails contain ransomware.
Top Trends in Data Protection and Cybersecurity in 2017: Third Party Vendors Will Cause Data Security Incidents
January 14, 2017
By Ann M. Ladd
Do you give vendors access to your networks and systems? Use a third party to host your website, records, or an app? Use cloud-based services to store or process personal or confidential information? If so, a third party likely has access to personal data about your customers, employees, or other valuable company information. Moreover, they may have sent your information further downstream to their own service providers. Using state of the art cybersecurity controls in your IT systems will not minimize your risks of a data breach if you don’t also consider protections for your data in the hands of third parties. Do you know where your data is right now?
Top Trends in Data Protection and Cybersecurity in 2017: Boards Will Continue to Put Cybersecurity On the Top of Their Agenda
January 13, 2017
By Ann M. Ladd
Given the increasing frequency of cybersecurity incidents, and the growing impact of those incidents on business operations, reputation and assets, a board of directors’ oversight activities should include ensuring the adequacy of a company’s cybersecurity measures. The issues are complicated, and there are no simple solutions. But there are things Boards and management can do to begin to quantify and mitigate the risks.
December 5, 2016
On November 7, 2016, China’s Standing Committee of the National People’s Congress adopted the Cybersecurity Law of the People’s Republic of China (Cybersecurity Law). The Cybersecurity Law will take effect on June 1, 2017.
April 18, 2016
On Tuesday, May 17, 2016, participants learned best practices for responding to a loss of sensitive company information, whether caused by a data breach or a thieving employee.
October 8, 2015
The Court of Justice of the European Union effectively invalidated the E.U. – U.S. “Safe Harbor” program in a decision released on Tuesday.
March 10, 2015
It’s an unfortunate fact of modern life—hacks happen. And they will continue to happen. For companies, the risks cybersecurity incidents pose to both business and brand cannot be underestimated. Given the sharp increase in such incidents during 2014—up at least 50 percent, with some experts estimating as many as 42.8 million incidents—there is a growing expectation that companies have the right tools in place to respond effectively.
- “Targeting the C-Suite: Business Email Compromises – Prevent, Identification, and Response,” 2020 Midwest Legal Conference on Privacy & Data Security, Sten-Erik Hoidal (presenter), February 14, 2020
- “Cybersecurity Due Diligence in M&A,” DealLawyers.com Webcast, Sten-Erik Hoidal (presenter), January 23, 2020
- “Privacy and Security in Cross-Border Investigations,” Fredrikson & Byron’s Cross-Border Investigations Seminar, Sten-Erik Hoidal (panelist), November 12, 2019
- “Mergers and Acquisition Trends: What You Need to Know about Privacy & Security,” Association of Corporate Counsel, Iowa Chapter, Sten-Erik Hoidal (presenter), May 31, 2019
- “GDPR, CCPA, and the Coming Wave of Privacy Regulations: Risk or Opportunity?,” Minnesota High Tech Association Annual Spring Conference, Sten-Erik Hoidal (presenter), May 9, 2019
- “The Rise of Privacy: Oversight, Compliance and Management,” Fredrikson & Byron program co-hosted with Baker Tilly, Sten-Erik Hoidal (presenter), March 8, 2019
- “Legal Leaders’ Perspectives on Privacy and Data Security,” 2019 Midwest Legal Conference on Privacy & Data Security, Steven Helland (presenter), January 31, 2019
- “The Rising Tide of Individual Privacy Rights: What Does It Mean for Minnesota Businesses?,” Association of Corporate Counsel Minnesota Lunch & Learn, Sten-Erik Hoidal (presenter), January 17, 2019
- “Focus on Privacy and Data Security within a Healthcare Transaction,” Health Law Practicum, Sten-Erik Hoidal and Briar Andresen (co-presenters), December 10, 2018
- “What’s Trending in the World of Advertising Law?,” Fredrikson & Byron program co-hosted with Ad Fed, Sten-Erik Hoidal (presenter), September 13, 2018
- “Hot Topics: What You Need to Know Now – GDPR,” Fredrikson & Byron program co-hosted with Ad Fed, Sten-Erik Hoidal (presenter), September 13, 2018
- “M&A Transactions: Due Diligence, Reps and Warranties Related to Data Privacy and Cyber Security,” Minnesota CLE, Sten-Erik Hoidal (presenter), September 7, 2018
- “Latest Privacy Laws Provide Expanded Protections,” Sten-Erik Hoidal and Karla Reyerson (co-authors), FredNEWS: Bank & Finance, September 2018
- “California Passes Groundbreaking New Privacy Law,” Sten-Erik Hoidal (author), FredNEWS: Data Protection & Cybersecurity, July 2018
- “Don’t be Caught Off Guard: Strategies to Manage Risk for Investment Advisors,” Fredrikson & Byron program co-hosted with Charles Schwab and BMO Global Asset Management, Sten-Erik Hoidal (moderator), June 26, 2018
- “Data as Asset, Key Issues Driving the M&A Market,” Fredrikson & Byron Seminar, Sten-Erik Hoidal (panelist), June 19, 2018
- “New SEC Guidance on Cybersecurity Disclosures,” Strafford Webinar, Sten-Erik Hoidal (presenter), June 12, 2018
- “M&A Transactions: Due Diligence, Reps and Warranties Related to Data Privacy and Cybersecurity,” 2018 Midwest Legal Conference on Privacy and Data Security, Sten-Erik Hoidal and Asmah Tareen (co-presenters), January 26, 2018
- “Data Security Series: Developing and Implementing a Data Breach Response Plan – Best Practices to Minimize the Impact of a Breach,” Minnesota CLE, Sten-Erik Hoidal (speaker), October 17, 2017
- “Cybersecurity Risk Management – What Boards Need to Know,” Society for Corporate Governance, Twin Cities Chapter Meeting, Sten-Erik Hoidal (moderator), October 5, 2017
- “There has been a Material Adverse Change – What Happens Now? (How to deal with cyber security or data breach during a transaction),” Transaction Advisor’s Chicago M&A Conference, Ann Ladd (presenter), September 14, 2017
- “The Three Most Overlooked Cybersecurity Risks: Human Factors, Information Control and Third-Party Vendors,” Association of Corporate Counsel Minnesota Lunch & Learn, Sten-Erik Hoidal (co-presenter), September 12, 2017
- “Cyber Liability: What the Board Needs to Know,” Minnesota High Tech Association Spring Conference, Sten-Erik Hoidal (co-presenter), May 9, 2017
- “Strategies to Manage Cybersecurity Risks for the Financial Industry,” Fredrikson & Byron and Charles Schwab Cybersecurity Program, Surly Brewing, Sten-Erik Hoidal, Ann Ladd, Terrence Fleming and Sandra Smalley-Fleming (co-presenters), February 1, 2017
- “Avoiding an Incident Response Hangover: Data Breaches and Departing Employees,” Cybersecurity and Trade Secrets Group Event, Surly Brewing, Sten-Erik Hoidal (co-presenter), May 17, 2016
- “Data Security: Is Your Data Safe,” Association for Corporate Growth – Minnesota Chapter, Monthly Luncheon and Panel Discussion, Beau Hurtig (panelist), October 20, 2015
- “Privacy and Security Risks in Vendor and Supply Chain Contracts,” Midwest Privacy & Data Security Conference, Minnesota Bar Association, Steven Helland (presenter), January 14, 2016
- “Insider Threats: Identifying and Deterring Company Information Theft,” Fredrikson & Byron’s 31st Annual Employment & Labor Law Seminar, Sten-Erik Hoidal (presenter), November 6, 2015
- “Protecting Your Company From A Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact,” Iowa Association of Corporate Counsel, Corporate Counsel Forum, Sten-Erik Hoidal and Ann Ladd (co-presenters), October 30, 2015
- “Developing and Implementing a Data Breach Response Plan: Best Practices to Minimize the Impact of a Breach,” Minnesota CLE, Data Breach Preparedness and Response Seminar, Sten-Erik Hoidal (presenter), October 2, 2015
- “Lessons Learned from Recent HIPAA and Big Data Breaches,” Fredrikson & Byron Health Law Webinar, Briar Andresen, Katherine Ilten and Ann Ladd (co-presenters), August 12, 2015
- “Computer Crime: How Are We Vulnerable?,” Lockton, Sten-Erik Hoidal (presenter), May 1, 2015
- “Insulate Your Company from a Cyber Breach – Proactive Steps to Minimize Breach Risks & Impact,” Association of Corporate Counsel – Minnesota Chapter, Ann Ladd and Sten-Erik Hoidal (co-presenters), February 19, 2015
- “Legal Guide to Privacy and Data Security,” Minnesota State Bar Association CLE, Legal Guide to Privacy and Data Security, Steven Helland (presenter), August 18, 2014
- “Data Privacy & Security, Legal and Financial Implications,” Trust Executive Round Table, Steven Helland and Teresa Thompson (co-presenters), June 26, 2014
- “Fredrikson & Byron HIPAA Training: Direct Training Session for Health Care Staff,” Fredrikson & Byron Health Law Webinar, Briar Andresen and Katherine Ilten (co-presenters), September 11, 2013
- “Countdown to HIPAA Enforcement Date: Checklist of Last Steps for Complying with New HIPAA Regulations,” Fredrikson & Byron Health Law Webinar, Briar Andresen and Katherine Ilten (co-presenters), July 10, 2013
- “Data & Health: The New and Necessary Frontier,” The Collaborative’s Tech.2013: Data, the Cloud, Commerce, Social, Platforms, Niche Tech, Enterprise & Health, Ann Ladd (presenter), May 2, 2013
- “Data Privacy & Security: A View from the Board Room and C-Suite,” Data Privacy and Security for In-House Counsel, Steven Helland (presenter), March 21, 2013
- “Data Privacy & Security in M&A Transactions,” Data Privacy and Security for In-House Counsel, Ann Ladd (presenter), March 21, 2013
- “Revenge of HIPAA: What You Need to Know About the New HIPAA Regulatory Scene,” Fredrikson & Byron Health Law Webinar, Briar Andresen and Katherine Ilten (co-presenters), February 13, 2013
- “Business Associates,” 2010 Twin Cities Privacy Professionals Retreat, Ann Ladd (presenter), February 26, 2010
- “Data Privacy for Small Business,” Data Privacy & Security Conference, Minnesota Better Business Bureau, Ann Ladd (presenter), September 2009