2025 MIDWEST LEGAL CONFERENCE ON DATA PRIVACY & CYBERSECURITY
Institute
ITEM #:  1049222501   |   EVENT CODE:  520725
MEMBER PRICE
$495.00
STANDARD PRICE
$595.00
MSBA MEMBER, NEW LAWYER, AND OTHER DISCOUNTS, IF APPLICABLE, WILL BE APPLIED DURING CHECKOUT.

MINNEAPOLIS

Thursday, February 6, 2025 - Friday, February 7, 2025

9:00 AM - 4:30 PM   |   Check-In:  8:30 AM

Minnesota CLE Conference Center

600 Nicollet Mall # 370

3rd Floor, City Center

Minneapolis, MN 55402


2025 Midwest Legal Conference on Data Privacy & Cybersecurity

New Developments, Practical Guidance, Expert Insights – In a Fun Event Atmosphere!

The 2025 Midwest Legal Conference on Data Privacy and Cybersecurity Will Feature – 

  • A Powerhouse Faculty Lineup with Diverse Practice Perspectives
  • Up-to-the-Minute, New Content
  • New Developments, Summarized and Applied
  • Practical Tips and Strategies to Get Better Results
  • Customizable Schedule So You Get What You Need
  • A Fun Time to Catch Up with Colleagues and Friends
  • 14 Total CLE Credits (11 at the Conference and 3 for Bonus Post-Conference Webcasts)
  • And Much More!


Today’s data privacy and cybersecurity landscape is immensely interesting – and incredibly challenging – due to the pace of technological advancements and the demand to identify and mitigate risks in a rapidly evolving legal landscape. The comprehensive, practical content of the 2025 Midwest Legal Conference on Data Privacy and Cybersecurity is the trusted, convenient way to get the real-world, real-time guidance you need. It’s also a highly efficient and one-of-a-kind chance to compare your practices with what the team of Institute faculty members are advising their clients!


Why This Conference Is Right for You – 

  • Perhaps you’re a data privacy and cybersecurity law expert. 
  • Maybe you’re looking to become one. 
  • Or, perhaps your role requires the ability to pinpoint these challenges and seek external guidance when needed.

Whichever category you fit, it’s critical that you stay current in this fast-paced practice area. At the Midwest Legal Conference on Data Privacy and Cybersecurity, you choose from an array of breakout session topics to create a meaningful, custom experience. Because of its flexibility, this Conference is a go-to resource for timely, topical education for experts and non-experts alike.

Day 1 –  Thursday, February 6, 2025


8:30 – 9:00 a.m.
CHECK-IN & CONTINENTAL BREAKFAST


9:00 – 9:05 a.m.
WELCOME & ANNOUNCEMENTS


9:05 – 9:35 a.m.
2025 Federal Privacy Law Update
Get up to speed on the latest developments in federal privacy law with this annual update. Topics include proposed comprehensive privacy legislation; current FTC enforcement trends; and FTC and FCC rulemaking under the FTC Act, CAN-SPAM, TCPA, and other key industry-agnostic frameworks. Gain insights into how the transition to a new presidential administration could shape rulemaking priorities and enforcement strategies.
– Megan A. Bowman


9:35 – 10:20 a.m.
The New Wave of U.S. State Privacy Laws – Key Themes and Differences
Hear from a senior in-house counsel and a seasoned privacy consultant on new state privacy laws. They’ll explore common themes like expanded consumer data rights (access, deletion, correction, portability) and heightened transparency requirements. Maggie and Joe also will highlight key differences across state laws and provide practical strategies for navigating compliance, equipping attendees to advise on state-specific mandates and anticipate future privacy trends.
– Joe Cuffel & Maggie Lassack


10:20 – 10:30 a.m.
BREAK


10:30 – 11:15 a.m.
Cybersecurity Update – The Current Threat Landscape and Key U.S. Cybersecurity Legal Developments
An expert look at today’s cybersecurity landscape. In addition to insights on the current risks such as recent ransomware trends, topics will include the latest federal and state developments shaping cybersecurity law in the United States. The session will highlight significant enforcement actions, such as the FTC’s settlements with Marriott and Blackbaud over alleged data security failures and the HHS’s actions against health care providers for HIPAA violations following ransomware attacks. The discussion also will identify recent regulatory initiatives like the SEC’s guidance on Form 8-K cyber reporting and state cybersecurity regulations that are being replicated across jurisdictions and industry sectors. Additionally, Lisa will highlight states’ new and amended cybersecurity laws including provisions for breach notification.
– Lisa Sotto


11:15 a.m. – 12:00 p.m.
The New Minnesota Consumer Data Privacy Act – Compliance Essentials
Gain valuable insights into the new Minnesota Consumer Data Privacy Act from attorney Nadeem Schwen, who was consulted throughout the multi-year legislative process. This session explores the law’s key provisions, including traditional privacy rights like data access and deletion, as well as its unique approach to automated decision-making, location data, mandatory privacy assessments, and enforcement priorities. Learn practical compliance essentials and discuss potential amendments to this groundbreaking legislation.
– Nadeem W. Schwen


12:00 – 1:00 p.m.
LUNCH BREAK (on attendees’ own)


1:00 – 2:00 p.m.
BREAKOUT SESSION A

001
Website AdTech Compliance – Mitigating Legal Risks in Modern Marketing Practices

In the rapidly evolving landscape of advertising technology (AdTech), companies must navigate new laws and the novel application of existing statutes to emerging technologies. Get concrete, practical guidance for mitigating legal risks associated with modern marketing practices such as use of cookies, pixels, session replay, chats, and artificial intelligence.
– Katherine E. Graf, Justin Kay & Andrew Taylor

002
New State Privacy Laws – A Deeper Dive

Building on the plenary session, this in-depth breakout further explores the new state privacy laws. Dive deeper into the commonalities and variations among states, and gain additional helpful insights into compliance in this complex and rapidly changing area.
– Joe Cuffel, Maggie Lassack & Abigail Stark

003
Data Mapping – Why and How to Build a Comprehensive Roadmap of the Personal Data Your Client Holds

To comply with data privacy regulations, organizations must have a clear understanding of the personal data they hold, its source, how it is processed, where it is stored or transferred, who it is shared with and for what purpose, and for how long it is retained. This session will focus on practical approaches for creating and maintaining accurate data maps, understanding the types of data being collected, and ensuring that critical data is properly secured and easily accessible for audits or regulatory inquiries.
– Brad Hammer


2:00 – 2:15 p.m.
BREAK


2:15 – 3:15 p.m.
BREAKOUT SESSION B

101
Safeguarding Minors Online and on Mobile Apps – Evolving Privacy Laws to Protect Teens and Pre-Teens

As online platforms and mobile apps continue to engage users of all ages, legal requirements around data privacy and the need for age-appropriate experiences for minors are evolving rapidly. This session will provide an in-depth, practical look at the laws governing the collection and use of minors’ data, including compliance with COPPA (Children’s Online Privacy Protection Act). This session also will provide an overview of expansions in some states’ laws that extend privacy protections to teenagers, not just pre-teen users. Practical approaches to compliance will be covered.
– Melissa J. Krasnow & Denise Tayloe

102
Today’s Cyber Liability Insurance Standards and Carve-Outs, Including AI Implications

This session will provide insights from an in-house attorney, a risk advisor as to assessment of cyber liability insurance, and an outside legal counsel on key trends in policy terms and what constitutes a carve-out. Additionally, the session will examine how recent systemic data breaches have impacted the negotiations for coverage. The panel will also discuss how the industry anticipates AI-related risks to affect coverage, with a focus on emerging challenges and best practices for addressing these complexities. Attendees will gain practical strategies for aligning cyber insurance with organizational needs in today’s risk environment.
– Katheryn A. Andresen, Leigh DeBiasse & Daniel Hanson

103
Vendor Contracts – Negotiating Key Provisions Regarding Data Privacy

Repeated at #403
Vendor agreements play a crucial role in protecting data. Agreements with parties that handle personal data are also increasingly covered by data privacy laws such as the CCPA/CPRA that mandate agreements with certain service providers, contractors, and other third parties. This session will provide a deep dive into what is required to assure compliance with various data privacy laws including contract provisions that are necessary to safeguard personal data. Participants will learn how to draft and negotiate reasonable agreements that limit liability and ensure compliance with data privacy laws.
– Michael R. Cohen


3:15 – 3:30 p.m.
BREAK


3:30 – 4:30 p.m.
BREAKOUT SESSION C

201
Avoiding Death by a Thousand Cuts – Taking the Privacy by Design Approach

With hundreds of laws and regulations on the books and thousands of individual requirements, taking a compliance approach to privacy does not scale for businesses and can quickly overwhelm a small privacy team. Privacy by design offers a holistic approach, in which privacy considerations are built into the business operations in a way that helps companies address the vast majority of privacy regulations with steady, consistent effort. In this session you’ll learn: (1) how to identify privacy risks that cut across regulation; (2) how to mitigate those risks through technical and process controls; and (3) how to integrate privacy into the business.
– Kerry L. Childe & R. Jason Cronk

202
AI Data Stewardship Framework – How Stakeholders Can Use This Critical Tool

The AI Data Stewardship Framework (AI-DSF) sets standards for generating, supplying, protecting, and using high-quality data for training algorithms. It serves multiple stakeholders, such as data brokers, consumers, AI developers, regulators, and lawmakers. The AI-DSF is a key resource for enterprise AI applications, as well. Join Eran Kahana for practical insights into AI-DSF’s three-part control structure for organizations.
– Eran Kahana

203
Cross-Border Data Transfer Primer – Deciphering the Alphabet Soup of SCCs, DPAs, BCRs, and More!

This session provides a clear, practical introduction – or refresher – to key data transfer tools and terms, including standard contractual clauses (SCCs), data processing agreements (DPAs), binding corporate rules (BCRs), and more. We’ll go beyond a mere recitation of definitions, with the presenters breaking down each term in plain English – cutting through the jargon to explain what these concepts really mean, why they matter, and when and how to use them.
– Kellie Johnson & Jodie Nielsen


4:30 – 6:00 p.m.
RECEPTION AT THE CAPITAL GRILLE
Reception courtesy of Lathrop GPM
Food, Fun and a Chance to Win Prizes!
Thursday’s reception will take place nearby at The Capital Grille. Register for a chance to win a fun prize! The prize drawing will take place at the reception on Thursday, February 6, and you must be present at the reception during the prize drawing to win. Any person may receive and submit an entry form on Thursday, February 6, at the conference registration desk until the reception begins at 4:30 p.m. Registration for the 2025 Midwest Legal Conference on Data Privacy and Cybersecurity is not required. The following individuals are not eligible to win: employees of Minnesota CLE and the Minnesota State Bar Association, as well as family members of those employees.



Day 2 –  Friday, February 7, 2025


8:30 – 9:00 a.m.
CONTINENTAL BREAKFAST


9:00 – 9:05 a.m.
WELCOME & ANNOUNCEMENTS


9:05 – 9:50 a.m.
Lions and Tigers and Bears, oh my! Legal Risks in Cybersecurity Investigations
Companies experiencing global ransomware and cyberattacks need to grapple with three categories of legal risks: 1. lions (mandatory incident notification obligations), 2. tigers (legal restrictions on data collection, use, and transfer), and 3. bears (potential conflicts of law for disclosures to authorities). Seasoned external counsel with 25 years of experience offers practical guidance on identifying these risks, updating incident response procedures, and strengthening privacy and cybersecurity programs to address global legal challenges.
– Brian L. Hengesbaugh


9:50 – 10:00 a.m.
BREAK


10:00 – 11:00 a.m.
Artificial Intelligence – A Holistic Approach to Managing Interconnected Risks
AI’s widespread adoption – at organizational, third-party, and individual-employee levels – requires an integrated approach to legal issue-spotting and advice-giving regardless of practice area. Gain practical strategies for navigating this interconnected landscape with real-world examples and insights, with particular focus on intersections with data privacy, cybersecurity, and information governance considerations.
– Elaine De Franco Olson & Elimu Kajunju
– Paul H. Luehr (moderator)


11:00 – 11:10 a.m.
BREAK


11:10 – 11:40 a.m.
Inside the California Privacy Protection Agency – Enforcement Priorities and Processes
With insights from a member of the California Privacy Protection Agency’s Enforcement Division, you’ll hear about the Agency’s top priorities, current enforcement trends, and how the complaints process operates.
– Celine Guillou (appearing remotely) & Chiara Portner


11:40 a.m. – 12:45 p.m.
LUNCH BREAK (on attendees’ own)


12:45 – 1:45 p.m.
BREAKOUT SESSION D

301
Beyond GDPR: EU Data Privacy and Security Developments – Practical Steps for Compliance

The EU continues to lead the way in shaping the global landscape of data regulations, setting ambitious standards influencing privacy, cybersecurity, and digital innovation worldwide. This session covers developments such as the EU AI Act, Data Act, NIS2 Directive, Cyber Resilience Act, Digital Services Act, and Digital Markets Act. Key session takeaways: (1) distillation of the elements of these laws and whether GDPR efforts can be used for future compliance; (2) clear guidance on scope, impact, and coverage; and (3) practical steps for updating policies, systems, processes, and strategies.
– Brad Hammer

302
California Data Privacy Law: Important New Legislative and Enforcement Developments

Building on the plenary session, this in-depth breakout further explores what’s new in California data privacy requirements, including recently enacted laws related to artificial intelligence. Explore the requirements of these new laws, effective dates, what the governor vetoed, and what all of this means for covered entities, legal compliance, and enforcement moving forward.
– Tedrick A. Housh & Chiara Portner

303
Mitigating Cybersecurity Risk Across the Supply Chain – A Proactive Approach

Cybersecurity risks can emerge from any link in a company’s supply chain, making it vital to assess and mitigate potential vulnerabilities. This session will cover strategies for identifying risks related to third-party, fourth-party, and beyond vendors and suppliers, conducting effective risk assessments, and implementing best practices to ensure that external partners maintain strong cybersecurity practices. Attendees will learn the latest regulator expectations on third-party risk management and how to work across departments to create comprehensive risk management strategies that address both direct and indirect cybersecurity threats.
– Dan Ongaro


1:45 – 2:00 p.m.
BREAK


2:00 – 3:00 p.m.
BREAKOUT SESSION E

401
Guarding Sensitive Data – Managing Legal Risks in Data Transfers to or from China, Russia, and Other Foreign Jurisdictions

With rising restrictions on data transfers to or from certain foreign jurisdictions such as China, Russia, and Venezuela, this session provides practical strategies for assessing the legality of such cross-border transfers and mitigating compliance risks. Explore key provisions of the new Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA) and 2024’s Executive Order 14117, which limit sensitive data transfers to countries of concern. Additionally, this session will examine how China’s Personal Information Protection Law (PIPL) and other data privacy related rules impact assessment of data transfers.
– Ray Liu (appearing remotely) & Dave Townsend

402
Inherited Data Risks – Post-Closing Remediation Strategies for Buyers in M&A Transactions

In mergers and acquisitions, buyers often inherit the seller’s data privacy and security risks, leading to potential liabilities that can undermine the deal’s value. This practical session helps data privacy and security lawyers navigate these challenges post-closing. Participants will gain actionable insights into developing effective remediation strategies. Through case studies, this session will concretely apply the how-to’s to real-world post-closing remediation so that attendees will leave better equipped to protect their organizations and clients from the pitfalls of inherited data liabilities.
– Sten-Erik Hoidal

403
Vendor Contracts – Negotiating Key Provisions Regarding Data Privacy

Repeat of #103
Vendor agreements play a crucial role in protecting data. Agreements with parties that handle personal data are also increasingly covered by data privacy laws such as the CCPA/CPRA that mandate agreements with certain service providers, contractors, and other third parties. This session will provide a deep dive into what is required to assure compliance with various data privacy laws including contract provisions that are necessary to safeguard personal data. Participants will learn how to draft and negotiate reasonable agreements that limit liability and ensure compliance with data privacy laws.
– Michael R. Cohen


3:00 – 3:15 p.m.
BREAK


3:15 – 4:15 p.m.
Supporting Lawyer Well-Being in the High-Stakes World of Data Privacy and Cybersecurity Law
1.0 mental health/substance use credit applied for
Legal professionals in data privacy and cybersecurity face unique stressors, including the relentless pace of technological advancements, high-stakes decision-making, and the constant pressure to manage and mitigate risks in a rapidly evolving legal landscape. There is a clearly recognized continuum where unresolved chronic stress becomes a predictor for substance use problems and mental illness, particularly depression and anxiety. By understanding this continuum, the impact of our exposure to trauma, and the facts about addiction and mental illness, data privacy and cybersecurity lawyers can reduce their risk and, hopefully, get help earlier when there is a mental health, substance use, or related problem. By knowing these risks, we can also support each other. This program will present signs, symptoms, risk factors, and recovery regarding these challenges, along with well-being tools. The presenter will also provide information on Lawyers Concerned for Lawyers and other resources.
– Joan Bibelhausen




Free Bonus Webcasts in March

Attendees of the 2025 Midwest Legal Conference on Data Privacy & Cybersecurity may view the following webcasts for FREE after the conference! Instructions on how to register for free will be provided to in-person attendees at the conference and online replay viewers by email after the replay.


Friday, March 21, 2025
9:00 – 10:00 a.m. (CDT)
Ethics 3.0 – Attorney Responsibility in the Age of Generative AI
1.0 ethics CLE / IAPP CPE credit applied for
Complying with legal ethics obligations in the age of generative AI requires more than safeguarding client confidentiality, verifying AI-generated content, and communicating in permissible ways. Lawyer use of generative AI must align with these legal ethics rules, but remaining competent under those rules also requires staying informed about and compliant with the broader duty to stay abreast of current technology and to comply with applicable data privacy and security regulations, FTC endorsement guidelines, truth-in-advertising standards, and more. In this webcast, Jon M. Garon – a nationally recognized expert in technology law and information privacy – offers practical insights on how to meet your professional responsibilities in this rapidly evolving landscape.
– Jon M. Garon


Friday, March 21, 2025
12:00 – 1:00 p.m. (CDT)
Understanding Privacy and Data Security Laws and Requirements in Agreements
1.0 standard CLE / IAPP CPE credit applied for
You will learn about: Analyzing and responding to privacy and data security addenda and letter agreements from others; Recent developments involving agreements, including the California Privacy Rights Act and Minnesota Consumer Data Privacy Act; Interaction of privacy, data security and incident and breach notification provisions with other commercial agreement provisions; How to avoid potential pitfalls; and Resources and tools for managing privacy and data security laws and requirements in agreements.
– Melissa J. Krasnow


Wednesday, March 26, 2025
12:00 – 1:00 p.m. (CDT)
2025 Data Privacy and Cybersecurity Litigation Update
1.0 standard CLE / IAPP CPE credit applied for
Experienced litigators – one plaintiff side and one defense – share their insights on significant privacy and data breach litigation developments from the past year. Learn about major federal and state court decisions, high-profile settlements, and critical trends that are shaping the legal landscape for privacy professionals.
– Joe Hashmall & Jeff Justman

LIVE IN-PERSON
Thursday & Friday, February 6-7, 2025
Minnesota CLE Conference Center
600 Nicollet Mall, Suite 370
Seventh Street & Nicollet Mall, Third Floor City Center
Minneapolis, Minnesota

ONLINE REPLAY
Monday & Tuesday, March 3-4, 2025
Attend online
Online replay includes all plenary and breakout sessions. A moderator will be available to answer questions by email.

$495 MSBA members / $495 paralegals / $595 standard rate

Other discounts that may apply:

Scholarships available!
Need-based scholarships are available for in-person and online seminars. For further information or to obtain a scholarship application, contact us at 800-759-8840 or customerservice@minncle.org.

CREDITS – CONFERENCE:
Minnesota CLE is applying to the Minnesota State Board of CLE for 11.0 CLE credits, including 1.0 mental health/substance use credit for the concluding plenary. The maximum number of total CLE credits attendees may claim for this program is 11.0 credits.

The IAPP has approved this conference for 10.0 CPE credits.


CREDITS – FREE POST-CONFERENCE WEBCASTS:

  • For the Ethics 3.0 webcast, Minnesota CLE is applying to the Minnesota State Board of CLE for 1.0 ethics credit.
  • For the Understanding Privacy and Data Security Laws and Requirements in Agreements webcast and the 2025 Data Privacy and Cybersecurity Litigation Update webcast, Minnesota CLE is applying for 1.0 standard CLE credit each.
  • Minnesota CLE also is applying to the IAPP for CPE eligibility for all three webcasts.