MINNEAPOLIS
Thursday, February 6, 2025 - Friday, February 7, 2025
9:00 AM - 4:30 PM | Check-In: 8:30 AM
Minnesota CLE Conference Center
600 Nicollet Mall # 370
3rd Floor, City Center
Minneapolis, MN 55402
The 2025 Midwest Legal Conference on Data Privacy and Cybersecurity Will Feature –
Today’s data privacy and cybersecurity landscape is immensely interesting – and incredibly challenging – due to the pace of technological advancements and the demand to identify and mitigate risks in a rapidly evolving legal landscape. The comprehensive, practical content of the 2025 Midwest Legal Conference on Data Privacy and Cybersecurity is the trusted, convenient way to get the real-world, real-time guidance you need. It’s also a highly efficient and one-of-a-kind chance to compare your practices with what the team of Institute faculty members are advising their clients!
Why This Conference Is Right for You –
Whichever category you fit, it’s critical that you stay current in this fast-paced practice area. At the Midwest Legal Conference on Data Privacy and Cybersecurity, you choose from an array of breakout session topics to create a meaningful, custom experience. Because of its flexibility, this Conference is a go-to resource for timely, topical education for experts and non-experts alike.
8:30 – 9:00 a.m.
CHECK-IN & CONTINENTAL BREAKFAST
9:00 – 9:05 a.m.
WELCOME & ANNOUNCEMENTS
9:05 – 9:35 a.m.
2025 Federal Privacy Law Update
Get up to speed on the latest developments in federal privacy law with this annual update. Topics include proposed comprehensive privacy legislation; current FTC enforcement trends; and FTC and FCC rulemaking under the FTC Act, CAN-SPAM, TCPA, and other key industry-agnostic frameworks. Gain insights into how the transition to a new presidential administration could shape rulemaking priorities and enforcement strategies.
– Megan A. Bowman
9:35 – 10:20 a.m.
The New Wave of U.S. State Privacy Laws – Key Themes and Differences
Hear from a senior in-house counsel and a seasoned privacy consultant on new state privacy laws. They’ll explore common themes like expanded consumer data rights (access, deletion, correction, portability) and heightened transparency requirements. Maggie and Joe also will highlight key differences across state laws and provide practical strategies for navigating compliance, equipping attendees to advise on state-specific mandates and anticipate future privacy trends.
– Joe Cuffel & Maggie Lassack
10:20 – 10:30 a.m.
BREAK
10:30 – 11:15 a.m.
Cybersecurity Update – The Current Threat Landscape and Key U.S. Cybersecurity Legal Developments
An expert look at today’s cybersecurity landscape. In addition to insights on the current risks such as recent ransomware trends, topics will include the latest federal and state developments shaping cybersecurity law in the United States. The session will highlight significant enforcement actions, such as the FTC’s settlements with Marriott and Blackbaud over alleged data security failures and the HHS’s actions against health care providers for HIPAA violations following ransomware attacks. The discussion also will identify recent regulatory initiatives like the SEC’s guidance on Form 8-K cyber reporting and state cybersecurity regulations that are being replicated across jurisdictions and industry sectors. Additionally, Lisa will highlight states’ new and amended cybersecurity laws including provisions for breach notification.
– Lisa Sotto
11:15 a.m. – 12:00 p.m.
The New Minnesota Consumer Data Privacy Act – Compliance Essentials
Gain valuable insights into the new Minnesota Consumer Data Privacy Act from attorney Nadeem Schwen, who was consulted throughout the multi-year legislative process. This session explores the law’s key provisions, including traditional privacy rights like data access and deletion, as well as its unique approach to automated decision-making, location data, mandatory privacy assessments, and enforcement priorities. Learn practical compliance essentials and discuss potential amendments to this groundbreaking legislation.
– Nadeem W. Schwen
12:00 – 1:00 p.m.
LUNCH BREAK (on attendees’ own)
1:00 – 2:00 p.m.
BREAKOUT SESSION A
001
Website AdTech Compliance – Mitigating Legal Risks in Modern Marketing Practices
In the rapidly evolving landscape of advertising technology (AdTech), companies must navigate new laws and the novel application of existing statutes to emerging technologies. Get concrete, practical guidance for mitigating legal risks associated with modern marketing practices such as use of cookies, pixels, session replay, chats, and artificial intelligence.
– Katherine E. Graf, Justin Kay & Andrew Taylor
002
New State Privacy Laws – A Deeper Dive
Building on the plenary session, this in-depth breakout further explores the new state privacy laws. Dive deeper into the commonalities and variations among states, and gain additional helpful insights into compliance in this complex and rapidly changing area.
– Joe Cuffel, Maggie Lassack & Abigail Stark
003
Data Mapping – Why and How to Build a Comprehensive Roadmap of the Personal Data Your Client Holds
To comply with data privacy regulations, organizations must have a clear understanding of the personal data they hold, its source, how it is processed, where it is stored or transferred, who it is shared with and for what purpose, and for how long it is retained. This session will focus on practical approaches for creating and maintaining accurate data maps, understanding the types of data being collected, and ensuring that critical data is properly secured and easily accessible for audits or regulatory inquiries.
– Brad Hammer
2:00 – 2:15 p.m.
BREAK
2:15 – 3:15 p.m.
BREAKOUT SESSION B
101
Safeguarding Minors Online and on Mobile Apps – Evolving Privacy Laws to Protect Teens and Pre-Teens
As online platforms and mobile apps continue to engage users of all ages, legal requirements around data privacy and the need for age-appropriate experiences for minors are evolving rapidly. This session will provide an in-depth, practical look at the laws governing the collection and use of minors’ data, including compliance with COPPA (Children’s Online Privacy Protection Act). This session also will provide an overview of expansions in some states’ laws that extend privacy protections to teenagers, not just pre-teen users. Practical approaches to compliance will be covered.
– Melissa J. Krasnow & Denise Tayloe
102
Today’s Cyber Liability Insurance Standards and Carve-Outs, Including AI Implications
This session will provide insights from an in-house attorney, a risk advisor as to assessment of cyber liability insurance, and an outside legal counsel on key trends in policy terms and what constitutes a carve-out. Additionally, the session will examine how recent systemic data breaches have impacted the negotiations for coverage. The panel will also discuss how the industry anticipates AI-related risks to affect coverage, with a focus on emerging challenges and best practices for addressing these complexities. Attendees will gain practical strategies for aligning cyber insurance with organizational needs in today’s risk environment.
– Katheryn A. Andresen, Leigh DeBiasse & Daniel Hanson
103
Vendor Contracts – Negotiating Key Provisions Regarding Data Privacy
Repeated at #403
Vendor agreements play a crucial role in protecting data. Agreements with parties that handle personal data are also increasingly covered by data privacy laws such as the CCPA/CPRA that mandate agreements with certain service providers, contractors, and other third parties. This session will provide a deep dive into what is required to assure compliance with various data privacy laws including contract provisions that are necessary to safeguard personal data. Participants will learn how to draft and negotiate reasonable agreements that limit liability and ensure compliance with data privacy laws.
– Michael R. Cohen
3:15 – 3:30 p.m.
BREAK
3:30 – 4:30 p.m.
BREAKOUT SESSION C
201
Avoiding Death by a Thousand Cuts – Taking the Privacy by Design Approach
With hundreds of laws and regulations on the books and thousands of individual requirements, taking a compliance approach to privacy does not scale for businesses and can quickly overwhelm a small privacy team. Privacy by design offers a holistic approach, in which privacy considerations are built into the business operations in a way that helps companies address the vast majority of privacy regulations with steady consistent effort. In this session you’ll learn: (1) how to identity privacy risks that cut across regulation; (2) how to mitigate those risks through technical and process controls; and (3) how to integrate privacy into the business.
– Kerry L. Childe & R. Jason Cronk
202
AI Data Stewardship Framework – How Stakeholders Can Use This Critical Tool
The AI Data Stewardship Framework (AI-DSF) sets standards for generating, supplying, protecting, and using high-quality data for training algorithms. It serves multiple stakeholders, such as data brokers, consumers, AI developers, regulators, and lawmakers. The AI-DSF is a key resource for enterprise AI applications, as well. Join Eran Kahana for practical insights into AI-DSF’s three-part control structure for organizations.
– Eran Kahana
203
Cross-Border Data Transfer Primer – Deciphering the Alphabet Soup of SCCs, DPAs, BCRs, and More!
This session provides a clear, practical introduction – or refresher – to key data transfer tools and terms, including standard contractual clauses (SCCs), data processing agreements (DPAs), binding corporate rules (BCRs), and more. We’ll go beyond a mere recitation of definitions, with the presenters breaking down each term in plain English – cutting through the jargon to explain what these concepts really mean, why they matter, and when and how to use them.
– Kellie Johnson & Jodie Nielsen
4:30 – 6:00 p.m.
RECEPTION AT THE CAPITAL GRILLE
Reception courtesy of Lathrop GPM
Food, Fun and a Chance to Win Prizes!
Thursday’s reception will take place nearby at The Capital Grille. Register for a chance to win a fun prize! The prize drawing will take place at the reception on Thursday, February 6, and you must be present at the reception during the prize drawing to win. Any person may receive and submit an entry form on Thursday, February 6, at the conference registration desk until the reception begins at 4:30 p.m. Registration for the 2025 Midwest Legal Conference on Data Privacy and Cybersecurity is not required. The following individuals are not eligible to win: employees of Minnesota CLE and the Minnesota State Bar Association, as well as family members of those employees.
8:30 – 9:00 a.m.
CONTINENTAL BREAKFAST
9:00 – 9:05 a.m.
WELCOME & ANNOUNCEMENTS
9:05 – 9:50 a.m.
Lions and Tigers and Bears, oh my! Legal Risks in Cybersecurity Investigations
Companies experiencing global ransomware and cyberattacks need to grapple with three categories of legal risks: 1. lions (mandatory incident notification obligations), 2. tigers (legal restrictions on data collection, use, and transfer), and 3. bears (potential conflicts of law for disclosures to authorities). Seasoned external counsel with 25 years of experience offers practical guidance on identifying these risks, updating incident response procedures, and strengthening privacy and cybersecurity programs to address global legal challenges.
– Brian L. Hengesbaugh
9:50 – 10:00 a.m.
BREAK
10:00 – 11:00 a.m.
Artificial Intelligence – A Holistic Approach to Managing Interconnected Risks
AI’s widespread adoption – at organizational, third-party, and individual-employee levels – requires an integrated approach to legal issue-spotting and advice-giving regardless of practice area. Gain practical strategies for navigating this interconnected landscape with real-world examples and insights, with particular focus on intersections with data privacy, cybersecurity, and information governance considerations.
– Elaine De Franco Olson & Elimu Kajunju
– Paul H. Luehr (moderator)
11:00 – 11:10 a.m.
BREAK
11:10 – 11:40 a.m.
Inside the California Privacy Protection Agency – Enforcement Priorities and Processes
With insights from a member of the California Privacy Protection Agency’s Enforcement Division, you’ll hear about the Agency’s top priorities, current enforcement trends, and how the complaints process operates.
– Celine Guillou (appearing remotely) & Chiara Portner
11:40 a.m. – 12:45 p.m.
LUNCH BREAK (on attendees’ own)
12:45 – 1:45 p.m.
BREAKOUT SESSION D
301
Beyond GDPR: EU Data Privacy and Security Developments – Practical Steps for Compliance
The EU continues to lead the way shaping the global landscape of data regulations, setting ambitious standards influencing privacy, cybersecurity, and digital innovation worldwide. This session covers developments such as the EU AI Act, Data Act, NIS2 Directive, Cyber Resilience Act, Digital Services Act, and Digital Markets Act. Key session takeaways: (1) distillation of the elements of these laws and whether GDPR efforts can be used for future compliance; (2) clear guidance on scope, impact, and coverage; and (3) practical steps for updating policies, systems, processes, and strategies.
– Brad Hammer
302
California Data Privacy Law: Important New Legislative and Enforcement Developments
Building on the plenary session, this in-depth breakout further explores what’s new in California data privacy requirements, including recently enacted laws related to artificial intelligence. Explore the requirements of these new laws, effective dates, what the governor vetoed, and what all of this means for covered entities, legal compliance, and enforcement moving forward.
– Tedrick A. Housh & Chiara Portner
303
Mitigating Cybersecurity Risk Across the Supply Chain – A Proactive Approach
Cybersecurity risks can emerge from any link in a company’s supply chain, making it vital to assess and mitigate potential vulnerabilities. This session will cover strategies for identifying risks related to third-party, fourth-party, and beyond vendors and suppliers, conducting effective risk assessments, and implementing best practices to ensure that external partners maintain strong cybersecurity practices. Attendees will learn the latest regulator expectations on third-party risk management and how to work across departments to create comprehensive risk management strategies that address both direct and indirect cybersecurity threats.
– Dan Ongaro
1:45 – 2:00 p.m.
BREAK
2:00 – 3:00 p.m.
BREAKOUT SESSION E
401
Guarding Sensitive Data – Managing Legal Risks in Data Transfers to or from China, Russia, and Other Foreign Jurisdictions
With rising restrictions on data transfers to or from certain foreign jurisdictions such as China, Russia, and Venezuela, this session provides practical strategies for assessing the legality of such cross-border transfers and mitigating compliance risks. Explore key provisions of the new Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA) and 2024’s Executive Order 14117, which limit sensitive data transfers to countries of concern. Additionally, this session will examine how China’s Personal Information Protection Law (PIPL) and other data privacy related rules impact assessment of data transfers.
– Ray Liu (appearing remotely) & Dave Townsend
402
Inherited Data Risks – Post-Closing Remediation Strategies for Buyers in M&A Transactions
In mergers and acquisitions, buyers often inherit the seller’s data privacy and security risks, leading to potential liabilities that can undermine the deal’s value. This practical session helps data privacy and security lawyers navigate these challenges post-closing. Participants will gain actionable insights into developing effective remediation strategies. Through case studies, this session will concretely apply the how-to’s to real-world post-closing remediation so that attendees will leave better equipped to protect their organizations and clients from the pitfalls of inherited data liabilities.
– Sten-Erik Hoidal
403
Vendor Contracts – Negotiating Key Provisions Regarding Data Privacy
Repeat of #103
Vendor agreements play a crucial role in protecting data. Agreements with parties that handle personal data are also increasingly covered by data privacy laws such as the CCPA/CPRA that mandate agreements with certain service providers, contractors, and other third parties. This session will provide a deep dive into what is required to assure compliance with various data privacy laws including contract provisions that are necessary to safeguard personal data. Participants will learn how to draft and negotiate reasonable agreements that limit liability and ensure compliance with data privacy laws.
– Michael R. Cohen
3:00 – 3:15 p.m.
BREAK
3:15 – 4:15 p.m.
Supporting Lawyer Well-Being in the High-Stakes World of Data Privacy and Cybersecurity Law
1.0 mental health/substance use credit applied for
Legal professionals in data privacy and cybersecurity face unique stressors, including the relentless pace of technological advancements, high-stakes decision-making, and the constant pressure to manage and mitigate risks in a rapidly evolving legal landscape. There is a clearly recognized continuum where unresolved chronic stress becomes a predictor for substance use problems and mental illness, particularly depression and anxiety. By understanding this continuum, the impact of our exposure to trauma, and the facts about addiction and mental illness, data privacy and cybersecurity lawyers can reduce their risk and, hopefully, get help earlier when there is a mental health, substance use, or related problem. By knowing these risks, we can also support each other. This program will present signs, symptoms, risk factors, and recovery regarding these challenges, along with well-being tools. The presenter will also provide information on Lawyers Concerned for Lawyers and other resources.
– Joan Bibelhausen
Attendees of the 2025 Midwest Legal Conference on Data Privacy & Cybersecurity may view the following webcasts for FREE after the conference! Instructions on how to register for free will be provided to in-person attendees at the conference and online replay viewers by email after the replay.
Friday, March 21, 2025
9:00 – 10:00 a.m. (CDT)
Ethics 3.0 – Attorney Responsibility in the Age of Generative AI
1.0 ethics CLE / IAPP CPE credit applied for
Complying with legal ethics obligations in the age of generative AI requires more than safeguarding client confidentiality, verifying AI-generated content, and communicating in permissible ways. Lawyer use of generative AI must align with these legal ethics rules, but remaining competent under those rules also requires staying informed about and compliant with the broader duty to stay abreast of current technology and to comply with applicable data privacy and security regulations, FTC endorsement guidelines, truth-in-advertising standards, and more. In this webcast, Jon M. Garon – a nationally recognized expert in technology law and information privacy – offers practical insights on how to meet your professional responsibilities in this rapidly evolving landscape.
– Jon M. Garon
Friday, March 21, 2025
12:00 – 1:00 p.m. (CDT)
Understanding Privacy and Data Security Laws and Requirements in Agreements
1.0 standard CLE / IAPP CPE credit applied for
You will learn about: Analyzing and responding to privacy and data security addenda and letter agreements from others; Recent developments involving agreements, including the California Privacy Rights Act and Minnesota Consumer Data Privacy Act; Interaction of privacy, data security and incident and breach notification provisions with other commercial agreement provisions; How to avoid potential pitfalls; and Resources and tools for managing privacy and data security laws and requirements in agreements.
– Melissa J. Krasnow
Wednesday, March 26, 2025
12:00 – 1:00 p.m. (CDT)
2025 Data Privacy and Cybersecurity Litigation Update
1.0 standard CLE / IAPP CPE credit applied for
Experienced litigators – one plaintiff side and one defense – share their insights on significant privacy and data breach litigation developments from the past year. Learn about major federal and state court decisions, high-profile settlements, and critical trends that are shaping the legal landscape for privacy professionals.
– Joe Hashmall & Jeff Justman
LIVE IN-PERSON
Thursday & Friday, February 6-7, 2025
Minnesota CLE Conference Center
600 Nicollet Mall, Suite 370
Seventh Street & Nicollet Mall, Third Floor City Center
Minneapolis, Minnesota
ONLINE REPLAY
Monday & Tuesday, March 3-4, 2025
Attend online
Online replay includes all plenary and breakout sessions. A moderator will be available to answer questions by email.
$495 MSBA members / $495 paralegals / $595 standard rate
Other discounts that may apply:
Scholarships available!
Need-based scholarships are available for in-person and online seminars. For further information or to obtain a scholarship application, contact us at 800-759-8840 or customerservice@minncle.org.
CREDITS – CONFERENCE:
Minnesota CLE is applying to the Minnesota State Board of CLE for 11.0 CLE credits, including 1.0 mental health/substance use credit for the concluding plenary. The maximum number of total CLE credits attendees may claim for this program is 11.0 credits.
The IAPP has approved this conference for 10.0 CPE credits.
CREDITS – FREE POST-CONFERENCE WEBCASTS: