Heidi Salow

Heidi Salow is a Partner in the firm’s Privacy and Cybersecurity practice. Ms. Salow has two decades of experience advising entities of all sizes, including start-ups, Fortune 500 companies and non-profit organizations. Ms. Salow specializes in matters involving cybersecurity, data governance, data ethics, data privacy and data protection, employment-related privacy, healthcare privacy and security, insider threat management, mobile technologies, corporate risk management and social media.

Ms. Salow has served as a strategic advisor to entities seeking to develop and implement legally compliant U.S. and global data protection programs in the information technology, media, telecommunications, retail, financial, healthcare and legal services industries. She established the first Global Privacy Office function for a $13B corporation and has counseled clients in the aftermath of 75-plus data breaches and data security incidents.

Ms. Salow provides virtual/fractional Chief Privacy Officer (CPO) services. She also routinely advises clients on a wide range of issues involving the Australian Privacy Act and Australian Privacy Principles (APPs), California Consumer Protection Act (CCPA)/California Consumer Rights Act (CPRA), Canadian Anti-Spam Law (CASL), European Union (EU) General Data Protection Regulation (GDPR), UK Data Protection Act 2018, U.S. CAN SPAM Act, U.S. Fair Credit Reporting Act (FCRA), U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act, U.S. Health Insurance Portability and Accountability Act (HIPAA), U.S. Telephone Consumer Protection Act (TCPA) and Telemarketing Sales Rule (TSR), NIST Privacy Framework, NIST 800-53, as well as other U.S. and global data privacy, direct marketing and consumer protection laws.

A frequent author and lecturer in the areas of data privacy, data protection and cybersecurity, Ms. Salow holds the following certifications: Certified Information Privacy Professional/ U.S. (CIPP/US); Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional /Europe (CIPP/E). She has participated in legislative and regulatory proceedings on a multitude of privacy, data security, advertising, marketing, and IP issues. She has worked with staff members of U.S. federal agencies, as well as the U.S. Congress, Scottish Parliament and Scottish government.

Prior to joining Potomac Law, Ms. Salow was the Chief Privacy Officer for Leidos, a U.S. federal government contractor with 400 locations in 30 countries. Before joining Leidos, she served as Vice President & Senior Privacy Officer at Thomson Reuters, a Canadian multinational information and media conglomerate which then operated in 94 countries.

Representative Experience

• Created wide-reaching strategic plan for implementing Privacy by Design at a large corporation with multiple lines of business.
• Developed and launched several new types of assessments, including HIPAA Risk Assessments, Privacy Threshold Assessments and Global Data Protection Assessments.
• Spearheaded new Data Subject Access Request (DSARs) processes for a large company.
• Negotiated 50-plus data processing, data sharing, data transfer, software licensing and HIPAA Business Associate Agreements.
• Advised corporate security team on designing legally compliant insider risk management program.
• Helped implement global data protection program for a multinational conglomerate with internal entities in the EU, U.S., Australia, Canada, Asia, Australia, and LatAm.
• Conducted due diligence related to the acquisition and divestiture of various legal entities.
• Advised Information Security Risk Management (ISRM) teams on newly implemented Data Loss Prevention (DLP) governance programs to help them grapple with uncharted legal and regulatory issues.
• Served as Executive Sponsor of various corporate working groups tasked with data classification, data governance, records management and data ethics.
• Drafted global data transfer and processing mechanisms, including data processing and transfer contract provisions, intra-group Data Transfer Agreements and Binding Corporate Rules (BCRs) for multinational companies with complex corporate structures.
• Advised clients on the applicability and impact of various U.S. laws such as the California Consumer Privacy Act (CCPA), as amended by the California Consumer Rights Acts (CPRA), CAN SPAM Act, Digital Millennium Copyright Act (DMCA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act (FCRA) and Family Educational Rights and Privacy Act (FERPA), Telephone Consumer Protection Act (TCPA) and Telemarketing Sales Rule (TSR).
• Prepared past EU-U.S. Safe Harbor certifications for several clients including a wireless industry trade association, multinational shipping company, non-profit organization, and mobile software company.
• Advised clients on the applicability and impact of various global privacy and data protection laws and regulations, including the Australian Privacy Act and Australian Privacy Principles (APPs), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), UK Data Protection Act 2018 and European Union General Data Protection Regulation (EU GDPR).
• Developed FACTA Red Flag identity theft prevention programs for financial institutions and companies offering consumer credit.