Heidi Salow is a Partner in the firm’s Privacy and Cybersecurity practice. Ms. Salow has two decades of experience advising entities of all sizes, including start-ups, Fortune 500 companies and non-profit organizations. Ms. Salow specializes in matters involving cybersecurity, data governance, data ethics, data privacy and data protection, employment-related privacy, healthcare privacy and security, insider threat management, mobile technologies, corporate risk management and social media.
Ms. Salow has served as a strategic advisor to entities seeking to develop and implement legally compliant U.S. and global data protection programs in the information technology, media, telecommunications, retail, financial, healthcare and legal services industries. She established the first Global Privacy Office function for a $13B corporation and has counseled clients in the aftermath of 75-plus data breaches and data security incidents.
Ms. Salow provides virtual/fractional Chief Privacy Officer (CPO) services. She also routinely advises clients on a wide range of issues involving the Australian Privacy Act and Australian Privacy Principles (APPs), California Consumer Protection Act (CCPA)/California Consumer Rights Act (CPRA), Canadian Anti-Spam Law (CASL), European Union (EU) General Data Protection Regulation (GDPR), UK Data Protection Act 2018, U.S. CAN SPAM Act, U.S. Fair Credit Reporting Act (FCRA), U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act, U.S. Health Insurance Portability and Accountability Act (HIPAA), U.S. Telephone Consumer Protection Act (TCPA) and Telemarketing Sales Rule (TSR), NIST Privacy Framework, NIST 800-53, as well as other U.S. and global data privacy, direct marketing and consumer protection laws.
A frequent author and lecturer in the areas of data privacy, data protection and cybersecurity, Ms. Salow holds the following certifications: Certified Information Privacy Professional/ U.S. (CIPP/US); Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional /Europe (CIPP/E). She has participated in legislative and regulatory proceedings on a multitude of privacy, data security, advertising, marketing, and IP issues. She has worked with staff members of U.S. federal agencies, as well as the U.S. Congress, Scottish Parliament and Scottish government.
Prior to joining Potomac Law, Ms. Salow was the Chief Privacy Officer for Leidos, a U.S. federal government contractor with 400 locations in 30 countries. Before joining Leidos, she served as Vice President & Senior Privacy Officer at Thomson Reuters, a Canadian multinational information and media conglomerate which then operated in 94 countries.
- Created wide-reaching strategic plan for implementing Privacy by Design at a large corporation with multiple lines of business.
- Developed and launched several new types of assessments, including HIPAA Risk Assessments, Privacy Threshold Assessments and Global Data Protection Assessments.
- Spearheaded new Data Subject Access Request (DSARs) processes for a large company.
- Negotiated 50-plus data processing, data sharing, data transfer, software licensing and HIPAA Business Associate Agreements.
- Advised corporate security team on designing legally compliant insider risk management program.
- Helped implement global data protection program for a multinational conglomerate with internal entities in the EU, U.S., Australia, Canada, Asia, Australia, and LatAm.
- Conducted due diligence related to the acquisition and divestiture of various legal entities.
- Advised Information Security Risk Management (ISRM) teams on newly implemented Data Loss Prevention (DLP) governance programs to help them grapple with uncharted legal and regulatory issues.
- Served as Executive Sponsor of various corporate working groups tasked with data classification, data governance, records management and data ethics.
- Drafted global data transfer and processing mechanisms, including data processing and transfer contract provisions, intra-group Data Transfer Agreements and Binding Corporate Rules (BCRs) for multinational companies with complex corporate structures.
- Advised clients on the applicability and impact of various U.S. laws such as the California Consumer Privacy Act (CCPA), as amended by the California Consumer Rights Acts (CPRA), CAN SPAM Act, Digital Millennium Copyright Act (DMCA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, Electronic Communications Privacy Act (ECPA), Fair Credit Reporting Act (FCRA) and Family Educational Rights and Privacy Act (FERPA), Telephone Consumer Protection Act (TCPA) and Telemarketing Sales Rule (TSR).
- Prepared past EU-U.S. Safe Harbor certifications for several clients including a wireless industry trade association, multinational shipping company, non-profit organization, and mobile software company.
- Advised clients on the applicability and impact of various global privacy and data protection laws and regulations, including the Australian Privacy Act and Australian Privacy Principles (APPs), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), UK Data Protection Act 2018 and European Union General Data Protection Regulation (EU GDPR).
- Developed FACTA Red Flag identity theft prevention programs for financial institutions and companies offering consumer credit.
Honors & Awards
Chambers Legal 500, 2009
Pro Bono and Community Involvement
Volunteer, Lost Dog and Cat Rescue Foundation
Memberships and Affiliations
- Certified Information Privacy Professional/U.S. (CIPP/US)
- Certified Information Privacy Manager (CIPM)
- Certified Information Privacy Professional /Europe (CIPP/E)
- International Association of Privacy Professionals (IAPP) Diversity in Privacy Advisory Board, 2022 - Present
- Sedona Working Group 11, 2018 - 2021
- Global Information Security Working Group, U.S. Chamber of Commerce, 2016 - 2017
- Global Privacy Working Group, U.S. Chamber of Commerce, 2016 - 2017
- Software Information Industry Association, 2014-2017
- Co-Chair, International Association of Privacy Professionals Knowledge Net, 2012 - 2015
- IAPP Publications Advisory Board, 2009 - 2011
Selected Publications and Speeches
- “Best Practices in Data Governance: What’s Worked, What Has Not,” Consero, November 2022
- “Advice From a CPO on Balancing Insider Threat Management and Privacy” (interviewed by Jill Abitbol, Cybersecurity Law Report), April 2022
- “C-Suite Perspectives,” Corporate Counsel Business Journal Podcast Interview (aired Spring 2021)
- Contributor, “Privacy Law, Regulation, and Business” course, Cornell Law School, 2020
- “Privacy in the New Normal,” Corporate Counsel Business Journal webinar, November 2020
- “Regulatory, Behavioral and Political Implications of COVID-19,” Corporate Counsel Business Journal webinar, October 2020
- “Understanding Privacy’s Value to the IT and Infosec teams,” IAPP/TRUSTe Webinar, March 2016
- “Cybersecurity: Preparing for and Responding to Data Security Incidents,” Georgetown Law Corporate Counsel Institute, March 2015
- “When the Regulators Come Knocking or Other Bad Stuff Happens,” IAPP, September 2014
- “The Privacy Class Action Landscape,” American Bar Association (ABA), August 2014
- “Privacy and Data Breaches,” (Speaker with FTC Commissioner Brill), Conference of Western Attorneys General, July 2014
- “Biometric Data - Overview of U.S. Federal and State Laws,” Nymity News, November 2013
- “9th Annual Conference on Privacy and Public Access to Court Records,” Center for Legal & Court Technology, William & Mary Law School, October 2013
News, Events & Insights
University of Baltimore Law School, J.D.
George Washington University Law School, LL.M Program (all but thesis), Intellectual Property
McGill University, B.A.
- Leidos, Chief Privacy Officer
- Thomson Reuters, Vice President & Senior Privacy Officer
- Greenberg Traurig, Shareholder
- DLA Piper, Of Counsel
- Sprint Nextel Corporation, Senior Counsel & Director
Areas of Practice
- District of Columbia