log in
Print | Back

Lowenstein Sandler LLP

Mary J. Hildebrand

Mary J. Hildebrand

Partner
Founder and Chair, Privacy & Cybersecurity

Lowenstein Sandler LLP
New Jersey, U.S.A.

tel: 973.597.6308
Send an Email

Local Time: Mon. 02:08

Profile

For more than 30 years, Mary has drawn on her deep experience in privacy and data security, tech, and intellectual property to handle sophisticated technology deals from concept to conclusion.

Mary regularly serves as lead counsel to both public and private companies in complex commercial matters involving:

  • Digital and social media
  • Software
  • Clean tech
  • Renewable energy
  • Public utilities
  • Financial services
  • Medical devices
  • Entertainment
  • E-commerce
  • Transportation
  • Universities
  • Not-for-profit organizations 


Additionally, she counsels startups on the transactions and foundational legal structures needed to launch their businesses.

As a leading intellectual property lawyer, Mary has achieved an enviable track record in commercializing, protecting, and managing intellectual property, technology, and database assets around the world. She is also a recognized authority on EU and U.S. data privacy and information security laws.

A highly regarded "top-notch," "hugely responsive," and "skilled, bright and knowledgeable" practitioner, Mary has been consistently recognized by Chambers USA (2009-2019) for her successful handling of complex transactions involving significant IP assets. Her clients commend her as "a phenomenal client manager" who gives "useful, pragmatic, practical advice."

Mary has served as a member of Lowenstein Sandler's board of directors and Strategic Planning Committee, as well as chair of the firm's Diversity and Inclusion Committee.

Bar Admissions

    New Jersey

Education

Duke University School of Law (J.D. 1984)
Union College of Union University (B.A. 1980), magna cum laude
Areas of Practice
Professional Career

Significant Accomplishments

Speaking Engagements

Cathy Serafin and Mary Hildebrand will present a webinar entitled "Insurance Issues in Commercial Contracts: Addressing Unique Risk Profiles for Your Deal." The presentation will discuss specific insurance issues to take into consideration when negotiating your next commercial contract. The speakers will cover how to draft specific provisions to protect your company or client's best interests in numerous situations that nearly all businesses routinely face.

Mary Hildebrand will speak on a panel entitled "EU GDPR and Privacy Shield" at The New EU Data Protection Regulation: Transnational Enforcement and its Effects on US Businesses Symposium. The annual Seton Hall Law Review Symposium brings together members of the judiciary, practicing lawyers, and legal scholars to explore important and timely aspects of the law and society. This is also the inaugural event of the newly established Seton Hall Institute for Privacy Protection.

In early 2018, the European Union will replace its entire privacy framework with the GDPR, which governs any organization that processes the personal data of an EU citizen regardless of geographic location. GDPR has immediate ramifications for U.S. organizations, including those that do not have any affiliates or locations in the EU. We are hosting the first installment of a two-part breakfast series on GDPR focused on the key practical issues associated with implementation and avoidance of penalties. Mary Hildebrand and Matt Oliver, CIPP/US, will speak on a panel in our AVL Center that includes Linda Rush, CIPP/US/C, CIPM, Privacy Officer and Associate General Counsel, AvisBudget Group Inc.

The EU is slated to replace its entire data protection structure in May 2018 with implementation of the General Data Protection Regulation (GDPR). GDPR has jurisdiction over any organization that collects or processes the personal data of EU citizens without regard to the organization's geographic location, so the impact of this complex legislation is worldwide. GDPR is not limited to tech companies – it applies to every private sector organization and many in the public sector.

In December 2016, the EU's Article 29 Working Party (WP29) released guidance on several key provisions of GDPR.

On Wednesday, February 1, we are hosting an update to our two-part GDPR series last fall focused on the new WP29 Guidance. Mary Hildebrand, CIPP/US/E, and Linda Rush, CIPP/US/C, CIPM, Privacy Officer and Associate General Counsel, Avis Budget Group, Inc., will discuss the impact of WP29s guidance, including what's covered and what's not, and recommend practical integration strategies. The February 1 session will be held in our New Jersey office, with similar sessions scheduled in our New York and Washington, D.C. offices.

Lowenstein and the New Jersey Chapter of the Association of Corporate Counsel (NJACC) will team up to host the 3rd Annual Cyber Day at One Lowenstein Drive. Cyber Day is a half-day program designed to help companies navigate current cybersecurity and data privacy issues, two themes that continue to generate press headlines, as well as client concern.

Lowenstein and NJ LEEP will team up to host a free CLE presentation on Blockchain Technology, Smart Contracts, and Cryptocurrency at One Lowenstein Drive from 5-7pm. The presentation will feature a one hour panel discussion moderated by Mary Hildebrand, with panelists Philip Decker, Vice President and Senior Counsel, Legal Affairs; Jason Mark Anderman, Vice President and Senior Counsel, Technology and Digital Law; and Emily Goodman Binick, Vice President and Senior Counsel, Cryptocurrency, all of American Express. The presentation will be followed by networking and refreshments.

Lowenstein and the New Jersey Chapter of the Association of Corporate Counsel (ACCNJ) will team up to host "The Deep, Dark Web – What is it – and how does it impact your business," a CLE presentation focused on the Dark Web, the local, national, and international repercussions, and how to protect your data from ending up on the deep, dark web. The program will feature a two hour discussion lead by Mary Hildebrand, CIPP/US/E, Founder and Chair, Privacy and Information Security Practice; Partner, The Tech Group; Christine Hoffman, Deputy Director, Division of Criminal Justice in NJ; and Mark Spencer, Regional Sales Manager, AccessIT Group, Inc.

For more information, email [email protected]

 

Please join us as our panel of specialists from Lowenstein Sandler and ACA Compliance Group lead a discussion of real-time developments related to the following:

  • Data Privacy and GDPR Concerns for Investment Managers
  • The Advertising Rule - Compliance Advice and Practical Approaches
  • Recent SEC Enforcement Actions and Trends


For more information, email 
[email protected]

Lowenstein's Zarema A. Jaramillo introduces opening keynote speaker Valerie Jarrett, former Senior Advisor to the Obama Administration, and Lynda A. Bennett and Mary J. Hildebrand are panel moderators at the Women, Influence & Power in Law conference. 

October 4, 2018

9:15 a.m.: Opening Keynote: Fireside Chat | Staying Nimble, Taking Risks, and Empowering Women to Lead With Authenticity and Confidence

  • Introduction of keynote speaker: Zarema A. Jaramillo, Partner, Lowenstein Sandler LLP
  • Keynote speaker: Valerie Jarrett, former Senior Advisor, Obama Administration

Empathy, intuition, and collaboration are the qualities people are looking for in their leaders today. In this session, hear from our keynote speaker on how she has taken risks to breakthrough gender bias with confidence, authenticity, and effectiveness in her professional journey.

11 a.m.-12 p.m.: GDPR: Assessing Your Organizational Competence and Risk in a Data-Driven World 

  • Moderator: Mary J. Hildebrand, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Panelists:
    • Li Reilly, Vice President & Deputy General Counsel, Fareportal
    • Ilona Levine, Senior Corporate Counsel, Privacy, Data Protection, Cybersecurity and Compliance, OVH US
    • Jo Ann Lengua Davaris, Chief Privacy Officer, Mercer

The implementation of GDPR–and the potential for regulatory enforcement actions, private causes of action and legal challenges from various quarters–exemplifies the uncertainty that permeates the privacy and cybersecurity world. How can you manage your legal, compliance, and business risks to achieve the best outcome for your organization? This panel will discuss the practical implications of managing against the new organizational requirements, such as accountability measures, breach notification requirements, data subject rights, and processing system assessments.

October 5, 2018

10-11 a.m.: How to Evaluate Exposure to Personal Liability Arising from Recent Enforcement Actions Against Corporate Counsel

  • Moderator: Lynda A. Bennett, Partner; Chair, Insurance Recovery Group, Lowenstein Sandler LLP
  • Panelists:
    • Patricia Barbieri, Senior Vice President, General Counsel and Secretary, Daiichi Sankyo, Inc.
    • Lynn Feldman, EVP and General Counsel, Clear Channel Outdoor
    • Shirin Saks, Assistant General Counsel, Litigation and Employment, Dun & Bradstreet

Corporate counsels are an organization's ethics watchdogs, yet they are often asked to give strategic business advice. This can put in-house lawyers in awkward positions, jeopardize attorney-client privilege, and potentially expose the company and its leaders to liability. This session will provide an ethical framework and best practices to help navigate this dual role, and focus on how to protect corporate counsel and other executives against potential liability risks through insurance coverage and other innovative risk management techniques.

Mary J. Hildebrand speaks alongside Richard Ledgett, Former Deputy Director, National Security Agency, at World Sevices Group's (WSG) 2018 Annual Meeting, scheduled for September 19-21, 2018. The conference features engaging guest speakers and panel perspectives while offering several opportunities for delegates to network among professionals across the WSG Network.

Join us for our 4th Annual Cyber Day. This half-day program features sessions led by Lowenstein lawyers and other industry leaders who will discuss how companies can navigate cybersecurity, blockchain, and data privacy issues as well as the cyber insurance market in order to operate in a post-GDPR business landscape.

Topics include:

  • Cyber Risks: Where to Find Coverage and How to Maximize Recovery for Cyber Claims 
  • A Global Perspective: Status Report on the Impact of GDPR and What You Need to Know About the Evolving U.S., Federal, and State Data Privacy Laws
  • Government Investigations: How to Prepare and What to Do
  • Beyond Bitcoin: An Introduction to Blockchain

Lowenstein speakers include: 

The program runs 7:30 a.m.-2 p.m. Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500. CLE credit available.

In response to GDPR and Privacy Shield changes, Mary J. Hildebrand participates in a webinar panel regarding next steps for entities in the financial services industries that have completed initial gap analyses and modified their public-facing privacy policies.

This session will focus on what these heavily regulated industries will have to do in the next 60 days to establish and maintain a legally defensible position with respect to privacy and security of personal data — not only to comply with regulation but to be poised to do business in the 21st century.

Panelists:

  • Mary J. Hildebrand, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Ray Ford, Founding Member, GDPR Institute
  • Mark Rasch, Chief Legal Counsel, Digital Risk Management Institute; former head, United States Department of Justice, Cyber and High Technology Crime Unit
  • David Morris, early pioneer in cybersecurity; Managing Partner, Morris Cybersecurity

GDPR recently commanded headlines – and commandeered corporate resources – throughout the world. Several new U.S. state and federal data protection laws create a “one-two punch” for organizations already implementing GDPR and impose new obligations on companies that are out-of-scope for GDPR. This session will discuss these developments and strategies for aligning GDPR with the evolving U.S. privacy landscape. 

Speakers:

  • Mary J. Hildebrand, CIPP/US/E, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Sundeep Kapur, CIPP/US, Associate, Lowenstein Sandler LLP
  • Mark Faber, Vice President, Corporate Counsel, Cyber and Privacy Law, Prudential Financial

This one-hour webinar takes place at 2 p.m. ET.

This panel discussion will address the impact of the recent U.S. Supreme Court decision, Carpenter v. United States, and its effect on privacy law and law enforcement's ability to track historical or real-time cell phone location. The panelists will also explore how other types of electronically gathered information, such as data stored by wearable technologies and location tracking applications, will be affected in the post-Carpenter era.

This program is co-sponsored by the Rutgers Law School Center for Corporate Law and Governance (cclg.rutgers.edu), the Rutgers Computer and Technology Law Journal (rctlj.org), and Rutgers Institute for Professional Education (rutgerscle.com).

Panelists:

  • Mary J. Hildebrand, CIPP/US/E, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Douglas S. Eakeley, Of Counsel, Lowenstein Sandler LLP
  • Ronald K. Chen, University Professor, Rutgers Law School
  • Sabrina G. Comizzoli, Assistant U.S. Attorney, U.S. Attorney’s Office, District of New Jersey  
  • Todd Schulman, Associate General Counsel, Verizon

Time: 4-6 p.m.; a networking reception follows the presentation.

Location: Rutgers Law School, Baker Trial Courtroom (Room 125), Center for Law and Justice, 123 Washington Street, Newark, NJ 07102

NJ CLE information: This program has been approved by the Board on Continuing Legal Education of the Supreme Court of New Jersey for 2.4 hours of total CLE credit.



Professional Associations

The International Association of Privacy Professionals (IAPP)
  • CIPP/US/E
Liberty Science Center, Founder and Member of Board of Directors of the Women’s Leadership CouncilLicensing Executives Society, New Jersey Metro Chapter
  • Co-chair
American Bar AssociationNew Jersey State Bar AssociationExecutive Association of New Jersey
  • Past President and Chair of the Board of Trustees

Professional Activities and Experience

Accolades
  • Chambers USA (2009-2019) - Mary Hildebrand
  • The Best Lawyers in America - Mary Hildebrand

Blogs

Capital Markets Litigation
Lowenstein Sandler LLP 

Litigation News for the Global Financial Community

Articles

New York on Verge of Passing Landmark Data Security Legislation
Lowenstein Sandler LLP, June 2019

What You Need To Know: If signed into law, New York’s SHIELD Act will broaden the definition of protected information to include biometric data, email addresses, and corresponding passwords or security questions and answers. Unauthorized access, and not just unauthorized acquisition, to protected information would trigger breach notification requirements...

Top Cyber-Risk Issues -- Takeaways from the National Center of Cybersecurity Excellence Speaker Series
Lowenstein Sandler LLP, May 2017

I recently had the good fortune of participating in an excellent Speaker Series sponsored by the National Center of Cybersecurity Excellence (NCCoE)*. Our program, which included representatives from industry, the technology sector and trade associations, focused on Cyber-Risk in the Hospitality Industry...

Is Cybersecurity at the Top of Your List for 2017? If So, You're on the Right Track.
Lowenstein Sandler LLP, January 2017

When Yahoo recently disclosed that information on over a billion user accounts had been stolen back in 2013, the news capped off a year of big, bad data breaches. Security and privacy issues have been so front-and-center, in fact, that the Yahoo incident wasn’t the most newsworthy cybersecurity story by a long shot — despite its being the biggest data breach in history. Hacks of presidential campaigns and subsequent data leaks underscored just how pivotal a breach can be...

Additional Articles

It’s easy for philosophical differences between the United States and Europe to seem like intellectual abstractions -- right up until the moment they entail immense financial loss. The European embrace of a right to privacy, a capital “R” Right akin to any that we have enshrined in the Bill of Rights, might not appear to be of consequence to most Americans. However, given pending EU legislation, you could violate this right and incur huge fines without ever setting foot on the continent. Depending on the final shape of a new regulation currently working its way through the European Union, simply advertising online to Europeans in a manner that utilizes their purchasing history could incur a fine equivalent to two percent of your annual global revenues. While this concept may seem far-fetched, if you’re about to conduct any commerce in Europe, you should make it your business to monitor and understand the new regulation.

A recap from Lowenstein Sandler and ACC New Jersey’s 4th Annual Cyber Day Conference.

On October 10, I was delighted to welcome an overflow crowd of in-house counsel for lively discussions on navigating this increasingly complex regulatory and business landscape. As Chair of Privacy & Cybersecurity at Lowenstein, I see first-hand how new U.S. state and federal data protection laws have created a “one-two punch” for companies implementing GDPR (which became effective on May 25 of this year), and imposed new obligations on companies that are out-of-scope for GDPR. Aryeh Friedman, VP, Associate GC and CPO of Dun & Bradstreet, and I addressed these key takeaways on our panel.

GDPR Compliance is a Work in Progress: Surveys show that about 12% of US entities and 27% of EU entities surveyed believe they are ‘fully compliant’ with GDPR. Putting aside for the moment that there’s no consensus on exactly what ‘fully compliant’ means for GDPR, many US-based entities are still in process, and others are just coming to the realization that they are in-scope.

New California Law is a Game-Changer: It’s not a “mini-GDPR,” but the California Consumer Privacy Act (“CCPA”) reflects similar principles and grants broad control to California residents over their personal information. Entities that comply with GDPR need a gap analysis to determine what’s required of them under CCPA, and non-GDPR entities must evaluate their data practices in light of CCPA. With substantial fines and a private cause of action for data breach, CCPA challenges the status quo. US states are acting to fill the void created by the absence of comprehensive federal data protection laws (25% of the states recently adopted new or amended statutes). At this pace, state data protection statutes could go the way of data breach laws – 50 different laws across the country.

Get Ready For More Disruption: A year from now the data protection landscape is likely to be vastly different. Among other things –

  • GDPR started a global trend, with Brazil and India already falling in line and there’s more to come.
  • The Privacy Shield’s second annual review is happening now, and its future is not assured. Just shy of 4,000 companies currently depend on Privacy Shield to transfer data from Europe to the US. If the Privacy Shield is invalidated there are very few other options especially for B2C businesses. At the same time, standard contractual clauses (a/k/a, Model Contracts) are the subject of a hotly contested legal challenge by Max Schrems (of Safe Harbor fame) against Facebook.
  • Brexit is targeted for March 2019, and the EU is unlikely to issue an adequacy decision (regarding the protection of personal data) for the UK until Brexit is a reality. While other treaties may mitigate the impact, without an adequacy determination the UK (and UK affiliates of US companies) will be required to rely on model contracts, consent or other approved data transfer mechanisms as we do in the US.
  • Finally, foreign entities or individuals seeking to invest in US companies now have another hurdle -- The US Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) expands the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to include non-passive investments in any company that deals with “sensitive personal data of US citizens that may be exploited in a manner that threatens national security.” We are still awaiting regulations, but indications are that “sensitive personal data” will be broadly interpreted resulting in many more transactions being subject to these rigorous reviews.

On June 24, 2019, U.S. Sen. Mark Warner, D-Va., and Sen. Josh Hawley, R-Mo., introduced the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data, or Dashboard, Act, which mandates transparency by major platforms such as Facebook Inc., Google LLC, Amazon.com Inc. and Twitter Inc. regarding the monetization of user data.

A bipartisan effort, the bill would require broad disclosures to consumers and the U.S. Securities and Exchange Commission of exactly what data is collected, how it’s used and shared and its worth in dollars and cents. To encourage a uniform approach, the act also authorizes the SEC to develop methods for calculating the value of data across platforms. This novel approach, among the first of its kind, has important implications for the digital economy and the status of “data” as a discrete asset governed by a new and rapidly evolving body of law.

Specifics of the Act

The act requires commercial data operators (entities that generate a material amount of revenue from user data with more than 100,000,000 unique users or visitors) to provide each user with detailed information on a quarterly basis. Specifically, each user will receive a description of the types of data collected, any use of his or her data unrelated to the online services he or she patronizes and the economic value placed on the data by the commercial data operator. With limited exceptions, commercial data operators must also provide users with the ability to delete their data through a single setting or another “clear and conspicuous mechanism.”

In contrast to the personal nature of disclosures to users, public companies that qualify as commercial data operators under the act are required to make broad disclosures to the SEC. At least annually, commercial data operators must submit a written report to the SEC setting forth the “aggregate value” of user data they hold, contracts with third parties that collect such data on their behalf, and any other items that the SEC deems “necessary or useful.”

The act empowers the SEC to develop data valuation methodologies to encourage standardization across different users, sectors and business purposes. Within a year after passage, the act requires additional disclosures to the SEC including, among others, data security, aggregate revenue derived from user data, and a description of each revenue generating activity dependent on user data.

Enforcement of the act falls squarely within the jurisdiction of the Federal Trade Commission under Section 5 of the FTC Act. Any violation of the Dashboard Act is deemed an “unfair or deceptive act,” invoking the full range of the FTC’s investigatory and enforcement powers. Perhaps more significant, the FTC would be responsible for issuing regulations under the act. Commercial data operators will be confronting enhanced scrutiny and regulation from the SEC and the FTC, two formidable federal agencies.

Why This Bill Matters

By recognizing “data” as a valuable asset in its own right, the act would disrupt the existing dynamic between consumers, the technology industry and federal regulators. If “knowledge is power,” then consumers would have an unprecedented ability to control their data. As an example, consumers may begin demanding financial compensation for data formerly provided just for the privilege of using online services.

Adoption and implementation of the act would have an immediate impact on the technology industry at an already challenging time in its evolution. Additional scrutiny by the FTC and a newly empowered SEC could have significant financial repercussions and accelerate calls to break up these “monopolies.”

Other state and federal regulators are likely to become involved, particularly with activist attorneys general and state legislatures already promoting (and passing) new data protection legislation such as the California Consumer Privacy Act. No one can predict all the consequences, but we can be certain that if the sensitive information sought by the act becomes public, there’s simply no going back.

Whether or not the act becomes law, its underlying premise that “data” is an asset in its own right has other important implications. Viewed from this perspective, data assets may be licensed, purchased, processed and shared for any number of commercial and other activities. However, data is governed by its own unique and rapidly growing body of laws and regulations that did not exist a few years — or even a few months — ago. Current models for monetizing other intangible assets, such as intellectual property, may fail to take these new developments into account.

In the midst of legal uncertainty, commercial and business activities involving data continue apace across our economy. The private sector allocates the risks associated with commercializing data every day from scope of use issues to data breach liability and everything in between. In fact, there’s a distinct possibility that the development of commercial norms surrounding data and risk allocation may outstrip the pace of legislation or significantly influence its future course. There’s no doubt that when it comes to data assets, different rules apply and they’re changing every day.

 What You Should Do Now

 Be Alert

The ultimate fate of the act is not clear, but the concept of data as a discrete asset with economic value is not disappearing from the public or legislative landscape. In particular, states are promulgating laws governing data privacy and security at an unprecedented pace (dozens in the last 24 months), covering far more entities than the act.

The CCPA, for example, sets the bar for coverage at $25 million in revenue or meeting threshold amounts of data under management, and the pending New York Privacy Act covers any legal entity that conducts business in New York state or produces products or services that “intentionally target” New York State residents with no financial or data standard.

Coverage under Europe’s General Data Protection Regulation, which strongly influenced the CCPA, the NYPA and other legislation in the U.S., is independent of the size of the company or the amount of data it holds. In other words, the act’s focus on tech behemoths does not preclude others from replicating the key concepts and applying them to a broad range of companies.

Stay Ahead of the Curve With Your Users

It’s a truism in some circles that data is the centerpiece of the digital economy, but the users that deliver that commodity may benefit from some attention now. Stay ahead of the trend by offering your users enhanced transparency regarding their data, and ensure that your public facing terms and policies are user friendly and easy to access. Taking reasonable steps now to encourage loyalty may mitigate the impact of future laws on user retention and your business.

Acknowledge Data as a Valuable Asset in Your Business Portfolio

  • Know, understand and implement the new laws and regulations that impact your licensing, purchasing, sharing and monetizing of data in all areas of your business.
  • Ensure that key personnel are appropriately trained with the legal, technical and business resources necessary to obtain, protect and capitalize data assets.
  • Respect and preserve data assets with the same care and attention as any other material asset of your business.

WSG's members are independent firms and are not affiliated in the joint practice of professional services. Each member exercises its own individual judgments on all client matters.

HOME | SITE MAP | GLANCE | PRIVACY POLICY | DISCLAIMER |  © World Services Group, 2019