Photo of Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on cyber risks associated with mergers and transactions. Jena also advises a diverse array of clients on compliance with existing and emerging privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). She is a certified privacy professional through the International Association of Privacy Professionals (CIPP/US), for which she is a former KnowledgeNet Co-Chair.
Jena is a passionate advocate of diversity and inclusion. She currently serves as a board member of the Chicago chapter of Women in Law Empowerment Forum.


Some consumers may assume that a company owns the payment card-related information that it collects when it accepts payment cards (e.g., credit or debit cards). In order to process payment cards, however, a company typically must enter into a written contract with a payment processor or merchant-bank. Those contracts often specify that payment card-related

Amid the pandemic and the barrage of pandemic-related news, it has been easy to overlook the reports of a massive security incident that could potentially affect thousands of companies’ data. Beginning the week of December 7th, several prominent data breaches were reported by companies and government agencies, including the Department of Homeland Security.

Continue reading

Not specifically. While the CPRA will require businesses whose processing poses a “significant risk” to consumers’ privacy or security to conduct an annual risk assessment and submit it to the newly-created California Privacy Protection Agency, the CPRA does not require that businesses appoint a “Chief Privacy Officer” or similar individual responsible for compliance with the

The CCPA’s core requirements can be grouped broadly into three categories: (1) rights owed by businesses to Californians concerning their personal data, (2) data security breach risks and obligations, and (3) vendor management.

The CPRA expanded the scope of the first category – i.e., the rights conferred upon Californians concerning their personal data. Under the

Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information