Eric Setterlund

Eric Setterlund serves as a co-chair of Bradley’s Cybersecurity and Privacy Practice Group. Eric has extensive experience with matters related to privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.

Eric has a strong understanding of the day-to-day management and maintenance of an enterprise privacy program, including the development and implementation of required policies, procedures, and customer notices. He has years of experience guiding clients through significant changes in the regulatory landscape of state, federal, and international privacy and data use laws, including HIPAA, 42 C.F.R. Part 2, ONC Information Blocking Rules, CMS Interoperability mandates, CCPA/CPRA, GDPR, PIPEDA, COPPA, CAN-SPAM, FCRA, TCPA, CPA, UCPA, CTDPA, VCDPA, FTC rules, data breach notification laws, and other U.S. and international privacy and data requirements.

In addition to his extensive program management experience, Eric has assisted clients with a variety of other compliance and transactional matters. He has broad experience in structuring and negotiating complex technology transactions and data sharing arrangements in the healthcare space, such as drafting and negotiating master services agreements (MSAs), software license agreements, software as a service (SaaS) agreements, professional services agreements, and data use agreements and advising clients on strategic outsourcing and offshoring initiatives. He also has assisted clients with the development of new products and services to ensure compliance with privacy laws, including helping clients with emerging technologies, such as artificial intelligence (AI), and other digitization and customer outreach efforts. Eric has significant experience helping clients prepare for privacy and security risk assessments and third-party audits.

Eric has helped numerous public and private clients across all industries investigate and respond to data breaches or significant cybersecurity events, including helping companies notify customers, the media, and state and federal regulators. He has helped clients develop and implement response plans and test their cybersecurity readiness to mitigate risk associated with future incidents. Eric also has successfully defended and represented clients in numerous investigations and complaints brought by federal and state regulators, including the Department of Health & Human Services’ Office of Civil Rights for alleged violations of HIPAA.

In addition, Eric is a member of Bradley’s Class Action Litigation team, focusing on privacy- and data breach-related class action matters. He has experience across all phases of civil litigation, including initial investigation, developing case strategy, drafting dispositive motions, working with experts, preparing for trial, and handling high-stakes appeals.

Eric is designated as an ANSI Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.