Jeewon Kim Serrato

Head of Data Protection, Privacy and Cybersecurity, United States
Norton Rose Fulbright US LLP

San Francisco
United States
T:+1 628 231 6809

Jeewon Kim Serrato is Norton Rose Fulbright's US Head of Data Protection, Privacy and Cybersecurity. She advises global companies, financial services institutions and public entities on cutting-edge issues at the intersection of technology and law. Globally recognized for her unique background, having served in both government and business positions, Jeewon is regularly called upon by her clients to assist in the design and execution of complex global compliance programs, negotiation of cross-border M&A deals, and advice in high-stakes investigation and dispute matters. Jeewon helps companies create enterprise-wide privacy programs from the ground up, assists in testing critical vulnerabilities and performs risk assessments. Having handled and managed hundreds of data breach incidents and internal investigations, she also works with companies to prepare crisis management policies and data breach response plans.

Before joining the private sector, Jeewon served as Chief Privacy Officer of Fannie Mae and head privacy executive for RELX Group (formerly Reed Elsevier), where she led, implemented and tested the organizations' privacy program and data protection strategies. She currently serves on the US Department of Homeland Security Data Privacy and Integrity Advisory Committee and on the California Lawyers Association's Antitrust, UCL & Privacy Section Executive Committee. Jeewon is a Certified Information Privacy Professional and holds a US Secret Clearance. Jeewon was named a 2017 Cybersecurity Trailblazer by the National Law Journal and recognized in Cybersecurity Docket's "Incident Response 30", a list of the 30 best and brightest data breach response lawyers.  She is an active member of the International Association of Privacy Professionals (IAPP) and is a co-author of the IAPP publication, Data Processing Agreements: Coordination, Drafting and Negotiation (2019) and an editor for the IAPP California Consumer Privacy Act training.

Jeewon began her career working on issues relating to counterterrorism, the use of data by law enforcement and intelligence agencies and the balance between privacy and security. Upon graduation from law school, she served for two years as legislative counsel to members of the U.S. House of Representatives, during which she managed a portfolio including the reauthorization of the PATRIOT Act, the use of the National Security Letters and wireless surveillance, Secure America and Orderly Immigration Act and other homeland security-related bills, and crisis management issues including pandemic flu preparedness. She continued to provide advice relating to homeland security and public safety issues at a Washington, D.C. law firm, where she served as lead counsel to a major telecom carrier in over 90 mediations with public safety agencies nationwide to improve wire and radio interoperability for first responders, which was a post 9/11 top priority of the Federal Communications Commission's Public Safety and Homeland Security Bureau.

Jeewon continued to work on technology projects that have an impact on data and consumer privacy by next serving as the top-level executive in charge of privacy at RELX Group (formerly Reed Elsevier) where she oversaw product design and data use policies for over 500 e-commerce and mobile products globally. Her practice focuses on helping companies navigate complex regulatory frameworks, spanning from US consumer protection laws to the European Union General Data Protection Regulation, as well as data ownership and onward transfer of data issues. Jeewon has experience designing enterprise-wide policies and programs in 60 countries and is a thought leader and frequent speaker at industry conferences, including IAPP, RSA and ACC. 

In addition to her product, regulatory compliance and transactional experience, Jeewon has handled over 600 data security incidents over the course of her career and has experience designing and implementing consumer disputes processes for companies globally. She has extensive experience helping her clients with proactive cyber risk management, drafting crisis management plans, and testing incident response protocols.

Professional experience


JD, University of California, Berkeley School of Law
BA, University of California, Berkeley
International Program of Political Science and Social Sciences, Institut D'Etudes Politiques de Paris

  • California State Bar
  • District of Columbia Bar
  • Acted as Chief Privacy Officer for a major US financial services institution, in charge of the enterprise program for all data protection, privacy and cybersecurity risks
  • Handled and managed over 600 information security incidents, including attacks involving nation state actors and insider threat issues
  • Developed incident response programs, and drafted, implemented and tested incident response plans for companies in a variety of industries, including financial services.
  • Developed and conducted training for various levels of employees, including legal, IT, IS, business lines, marketing departments, and senior management and boards on cyber security risks.
  • Provided product counseling and regulatory advice related to 500 e-commerce products and 20 mobile apps globally
  • Experience overseeing a 150-person consumer dispute and data accuracy complaints center which handled over 20,000 inquiries per year
  • Experience advising a major industrial company about notice and consent laws in 60 countries related to an M&A transaction
  • Experience working on over 4,000 GDPR-related contracts and data transfer agreements
  • Legal 500 US, recommended lawyer, General Commercial Disputes, The Legal 500, 2019
  • Cybersecurity Trailblazer, National Law Journal, 2017
  • "Incident Response 30," Cybersecurity Docket, 2018
  • "Future trends in law and business," Panel discussion, San Francisco, April 25, 2019
  • "How to Engineer Privacy Rights in the World of Artificial Intelligence," RSA Conference, San Francisco, April 18, 2018
  • "Negotiating Data Processing Agreements," International Association of Privacy Professionals Privacy Bar Section Forum 2018, Washington, DC, March 29, 2018
  • "NHTSA's Response to Hacking," KPMG's 7th Annual Automotive Executive Forum at the 2016 Los Angeles Auto Show, Los Angeles, Nov. 19, 2017
  • "Cyber Security: What In-House Lawyers Need to Know," The Lawyer's In-House Counsel as Business Partner 2017 Conference, London, Nov. 5, 2017
  • "RegTech, FinTech and Surveillance - How will developments in technology impact compliance and litigation?," European Compliance and Legal Conference, London, Sept. 19-20, 2017
  • "The Emergence of Ransomware and Other Targeted Exploits: Prevention & Effective Response," Legalweek's Legaltech West Coast Conference, San Francisco, June 13, 2017
  • "Cybersecurity and Data Protection Issues in M&A Transactions," Transatlantic General Counsel Summit 2017, London, June 8, 2017
  • "Implementing Cyber Information Sharing," Financial Services Roundtable, Washington, DC, Feb. 24, 2016
  • Appointed to serve on the executive committee of the California Lawyer Association's antitrust, UCL and privacy section
  • Member, U.S. Department of Homeland Security Data Privacy and Integrity Advisory Committee Technology Subcommittee
  • Korean