Lisa J. Sotto chairs the firm’s top-ranked global privacy and cybersecurity practice and is the managing partner of the firm’s New York office. Lisa has received widespread recognition for her work in the areas of privacy and cybersecurity.
Chambers USA 2018 quotes clients who call her a “market leader,” noting that she is “widely considered the best.” Another client reported that “she is a strong leader with fantastic advice. She does great work on advisory boards and her leadership in the industry has really moved it forward.”
Clients have called Lisa “the high priestess of privacy” and “the queen of breach.” She was named among The National Law Journal’s “100 Most Influential Lawyers,” an honor bestowed on practicing attorneys who are making the biggest impact in the legal world.
A preeminent lawyer and dynamic problem solver, Lisa assists clients in identifying, evaluating and managing risks associated with privacy and data security practices. She advises clients on the California Consumer Privacy Act of 2018, GLB, HIPAA, COPPA, CAN-SPAM, FCRA, VPPA, security breach notification laws, and other U.S. state and federal privacy and data security requirements (including HR rules), and global data protection laws (including those in the EU, Asia and Latin America).
She provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness. Through the firm’s privacy and security in M&A transactions team, Lisa also guides clients on risks and potential liabilities associated with inadequate privacy and data security practices in high-stakes corporate transactions.
She conducts all phases of online and offline privacy assessments and information security policy audits. She also develops corporate records management programs, including policies, records retention schedules and training modules.
Lisa has been rated the “No. 1 privacy professional” in all surveys by Computerworld magazine. She is recognized by Chambers and Partners as a “Star” performer (the highest honor) for privacy and data security—the only privacy lawyer in the United States to receive this distinguished ranking.
Lisa also is recognized as a leading lawyer for cyber crime, data protection and privacy by The Legal 500 United States. In addition, Hunton Andrews Kurth’s privacy and cybersecurity practice has received the topmost national rankings in privacy and data security both from Chambers and Partners and The Legal 500.
Lisa speaks frequently at conferences, testifies regularly before the US Congress and other legislative and regulatory agencies, is the author of numerous treatises and articles, has been tapped to lead several industry committees and organizations, is sought after by media outlets and industry publications for her professional insights, and appears regularly on national television and radio news programs.
She is the editor and lead author of the Privacy and Cybersecurity Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business.
- Appointed by Secretaries Nielson, Johnson and Napolitano as Chair of the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (2012-present); previously served as Vice Chair (2005-2009).
- Testified in 2018 FTC Hearing on Competition and Consumer Protection in the 21st Century, focusing on the US framework related to consumer data security.
- Testified before the European Commission and five EU Supervisory Authorities during the Annual Review of the EU-US Privacy Shield.
- Selected by the European Commission and US Department of Commerce as one of a small group of 16 arbitrators in connection with the EU-US Privacy Shield Framework Binding Arbitration Program.
- Selected to represent the US Chamber of Commerce in Brussels to present “Global Best Practices Around Data Breach Notification,” a report prepared by Hunton Andrews Kurth LLP and the Chamber.
- Selected to represent the US Chamber of Commerce in Indonesia to present “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” a report prepared by Hunton Andrews Kurth LLP and the Chamber.
- Selected as member of US government delegation to Brazil to brief Brazilian government officials on US privacy and cybersecurity policy.
- Selected to advise Commissioner Shimpo of the Personal Information Protection Commission of Japan on U.S. privacy and data security law.
- Selected to advise the Serbian government on global data protection law and to draft the country’s data security and breach notification laws. Lisa was sponsored by the USAID-funded Judicial Reform and Government Accountability Project.
- Testified before US House of Representatives, “Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?”
- Testified before US Department of Health & Human Services’ Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care.
- Testified before CSIS Commission on Cyber Security for the 44th Presidency.
- Briefed congressional staffers in preparation for data breach hearings held by the House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and in connection with drafting of a comprehensive privacy bill.
- Selected to advise DHS’s Homeland Security Science and Technology Committee (HSSTAC) regarding Third Party Pre-Screening Program.
- Selected by US Government Accountability Office to provide advice for a GAO study on data security breaches.
- Selected by US Office of Management and Budget to participate in OMB analysis of DHS Privacy Office.
- Routinely assists clients in developing policy positions regarding privacy and cybersecurity legislative and regulatory proposals both in the US and abroad.
- Advising over 40 clients on compliance with the California Consumer Privacy Act of 2018 (CCPA), including conducting due diligence, preparing gap analyses, developing remediation plans, and undertaking compliance projects.
- Advises clients on FTC, OCR, SEC and state Attorney General (including Multistate Taskforce) investigations and enforcement actions for alleged data security and privacy violations.
- Advises clients on managing FTC Consent Orders and CIDs in connection with data security incidents.
- Advises major health care providers and health plans on all aspects of HITECH security breaches, including OCR and state enforcement.
- Advises numerous major retailers, financial institutions and other companies on proactive cybersecurity readiness, including developing and conducting full-scale tabletop exercises for C-suite executives and boards of directors.
- Since 2005, advised on over 1,600 cybersecurity and data breach incidents in the United States and abroad, including many of the world’s seminal events (such as the Yahoo! breaches affecting 3.5 billion user accounts).
- Advised well-known telecom manufacturer on extensive APT attack involving significant loss of intellectual property.
- Advised numerous major retailers on security breaches resulting from criminal tampering of POS terminals, including FBI involvement, forensic investigations, breach notification and PR efforts.
- Advised Texas State Comptroller in connection with well-known data security incident involving 3.5 million state workers.
- Advised many multinational clients on EU-US Privacy Shield certification and annual recertification.
- Counseled numerous technology companies (both as publishers and advertisers) on data collection and sharing issues (including online behavioral advertising and Big Data initiatives), collection and use of geolocation data, and EU-US Privacy Shield certification.
- Advised global consumer goods company on addressable TV issues.
- Counseled major consumer goods companies on privacy issues associated with the use of radio frequency identification (RFID) and data collection from mobile devices.
- Advised multiple clients on employee monitoring and surveillance issues under federal, state and international laws, and prepared related policies (including BYOD).
- Conducted comprehensive privacy and information security policy assessments of major US electric utility and retail and consumer goods companies, including extensive data flow mapping, remediation, and development and implementation of multiple privacy, information security and records management policies and procedures.
- Advised client on compliance with the Privacy Act, including preparation of a System of Records Notice and Privacy Impact Assessment, in connection with significant new government mortgage program.
- Served as HIPAA privacy counsel to large health care system, including over 40 hospitals and long-term care and assisted living facilities, and major academic medical center.
- Developed and implemented comprehensive global records management program in over 100 countries for one of world’s largest software companies (under court supervision), including preparation and implementation of policies and procedures, numerous records retention schedules, in-person and web-based training and audit program.
- Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), “Privacy Piracy: Protect Your Privacy in the Information Age” (Sotto featured in 30-minute interview), July 25, 2016
- Mimesis Law’s Cy-Pher Executive Roundtable, What Do You Do With A Hacked Law Firm? (Sotto interviewed), June 10, 2016
- Mimesis Law’s Cy-Pher Executive Roundtable, Are Law Firms Soft Targets For Hackers? (Sotto interviewed), May 23, 2016
- CASE in POINT, “Understanding New Threats to Privacy and Cybersecurity” (Sotto interviewed), March 3, 2015
- HuffPost Live, Regulator Warns of ‘Cyber 9/11’ Attacks on Banks (Sotto interviewed), March 2, 2015
- Co-author, Navigating The Digital Age, The Definitive Cybersecurity Guide For Directors and Officers Vol. 2, Lessons From Today’s World, How to Manage a Data Breach, July 2018
- Editor and lead author, Privacy and Cybersecurity Law Deskbook (1,400-page treatise and annual updates), Third Edition, Aspen Publishers, Wolters Kluwer Law & Business, 2010-2018
- Co-author, Cybersecurity and Data Breach, Bloomberg BNA Privacy & Data Security Portfolio Series, 2015
- JD, University of Pennsylvania Law School, Law Review, 1987
- BA, History, Cornell University, distinction in all subjects, 1984
- New York
- Chair, US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, 2012-present; appointed to Committee by Secretaries Nielson, Johnson, Napolitano, Chertoff and Ridge; Chair, Policy Subcommittee, 2010-2012; Committee Vice Chair, 2005-2009; Member, Cybersecurity Subcommittee, 2013-present (requiring Top Secret security clearance)
- Co-chair, International Privacy Law Committee, New York State Bar Association, 2007-present
- Chair, New York Privacy Officers Forum, 2007-present
- Lead Advisor, DataGuidance US Panel of Experts, 2008-present
- Member, Law and Ethics Advisory Board, SAI Global, 2005-present
- Member, American Law Institute
- Fellow, American Bar Foundation
- Member, Board of Directors, International Association of Privacy Professionals, 2010-2015
- Member, Board of Directors, Identity Theft Resource Center, 2010–2012
Rate : $$$$