Lisa J. Sotto

Partner

Contact

  • New York
    p 212.309.1223
    f 212.309.1100

Lisa’s practice focuses on privacy and cybersecurity.

Named among The National Law Journal’s “100 Most Influential Lawyers,” Lisa is the managing partner of the firm’s New York office and her practice focuses on privacy and cybersecurity issues. She assists clients in identifying, evaluating and managing risks associated with their privacy and information security practices. Lisa advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA, VPPA, security breach notification laws, and other U.S. state and federal privacy and data security requirements (including HR rules), and global data protection laws (including those in the EU and Latin America). She provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness. She conducts all phases of online and offline privacy assessments and information security policy audits. Lisa drafts and negotiates contractual agreements concerning data uses, privacy and security. She also develops corporate records management programs, including policies, procedures, records retention schedules and training modules.

Lisa has been rated the “No. 1 privacy expert” for three consecutive years by Computerworld magazine. She is recognized by Chambers and Partners as a “Star” performer (the highest honor) for privacy and data security; she is one of only two privacy lawyers in the United States to receive this distinguished ranking. Lisa also is recognized as a leading lawyer by The Legal 500 United States for cyber crime, data protection and privacy. Lisa was named one of Ethisphere Magazine’s 2013 “Attorneys Who Matter,” listing approximately 100 attorneys who “have risen to the top.” In addition, Hunton & Williams’ Privacy and Cybersecurity practice received a Band 1 national ranking from Chambers USA in privacy and data security and a Tier 1 ranking by The Legal 500 United States. Lisa speaks frequently at conferences, testifies regularly before the U.S. Congress and other legislative and regulatory agencies, is the author of numerous treatises and articles, has been tapped to lead several industry committees and organizations, is sought after by media outlets and industry publications for her professional insights, and appears regularly on national television and radio news programs. She is the editor and lead author of the Privacy and Data Security Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business.

Relevant Experience

  • Named to The National Law Journal’s “100 Most Influential Lawyers” list.
  • Appointed by Secretaries Johnson and Napolitano as Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (2012-present); previously served as Vice Chair (2005-2009).
  • Selected to represent the U.S. Chamber of Commerce in Indonesia to present “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” a report prepared by Hunton & Williams and the Chamber.
  • Selected to advise the Serbian government on global data protection law and to draft the country's data security and breach notification laws. Sotto was sponsored by the USAID-funded Judicial Reform and Government Accountability Project.
  • Testified before U.S. House of Representatives, “Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?”
  • Testified before U.S. Department of Health & Human Services’ Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care.
  • Testified before CSIS Commission on Cyber Security for the 44th Presidency.
  • Briefed Congressional staffers in preparation for data breach hearings held by the House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and in connection with drafting of a comprehensive privacy bill.
  • Selected to advise DHS’s Homeland Security Science and Technology Committee (HSSTAC) regarding Third Party Pre-Screening Program.
  • Selected by U.S. Government Accountability Office to provide advice for a GAO study on data security breaches.
  • Selected by U.S. Office of Management and Budget to participate in OMB analysis of DHS Privacy Office.
  • Routinely assists clients in developing policy positions regarding privacy and cybersecurity legislative and regulatory proposals both in the U.S. and abroad.
  • Advises clients on FTC, OCR and state Attorney General (including Multistate Taskforce) investigations and enforcement actions for alleged data security and privacy violations.
  • Advises clients on managing FTC Consent Orders and FTC CIDs in connection with data security incidents.
  • Advises major health care providers and health plans on all aspects of HITECH security breaches, including OCR and state enforcement.
  • Advises numerous major retailers on proactive cybersecurity readiness, including running full-scale tabletop exercises for C-suite executives and Board committees.
  • Since 2005, advised on over 1,000 cybersecurity and data breach incidents in the U.S. and abroad (extending to 78 countries), including many of the seminal events of 2014.
  • Advised major global bank on massive cyber intrusion.
  • Advised well-known telecom manufacturer on extensive APT attack involving significant loss of intellectual property.
  • Advised two major retailers on security breaches resulting from criminal tampering of POS terminals, including U.S. Secret Service involvement, forensic investigations, all aspects of breach notification and PR efforts.
  • Advised Texas State Comptroller in connection with well-known data security incident involving 3.5 million state workers.
  • Led HITECH Act breach notification effort for one of the largest PHI data breaches (1.2 million individuals).
  • Advised retailers, high-tech leaders, health care companies, consumer goods companies, insurers, utilities and industrial manufacturers on all aspects of information security breaches and developed media and consumer communications programs following breaches.
  • Advising many multinational clients on Safe Harbor certification and annual recertification.
  • Counseled numerous high-tech companies (both as publishers and advertisers) on data collection and sharing issues (including online behavioral advertising and Big Data initiatives), collection and use of geolocation data, and Safe Harbor certification.
  • Advised global consumer goods company on addressable TV issues.
  • Counseled major consumer goods companies on privacy issues associated with the use of radio frequency identification (RFID) and data collection from mobile devices.
  • Advised multiple clients on employee monitoring and surveillance issues under federal and state laws, and prepared related policies (including BYOD).
  • Advised numerous clients on complex cloud computing solutions.
  • Advised numerous clients on compliance with the Payment Card Industry Data Security Standard and preparation of related policies and procedures.
  • Advised multiple clients on FCRA and FACTA compliance.
  • Conducted comprehensive privacy and information security policy assessments of major U.S. electric utility, one of the world’s largest food companies, major global retailer, Fortune 15 consumer goods company and others, including extensive data flow mapping, remediation, and development and implementation of multiple privacy, information security and records management policies and procedures.
  • Advised client on compliance with the Privacy Act, including preparation of a System of Records Notice and Privacy Impact Assessment, in connection with significant new government mortgage program.
  • Served as HIPAA privacy counsel to large health care system, including over 40 hospitals and long-term care and assisted living facilities, and major academic medical center.
  • Prepared HIPAA and HITECH policies and procedures (including training) for numerous employer-sponsored group health plans.
  • Developed and implemented comprehensive global records management program in over 100 countries for one of world's largest software companies (under court supervision), including preparation and implementation of policies and procedures, numerous records retention schedules, in-person and web-based training and audit program.
  • Outside counsel to leading U.S. mutual fund company, financial services provider, commercial and consumer finance company, numerous global retailers, and massive U.S. government agency to develop omnibus records management program.

Books

  • Editor and Lead Author, Privacy and Data Security Law Deskbook (1,400-page treatise and annual updates), Aspen Publishers, Wolters Kluwer Law & Business, 2010-2014
  • Co-author, Data Protection & Privacy 2015, United States, Getting the Deal Through, September 2014
  • Co-author, Chapter 11 European Union Data Protection, Data Security and Privacy Law: Combating Cyberthreats, West, Thomson Reuters, 2010
  • Co-author, Data Security Handbook, ABA Section of Antitrust Law, 2008
  • Co-author, Privacy Primer: An Overview of Global Data Protection Laws, 2006

Media Appearances

  • AskForbes Twitter Chat, What Companies Should Do When They’re Breached, August 26, 2014
  • Interview, Female Powerbrokers Q&A: Hunton & Williams’ Lisa Sotto, Law360, December 4, 2013
  • Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), Privacy Piracy: Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), June 3, 2013
  • Interview, Should There Be a “Right to be Forgotten” Online? (Sotto interviewed), CBSnews.com, May 10, 2013
  • Legal Trends Roundtable: Part 5, 2013 Legislation: Breach Notification, Attorneys: Pay Attention to Uptick in Global Regulation (Sotto interviewed), BankInfoSecurity.com, February 6, 2013
  • Legal Roundtable: Part 4, Effective Breach Response, Attorneys: Don’t Take a One-Size-Fits-All Approach (Sotto interviewed), BankInfoSecurity.com, January 29, 2013
  • Legal Roundtable: Part 3, Fraud Litigation: Role of Regulation, Attorney: Courts Show Dependence on Guidance (Sotto interviewed), BankInfoSecurity.com, January 25, 2013
  • Legal Roundtable: Part 2, Will Regulators Dictate Privacy? Attorneys Say Lack of U.S. Legislation Fuels Regulatory Action (Sotto interviewed), BankInfoSecurity.com, January 17, 2013
  • Legal Roundtable: Part 1, The “Hack Back” Offense, Legal Experts Weigh in on Hacking the Attackers (Sotto interviewed), BankInfoSecurity.com, January 11, 2013
  • Legal Trends Roundtable with Jeffrey Roman (Sotto interviewed), Information Security Media Group, November 20, 2012
  • Privacy Law Expert: Many Companies Waiting for a Hack (Sotto interviewed), Bloomberg Law, November 1, 2012
  • Radio Television of Serbia, Data Protection Act Good (English translation) (Sotto interviewed), July 18, 2012
  • B92 (Serbian radio and television broadcaster), Careful Sharing Data (English translation) (Sotto interviewed), July 18, 2012
  • Privacy Bill of Rights: A Step Forward, “Can’t be a Back-Burner Issue,” Privacy Lawyer Argues (Sotto interviewed), March 20, 2012
  • Interview (podcast), Privacy Bill of Rights: Not Be-All, End-All, Security Media Group, February 24, 2012
  • Breach Response: The Legal View, Fast Action Can Save Reputation and Ensure Compliance (Sotto interviewed), BankInfoSecurity.com, December 15, 2011
  • Breach Response: Reputational Risk, Your Organization’s Name Hinges on Data Value and Security (Sotto interviewed), BankInfoSecurity.com, November 30, 2011
  • Law360, Q&A with Hunton & Williams’ Lisa Sotto (Sotto interviewed), November 4, 2011
  • KUCI 88.9 FM, Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), September 19, 2011
  • FoxLive.com, Is There Need for a Data Privacy Law? (Sotto interviewed), September 6, 2011
  • Bank Information Security Podcasts, Epsilon Breach: Risks and Lessons; Incident is a Wake-Up Call about Database Security Gaps (Sotto interviewed), April 5, 2011
  • Biggest Security & Privacy Topics of 2011, “We’re Still Learning How to Do Data Security Right” (Sotto interviewed), BankInfoSecurity.com, January 25, 2011
  • End to End Trust, Microsoft Corporation, regarding cross industry collaboration and a safer Internet (Sotto interviewed), September 2009
  • CNN’s American Morning, Privacy in the Obama Administration (Sotto interviewed), December 8, 2008
  • ClearChannel Radio, “Tech Talk with Craig Peterson,” regarding the use of RFID in health care (Sotto interviewed), March 4, 2006