Partner & Head, Privacy and Information Management Practice
New York
Phone: (212) 309-1223
Fax: (212) 309-1100

Practices
- Consumer Protection and Privacy
- eDiscovery and Cyber-Investigations Team
- Homeland Security Practice
- Internet & E-Commerce
- Privacy & Information Management
- Records Management
- Technology
Ms. Sotto is the Managing Partner of the New York office, and her practice focuses on privacy, data security and information management issues. She was rated "No. 1 privacy expert" in 2007 and 2008 by Computerworld magazine. She also earned a number one U.S. national ranking for Privacy & Data Security from Chambers and Partners. In addition, Hunton & Williams LLP's Privacy & Information Practice received a number one U.S. national ranking from Chambers in Privacy and Data Security.

Ms. Sotto assists clients in identifying, evaluating and managing risks associated with privacy and information security practices of companies and third parties. She conducts all phases of privacy assessments and information security policy audits. Ms. Sotto advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA/FACTA, the Privacy Act, security breach notification laws, and other U.S. state and federal privacy requirements (including HR rules); Canada's PIPEDA; and global data protection laws (including those in the EU and Latin America). She drafts and negotiates contractual agreements concerning data uses, security and confidentiality. She also develops corporate records management programs, including policies, procedures, records retention schedules, and training modules.
Relevant Experience
- Appointee (and former Vice Chairperson) of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, which advises the Secretary of DHS and its Chief Privacy Officer on privacy, data integrity and data interoperability matters.
- Testified before U.S. House of Representatives, Committee on Small Business, Subcommittee on Regulatory Reform and Oversight, "Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?"
- Testified before U.S. Department of Health & Human Services' Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care.
- Testified before CSIS Commission on Cyber Security for the 44th Presidency.
- Briefed Congressional staffers in preparation for data breach hearings held by the House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science & Technology.
- Requested by U.S. Government Accountability Office to participate in GAO study on data security breaches.
- Requested by U.S. Office of Management and Budget to participate in OMB analysis of DHS Privacy Office.
- Advising numerous clients in FTC and state investigations and enforcement actions for alleged data security violations.
- Advising multiple clients on responses to FTC Consent Order and FTC access letters in connection with data security incidents.
- Advised major retailer on significant data breach, including managing FTC and Canadian DPA response and investigation, and counseling on consumer notification issues.
- Advised global financial services firm on several significant security breaches, including U.S. and international notification, FTC and state agency investigations and negotiations, credit bureau issues, call center management, and interactions with senior management.
- Represent global leader in premium lifestyle products in FTC investigation regarding significant data security breach, including U.S. Secret Service.
- Advised numerous multinational clients on Safe Harbor certification.
- Advising numerous clients on compliance with Payment Card Industry Data Security Standard and preparation of related policies and procedures.
- Advised numerous clients on compliance with FCRA and FACTA.
- Advised client on compliance with the Privacy Act, including preparation of a System of Records Notice and Privacy Impact Assessment, in connection with significant new government mortgage program.
- Conducted comprehensive privacy and information security policy assessment of major U.S. electric utility.
- Conducted full-scale consumer information privacy assessment for one of the world's largest food companies, including extensive data flow mapping and development and implementation of multiple privacy, information security and records management policies and procedures.
- Conducted full-scale privacy assessment for Fortune 15 consumer goods company, including preparation of data flow maps; contractual privacy, confidentiality and information security provisions; multiple data disposition documents; numerous privacy notices, policies and procedures; and employee and vendor training materials.
- Conducted privacy assessment of online information practices of multi-national consumer goods company, including preparation of data flow maps, privacy notices, website Terms of Use and vendor analysis.
- Represented leading information provider in developing new, company-wide privacy, credentialing and compliance program.
- Advised numerous companies (including consumer goods company, retailer, insurer, U.S. energy company, leading health company and industrial manufacturer) on information security breach notification procedures and developed media and consumer communications programs following security breaches.
- Prepared numerous privacy policies, procedures and notices for online and offline clients in financial services, consumer goods, food, cosmetics, retail, publishing and health care industries.
- Advised numerous clients on onsite and offsite employer and visitor surveillance issues under federal and state laws.
- Led GLB legal compliance effort for major U.S. bank.
- Advised several global retailers on GLB security requirements, and prepared and negotiated contractual agreements with credit card issuers and issuing banks.
- Analyzed federal and state financial privacy laws in connection with stored value card programs for national telecommunications company and Fortune 15 consumer goods company.
- Advised major consumer goods companies on privacy issues associated with the use of radio frequency identification (RFID).
- Advised major multi-national client on data protection issues in Latin America.
- Developed and implemented comprehensive global records management program in over 100 countries for one of world’s largest software companies, including preparation and implementation of policies and procedures, numerous records retention schedules, in-person and web-based training and audit program.
- Developed and implemented company-wide records management programs for major U.S. consumer goods companies, including preparation of policies, procedures, guidelines and training modules concerning records security, retention and disposal.
- Developed comprehensive U.S. records management program for leading commercial and consumer finance company (with $50 billion in assets).
- Outside counsel to leading U.S. mutual fund company and financial services provider to develop omnibus records management program.
- Outside counsel to major U.S. government agency on new initiative to develop agency-wide, comprehensive records management program.
- Advising on state requests for information in connection with data breach incidents.
- Led full-scale HIPAA implementation project for major academic medical center, including data flow mapping, legal analyses, and preparation of related agreements, policies and procedures.
- Led project involving six health care privacy leaders to develop a prototype HIPAA "highlights" privacy notice that serves as HHS model for layered notice.
- Served as HIPAA privacy counsel to large health care system, including over 40 hospitals and long-term care and assisted living facilities.
- Advised health information aggregator on HIPAA and other privacy compliance issues and prepared various HIPAA-compliant agreements.
- Prepared HIPAA policies and procedures (including training) for numerous employer-sponsored group health plans.
- Advised numerous insurance clients on privacy requirements under GLB, HIPAA and state law, and prepared required documentation.
- Advised major health insurer on privacy requirements under GLB, HIPAA and state law concerning disclosure of health care information in class action litigation.
- Drafted and negotiated numerous website Terms of Use and non-disclosure agreements.
Membership
- Member, New York State Bar
- Member, District of Columbia Bar
- Appointee, Department of Homeland Security's Data Privacy and Integrity Advisory Committee, 2010
- Vice Chairperson, Department of Homeland Security's Data Privacy and Integrity Advisory Committee, 2005-2009
- Member, Board of Directors, International Association of Privacy Professionals, 2010 - 2015
- Co-chair, International Privacy Law Committee, New York State Bar Association, 2007 - present
- Chair, New York Privacy Officers Forum, 2007 to present
- Member, Law and Ethics Advisory Board, SAI Global, 2005 - present
- Member, Board of Editors, ALM's Privacy and Data Protection Legal Reporter, 2005 - 2006
- Past member, Information Technology Law Committee, New York City Bar Association
- Past Chair, Hunton & Williams New York Office Pro Bono Committee, 1994 - 2005
Treatises
- Author, Privacy and Data Security Law Deskbook, Aspen Publishers, Wolters Kluwer Law & Business, 07/10
- Co-author, Data Security Handbook, ABA Section of Antitrust Law, 2008
- Co-author, European Union Data Protection, Chapter 11 in West's Data Security and Privacy Law: Combating Cyberthreats, 2008
- Co-author, eDiscovery for Corporate Counsel, Thomson Reuters/West, 2008
- Co-author, Privacy Primer: An Overview of Global Data Protection Laws, prepared for the Mortgage Bankers Association (MBA), 02/07
Awards and Professional Recognition
- Named one of Ethisphere Magazine's 100 “2009 Attorneys Who Matter,” listing attorneys who "have risen to the top"
- Voted number 1 in 2007 and 2008 Computerworld poll of global privacy lawyers
- Individually ranked by Chambers as Band 1 in Privacy & Data Security
- Selected as New York Super Lawyer, 2006 - 2009
- Selected as Hunton & Williams' nominee for National Law Journal's "Most Influential Women Lawyers" award
- Appointee, Department of Homeland Security's Data Privacy and Integrity Advisory Committee, 2010
- Vice Chairperson, Department of Homeland Security's Data Privacy and Integrity Advisory Committee, 2005-2009
- Testimony before CSIS Commission on Cyber Security for the 44th Presidency, 04/28/08
- Testimony before U.S. House of Representatives, Committee on Small Business, Subcommittee on Regulatory Reform and Oversight, "Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?", 05/23/06
- Testimony before U.S. Department of Health & Human Services' Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care, 01/11/05
- Co-chair, PLI's Eleventh Annual Institute on Privacy and Data Security Law in New York City, 6/21-22/10
- Lead Advisor, DataGuidance U.S. Panel of Experts, 2008 to present
- Law and Ethics Advisor, SAI Global, 2008 to present
- Hunton & Williams' Privacy & Information Management Practice named first in Computerworld survey of law firm privacy practices, 2006, 2007 and 2008
- Hunton & Williams' Privacy and Information Management Practice ranked by Chambers as "Band 1" in Privacy & Data Security
- Invited to participate in the U.S. Department of Homeland Security's Top Officials (Top Off) 3 Full-Scale Exercise (2004), 2004
- Awarded 2000 Champion of Justice Award by the New York City Bar Association
Media Appearances
- Interview, Do You Know Where Your Data Is?, Corporate Governance, 03/09
- Interview, End to End Trust, Microsoft Corporation, regarding cross industry collaboration and a safer Internet, 09/09
- CNN's American Morning show, interview regarding privacy in the Obama Administration, 12/08/08
- Interview, "ReachMD" regarding HIPAA and physicians' use of text messaging, 01/24/08
- Interview, "Tech Talk with Craig Peterson," ClearChannel Radio, regarding the use of RFID in health care, 03/04/06
Education
- J.D., University of Pennsylvania Law School, Comment Editor, Law Review, 1987
- B.A., History, Cornell University, Distinction in All Subjects, 1984
Lisa Sotto