Lisa chairs the firm’s top-ranked global privacy and cybersecurity practice and is the managing partner of the firm’s New York office.
She has received widespread recognition for her work in the areas of privacy and cybersecurity. Chambers USA 2016 quotes clients who call her work “outstanding,” noting that “she’s incredibly knowledgeable and incredibly practical in her approach, is cool and collected, and provides her client with much comfort in this area of the law.” Chambers Global 2016 quotes a client who calls her a "phenomenal lawyer," and another who describes her as the “queen of privacy.” Lisa was named among The National Law Journal’s “100 Most Influential Lawyers,” an honor bestowed on practicing attorneys who are making the biggest impact in the legal world.
A preeminent lawyer and dynamic problem solver, Lisa assists clients in identifying, evaluating and managing risks associated with privacy and data security practices. She advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA, VPPA, security breach notification laws, and other U.S. state and federal privacy and data security requirements (including HR rules), and global data protection laws (including those in the EU, Asia and Latin America). She provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness. Through our firm’s privacy and security in M&A transactions team, Lisa also guides clients on risks and potential liabilities associated with inadequate privacy and data security practices in high-stakes corporate transactions. She conducts all phases of online and offline privacy assessments and information security policy audits. She also develops corporate records management programs, including policies, records retention schedules and training modules.
Lisa has been rated the “No. 1 privacy professional” in all surveys by Computerworld magazine. She is recognized by Chambers and Partners as a “Star” performer (the highest honor) for privacy and data security—one of only two privacy lawyers in the United States to receive this distinguished ranking. Lisa also is recognized as a leading lawyer for cyber crime, data protection and privacy by The Legal 500 United States. In addition, Hunton & Williams’ privacy and cybersecurity practice has received the topmost national rankings in privacy and data security both from Chambers and Partners and The Legal 500.
Lisa speaks frequently at conferences, testifies regularly before US Congress and other legislative and regulatory agencies; is the author of numerous treatises and articles; has been tapped to lead several industry committees and organizations; is sought after by media outlets and industry publications for her professional insights; and appears regularly on national television and radio news programs. She is the editor and lead author of the Privacy and Cybersecurity Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business.
Appointed by Secretaries Johnson and Napolitano as Chair of the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (2012-present); previously served as Vice Chair (2005-2009).
Selected to represent the US Chamber of Commerce in Indonesia to present “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” a report prepared by Hunton & Williams and the Chamber.
Selected to advise the Serbian government on global data protection law and to draft the country's data security and breach notification laws. Sotto was sponsored by the USAID-funded Judicial Reform and Government Accountability Project.
Testified before US House of Representatives, “Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?”
Testified before US Department of Health & Human Services’ Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care.
Testified before CSIS Commission on Cyber Security for the 44th Presidency.
Briefed congressional staffers in preparation for data breach hearings held by the House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and in connection with drafting of a comprehensive privacy bill.
Selected to advise DHS’s Homeland Security Science and Technology Committee (HSSTAC) regarding Third Party Pre-Screening Program.
Selected by US Government Accountability Office to provide advice for a GAO study on data security breaches.
Selected by US Office of Management and Budget to participate in OMB analysis of DHS Privacy Office.
Routinely assists clients in developing policy positions regarding privacy and cybersecurity legislative and regulatory proposals both in the US and abroad.
Advises clients on FTC, OCR, SEC and state Attorney General (including Multistate Taskforce) investigations and enforcement actions for alleged data security and privacy violations.
Advises clients on managing FTC Consent Orders and CIDs in connection with data security incidents.
Advises major health care providers and health plans on all aspects of HITECH security breaches, including OCR and state enforcement.
Advises numerous major retailers, financial institutions and other companies on proactive cybersecurity readiness, including developing and conducting full-scale tabletop exercises for C-suite executives and boards of directors.
Since 2005, advised on over 1,000 cybersecurity and data breach incidents in the United States and abroad (extending to 78 countries), including many of the recent seminal events.
Advised global technology company and major global bank on massive cyber intrusions.
Advised well-known telecom manufacturer on extensive APT attack involving significant loss of intellectual property.
Advised numerous major retailers on security breaches resulting from criminal tampering of POS terminals, including FBI involvement, forensic investigations, breach notification and PR efforts.
Advised Texas State Comptroller in connection with well-known data security incident involving 3.5 million state workers.
Advised on extensive FTC investigation into mobile security issues.
Advised many multinational clients on EU-US Privacy Shield certification and annual recertification.
Counseled numerous technology companies (both as publishers and advertisers) on data collection and sharing issues (including online behavioral advertising and Big Data initiatives), collection and use of geolocation data, and EU-US Privacy Shield certification.
Advised global consumer goods company on addressable TV issues.
Counseled major consumer goods companies on privacy issues associated with the use of radio frequency identification (RFID) and data collection from mobile devices.
Advised multiple clients on employee monitoring and surveillance issues under federal, state and international laws, and prepared related policies (including BYOD).
Conducted comprehensive privacy and information security policy assessments of major US electric utility and retail and consumer goods companies, including extensive data flow mapping, remediation, and development and implementation of multiple privacy, information security and records management policies and procedures.
Advised client on compliance with the Privacy Act, including preparation of a System of Records Notice and Privacy Impact Assessment, in connection with significant new government mortgage program.
Served as HIPAA privacy counsel to large health care system, including over 40 hospitals and long-term care and assisted living facilities, and major academic medical center.
Developed and implemented comprehensive global records management program in over 100 countries for one of world's largest software companies (under court supervision), including preparation and implementation of policies and procedures, numerous records retention schedules, in-person and web-based training and audit program.
Editor and lead author, Privacy and Cybersecurity Law Deskbook (1,400-page treatise and annual updates), Second Edition, Aspen Publishers, Wolters Kluwer Law & Business, 2010-2016
Co-author, Cybersecurity and Data Breach, Bloomberg BNA Privacy & Data Security Portfolio Series, 2015
Co-author, Data Protection & Privacy, United States, Getting the Deal Through, 2014-2016
Co-author, Chapter 11 European Union Data Protection, Data Security and Privacy Law: Combating Cyberthreats, West, Thomson Reuters, 2010
Co-author, Data Security Handbook, ABA Section of Antitrust Law, 2008
Co-author, Privacy Primer: An Overview of Global Data Protection Laws, 2006
Bisnow Morning Brief NY, “16 Things You Need to Know This Morning” (Sotto interviewed), February 6, 2017
Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), “Privacy Piracy: Protect Your Privacy in the Information Age” (Sotto featured in 30-minute interview), July 25, 2016
Penn Law Podcast, New Threats to Privacy and Cybersecurity (Sotto interviewed), February 11, 2015
AskForbes Twitter Chat, What Companies Should Do When They’re Breached, August 26, 2014
Interview, Female Powerbrokers Q&A: Hunton & Williams’ Lisa Sotto, Law360, December 4, 2013
Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), Privacy Piracy: Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), June 3, 2013
Interview, Should There Be a “Right to be Forgotten” Online? (Sotto interviewed), com, May 10, 2013
Legal Trends Roundtable: Parts 1-5, 2013 The Year Ahead in Privacy and Data Security (Sotto interviewed), com, January-February 6, 2013
Privacy Law Expert: Many Companies Waiting for a Hack (Sotto interviewed), Bloomberg Law, November 1, 2012
Radio Television of Serbia, Data Protection Act Good (English translation) (Sotto interviewed), July 18, 2012
B92 (Serbian radio and television broadcaster), Careful Sharing Data (English translation) (Sotto interviewed), July 18, 2012
Privacy Bill of Rights: A Step Forward, “Can’t be a Back-Burner Issue,” Privacy Lawyer Argues (Sotto interviewed), March 20, 2012
Interview (podcast), Privacy Bill of Rights: Not Be-All, End-All, Security Media Group, February 24, 2012
Breach Response: The Legal View, Fast Action Can Save Reputation and Ensure Compliance (Sotto interviewed), com, December 15, 2011
Breach Response: Reputational Risk, Your Organization’s Name Hinges on Data Value and Security (Sotto interviewed), com, November 30, 2011
Law360, Q&A with Hunton & Williams’ Lisa Sotto (Sotto interviewed), November 4, 2011
KUCI 88.9 FM, Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), September 19, 2011
FoxLive.com, Is There Need for a Data Privacy Law? (Sotto interviewed), September 6, 2011
End to End Trust, Microsoft Corporation, regarding cross industry collaboration and a safer Internet (Sotto interviewed), September 2009
CNN’s American Morning, Privacy in the Obama Administration (Sotto interviewed), December 8, 2008
ClearChannel Radio, “Tech Talk with Craig Peterson,” regarding the use of RFID in health care (Sotto interviewed), March 4, 2006
Chair, US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, 2012-present; appointed to Committee by Secretaries Johnson, Napolitano, Chertoff and Ridge; Chair, Policy Subcommittee, 2010-2012; Committee Vice Chair, 2005-2009; Member, Cybersecurity Subcommittee, 2013-present (requiring Top Secret security clearance)
Co-chair, International Privacy Law Committee, New York State Bar Association, 2007-present
Chair, New York Privacy Officers Forum, 2007-present
Lead Advisor, DataGuidance US Panel of Experts, 2008-present
Member, Law and Ethics Advisory Board, SAI Global, 2005-present
Member, American Law Institute
Fellow, American Bar Foundation
Member, Board of Directors, International Association of Privacy Professionals, 2010-2015
Past Member, Board of Directors, Identity Theft Resource Center, 2010–2012
Awards & Recognition
Selected as Lawline’s Top 20 Women Faculty of 2016, April 18, 2017
Named among the 100 Most Influential Lawyers, National Law Journal, 2013
Recognized as a Leader in Privacy & Data Security, National; Star Individual (2013-2017) and Band 1 (2011-2012), Chambers USA and Chambers Global
Listed for Data Protection and Privacy 2009-2017, and for Cyber Law, 2014-2016, Legal 500 United States
Named among Incident Response 30, Cybersecurity Docket, 2016
Named among the 500 Leading Lawyers in America, Lawdragon, 2014-2016
Named among Cybersecurity & Data Privacy Trailblazers, National Law Journal, 2015
Named among 45 Regulatory & Compliance Trailblazers, National Law Journal, 2015
Named among the 75 Outstanding Women Lawyers, National Law Journal, 2015
Named among Attorneys Who Matter, Ethisphere Magazine, 2009, 2012, 2013, 2015
Voted Number 1 in all Computerworld polls of global privacy advisors
Named among Women in Law, Lawyer Monthly Magazine, 2017
Selected for Expert Guides’ “Best of the Best Expert Guide” as a Top 30 Privacy and Data Protection Practitioner Worldwide, 2017
Recognized as one of the world’s leading practitioners in The International Who’s Who of Information Technology Lawyers 2011-2016, Who’s Who Legal, ABA Section of International Law and the International Bar Association
Selected as a Super Lawyer for Technology Transactions, New York Super Lawyers magazine, 2006-2016. Also selected as one of The Top Women Attorneys for Information Technology/Outsourcing in the New York Metro Area, Super Lawyers, A description of the selection methodology can be found on Super Lawyers’ webpage.
Honoree, Empire State Counsel Program, New York State Bar Association, Pro Bono Affairs, 2011, 2014
2000 Champion of Justice Award, New York City Bar Association, 2000
Certified Information Privacy Professional/United States (CIPP/US and CIPM), International Association of Privacy Professionals
Fellow of Information Privacy, International Association of Privacy Professionals
Speaker, Cyber Risks and the Impact on Global Companies, Hunton & Williams LLP’s IT/Procurement Leadership Forum, New York, June 23, 2015
Speaker, ILO Corporate Counsel Congress, Cyber Security: A How-to Guide, June 11, 2015
Speaker, PLI’s 16th Annual Institute on Privacy and Data Security Law: The Latest Developments in Cybersecurity, June 9, 2015
Chair, PLI’s 16th Annual Institute on Privacy and Data Security Law, June 8-9, 2015
Speaker, ABA Joint Committee on Employee Benefits: Dealing with Cybersecurity Threats and Breaches, May 28, 2015
Speaker, Cyber Insurance: Addressing Your Risks and Liabilities, CT Corporation Webinar, May 6, 2015
Speaker, EEI Cybersecurity Law Conference, Cybersecurity: A How-To Guide, April 23, 2015
Speaker, Financial Services Cybercrime Forum, Ernst & Young, April 16, 2015
Speaker, Data Localization, ABA’s 63rd Antitrust Spring Meeting, April 15, 2015
Invited to brief Thai and Myanmar government officials on global privacy and data security law, April 13, 2015
Speaker, Blue Cross Blue Shield Association, Cybersecurity Threats and Solutions, February 13, 2015
Speaker, Cybersecurity Executive Panel, Live Cyber Attack Scenario, February 12, 2015
Speaker, Nonprofit General Counsel Consortium, The Latest Developments in Cybersecurity, February 6, 2015
Speaker, 2014 Key Considerations for Board and Audit Committee Members, Surviving a Cybersecurity Breach: A “Real-Life” Simulation, PricewaterhouseCoopers, December 9, 2014
Speaker, Cybercrime 2020: The Future of Online Crime and Investigations, Georgetown University Law Center, December 4, 2014
Speaker, Data Privacy & Security Are Front and Center in Litigation News, Georgetown Advanced eDiscovery Institute, November 20, 2014
Speaker, Cybersecurity: NIST Standards and Emerging Best Practices, Federal Reserve Conference: The Payments System Risk Symposium, November 19, 2014
Speaker, Cybersecurity Executive Panel: Learn Best Practices from a Live Cyber Attack Scenario, November 18, 2014
Speaker, 2014 NJ United States Attorney’s Computer Crime and Intellectual Property Symposium, November 13, 2014
Speaker, Security Standards and Guidelines: What they mean for Risk Managers and Underwriters, Advisen’s New York Cyber Risk Conference, October 28, 2014
Speaker, Cyber Policy and Legal Environment, 2014 EEI Cybersecurity Law Conference, October 24, 2014
Speaker, Cyber Security: Is your Business Prepared for Attack and Recovery?, Fairfax Chamber Capital One Cyber Forum, October 16, 2014
Speaker, Protecting Client and Law Firm Information: Threats from Carelessness to the People’s Liberation Army, Aon Risk Solutions Symposium, October 15, 2014
Speaker, Covering Your Assets: Cybersecurity, Privacy & the Corporate Secretary, Society of Corporate Secretaries & Governance Professionals’ Conference on Corporate Governance in a Volatile World, October 9, 2014
Speaker, The Latest Developments in Cyber Security, NY/NJ Metropolitan Joint Cyber Security Conference, October 7, 2014
Speaker, A Focus on State and Federal Cybersecurity Legal Regimes, Texas General Counsel Forum, October 1, 2014
Speaker, Getting Your Privacy House in Order, Washington Metropolitan Area Corporate Counsel Association (WMACCA) September 16, 2014
Speaker, Cyber Attack Tabletop - Are You Ready?, PLI’s Cybersecurity 2014: Managing the Risk, September 10, 2014
Chair, PLI’s Cybersecurity 2014: Managing the Risk, September 10, 2014
Speaker, Cybersecurity 2014: The Impact on Global Companies, The Network, August 14, 2014
Speaker, Cyber Security: Regulatory Update and Litigation, American Law Institute, July 17, 2014
By collecting this information, we learn how to best tailor this site to our visitors. To learn more, view our