Practice Expertise

  • Cloud Computing
  • Blockchain
  • Crisis Management
  • Corporate

Areas of Practice

  • Blockchain
  • Cloud Computing
  • Corporate
  • Crisis Management
  • AI, Metaverse, and Emerging Technologies
  • Blockchain and Digital Assets
  • Children’s Privacy
  • Cybersecurity Incidents
  • Data Breach
  • Energy Sector Security Team
  • European Data Protection and Privacy
  • FinTech
  • Global Economic Development, Commerce and ...
  • Global Economic Development, Commerce, and ...
  • Global Privacy and Cybersecurity
  • National Security
  • Privacy and Cybersecurity
  • Privacy and Data Security
  • Records Management
  • Retail
  • Sports and Entertainment
  • Unmanned Aircraft Systems
  • Unmanned Systems Group

Profile

Lisa chairs the firm’s top-ranked global privacy and cybersecurity practice and is the managing partner of the firm’s New York office.

Lisa has received widespread recognition for her work in the areas of privacy and cybersecurity. Chambers USA quotes clients who call her a “market leader,” noting that she is “widely considered the best.” Another client reported that “she is a strong leader with fantastic advice. She does great work on advisory boards and her leadership in the industry has really moved it forward.” Chambers and Partners honored Lisa with the 2021 Outstanding Contribution to the Legal Profession award, which is given to only one lawyer each year for exceptional achievements, and noted that a peer enthused, “Lisa Sotto is a legend.” Clients have called Lisa “the high priestess of privacy” and “the queen of breach.” She was named among The National Law Journal’s “100 Most Influential Lawyers,” an honor bestowed on practicing attorneys who are making the biggest impact in the legal world.

A preeminent lawyer and dynamic problem solver, Lisa assists clients in identifying, evaluating and managing risks associated with privacy and data security practices. She advises clients on the California Consumer Privacy Act of 2018 and other comprehensive state privacy laws, GLB, HIPAA and state health privacy laws, COPPA, CAN-SPAM, FCRA, VPPA, data breach notification laws, and other U.S. state and federal privacy and cybersecurity requirements (including HR rules), and global data protection laws (including those in the EU, Asia and Latin America). She provides extensive advice on cybersecurity risks, incidents and policy issues, including proactive cyber incident readiness. Through the firm’s privacy and security in M&A transactions team, Lisa also guides clients on risks and potential liabilities associated with inadequate privacy and data security practices in high-stakes corporate transactions. She conducts all phases of data privacy assessments and information security policy audits. She also develops corporate records management programs, including policies, records retention schedules and training modules.

Lisa has been rated the “No. 1 privacy professional” in all surveys by Computerworld magazine. She is recognized by Chambers and Partners as a “Star” performer (the highest honor) for privacy and data security—the only privacy lawyer in the United States to receive this distinguished ranking. She also is ranked among the leading lawyers in Band 1 for incident response. Lisa is recognized as a leading lawyer for cyber crime, data protection and privacy by The Legal 500 United States. In addition, Hunton Andrews Kurth’s privacy and cybersecurity practice has received the topmost national rankings in privacy and data security both from Chambers and Partners and The Legal 500.

Lisa speaks frequently at conferences, has testified regularly before the US Congress and other legislative and regulatory agencies, is the author of numerous treatises and articles, has been tapped to lead several industry committees and organizations, is sought after by media outlets and industry publications for her professional insights, and appears regularly on national television and radio news programs. She is the editor and lead author of the Privacy and Cybersecurity Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business.

Relevant Experience

  • Appointed by Secretaries Mayorkas, Nielsen, Johnson and Napolitano as Chair of the US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (2012-present); previously served as Vice Chair (2005-2009).
  • Testified in 2018 FTC Hearing on Competition and Consumer Protection in the 21st Century, focusing on the US framework related to consumer data security.
  • Testified before the European Commission and five EU Supervisory Authorities during the Annual Review of the EU-US Privacy Shield.
  • Selected by the European Commission and US Department of Commerce as one of a small group of 16 arbitrators in connection with the EU-US Privacy Shield Framework Binding Arbitration Program.
  • Selected to represent the US Chamber of Commerce in Brussels to present “Global Best Practices Around Data Breach Notification,” a report prepared by Hunton Andrews Kurth LLP and the Chamber.
  • Selected to represent the US Chamber of Commerce in Indonesia to present “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” a report prepared by Hunton Andrews Kurth LLP and the Chamber.
  • Selected as member of US government delegation to Brazil to brief Brazilian government officials on US privacy and cybersecurity policy.
  • Selected to advise Commissioner Shimpo of the Personal Information Protection Commission of Japan on US privacy and data security law.
  • Selected to advise the Serbian government on global data protection law and to draft the country’s data security and breach notification laws. Lisa was sponsored by the USAID-funded Judicial Reform and Government Accountability Project.
  • Testified before US House of Representatives, “Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?”
  • Testified before US Department of Health & Human Services’ Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care.
  • Testified before CSIS Commission on Cyber Security for the 44th Presidency.
  • Briefed congressional staffers in preparation for data breach hearings held by the House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and in connection with drafting of a comprehensive privacy bill.
  • Selected to advise DHS’s Homeland Security Science and Technology Committee (HSSTAC) regarding Third Party Pre-Screening Program.
  • Selected by US Government Accountability Office to provide advice for a GAO study on data security breaches.
  • Selected by US Office of Management and Budget to participate in OMB analysis of DHS Privacy Office.
  • Routinely assists clients in developing policy positions regarding privacy and cybersecurity legislative and regulatory proposals both in the US and abroad.
  • Advising over 80 clients on compliance with the California Consumer Privacy Act of 2018 (CCPA), California Privacy Rights Act of 2020 (CPRA) and other state privacy laws, including conducting due diligence, preparing gap analyses, developing remediation plans, and undertaking compliance projects.
  • Advises clients on FTC, OCR, SEC and state Attorney General (including Multistate Taskforce) investigations and enforcement actions for alleged data security and privacy violations.
  • Advises clients on managing FTC Consent Orders and CIDs in connection with data security incidents.
  • Advises major health care providers and health plans on all aspects of HITECH security breaches, including OCR and state enforcement.
  • Advises numerous major retailers, financial institutions and other companies on proactive cybersecurity readiness, including developing and conducting full-scale tabletop exercises for C-suite executives and boards of directors.
  • Since 2005, advised on over 3,000 cybersecurity and data breach incidents in the United States and abroad, including many of the world’s seminal events (such as the Colonial Pipeline ransomware incident and Yahoo! breaches affecting 3.5 billion user accounts).
  • Advised well-known telecom manufacturer on extensive APT attack involving significant loss of intellectual property.
  • Advised numerous major retailers on security breaches resulting from criminal tampering of POS terminals, including FBI involvement, forensic investigations, breach notification and PR efforts.
  • Advised Texas State Comptroller in connection with well-known data security incident involving 3.5 million state workers.
  • Advised many multinational clients on EU-US Data Privacy Framework and Privacy Shield certifications and annual recertifications.  
  • Counseled numerous technology companies (both as publishers and advertisers) on data collection and sharing issues (including online behavioral advertising and Big Data initiatives), and the collection and use of geolocation data.
  • Counseled major consumer goods companies on privacy issues associated with the use of radio frequency identification (RFID) and data collection from mobile devices.
  • Advised multiple clients on employee monitoring and surveillance issues under federal, state and international laws, and prepared related policies (including BYOD).
  • Conducted comprehensive privacy and information security policy assessments of major US electric utility and retail and consumer goods companies, including extensive data flow mapping, remediation, and development and implementation of multiple privacy, information security and records management policies and procedures. 
  • Served as HIPAA privacy counsel to large health care system, including over 40 hospitals and long-term care and assisted living facilities, and major academic medical center.
  • Developed and implemented comprehensive global records management program in over 100 countries for one of world's largest software companies (under court supervision), including preparation and implementation of policies and procedures, numerous records retention schedules, in-person and web-based training and audit program.  

Books

  • Editor and lead author, Privacy and Cybersecurity Law Deskbook (1,400-page treatise and annual updates), Aspen Publishers, Wolters Kluwer Law & Business, 2010-2024
  • Contributing editor and co-author, Data Protection & Privacy, United States, Getting the Deal Through, 2014-2021
  • Co-author, Navigating The Digital Age, The Definitive Cybersecurity Guide For Directors and Officers Vol. 3, Lessons From Today’s World, How to Manage a Data Breach, January 2021
  • Co-author, Cybersecurity and Data Breach, Bloomberg BNA Privacy & Data Security Portfolio Series, 2019
  • Co-author, Chapter 11 European Union Data Protection, Data Security and Privacy Law: Combating Cyberthreats, West, Thomson Reuters, 2010
  • Co-author, Data Security Handbook, ABA Section of Antitrust Law, 2008
  • Co-author, Privacy Primer: An Overview of Global Data Protection Laws, 2006

Media Appearances

  • Priestess of Privacy, Penn Law Journal (Sotto Featured), August 19, 2019
  • Thought Leaders in Privacy, DataGuidance (Sotto interviewed), May 1, 2017
  • Bisnow Morning Brief NY, “16 Things You Need to Know This Morning” (Sotto interviewed), February 6, 2017
  • Electronic Discovery Institute’s Distance Learning Initiative, Information Security 101 (Sotto interviewed), February 2017
  • Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), “Privacy Piracy: Protect Your Privacy in the Information Age” (Sotto featured in 30-minute interview), July 25, 2016
  • Mimesis Law’s Cy-Pher Executive Roundtable, What Do You Do With A Hacked Law Firm? (Sotto interviewed), June 10, 2016
  • Mimesis Law’s Cy-Pher Executive Roundtable, Are Law Firms Soft Targets For Hackers? (Sotto interviewed), May 23, 2016
  • CASE in POINT, “Understanding New Threats to Privacy and Cybersecurity” (Sotto interviewed), March 3, 2015
  • HuffPost Live, Regulator Warns of 'Cyber 9/11' Attacks on Banks (Sotto interviewed), March 2, 2015
  • AskForbes Twitter Chat, What Companies Should Do When They’re Breached, August 26, 2014
  • Interview, Female Powerbrokers Q&A: Hunton & Williams’ Lisa Sotto, Law360, December 4, 2013
  • Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), Privacy Piracy: Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), June 3, 2013
  • Interview, Should There Be a “Right to be Forgotten” Online? (Sotto interviewed), CBSnews.com, May 10, 2013
  • Legal Trends Roundtable: Parts 1-5, 2013 The Year Ahead in Privacy and Data Security (Sotto interviewed), BankInfoSecurity.com, January-February 6, 2013
  • Privacy Law Expert: Many Companies Waiting for a Hack (Sotto interviewed), Bloomberg Law, November 1, 2012
  • Radio Television of Serbia, Data Protection Act Good (English translation) (Sotto interviewed), July 18, 2012
  • B92 (Serbian radio and television broadcaster), Careful Sharing Data (English translation) (Sotto interviewed), July 18, 2012
  • Privacy Bill of Rights: A Step Forward, “Can’t be a Back-Burner Issue,” Privacy Lawyer Argues (Sotto interviewed), March 20, 2012
  • Interview (podcast), Privacy Bill of Rights: Not Be-All, End-All, Security Media Group, February 24, 2012
  • Breach Response: The Legal View, Fast Action Can Save Reputation and Ensure Compliance (Sotto interviewed), BankInfoSecurity.com, December 15, 2011
  • Breach Response: Reputational Risk, Your Organization’s Name Hinges on Data Value and Security (Sotto interviewed), BankInfoSecurity.com, November 30, 2011
  • Law360, Q&A with Hunton & Williams’ Lisa Sotto (Sotto interviewed), November 4, 2011
  • KUCI 88.9 FM, Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), September 19, 2011
  • FoxLive.com, Is There Need for a Data Privacy Law? (Sotto interviewed), September 6, 2011
  • End to End Trust, Microsoft Corporation, regarding cross industry collaboration and a safer Internet (Sotto interviewed), September 2009
  • CNN’s American Morning, Privacy in the Obama Administration (Sotto interviewed), December 8, 2008
  • ClearChannel Radio, “Tech Talk with Craig Peterson,” regarding the use of RFID in health care (Sotto interviewed), March 4, 2006

Bar Admissions

  • New York

Education
BA, Cornell University, History, distinction in all subjects

Areas of Practice

  • Blockchain
  • Cloud Computing
  • Corporate
  • Crisis Management
  • AI, Metaverse, and Emerging Technologies
  • Blockchain and Digital Assets
  • Children’s Privacy
  • Cybersecurity Incidents
  • Data Breach
  • Energy Sector Security Team
  • European Data Protection and Privacy
  • FinTech
  • Global Economic Development, Commerce and Government Relations Group
  • Global Economic Development, Commerce, and Government Relations Group
  • Global Privacy and Cybersecurity
  • National Security
  • Privacy and Cybersecurity
  • Privacy and Data Security
  • Records Management
  • Retail
  • Sports and Entertainment
  • Unmanned Aircraft Systems
  • Unmanned Systems Group

Professional Career

Significant Accomplishments
  • Named to The National Law Journal’s “100 Most Influential Lawyers” list (2013).
  • Appointed by Secretaries Johnson and Napolitano as Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (2012-present); previously served as Vice Chair (2005-2009)
  • Selected to represent the U.S. Chamber of Commerce in Indonesia to present “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” a report prepared by Hunton & Williams and the Chamber.
  • Selected to advise the Serbian government on global data protection law and to draft the country's data security and breach notification laws. Sotto was sponsored by the USAID-funded Judicial Reform and Government Accountability Project.
  • Editor and lead author of the Privacy and Data Security Law Deskbook, published by Aspen Publishers, Wolters Kluwer Law & Business.
  • Testified before U.S. House of Representatives, “Data Protection and the Consumer: Who Loses When Your Data Takes a Hike?”
  • Testified before U.S. Department of Health & Human Services’ Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics regarding RFID use in health care.
  • Testified before CSIS Commission on Cyber Security for the 44th Presidency.
  • Briefed Congressional staffers in preparation for data breach hearings held by the House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and in connection with drafting of comprehensive privacy bill.
  • Selected to advise DHS’s Homeland Security Science and Technology Committee (HSSTAC) regarding Third Party Pre-Screening Program
  • Selected by U.S. Government Accountability Office to participate in GAO study on data security breaches.
  • Selected by U.S. Office of Management and Budget to participate in OMB analysis of DHS Privacy Office.
  • Routinely assisting clients in developing policy positions regarding privacy and cybersecurity legislative and regulatory proposals both in the U.S. and abroad.
  • Advising multiple clients on FTC, OCR and state Attorney General investigations and enforcement actions for alleged data security violations.
  • Advising multiple clients on managing FTC Consent Orders and FTC CIDs and access letters in connection with data security incidents.
  • Advising numerous major health care providers and other health plans on all aspects of HITECH security breaches, including OCR and state enforcement.
  • Advised two major retailers on security breaches resulting from criminal tampering of POS terminals, including U.S. Secret Service involvement, forensic investigations, all aspects of breach notification and PR efforts.
  • Advised Texas State Comptroller in connection with well-known data security incident involving 3.5 million state workers.
  • Led HITECH Act breach notification effort for one of the largest PHI data breaches (1.2 million individuals).
  • Advised major retailers on well-known data breaches, including managing FTC and Canadian DPA response and investigation, and consumer notification issues.
  • Represented global leader in premium lifestyle products in FTC investigation regarding significant data security breach, including U.S. Secret Service involvement.
  • Advised over 900 companies (including health care companies, retailers, consumer goods companies, insurers, utilities and industrial manufacturers) on all aspects of information security breaches and developed media and consumer communications programs following breaches.
  • Advising numerous multinational clients on Safe Harbor certification and annual recertification.
  • Counseled several Web 2.0 companies on data collection and sharing issues, collection and use of geolocation data, and Safe Harbor certification.
  • Counseled major consumer goods companies on privacy issues associated with the use of radio frequency identification (RFID).
  • Advising numerous publishers and advertisers on online behavioral advertising issues.
  • Advising multiple clients on employee and visitor monitoring and surveillance issues under federal and state laws, and preparing related policies (including personal computing device issues).
  • Advising numerous clients on complex cloud computing solutions.
  • Advising numerous clients on compliance with Payment Card Industry Data Security Standard and preparation of related policies and procedures.
  • Advised multiple clients with FCRA and FACTA compliance.
  • Conducted comprehensive privacy and information security policy assessment of major U.S. electric utility.
  • Advised client on compliance with the Privacy Act, including preparation of a System of Records Notice and Privacy Impact Assessment, in connection with significant new government mortgage program.
  • Conducted full-scale consumer information privacy assessments for one of the world’s largest food companies and a Fortune 15 consumer goods company, including extensive data flow mapping, remediation, and development and implementation of multiple privacy, information security and records management policies and procedures.
  • Represented leading information provider in developing new, company-wide privacy, credentialing and compliance program.
  • Advising numerous clients on privacy requirements under GLB, HIPAA, HITECH and state law, and preparing related documentation.
  • Served as HIPAA privacy counsel to large health care system, including over 40 hospitals and long-term care and assisted living facilities, and major academic medical center.
  • Prepared HIPAA and HITECH policies and procedures (including training) for numerous employer-sponsored group health plans.
  • Developed and implemented comprehensive global records management program in over 100 countries for one of world's largest software companies, including preparation and implementation of policies and procedures, numerous records retention schedules, in-person and web-based training and audit program.
  • Outside counsel to leading U.S. mutual fund company, financial services provider and commercial and consumer finance company to develop omnibus records management program.
  • Outside counsel to major U.S. government agency on new initiative to develop agency-wide, comprehensive records management program.
  • Drafted numerous website Terms of Use. 

Books

  • Editor and Lead Author, Privacy and Data Security Law Deskbook (1,400-page treatise), Aspen Publishers, Wolters Kluwer Law & Business, 2010
  • Co-author, Chapter 11 European Union Data Protection, Data Security and Privacy Law: Combating Cyberthreats, West, Thomson Reuters, 2008
  • Co-author, Data Security Handbook, ABA Section of Antitrust Law, 2008
  • Co-author, Privacy Primer: An Overview of Global Data Protection Laws, 2006

Media Appearances

  • Interview, Female Powerbrokers Q&A: Hunton & Williams’ Lisa Sotto, Law360, December 4, 2013
  • Interview, Cybersecurity Risks and Legal Landscape, KUCI 88.9 FM (National Public Radio), Privacy Piracy: Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), June 3, 2013
  • Interview, Should There Be a “Right to be Forgotten” Online? (Sotto interviewed), CBSnews.com, May 10, 2013
  • Legal Trends Roundtable: Part 5, 2013 Legislation: Breach Notification, Attorneys: Pay Attention to Uptick in Global Regulation (Sotto interviewed), BankInfoSecurity.com, February 6, 2013
  • Legal Roundtable:  Part 4, Effective Breach Response, Attorneys: Don’t Take a One-Size-Fits-All Approach (Sotto interviewed), BankInfoSecurity.com, January 29, 2013
  • Legal Roundtable:  Part 3, Fraud Litigation:  Role of Regulation, Attorney: Courts Show Dependence on Guidance (Sotto interviewed), BankInfoSecurity.com, January 25, 2013
  • Legal Roundtable: Part 2, Will Regulators Dictate Privacy?  Attorneys Say Lack of U.S. Legislation Fuels Regulatory Action (Sotto interviewed), BankInfoSecurity.com, January 17, 2013
  • Legal Roundtable: Part 1, The “Hack Back” Offense, Legal Experts Weigh in on Hacking the Attackers (Sotto interviewed), BankInfoSecurity.com, January 11, 2013
  • Legal Trends Roundtable with Jeffrey Roman (Sotto interviewed), Information Security Media Group, November 20, 2012
  • Privacy Law Expert: Many Companies Waiting for a Hack (Sotto interviewed), Bloomberg Law, November 1, 2012
  • Radio Television of Serbia, Data Protection Act Good (English translation) (Sotto interviewed), July 18, 2012
  • B92 (Serbian radio and television broadcaster), Careful Sharing Data (English translation) (Sotto interviewed), July 18, 2012
  • Privacy Bill of Rights:  A Step Forward, “Can’t be a Back-Burner Issue,” Privacy Lawyer Argues (Sotto interviewed), March 20, 2012
  • Interview (podcast), Privacy Bill of Rights: Not Be-All, End-All, Security Media Group, February 24, 2012
  • Breach Response: The Legal View, Fast Action Can Save Reputation and Ensure Compliance (Sotto interviewed), BankInfoSecurity.com, December 15, 2011
  • Breach Response: Reputational Risk, Your Organization’s Name Hinges on Data Value and Security (Sotto interviewed), BankInfoSecurity.com, November 30, 2011
  • Law360, Q&A with Hunton & Williams’ Lisa Sotto (Sotto interviewed), November 4, 2011
  • KUCI 88.9 FM, Protect Your Privacy in the Information Age (Sotto featured in 30-minute interview), September 19, 2011
  • FoxLive.com, Is There Need for a Data Privacy Law? (Sotto interviewed), September 6, 2011
  • Bank Information Security Podcasts, Epsilon Breach: Risks and Lessons; Incident is a Wake-Up Call about Database Security Gaps (Sotto interviewed), April 5, 2011
  • Biggest Security & Privacy Topics of 2011, “We’re Still Learning How to Do Data Security Right” (Sotto interviewed), BankInfoSecurity.com, January 25, 2011
  • End to End Trust, Microsoft Corporation, regarding cross industry collaboration and a safer Internet (Sotto interviewed), September 2009
  • CNN’s American Morning, Privacy in the Obama Administration (Sotto interviewed), December 8, 2008
  • ClearChannel Radio, “Tech Talk with Craig Peterson,” regarding the use of RFID in health care (Sotto interviewed), March 4, 2006


Professional Associations
  • Chair, US Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, 2012-present; appointed to Committee by Secretaries Johnson, Napolitano, Chertoff and Ridge; Chair, Policy Subcommittee, 2010-2012; Committee Vice Chair, 2005-2009; Member, Cybersecurity Subcommittee, 2013-present (requiring Top Secret security clearance)
  • Co-chair, International Privacy Law Committee, New York State Bar Association, 2007-present
  • Chair, New York Privacy Officers Forum, 2007-present
  • Lead Advisor, DataGuidance US Panel of Experts, 2008-present
  • Member, Law and Ethics Advisory Board, SAI Global, 2005-present
  • Member, American Law Institute
  • Fellow, American Bar Foundation
  • Member, Board of Directors, International Association of Privacy Professionals, 2010-2015
  • Past Member, Board of Directors, Identity Theft Resource Center, 2010–2012

Professional Activities and Experience
  • Selected among New York County Lawyers Association’s Outstanding Women in the Legal Profession, December 11, 2017
  • Selected as Lawline’s Top 20 Women Faculty of 2016, April 18, 2017
  • Named among the 100 Most Influential Lawyers, National Law Journal, 2013
  • Recognized as a Leader in Privacy & Data Security, National; Star Individual (2013-2017) and Band 1 (2011-2012), Chambers USA and Chambers Global
  • Listed for Data Protection and Privacy 2009-2017, and for Cyber Law, 2014-2016, Legal 500 United States
  • Named among Incident Response 30, Cybersecurity Docket, 2016
  • Named among the 500 Leading Lawyers in America, Lawdragon, 2014-2016
  • Named among Cybersecurity & Data Privacy Trailblazers, National Law Journal, 2015
  • Named among 45 Regulatory & Compliance Trailblazers, National Law Journal, 2015
  • Named among the 75 Outstanding Women Lawyers, National Law Journal, 2015
  • Named among Attorneys Who Matter, Ethisphere Magazine, 2009, 2012, 2013, 2015
  • Voted Number 1 in all Computerworld polls of global privacy advisors
  • Named among Women in Law, Lawyer Monthly Magazine, 2017
  • Selected for Expert Guides’ “Best of the Best Expert Guide” as a Top 30 Privacy and Data Protection Practitioner Worldwide, 2017
  • Recognized as one of the world’s leading practitioners in The International Who’s Who of Information Technology Lawyers 2011-2018, Who’s Who Legal, ABA Section of International Law and the International Bar Association
  • Selected as a Super Lawyer for Technology Transactions, New York Super Lawyers magazine, 2006-2016. Also selected as one of The Top Women Attorneys for Information Technology/Outsourcing in the New York Metro Area, Super Lawyers. A description of the selection methodology can be found on Super Lawyers’ webpage.
  • Honoree, Empire State Counsel Program, New York State Bar Association, Pro Bono Affairs, 2011, 2014
  • 2000 Champion of Justice Award, New York City Bar Association, 2000
  • Certified Information Privacy Professional/United States (CIPP/US and CIPM), International Association of Privacy Professionals
  • Fellow of Information Privacy, International Association of Privacy Professionals


Articles

  • New Cyber Guidance on the Horizon—Be Prepared, LexisNexis Corporate Counsel Advisory
  • Strategic Information Management, BNA Privacy and Security Law Report
  • The Shifting Sands of Data Protection and Resulting Privacy Pitfalls, State Bar of Texas – 10th Annual Advanced In-House Counsel Course
  • Privacy & Data Security: The Future of the US-EU Safe Harbor, Practical Law
  • FTC’s Red Flags Rule: Delays Suggest Confusion on the Part of the Industry, Privacy & Data Security Law Journal
  • Sounding the Alert on Data Breaches, New York Law Journal
  • Maximillian Schrems v. Data Protection Commissioner, E-Commerce Law Reports, volume 15 Issue 5
  • Privacy Shield Redux: Looking Ahead to a New EU-U.S. Data Transfer Framework, CPO Magazine
  • Lisa Sotto Shares Insights on Cybersecurity, CCPA, Wolters Kluwer
  • Data Due Diligence in M&A Deals (Sotto featured), Corporate Secretary
  • Ransomware Attacks Raise Key Legal Considerations, Law360
  • How to Safeguard Privacy and Data Security in Corporate Transactions, Corporate Counsel
  • Navigating Privacy and Data Security Issues in M&A and Other Transactions, Bloomberg Law
  • Women in IT Security: Women of Influence (Sotto featured), SC Magazine
  • HITECH Breaches: A How-To Guide, BNA’s Health Law Reporter and Privacy & Security Law Report
  • Hottest Practice Area? (Sotto featured), Legal Bisnow
  • Online Behavioral Advertising: A User's Guide, IP Litigator
  • Where Calif. Privacy Law and Employee Benefits Data Collide, Law360
  • Data Protection & Privacy 2016, United States, Getting the Deal Through
  • Surviving an FTC Investigation After a Data Breach, New York Law Journal
  • Navigating The Digital Age, The Definitive Cybersecurity Guide For Directors and Officers Vol. 3, Lessons From Today’s World, How to Manage a Data Breach
  • The California Privacy Rights Act of 2020: CCPA Redux, Pratt’s Privacy & Cybersecurity Law Report
  • California: New year, new privacy policy: CCPA obligations and obstacles, OneTrust DataGuidance
  • Privacy and Cybersecurity Risks in the Metaverse: 5 Steps to Protect Your Data, Legaltech News
  • Women in IT Security: Where are They Now? (Sotto featured), SC Magazine
  • Lawyer Goes Into the Breach: Lisa Sotto Gets to the Bottom of Cyberattacks (Sotto featured), Crain’s New York Business
  • SEC Cybersecurity Investigations: A How-To Guide, Westlaw Journal: Securities Litigation & Regulation
  • The Move Toward a More Comprehensive Privacy Regime in the US (Sotto featured), Ernst & Young: 2012 Privacy Top Trends, Insights on IT Risk
  • The Boucher Bill: Shaping the Privacy Landscape in the U.S., Data Protection Law & Privacy
  • Preservation and Monitoring of Corporate Messaging, New York Law Journal
  • Privacy and Data Security Risks in Cloud Computing, BNA Electronic Commerce & Law Report
  • Notice and Choice Paradigm in the US: Shifting the Focus, Data Protection Law & Policy
  • EU-US Privacy Shield: A Path Forward, Corporate Compliance Insights
  • What Every U.S. Employer Should Know About Workplace Privacy (Parts One and Two), ALM’s Privacy & Data Protection Legal Reporter
  • Emerging Privacy Issues in Bankruptcy, New York Law Journal
  • Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity, Hunton & Williams and U.S. Chamber of Commerce
  • Data Protection & Privacy 2018, United States, Getting the Deal Through
  • Blockchain, Cybersecurity and Global Finance
  • Virginia and Colorado Add to the Evolving US Privacy Landscape, Retail Industry 2021 Year in Review
  • Privacy and Data Security in ESG, Corporate Counsel
  • NYDFS Proposes Updated Second Amendment to Its Cybersecurity Regulation, NYU Law’s Program on Corporate Compliance and Enforcement Blog
  • A New Era: The EU-U.S. Data Privacy Framework, Thomson Reuters’ Regulatory Intelligence
  • Data Breach! Correct Response Crucial, New York Law Journal
  • The EU-US Privacy Shield: A How-To Guide, Law360
  • California Legislature Passes Bill to Establish the Genetic Information Privacy Act, Pending Governor’s Signature, PLI Chronicle
  • Preventive Measures: Records and Information Management Companies Need to Take Steps to Comply with the Newly Adopted HIPAA Omnibus Rule, Storage & Destruction Business Magazine
  • Data Protection & Privacy 2019, United States, Getting the Deal Through
  • California Consumer Privacy Act and Its Impact, Los Angeles Business Journal
  • Data Protection & Privacy 2023, Introduction, Getting the Deal Through
  • A How-To Guide to Information Security Breaches, Privacy and Information Law Report, IAPP Privacy Advisor, BNA Privacy & Security Law Report
  • Legal Viewpoint: Critical Next Steps to Avoid Litigation, Notifying Law Enforcement, and Choosing Response Vendors, Symantec White Paper
  • Thought Leaders in Privacy, DataGuidance (Sotto interviewed)
  • Comment: Data Protection Outlook for 2011: A Global Discussion, Data Protection Law & Policy
  • The Lurking Dangers of Data Security (Sotto interviewed), Lodging Hospitality
  • The Queen of Breach: Privacy Expert Lisa Sotto Goes Public (Sotto featured), Super Lawyers
  • Technology: The privacy perils of mobile technology, InsideCounsel
  • Data Breach Resource Center
  • 2020 Retail Industry Year in Review
  • Board Oversight of Privacy and Cybersecurity Risk: Why Delaware Developments Matter, The Computer & Internet Lawyer
  • Data Protection & Privacy 2020, Introduction, Getting the Deal Through
  • Data Protection & Privacy 2022, Introduction, Getting the Deal Through
  • Data Protection & Privacy 2022, United States, Getting the Deal Through
  • President Biden’s Executive Order Enables Agencies to Address Key Artificial Intelligence Risks, Privacy & Cybersecurity Law Report
  • California Consumer Privacy Act and Its Impact on M&A Transactions, Deal Lawyers
  • Data Protection & Privacy 2019, Introduction, Getting the Deal Through
  • Data Protection & Privacy 2021, Introduction, Getting the Deal Through
  • Data Protection & Privacy 2023, USA, Getting the Deal Through
  • INSIGHT: Illinois Biometric Privacy Law Doesn’t Require Actual Injury—What’s Next?, Bloomberg Law
  • Cybersecurity Risks and Readiness for the Hotel Industry, GMBHA Allied Upgrade eNewsletter
  • Data Protection & Privacy 2020, United States, Getting the Deal Through
  • Data Protection & Privacy 2021, United States, Getting the Deal Through
  • INSIGHT: Six Flags Fingerprint Privacy Case Puts Illinois Biometric Law to Test, Bloomberg Law
  • Facebook pivots from facial recognition system following biometric privacy suit; more biometric privacy litigation on the horizon, Westlaw Today
  • Watch for the Expansion of BIPA Claims to New Use Cases and Jurisdictions, Pratt’s Privacy and Cybersecurity Law Report
  • Spokeo’s Impact and More, Westlaw Journal
  • The California Consumer Privacy Act is HERE: Are You Litigation Ready?, Cybersecurity Law & Strategy
  • Recent developments under BIPA: Examining Spokeo’s impact and more, Westlaw Journal Computer and Internet
  • California Consumer Privacy Act: A Sea of Change for Retailers, Chain Store Age
