
Lisa Sotto: pressing compliance as the ‘high priestess of privacy’

Lisa Sotto chairs the Global Privacy and Cybersecurity practice at the law firm Hunton Andrews Kurth LLP. (Ian Wagreich / U.S. Chamber of Commerce)

After spending the better part of 2018 preparing clients like Procter & Gamble and PepsiCo for significant requirements of the General Data Protection Regulation, Lisa Sotto has spent the last two years making sure they comply.

Not even a pandemic has lessened the workload for Sotto, who now chairs the Global Privacy and Cybersecurity practice at the law firm Hunton Andrews Kurth LLP, where she’s a partner. In fact, she’s busier than ever as she helps clients navigate the California Consumer Privacy Act (CCPA) and prepare for the California Privacy Rights Act (CPRA) that expands the existing law.


When Sotto, a previous SC Women in Security Power Player and now an SC Media 2020 Veteran, first entered the space, privacy was fertile ground for women. Men, for whatever reason, were more than willing to concede to their female counterparts.

“Women have always had great numbers in privacy. That’s not true in cybersecurity,” says Sotto, although in the very early years of cyber, women were more involved. “The CEO would come around and ask who would take [security] on; women said, ‘I’ll do it,’” Sotto explains. “But now it’s male-dominated.”

Known as “the high priestess of privacy” and the “queen of the breach,” Sotto quickly moved up the ranks at Hunton and has distinguished herself as an adviser, both to clients and to government. She was appointed by three different Department of Homeland Security secretaries – Kirstjen Nielsen, Jeh Johnson and Janet Napolitano – to chair DHS’s Data Privacy and Integrity Advisory Committee from 2012 through today. Prior to that she was vice chair from 2005 to 2009.

Over the past few years, Sotto has seen “board members become more sophisticated,” which means they understand the business risk of data and privacy breaches and are more willing to pony up dollars.

She has also seen privacy move to the forefront and expects a “raft of bills” to come from states going forward. “Once state legislators start thinking about something other than COVID, we’ll see a spate of state legislation that looks like the CCPA,” says Sotto, pointing to bills that have emerged in Washington and Oregon.

She bemoans the U.S.’s missed opportunity to take the lead in privacy, instead giving the European Union's GDPR the space to become the benchmark. “It’s easy for other countries without resources to take GDPR and draft their own privacy law” based on it, she explains. “It became the iconic law.”

With the Privacy Act of 1974, the U.S. looked poised to lead in privacy. “We understood the concept early on, but we failed at the federal level,” she says.

The patchwork of state laws that are emerging – and the difficulties they will present for companies trying to comply – “will likely serve as the impetus to push through a law at the federal level,” she says, as will thorny privacy issues as biometric data is captured and IoT proliferates.

That should create plenty of opportunity for women to put their talents to good use. “Women are superb leaders when given the opportunity – they bring compassion and organizational skills,” she says. “They’re really good at pulling a team together.”
