The following is derived from remarks made by Lisa J. Sotto at the Second Annual NetDiligence® Cyber Risk and Privacy Liability Forum, produced by HB Litigation Conferences.

It is not hyperbole to say that everything has changed in the last five years with regard to privacy and data security.  A decade ago we had very few laws in this space.  Now we have literally hundreds at the state level and several at the federal level.

At the state level we can put the changes into three categories:  policy, statutory and enforcement.

On the policy side, we are seeing a lot of new players surfacing in this space.  The Department of Commerce, for example, which was dormant for about 10 years on this issue, has entered the fray in the last year in a very big way.  The FTC which has always been active in this space is re-invigorating its efforts.  We’re now witnessing significant HHS activity, following a period of inactivity during the first nine years or so of HIPAA’s enactment.

At the state level we are seeing significant AG interest in this space.  From about 2005 to about 2008 or ‘09, I received only a handful of AG inquiries for breaches that we reported – and we’ve handled more than 800 breaches.  In the last year or two, we have been getting inquiries from state AGs in droves.  That doesn’t mean there are hundreds of enforcement actions, but there are many inquiries.

On the statutory side, we’re seeing a huge amount of activity.  In Congress, there are half a dozen or more bills on the privacy front, some of which are comprehensive, others of which are pinpointed.  On the state side, there is significant activity and there’s no question the states are leading the federal government by the nose.  The states are far ahead and they are able to act much more quickly than the federal government.

On the enforcement side, the federal government is very active in the privacy and data security space.  David Vladeck, the Director of Consumer Protection at the FTC, had said at the beginning of his tenure that he was going to bring more pure privacy cases and he wasn’t kidding.  He’s doing it and they’re coming in fast and furious.  We’re also seeing a significant amount of enforcement at the state level.


Lisa J. Sotto is the managing partner of the New York office of Hunton & Williams LLP, and her practice focuses on privacy, data security and records management issues. Lisa assists clients in identifying, evaluating and managing risks associated with privacy and information security practices of companies and third parties. She conducts all phases of online and offline privacy assessments and information security policy audits. Lisa advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA/FACTA, Privacy Act, security breach notification laws, and other U.S. state and federal privacy requirements (including HR rules), and global data protection laws (including those in the EU and Latin America). She drafts and negotiates contractual agreements concerning data uses, privacy and security. She also develops corporate records management programs, including policies, procedures, records retention schedules and training modules.

Lisa was rated “No. 1 privacy expert” for the past three consecutive years by Computerworld magazine. She also earned a Band 1 U.S. national ranking for Privacy & Data Security from Chambers and Partners. In addition, the firm’s Privacy & Information Management practice received a Band 1 U.S., UK and Global national ranking from Chambers USA in Privacy & Data Security. Lisa speaks frequently at conferences and seminars, testifies regularly before the U.S. Congress and other legislative and regulatory bodies, is the author of numerous treatises and articles, has been tapped to lead numerous committees and organizations, is sought after by media outlets and industry publications for her professional insights, and appears regularly on national television and radio news programs.