Liisa M. Thomas

Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm's Privacy and Cybersecurity Team and Office Managing Partner of the firm's Chicago office. 

Areas of Practice

Liisa's clients rely on her ability to provide clarity in a sea of confusing legal requirements and describe her as "extremely responsive, while providing thoughtful legal analysis combined with real world practical advice." She is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data, praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law."

Liisa is known as an industry leader in the privacy and data security space and has been recognized by Best Lawyers in America, Leading Lawyers Network, Chambers and The Legal 500, as well as noted by leading publications and organizations for her "broad depth of privacy knowledge." Among other honors, she was named Lawyer of the Year – Privacy and Data Security 2022 by Best Lawyers; to Cybersecurity Docket's "Incident Response 30," honoring 30 incident response professionals critical to managing data breaches, in both 2016 and 2018; recognized as the 2017 "Data Protection Lawyer of the Year - USA" by Global 100; honored as the 2017 "U.S. Data Protection Lawyer of the Year" by Finance Monthly; and the recipient of the "Best in Data Security Law Services" at Corporate LiveWire’s 2017 Global Awards.

Liisa, who was born in Finland and previously lived in France, Egypt and Spain, frequently coordinates global efforts in the privacy area for her clients. Clients value her global insights and familiarity with business systems outside of the U.S. With Liisa’s assistance, her clients – which include major consumer brands, advertising agencies and consumer research companies – are able to navigate thorny data breach disclosure issues, use emerging interactive advertising techniques and create compliant security programs, all while effectively managing their legal risks. Clients praise Liisa’s ability to add real value to their businesses, and describe her as "keeping [clients] one step ahead of where [they] need to be."

Liisa is an active advocate of women and minorities in the legal industry and was honored for her leadership in the legal field by the Illinois Diversity Council. She is currently an adjunct professor in Northwestern University Law School where she is the recipient of the Edward Avery Harriman Law School Lectureship. She formerly taught privacy courses at several other Chicago-area law schools, including her alma mater, the University of Chicago. Liisa is the Vice-Chair of the Board of Trustees of the Chicago Symphony Orchestra, Chair of the CSO’s Negaunee Music Institute Board and plays violin in the Chicago Bar Association Symphony Orchestra, an orchestra made up of lawyers and judges.

Experience

Recent Privacy and Data Security Experience:

• Assisting clients with GDPR preparedness projects, including compliance assessments and implementation of remediation plans.
• Assessing the scope of possible breaches of personally identifiable information through use of forensic experts and extensive on-site due diligence.
• Creating data breach assessment and notification programs (both post-breach and pro-active pre-breach plans) for Fortune 100 companies.
• Assisting clients to develop e-mail marketing campaigns, text message campaigns, pre-recorded call campaigns and online information collection programs in compliance with CAN-SPAM and COPPA, among other laws.
• Developing internal policies for safeguarding personally identifiable information gathered online and from employees.
• Developing privacy compliance policies, procedures, monitoring programs and reporting plans.
• Training management on the requirements of the law, including those with respect to the maintenance and retention of employee records.
• Developing cross-border data transfer programs for multiple Fortune 100 and Fortune 500 companies.
• Helping a U.S.-based multinational corporation create binding corporate rules.

Honors

• Top Author, JD Supra Readers' Choice Awards, 2023
• Sheppard Mullin's Diversity and Inclusion Award, 2022
• Lawyer of the Year - Privacy and Data Security, Best Lawyers, 2022
• Best Lawyers in America, Best Lawyers, 2020-2023
• Named to Cybersecurity Docket's "Incident Response 40" (2021-2022) and "Incident Response 30" (2016, 2018), honoring the best and brightest data breach response lawyers in the business
• Notable Women in Law, Crain’s Chicago Business, 2020, 2022
• Legacy Award, Illinois Legal Aid Online, 2020
• The Legal 500 Hall of Fame – Cyber Law, Legal 500, 2020-2022
• Notable Minorities in Accounting, Consulting & Law, Crain’s Chicago Business, 2020
• Thought Leader on Cybersecurity, National Law Review, 2019
• Notable Women Lawyers, Crain's Custom Media, 2018
• Leading Lawyer, Cyber Law, Legal 500 USA, 2016-2021
• Leading Lawyer, Chambers Global, Privacy & Data Security, 2015-2023
• Leading Lawyer, Chambers USA, Nationwide Privacy & Data Security, 2014-2022
• Leading Lawyer, Chambers Illinois, Media & Entertainment: Transactional, 2013-2018
• Illinois Super Lawyer, Intellectual Property, Super Lawyers, 2006, 2018-2023
• Leading Lawyer, Leading Lawyers, 2016-2022
• Recommended Lawyer - Cyber Law, Legal 500, 2022
• Leading Woman Lawyer, Chicago Lawyer Magazine’s Diversity Issue, 2018
• "Data Protection Lawyer of the Year – USA," Global 100, 2017
• "U.S. Data Protection Lawyer of the Year," Finance Monthly, 2017
• "Best in Data Security Law Services," Corporate LiveWire’s Global Awards, 2017
• Recipient, National Law Journal's Cybersecurity Trailblazer Award, 2016
• Recipient, Lexology/ILO's Client Choice Award for IT and the Internet, 2016

Articles

Liisa has published extensively in the area of privacy and data security.  She is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification (Thomson Reuters, 2018), which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data (Thomson Reuters, 2021), praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law."  Liisa is also the editor of the firm’s eyeonprivacy.com blog, a recap of recent developments in the privacy and cyber space. A few of her more recent additional publications include:

• "CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data," February 22, 2022
• "Identifying and Preparing for Privacy and Cyber Security Risks," Risk & Compliance Magazine, July-Sept 2021 issue
• Co-Author, "Playing with Privacy? Privacy and Cybersecurity Considerations in Esports," esportsinsider, June 24, 2021
• "Changing the Conversation," Legal Management Magazine, June 16, 2021

• "How to Take a Holistic Approach to Privacy Compliance in an Ever-Changing Legal Landscape," Global Data Review, January 14, 2021

• "2020 Privacy Law Trends And How They Affect Compliance," Law360, December 22, 2020

• "3 Privacy Law Predictions For The New Year," Law360, January 1, 2020
• "4 Privacy Law Predictions for 2019," Law360, January 23, 2019
• Co-Author with A. Thomson, "From Panic to Pragmatism: De-Escalating and Managing Commercial Data Breaches," Cyber Security: A Peer Reviewed Journal, Vol. 2, No. 1, Summer 2018 issue
• "Dealing with US Biometric Laws and Litigation," Data Protection Leader, May 2018
• "USA - Behavioural Advertising," Data Guidance, May 8, 2017
• "CFPB Provides Guidance on Consumer Data Protection," Financial Regulation Journal, November 23, 2017

Covering Your Ads Blog 

• "FTC Increases Scrutiny of Negative Option Marketing," March 23, 2023

Esports and Games: Game Counsel

• "Video Games, AI, and …the Law?," April 28, 2022

Privacy & Cybersecurity: Eye on Privacy Blog

• "Colorado Privacy Law Regulations Finalized: Time to Review Information Practices," March 28, 2023
• "UK App Code Provides Privacy and Security Compliance Direction," February 9, 2023
• "CNIL Weighs in On GDPR Applicability to US Company," February 7, 2023
• "Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities," February 1, 2023
• "EU’s Initial Response to US Proposed Data Transfers Framework," December 22, 2022

• "Lessons From New York AG Scrutiny of Breach Investigation and Response," November 14, 2022

• "FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations," November 3, 2022

• "IAB Steps In State Signal Morass," October 25, 2022
• "Comparing and Contrasting the Opt Out Preference Signal Across States," October 24, 2022
• "State Comprehensive Privacy Laws: Status of the Regulations," October 20, 2022
• "EU To Review New EU-US Data Transfers Framework," October 10, 2022
• "Impact on Companies of California’s Children’s Privacy Law – Effective 2024," September 28, 2022
• "FTC Renews Focus on Dark Patterns," September 27, 2022
• "Children’s App Settles with CARU Over COPPA and Guideline Violation Allegations," August 25, 2022
• "NAD Examines Privacy Statements Made By DuckDuckGo in Online Ads," July 28, 2022
• "Preparing for US State Privacy Law Compliance: The Six Month Mark," July 25, 2022
• "Wegmans Settles With NYAG for $400,000 Over Data Incident," July 14, 2022
• "Privacy and Cybersecurity Training: Addressing Regulatory Concerns," July 12, 2022
• "UK ICO and NCSC Issue Caution About Making Ransomware Payments," July 11, 2022
• "What Should We Do About the Draft CPRA Regulations?: Choice," June 27, 2022
• "Maryland Amends Data Security and Breach Notice Obligations," June 22, 2022
• "FTC Weighs In On Data Breach Notification," June 16, 2022
• "FTC Continues Focus on Children’s Privacy," May 27, 2022
• "What’s the Big Deal About Dark Patterns?," May 25, 2022
• "Connecticut Fifth State to Pass a Comprehensive Privacy Law," May 12, 2022
• "Formation of CBPR Forum Signals Continued Movement," May 2, 2022
• "Arizona Expands Regulator Data Breach Notification Obligations," April 11, 2022
• "Indiana Breach Notification Law Amended, Changes Effective July 1, 2022," April 5, 2022
• "DAA Issues Warning On Device Fingerprinting," March 23, 2022
• "Keeping Both Eyes on Cybersecurity," March 22, 2022
• "FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources," March 15, 2022

Books

Media Mentions

Speaking Engagements

• Speaker, "Which Rights for Which Data? A Legal Take on the Big Data Landscape," INTA The Business of Data Conference, March 22, 2023
• Coffee Chat with Liisa Thomas
  Northwestern Law and Technology Initiative, July 12, 2022
• Panelist, “Legal trends to watch: from influencer missteps to privacy pitfalls,” Ad Age Next: CMO Conference, December 1, 2021
• Speaker and faculty, “Technotainment” 2021: Distributing Content Across Multiple Platforms, Practising Law Institute, September 17, 2021

Events

Memberships

• Training Advisory Board, International Association of Privacy Professionals (IAPP)

• Executive Committee of the Board of Trustees, Chicago Symphony Orchestra (CSO)
• Chair, Negaunee Music Institute Board, CSO
• Subcommittee Chair, INTA Building Bridges Committee, International Trademark Association
• Member, International Association of Privacy Professionals
• Member, Women’s Foodservice Forum
• Adjunct Professor, Northwestern University School of Law
• Member, Leading Lawyers Network
• Violinist, Chicago Bar Association Symphony Orchestra

Digital Media