Liisa M. Thomas

Overview

Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm's Privacy and Cybersecurity Team and Office Managing Partner of the firm's Chicago office.

Areas of Practice

Liisa's clients rely on her ability to provide clarity in a sea of confusing legal requirements and describe her as "extremely responsive, while providing thoughtful legal analysis combined with real world practical advice." She is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data, praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law."

Liisa is known as an industry leader in the privacy and data security space and has been recognized by Best Lawyers in America, Leading Lawyers Network, Chambers and The Legal 500, as well as noted by leading publications and organizations for her "broad depth of privacy knowledge." Among other honors, she was named Lawyer of the Year – Privacy and Data Security 2022 by Best Lawyers; to Cybersecurity Docket's "Incident Response 30," honoring 30 incident response professionals critical to managing data breaches, in both 2016 and 2018; recognized as the 2017 "Data Protection Lawyer of the Year - USA" by Global 100; honored as the 2017 "U.S. Data Protection Lawyer of the Year" by Finance Monthly; and the recipient of the "Best in Data Security Law Services" at Corporate LiveWire’s 2017 Global Awards.

Liisa, who was born in Finland and previously lived in France, Egypt and Spain, frequently coordinates global efforts in the privacy area for her clients. Clients value her global insights and familiarity with business systems outside of the U.S. With Liisa’s assistance, her clients – which include major consumer brands, advertising agencies and consumer research companies – are able to navigate thorny data breach disclosure issues, use emerging interactive advertising techniques and create compliant security programs, all while effectively managing their legal risks. Clients praise Liisa’s ability to add real value to their businesses, and describe her as "keeping [clients] one step ahead of where [they] need to be."

Liisa is an active advocate of women and minorities in the legal industry and was honored for her leadership in the legal field by the Illinois Diversity Council. She is currently an adjunct professor in Northwestern University Law School where she is the recipient of the Edward Avery Harriman Law School Lectureship. She formerly taught privacy courses at several other Chicago-area law schools, including her alma mater, the University of Chicago. Liisa is the Vice-Chair of the Board of Trustees of the Chicago Symphony Orchestra, Chair of the CSO’s Negaunee Music Institute Board and plays violin in the Chicago Bar Association Symphony Orchestra, an orchestra made up of lawyers and judges.

Experience

Recent Privacy and Data Security Experience:

Assisting clients with GDPR preparedness projects, including compliance assessments and implementation of remediation plans.
Assessing the scope of possible breaches of personally identifiable information through use of forensic experts and extensive on-site due diligence.
Creating data breach assessment and notification programs (both post-breach and pro-active pre-breach plans) for Fortune 100 companies.
Assisting clients to develop e-mail marketing campaigns, text message campaigns, pre-recorded call campaigns and online information collection programs in compliance with CAN-SPAM and COPPA, among other laws.
Developing internal policies for safeguarding personally identifiable information gathered online and from employees.
Developing privacy compliance policies, procedures, monitoring programs and reporting plans.
Training management on the requirements of the law, including those with respect to the maintenance and retention of employee records.
Developing cross-border data transfer programs for multiple Fortune 100 and Fortune 500 companies.
Helping a U.S.-based multinational corporation create binding corporate rules.

Honors

Sheppard Mullin's Diversity and Inclusion Award, 2022
Lawyer of the Year - Privacy and Data Security, Best Lawyers, 2022
Best Lawyers in America, Best Lawyers, 2020-2023
Named to Cybersecurity Docket's "Incident Response 40" (2021-2022) and "Incident Response 30" (2016, 2018), honoring the best and brightest data breach response lawyers in the business
Notable Women in Law, Crain’s Chicago Business, 2020, 2022
Legacy Award, Illinois Legal Aid Online, 2020
The Legal 500 Hall of Fame – Cyber Law, Legal 500, 2020-2022
Notable Minorities in Accounting, Consulting & Law, Crain’s Chicago Business, 2020
Thought Leader on Cybersecurity, National Law Review, 2019
Notable Women Lawyers, Crain's Custom Media, 2018
Leading Lawyer, Cyber Law, Legal 500 USA, 2016-2021
Leading Lawyer, Chambers Global, Privacy & Data Security, 2015-2022
Leading Lawyer, Chambers USA, Nationwide Privacy & Data Security, 2014-2022
Leading Lawyer, Chambers Illinois, Media & Entertainment: Transactional, 2013-2018
Illinois Super Lawyer, Intellectual Property, Super Lawyers, 2006, 2018-2022
Leading Lawyer, Leading Lawyers, 2016-2022
Recommended Lawyer - Cyber Law, Legal 500, 2022
Leading Woman Lawyer, Chicago Lawyer Magazine’s Diversity Issue, 2018
"Data Protection Lawyer of the Year – USA," Global 100, 2017
"U.S. Data Protection Lawyer of the Year," Finance Monthly, 2017
"Best in Data Security Law Services," Corporate LiveWire’s Global Awards, 2017
Recipient, National Law Journal's Cybersecurity Trailblazer Award, 2016
Recipient, Lexology/ILO's Client Choice Award for IT and the Internet, 2016

Insights

Articles

Tips for Managing and Mitigating Data Privacy Risk
Risk & Compliance, October-December 2022 issue
Eye on Privacy 2021 Year in Review
01.11.2022
5 Privacy Law Predictions for 2022
Law360, 01.07.2022

Liisa has published extensively in the area of privacy and data security. She is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification (Thomson Reuters, 2018), which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data (Thomson Reuters, 2021), praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law." Liisa is also the editor of the firm’s eyeonprivacy.com blog, a recap of recent developments in the privacy and cyber space. A few of her more recent additional publications include:

"CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data," February 22, 2022
"Identifying and Preparing for Privacy and Cyber Security Risks," Risk & Compliance Magazine, July-Sept 2021 issue
Co-Author, "Playing with Privacy? Privacy and Cybersecurity Considerations in Esports," esportsinsider, June 24, 2021
"Changing the Conversation," Legal Management Magazine, June 16, 2021
"How to Take a Holistic Approach to Privacy Compliance in an Ever-Changing Legal Landscape," Global Data Review, January 14, 2021
"2020 Privacy Law Trends And How They Affect Compliance," Law360, December 22, 2020
"3 Privacy Law Predictions For The New Year," Law360, January 1, 2020
"4 Privacy Law Predictions for 2019," Law360, January 23, 2019
Co-Author with A. Thomson, "From Panic to Pragmatism: De-Escalating and Managing Commercial Data Breaches," Cyber Security: A Peer Reviewed Journal, Vol. 2, No. 1, Summer 2018 issue
"Dealing with US Biometric Laws and Litigation," Data Protection Leader, May 2018
"USA - Behavioural Advertising," Data Guidance, May 8, 2017
"CFPB Provides Guidance on Consumer Data Protection," Financial Regulation Journal, November 23, 2017

Esports and Games: Game Counsel

"Video Games, AI, and …the Law?," April 28, 2022

Privacy & Cybersecurity: Eye on Privacy Blog

"Lessons From New York AG Scrutiny of Breach Investigation and Response," November 14, 2022

"FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations," November 3, 2022

"IAB Steps In State Signal Morass," October 25, 2022
"Comparing and Contrasting the Opt Out Preference Signal Across States," October 24, 2022
"State Comprehensive Privacy Laws: Status of the Regulations," October 20, 2022
"EU To Review New EU-US Data Transfers Framework," October 10, 2022
"Impact on Companies of California’s Children’s Privacy Law – Effective 2024," September 28, 2022
"FTC Renews Focus on Dark Patterns," September 27, 2022
"Children’s App Settles with CARU Over COPPA and Guideline Violation Allegations," August 25, 2022
"NAD Examines Privacy Statements Made By DuckDuckGo in Online Ads," July 28, 2022
"Preparing for US State Privacy Law Compliance: The Six Month Mark," July 25, 2022
"Wegmans Settles With NYAG for $400,000 Over Data Incident," July 14, 2022
"Privacy and Cybersecurity Training: Addressing Regulatory Concerns," July 12, 2022
"UK ICO and NCSC Issue Caution About Making Ransomware Payments," July 11, 2022
"What Should We Do About the Draft CPRA Regulations?: Choice," June 27, 2022
"Maryland Amends Data Security and Breach Notice Obligations," June 22, 2022
"FTC Weighs In On Data Breach Notification," June 16, 2022
"FTC Continues Focus on Children’s Privacy," May 27, 2022
"What’s the Big Deal About Dark Patterns?," May 25, 2022
"Connecticut Fifth State to Pass a Comprehensive Privacy Law," May 12, 2022
"Formation of CBPR Forum Signals Continued Movement," May 2, 2022
"Arizona Expands Regulator Data Breach Notification Obligations," April 11, 2022
"Indiana Breach Notification Law Amended, Changes Effective July 1, 2022," April 5, 2022
"DAA Issues Warning On Device Fingerprinting," March 23, 2022
"Keeping Both Eyes on Cybersecurity," March 22, 2022
"FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources," March 15, 2022

Books

Media Mentions

Forget What You’ve Heard, Cybersecurity Attorneys Don’t Always Need Tech Skills
Legaltech News, 07.21.2022
New role, same vision
Chicago Lawyer, 07.2022
Sheppard Mullin Names New Chicago Leader
Law360, 05.23.2022
Spotlight on ILAO supporters and leaders: Liisa Thomas
Illinois Legal Aid Online, 10.07.2021
Does the Lindy effect apply to law?
Legal Evolution, 07.11.2021
Black Cyber Lawyers See Racial Diversity as Key to Data Safety
Bloomberg Law, 07.01.2021
Law360's 2020 Cybersecurity & Privacy Editorial Board
Law360, 03.27.2020
Cybersecurity & Privacy Policy To Watch In 2019
Law360, 01.01.2019
Cybersecurity & Privacy Predictions For 2019
Law360, 01.01.2019
Thought Leaders in Privacy: Liisa M. Thomas
Data Guidance, 06.2018
Sheppard Mullin Partner: U.S. Privacy Norms Already Close to Europe’s
Bloomberg Law, 05.23.2018
Sheppard Mullin Appoints Privacy Litigator
Commercial Dispute Resolution, 10.11.2017
Sheppard Mullin Adds Practice Leader to Grow Winston Lateral Roster
The American Lawyer, 09.26.2017
Sheppard Mullin Nabs Leading Cybersecurity Partner
Law360, 09.25.2017
FTC Takes First EU-U.S. Privacy Shield Enforcement Actions
Bloomberg Law: Privacy & Data Security, 09.08.2017

Speaking Engagements

Coffee Chat with Liisa Thomas
Northwestern Law and Technology Initiative, July 12, 2022
Panelist, “Legal trends to watch: from influencer missteps to privacy pitfalls,” Ad Age Next: CMO Conference, December 1, 2021
Speaker and faculty, “Technotainment” 2021: Distributing Content Across Multiple Platforms, Practising Law Institute, September 17, 2021

Events

Privacy Litigation and Enforcement in a CPRA+ World
Webinar, 02.08.2023
Understanding and Managing Cyber and Privacy Risk in an Increasingly Risky World
Virtual, 10.11.2022
Advertising Law Institute
September 29-30, 2022
Privacy in the Multiverse of Madness: Protecting Data in Real Life and Beyond
7th Annual Internet of Things (IoT) National Institute, Virtual, 09.13.2022
Twenty-Third Annual Institute on Privacy and Cybersecurity Law
The Allegro Royal Sonesta Hotel Chicago Loop, 171 West Randolph Street, Chicago, IL 60611, June 6-7, 2022
Understanding and Managing Risk in an Increasingly Risky World
Webinar, 05.25.2022
Privacy Connect: What do you think? - A Review of Privacy Program Management
Webinar, 04.06.2022
Understanding and Managing Risk in a Risky Technotainment World
"Technotainment" 2021: Distributing Content Across Multiple Platforms, In-person or virtual, 09.17.2021
ABA Internet of Things (IoT) National Institute 2021
Virtual, 6.10.2021-6.11.2021
Compliance Under Biden
Practical Insights for Turbulent Times: WSJ Risk & Compliance Forum, Virtual, 05.05.2021
Inside Scoop video #3: Project Management for Privacy Professionals
ANA Law & Public Policy Conference, In-person or virtual, 04.28.2021
Inaugural Ad Law Symposium
Webinar, 01.27.2021
2020 ANA/BAA Marketing Law Conference: A Virtual Experience
Virtual, 11.10.2020-11.12.2020
Advertising Law Institute 2020
Practising Law Institute Webcast, In-person or virtual, 10.15.2020-10.16.2020
Hot Topics in Privacy and Cyber Security in Uncertain Times: A Virtual Resource for In-House Privacy Teams
Webinar, 07.15.2020
Virtual Chicago KnowledgeNet: May 26, 2020
05.26.2020
Top Privacy and Cyber Questions in Uncertain Times: A Virtual Resource for In-House Privacy Teams
Webinar, 04.07.2020
Cybersecurity and Privacy: Convergence in a World of Increasing Cyber Attacks and Data Breaches
03.05.2020
Advertising Law Institute 2019
Practising Law Institute, October 17-18, 2019
Privacy Bootcamp for Security Professionals
IAPP Privacy. Security. Risk. 2019, 09.23.2019
Advertising Law Institute 2019
Practising Law Institute, 09.13.2019
To CCPA and Beyond! Creating a Flexible Approach to Privacy Compliance
Association of Corporate Counsel, 06.05.2019
2019 INTA Annual Meeting
May 18-22, 2019
Women Leading Privacy at the IAPP Global Privacy Summit 2019
05.02.2019
Global Privacy Summit 2019 Active Learning Day
05.01.2019
Data Breach Simulation
IAPP Data Protection Intensive: UK 2019, 03.12.2019
Hot Topics in Privacy Law
Third Thursday Emerging Company Webinar Series, via GlobalMeet, 12.05.2018
Data Breach Workshop
IAPP Europe Data Protection Congress, 11.27.2018
Data Breach Bootcamp
IAPP's Privacy, Security, Risk Conference, 10.17.2018
Security Ecosystems
SIM Women’s Leadership Summit, 09.28.2018
Big Data and Online Behavioral Advertising (OBA): An Advertiser’s Perspective
PLI's Advertising Law Institute, September 13-24
Limiting Exposure: Exploring Privacy Concerns for 2018 and Avoiding Unnecessary Risk
ACI’s Digital Advertising Law and Compliance Conference, New York City, 06.25.2018
Labor & Employment Law Update
New York, 06.07.2018
Ready or Not, GDPR is Here
Bloomberg Law Leadership Forum, New York, 05.23.2018
Law in the Information Age Panel
University of Chicago Law School, Chicago Symphony Orchestra Club, 05.17.2018
Data Security and Privacy Roundtable
Interactive Data Breach Simulation, 04.25.2018
Data Breach Bootcamp
IAPP Europe Data Protection Intensive 2018, London, 04.17.2018
Analyzing the Growth of Biometric Data Collection and Resolving Related Privacy Breach Concerns
at ACI's Cyber Risk & Data Security Conference, Chicago, April 10-12, 2018
Data Breach Bootcamp
IAPP Global Privacy Summit 2018, Washington, D.C., 03.26.2018
IAPP Europe Data Protection Congress 2017
Data Breach Bootcamp, SQUARE - Brussels Meeting Centre, 11.06.2017
Advertising Law Institute 2017
PLI Practising Law Institute, PLI California Center, 10.17.2017
Privacy. Security. Risk. 2017
Data Breach Bootcamp, Renaissance San Diego, 10.2017
Privacy + Security Forum
Hands-On Data Breach Simulation: Understanding the Roles of Legal, Forensics/IT, and PR, George Washington University The Marvin Center, 10.04.2017

Memberships

Training Advisory Board, International Association of Privacy Professionals (IAPP)
Executive Committee of the Board of Trustees, Chicago Symphony Orchestra (CSO)
Chair, Negaunee Music Institute Board, CSO
Subcommittee Chair, INTA Building Bridges Committee, International Trademark Association
Member, International Association of Privacy Professionals
Member, Women’s Foodservice Forum
Adjunct Professor, Northwestern University School of Law
Member, Leading Lawyers Network
Violinist, Chicago Bar Association Symphony Orchestra