Ashley L. Thomas is a privacy and cybersecurity attorney in Holland & Knight's Washington, D.C., office. Ms. Thomas focuses her practice on cyber and data risk management and governance, breach preparedness and response, crisis management and global data privacy compliance. She regularly counsels clients on cross-border data flows and navigating conflicts between foreign privacy laws and U.S. compliance obligations.

Ms. Thomas advises clients on all aspects of compliance with federal, state and international data privacy and security laws, such as the European Union (EU) General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Children's Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA). She advises clients in various industries on privacy matters, including information governance and data management, online advertising and internal compliance policies as well as consumer policies, including website and mobile application policies, vendor management, blockchain and privacy and security-related compliance strategies and programs. She also guides clients on risks and potential liabilities associated with privacy and data security practices in mergers and acquisitions (M&A) and technology transactions.

Ms. Thomas prepares, updates and advises clients on their privacy, data security and incident response policies and procedures, as well as third-party vendor agreements. She regularly counsels clients following data and cybersecurity incidents, including subsequent internal investigations, state and federal notification obligations and associated regulatory and litigation risks. Ms. Thomas is a Certified Information Privacy Professional (CIPP/US and CIPP/E) through the International Association of Privacy Professionals (IAPP).

In addition, Ms. Thomas represents clients in the healthcare industry. She advises public health systems, medical device manufacturers and technology companies on data breaches and breach notification risk assessments, as well as on an array of regulatory compliance, licensure and operational matters.

Prior to joining Holland & Knight, Ms. Thomas was an attorney at multiple Am Law 100 firms, where she advised clients on all aspects of data privacy and security.

During law school, Ms. Thomas was a law clerk with the U.S. Attorney's Office in Nashville, Tennessee, as well as a law clerk with the Cook County (Illinois) State Attorney. She also completed judicial internships with the U.S. Bankruptcy Court for the Middle District of Florida and for the Honorable John Bryant of the U.S. District Court for the Middle District of Tennessee.

Representative Experience

  • Counseled multiple clients on the development of global privacy policies and terms of service for e-commerce websites and mobile applications, including drafting the policies and related agreements
  • Advised on written information security policies, incident response plans and other corporate policies addressing information governance, technical infrastructure and cybersecurity risk management
  • Advised a global hotel management company on the development and implementation of European Union (EU) General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance program
  • Performed privacy and security due diligence for the acquisition of technology companies
  • Counseled an international software company regarding cross border data transfers
  • Assisted healthcare entities in developing Health Insurance Portability and Accountability Act (HIPAA) compliance programs and conducting risk analyses and assessments
  • Drafted HIPAA policies and procedures, business associate agreements and notices of privacy practices


  • Vanderbilt University Law School, J.D.
  • Vanderbilt University, M.Ed.
  • Northwestern University, B.A., Political Science
Bar Admissions/Licenses
  • District of Columbia
  • Illinois
  • Indiana
  • Missouri
  • International Association of Privacy Professionals (IAPP)
  • American Bar Association, Health Law Section, eHealth, Privacy & Security Interest Group, Chair 2021-2022; Vice Chair, 2018-2020; Voices in Health Law Podcast, Chair 2021-2022; Washington Health Law Summit Committee Conference, Vice Chair 2021-2022; Web and Technology Committee, Chair, 2019-2021
  • American Bar Association, Science and Technology Section, Artificial Intelligence and Robotics Committee, Vice Chair, 2021-2022; Law Student Committee, Co-Chair, 2021-2022
  • American Bar Association, Young Lawyers Division, Physician Issues Interest Group, Liaison, 2015-2016; Science and Technology Committee, Chair, 2016-2018; Health Law Section Membership Committee, Liaison, 2018-2019; Science and Technology Section Council, Liaison, 2019-2023
  • American Health Lawyers Association (AHLA), Physician Organizations Practice Group, Social Media Coordinator, 2014-2017; Public Health System Affinity Group, Vice Chair, 2017-2020; Women's Leadership Council, 2019-2022
  • Junior League of Washington, Transfer Steering Committee, Vice Chair of Development, 2018-2019; Technology Committee, Chair, 2019-2020; Home & Heritage Council, Assistant Council Director, 2020-2021
  • C. Chi Omega Alumnae Chapter, Vice President of Philanthropy, 2018-2019
  • Illinois Association of Healthcare Attorneys, Communications Committee, 2015-2016
Honors & Awards
  • The Best Lawyers in America guide, Washington, D.C. Privacy and Data Security Ones to Watch, 2023, 2024
  • Rising Star, Washington, D.C., Super Lawyers magazine, Technology Transactions, Healthcare, 2020-2024
  • Emerging Young Lawyer in Healthcare Award, American Bar Association, 2019, 2020


Speaking Engagements