Mullen Coughlin, Cybersecurity & Data Privacy

On February 4, 2021, New York State’s Department of Financial Services (DFS) issued a seven-part “Cyber Insurance Risk Framework” (the Framework) urging insurance companies to develop a “rigorous” and “data driven approach” to insuring cybersecurity risks. Ransomware attacks reported to the DFS nearly doubled in 2020 from the previous year, with costs continuing to rise.

Managing cyber risk continues to be a challenge for insurers, and according to the DFS, one that requires coverage offerings and pricing based on a careful assessment of an insured organization’s risk level…which isn’t news to experienced cyber carriers.

To manage their cyber insurance risk, however, the DFS recommends the following for property/casualty insurers that write cyber insurance (again, not news to serious cyber insurance carriers): 

1. Establish a formal cyber insurance risk strategy;
2. Manage and eliminate exposure to silent cyber insurance risk;
3. Evaluate systemic risk;
4. Rigorously measure insured risk;
5. Educate insureds and insurance producers;
6. Obtain cybersecurity expertise; and
7. Require notice to law enforcement.

Additionally, in line with recent OFAC and FinCen advisories from October 2020, the DFS recommends against, but does not mandate, paying ransom payments.

While experienced carriers are already implementing these recommendations (and others), smaller and less experienced insurance carriers should begin to build them into their process of writing and marketing their cyber insurance policies.

If you have any questions about the Framework, please contact Carolyn Purwin Ryan (; 267.930.6836), Maria Monastra (; 267.930-4602) or another one of our cybersecurity professionals.

Like California with the California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and before that, Europe’s General Data Protection Regulation (GDPR), states are individually starting to enact their own state-specific comprehensive consumer privacy laws. Virginia appears primed to continue this trend by introducing the Consumer Data Protection Act (CDPA). The Virginia House approved H.B. 2307 on January 29, 2021 and the Senate approved S.B. 1392 on February 5, 2021. The two legislative branches will now attempt to pass a final bill, with Virginia Governor Ralph Northam potentially signing the bill into law by the end of February.

Virginia’s CDPA, in its current form, would apply to businesses that (1) control or process data for at least 100,000 consumers; or (2) those that make 50% or more of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. However, as currently drafted, the law contains many exceptions that businesses should review in more detail with counsel to determine applicability once enacted.

Similar to the CCPA or the GDPR, the CDPA grants consumers a broad range of control over their personal data, including sensitive personal data. It defines sensitive personal data as “a category of personal data that includes biometric data, data collected from children, precise geolocation data and personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status.” Specifically, the CDPA grants consumers the right to access, correct, delete, obtain a copy of their data in a portable format, opt out of targeted advertising, sales of their personal data or profiling decisions that produce legal or similarly significant effects. It also requires consent to process sensitive personal data. Using definitions like those in the GDPR, the CDPA requires contracts with specific terms between controllers and processors, imposing data protection responsibilities on both. Controllers must conduct data protection assessments for activities such as selling personal data, processing sensitive personal data or processing personal data for targeted advertising or profiling purposes or purposes with a heightened risk of consumer harm, weighing benefits against potential risks.

More conservatively and contrary to the CCPA, the GDPR and some other pending state privacy legislation, the current CDPA iteration does not contain a private right of action. Instead, the CDPA gives the Virginia Attorney General exclusive rights to bring enforcement actions and introduces the Consumer Privacy Fund to facilitate enforcement efforts. The CDPA also provides a 30-day cure period before a covered entity may be subject to a $7,500 civil penalty for each violation.

If signed into law, the CDPA will take effect on January 1, 2023, giving covered entities approximately two years to build out their CDPA compliance programs. Virginia-based companies that have not considered other comprehensive privacy laws like the CCPA or the GDPR should start preparing now. This may include:

• Identifying the categories of personal data that they process;
• Updating privacy notices to address new consumer rights;
• Implementing policies and procedures for responding to consumer requests and conducting data protection assessments;
• Verifying that they have obtained the required consent for processing sensitive personal data; and
• Revisiting vendor or other third-party contracts that involve collecting, using, storing, disclosing, analyzing, deleting or modifying personal data.

For companies already governed by the GDPR or CCPA, coming into compliance with the CDPA or other new regional privacy laws will not require wholesale implementation efforts. Instead, companies can leverage their current compliance programs with narrow adjustments tailored to the CDPA.

Preparing for the Virginia law may also help companies stay ahead of the curve. Since January 2021, Connecticut, Minnesota, New York and Washington State have already introduced – or reintroduced – comprehensive privacy laws.

Mullen Coughlin will continue to monitor the CDPA and other comprehensive privacy legislation. If you have any questions, please contact Kevin Mekler (; 267.930.2190), Melissa Sachs (; 267.930.4747) or another Mullen Coughlin representative.

Mullen Coughlin LLC proudly announces that Kevin E. Dolan has rejoined the firm as an equity partner in its Devon, PA headquarters. 

“I couldn’t be more excited to rejoin so many of my former colleagues and team up with all of the exceptional new talent that John, Jenn and the rest of firm leadership have assembled these past few years,” Kevin said. “The depth of expertise at Mullen Coughlin is unparalleled in the industry, and I’m proud to be a part of this next chapter of growth with the nation’s premier cybersecurity firm.”

Kevin, who is a graduate of Temple University’s Beasley School of Law, has been practicing law for over a decade, spending the initial portion of his career at Philadelphia-based law firms with several of the Mullen Coughlin team members, where he focused primarily on guiding clients through high-profile breach response incidents and compliance assessments.

Following his experience in private practice, Kevin joined La Salle University in 2015 to serve in various executive roles, most recently as Vice President of Strategy and General Counsel. At La Salle, Kevin oversaw all legal issues implicating the University and advised the President and Board of Trustees on significant operational, legal and governance matters.

“Kevin was an integral member of the team before and has returned with even more relevant experience and knowledge that further establishes Mullen Coughlin as the premier data privacy and security law firm for all industry sectors,” said Jennifer Coughlin.

“It’s no secret our team first came together in the early 2000s, and we’ve grown since then with talented attorneys that understand data privacy and security, the risks organizations face in this technology heavy world, appropriate incident response practices and the value of cyber insurance in the preparation for and response to data privacy events,” said John Mullen. “Kevin understood it when he was with us before, understands it now and we welcome him back to the team.”

Mullen Coughlin has 70 plus attorneys who counsel organizations solely in data privacy and security event preparation, incident response, regulatory investigation and litigation with a focus on insured entities.