Mullen Coughlin, Cybersecurity & Data Privacy

Cybersecurity & Data Privacy

Mullen Coughlin LLC is a law firm uniquely dedicated exclusively to representing organizations facing data privacy events, information security incidents, and the need to address these risks before a crisis hits. Founded by John Mullen, Jennifer Coughlin, Jim Prendergast, and Chris DiIenno, our team of accessible and motivated attorneys have handled thousands of events and possess experience and talent in data breach response, regulatory investigation defense, pre-breach planning and compliance, and privacy litigation defense unmatched in the industry.

Meet Our Team

  • Gregory Bautista Partner
    (267) 930-1509

    Gregory Bautista is a Partner at Mullen Coughlin and an experienced cybersecurity attorney and civil litigator. Mr. Bautista specializes in […]

    Read More
  • B Fox Brian F. Fox Partner
    (267) 930-4777

    Brian Fox focuses his practice on privacy and data security matters, helping clients navigate the various state, federal and international laws that govern the protection of data. When a privacy event occurs, he assists clients with locating the source of the breach, identifies affected individuals and prepares the legally required notice to individuals and regulatory officials.

    Read More
  • A Freind Angelina W. Freind Partner
    (267) 930-4782

    Angelina Freind is a Partner with Mullen Coughlin, LLC. Ms. Freind assists clients with the preparation for and response to data security incidents.

    Read More
  • Paulyne Gardner Partner
    (267) 930-2098

    As a Partner in Mullen Coughlin’s Litigation practice, Paulyne handles all aspects of data privacy and security class actions, third-party […]

    Read More
  • Amanda Harvey Partner
    (267) 930-1697

    Amanda Harvey is a Partner at Mullen Coughlin and focuses her practice on providing organizations of all sizes and from […]

    Read More
  • Lynda Jensen Partner
    (267) 930-2303

    Lynda Jensen is a Partner at Mullen Coughlin and an experienced privacy, cybersecurity and incident response attorney. Ms. Jensen focuses […]

    Read More
  • Rebecca J. Jones Partner
    (267) 930-4839

    Rebecca Jones is a Partner with Mullen Coughlin. Ms. Jones focuses her practice entirely on cybersecurity and privacy issues, including […]

    Read More
  • Greg Lederman Partner
    (267) 930-4637

    Greg Lederman is a Partner at Mullen Coughlin and concentrates his practice on data privacy and cybersecurity beginning with the […]

    Read More
  • R Loughlin Ryan C. Loughlin Partner
    (267) 930-4786

    Ryan Loughlin’s practice focuses on assisting clients to prepare for, minimize and respond to data security incidents. Mr. Loughlin guides […]

    Read More
  • C McCarron Claudia D. McCarron Partner
    (267) 930-4787

    Claudia McCarron, a Partner at Mullen Coughlin, is the Chair of the firm’s Litigation. She also serves as the firm’s […]

    Read More

Firm News & Events

Continuing Its Growth, Mullen Coughlin Welcomes Senior Partner Elizabeth Dill and Partner Katie Butler

As Mullen Coughlin LLC continues to grow, we are proud to welcome Elizabeth (Liz) Dill, CIPP/US to the firm as a Senior Partner and Katie Butler, CIPP/US, CIPP/E as a Partner. Liz will practice remotely from Virginia and Katie remotely in Arkansas. The addition of both Liz and Katie further strengthen the Mullen Coughlin team and solidifies Mullen Coughlin as the largest U.S. firm exclusively dedicated to counseling organizations in cybersecurity compliance and training and representing them during data privacy and security incidents and any subsequent litigation or regulatory investigation.

Liz received her Juris Doctor magna cum laude from Villanova University School of Law and is an experienced data privacy and security attorney who previously served as Vice-Chair of her former firm’s Data Privacy and Cybersecurity Practice. She routinely counsels clients in the healthcare, financial services, education and non-profit industries in all facets of incident response and data privacy and security, including with the preparation of incident response plans and compliance with state, federal and international regulatory authorities. She also holds a U.S. Certified Information Privacy Professionals (CIPP/US) credential from the International Association of Privacy Professionals (IAPP).

Katie earned her Juris Doctor from the University of Arkansas School of Law and since then has represented technology industry clients in data privacy and security matters ranging from developing incident response plans and incorporating “privacy-by-design” into new technologies, to facilitating third-party responses to data privacy and security incidents. Katie holds both a U.S. Certified Information Privacy Professionals (CIPP/US) and Certified Information Privacy Professional/Europe (CIPP/E) credential from the International Association of Privacy Professionals (IAPP).

With experience in handling over twenty thousand data privacy and security events on behalf of organizations of all sizes, across all industry sectors and in all geographic locations, Mullen Coughlin has over 90 experienced attorneys uniquely and solely dedicated to providing bespoke counsel relating to pre-event compliance and planning, data privacy and security event investigation and response, regulatory investigation defense and single-plaintiff and class action litigation defense.

Read More

Tales from the C-Suite: Protecting Corporate Assets & Cyber and Management Liability (D&O) Insurance

Partner Paul McGurkin participates in a Biocom California virtual webinar, “Tales from the C-Suite: Protecting Corporate Assets & Cyber and Management Liability (D&O) Insurance,” on June 22, 2021 from 10:00 am-11:00 am.

This panel discussion, presented by Biocom California and Quan Insurance, discusses recent events which triggered coverage, including cyber and ransomware incidents. As part of the Cyber Panel, Paul and his co-panelists Chris Ballod (Associate Managing Director, Kroll) and Ted Doolittle (Vice President, RT Specialty) provide essential tips for before and after a cyberattack, as well as respond to questions about common mistakes organizations make when responding to a data privacy and security incident (and how to avoid them). The panel is moderated by Jeff Quan – Principal, Quan Agency Insurance.

Biocom California is the largest advocate for life sciences organizations in California. For over 25 years, Biocom has provided the California life sciences industry with resources and industry advocacy to grow faster, work more efficiently and thrive.

Admission to the virtual webinar is free, and more information and registration can be found on the Biocom event webpage.

Read More

White House Signs Executive Order to Improve Federal Cybersecurity Posture

On May 12, 2021, President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity (the Order) mandating “bold changes and significant investments” to advance the nation’s efforts to identify, deter and defend against cybercriminals. The Order institutes ambitious cybersecurity requirements for “information systems used or operated by [Federal agencies] or by a contractor of an agency or by another organization on behalf of an agency,” and further calls for the advancement of private sector data security practices to enhance the security of U.S. cyberspace and infrastructure.

The Order consists of 11 sections, each including several requirements. At a high-level, the Order addresses four (4) primary cybersecurity interests:

  1. expanding incident reporting and information sharing;
  2. modernizing federal information systems;
  3. improving software supply chain security; and
  4. remodeling the federal government’s policies and procedures to better detect, respond to, and mitigate cybersecurity events.

While the Order focuses on the federal government and its agencies, many of the requirements are expected to impact federal government contractors and the private sector at large, either directly or indirectly. The Order mandates that guidance be issued, and new requirements be adopted, in a number of areas over the next several months, and the cybersecurity industry will be closely monitoring this activity.

Information Sharing and Reporting

The Order seeks to remove obstacles in contracts between the federal government and its information technology service providers to increase information sharing requirements and opportunities. The Order requires more stringent reporting requirements for service providers. As part of this effort, the Order calls for a review of the Federal Acquisition Regulation (FAR) and recommends new conditions on federal contracts, including severity-based cyber incident reporting deadlines – some as early as three (3) days after discovery of a cyber incident. The Order seeks to not only improve the flow of information sharing from the private sector to the federal government, but also to standardize the collection and sharing of information between agencies and coordination of agency responses and approaches to cybersecurity, as discussed in more detail below.

Paul Caron, Cybersecurity Incident Response Lead at Arete Advisors, notes that the Order aims to provide a common lens to view cybersecurity so that those performing critical roles across defense, technology and incident response can seamlessly facilitate cross-functional information sharing in a transparent manner. Paul is reminded of the intelligence community’s experience following 9/11, when security professionals encouraged flattening the information sharing landscape to achieve national security goals.

Others are less certain about the Order’s potency when it comes to information sharing. To be sure, the federal government has advocated for information sharing for decades, and, while the Order goes to great lengths to funnel threat intelligence to the appropriate authorities, government contractors should brace for significant growing pains as the conditions and procedure for reporting begin to materialize.

Modernizing Federal Government Cybersecurity

The Order requires federal entities to accelerate the transition to cloud-based architectures, including Software-as-a-Service (SaaS), and adopt security practices including encryption standards, zero-trust architecture and multifactor authentication (MFA). The Order also emphasizes critical risk areas such as Secure Software Development Lifecycle (SSDLC), where many code vulnerabilities are overlooked and subsequently exploited. These vulnerabilities are found across both Information Technology (IT) and Operational Technology (OT) environments. While the requirements target government agencies, government contractors and suppliers should be prepared to facilitate these requirements.

Supply Chain Security

The Order addresses the lack of transparency and security controls in software development and calls for guidance that will enhance software supply chains, including securing production environments, attesting to secure development practices and requiring contract language that would mandate that private suppliers of software available for purchase by agencies to comply with the directive. Suppliers will need to attest to certain standards and those that fail to meet the standards may be removed from contracts.

Further, the Order instructs agencies to require vendors to provide a “Software Bill of Materials” (SBOM), or “a formal record containing the details and supply chain relationships of various components used in building software.” Open-source software developers and service providers, in particular, should take note of potential risks when attesting to the integrity and provenance of open-source software.

Federal Vulnerability and Incident Detection, Response, and Remediation

The Order seeks to improve detection of cybersecurity vulnerabilities and response to incidents involving Federal Information Systems. For instance, the Order explicitly identifies Endpoint Detection and Response (EDR) software and requires the Office of Management and Budget (OMB) to issue requirements for agencies to adopt a uniform EDR approach.

In addition, agencies and their contractors are directed to increase efforts to collect and maintain network and system logs on Federal Information Systems. The Order solicits recommendations on the retention schedules and types of logs to be collected, and vendors should be on the lookout for updated guidance in the FAR.


Much of the Order is a recitation of well-established, yet unrealized, cybersecurity goals. However, with this directive, the President establishes aggressive timelines for implementing large-scale information security measures across federal agencies, which will ultimately affect current and future government contractors and suppliers. Mandating that security measures liked EDR and MFA be adopted may have a significant positive benefit on federal government information systems, depending on the implementation specifications. In addition to creating more stringent reporting requirements for contractors and suppliers, the private sector can also expect to see greater government investment in certain technologies, and such contracts will surely be aggressively sought.

Time will tell if the new cybersecurity standards materially improve the federal government’s cybersecurity defenses. In the meantime, businesses that provide information technology products and services to federal agencies should begin evaluating the Order and positioning for compliance. If you have any questions or would like additional information, please contact Edward Finn (; 267.930.4776) or Ryan Gallagher (; 267.930.2308). Thank you to Paul Caron, Cybersecurity Incident Response Lead at Arete Advisors, for contributing to this article. He can be reached at or 847.274.5607

Read More

© Mullen Coughlin. Attorney Advertising Notice: Information contained in this Web site may be considered attorney advertising. The material and information contained on these pages is intended to provide general information only and not legal advice. You should consult with an attorney licensed to practice in your jurisdiction before relying upon any of the information presented here. You are advised that the acts of sending e-mail to or view or downloading information from this website does not create an attorney-client relationship. Disclaimer | Sitemap