Mullen Coughlin, Cybersecurity & Data Privacy

On September 21, 2021, the Department of Treasury took two significant steps in further articulating its position on the payment of ransoms in cyber extortion matters.

First, the Office of Foreign Assets Control (OFAC) added SUEX – a virtual currency exchange – to its Specially Designated Nationals (SDN) list as a result of their analysis that as much as 40% of its known transaction history has been associated with illicit actors.

Second, it issued its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Updated Advisory). Notable content from the Updated Advisory includes:

•  Payment is discouraged. The U.S. Government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.

•  Law enforcement and regulatory body reporting, and cooperation with law enforcement, remains an essential step in the ransomware incident response process. In the case of a ransomware payment with a potential sanctions nexus, OFAC will consider as a significant mitigating factor, among other things, an entity’s complete and self-initiated report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA) or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), “as soon as possible after discovery of an attack.” OFAC encourages victims to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center or their local U.S. Secret Service office as soon as possible. Victims should report ransomware attacks and payments to the OCCIP and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to ransomware payment. OFAC will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack – e.g., providing all relevant information such as technical details, ransom payment demand and ransom payment instructions as soon as possible – to be a significant mitigating factor if an enforcement action is pursued.

•  Preventative protection and recovery efforts matter. Meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in CISA’s September 2020 Ransomware Guide, will be considered a significant mitigating factor in any OFAC enforcement response. The Updated Advisory notes these steps could include maintaining offline backups of data; developing incident response plans; instituting cybersecurity training; regularly updating antivirus and anti-malware software; and employing authentication protocols – all important hygiene steps.

•  License applications remain a possibility. While applications will continue to be reviewed on a case-by-case basis, the presumption of denial articulated in the October 2020 Advisory remains.

•  We have more, but still limited, visibility into OFAC enforcement actions. While each potential enforcement matter depends on specific facts and circumstances, OFAC will be more likely to resolve apparent violations involving ransomware attacks with a non-public response, such as a No Action Letter or a Cautionary Letter, when an organization timely reports the event to respective law enforcement and regulatory agencies, cooperates with investigations resulting from the event or reporting and takes steps to better protect against a ransomware infection impacting the victim organization’s systems.

Organizations of all sizes and from all industry sectors face the risk of a ransomware event impacting the security of their systems and data. Mullen Coughlin’s team of 90+ attorneys possesses unmatched experience in handling over 20,000 data privacy events, including over 1,000 ransomware events in 2020 and over 800 ransomware events in 2021 (to date).

For more information on the Updated Advisory, as well as ransomware preparedness services and incident response services, please contact John F. Mullen (; 267.930.4791), Jennifer A. Coughlin (; 267.930.4774) or Carolyn Purwin Ryan (; 267.930.6836).

Mullen Coughlin is proud to announce that Partner Amanda Harvey has been selected as a 2021 Texas “Super Lawyer” in the Technology Transactions practice area by Super Lawyers. The annual “Super Lawyer” selection is based off an evaluation of 12 indicators, including peer recognition and professional achievement in legal practice. This is Amanda’s first time being selected as a “Super Lawyer,” having been named a “Rising Star” in 2010 and 2017-2019.

Amanda joined Mullen Coughlin in January 2020 from a full-service, Dallas, TX-based law firm. Amanda now focuses her practice on providing organizations of all sizes and from every industry sector in first-party breach response and third-party privacy defense legal services. She has counseled hundreds of clients in investigating and responding to an event compromising information and systems security, working closely with client resources, third-party forensic consulting experts and law enforcement to identify the nature and scope of a compromise. She advises clients on their legal notice and compliance responsibilities required by state, federal and international law, as well as those stemming from industry-specific standards, ethical obligations and by contract.

In addition, Amanda also represents these companies in single-plaintiff and class action litigation stemming from data privacy and cybersecurity incidents. Her experience of over a decade of handling complex litigation has prepared her to successfully litigate matters within the designated timeframe and budget, oftentimes providing innovative legal strategies to negotiate disputes with minimal disruption to the organization’s business and reputation.

This selection further solidifies Mullen Coughlin as the preeminent law firm that is exclusively dedicated to counseling organizations in the context of data privacy and cybersecurity under the umbrella of cyber insurance.

Congratulations, Amanda!

Partner Greg Bautista presents, “Proactive Cyber Security Risk Mitigation Strategies,” at the National Conference on Public Employee Retirement Systems’ (NCPERS) 2021 Financial, Actuarial and Legislative & Legal (FALL) Conference with James Martinez (Risk Management Consultant – Gallagher) and CJ Dietzman (Managing Director, Cyber Solutions – Aon) in Scottsdale, AZ on September 26, 2021 from 2:00 pm-2:45 pm.

On the General Session track, Greg’s presentation focuses on the proactive risk strategies that a pension system should address to mitigate the downtime and cost to a system should they be the victim of a data privacy and cybersecurity incident. In addition, Greg and his co-presenters discuss the steps involved in creating an effective incident response plan and how to identify the key components so that the incident response and investigation is streamlined. Finally, cyber insurance is discussed, including the expectations sought from cyber insurance providers as pension systems look to secure coverage prior to a data privacy and cybersecurity incident.

NCPER’s FALL Conference is developed for public pension trustees, staff and industry partners to meet their educational needs, exchange ideas, strategize solutions and network.

NCPERS is the largest trade association for public sector pension funds, representing nearly 500 funds throughout the United States and Canada.