Mullen Coughlin, Cybersecurity & Data Privacy
Mullen Coughlin LLC is a law firm dedicated exclusively to representing organizations facing data privacy events and information security incidents, and to helping them address these risks before a crisis hits. Founded by John Mullen, Jennifer Coughlin, Jim Prendergast, and Chris DiIenno, our team of accessible and motivated attorneys has handled thousands of events and possesses experience and talent in data breach response, regulatory investigation defense, pre-breach planning and compliance, and privacy litigation defense that is unmatched in the industry.
Meet Our Team
Gregory Bautista is a Partner at Mullen Coughlin, LLC and an experienced cyber security attorney and civil litigator. Mr. Bautista […]
Amanda Harvey is a Partner at Mullen Coughlin, LLC and focuses her practice on providing organizations of all sizes and […]
Ryan C. Loughlin
Ryan Loughlin’s practice focuses on assisting clients to prepare for, minimize and respond to data security incidents. Mr. Loughlin guides […]
Claudia D. McCarron
Claudia McCarron, a partner at Mullen Coughlin LLC, is a member of the Data Privacy & Network Security Practice and […]
Paul T. McGurkin, Jr.
Paul McGurkin is a Partner with Mullen Coughlin LLC. Mr. McGurkin focuses exclusively on assisting clients prepare for and respond to data security incidents and breaches including regulatory investigations and inquiries.
James F. Monagle
Jim Monagle’s practice focuses on data privacy and security issues, including incident response, related litigation, compliance and best practices. Mr. […]
John F. Mullen
John F. Mullen, Sr. is a name partner and co-founder of Mullen Coughlin. He has been licensed in Pennsylvania and […]
James E. Prendergast
Jim Prendergast is a founding partner of Mullen Coughlin. Mr. Prendergast’s practice is focused on representing clients who have experienced […]
Vince F. Regan
Vince Regan is a Partner at Mullen Coughlin LLC. Mr. Regan’s practice is focused exclusively on cybersecurity and data privacy […]
Sian M. Schafle
Sian Schafle is a partner in the Data Privacy and Network Security Practice. Ms. Schafle focuses her practice on the […]
Firm News & Events
Mullen Coughlin expands team, footprint By Erin Ayers, Advisen
Mullen Coughlin, a cyber-focused law firm, announced it will expand its team and geographic reach with the addition of Greg Bautista and several other members from the Wilson Elser data privacy team.
The move expands Mullen Coughlin’s practice to over 50 attorneys practicing in California, Connecticut, New York, New Jersey, Tennessee, and Texas. In addition to Bautista, former co-chair of Wilson Elser’s data privacy team, two partners and several associates will join Mullen Coughlin.
John Mullen, founder of the firm, told Advisen that they were seeking senior cyber attorneys to join the practice and the new additions make sense from talent and geographical perspectives.
“Some insureds prefer to have a lawyer located close to them, even if they never meet them,” said Mullen. “Although we’ve always serviced the entire country, this new team will add to the comfort level of those insureds.”
Mullen Coughlin focuses solely on data privacy, providing pre-event services, incident response, compliance, litigation, and regulatory defense. The firm’s lawyers handled over 3,000 events in 2019.
The firm’s expansion comes at a time of increasing cyber threats, particularly ransomware. Ransom amounts have skyrocketed, and attacks have become more complex and more frequent.
“It’s a three-part monster on ransomware,” Mullen said. Entities of all sizes also continue to face traditional hacks, business email compromises, vendor risk, and other perennial cyber threats.
“There’s a reason more and more entities are buying cyber insurance,” he said. Mullen predicted “double and then triple” growth for the cyber insurance industry in the coming years. Market consensus suggests that take-up rates will increase beyond the Fortune 5000, the majority of whom have bought cyber coverage for several years.
The vast majority of Mullen Coughlin’s business comes in via its insurer partners. The insurers have “figured it out,” according to Mullen.
“The insurance industry and the vendors they use lead the market in its ability to respond to these events. All the big insurers have dealt with thousands of these breaches,” he said. “They know what the process should look like. They figured out how to best and most efficiently deal with breaches.”
MULLEN COUGHLIN LLC ANNOUNCES EXPANSION
Greg Bautista, former co-chair of Wilson Elser’s Data Privacy Team, along with two additional partners and several associates, is joining Mullen Coughlin. The new Mullen Coughlin attorneys practice in Connecticut, New York, New Jersey, Tennessee, and Texas, with several attorneys barred in California.
Consistent with Mullen Coughlin’s unique cyber-focus, these attorneys will practice only cyber law, adding depth and geographic footprint to a team that now exceeds fifty attorneys. Mullen Coughlin is solely dedicated to data privacy, including pre-event counseling, incident response, regulatory investigation, single-plaintiff and class action litigation, and compliance. With its unparalleled experience handling in excess of twenty thousand data privacy matters, including over 3,000 incidents in 2019, Mullen Coughlin is proud of its growing team which will continue to service cyber insurance carriers and their insureds. This numeric and geographic expansion will enhance the firm’s ability to provide immediate and efficient data privacy legal counsel to organizations.
8 Questions to Answer Before Paying a Ransomware Demand by Roger A. Grimes
This article was originally published here at CSO.
Consider these factors before deciding to pay a ransom after a ransomware attack. Better yet, know where you stand before one hits you.
Until the last few years, conventional wisdom said never to pay the ransom that ransomware criminals demanded, because it only encourages them. Despite those warnings, it was rumored that somewhere around 40% of all ransomware victims paid the ransom.
Now, it seems, many impacted companies have been paying the ransom, and the very few who didn’t probably wish they had. There is evidence that ransomware recovery companies who claim to help recover environments without paying the ransom are often paying the ransom and getting the decryption key in secret.
Who’s paying the ransoms?
I spoke with John Mullen, of Mullen Coughlin, who has been involved with thousands of cybersecurity incident responses in his career. His firm handled over 1,200 privacy matters last year and will handle over 1,500 in 2019.
I asked Mullen if he’s seen that 40% figure go up recently. “It was never 40% or 50%. I don’t know where that number came from. It was always higher. Most companies pay the ransom when faced with the decision to pay or close down. They typically make the payment because they don’t have another valid continuing business option. Pay it or be out of business for days, weeks or longer.” Mullen adds that no one knows the actual percentage of companies that pay the ransoms, but he has “little doubt” it is rising.
I mentioned that law enforcement presentations frequently recommend not paying the ransom no matter what. “When you speak with individual experienced law enforcement off the record, that is rarely what they say,” says Mullen. “Most will admit that it’s often better for the victim to pay the ransom. The reality is that people are paying because they don’t have another good option.”
One reason people pay, according to Mullen, is that attackers are getting better at maximizing the damage ransomware causes. “Today, the attackers are accessing systems, running reconnaissance, and identifying critical pain points in order to maximize the impact of their attacks,” he says. “These types of attacks make it harder than ever to repair or recover. The percentage of people who pay the ransom is higher now because the bad guys are better.”
Recent studies back up John’s claims. All are showing that most companies spend far more time, money, and resources (one report says that the average company spends 23 times more) recovering from ransomware without the key than if they just paid the ransom from the start.
You might think that the decision on whether to pay the ransom comes down to whether you have a good tested backup, but it’s more than that.
How to determine if you should pay a ransomware demand
Here’s what you should think about before deciding whether to begin ransomware recovery without paying the ransom:
1. Does your company have a ransomware policy?
What is your organization’s policy on paying ransom? If your company has a written, unshakable policy against paying the ransom, then you have your answer. If you know that, despite a written policy, senior management is not going to tolerate spending 23 times more money and resources than paying the ransom and is likely to create an exception if put on the spot, then consider that, too. Many companies have stuck to their non-ransom-paying commitment and had to endure weeks of downtime. It’s one thing to say it and another to live it when operations are down.
2. How bad is the damage?
Did they just get a few critical machines or did they pull the heart out of your operation? Can you prevent further damage? Can you stop the bad guy from getting back in? Do you need to shut down your ingress points, change all passwords, and do a network scrub for malware and malicious network connections? How confident are you that you know the extent of the damage and the reach?
3. How good are your restore capabilities?
Even if you have an awesome backup, have you ever truly done a complete test restore of all the impacted critical assets? How long will it take to restore? How can you be assured the restores don’t contain backdoors that let the bad guys back in? How long will it take you to do the restores and the necessary unit testing? Are all your most recent backups online and therefore also reachable by the criminal?
These days ransomware criminals are whacking all your online tape restores, from the most recent online copies to the supposedly “trusted” offline copies. I’ve heard of ransomware criminals changing the legitimate encryption key that the company is using to encrypt their data during the backup process.
Every company should be encrypting all data backups (again, it’s a compliance requirement of every regulation). The attackers are changing the encryption keys used for those backups without the victim noticing. The victims go about their normal backup routines unaware that the keys have been modified, so all the backups for days to months get encrypted with the wrong encryption key. Then, right before the ransomware attack is kicked off, the attackers change the keys again. This way, even the long-ago, stored offline backups are unrecoverable.
So, when I ask whether you have a good data restore ready to go, I mean you have to check everything.
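One defender-side check for the key-swap scenario above, written as an added example that is not part of the original article or of any tooling from the firm: each backup run records a key check value (a hypothetical convention) derived from the key it actually used, and the verifier recomputes that value from the escrowed key for every retained set, so a swap that was later reverted still shows up as a window of unrecoverable backups even though today's key checks out. The scenario assumes the attacker's final key change restores the original key.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Fixed label used to derive a key check value (KCV). Hypothetical convention:
# the backup job records HMAC(key, label) alongside each backup set, so the
# key actually used can later be confirmed without storing the key itself.
KCV_LABEL = b"backup-key-check-v1"


def key_check_value(key: bytes) -> str:
    """Derive a short check value from key material (never the key itself)."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class BackupSet:
    backup_id: str  # e.g. the run date
    kcv: str        # recorded by the backup job from the key it actually used


def unrecoverable_backups(catalog, escrowed_keys):
    """Return ids of backup sets whose KCV matches none of the keys we hold.

    Checking only the key in use today is not enough: if the key was swapped
    and later swapped back, today's key checks out while months of backups
    are unrecoverable. Every retained set must be checked individually.
    """
    held = {key_check_value(k) for k in escrowed_keys}
    return [b.backup_id for b in catalog if b.kcv not in held]


# Constructed scenario: the organisation escrows ORG_KEY offline; an intruder
# silently replaces the key on the backup host for runs 03 to 05, then puts the
# original key back before detonating the ransomware.
ORG_KEY = b"constructed-org-backup-key-material"
ROGUE_KEY = b"constructed-attacker-substituted-key"


def sample_catalog():
    runs = ["2024-01", "2024-02", "2024-03", "2024-04", "2024-05", "2024-06"]
    swapped = {"2024-03": ROGUE_KEY, "2024-04": ROGUE_KEY, "2024-05": ROGUE_KEY}
    return [BackupSet(r, key_check_value(swapped.get(r, ORG_KEY))) for r in runs]


if __name__ == "__main__":
    catalog = sample_catalog()
    print("latest key still ours:", catalog[-1].kcv == key_check_value(ORG_KEY))
    print("backup sets we cannot restore:", unrecoverable_backups(catalog, [ORG_KEY]))
```

The catalog is only as trustworthy as the host that wrote it, so this check complements rather than replaces a periodic real test restore from an offline copy.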
4. Do you have a business continuity plan in place?
Will your business continuity plan (BCP) handle the ransomware event in case you don’t pay the ransom? If not, that means more downtime and more alternative data processes. How much downtime can your BCP handle or cover? If the estimated downtime exceeds the BCP’s ability to handle it, do you pay the ransom right from the start?
5. Do you have senior management support?
Whether you do or don’t pay the ransom, do you have senior management and board support for the action? I’ve seen a lot of CISO heads roll because of ransomware attacks. They might love you while everything is running fine, but if you have to tell them that your supposedly excellent data backups and restores aren’t that viable and they could be down for days to weeks, will they still have confidence in you? I’ve seen CISOs fired during the recovery event.
6. Do you have the necessary staff?
Whether you pay the ransom or not, you will need all hands on board to help recover. If you don’t pay the ransom, you will need that much more help. Companies like Mullen Coughlin can help provide the needed adjunct staff and expertise, but do you have the money and time?
7. Will paying the ransom do any good?
When you pay the ransom, the ransomware gangs usually give you the keys that unlock your systems and do so consistently. Otherwise, no one would pay the ransom. They are forced to be gentleman criminals.
But there are edge cases where paying the ransom doesn’t work. I have heard of some cases where the payer got the decryption key, but the recovery process did not work or required so many additional recovery actions that it made paying the ransom almost worthless.
If you can, speak to a ransomware expert to find out how the recoveries went for other people who paid the ransom to the same criminal groups. The most knowledgeable ransomware fighters are clued into when paying the ransom works and when it doesn’t. Get an expert opinion on the exact malware program you are dealing with first.
8. Do you have cybersecurity insurance that covers paying the ransom?
If your cybersecurity insurance carrier does cover paying the ransom, who decides? As I’ve covered previously, some cybersecurity insurance policies don’t cover acts caused by social engineering (the most popular type) or offer a very reduced damage payment.
Don’t publicly announce that you’ve got cybersecurity insurance, and especially not how much you have, like when Baltimore announced it is getting $20 million in cybersecurity insurance. Public disclosure is often required for such things – welcome to government life – but if you can keep that fact private, do it. Criminals will only use that as a floor in negotiations. If your cybersecurity insurance policy is stored online, move it to safe, quickly accessible offline storage. No need to let the bad guys find it before they launch their attack.
Whether to pay a ransom demand is most often a simple business decision. Far too many companies aren’t prepared, and paying the ransom seems to be the easiest and quickest way out for most. Pick your best path.