& Compliance
Investigation
& Management
Mullen Coughlin LLC is a law firm uniquely dedicated exclusively to representing organizations facing data privacy events, information security incidents, and the need to address these risks before a crisis hits. Founded by John Mullen, Jennifer Coughlin, Jim Prendergast, and Chris DiIenno, our team of accessible and motivated attorneys have handled thousands of events and possess experience and talent in data breach response, regulatory investigation defense, pre-breach planning and compliance, and privacy and security litigation defense unmatched in the industry.
Mullen Coughlin Partner and Chair of the Litigation practice, Carolyn Purwin Ryan, is a faculty member for this year’s ClaimsXchange Cyber Claims Academy this July 14-15 in Chicago. Carolyn is a Professor for the “Regulatory Environment – International, Federal, and State Breach & Privacy Laws” session this year.
Carolyn uses the Firm’s collective litigation and regulatory defense experience, as well as her own Breach Counsel experience, to provide a deep dive into the various U.S. state, federal, and international various laws and regulations that underpin security- and privacy-related disputes of all types.
The Cyber Claims Academy is designed for cyber claims professionals to immerse themselves in a peer-to-peer learning environment with rigorous discussion, real-world application, and executive-level thinking. Learn more here.
Mullen Coughlin welcomed three (3) attorneys to the Firm this June – Colin Scanlon as Partner and Chaiyeon Lee and Caitlyn Sarudy as Associates. Colin and Chaiyeon are based in Pennsylvania, Caitlyn in Maryland, and all will practice primarily in the Incident Response (IR) practice group.
Colin Scanlon re-joins Mullen Coughlin and will continue his practice of providing Breach Counsel legal services to clients experiencing data privacy and security incidents. He will also work closely with the Firm’s internal data collection team to provide integral reporting for the Firm’s cyber insurance carrier clients and partners. Colin received his J.D. from Widener University Commonwealth Law School and is licensed to practice in Pennsylvania and New Jersey state courts, as well as before the U.S.D.C for the Eastern District of Pennsylvania.
Chaiyeon Lee and Caitlyn Sarudy join the IR practice group as Associates. Their practice focuses on counseling clients on their legal and regulatory obligations, including notification and other reporting duties, stemming from data privacy and security incidents. Chaiyeon received her J.D. from Temple University Beasley School of Law and is licensed to practice in Pennsylvania state court and before the U.S.D.C for the Middle District of Pennsylvania. Caitlyn earned her J.D. from University of Maryland Francis King Carey School of Law with a focus in cybersecurity and crisis management and is licensed to practice in Maryland state court.
Yesterday afternoon, July 1, 2026, the California Assembly Committee on Privacy and Consumer Protection passed an amended version of Senate Bill 690, paving the way for significant CIPA reform upon passage of the bill into law later this year. The newly amended bill passed in committee is currently limited to addressing liability under California Penal Code Section 638.51, known as the pen register / trap and trace provision.
As amended, SB690 would restrict CIPA’s private right of action under California Penal Code Section 637.2 so that only the Attorney General could bring actions against persons or entities under Section 638.51 when based on “an internet website, online application, or mobile application.” On its effective date, SB690 will also apply retroactively to any pending claim brought under Section 638.51 filed within the prior two years.
As currently drafted, SB690 is set to become effective as of January 1, 2027, and would cover all pending claims under Section 638.51 filed on or after January 1, 2025.
A broad coalition appeared at the committee hearing to voice their support for SB690. Committee member comments at the hearing indicated that further amendments aimed at curbing other CIPA litigation being pursued by private persons may be considered and added to the bill before the August 31, 2026 deadline for the entire Assembly and Senate to pass SB690 through a floor vote. Further amendments may address claims brought under CIPA Section 631(a), known as the wiretapping provision. Following passage by floor vote, unless signed into law earlier or vetoed by Governor Gavin Newsom, SB690 will become law on September 30, 2026.
Key Takeaways:
– The amendment eliminates a private right of action under the pen register / trap and trace provision (Section 638.51).
– The amendment would retroactively apply to claims filed within the two years prior to the effective date. As currently drafted, the amendment would become effective January 1, 2027, and would retroactively apply to any claims filed on or after January 1, 2025.
– Legislative momentum and a recognition of need for further change appears strong, with broad support and indications that additional amendments—potentially addressing the wiretapping provision under Section 631(a)—may be introduced before final passage.
Businesses should continue to monitor developments closely and assess their risk exposure, particularly with respect to website tracking and communication technologies. For additional information, please contact Kevin Dolan () and Jim Monagle ().