Michele Veltri is a Partner at Mullen Coughlin and focuses her practice on data privacy and security incident response and cyber risk management. She has counseled hundreds of clients in investigating and responding to incidents impacting the security of systems, software or data, including business account and email compromises; insider threats; malware infections; phishing attacks; ransomware attacks; tax fraud schemes; unemployment claim schemes; and fraudulent wire transfer attempts. She coordinates incident response efforts with client resources, third-party forensic specialists, crisis communications professionals and law enforcement to ensure that remediation and investigation efforts are handled quickly to minimize disruptions to daily operations and in compliance with legal, contractual or industry-specific notification and reporting deadlines.

Ms. Veltri understands the emerging threats to information security systems and has advised clients across many industries – including education, finance, healthcare, insurance, public service, technology, transportation and utilities – on efficiently responding to data privacy and security incidents while protecting her clients’ reputations. She counsels clients on their legal notice and compliance responsibilities required by state and federal law, as well as those stemming from industry-specific standards, ethical obligations and/or by contract.

Ms. Veltri has also represented numerous clients in inquiries by regulators, including state attorneys general, state insurance departments, state health departments and the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS-OCR). She has also coordinated with local law firms to assist clients during investigations brought by regulators outside the United States.

REPRESENTATIVE MATTERS

• Counseled an accounting firm that was impacted by a data privacy and security incident experienced by a third-party provider who handled clients’ files, resulting in notice obligations to more than 150 of their clients and more than 75,000 individuals on behalf of those clients; Represented client in a subsequent regulatory inquiry by a state attorney general, which ultimately resulted in no penalties or further actions taken against the client
• Counseled an international payment firm in their response to a data privacy and security incident involving unauthorized access to more than 30 employee email accounts; Coordinated with multiple law firms and vendors to satisfy notice obligations to customers, beneficiaries, employees and regulators in more than 50 countries; Represented client in two subsequent regulatory inquires in the United States and assisted in responding to multiple regulatory investigations outside the United States, none of which resulted in any penalties or further actions taken against the client
• Counseled a for-profit healthcare services provider after a widespread ransomware attack encrypted and stole patient data, ultimately recovering operationally, while also responding to a myriad of urgent requests from business partners and healthcare providers; Coordinated a swift Incident Response Plan (IRP) to satisfy rigorous notice and reporting obligations under applicable contracts, state laws, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH ACT)

SPEAKING ENGAGEMENTS & PRESENTATIONS

• “Alternative Compliance,” Continuing Legal Education, Devon, PA, June 2022
• “Requirements & Service Offerings for Credit Monitoring & Identity Restoration,” International Insurer, Jersey City, NJ, February 2020
• “Cybersecurity: What Municipalities Need to Know Now,” Massachusetts Municipal Association Annual Meeting, January 2020