Mullen Coughlin, Cybersecurity & Data Privacy

At the annual “Cyber Risk Awards” presented by Advisen Ltd. in New York, NY, Mullen Coughlin (MC) was voted Cyber Law Firm of the Year; MC received this award in 2017, 2018, and most recently, in 2021. In addition, Mullen Coughlin Co-Founder and Managing Member Jennifer Coughlin was honored as the Cyber Risk Industry Person of the Year – USA.

The Cyber Law Firm of the Year award recognizes a law firm that has been “unparalleled in its work within the cyber insurance space in 2021.” Under the umbrella of cyber insurance, MC counseled organizations in their response and investigation into nearly 4,000 data security incidents in 2021. MC represented over 65 organizations in data privacy and security litigation and provided pre-incident advisory compliance services to over 200 organizations.

“Mullen Coughlin wins nothing, and does not even exist, without the faith and support of our insurance carrier and broker partners. We thank them for this recognition,” said CEO John Mullen.

The Cyber Risk Industry Person of the Year is awarded to individuals who demonstrate to the entire cyber community “dedication, foresight and leadership” while “enhance[ing] and develop[ing] the treatment of cyber risk through the past year.”

Jennifer co-founded Mullen Coughlin in 2016, and as the firm’s Managing Member, has steadily led its growth through 2021 and beyond. One of six female equity members of MC, Jennifer continues to develop and implement data privacy and security practices and incident response services industry-wide. As a trusted partner to MC’s carrier and broker clients and third-party business partners, Jennifer is often asked to speak at client and industry-wide events due to her exceptional knowledge and insight into the data privacy and security and cyber insurance industries. Since its founding, MC has grown to over 90 attorneys and 120 support staff.

Jennifer remarks, “My recognition as the Cyber Risk Industry Person of the Year for the USA is only possible because of the amazing team of attorneys and non-attorneys at Mullen Coughlin, all of whom share a focus and commitment to being the best business partner to the cyber insurance industry. In addition to thanking cyber carriers, brokers and insureds for this award, I applaud and give all kudos to the entire Mullen Coughlin team.”

John adds, “Jenn is an industry leader with unrivaled energy, knowledge and connectivity skills. She is terrific example to all. Well done!”

With over 90 attorneys solely practicing data privacy and security law and experience in handling over twenty thousand data privacy and security events on behalf of organizations of all sizes, across all industry sectors and in all geographic locations, Mullen Coughlin is uniquely dedicated to providing bespoke counsel relating to pre-incident advisory compliance services; data privacy and security incident response; regulatory investigation defense; and single-plaintiff and class action data privacy litigation defense. For more information, please visit www.mullen.law.

A pair of recently-issued court decisions provide significant assistance to healthcare providers who are considered Federally Qualified Health Centers (FQHC) and are facing litigation following a data security incident; both appear to be cases of first impression.

The United States District Court for the District of South Carolina found that FQHCs who tender the defense of data security claims to the federal government under the Federal Tort Claims Act (FTCA) (28 U.S.C. § 1346(b)) may substitute the United States as a defendant. Under the FTCA, a FQHC is entitled to absolute immunity “…for actions arising out of the performance of medical or related functions…” (Hui v. Castaneda, 559 U.S. 799, 806 (2010), citing 42 U.S.C. § 233(a)). Thus, for claims subject to the FTCA, a plaintiff must bring his or her claim against the United States, rather than the FQHC itself. Historically, the FTCA had only been applied to medical malpractice claims, and until now, it was a disputed issue whether the FTCA could be invoked by a FQHC facing litigation over a data security incident.

The same District Court, in Mixon v. Caresouth Carolina, Inc. (Case No. 4:22-cv-00269) and Ford v. Sandhills Medical Foundation (Case No. 4:21-cv-02307), granted a motion to substitute the United States in place of an FQHC sued over a data security incident, despite the motion having been opposed by the United States itself.

The District Court found that both of the above-mentioned data security incidents arose out of medical functions subject to the FTCA. Because patients were required to provide their personal information to the FQHCs to receive medical services, and federal law imposes a duty to maintain the confidentiality of patients’ medical information, the United States is the appropriate defendant. Accordingly, due to the immunity provided to FQHCs under the FTCA, the FQHCs are no longer defendants in the litigation.

Although it remains possible other courts will decide these issues differently, these decisions are a welcome development for FQHCs facing litigation stemming from data security incidents.

Mullen Coughlin incorporates this development into its strategic advice to its clients. We will continue to monitor evolving case law on these and other issues relevant to data security litigation and will provide related updates as warranted.

If you have any questions about these cases, how it may affect your organization or if you have been faced with data security litigation, please contact the Mullen Coughlin Litigation team – Claudia McCarron (; 267.930.4787) or Jim Monagle (; 267.930.1529).

At the 2022 Injury Board Pathfinders Conference, Partner Kevin Mekler presents the session “Cyber Security for Law Firms – Why Law Firms Make Prime Targets for Criminals” on June 27 from 1:15 pm-2:00 pm.

Law firms do not operate like other businesses, and due to this uniqueness, they are often prime targets for cyber criminals. As part of the Competition: Staying Relevant track of the conference, Kevin presents to attendees about current trends in cyber-criminal activity towards law firms, how an attack can happen and considerations for safeguarding systems and data.

Founded in 2021, the Injury Board is a membership organization comprised of leading trial attorneys throughout the United States and the United Kingdom. The annual Pathfinders Conference brings together members of the Injury Board for access to thought leadership and emerging opportunities and threats on the horizon of civil trial law, society, politics and technology.