Elizabeth (Liz) Dill, CIPP/US is a Partner at Mullen Coughlin, located in Richmond, Virginia. She focuses her practice on counseling and representing clients across all industries, including in the healthcare and life sciences; financial services & insurance; education; professional services; retail/e-commerce; manufacturing and distribution; and technology industry sectors, as well as non-profit organizations and governmental entities, in all facets of data privacy and security preparedness and incident response.

Liz is Co-Chair of the firm’s Advisory Compliance practice group. She routinely advises her clients on the development of comprehensive data privacy and security compliance programs tailored to their industry sector and geographic scope of operations in compliance with numerous U.S. federal and state data privacy and security statutes and regulations, including the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the California Consumer Privacy Act (CCPA), and its amendment the California Privacy Rights Act (CPRA); the Virginia Consumer Data Protection Act (VCDPA); the Colorado Privacy Act (CPA); the Utah Consumer Privacy Act (UCPA); and the European Union’s General Data Protection Regulation (GDPR), among others. Initiatives in developing these data privacy and security programs include:

• preparing policies relating to the collection, handling and sharing of legally protected information;
• development of website and mobile application privacy policies;
• creation of vendor management processes;
• establishing processes, policies and technological infrastructure for verifying and responding to consumer requests;
• evaluation and modification of business processes relating to consent management and financial incentives; and
• analysis of cross-border data transfer issues, among others.

Liz also counsels organizations through information security preparedness tailored to her clients’ industry sector and geographic location, in compliance with applicable federal and state laws and industry best practices, including HIPAA; GLBA; New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and Department of Financial Services (NYDFS) Cybersecurity Regulation; the Massachusetts Information Security Standard; and the National Association of Insurance Commissioners (NAIC) standards. These initiatives include:

• preparing and updating information security programs and Incident Response Plans (IRPs);
• directing data and network infrastructure mapping exercises and security assessments;
• conducting mock data privacy and security incident preparedness tabletop exercises; and
• assessing contracts and vendor management programs to ensure that risks, rights and obligations relating to data privacy and security are crafted to appropriately allocate risks and protect clients’ interests.

Additionally, Liz devotes her practice to counseling clients who are experiencing any manner of data privacy and security incident, including ransomware; business email compromises (BEC); Payment Card Industry (PCI) incidents; inadvertent disclosures; and device theft. In this role, she manages the full lifecycle of an incident response, including:

• the facilitation of the incident investigation;
• managing communications as the response progresses;
• reporting to law enforcement;
• analyzing contractual and statutory notification obligations;
• effectuating notification to consumers and regulatory authorities; and
• interfacing with regulatory authorities during informal and formal investigations into an incident.

Using her background as a complex commercial litigator and former role as a law firm assistant general counsel, Liz has also defended clients in single-plaintiff and class action litigation and government investigations arising out of data privacy and security incidents. These experiences have served to provide her with a holistic understanding of the legal and business liabilities that may be implicated when a data privacy and security incident occurs, and the importance of limiting these potential liabilities when managing the response to an incident.

SPEAKING ENGAGEMENTS & PRESENTATIONS

• “Maturing Beyond the Plan: Developing the Infrastructure for Effective Cybersecurity Incident Response,” 2024 Privacy+Security Spring Forum, Washington, D.C., May 9, 2024
• “Document Swap: A Practical Guide to Cyber and Incident Response Policies and Crisis Management,” American Conference Institute (ACI) Cybersecurity Law & Compliance Conference, Washington, DC, February 27, 2024
• “2023 Cyber Legal Trends & 2024 Predictions,” Council of Independent Colleges in Virginia (CICV) 2023 Risk Management Conference, Charlottesville, VA, November 30, 2023
• “Operationalizing Privacy Law in the Transactional Realm,” 2023 Privacy+Security Fall Forum, Washington, D.C., November 10, 2023
• “Future of Cyber Losses,” Virginia Chapter of RIMS’s 2023 Educational Conference, Virginia Beach, VA, October 4, 2023
• “A Website Privacy Playbook for Legal, Marketing and IT,” 2023 Privacy+Security Spring Forum, Washington, D.C., May 12, 2023
• “Effective Cyber Incident Response – Keys to Success and Avoiding Critical Pitfalls,” American College of Construction Lawyers (ACCL) 2023 Annual Meeting, Bonita Springs, FL, February 25, 2023
• “Trends in Cyber Security Threats & Data Privacy Laws,” Virginia Chapter of RIMS’s 2022 Educational Conference, Virginia Beach, VA, October 6, 2022
• “10 Essential Cyber Controls,” Kroll Webcast, Virtual, November 4, 2021
• “Cyber Claims Handling Best Practices,” NetDiligence Cyber Risk Summit 2020, Virtual, July 21, 2020
• “Ransomware: To Pay or Not To Pay,” NetDiligence Cyber Risk Summit 2019, Philadelphia, PA, June 14, 2019
• “Effective Preparation Against Ransomware Attacks,” CLM Business Insurance Cyber Summit, New York, NY, October 12, 2018