Incident Response to Cybersecurity Breaches: State of Play

Evan Roberts is a Senior Managing Director in the Strategic Communications segment at FTI Consulting and is based in New York. Mr. Roberts is part of the segment's Crisis & Litigation practice and co-leads the firm's Cybersecurity & Data Privacy Communications offering. Mr. Roberts advises companies and develops multistakeholder communication programs around moments of significant change and crisis, including data privacy challenges, cybersecurity incidents and other crisis scenarios. He has particular expertise in designing and implementing complex issues management campaigns and providing crisis communications support around cybersecurity incidents. Mr. Roberts has counseled clients through nation-state attacks and ransomware incidents conducted by some of the highest-profile threat actors, as well as insider threats and third-party breaches that led to significant data compromise. In addition, Mr.Roberts has extensive experience counseling clients through cybersecurity preparedness exercises and designing scenario plans and response playbooks to prepare for a variety of potential cyber crises. Mr. Roberts has provided cyber response and issues management counsel to a range of companies, from publicly traded Fortune 500 businesses to smaller operators with less established infrastructure and communications functions. Mr. Roberts is a member of the International Association of Privacy Professionals ("IAPP") and has spoken at some of the most prominent cybersecurity industry events as an expert in cyber crisis communications. He was named North American Cybersecurity PR Professional of the Year in 2022 by the Cybersecurity Excellence Awards.

Jennifer A. Coughlin is a Founding Partner of Mullen Coughlin and its Managing Member, guiding the Firm in its commitment to provide effective and efficient data privacy and security legal services and develop, maintain and grow client and partner relationships. She focuses her legal practice solely on providing organizations of all sizes and from every industry sector in first-party data privacy and security incident response and third-party data privacy defense legal services.

Jenn has counseled hundreds of organizations in investigating and responding to data privacy and security incidents compromising protected data and network and system security, such as ransomware attacks, business email compromises (BECs) and other network intrusions, among others. She works closely with various organizational and third-party incident response stakeholders including cyber insurance claims teams; forensic investigation and data mining firms; law enforcement; and business partners. Once the incident is contained and the nature and scope is identified, she relies on her knowledge of state, federal and international laws, as well as industry-specific guidance and regulations to assist the victim organization with identifying and complying with legal obligations stemming from the incident.

While Jenn has represented organizations from virtually every industry group, she has a particular focus on organizations within the healthcare and life sciences; financial services; hospitality and entertainment; retail/e-commerce; and professional services industry groups. She also represents these organizations with follow-up inquiries related to data privacy and security incidents by state, federal and international regulatory agencies, including state attorneys general; state insurance and health departments; the Federal Trade Commission (FTC); and the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS-OCR).

In addition to the first- and third-party legal services she provides, Jenn also assists organizations with pre-incident Advisory Compliance services. She routinely leads tabletop exercises and other training efforts for client’s employees, management and Board members. She also aids in data privacy and information security policy and procedure development, including the development of Incident Response Plans (IRPs).

As the Firm’s Managing Member, Jenn leads the 115 Mullen Coughlin attorneys in the provision of exceptional data privacy and security legal services and the management of client and third-party vendor relationships. She also, in collaboration with the Firm’s equity members and department chairs, oversees the development and implementation of legal, administrative and organizational strategies.

Jenn is a frequent speaker and collaborator at industry, client and legal conferences and events. She is often sought after by organizations to present valuable information regarding incident response and data privacy to their teams and clients. In turn, she has developed strong relationships with cyber insurance carriers and brokers, industry thought leaders, third-party incident response partners and law enforcement.

Prior to founding Mullen Coughlin with John Mullen, Chris DiIenno and Jim Prendergast (deceased) in 2016, Jenn was a Partner at a full-service law firm in their Data Privacy & Cybersecurity practice group.

Chris Cwalina is the Global Head of Cybersecurity and Privacy at Norton Rose Fulbright. He concentrates his international practice on cybersecurity and privacy compliance and program development, with a focus on complex cybersecurity attack and data breach investigations, primarily involving sophisticated threat actor groups and advanced persistent threats focused on critical infrastructure entities. Having been in-house for a decade, Chris understands clients' challenges, priorities, and concerns, and knows what clients expect from their outside counsel.

Chris has managed some of the largest data breaches that have occurred. He began his career in privacy as vice president and assistant general counsel at ChoicePoint Inc., where he ran the company's Privacy, Compliance, Ethics and Credentialing Department and helped lead the company's response to the first publicly-reported data breach. This occurred at a time when only one state breach notification law had been enacted. While at ChoicePoint, Chris helped the company respond to a Federal Trade Commission (FTC) investigation and complaint, Congressional inquiry, a U.S. Securities and Exchange Commission (SEC) investigation, an investigation and complaint brought by a coalition of state attorneys general offices, as well as managed a number of class-action complaints.

Since the inception of state breach notification statutes, Chris has helped companies respond to countless cybersecurity events, incidents, and data breaches, on an international scale, involving external and internal threats and sophisticated threat actors with a variety of motives. He has handled theft of credit card data, intellectual property, trade secrets and confidential company information, health information, employee information, personal data and personally identifiable information.

Chris provides advice and counsel on the full lifecycle of cybersecurity and privacy compliance and risk management. He advises clients on how to prepare for a security incident to help them be in the best position possible prior to an incident occurring. This counsel involves assessing and developing appropriate governance and organizational structures, incident response programs, as well as conducting incident response workshops and exercises. These techniques and procedures are designed to prepare companies to respond to security incidents quickly, efficiently and in a manner that complies with applicable laws and regulations while simultaneously mitigating risk and preserving customer relationships.

As soon as a security incident occurs, Chris serves as "breach coach" and works closely with CISOs and SIRTs assisting his clients with leading the investigation, containment and remediation of the incident, and developing effective communications, which are designed to preserve customer relationships and minimize the likelihood and consequences of litigation and regulatory investigations. Chris also helps companies deal with the fallout of an incident by responding to resulting state, federal and international regulatory inquiries and investigations. He also defends clients in related litigation, including actions brought by consumers, shareholders, employees, and others.

Chris has represented companies in a wide range of industries, including a number of companies in critical infrastructure sectors, energy, oil & gas, communications, retail, transportation, hospitality, life sciences and healthcare, insurance, financial services, technology, advertising and marketing, entertainment, and education.

Chris brings his years of experience to provide proactive counsel on the complex regulatory issues pertaining to cybersecurity and privacy programs and data collection, use, maintenance, transfer, and sharing. He regularly presents to boards of directors and advises on governance and cybersecurity risk disclosure obligations. He advises clients on regulatory issues and legislative affairs pertaining to the full range of cybersecurity, data governance, data privacy and cross-border transfer issues with a focus on technology, mobile and online practices. Chris also provides counsel on compliance with COPPA, GLBA, HIPAA, FCRA, ECPA, CPNI Rules, TCPA, and other state and federal privacy and security laws as well as international privacy laws, regulations and directives, including the EU General Data Protection Regulation (GDPR).

Travis co-chairs Cooley’s global cyber/data/privacy practice. He is a top authority on cybersecurity, data privacy, telecommunications, and the regulation of emerging and innovative technologies. Drawing on his broad experience in federal and state government, he helps clients manage regulatory and litigation risk, as well as strategically respond to data breaches, cyberattacks, nation-state attacks, dissemination of stolen data, misinformation campaigns and government enforcement efforts, including those by the Federal Trade Commission (FTC), Federal Communications Commission (FCC) and state attorneys general.
In addition to advising boards of directors and senior corporate officers on crisis management, internal investigations, information governance and national security matters, Travis counsels clients on antitrust investigations, telecommunications strategies and regulatory enforcement responses. The respect and skills Travis has earned during his career have translated into appointments across the political spectrum, including his selection by the US Department of Commerce and the European Commission to serve as an arbitrator for the EU-US Privacy Shield Framework and his unanimous US Senate confirmation to the US Privacy and Civil Liberties Oversight Board.
With his broad understanding of technology, media and telecommunications, as well as his senior government experience at the national and state levels, Travis is uniquely positioned to advise and represent clients in litigation on a range of data privacy, cybersecurity and information management issues, including data breaches, class actions and government enforcement actions. Travis has assisted clients with federal and state telecommunications needs, including FCC proceedings and regulations and merger reviews. He has worked with Congress and other regulatory agencies on behalf of clients and advocated for emerging and established technology companies before regulatory bodies. He also has worked closely with senior officials at other federal, state and international agencies, including the FTC, US Securities and Exchange Commission (SEC), Consumer Financial Protection Bureau (CFPB), Department of Justice (DOJ), all 50 state attorneys general, and data protection authorities (DPAs) across the globe. His deep understanding of the regulatory and legal landscapes helps Travis strategically respond to and favorably resolve government inquiries and legal disputes.
Travis currently serves on the US Privacy and Civil Liberties Oversight Board (PCLOB), a position he has held since 2019 after being nominated by then-President Donald Trump and confirmed by the Senate. Travis was renominated to the board by President Joseph Biden in 2022. Travis is the only former chief of the FCC’s Enforcement Bureau in privacy practice. As former chief of the FCC’s Enforcement Bureau during the Obama administration, Travis spearheaded hundreds of enforcement actions involving consumer issues, such as false advertising and the Telephone Consumer Protection Act (TCPA), unfair competition, regulatory compliance, and fraud, waste and abuse of government programs.
Travis previously served as a senior adviser to former California Attorney General (now Vice President) Kamala Harris and as special assistant attorney general of California, where he oversaw the state’s complex policy and litigation in areas including technology regulation, high-tech crime, cybersecurity, privacy, intellectual property, antitrust, healthcare, telecommunications and human trafficking. Before this high-profile California role, he served during the Obama administration as an attorney in the DOJ’s Office of Legal Counsel, which advises the president, attorney general and executive branch agencies on the constitutionality and legality of US government programs and activities.
Travis’s background and leadership roles, as well as his practice at leading law firms, have translated into advising clients – both nationally and globally – on responding to and finding solutions for novel local, state, federal and cross-border issues. He also has represented companies, boards, founders, CEOs, executives and other prominent individuals in a diverse array of complex and bet-the-company civil litigation, government investigations and advisory matters.