Cases
Experience: Cyber Liability - Breach Response: Served as lead incident response counsel in connection with the largest data breach in our client's industry. By building collaborative teams across the organization
within GT, we were able to help the client respond effectively. The incident response was built to facilitate a strong legal defense before regulators
in class action litigation. Even though the breach was the largest in its industry sector, GT's collaborative approach resulted in resolution with a myriad of state
federal regulators without assessment of any fine or penalty. The approach also provided factual
expert information that facilitated settlement of the $6.5 billion class action for considerably less than six figures. GT's collaborative team approach was essential to obtaining this result.
Acted as lead counsel
defended multi-state litigation of our client's attorney rating service's right to post accurate information about a disgruntled attorney. Obtained dismissal of all claims made against our client. Also obtained a precedent-setting award of attorneys' fees to our defendant client under Washington's anti-SLAPP law in Davis v. Avvo, Inc., U.S. District Court, Western District of Washington, 2012 (U.S. Dist. Lexis 43743).
Acted as lead counsel
obtained summary judgment in the precedent-setting federal court opinion in Worix v. MedAassets, 869 F. Supp. 2d. 893 (N.D. Ill. 2012), which alleged that the company was negligent in safe-guarding the plaintiff's personal
health information when a hard drive containing patients' information was stolen from an employee's vehicle. The plaintiff alleged violations of the Stored Communications Act (SCA), Illinois Consumer Fraud Act (ICFA), negligence,
negligence per se,
sought to exp
the putative class to include patients of multiple facilities in addition to the facility at which the named plaintiff was treated
Illinois common law. Rather than challenging st
ing at the certification stage, we proceeded aggressively in discovery of the plaintiff,
moved for summary judgment
stayed the plaintiff's discovery of our client pending the court's summary judgment ruling. Notably, the court made several findings: 1) time spent researching credit monitoring services
identity theft protection services does not constitute actual damage recoverable under the ICFA
2) emotional damages alone are not sufficient to constitute actual damages under the ICFA
3) no reasonable jury could conclude that the alleged breach proximately caused the plaintiff's alleged injuries
4) the plaintiff's alleged damages were not reasonably foreseeable.
Assessed cybersecurity governance
compliance issues to facilitate acquisition negotiations.
Assessed cybersecurity preparedness, governance
legal defensibility of large utility company, including evaluation of privacy
security policies
practices, as well as nine other indicators of good cybersecurity practices
defensibility. Obtained information from a wide variety of employees across numerous operations,
provided the General Counsel with summarizing findings
recommendations. Our informal recommendations were being implemented while interviews were still underway.
Acted as lead counsel responding to a breach of a Fortune 100 hospitality company's large customer database. Analyzed
confirmed the scope of the breach, created a customized call centering protocol to assist individuals who may have been impacted,
arranged for identity restoration services.
Served as lead incident response counsel for a technology services contractor in connection with a lost laptop
flash drive that contained Personally Identifiable Information
Personal Health Information provided by its business clients: a teachers' union, scholarship fund,
non-profit organizations. To determine our client's notification obligations under state law, we analyzed hundreds of spreadsheets, tables, fields,
partial databases,
with careful analysis, were able to reduce the number of impacted individuals requiring notification. Ultimately, the exposed data included PII
PHI of individuals in 36 jurisdictions, requiring compliance with the breach notification laws of each jurisdiction. We notified the subcontractor's business clients
worked with each to craft a collaborative breach response tailored to each business client's unique population
concerns. These plans included joint issuance of notification letters to impacted individuals
the provision of credit monitoring
identification restoration services.
Notably, formal notification was provided to the teachers' union while the union was in the midst of negotiating a new contract with the School Department. The union's initial response was very aggressive toward our technology services contractor client,
it appeared that the union's Board would support its members in filing suit against our client. We collaborated with the union's treasurer, secretary,
its outside counsel to develop
execute a data breach response plan that met the union's expectations
was manageable for our client. We also provided a presentation describing the nature of the information disclosed, the proposed breach response plan,
the service offerings to be provided to impacted individuals,
were successful in obtaining the support of the union's Board
members.
Coordinated responses to numerous regulator inquiries. One of our client's customers received a written request for additional information regarding the event as well as its security practices from the Executive Office of Health
Human Services,
requested that our client provide guidance. In order to minimize any potential exposure to our client, we assisted our client's customer in crafting appropriate responses to the regulators,
there were no further inquiries. We also provided written
oral responses to requests our client received from the Massachusetts Attorney General. Despite the significance of the security incident, our client was not sued, fined, or penalized by regulators.
Defended a media network that provides interactive online advertisements in a high- exposure, high-profile cyber class action matter. Plaintiffs alleged that our client used local shared objects stored in Adobe Flash Media local storage to regenerate certain information stored in Internet users' HTTP browser cookies after users deleted those cookies. Convinced plaintiffs' counsel
the court that these allegations were false,
negotiated a favorable settlement for the client that was significantly less than similarly situated defendants.
As lead incident response counsel, defended a large technology service provider with a credit card breach situation involving assets that recently had been acquired by the client but had yet to be migrated to the client's more secure systems. Negotiated the resolution of a complex multimillion-dollar dispute against our client stemming from zero day attack on data in transit. Attained settlement at 20% of the amount asserted against the client, despite evidence demonstrating that client's vulnerability
responsibility. The claim, pursued by a major U.S. bank, credit card companies,
a Fortune 500 corporation, involved coordinated data theft from hundreds of automatic teller machines by the organized crime in Eastern Europe. Although there was considerable news coverage of the data breach, with our assistance, the client maintained a low profile
avoided media attention, successfully protecting its br
.
Worked collaboratively with co-counsel to attain a low six-figure settlement of data tracking class actions. A class action suit was filed in Arkansas,
plaintiffs' counsel issued a settlement dem
that was excessive. Rather than respond to the Arkansas plaintiffs' unreasonable dem
, we engaged a well-respected mediator
a New York-based privacy advocate with whom we previously settled another flash cookie class action on favorable terms. We engaged in settlement negotiations
ultimately resolved the national class action that was filed by the New York privacy advocate in federal court along with the proposed settlement agreement. As planned, the settlement which ultimately was approved by the court, also settled the claims of the Arkansas plaintiffs' class.
Based on careful review
challenges to a forensic report concerning breach of credit card data, we convinced a merchant bank
credit card br
to reverse a significant fine assessed against a hospitality company. This unprecedented result permitted our client to earn a profit during the year when the breach happened, rather than facing a significant loss.
Aided a Fortune 100 hospitality company in response to the breach of a large customer database. Analyzed
confirmed the scope of the breach, created a customized call centering protocol to assist individuals who may have been impacted,
arranged for identity restoration services.
Represented an accountant with an international tax practice whose computers were stolen out of his office. Provided communication to notify the accountant's clients, determined the scale of the breach,
arranged with an outside vendor an identity restoration solution.
Led a team of attorneys in a breach response for a health care facility. Obtained identity restoration services after a hard drive with key data was stolen
ensured compliance with breach notification laws. Addressed HIPAA issues
coordinated with local regulators.
Punitive Damages: Acted as special counsel following an oil spill against an oil refinery on the appeal of punitive damages assessed. Class action plaintiffs asserted that punitive damages should be assessed based on either Texas or Oklahoma law, even though the spill took place in Louisiana. Argued that constitutional challenges to the award of punitive damages based on the laws of Oklahoma or Texas without applying the protections inherent in those jurisdictions' punitive damages constructs
without specifying which jurisdiction's law applied. The Supreme Court of Louisiana reversed the award of punitive damages in a 2012 verdict.
Acted as counsel of record in the appeal of a punitive damages award that resulted in the death of a mother who did not receive a timely blood transfusion during surgery for a hospital defendant. H
led punitive damages portion of the appeal with local counsel focused on compensatory issues. Also obtained friend of the court support from the Kentucky Chamber of Commerce as well as a competing hospital. Argued on appeal that by statute, punitive damages cannot be assessed in Kentucky absent proof that the corporate defendant participated in, ratified or authorized a specific employee's wrongful conduct. The Supreme Court of Kentucky reversed the lower court
held that punitive damages were not warranted against the hospital, as it was not complicit in the conduct of the nurse
blood bank employees who were found responsible for the delay in obtaining blood during surgery in a 2011 verdict.
Acted as punitive damages counsel for appeal
post-verdict motions of record-setting punitive damages award assessed against a hospital in New Mexico. After post-verdict investigation, determined that a juror failed to disclose his bias against hospitals during voir dire, including the fact that his wages were being garnished by a hospital during the trial. Obtained testimony
created a trial court record that the juror encouraged other jurors during jury deliberations to get this hospital. Obtained a supersedeas bond of 50 percent less than the statutory amount
a stay of judgment.
Acted as punitive damages counsel for a global chemical company facing a class action stemming from the release of airborne chemicals over a residential area. Prosecuted a punitive damages offense, including challenges to financials
trial phasing as well as a variety of constitutional
factual challenges. Resulted in a pretrial settlement at approximately 10 percent of plaintiffs' dem
prior to our retention.
The above representations were h
led by Ms. Nugent prior to her joining Greenberg Traurig, LLP .
