.

Defense Digest

On the Pulse…Data Breaches and Ransomware Attacks: Getting to Know Marshall Dennehey’s Privacy and Data Security Practice Group

Defense Digest, Vol. 27, No. 4, September 2021

September 1, 2021

by David J. Shannon

Solar Winds, JBS, Kaseya…the list goes on and on each week, as more and more ransomware cyberattacks occur. The public is inundated with announcements of businesses being crippled by data breaches and ransomware attacks by foreign hackers and state-sponsored cyberterrorists. Here at Marshall Dennehey, our Privacy and Data Security Practice Group is focused on helping clients, large and small, in reducing their cyber risk exposures and guiding them through the inevitable incident response, containment and compliance measures that are needed after a data breach or ransomware attack occurs. Our firm is staffed to respond to time critical situations 24-7, and we work with clients to reduce their exposure to the risk and liability that happens when a cyberattack occurs.

Marshall Dennehey has been focused on data breach litigation since 2010, handling hundreds of data breaches and helping clients respond and recover. As we have seen, the rise of criminal ransomware and other data breach attacks can lead to crippling business interruption for businesses throughout the United States. Our ability to provide a customized approach is the key to our success in resolving all types of cyber incidents. We partner with each client, focusing on not only the future defense to litigation or regulatory action, but also the business’s ability to get back up and running as quickly as possible.

Our attorneys have assisted in corporate ransomware attacks where hundreds of thousands of dollars have been at stake. We have also helped smaller businesses, such as health care providers, with data breach mitigation to allow them to treat their patients in an uninterrupted environment.

In Philadelphia, Karen Grethlein and I handle a large portion of this litigation. Karen is a graduate of Johns Hopkins University and Drexel University Thomas R. Kline School of Law, and she has been with us since 2017. She is active in the Pennsylvania Bar Association and is the current president of the Philadelphia Chapter of the National Association of Women in Construction, where she has lectured on cybersecurity in the construction industry. Karen often advises clients of their statutory reporting obligations following a data breach and encourages them to adopt a proactive approach to data security.

R. David Lane, Jr., shareholder in our New York City office, devotes the entirety of his practice to privacy and data security, representing clients through all stages of data breach response, including investigations, compliance with data breach notification laws and regulatory investigations. Accredited by the International Association of Privacy Professionals as a Certified Information Privacy Professional CIPP/US, David routinely advises clients on legal compliance with state, federal, and international privacy and data security laws. He is a graduate of the University of Florida and the University of Florida Levin College of Law.

As chair of the practice group, I have been handling data breach litigation since the practice’s inception more than 10 years ago. When a breach involves the theft or disclosure of trade secrets, or the violation of a company’s social media policy, my experience as leader of the firm’s Technology, Media, and Intellectual Property Litigation Practice Group is put to good use. In this capacity, I am able to provide critical and immediate counsel, including assisting clients in appropriately and effectively communicating with employees who may be suspected of involvement with a breach incident. I am a graduate of Denison University and Widener University School of Law, and I frequently lecture on cybersecurity and data breach topics to insurance and legal audiences.

            As a full-service insurance defense firm, we have assisted health care, education, finance, banking, retail, energy and utility services throughout the United States in responding to data breaches. Our firm has handled these incidents in all 50 states, and also has handled international events. We work with the clients in notifying either a small number of individuals or hundreds of thousands of affected customers or patients. Working with our health care group, we are able to ensure that HIPAA/Hitech compliance occurs. We are able to ensure that educational FERPA regulations are complied with, as well as all financial and banking SEC and FINRA regulations.

Finally, we continue to assist retail entities in complying with the Payment Card Industry-Data Security Standards (PCI-DSS) compliance. With our extensive experience in defending business entities in consumer-related litigation, we have the attorney resources to manage every aspect of a data breach, from the initial scoping calls with forensic companies to class actions lawsuits that are filed by affected individuals.

If worries about cyberattacks keep you up at night, please don’t hesitate to get in touch. We are here to help and look forward to working with you.

*David, a shareholder, chairs the Privacy & Data Security Practice Group at Marshall Dennehey. He may be reached at djshannon@mdwcg.com or 215.5752615.

Defense Digest, Vol. 27, No. 4, September 2021 is prepared by Marshall Dennehey Warner Coleman & Goggin to provide information on recent legal developments of interest to our readers. This publication is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. ATTORNEY ADVERTISING pursuant to New York RPC 7.1. © 2021 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved. This article may not be reprinted without the express written permission of our firm. For reprints, contact tamontemuro@mdwcg.com.

Firm Highlights

Result

No-Cause Jury Verdict Secured in Wrongful Death Trial

We successfully obtained a no-cause jury verdict in a 13-day wrongful death trial. The decedent, a 59-year-old man, was admitted to the emergency room on February 15, 2019, with complaints of abdominal pain, decreased appetite, and constipation, despite the use of laxatives. The patient did not complain of any nausea, vomiting, or diarrhea. He had a significant medical history including diabetes, hypertension, prior coronary artery stenting, morbid obesity (with past gastric bypass surgery), longstanding ventral hernia, and back pain. A CT scan revealed multiple hernias and a potential closed-loop bowel obstruction, leading to a surgery consultation. Our client, an emergency general surgeon, interpreted that the patient did not have a closed loop or any significant obstruction and recommended non-surgical management. The patient was approved to have clear liquids, and had a vomiting incident shortly after, but our client was not notified. The patient was returned to NPO status, and after improving overnight, he was returned to “clears” and additional medical and renal consults were ordered. Our client did not receive any communications from the residents/nurses of any changes in the patient’s condition. On February 18, 2019, two rapid responses were called due to increased heart rate and vomiting. It is believed that the vomiting resulted in aspiration, causing sepsis, ultimately leading to the patient’s death. During the trial, the plaintiff’s sole medical expert highlighted imaging on the wrong hernia, which called into question all of his opinions in the case. We made key objections related to the expert testimony, limiting what the allegations were, and preventing new allegations from being made. After approximately two and a half hours of deliberating, the jury returned a no-cause verdict. 

Thought Leadership

Legal Update for Special Education Law: Recent Positive Outcomes From the Group

Hearing Officer Confirms District Acted Appropriately Under IDEA and Section 504 Atty. William J. McPartland (Scranton) obtained a finding in favor of our client, a school district, on all issues following a due process hearing. The parent had filed a due process complaint alleging that the school district had breached its child find duty under the IDEA and Section 504, that the school district had discriminated against the student on the basis of disability in violation of Section 504, and that the school district had denied a free and appropriate public education to the student both by developing inadequate IEPs and via an actionable procedural violation.  Specifically, the student had received a Section 504 evaluation in October 2023, after a number of behavioral infractions culminating in a fight in September 2023, was identified as having anxiety and a sleep disorder, and received appropriate Section 504 accommodations. The student had never previously demonstrated signs of a learning disability, and the parent denied the school district permission to evaluate the student for special education needs in November 2023, and January 2024. The parent granted the district permission to evaluate the student in October 2024, after a private psychologist diagnosed the student with Attention Deficit Hyperactivity Disorder, possible Oppositional Defiance Disorder, a learning disorder, and anxiety. The school district issued a special education evaluation report in December 2024, finding that the student had an emotional disturbance and other health impairment, and an IEP providing an itinerant level of emotional support, as well as instruction in academics and social skills, was issued in January 2025, and amended in February, March, and April 2025. The student withdrew from the school district in April 2025, to attend a cyber charter school. The hearing officer determined that the school district had not violated its child find duty to the student in violation of either the IDEA or Section 504 where the district developed a Section 504 plan for the student within a month and a half of the parent’s first request for a Section 504 evaluation and where the parent repeatedly denied consent to conduct an IDEA evaluation of the student. The hearing officer noted that the student’s sporadic record of behavioral infractions prior to September 2023, did not suggest that the student had a disability prior to the parent’s initial request for an evaluation. The hearing officer further determined that no evidence had been produced to suggest that the student was discriminated against on the basis of disability in violation of Section 504. Additionally, the hearing officer determined that the IEP offered to the student was substantively adequate and that, to the extent the social and emotional programming offered by the school district was not received by the student, this resulted from the parent’s refusal to accept the same. The hearing officer finally determined that the school district did not commit an actionable procedural violation by delaying development of an IEP for the student where the parent repeatedly denied consent to evaluate the student. Court Dismisses Three of Four Claims Against School District Attys. Christopher J. Conrad and Daniel P. McGannon (Harrisburg) achieved a significant early victory on behalf of a school district client in. The team successfully obtained dismissal of three of the four claims asserted in the plaintiff’s amended complaint. The former district superintendent brought multiple claims arising out of his alleged “forced resignation,” including age discrimination under the ADEA, a Section 1983 Equal Protection claim, a Pennsylvania Whistleblower claim, and breach of contract. On behalf of the district, the defense team moved to dismiss the complaint in part, arguing: The plaintiff failed to plead sufficient facts to support a prima facie case of age discrimination. The equal protection claim was barred because the ADEA provides the exclusive federal remedy for age-based employment claims. The breach of contract claim could not stand because the underlying employment agreement had expired prior to the alleged breach. The court agreed, dismissing the ADEA, equal protection, and breach of contract claims in their entirety. As a result, only a single claim under the Pennsylvania Whistleblower Law remains pending. This outcome substantially narrows the scope of the litigation and positions the client for a more efficient defense moving forward.

Thought Leadership

Featured Conversations... Key Takeaways from A.M. Best’s Webinar on the Misuse Defense in Product Liability Claims, Featuring Michael Salvati

Michael Salvati, shareholder in our Philadelphia office, was a panelist for the April A.M. Best webinar, “The Misuse Defense: Strategic Approaches to Defending Product Liability Claims for Insurers.” During the program, Michael and his fellow panelists offered practical, jurisdiction‑specific guidance on how misuse and failure‑to‑warn theories intersect in modern product liability litigation. Michael emphasized the unique challenges these claims present—particularly in states like Pennsylvania, where evidentiary rules diverge sharply from those applied in many other jurisdictions. Failure to Warn as the “Flip Side” of Misuse Salvati explained that failure‑to‑warn allegations often arise as a direct counter to a misuse defense. As he noted, “If our misuse defense is that the plaintiff didn't use a product properly or safely, then the failure to warn claim is that we didn't tell them how to use it properly.” He emphasized that these claims can stem from either the absence of warnings or criticisms of existing warnings, such as insufficient specificity or lack of clarity about risks. Pennsylvania’s Unique Evidentiary Landscape One of Salvati’s most notable points was the stark difference in how Pennsylvania treats evidence of compliance with industry standards. He highlighted that Pennsylvania is “one of the only states…where that evidence is not admissible” in strict liability cases. Manufacturers cannot rely on compliance with ANSI, UL, ISO, or even federal safety standards to defend the product against a strict liability claim—because the focus is solely on the product itself, not the manufacturer’s conduct. Salvati acknowledged the challenge this creates for defense counsel and clients who expect such compliance to carry weight. Understanding the Three Defect Theories Salvati also walked through the three primary defect theories recognized in many jurisdictions: - Design defect – a flaw in the product’s intended design - Manufacturing defect – a deviation affecting a specific unit - Failure to warn – inadequate instructions or warnings He noted that warnings claims are increasingly significant and sometimes stand alone when design or manufacturing theories are weak. As he put it, plaintiffs often default to warnings claims because “the default position seems to be, ‘If I got hurt, there must be something wrong.’” Warranties and State‑by‑State Variations Salvati addressed how breach‑of‑warranty claims fit into the broader framework, explaining that implied warranties—such as merchantability—often overlap with strict liability in Pennsylvania. He emphasized the importance of understanding local nuances, as warranty law and admissibility rules vary widely across states. Looking Ahead: The Growing Importance of Warnings In his closing remarks, Salvati stressed that warnings should never be treated as an afterthought in product liability defense. He observed that warnings‑only claims are becoming more common and urged manufacturers and insurers to continually evaluate the clarity and completeness of their instructions and warnings. His takeaway: “We should always be talking about what are the instructions that come with our products…to bolster a misuse defense.” Listen to the complete webinar here: https://www3.ambest.com/conferences/events/eventregister.aspx?event_id=WEB1074.