Kaitlin Clemens at Troutman Pepper Locke

When to Notify Your Cyber Carrier of a Security Incident - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Our company experienced a cybersecurity incident. It seemed pretty minor — just a few suspicious emails and an employee’s account being locked. To my dismay, we’re now hearing from our IT team that the issue is more serious....more

3/20/2025 / Cyber Attacks , Cyber Incident Reporting , Cybersecurity , Data Breach , Data Privacy , Data Security , Insurance Claims , Insurance Contracts , Insurance Industry , Risk Management

6 Tips for Cos. Facing Service Provider Cyber Incidents

It is no secret that ransomware dominates headlines, and cybersecurity incidents have become part of our everyday language. However, the criminal “business model” behind ransomware keeps evolving. Originally published in...more

1/23/2025 / Business Continuity Plans , Cybersecurity , Data Breach , Data Breach Plans , Data Protection , Federal Trade Commission (FTC) , Forensic Accounting , Incident Response Plans , Ransomware , Risk Management , Third-Party Risk , Third-Party Service Provider

Amendments Align Pennsylvania’s Breach Notification Law With Majority of States

Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) into law, which go into effect on September 26. As part of the implementation of these...more

9/24/2024 / Breach Notification Rule , Data Breach , Notification Requirements , Pennsylvania , Personally Identifiable Information , Reporting Requirements , State and Local Government , State Attorneys General , State Data Breach Notification Statutes

SEC Cybersecurity Incidents Disclosures: Materiality, Decryptors, and Ransom Payments - Dear Mary – Incidents + Investigations...

I work for a public company that recently experienced a ransomware attack. Fortunately, we were able to restore our business operations quickly by obtaining a decryption key from the threat actor. Given that we managed to get...more

9/11/2024 / Cyber Attacks , Cyber Incident Reporting , Cybersecurity , Data Protection , Disclosure Requirements , Incident Response Plans , Publicly-Traded Companies , Ransomware , Reporting Requirements , Reputational Injury , Securities and Exchange Commission (SEC) , Securities Regulation

Notifying Law Enforcement of Security Incidents - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

“Dear Mary” is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related — data breaches, forensic investigations, how to...more

8/22/2024 / Breach Notification Rule , Cyber Attacks , Cyber Crimes , Cybersecurity , Data Breach , Data Privacy , Data Protection , Data Security

Ensuring Proper Legal Involvement in the Incident Response Process - Dear Mary – Incidents + Investigations Cybersecurity Advice...

“Dear Mary” is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related — data breaches, forensic investigations, how to...more

8/14/2024 / Cybersecurity , Data Breach , Data Privacy , Data Protection , Data Security , Incident Response Plans , Ransomware

Restrictions on Paying a Ransom Demand - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

“Dear Mary” is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related — data breaches, forensic investigations, how to...more

8/1/2024 / Cyber Attacks , Cyber Crimes , Cybersecurity , Data Breach , Data Protection , Data Security , Financial Institutions , Ransomware , Regulatory Authority

Understanding Access vs. Acquisition - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Each of the 50 states has its own definition of what constitutes a reportable data breach. For some, it requires “unauthorized access” to personal information. For others, it requires “unauthorized acquisition.” And then,...more

7/25/2024 / Cybersecurity , Data Breach , Data Collection , Data Privacy , Data Protection , Data Security , Data Theft , Identity Theft , Personal Data , Personally Identifiable Information , Unauthorized Access