Lori S. Nugent

Shareholder

Lori S. Nugent focuses her practice on cybersecurity and privacy issues. She has served as lead counsel responding to and defending over 1,000 data breaches, as well as ransomware situations and a variety of privacy problems. Lori has defended breached operations of all sizes in a wide variety of market sectors, including retail, health care, financial institutions, energy and utilities, public entities, hospitality, high tech, and higher education, as well as for a variety of professionals.

As a first-responder to cyber crisis situations, Lori leads a team of specially trained attorneys, on call 24/7. She is the calm voice of experience in the eye of whatever cyber storm emerges. At her fingertips, Lori has a wide-ranging network of highly skilled people, including key vendors, who are ready to help contain and defend against whatever attackers try today or tomorrow.

Lori builds strong legal defenses into breach responses. Defenses she built in responding to the largest breach in our client’s market sector led to settlement of a $6.5 billion data breach class action for less than six figures. The related investigations by over 20 state and federal regulators were closed without assessment of any fines, penalties, or corrective actions.

Lori has unique insight. Her perspective helps operational teams, senior management, and boards of directors improve an organization’s cyber legal defensibility. She assists in developing practical, legally defensible solutions. Collaborating with technologists, operational leaders, and in-house lawyers, Lori adds her expertise to assist in building strong teams in the fight against ever-changing, well-funded attackers. She understands the constantly mutating attack vectors and the vulnerabilities that attackers seek, and continuously works to develop and deploy practical countermeasures that enhance legal defenses.

Mergers and acquisitions teams also seek Lori’s perspective in connection with cyber diligence for acquisitions and funding. For acquiring organizations, Lori facilitates determination of cyber risk appetite, and quick evaluation of a target’s current state. Where warranted, Lori delves deeper and provides insight concerning the time and cost needed for the target to meet the acquirer’s risk appetite for cyber risk. For emerging operations, Lori identifies cost-effective steps that enhance the organization’s ability to retain its valuation as funding or sale is sought. She also helps companies to reduce sales friction with a variety of techniques that make it easier for the organization’s product or service to meet its potential customers’ vendor management procurement requirements.

Lori also works with a variety of insurers, brokers, and companies to create and enhance insurance solutions to protect companies from the negative financial impact of cyber liabilities, including data breaches. She encourages careful analysis of cyber exposures, and facilitates thoughtful evaluation of insurance coverage and reserving options.

Concentrations

  • First-responder to cyber crisis situations, including data breaches and ransomware attacks
  • Advising companies on cyber legal defensibility and practical steps to enhance compliance and defensibility
  • Developing tailored cyber incident response plans, including joint incident response plans for companies that share sensitive data
  • Preparing and updating key cybersecurity regulatory compliance documentation, including privacy policies, written information security programs, and breach response plans
  • Working collaboratively with technologists and others to assist operations in meeting governmental guidance expectations and adapting to continuously changing threats and defenses
  • Defending companies in regulatory investigations involving data breaches and privacy issues, and in related litigation, arbitration, and mediation
  • Helping emerging companies retain value during funding diligence and reducing sales friction
  • Assisting acquiring companies in evaluating a target company’s current state of cyber preparedness, and the estimated time and costs for the target to meet the client’s cyber risk appetite

Experience

  • Served as lead incident response counsel in connection with the largest data breach in our client’s industry. By building collaborative teams across the organization and within GT, we were able to help the client respond effectively. The incident response was built to facilitate a strong legal defense before regulators and in class action litigation. Even though the breach was the largest in its industry sector, GT’s collaborative approach resulted in resolution with a myriad of state and federal regulators without assessment of any fine or penalty. The approach also provided factual and expert information that facilitated settlement of the $6.5 billion class action for considerably less than six figures. GT’s collaborative team approach was essential to obtaining this result.
  • Acted as lead counsel and defended multi-state litigation of our client’s attorney rating service’s right to post accurate information about a disgruntled attorney. Obtained dismissal of all claims made against our client. Also obtained a precedent-setting award of attorneys’ fees to our defendant client under Washington’s anti-SLAPP law in Davis v. Avvo, Inc., U.S. District Court, Western District of Washington, 2012 (U.S. Dist. Lexis 43743).°
  • Acted as lead counsel and obtained summary judgment in the precedent-setting federal court opinion in Worix v. MedAssets, 869 F. Supp. 2d 893 (N.D. Ill. 2012), which alleged that the company was negligent in safeguarding the plaintiff’s personal and health information when a hard drive containing patients' information was stolen from an employee's vehicle. The plaintiff alleged violations of the Stored Communications Act (SCA), Illinois Consumer Fraud Act (ICFA), negligence, and negligence per se, and sought to expand the putative class to include patients of multiple facilities in addition to the facility at which the named plaintiff was treated and Illinois common law. Rather than challenging standing at the certification stage, we proceeded aggressively in discovery of the plaintiff, and moved for summary judgment and stayed the plaintiff’s discovery of our client pending the court’s summary judgment ruling. Notably, the court made several findings: 1) time spent researching credit monitoring services and identity theft protection services does not constitute actual damage recoverable under the ICFA; 2) emotional damages alone are not sufficient to constitute actual damages under the ICFA; 3) no reasonable jury could conclude that the alleged breach proximately caused the plaintiff’s alleged injuries; and 4) the plaintiff’s alleged damages were not reasonably foreseeable.°
  • Assessed cybersecurity governance and compliance issues to facilitate acquisition negotiations.
  • Assessed cybersecurity preparedness, governance and legal defensibility of large utility company, including evaluation of privacy and security policies and practices, as well as nine other indicators of good cybersecurity practices and defensibility. Obtained information from a wide variety of employees across numerous operations, and provided the General Counsel with summarizing findings and recommendations. Our informal recommendations were being implemented while interviews were still underway.
  • Acted as lead counsel responding to a breach of a Fortune 100 hospitality company’s large customer database. Analyzed and confirmed the scope of the breach, created a customized call centering protocol to assist individuals who may have been impacted, and arranged for identity restoration services.°
  • Served as lead incident response counsel for a technology services contractor in connection with a lost laptop and flash drive that contained Personally Identifiable Information and Personal Health Information provided by its business clients: a teachers’ union, scholarship fund, and non-profit organizations. To determine our client’s notification obligations under state law, we analyzed hundreds of spreadsheets, tables, fields, and partial databases, and with careful analysis, were able to reduce the number of impacted individuals requiring notification. Ultimately, the exposed data included PII and PHI of individuals in 36 jurisdictions, requiring compliance with the breach notification laws of each jurisdiction. We notified the subcontractor’s business clients and worked with each to craft a collaborative breach response tailored to each business client’s unique population and concerns. These plans included joint issuance of notification letters to impacted individuals and the provision of credit monitoring and identification restoration services.
  • Notably, formal notification was provided to the teachers’ union while the union was in the midst of negotiating a new contract with the School Department. The union’s initial response was very aggressive toward our technology services contractor client, and it appeared that the union’s Board would support its members in filing suit against our client. We collaborated with the union’s treasurer, secretary, and its outside counsel to develop and execute a data breach response plan that met the union’s expectations and was manageable for our client. We also provided a presentation describing the nature of the information disclosed, the proposed breach response plan, and the service offerings to be provided to impacted individuals, and were successful in obtaining the support of the union’s Board and members.
  • Coordinated responses to numerous regulator inquiries. One of our client’s customers received a written request for additional information regarding the event as well as its security practices from the Executive Office of Health and Human Services, and requested that our client provide guidance. In order to minimize any potential exposure to our client, we assisted our client’s customer in crafting appropriate responses to the regulators, and there were no further inquiries. We also provided written and oral responses to requests our client received from the Massachusetts Attorney General. Despite the significance of the security incident, our client was not sued, fined, or penalized by regulators.°
  • Defended a media network that provides interactive online advertisements in a high-exposure, high-profile cyber class action matter. Plaintiffs alleged that our client used local shared objects stored in Adobe Flash Media local storage to regenerate certain information stored in Internet users’ HTTP browser "cookies" after users deleted those cookies. Convinced plaintiffs’ counsel and the court that these allegations were false, and negotiated a favorable settlement for the client that was significantly less than similarly situated defendants.°
  • As lead incident response counsel, defended a large technology service provider with a credit card breach situation involving assets that recently had been acquired by the client but had yet to be migrated to the client’s more secure systems. Negotiated the resolution of a complex multimillion-dollar dispute against our client stemming from a zero-day attack on data in transit. Attained settlement at 20% of the amount asserted against the client, despite evidence demonstrating the client’s vulnerability and responsibility. The claim, pursued by a major U.S. bank, credit card companies, and a Fortune 500 corporation, involved coordinated data theft from hundreds of automatic teller machines by organized crime in Eastern Europe. Although there was considerable news coverage of the data breach, with our assistance, the client maintained a low profile and avoided media attention, successfully protecting its brand.°
  • Worked collaboratively with co-counsel to attain a low six-figure settlement of data tracking class actions. A class action suit was filed in Arkansas, and plaintiffs’ counsel issued a settlement demand that was excessive. Rather than respond to the Arkansas plaintiffs’ unreasonable demand, we engaged a well-respected mediator and a New York-based privacy advocate with whom we previously settled another flash cookie class action on favorable terms. We engaged in settlement negotiations and ultimately resolved the national class action that was filed by the New York privacy advocate in federal court along with the proposed settlement agreement. As planned, the settlement, which ultimately was approved by the court, also settled the claims of the Arkansas plaintiffs’ class.°
  • Based on careful review and challenges to a forensic report concerning breach of credit card data, we convinced a merchant bank and credit card brand to reverse a significant fine assessed against a hospitality company. This unprecedented result permitted our client to earn a profit during the year when the breach happened, rather than facing a significant loss.°
  • Aided a Fortune 100 hospitality company in response to the breach of a large customer database. Analyzed and confirmed the scope of the breach, created a customized call centering protocol to assist individuals who may have been impacted, and arranged for identity restoration services.°
  • Represented an accountant with an international tax practice whose computers were stolen out of his office. Provided communication to notify the accountant’s clients, determined the scale of the breach, and arranged with an outside vendor an identity restoration solution.°
  • Led a team of attorneys in a breach response for a health care facility. Obtained identity restoration services after a hard drive with key data was stolen and ensured compliance with breach notification laws. Addressed HIPAA issues and coordinated with local regulators.°
  • Acted as special counsel for an oil refinery, following an oil spill, on the appeal of punitive damages assessed against it. Class action plaintiffs asserted that punitive damages should be assessed based on either Texas or Oklahoma law, even though the spill took place in Louisiana. Raised constitutional challenges to the award of punitive damages based on the laws of Oklahoma or Texas without applying the protections inherent in those jurisdictions’ punitive damages constructs and without specifying which jurisdiction’s law applied. The Supreme Court of Louisiana reversed the award of punitive damages in a 2012 verdict.°
  • Acted as counsel of record for a hospital defendant in the appeal of a punitive damages award arising from the death of a mother who did not receive a timely blood transfusion during surgery. Handled punitive damages portion of the appeal with local counsel focused on compensatory issues. Also obtained friend of the court support from the Kentucky Chamber of Commerce as well as a competing hospital. Argued on appeal that by statute, punitive damages cannot be assessed in Kentucky absent proof that the corporate defendant participated in, ratified or authorized a specific employee’s wrongful conduct. The Supreme Court of Kentucky reversed the lower court and held that punitive damages were not warranted against the hospital, as it was not complicit in the conduct of the nurse and blood bank employees who were found responsible for the delay in obtaining blood during surgery in a 2011 verdict.°
  • Acted as punitive damages counsel for appeal and post-verdict motions of record-setting punitive damages award assessed against a hospital in New Mexico. After post-verdict investigation, determined that a juror failed to disclose his bias against hospitals during voir dire, including the fact that his wages were being garnished by a hospital during the trial. Obtained testimony and created a trial court record that the juror encouraged other jurors during jury deliberations to "get this hospital." Obtained a supersedeas bond of 50 percent less than the statutory amount and a stay of judgment.°
  • Acted as punitive damages counsel for a global chemical company facing a class action stemming from the release of airborne chemicals over a residential area. Prosecuted a punitive damages offense, including challenges to financials and trial phasing as well as a variety of constitutional and factual challenges. Resulted in a pretrial settlement at approximately 10 percent of plaintiffs’ demand prior to our retention.°

°The above representations were handled by Ms. Nugent prior to her joining Greenberg Traurig, LLP.

Recognition & Leadership

  • Listed, Leading Lawyers Network, 2015-2016
  • Listed, Business Insurance magazine, "Woman to Watch," 2006
  • Listed, Best’s Review, "People to Watch," 2002
  • Member, Claims & Litigation Management Alliance (CLM)
  • Member, International Association of Privacy Professionals
  • Member, The Sedona Conference, Working Group 11 on Data Security and Privacy Liability

Credentials

Education
  • J.D., Northwestern Pritzker School of Law, 1987
  • B.A., Knox College, 1984
Admissions
  • Texas
  • Illinois
  • Supreme Court of Illinois
  • Supreme Court of the United States
  • U.S. Court of Appeals for the Seventh Circuit
  • U.S. District Court for the Northern District of Illinois