
Privacy & Data Security

As one of the country's leading civil defense litigation law firms, the attorneys in Marshall Dennehey's Privacy & Data Security Practice Group are focused on helping clients reduce cyber risk exposures and guiding them through incident response, containment, and compliance measures after a data breach occurs. Staffed to respond to time-critical situations with 24/7 availability, our firm has handled thousands of data breaches and privacy claims for clients in the technology, health care, education, financial, banking, retail, energy, consumer protection, professional services and other industry sectors.

A Customized Approach

In the arena of privacy and data security, there is no one-size-fits-all response. At Marshall Dennehey, we partner with each client to develop a customized approach, with a focus on how decisions may impact a future defense to litigation or regulatory action. Whether it is a breach involving hundreds of individuals, or millions, we counsel clients in a way that is cost-effective, compliant with the law and protective of a company's brand.

Data breaches often involve multiple areas of a client's business. When a breach involves the theft or disclosure of trade secrets, or the violation of a company's social media policy, attorneys in our Employment Law and Technology, Media and Intellectual Property Litigation Practice Groups are available to provide critical and immediate counsel. This counsel includes assisting clients in appropriately and effectively communicating with employees who may be suspected of involvement with the breach incident.

SELECT INDUSTRIES WE SERVE

Health Care

Privacy and data security matters in the health care sector require significant knowledge of how health care systems work on both regulatory and administrative levels. Our attorneys play a critical role in helping health care clients avoid, prepare for, and respond to data breach events. Beginning with HIPAA/HITECH compliance, our attorneys provide counsel on interpretation of federal and state privacy/security laws and regulations, and assist clients in investigations by governmental agencies, including the state attorneys general and the Department of Health and Human Services Office for Civil Rights. We additionally help clients develop risk management procedures and policies that are not only required by law, but that also help to educate and prepare providers, insurers and business associates on ways sensitive patient health information can be safeguarded.

Education

Universities, colleges and other institutions of higher education across the country are increasingly the target of computer hackers. Marshall Dennehey has provided legal counsel to educational entities of all sizes in the aftermath of data breach events. Our services focus on incident response development and notification as well as containment and compliance measures, including appropriate usage of social media channels to communicate incident updates to internal and external audiences. Our client representation in this sector has included working with the U.S. Department of Education in investigating breach incidents.

Financial and Banking

Security breaches and computer hacking incidents at financial institutions have become alarmingly common. Our firm routinely works with banking and financial institutions in responding to data breaches. From compliance with the Gramm-Leach-Bliley Act requirements to working with forensic investigators in the critical initial stages, we are experienced in counseling clients through every stage of these sensitive and often high-profile engagements. When necessary, we are also accustomed to working with governmental agencies such as local and state law enforcement as well as the Secret Service and the FBI to help respond to, or investigate, a breach event.

Retail, Energy, Utility and Service Industries

From e-commerce web retailers to insurance companies and their nationwide brokers, we have assisted companies in the investigation and response to data breaches as well as Payment Card Industry-Data Security Standards (PCI-DSS) compliance. With extensive experience in defending business entities in consumer-related litigation, we have the attorney resources to manage every aspect of a data breach event.

Professional Services

Professional services entities such as law firms and accounting firms are increasingly the targets of cyber criminals for personal information and sensitive data. We have assisted hundreds of professional services firms when they have been forced to respond to cyberattacks. Our services allow these clients to immediately identify the issues, respond in a timely manner, and ensure that all legal obligations are met. We also assist with communications that enable clients to reassure their constituencies that their data is protected.

AREAS OF EXPERIENCE

  • Data breach incident response and notification
  • Data security and retention policies
  • Defense of numerous state lawsuits involving federal and state law privacy breaches
  • Review of Vendor Agreements and Business Associate Agreements
  • HIPAA/HITECH violation responses
  • Investigations and audits by Department of Health and Human Services Office for Civil Rights
  • Counseling to respond to U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services (CMS), state Medicaid agencies, state departments of health and insurance and state/professional licensing boards
  • Gramm-Leach-Bliley Act (GLBA) requirements
  • PCI-DSS compliance, requirements and other payment card data issues
  • Claims and litigation involving point of sale (POS) software and hardware

Our attorneys are available at any time to discuss potential legal matters, or the development of workshops and educational seminars for your company or organization.

Results

Thought Leadership

Legal Updates for Privacy and Data Security

Vendor Cyber Attack Compromises PII of More Than 3 Million Hunting and Fishing License Holders in Texas

June 30, 2026

The Texas Parks & Wildlife Department (TPWD) announced earlier this month that one of its vendors, which handles the sale of state hunting and fishing licenses, was the victim of a cybersecurity attack. The threat actor appears to have exfiltrated personal driver’s license information, passport numbers, email addresses, phone numbers and addresses of over 3 million hunting and fishing license holders.

The State Parks Department advised that the attack did not compromise Social Security numbers, dates of birth or financial information. Texas Cyber Command, the state’s new cybersecurity authority formed to protect critical infrastructure and coordinate threat responses across state and local government, reportedly assisted in detecting and containing the attack. TPWD has already set up free credit monitoring for those impacted through Kroll.

According to press reports, no specific group has yet been identified as the perpetrator of the theft. TPWD also advised that business has not been interrupted and license sales were continuing. This incident once again demonstrates that cybersecurity is only as strong as the weakest link in the supply chain. Businesses must prioritize security across their own environments and those of their vendors and contractors as well.

Legal Updates for Privacy and Data Security

Identity Theft Resource Center Report Reveals Rising Data Breaches Despite Drop in Mega Breaches

February 19, 2026

The Identity Theft Resource Center (ITRC), a well-known, non-profit identity theft and fraud prevention organization, recently released its 2025 annual data breach report with significant findings for the data breach field. The ITRC tracked 3,322 data breaches in 2025 – an increase of more than 5% compared to 2024. The numbers set a new record for U.S. data breaches tracked by the ITRC over the past 20 years. These numbers also show a 79% jump in data breaches over the last five years.

Just as importantly, the number of victim notices that were sent out decreased. In 2024, the ITRC found that over 1.3 million notices had been sent out, while in 2025 fewer than 300,000 notices were distributed. The ITRC noted that the significant decrease in victim notices was likely due to the lack of “mega-breaches” in 2025 compared to 2024.

The ITRC also found that the financial services industry was the most breached industry in 2025, followed by health care, professional services, manufacturing, and education.

The ITRC’s president was quoted as saying that they had found “more attacks that are more precise, more automated and more difficult to detect. Consumers can take all of the right steps, businesses can have the best cyber security and still fall victim to criminals.”

These findings are significant for the cyber security insurance field. While mega breaches may be decreasing, the overall number of breaches demonstrates that all businesses should be obtaining proper cyber security insurance, and insurance carriers should be aware that while fewer notices will go out, more claims will be made that can affect both underwriting and the claims procedures.

Legal Updates for Privacy & Data Security - February 19, 2026, has been prepared for our readers by Marshall Dennehey. It is solely intended to provide information on recent legal developments and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. If you receive the alerts in error, please contact MeDeSatnick@MDWCG.com. ATTORNEY ADVERTISING pursuant to New York RPC 7.1. © 2026 Marshall Dennehey, P.C. All Rights Reserved.

Firm Highlights

Result

No-Cause Jury Verdict Secured in Wrongful Death Trial

We successfully obtained a no-cause jury verdict in a 13-day wrongful death trial. The decedent, a 59-year-old man, was admitted to the emergency room on February 15, 2019, with complaints of abdominal pain, decreased appetite, and constipation, despite the use of laxatives. The patient did not complain of any nausea, vomiting, or diarrhea. He had a significant medical history including diabetes, hypertension, prior coronary artery stenting, morbid obesity (with past gastric bypass surgery), longstanding ventral hernia, and back pain. A CT scan revealed multiple hernias and a potential closed-loop bowel obstruction, leading to a surgery consultation. Our client, an emergency general surgeon, interpreted that the patient did not have a closed loop or any significant obstruction and recommended non-surgical management. The patient was approved to have clear liquids, and had a vomiting incident shortly after, but our client was not notified. The patient was returned to NPO status, and after improving overnight, he was returned to “clears” and additional medical and renal consults were ordered. Our client did not receive any communications from the residents/nurses of any changes in the patient’s condition. On February 18, 2019, two rapid responses were called due to increased heart rate and vomiting. It is believed that the vomiting resulted in aspiration, causing sepsis, ultimately leading to the patient’s death. During the trial, the plaintiff’s sole medical expert highlighted imaging on the wrong hernia, which called into question all of his opinions in the case. We made key objections related to the expert testimony, limiting what the allegations were, and preventing new allegations from being made. After approximately two and a half hours of deliberating, the jury returned a no-cause verdict. 

Thought Leadership

Featured Conversations... Key Takeaways from A.M. Best’s Webinar on the Misuse Defense in Product Liability Claims, Featuring Michael Salvati

Michael Salvati, shareholder in our Philadelphia office, was a panelist for the April A.M. Best webinar, “The Misuse Defense: Strategic Approaches to Defending Product Liability Claims for Insurers.” During the program, Michael and his fellow panelists offered practical, jurisdiction‑specific guidance on how misuse and failure‑to‑warn theories intersect in modern product liability litigation. Michael emphasized the unique challenges these claims present—particularly in states like Pennsylvania, where evidentiary rules diverge sharply from those applied in many other jurisdictions.

Failure to Warn as the “Flip Side” of Misuse

Salvati explained that failure‑to‑warn allegations often arise as a direct counter to a misuse defense. As he noted, “If our misuse defense is that the plaintiff didn't use a product properly or safely, then the failure to warn claim is that we didn't tell them how to use it properly.” He emphasized that these claims can stem from either the absence of warnings or criticisms of existing warnings, such as insufficient specificity or lack of clarity about risks.

Pennsylvania’s Unique Evidentiary Landscape

One of Salvati’s most notable points was the stark difference in how Pennsylvania treats evidence of compliance with industry standards. He highlighted that Pennsylvania is “one of the only states…where that evidence is not admissible” in strict liability cases. Manufacturers cannot rely on compliance with ANSI, UL, ISO, or even federal safety standards to defend the product against a strict liability claim—because the focus is solely on the product itself, not the manufacturer’s conduct. Salvati acknowledged the challenge this creates for defense counsel and clients who expect such compliance to carry weight.

Understanding the Three Defect Theories

Salvati also walked through the three primary defect theories recognized in many jurisdictions:

  • Design defect – a flaw in the product’s intended design
  • Manufacturing defect – a deviation affecting a specific unit
  • Failure to warn – inadequate instructions or warnings

He noted that warnings claims are increasingly significant and sometimes stand alone when design or manufacturing theories are weak. As he put it, plaintiffs often default to warnings claims because “the default position seems to be, ‘If I got hurt, there must be something wrong.’”

Warranties and State‑by‑State Variations

Salvati addressed how breach‑of‑warranty claims fit into the broader framework, explaining that implied warranties—such as merchantability—often overlap with strict liability in Pennsylvania. He emphasized the importance of understanding local nuances, as warranty law and admissibility rules vary widely across states.

Looking Ahead: The Growing Importance of Warnings

In his closing remarks, Salvati stressed that warnings should never be treated as an afterthought in product liability defense. He observed that warnings‑only claims are becoming more common and urged manufacturers and insurers to continually evaluate the clarity and completeness of their instructions and warnings. His takeaway: “We should always be talking about what are the instructions that come with our products…to bolster a misuse defense.”

Listen to the complete webinar here: https://www3.ambest.com/conferences/events/eventregister.aspx?event_id=WEB1074.

Thought Leadership

The Enforceability of Online Arbitration Agreements Remains Unresolved in Pennsylvania, But the Pennsylvania Superior Court has Provided Substantive Guidance on the Issue

Key Points:

  • The Pennsylvania Supreme Court confirms that an order compelling arbitration is not immediately appealable as a collateral order.
  • The outcome of Chilutti II has generally left the substantive enforceability issues with browsewrap agreements unresolved in Pennsylvania.
  • Until this issue is resolved by the Pennsylvania courts, companies operating in the Commonwealth should strive to ensure that their registration websites and/or application screens conspicuously present arbitration agreements in manners which ensure their users and consumers assent to the terms of the agreements by following the standards set forth in Chilutti I.

Browsewrap agreements have been defined as agreements “‘in which a website offers terms that are disclosed only through a hyperlink and the user supposedly manifests assent to those terms simply by continuing to use the website,’ and typically do not require an electronic signature.” See Cobb v. Tesla, Inc., 2026 WL 458470, at *1 n. 2 (Pa. Super. Feb. 18, 2026) (citation omitted). They are largely regarded as the “if you keep using this, you agree to everything buried in this link” terms embedded into almost every online agreement consumers and users sign before proceeding with purchases of goods and/or services. While consumers are generally aware of them, many almost never click on the link, nor read them in their entirety. This leaves many consumers and users ignorant of the terms and impact of such agreements. However, one’s ignorance of the otherwise neatly-tucked-away terms rarely renders them unenforceable.

The issue of the enforceability of browsewrap agreements has been up for debate for some time in many jurisdictions, including Pennsylvania. Indeed, Pennsylvania had a brief grip on this issue for a period in time. Specifically, in 2023, an en banc Superior Court set forth heightened standards for companies to meet in order to secure assent and enforce browsewrap arbitration agreements. See Chilutti v. Uber Techs., Inc., 300 A.3d 430 (Pa.Super. 2023) (en banc) (“Chilutti I”).

Chilutti I involved a husband and wife who sued Uber and its subsidiaries after the wife, a wheelchair-bound passenger using Uber’s rideshare service, fell, struck her head, and lost consciousness due to her Uber driver failing to provide a seatbelt and making an aggressive turn during the trip. The Chiluttis filed a negligence lawsuit against Uber and its subsidiaries. In response, the defendants moved to compel arbitration, arguing that “the couple’s conduct on the company’s website and application — when they registered for the ridesharing service — signified that they agreed to be bound by the mandatory arbitration provision found in the hyperlinked terms and conditions.” The trial court granted the defendants’ petition and stayed the proceedings pending the results of arbitration, and the Chiluttis appealed.

On appeal, the Superior Court addressed two issues. First, it addressed the issue of whether it had jurisdiction to hear the appeal. A divided Superior Court determined that it did, with its basis for the holding being that the order from which the Chiluttis appealed was a collateral order. Next, the Superior Court set out to address the merits of the Chiluttis’ substantive claim. The Superior Court concluded that the parties lacked a valid agreement to arbitrate. Its rationale was that Uber’s website and application did not provide reasonably conspicuous notice of the terms to the Chiluttis.

In reaching this decision, the en banc Superior Court held that browsewrap arbitration agreements are enforceable in Pennsylvania only if the registration website and application screens explicitly inform consumers that they are waiving the right to a jury trial, the registration process cannot be completed until the consumer is fully informed of this waiver, and, when the agreement is available via hyperlink, the waiver appears at the top of the first page of the terms in bold, capitalized text.

Since the ruling, Pennsylvania courts have applied Chilutti I to determine if browsewrap agreements are enforceable. For instance, the Allegheny County Court of Common Pleas invoked Chilutti I to reject an agreement that lacked an express jury-trial waiver on the assent screen. See Miller v. Festival Fun Parks, LLC, 92 WDA 2025 (C.P. Alleg. Cnty. Mar. 24, 2025). Similarly, the Superior Court has held that notice which failed to explicitly state the consumer was waiving a jury-trial right did not “me[e]t the strict burden set forth by our en banc Court in Chilutti I.” Pierce v. FloatMe Corp., 348 A.3d 1077, 1088 (Pa. Super. 2025).

While the issue of enforceability of browsewrap agreements appeared to have been resolved by Chilutti I, Pennsylvania courts’ grip on this issue has been slackened by the Pennsylvania Supreme Court’s January 21, 2026, opinion in Chilutti II. See Chilutti v. Uber Techs., Inc., 349 A.3d 826 (Pa. 2026) (“Chilutti II”). Therein, the Supreme Court did not address the merits of the Chiluttis’ substantive claim, but rather the issue of whether the Superior Court had appellate jurisdiction to immediately review the orders staying litigation pending arbitration. The Court ultimately vacated the en banc opinion on jurisdictional grounds, holding that the Superior Court did not have appellate jurisdiction because the trial court’s order from which the Chiluttis appealed did not qualify as a collateral order and, thus, the Superior Court erred in holding to the contrary and lacked jurisdiction to entertain the merits” of the Chiluttis’ substantive claim.

As such, Chilutti II has rendered Chilutti I nonbinding, and the issue of enforceability of online arbitration agreements remains unresolved. However, in light of the fact the Supreme Court did not address or comment on the merits of the Chiluttis’ appeal, Chilutti I is still meaningful. Specifically, it provides guidance as to the standards a company should strive to meet to ensure they have obtained users’ assent so that they are able to enforce online arbitration agreements. Additionally, it may serve as persuasive authority in judges’ evaluations of petitions and/or motions to compel browsewrap arbitration agreements until this particular issue is properly put before our appellate courts.

Keanna works in our Pittsburgh, PA office. She can be reached at (412) 803-1174 or KASeabrooks@MDWCG.com.