Profile

Education

  • Georgetown University Law Center, JD (magna cum laude), Order of the Coif, 2000
  • University of Cambridge, Girton College, MPhil, 1994
  • Loyola University Maryland, BA (cum laude), 1993

Josh is the firm’s head of US Cyber and Data Privacy and is based in Kennedy’s Philadelphia office. 

Josh is an integral part of Kennedys global 24/7 breach response services and data privacy services. He coordinates responses and recovery efforts in North America and manages regulatory requirements worldwide. His clients include public and private corporations, healthcare providers, professional sports franchises, universities, financial services firms, and law firms.

Josh provides clients with practical and commercial level guidance through step-by-step actions in order to minimize the impact and cost arising from an incident. Globally, he works closely with Kennedys offices in EMEA, LATAM, and APAC, and with numerous insurers, their insureds, and corporate clients to deliver fast and efficient incident response advice and services on a local and an international level.

Josh also represents clients in a variety of high stakes cyber and privacy litigation matters, including class action defense arising from healthcare and other data breaches, online tracking, and targeted advertising, and corporate litigation arising from cyber-related events. Josh also has litigated matters involving invasion of privacy, defamation, and trade secret theft.

He advises clients on a wide array of data privacy and security issues, whether US-based or international. He guides clients in matters involving big data usage, data licensing, cross-border data transfers, and implementation of privacy and security protocols.

He also has represented insurers in media and cyber matters. He has litigated at trial and appellate levels throughout the country, winning two cases involving matters of first impression before the United States Court of Appeals for the Third Circuit.

Josh regularly writes and lectures on cybersecurity and data privacy. He is a regular contributor on cyber matters to the ALM Legal Intelligencer and has guest-lectured at Temple University Fox School of Business, Rutgers Law School, and has been quoted in The Wall Street Journal, S&P Global Market Intelligence, Law360, Business Insurance, Claims Journal, and Compliance Week. For several years, Josh served as a Vice Chair of the ABA TIPS Cybersecurity and Data Privacy Committee, and he was the founding Chair of the Cybersecurity and Data Privacy Committee for the Pennsylvania Bar Association, and the association’s successful cyber blog/newsletter. He also is a past editor of an X9 working group, an ANSI-accredited standards developing organization, to develop a universal standard for data protection and data breach notification in the financial services industry.

Outside of law, Josh is a founding member of The Oxford & Cambridge Society of Philadelphia and has been selected by Cambridge in America and the University of Cambridge as an official alumni contact for the Commonwealth of Pennsylvania.

Qualifications and admissions

  • District of Columbia
  • Pennsylvania
  • US District Court for the District of Columbia
  • US District Court for the Eastern and Western District of Pennsylvania
  • US Court of Appeals for the Third Circuit

Market recognition

  • Recognized by Pennsylvania Super Lawyers (2020-2021)
  • Received the Attorney Recognition and Leadership Award by the Pennsylvania Bar Association (2019)

Work highlights

Incident Response and Privacy

  • Advised and assisted clients with response to varying cyberattacks, including healthcare providers, professional sports franchises, universities, financial services firms, and law firms
  • Instructed hospitality company in incident involving just under 1 million customers in over 200 countries
  • Instructed university in data breach involving data subjects in over 150 countries
  • Negotiated data licensing agreements and processing agreements on behalf of mobile application developer for white-labeled services
  • Represented insurance carrier in multiple vendor and claims handling agreements for cyber-related services
  • Advised and helped prepare for corporate client international data transfer agreement for organization with worldwide operations, affiliates, and subsidiaries
  • Advised and prepared for corporate client multiple internal and external cross-border data transfer and processing agreements
  • Advised and assisted clients with drafting and implementing information security programs under the CCPA, SHIELD Act, Dittman, and New York DFS cyber regulation 23 NYCRR 500, and GDPR
  • Advised insurance industry clients with compliance under NAIC Model Law on Insurance Data Security, as promulgated by applicable jurisdictions
  • Drafted/negotiated InsurTech and start-up licensing and service agreements, resolving issues regarding data ownership, use, security and privacy of data
  • Assisted multiple cyber insurance carriers with drafting of cyber provisions

Litigation

  • Obtained dismissal of multiple class action litigation matters brought against large healthcare provider following ransomware event
  • Defending one of the nation’s largest healthcare providers in multiple federal class-action lawsuits, pre-litigation matters and  OCR investigation following significant, high-profile data breach
  • Successfully represented international media organization in obtaining nuisance-value resolution of class action brought under VPPA
  • Successfully represented advertising agency in connection with alleged VPPA claims and a well-known fast-food franchise
  • Successfully defended MSP in litigation matter involving first-party and third-party claims of clientele and downstream organizations
  • Successfully defended various clients in matters involving misdirected payments arisng form business email compromises
  • Successfully defended high-profile client in defamation matter
  • Successfully represented media insurer in connection with underlying litigation brought against large, nationally-known university for false reporting to third-party ranking publications in order to bolster national rankings
  • Successfully represented insurer in connection with underlying class action alleging wrongful disclosure of disability information, privacy violations, and discrimination against college board testing organization, Bloom v ACT, Inc.
  • Successfully represented media insurer in connection with underlying defamation lawsuit filed against bankrupt online media periodical, winning narrow construction of direct-action statute and first impression decision that policy was rejected by the bankruptcy estate as an executory contract, Riley v. Mutual Ins. Co. Ltd., 2019 U.S. Dist. LEXIS 121123 (E.D. Pa. Jan. 9, 2019), aff’d, 805 Fed. App’x 143 (3d Cir. 2020)
  • Successfully represented insurer in coverage litigation involving alleged unlawful collection of personal information, OneBeacon Am. Ins. Co. v. Urban Outfitters, Inc., 21 F. Supp. 3d 426 (E.D. Pa. 2014), aff’d, 625 Fed. App’x 117 (3d Cir. 2015)
  • Successfully represented insurer in coverage litigation involving underlying class action alleging false advertising, Cincinnati Ins. Co. v. KT Health Holdings, LLC, 2017 U.S. Dist. LEXIS 44432 (D. Mass. March 27, 2017)
  • Successful defense of school district in coverage litigation over high-profile class action lawsuit accusing district of using webcams in school-issued laptops to spy on students at home
  • Successfully represented media in matter involving criminal action pending in the Tribunal de Grande Instance (Paris) in connection with film production of a fictionalized account of French politician’s visit to New York

Presentations and publications

Presentations

  • “Days of reckoning: How to prepare for, respond to, and recover from ransomware and other cyberattacks,” In-House Client Training (June 2024)
  • “Navigating the future of privacy & compliance in the age of AI,” In-House client training (February 2024)
  • “Privacy litigation update and trends,” In-House Client Training (February 2024)
  • “2023 Business Formation Considerations: Delaware vs Florida and Related Cybersecurity Concerns,” presented for Brazilian-American Chamber of Commerce of Florida (November 2023)
  • “Guide to Data Breaches, Cybersecurity Regulations, and Ensuing Litigation,” presented for Thomas Reuters and Lexeprint, Inc. (September 2023)
  • “2022 Year in Review: Cybersecurity Information Sharing Act (CISA),” presented for Thomas Reuters and Lexeprint, Inc. (December 2022)
  • “The day after a cyberattack: An anatomy of benchmarks, procedures, and fallout,” In-House Client Training (November 2022)
  • “Around the World in 50 Minutes,” NetDiligence (October 2022)
  • “Silent Cyber Issues,” In-House Client Training (September 2022)
  • “Kennedys US Cyber Team Capabilities + Current trends discussion,” In-House Client Training (July 2022)
  • “Ransomware Attacks & Threat Actor Engagement,” presented at the PBI Cyber Conference (April 2022)
  • “OFAC & Regulatory Compliance When Responding to Ransomware,” In-House Client Training, Fort Lauderdale (February 2022)
  • “OFAC and Responding to a Ransomware Attack,” NetDiligence (January 2022)
  • “The Risk of Silent Cyber Claims,” In-House Client Training (September, December 2021)
  • “Cyber Security Claims,” Maguire Academy of Insurance & Risk Management in the Haub School of Business at Saint Joseph’s University (September 2021)
  • “The Risk of Silent Cyber Claims,” NAMIC Annual Convention (September 2021)
  • “Data Privacy Litigation and Regulatory Update,” NetDiligence (July 2021)
  • “A Guide for In-House Lawyers and Senior Leadership at Companies to Manager Cybersecurity Class Action Disputes,” Lexeprint (May 2021)
  • "In Case of Emergency, Break Glass: Responding to a Ransomware Attack" presented for the Pennsylvania Bar Institute (May 2021)
  • “Ransomware: Where Do We Go From Here?” presented for the American Bar Association (February 2021)
  • “Coverage 101,” In-House Client Training (February 2021)
  • “Cybersecurity in the Post-Pandemic World: Not Another Dystopian Tale?” presented for CLM (December 2020)
  • “Attorney's Guide to Effectively Advising the Board in the Event of a Data Breach” (October 2020)
  • “Best Practices for Placing Cutting Edge "Cyber" Insurance: Policyholder, Insurer and Broker Perspectives” presented for the Potomac Law Group (September 2020)
  • “Best Practices for Placing Cutting-Edge "Cyber" Insurance: Policyholder, Insurer and Broker Perspectives” presented for ABA (August 2020)
  • “Creating a Data Privacy Compliance Program on a Limited Budget” presented for Arthur J. Gallagher’s Cyber Insight Series (July 2020)
  • “Building A Compliance Program Without Breaking the Bank” presented for the NetDiligence Cyber Risk Virtual Summit (July 2020)
  • “Cyber and Operational Risk From a Remote Workforce” published for the Legalist (June 2020)
  • “It Was Tricky Before COVID-19 - How Do You Build a Data Privacy and Security Resiliency Program Now?” presented for the ABA (May 2020)
  • “The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate?” presented for the Privacy + Security Forum (May 2020)
  • “COVID-19: Working Remotely - What Attorneys Need to Know to Avoid Cyberthreats and Privacy Risks” presented for ABA TIPS Cybersecurity (March 2020)
  • “Transitioning to a Remote Workforce: Addressing Cybersecurity and Data Privacy Concerns in the Legal World” presented for PBI (March 2020)
  • “Steps To Take to Prepare Your Workplace During COVID-19” presented for PBI (March 2020)
  • “Mastering Ethical Issues in the Cybersecurity Space” presented for ABA TIPS Cybersecurity Conference (March 2020)
  • “CCPA: How Do You Prepare?” presented (December 2019)
  • “The Limits of Cyber Insurance” presented for The Wall Street Journal Cybersecurity Executive Forum (December 2019)
  • “Arthur Hall Insurance: Data Protection Seminar” presented for the Wilmington Country Club (October 2019)
  • “New Ideas to Strengthen Your Firm Against Relentless Cyber Criminals” presented for the 19th Annual IA Compliance Master Emerging Challenges (September 2019)
  • “Cyber Liability: Preventing, Responding & Resolving” presented for PBI (June 2019)
  • “Various Types of Cyber Coverages: How They Interact with Other Types of Insurance, Including Property, General Liability and E&O Policies” presented for Perrin Conference for Insurance Coverage & Allocation Issues (May 2019)
  • “Data Protection and Privacy Compliance: Steps to Safeguard Your Data and Minimize Liability” presented for Philly Tech Week 2019 (May 2019)
  • “Emerging Issues in Civil Litigation” presented for PBA Civil Litigation Section Retreat (May 2019)
  • “Cybersecurity and Technology: Ethical Considerations for Lawyers” presented at the Pennsylvania Bar Association 2019 Midyear Meeting (February 2019)

Publications

  • Co-author, “Pa.'s Insurance Data Security Law – Getting ready for the second phase,” published for Legal Intelligencer (August 2024)
  • Author, “Searching for Yes: Defining consent in website data procession and online litigation,” published for Legal Intelligencer (April 2024)
  • Co-author, “Is AI Right for Your Company? Four Things General Counsel Should Consider,” published for Legal Intelligencer (January 2024)
  • Co-author, “5 ways to reduce legal risk with privacy policies,” published for Risk Management (December 2023)
  • Author, “October Cyber Bag: UK Adequacy Decision, Pa.'s Insurance Data Security Act and CDPA,” published for ALM Legal Intelligencer (October 2023)
  • Co-author, “Pennsylvania - Sectoral Privacy Overview,” published for OneTrust DataGuidance (August 2023)
  • Author, “The New EU-US Data Privacy Framework: 5 things to know for GCS outside privacy counsel,” published for ALM Legal Intelligencer (August 2023)
  • Author, “With rising consumer privacy litigation, is it time to dust off those online policies?” published for ALM Legal Intelligencer (April 2023)
  • Author, “'Popa,' 'Facebook,' and 3 things GCs should know about cookies, wiretapping and webpages,” published for ALM Legal Intelligencer (January 2023)
  • Co-author, “Notice and process of service via NFTs: A new frontier in tech and litigation?” published for Kennedys (July 2022)
  • Co-author, “Connecticut’s new consumer data privacy law: a New Haven for privacy protection? Not exactly,” published for Kennedys (May 2022)
  • Co-author, “An in-depth look at the target decision finding that loss-of-use damages included costs of replacing payment cards compromised in data breach,” published for Kennedys (April 2022)
  • Co-author, “Virginia Slim- A cheat sheet for the Utah Consumer Privacy Act,” published for Kennedys (March 2022)
  • Co-author, “What one court giveth, a brother court taketh away: Thermoflex and 3 policy exclusions in the context of BIPA,” published for Kennedys (March 2022)
  • Co-author, “What is hostile or warlike?: An in-depth look at the Merck war exclusion decision and its shortfalls,” published for Kennedys (January 2022)
  • Co-author, “In a new BIPA decision, coverage barred by Employment-Related Practices exclusion, but not by Access or Disclosure of PI exclusion,” published for Kennedys (January 2022)
  • Co-author, “Seventh Circuit punts BIPA claim accrual question to Illinois Supreme Court,” published for Kennedys (December 2021)
  • Co-author, "’Cyber-ing around the Christmas tree’ Kennedys 2021 cybersecurity and privacy (US) year in review" published for Kennedys (December 2021)
  • Co-author, “Massachusetts Bay v. Impact Fulfillment and its impact on the duty to defend BIPA claims,” published for Kennedys (October 2021)
  • Co-author, “SEC Cyber Orders: If You Say It, Do It and Make Required Incident Disclosures,” published for Kennedys (September 2021)
  • Co-author, “PRC enacts the Personal Information Protection Law: a 10-point cheat sheet,” published for Kennedys (September 2021)
  • Co-author, “No click-bait here: Click-wrap mandatory arbitration clause in your Terms of Use,” published for Kennedys (August 2021)
  • Co-author, “Lessons learned from the California AG’s CCPA Enforcement Announcement,” published for Kennedys (August 2021)
  • Co-author, “Four states update their breach notification laws,” published for Kennedys (August 2021)
  • Co-author, “New Connecticut law incentivizes better cyber measures through litigation safe harbor,” published for Kennedys (July 2021)
  • Co-author, “Another holding that a data breach forensics report is not privileged,” published for Kennedys (July 2021)
  • Co-author, “Fifth Circuit holds GL Carrier must defend data breach litigation,” published for Kennedys (July 2021)
  • Co-author, “New York City biometric privacy law now in effect,” published for Kennedys (July 2021)
  • Co-author, “NY DFS issues new guidance on ransomware,” published for Kennedys (July 2021)
  • Author, “A cheat sheet for Colorado’s forthcoming new privacy act,” published for Kennedys (June 2021)
  • Author, “Tik Tok: In 60 Seconds, 4 takeaways from the Colonial Pipeline Cyberattack that every company should know,” published for Kennedys (June 2021)
  • Co-author, “Illinois Supreme Court rules that carrier has duty to defend BIPA lawsuit,” published for Kennedys (May 2021)
  • Author, “Does computer fraud coverage include ransomware payments? The Indiana Supreme Court believes so,” published for Kennedys (March 2021)
  • Co-author, “Cyber underwriting report released by Bermuda Monetary Authority: And it may remind you of another regulator’s recent report,” published for Kennedys (February 2021)
  • Author, “Breaking down New York's Department of Financial Services' new cyber insurance framework,” published for Kennedys (February 2021)
  • Author, “"US data privacy rights cometh: multiple states contemplating passage of significant data rights legislation,” published for Kennedys (February 2021)
  • Co-Author, “Between a Rock and a Hard Place: Advisories Target Ransomware Victims, Insurers” published for the Legal Intelligencer (November 2020)
  • Author, “With Anticipated Cyberattacks, Protecting Data Breach Reports From Discovery” published for the Legal Intelligencer (August 2020)
  • Co-Author, “Despite COVID-19, Here Are 4 Easy Steps for Data Privacy, Security Compliance” published for the Legal Intelligencer (May 2020)
  • Co-Author, “Financial Services Firms Face New Cybersecurity Regulation”, published for Risk Management (May 2020)
  • Author, “Phishing Scam Does Not Implicate Forgery Coverage, Court Requests Further Briefing for Computer Fraud Coverage” published for Pratt's Privacy and Cybersecurity Law Report (May 2020)
  • Author, “Policyholders' Biometric Suit Coverage Buoyed by Ill. Ruling” published for Law360 (March 2020)
  • Co- Author, “Cyber update: Personal Certification by Corporate executives on the Rise” published for the Legal Intelligencer (March 2020)
  • Author, “E-Mail Phishing Scam: Coverage For "Social Engineering" published for Coverage Opinions (February 2020)
  • Author, “Ransomware Victims Get New Path To Coverage In Md. Ruling” published for Law360 (January 2020)
  • Co-Author, “Why GDPR Should Not Stifle Information Sharing” published for The Risk Management Society (April 2019)
  • Co- Author, “What Types of Insurance for Startups? Consider Your Risks and Liabilities” published for JD Supra Corporate Law Report (March 2019)
  • Co- Author, “Threat Information Sharing Under GDPR” published for The SciTech Lawyer, (March 2019)
  • Co- Author, “How a Misunderstanding of GDPR Could Heighten Cyber Exposure” published for Business Insurance (February 2019)
  • Author, “Elections Aside, Pennsylvania and Ohio Provide Insight for National Duties of Care in Cybersecurity” published for the American Bar Association Tort Trial and Insurance Practice (Winter 2019)