Admissions
• District of Columbia
• Pennsylvania
• US Court of Appeals for the Third Circuit
• US District Court for the District of Columbia
• US District Court for the Eastern and Western Districts of Pennsylvania

Education
• Georgetown University Law Center, JD, magna cum laude, Order of the Coif, 2000
• University of Cambridge, Girton College, MPhil, 1994
• Loyola University Maryland, BA, cum laude, 1993

Josh is the firm’s head for US Cyber and Data Privacy and is based in Philadelphia.

Josh advises clients on a wide array of data privacy and security, including breach response, compliance under such laws as CCPA, HIPAA, New York’s DFS Cyber Regulation and the SHIELD Act, and BIPA, and big data usage and licensing. Josh also advises on cross-border data transfers and implementation of privacy and security protocols.

In addition, Josh represents insurers in media and cyber liability coverage matters. He has litigated at trial and appellate levels throughout the country, winning two cases involving matters of first impression before the United States Court of Appeals for the Third Circuit, and litigating one of the first cyber coverage matters in the Commonwealth of Pennsylvania.

Josh is an integral part of Kennedys global 24/7 breach response services and data privacy services, coordinating responses in North America and managing notification requirements worldwide. Josh also is a key member of Kennedys global privacy services.

Josh regularly writes and lectures on cybersecurity and data privacy and coverage issues. He has guest-lectured on cyber law and insurance at Temple University Fox School of Business and Rutgers Law School, and has been quoted in The Wall Street Journal, S&P Global Market Intelligence, Law360, Business Insurance, Claims Journal, and Compliance Week. He also served as an editor for a working group of X9, an ANSI-accredited standards developing organization, to develop a universal standard for data protection and data breach notification in the financial services industry.

Currently, Josh is a former Vice Chair of the ABA TIPS Cybersecurity and Data Privacy Committee, and is the founding Chair and current Co-Chair of the Cybersecurity and Data Privacy Committee for the Pennsylvania Bar Association. He is also a founding member of The Oxford & Cambridge Society of Philadelphia, and has been selected by Cambridge in America and the University of Cambridge as an official alumnus contact for the Commonwealth of Pennsylvania.



Market recognition

  • Recognized by Pennsylvania Super Lawyers (2020-2021)

Work highlights

CYBER

  • Advised and assisted clients with response to varying cyberattacks
  • Coordinated both national and international notification compliance efforts in response to significant data breaches as part of Kennedys global incident response coverage 
  • Negotiated data licensing agreements and processing agreements on behalf of mobile application developer for white-labeled services
  • Advised and helped prepare for corporate client international data transfer agreement for organization with worldwide operations, affiliates, and subsidiaries
  • Advised and prepared for corporate client multiple internal and external cross-border data transfer and processing agreements
  • Advised and assisted clients with drafting and implementing information security programs under the CCPA, SHIELD Act, Dittman,  and New York DFS cyber regulation 23 NYCRR 500, and GDPR
  • Advised insurance industry clients with compliance under NAIC Model Law on Insurance Data Security, as promulgated by applicable jurisdiction
  • Drafted/negotiated InsurTech and start-up licensing and service agreements, resolving issues regarding data ownership, use, security and privacy of data

INSURANCE

  • Assisted multiple cyber insurance carriers with drafting of cyber provisions
  • Successfully represented media insurer in connection with underlying litigation brought against large, nationally-known university for false reporting to third-party ranking publications in order to bolster national rankings
  • Successfully represented insurer in connection with underlying class action alleging wrongful disclosure of disability information, privacy violations, and discrimination against college board testing organization, Bloom v ACT, Inc.
  • Successfully represented media insurer in connection with underlying defamation lawsuit filed against bankrupt online media periodical, winning narrow construction of direct-action statute and first impression decision that policy was rejected by the bankruptcy estate as an executory contract, Riley v. Mutual Ins. Co. Ltd., 2019 U.S. Dist. LEXIS 121123 (E.D. Pa. Jan. 9, 2019), aff’d, 805 Fed. App’x 143 (3d Cir. 2020)
  • Advised cyber insurers in various underlying cybersecurity attacks, including data breaches, ransomware and double-exploitations matters, business email compromise and social engineering matters, MSP attacks;
  • Successfully represented insurer in coverage litigation involving alleged unlawful collection of personal information, OneBeacon Am. Ins. Co. v. Urban Outfitters, Inc., 21 F. Supp. 3d 426 (E.D. Pa. 2014), aff’d, 625 Fed. App’x 117 (3d Cir. 2015)
  • Successfully represented insurer in coverage litigation involving underlying class action alleging false advertising, Cincinnati Ins. Co. v. KT Health Holdings, LLC, 2017 U.S. Dist. LEXIS 44432 (D. Mass. March 27, 2017)
  • Successful defense of school district in coverage litigation over high-profile class action lawsuit accusing district of using webcams in school-issued laptops to spy on students at home
  • Successfully represented media in matter involving criminal action pending in the Tribunal de Grande Instance (Paris) in connection with film production of a fictionalized account of French politician’s visit to New York
  • Defense of insurer in coverage litigation brought by national retailer involving underlying intellectual property infringement and violation of Indian Arts and Crafts Act
  • Advised insurance carriers on various coverage matters involving reality television programming

Publications and presentations

THIRD-PARTY

  • “Silent Cyber Issues,” In-House Client Training (September 2022)
  • “Kennedys US Cyber Team Capabilities + Current trends discussion,” In-House Client Training (July 2022)
  • “Ransomware Attacks & Threat Actor Engagement,” presented at the PBI Cyber Conference (April 2022)
  • “OFAC & Regulatory Compliance When Responding to Ransomware,” presented for NetDiligence, Fort Lauderdale (February 2022)
  • “Cyber Security Claims,” Maguire Academy of Insurance & Risk Management in the Haub School of Business at Saint Joseph’s University (September 23, 2021)
  • “The Risk of Silent Cyber Claims,” NAMIC Annual Convention (September 20, 2021)
  • “Data Privacy Litigation and Regulatory Update,” NetDiligence (July 14, 2021)
  • “A Guide for In-House Lawyers and Senior Leadership at Companies to Manager Cybersecurity Class Action Disputes,” Lexeprint (May 25, 2021)
  • "In Case of Emergency, Break Glass: Responding to a Ransomware Attack" presented for the Pennsylvania Bar Institute (May 2021)
  • “Ransomware: Where Do We Go From Here?” presented for the American Bar Association (February 2021)
  • “Cybersecurity in the Post-Pandemic World: Not Another Dystopian Tale?” presented for CLM (December 2020)
  • Co-Author, “Between a Rock and a Hard Place: Advisories Target Ransomware Victims, Insurers” published for the Legal Intelligencer (November 2020)
  • “Attorney's Guide to Effectively Advising the Board in the Event of a Data Breach” presented October 2020
  • “Best Practices for Placing Cutting Edge "Cyber" Insurance: Policyholder, Insurer and Broker Perspectives” presented for the Potomac Law Group (September 2020)
  • Author, “With Anticipated Cyberattacks, Protecting Data Breach Reports From Discovery” published for The Legal Intelligencer (August 2020)
  • “Best Practices for Placing Cutting-Edge "Cyber" Insurance: Policyholder, Insurer and Broker Perspectives” presented for ABA (August 2020)
  • “Creating a Data Privacy Compliance Program on a Limited Budget” presented for Arthur J. Gallagher’s Cyber Insight Series (July 2020)
  • “Building A Compliance Program Without Breaking the Bank” presented for the NetDiligence Cyber Risk Virtual Summit (July 2020)
  • “Cyber and Operational Risk From a Remote Workforce” published for the Legalist (June 2020)
  • Co-Author, “Despite COVID-19, Here Are 4 Easy Steps for Data Privacy, Security Compliance” published for The Legal Intelligencer (May 2020)
  • “It Was Tricky Before COVID-19 - How Do You Build a Data Privacy and Security Resiliency Program Now?” presented for the ABA (May 2020)
  • “The Expanding Universe of Biometric Data: Embrace, Curtail, or Regulate?” presented for the Privacy + Security Forum (May 2020)
  • Co-Author, “Financial Services Firms Face New Cybersecurity Regulation”, published for Risk Management (May 2020)
  • Author, “Phishing Scam Does Not Implicate Forgery Coverage, Court Requests Further Briefing for Computer Fraud Coverage” published for Pratt's Privacy and Cybersecurity Law Report (May 2020)
  • “COVID-19: Working Remotely - What Attorneys Need to Know to Avoid Cyberthreats and Privacy Risks” presented for ABA TIPS Cybersecurity (March 2020)
  • Author, “Policyholders' Biometric Suit Coverage Buoyed by Ill. Ruling” published for Law360 (March 2020)
  • “Transitioning to a Remote Workforce: Addressing Cybersecurity and Data Privacy Concerns in the Legal World” presented for PBI (March 2020)
  • “Steps To Take to Prepare Your Workplace During COVID-19” presented for PBI (March 2020)
  • Co- Author, “Cyber update: Personal Certification by Corporate executives on the Rise” published for The Legal Intelligencer (March 2020)
  • “Mastering Ethical Issues in the Cybersecurity Space” presented for ABA TIPS Cybersecurity Conference (March 2020)
  • Author, “E-Mail Phishing Scam: Coverage For "Social Engineering" published for Coverage Opinions (February 2020)
  • Author, “Ransomware Victims Get New Path To Coverage In Md. Ruling” published for Law360 (January 2020)
  • “CCPA: How Do You Prepare?” presented (December 2019)
  • “The Limits of Cyber Insurance” presented for The Wall Street Journal Cybersecurity Executive Forum (December 2019)
  • “Arthur Hall Insurance: Data Protection Seminar” presented for the Wilmington Country Club (October 2019)
  • “New Ideas to Strengthen Your Firm Against Relentless Cyber Criminals” presented for the 19th Annual IA Compliance Master Emerging Challenges (September 2019)
  • “Cyber Liability: Preventing, Responding & Resolving” presented for PBI (June 2019)
  • “Various Types of Cyber Coverages: How They Interact with Other Types of Insurance, Including Property, General Liability and E&O Policies” presented for Perrin Conference for Insurance Coverage & Allocation Issues (May 2019)
  • “Data Protection and Privacy Compliance: Steps to Safeguard Your Data and Minimize Liability” presented for Philly Tech Week 2019 (May 2019)
  • “Emerging Issues in Civil Litigation” presented for PBA Civil Litigation Section Retreat (May 2019)
  • Co-Author, “Why GDPR Should Not Stifle Information Sharing” published for The Risk Management Society (April 2019)
  • Co- Author, “What Types of Insurance for Startups? Consider Your Risks and Liabilities” published for JD Supra Corporate Law Report (March 2019)
  • Co- Author, “Threat Information Sharing Under GDPR” published for The SciTech Lawyer, (March 2019)
  • Author, “Elections Aside, Pennsylvania and Ohio Provide Insight for National Duties of Care in Cybersecurity” published for the American Bar Association Tort Trial and Insurance Practice (Winter 2019)
  • Co- Author, “How a Misunderstanding of GDPR Could Heighten Cyber Exposure” published for Business Insurance (February 2019)
  • “Cybersecurity and Technology: Ethical Considerations for Lawyers” presented at the
  • Pennsylvania Bar Association 2019 Midyear Meeting (February 2019)
  • “How to Mediate a Cyber Dispute” presented at the CLM Insurance Conference (December 2018)
  • Co-Author, “Threat Information Sharing and GDPR: A Lawful Activity that Protects Personal Data” (Fall 2018)
  • “Law Firms and Cybersecurity: Are You Ready for a Cyberattack?” presented for the Northampton County Bar Association Bench Bar Conference (October 2018)
  • Author, “Medidata and American Tooling Courts Misunderstood Tech” published for Law360 (September 2018)
  • “GDPR’s Effect on Incident Response Here in the U.S.” presented for the Business Resiliency Committee for the Financial Services Information Sharing & Analysis Center (June 2018)
  • Author, “Internet of Medical Things Resilience Partnership Act of 2017” published for The ALI Advisor (October 2017)
  • Co- Author, “5 Things Insurers' GCs and Their Boards Must Know for Cybersecurity” published for The Legal Intelligencer (August 2017)
  • “Cyber Insurance - Assessment of the Risk and Analysis of Available Coverages” presented for the Perrin Conference for Emerging Insurance Coverage & Allocation Issues (May 2017)

KENNEDYS

  • Co-author, “Notice and process of service via NFTs: A new frontier in tech and litigation?” published for Kennedys (July 2022)
  • Co-author, “Connecticut’s new consumer data privacy law: a New Haven for privacy protection? Not exactly,” published for Kennedys (May 2022)
  • Co-author, “An in-depth look at the target decision finding that loss-of-use damages included costs of replacing payment cards compromised in data breach,” published for Kennedys (April 2022)
  • Co-author, “Virginia Slim- A cheat sheet for the Utah Consumer Privacy Act,” published for Kennedys (March 2022)
  • Co-author, “What one court giveth, a brother court taketh away: Thermoflex and 3 policy exclusions in the context of BIPA,” published for Kennedys (March 2022)
  • Co-author, “What is hostile or warlike?: An in-depth look at the Merck war exclusion decision and its shortfalls,” published for Kennedys (January 2022)
  • Co-author, “In a new BIPA decision, coverage barred by Employment-Related Practices exclusion, but not by Access or Disclosure of PI exclusion,” published for Kennedys (January 2022)
  • Co-author, “Seventh Circuit punts BIPA claim accrual question to Illinois Supreme Court,” published for Kennedys (December 2021)
  • “The Risk of Silent Cyber Claims,” In-House Client Training (September, December 2021)
  • Co-author, "’Cyber-ing around the Christmas tree’ Kennedys 2021 cybersecurity and privacy (US) year in review" published for Kennedys (December 2021)
  • Co-author, “Massachusetts Bay v. Impact Fulfillment and its impact on the duty to defend BIPA claims,” published for Kennedys (October 2021)
  • Co-author, “SEC Cyber Orders: If You Say It, Do It and Make Required Incident Disclosures,” published for Kennedys (September 2021)
  • Co-author, “PRC enacts the Personal Information Protection Law: a 10-point cheat sheet,” published for Kennedys (September 2021)
  • Co-author, “No click-bait here: Click-wrap mandatory arbitration clause in your Terms of Use,” published for Kennedys (August 2021)
  • Co-author, “Lessons learned from the California AG’s CCPA Enforcement Announcement,” published for Kennedys (August 2021)
  • Co-author, “Four states update their breach notification laws,” published for Kennedys (August 2021)
  • Co-author, “New Connecticut law incentivizes better cyber measures through litigation safe harbor,” published for Kennedys (July 2021)
  • Co-author, “Another holding that a data breach forensics report is not privileged,” published for Kennedys (July 2021)
  • Co-author, “Fifth Circuit holds GL Carrier must defend data breach litigation,” published for Kennedys (July 2021)
  • Co-author, “New York City biometric privacy law now in effect,” published for Kennedys (July 2021)
  • Co-author, “NY DFS issues new guidance on ransomware,” published for Kennedys (July 2021)
  • Author, “A cheat sheet for Colorado’s forthcoming new privacy act,” published for Kennedys (June 2021)
  • Author, “Tik Tok: In 60 Seconds, 4 takeaways from the Colonial Pipeline Cyberattack that every company should know,” published for Kennedys (June 2021)
  • Co-author, “Illinois Supreme Court rules that carrier has duty to defend BIPA lawsuit,” published for Kennedys (May 2021)
  • Author, “Does computer fraud coverage include ransomware payments? The Indiana Supreme Court believes so,” published for Kennedys (March 2021)
  • “Coverage 101,” In-House Client Training (February 2021)
  • Co-author, “Cyber underwriting report released by Bermuda Monetary Authority: And it may remind you of another regulator’s recent report,” published for Kennedys (February 2021)
  • Author, “Breaking down New York's Department of Financial Services' new cyber insurance framework,” published for Kennedys (February 2021)
  • Author, “"US data privacy rights cometh: multiple states contemplating passage of significant data rights legislation,” published for Kennedys (February 2021)