
The Jeffrey Gross Show | With Rebecca Rakoski Esq. of XPAN Law Partners | Episode 17

delvalmediadigital

Introduction

In a world where data is the new currency, the legal landscape is shifting beneath our feet. In this episode of The Jeffrey Gross Show, host Jeffrey Gross, Esq., and co-host Joe Dougherty sit down with Rebecca Rakoski, Esq., the Managing Partner at XPAN Law Partners. Rakoski is a titan in the field of cybersecurity and data privacy law, bringing a decade of specialized experience to a conversation that spans from the intricacies of HIPAA to the “James Bond-esque” world of international hackers and ransomware.

The Intersection of Workers’ Comp and Data Privacy

While Jeffrey Gross specializes in Pennsylvania and New Jersey workers’ compensation, the conversation highlights a critical overlap: medical records. In the digital age, the transmission of sensitive health data is no longer done via paper and mail. It moves through a complex web of hospital portals, electronic discovery tools, and legal databases.

Rakoski explains that data privacy laws “follow the subject.” This means if a Philadelphia-based company holds data on a resident in Oklahoma or a citizen in the EU, they must comply with the specific laws of those jurisdictions. For workers’ compensation attorneys, this adds a layer of complexity to ensuring that client information doesn’t end up “in the wind” following a breach at a third-party medical provider.

The Reality of Ransomware: Victims as Defendants

One of the most striking points made by Rakoski is the unique nature of cyber law. In almost every other area of the law, the victim of a crime is just that—a victim. However, in cybersecurity, the victim of a hack is often the defendant in a civil lawsuit. When a company is breached, they are legally obligated to disclose the incident. Failure to do so can result in massive state and federal fines. If personal data—such as Social Security numbers or financial records—is compromised, the company can be sued by its own employees, union members, or customers. Rakoski acts as the “quarterback” in these scenarios, managing forensic investigators, insurance carriers, and legal notifications to mitigate the fallout.

The AI Revolution: A Double-Edged Sword

The episode concludes with a fascinating look at Artificial Intelligence. While AI can streamline legal research, it has also “hallucinated” fake case law, leading to the reprimand of attorneys who failed to proofread their work.

More alarmingly, Rakoski notes that AI has “helped hackers immeasurably.” Gone are the days of spotting a phishing email by its poor grammar. Today, hackers use AI to craft hyper-localized messages. An email might mention grabbing a hoagie from Wawa to gain the trust of a Philadelphia executive, making “social engineering” attacks more effective—and dangerous—than ever before.

Key Takeaways:

  • Data Privacy is Global: Laws follow the individual, not the company headquarters.

  • The Cybersecurity “Quarterback”: Why immediate legal retention is vital for maintaining attorney-client privilege during a breach.

  • AI Phishing: How hackers use tools like ChatGPT to create authentic-looking local scams.

  • Manufacturing Vulnerability: Why “offline” industries are now prime targets for ransomware.


Episode Transcript

Date: March 4, 2025

Host: Jeffrey Gross, Esq.

Co-Host: Joe Dougherty

Guest: Rebecca Rakoski, Esq. (Managing Partner at XPAN Law Partners)

Speaker 1 (Announcer): The following programming is sponsored by DND Media. The views expressed do not necessarily reflect the views of this station, its management, or Beasley Media Group.

Speaker 2 (Joe Dougherty): All right, ladies and gentlemen around the Delaware Valley, welcome to the Jeff Gross Show here on WWDB Talk 860. We’ve got a fantastic broadcast. Certainly, we’re going to be entering into discussions in new areas of the law. Jeff, how are you, sir?

Speaker 3 (Jeffrey Gross): I’m good, Joe. How are you? Cannot complain at all.

Speaker 2 (Joe Dougherty): Certainly, you and I haven’t talked since the big Super Bowl win. So that was a feat. And being down here at 15th and JFK, you know, you would think it would be a good vantage point to watch the parade from my office.

Speaker 3 (Jeffrey Gross): Were you here? Did you try? It would have been great, except I was unfortunately unable to be here. I was stuck speaking at a conference in Miami. In fact, I even closed my office so that everyone could go to the parade.

Speaker 2 (Joe Dougherty): Okay, well, that’s great. Certainly, we have Rebecca Rakoski, who’s our guest today. She is the Managing Partner at XPAN Law Partners. Rebecca, how are you?

Speaker 4 (Rebecca Rakoski): I’m great. Thanks, Joe. How are you?

Speaker 2 (Joe Dougherty): I’m fantastic. You’re a little informal talk at the beginning. Where are you originally from?

Speaker 4 (Rebecca Rakoski): I’m originally from South Jersey, born and raised, and yeah, I’ve lived here my whole life. I went to school in Maryland and slowly kind of made my way back to New Jersey. I’ve been practicing law in this area for 20 years.

Speaker 2 (Joe Dougherty): Did you get a chance to watch the Super Bowl?

Speaker 4 (Rebecca Rakoski): It would have been impossible in my house not to. Yes, we watched it. The first half, we were holding our breath a little bit, and then when they started to pull away in the second half of the game, there was a lot of celebrating in my house.

Speaker 2 (Joe Dougherty): Well, it’s interesting you say that because on Facebook, they have these reels—they’re like TikToks or whatever—and there was a comedian talking about Philadelphia and how even though we were up 34 to nothing, we were still irritable and nervous waiting for the other shoe to drop.

Speaker 4 (Rebecca Rakoski): Well, we felt like we’ve had that experience before, right? I mean, we were down this road once before with Kansas City.

Speaker 2 (Joe Dougherty): And so my automatic thinking was about the two biggest comebacks in the history of football. That would be in the Super Bowl, Tom Brady up 27–3. So that was looming in one side of my brain. And the other one—Jeff, I don’t know if you know what the other comeback was—but it was Houston and the Bills, 34 to 7. It happens.

Speaker 3 (Jeffrey Gross): That would have been a disaster if that happened.

Speaker 2 (Joe Dougherty): Oh, yeah, they would have had to grease the bridges. We did a show last week where we talked about the liabilities of a parade, greasing the poles, and all those things—all the personal injuries that probably happened, including Dram Shop liability. But obviously, it was a massive celebration. By the way, Rebecca and Jeff, I’ve had people say to me, “Well, you know, I wish it was closer.” Are you kidding me? Do I need that headache?

Speaker 4 (Rebecca Rakoski): No, I don’t need that kind of anxiety.

Speaker 2 (Joe Dougherty): Exactly. I remember when we finally won our first one against Tom Brady. I need to see one Super Bowl, one parade down Broad Street. And right where we’re at right now in Jeff’s office is “Parade Central.” So let’s remind our listeners, Jeff—if you will remind our listeners—obviously about you and the practice.

Speaker 3 (Jeffrey Gross): So, I handle all workers’ compensation claims in Pennsylvania. We do New Jersey also, but all throughout the state, on behalf of the injured workers. We do not represent any insurance companies or any employers. I’ve been doing this for 35 years.

Speaker 2 (Joe Dougherty): Fantastic. And Rebecca, if you will, as our guest, tell our listeners a little bit about your background and your pathway to where you are.

Speaker 4 (Rebecca Rakoski): Sure. We have our own law firm; it is a data privacy and cybersecurity-focused law firm. It’s really all we do. I’ve been practicing in this space exclusively for about 10 years now. Before that, I did a lot of large-scale commercial litigation. But when I started my own practice, I really wanted to focus on cybersecurity and data privacy because it’s such a dynamic regulatory and legal environment. I felt that “dabbling” in it would just not work.

We work with organizations from small startups all the way to large multinational corporations who are looking for counsel who is appropriately aggressive and extremely knowledgeable in this area. In addition to that, I’m also an adjunct professor at Drexel Kline School of Law, where I teach international data privacy and cyber law, along with enterprise risk management. I’m also an adjunct at University of Miami teaching domestic data privacy, and I am the contributing author to Thomson Reuters’ textbook on international data privacy and HIPAA.

Speaker 2 (Joe Dougherty): So how did you get into that area?

Speaker 4 (Rebecca Rakoski): I have always been drawn to technology. I did a lot of work in electronic discovery in my early days of practice. It was all on paper then, so I witnessed the evolution from paper discovery into electronic discovery. I helped write the complex business litigation rules for the State of New Jersey on their electronic discovery portions. I saw some holes in datasets at one point and realized the client had a data issue. It sparked my interest, and I started studying all that I could. Ten years later, I get up every morning excited to do this work.

Speaker 2 (Joe Dougherty): Well, it’s interesting, Jeff, because we’ve been doing the show for 10 years, and we have not talked about this area of the law before.

Speaker 3 (Jeffrey Gross): It is a very cool area of the law to interject our practices together. With regard to our clients, I can tell you that my clients’ data is very important because you don’t want to divulge any attorney-client privileged information. If cybersecurity is not present, that can easily happen.

Speaker 2 (Joe Dougherty): There’s a civil area of the law here, but is there a criminal element also in regards to data protection breaches and hackers?

Speaker 4 (Rebecca Rakoski): There are state and federal laws that are impacted by data breaches. Companies are sued civilly, but the hackers are absolutely subject to state and federal law—to the extent you can find them, which is always the tough part.

Speaker 2 (Joe Dougherty): When there is a situation where it was hackers, do you ever work in tandem with a federal agency?

Speaker 4 (Rebecca Rakoski): I actually have worked many times with the FBI and the U.S. Secret Service on data breaches. Never where they are investigating my client for wrongdoing, but always where they’re assisting us in trying to uncover who the threat actor was. You also have federal agencies like the Office of Civil Rights, which administers and enforces HIPAA. There are criminal penalties associated with HIPAA, though they usually keep it in the civil context unless it’s really egregious.

Speaker 2 (Joe Dougherty): Jeff, in your world, obviously HIPAA is at the forefront. How does that impact you with your clients’ medical records?

Speaker 3 (Jeffrey Gross): Medical records are very sensitive. But in workers’ compensation, HIPAA regulations generally don’t protect the claimants because their credibility is on the line. Their medical records must be divulged for the opposition to review and cross-examine. If we have them in our possession, we have to turn them over. However, the opposition often asks for prior records we don’t have. Medical providers want authorizations signed, and I don’t think clients can be compelled to sign an authorization. The records can be subpoenaed, which HIPAA doesn’t apply to, or if we have them, we turn them over.

Speaker 2 (Joe Dougherty): Rebecca, who are typically your clients?

Speaker 4 (Rebecca Rakoski): I get retained by law firms, accounting firms, and a lot of manufacturing companies. People think manufacturing doesn’t have data that needs protecting, but their processes are protected by intellectual property. Also, machines run off the internet now. If someone ransomware-attacks that computer and locks you out, you can’t do your job. I also work with healthcare providers, health and welfare funds, union pension funds—anybody that has data and finances to protect.

Speaker 2 (Joe Dougherty): What about jurisdiction? If a company is in Philadelphia but dealing with people across the country, which laws cover them?

Speaker 4 (Rebecca Rakoski): Data privacy and cybersecurity laws follow the data subject. If a company collects data from someone in Oklahoma, they have to follow Oklahoma law if there’s a data breach regarding that person’s data. Understanding where your data is coming from is vital because it dictates what laws are triggered. State Attorney Generals are pretty aggressive in enforcing these.

Speaker 3 (Jeffrey Gross): From my perspective, we have a lot of medical records that get transmitted electronically instead of by paper mail. All these entities—hospitals, medical records companies—are subject to having their data breached and my clients’ sensitive information going out “into the wind.”

Speaker 2 (Joe Dougherty): Rebecca, are you telling me that if a company is collecting data from 20 different states, you as their attorney have to understand the law in each one of those cases?

Speaker 4 (Rebecca Rakoski): 100%. Yes. You have to know the laws of 50 different states and, in some instances, international laws as well.

Speaker 3 (Jeffrey Gross): It’s a different world. You need to know the differences in each jurisdiction. And what’s interesting is the federal element. Federal law trumps state law.

Speaker 2 (Joe Dougherty): Medical marijuana is a great example where federal law trumps state law.

Speaker 3 (Jeffrey Gross): Right. It’s still illegal federally. In Pennsylvania, there’s a court case saying it’s legal to reimburse a claimant for medical marijuana usage if it’s for a work-related injury. Because insurance companies didn’t want to violate the federal ban, they often reimburse it as a “miscellaneous out-of-pocket medical expense” to overcome that issue.

Speaker 2 (Joe Dougherty): Rebecca, let’s take a scenario. There’s a data breach. Where do you come in?

Speaker 4 (Rebecca Rakoski): Ideally, I get retained immediately. The minute I get retained, I engage experts, and that is then covered by attorney-client privilege. We hire cyber forensics to investigate while the operations team works on getting the client back up and running.

Speaker 2 (Joe Dougherty): Give me an example of the type of data that is breached.

Speaker 4 (Rebecca Rakoski): In ransomware attacks, it’s often a large chunk of their system. I ask the company what’s in the encrypted files, and they never know for sure. They often say there’s no personal data, and 100% of the time, there is. Then we have to decide: Are we paying the ransom? Are we negotiating for the key? Can we pull from a backup? Sometimes you pay the ransom just to prevent them from selling the data on the dark web.

Speaker 2 (Joe Dougherty): Why are they calling you? Are they being sued? Full disclosure is required, right?

Speaker 4 (Rebecca Rakoski): Sometimes I’m their regular attorney, or I’m named as counsel on their cyber liability policy. I’m like the quarterback on the field, directing traffic. If you don’t follow the law, there are fines and penalties at the state and federal levels. It’s the only area of the law where the victim of a crime—the company that was broken into—is also the defendant.

Speaker 2 (Joe Dougherty): Are members of unions suing the unions over data breaches?

Speaker 4 (Rebecca Rakoski): Yes, there are several lawsuits right now where members sued because there was a data breach. It can lead to identity theft, which is a huge issue.

Speaker 3 (Jeffrey Gross): How can you tell a scammer from a person who actually has your information?

Speaker 4 (Rebecca Rakoski): If they are blackmailing you, that goes into the criminal side. For corporate ransomware, it usually starts with someone clicking a link in an email. The hacker then waits to escalate their privileges to get to more interesting data, like the finance department. Eventually, they deploy the ransomware and ask for Bitcoin.

Speaker 2 (Joe Dougherty): How is Artificial Intelligence (AI) impacting this?

Speaker 3 (Jeffrey Gross): It’s impacting legal research. But there was a famous New York case where an attorney used AI to write a brief and it “hallucinated” fake cases. The judge confronted him, and he was reprimanded.

Speaker 4 (Rebecca Rakoski): AI has helped hackers immeasurably. They can use ChatGPT to draft perfect emails using local terms—like “Wawa” or “Hoagie”—to make a phishing email look authentic. Before, you could spot them because they were poorly worded. Now, they’re much more convincing.

Speaker 2 (Joe Dougherty): Rebecca, thank you so much for being on. If someone wants to get in touch, what is your contact info?

Speaker 4 (Rebecca Rakoski): You can go to xpanlawpartners.com or reach me at rakoski@xpanlawpartners.com. We’re also on LinkedIn and Twitter.

Speaker 3 (Jeffrey Gross): And you can reach me on my cell at 215-512-1500 or at phillyworkerscomp.com.

Speaker 2 (Joe Dougherty): Thanks for tuning into the Jeff Gross Show on WWDB Talk 860.


Personal Injury Attorney Philadelphia | Gross & Kenny, LLP
