Morrison Mahoney  

Cybersecurity, Data Protection and Privacy Newsletter

December 15, 2020
  • We're Number 1 (Not in a Good Way): The U.S. is the worst-affected country in the world by data breaches, with four times as many cases as second-place South Korea. There have been more than six billion data breach cases in the U.S. in the past seven years. In addition, since COVID-19, the FBI has reported a 300% increase in reported cyber crime.

  • A Record Year (Also Not in a Good Way): According to recent data from Risk Based Security, the number of records exposed in 2020 (so far) is 36 billion. It's already the worst year on record, and it's not over.

  • A Look Ahead: Experian predicts that the top five targets for hackers in 2021 will be the vaccine rollout, home networks, contact tracing, 5G networks, and of course personal healthcare data.

  • Who Ya Gonna Call?: According to CrowdStrike’s recently released Global Incident Response report, outside counsel, rather than organizations, coordinated 49 percent of incident response engagements. In the event of a data incident, outside counsel should be called FIRST in order to ensure that the response is covered by appropriate legal protections.

  • If it Can Happen To Them...: FireEye, a giant in the cyber industry, announced that it was the victim of a cyber attack in which its most secure servers were hacked and its most important proprietary hacking tools stolen. 

  • It Also Happened To Them: The U.S. Departments of Commerce and Treasury were both victims of data breaches in which a nation-state hacker, believed to be Russia, exploited a vulnerability in the popular SolarWinds software (an IT management tool).

  • Banking Update: The FDIC is scheduled to vote this week on proposed rulemaking dealing with “computer-security incident notification” as bank regulators seek to tighten up their reporting requirements.

  • GDPR Collective Redress: The EU Parliament has endorsed a directive that requires E.U. Member States to implement, within 24 months, at least one effective procedural mechanism that will allow qualified entities, such as consumer organizations, to bring representative lawsuits on behalf of consumers, including those related to violations of the GDPR. Injunctions and compensation may be sought in these actions. 

  • Covid's Impact on Cyber: According to a recent report by cyber vendor Netwrix, four of the top six types of cyber incidents suffered by businesses whose workforces shifted to the home were caused by insiders, including accidental mistakes by admins (reported by 27% of respondents), accidental improper sharing of data by employees (26%), misconfiguration of cloud services (16%) and data theft by employees (14%).
On December 10, 2020, the California Department of Justice released a fourth set of proposed modifications to the regulations regarding the California Consumer Privacy Act that went into effect on August 14, 2020. Among other things, the proposals: 
  • Provide clarification that a business that sells personal information collected from consumers in the course of interacting with them offline must also inform those consumers of their right to opt-out of the sale of their personal information by an offline method.

  • Provide the look of the Opt-Out button that businesses should use (image can be seen on page 3 of proposed modifications).

  • Provide that requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.
It remains to be seen if these proposals will be adopted, or if more will be proposed in the future. All written comments to the proposals must be submitted to the Department of Justice no later than 5:00 p.m. on December 28, 2020 by email to 
Federal Court in Washington Finds Clickwrap Arbitration Agreement Enforceable; Dismisses Class Action Lawsuit
By: Daniel Marvin
Like many, you’ve probably purchased a new tech product, set it up, and in doing so, accepted the manufacturer’s terms and conditions without reading them. A recent federal case out of Washington (In re: Wyze Data Incident Litigation, Case No. C20-0282-JCC (W.D. Wa. 2020)) sheds some light on the types of things that you’ve probably agreed to in such situations, as well as what the practical impact could be for businesses that utilize similar terms and conditions.
Wyze manufactures internet-enabled security cameras which require users to create a user account prior to activating them. When registering for the user account, Wyze collects users’ personally identifiable information (PII), including usernames, e-mail addresses, and WiFi network details. As part of the sign-up process, users are required to check a “clickwrap” agreement indicating that they “agree” to Wyze’s terms and conditions. Within those terms and conditions is a section titled “DISPUTE RESOLUTION AND ARBITRATION/WAIVER OF CLASS ACTION AND JURY TRIAL” which provides that 1) the user agrees to “exclusively arbitrate all disputes and claims,” 2) the provision is “mandatory and not permissive,” and 3) any user that wishes to opt out of the provision needs to notify Wyze within 10 days of accepting the terms and conditions.
In December 2019, Defendants unintentionally exposed user PII in a data breach. Several class action lawsuits were filed against Wyze asserting claims including negligence, invasion of privacy, and breach of implied contract, and the cases were ultimately consolidated into the Washington matter. Wyze moved to compel arbitration and dismiss, arguing that by accepting its terms and conditions, the Plaintiffs individually agreed to arbitrate their claims. The Plaintiffs opposed, arguing that they never agreed to Wyze’s terms and conditions and, even if they did, the arbitration provision is procedurally unconscionable. The Court sided with Wyze.
The Court first pointed out that courts have consistently upheld arbitration provisions contained in clickwrap agreements, and such an agreement is enforceable as long as the user had the opportunity to read it. The Court also noted that none of the named Plaintiffs opted out of the agreement and described the evidentiary support that it believed Wyze put forward to win the motion. Specifically, the Court found that Wyze provided sufficient evidence to show that any person who had a user account could not have accessed his or her account without, at some point, clicking a box indicating that he or she agreed to its terms and conditions. The Court rejected Plaintiffs’ counter-argument, which suggested that for Wyze to meet its evidentiary burden, it must have evidence of individualized acts of assent. Finally, the Court ruled that whether or not the arbitration provision is procedurally unconscionable is an issue for arbitration. The matter now heads to arbitration on the substance of Plaintiffs’ claims.
Clickwrap agreements are commonplace in today’s day and age, and the law has evolved to address a myriad of issues which they raise. At the end of the day, it’s important for consumers to know that such agreements are enforceable and that they should be read carefully, and it’s similarly important for businesses to draft the agreements carefully to avail themselves of all of the protections that they are entitled to under the law.
Class Action Lawsuit Claims Wiretapped Its Users
By: Alex D'Amico
Blizzard Entertainment Inc. (“Blizzard”), the owner and operator of, was brought into the world of class action data privacy litigation recently when a class of California residents who visited the site filed suit against it and its vendor Mouseflow, Inc. (“Mouseflow”) based on allegations of illegal and surreptitious wiretapping. In their complaint, the Plaintiffs alleged that Mouseflow provides a “Session Replay” tool that records a website visitor’s interactions on a website, including the user’s keystrokes, mouse clicks, mouse movements, and scrolls. Mouseflow also allegedly tracks other user information such as device and location. According to Plaintiffs, Mouseflow’s JavaScript is installed on pursuant to a voluntary partnership with Blizzard, and Plaintiffs’ information is captured and sent to Blizzard by way of Mouseflow’s program. Plaintiffs’ lawsuit claims that Blizzard and Mouseflow’s data collection amounts to a form of wiretapping that violates the California Invasion of Privacy Act (CIPA).
While the Complaint does not contain any factual allegations establishing actual damages, CIPA provides a statutory claim of $5,000 per violation. Accordingly, Plaintiffs allege that the total statutory damages for their class exceed $5 million.
Mouseflow purports to be a major corporation with more than 165,000 clients. Importantly, however, the size of a corporate partner does not guarantee its compliance with data privacy laws. It is incumbent on all organizations to review not only their own practices and policies for compliance, but also those of their vendors and corporate partners. Contracts with these vendors and corporate partners should expressly articulate the responsibilities of the parties with respect to data privacy generally and compliance with applicable data privacy laws specifically. As always, we recommend that organizations consult with counsel proactively before implementing a new program involving the collection and use of customer data.
Daniel Marvin, Robert Stern, John Knight
Michael Aylward, Eva Kolstad and Anthony Abeln
Alex D'Amico and Jennifer Chan

This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at or Robert Stern at rstern@morrisonmahoney.com

With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at:
Wall Street Plaza, 88 Pine Street, Suite 1900 | New York, NY 10005
Phone: 212-825-1212