Morrison Mahoney  
Connecticut  >>  Massachusetts  >>  New Hampshire  >>  New Jersey  >>  New York  >>  Rhode Island  >>  United Kingdom

Cybersecurity, Data Protection and Privacy Newsletter

April 13, 2021
Please email questions to
Click here to have future newsletters sent to your inbox.  
  • That's Affirmative: Utah Governor Spencer Cox has signed the Cybersecurity Affirmative Defense Act into law which creates several affirmative defenses for those faced with causes of action relating to a breach of system security. From a litigation defense perspective, this is an important law, with Utah joining Ohio as the only two states with this type of statute. More are sure to follow.

  • The Florida CCPA?: The Florida Legislature has been working on legislation akin to the CCPA. Things were going well, but now, the Senate Rules Committee has offered an amendment which would effectively replace the Senate's Version (SB1734) with a new version that would: (i) eliminate a private right of action; (ii) change application of the law from any business that generates more than $25 million in revenue, to companies that annually buy, sell, or share the personal information of 100,000 or more consumers, household, or devices; or derive 50% or more of their global annual revenue from selling or sharing personal information about consumers; and (iii) apply only to companies that buy, sell, or share a significant amount of personal information (as opposed to companies that collect personal information.) We'll keep you posted. 

  • Zero Day, Fourteen Lawsuits: As you may have heard, numerous organizations from Universities to health care providers were affected by a data breach of file transfer vendor Accellion (the HHS Data Breach website lists at least four such health care providers with more than 2,700,000 affected individuals). Now, at least fourteen lawsuits have been filed relating to this breach, alleging that Accellion did not adequately address a zero day flaw in its 20-year FTP software.

  •  A Federal Case: The White House is expected to issue an order requiring companies that conduct business with the federal government to meet certain software security requirements and report cyber incidents to a newly created division within the Department of Homeland Security.

  • Hello! Your Network Has Been Hacked: That was the message sent to the Universities of Colorado and Miami by hackers utilizing Clop Ransomware. The bad actors have already published screenshots of student grades and biographical information, as well as university financial documents.

  • Have You Been Pwned? 530 million Facebook users had their data stolen in 2019, and user names, lobations, phone numbers and email addresses were recently posted to a hacker forum. You can see if your email or phone number has been compromised by visiting and entering your info. Good luck!

  • A Late Booking: was fined €475,000 ($560,000) pursuant to the GDPR for not reporting a 2018 data breach within the required 72 hours of discovery.
Morrison Mahoney's Daniel Marvin will be joining a panel presentation at the Information Technology Alliance's (ITA) 2021 Spring Collaborative. The ITA is a collaborative of accounting IT consultants, service providers, software publishers, and the internal technology leaders of many of the largest CPA firms. The virtual conference will take place from April 26-28, 2021, and Daniel will be joining a panel entitled "Privacy and Artificial Intelligence," which will take place on April 28, 2021 from 1:30 p.m. to 2:30 p.m. For more information on this conference, click here
Maine has joined eleven other states (AL, CT, DE, IN, LA, MI, MS, NH, OH, SC and VA) in enacting legislation based on the National Association of Insurance Commissioners Model Cybersecurity Law. On March 17, 2021, Governor Janet Mills signed the Maine Insurance Data Security Act into law. The Act, which becomes effective on January 1, 2022, establishes standards for data security and for the investigation of and notification to the superintendent of insurance regarding a cybersecurity event applicable to licensees.Covered licencees with more than 10 employees are required to implement a comprehensive information security program which is described in the Act. Certain licencees that are subject to, and in compliance with HIPAA, HITECH or the GLBA, are exempt from the provisions of the Act (other than notification to the commissioner of a cybersecurity event), and the Act does does create a private right of Action. 
On Your Terms: How An Effective Website Terms of Use Policy Can Mitigate Risk
Website Terms of Use (TOU), which are agreements that bind a website user to certain terms, (should) exist on virtually every website. You’ve probably agreed to several today just by visiting certain websites, and whether it’s a browser-wrap agreement (where the terms and conditions are on a website page that is linked to from another page) or a click-wrap agreement (where you must actively click to “accept” the terms and conditions), these agreements are legally binding and enforceable, as recently demonstrated in the matter of Gardiner v. Walmart, Inc., 20-cv-04618-JSW (ND CA 2021). In this case, the Plaintiff alleged that he provided personal identifying information (“PII”) to Walmart when creating his online account, and that the PII, including credit card information, was accessed by hackers because of a data breach. Plaintiff further alleged that as a result of the alleged breach, he and the proposed class face an imminent threat of identity theft and fraud. Claims were brought for: violation of the California Consumer Privacy Act; negligence; violation of California’s Unfair Competition Law, breach of express contract; breach of implied contract; and breach of the implied covenant of good faith and fair dealing. In dismissing the Complaint’s claims, the Court engaged in some of the typical analyses  we have seen in similar cases concerning such things as Article III Standing, the Economic Loss Doctrine, and the retroactivity of the CCPA. While not as front and center as the Court’s rulings with respect to those issues, the Court’s ruling with respect to the Plaintiff’s Contract claims, and their interplay with Walmart’s website’s TOU, are equally as important. In sum, the Court ruled that Walmart’s limitation of liability clause contained in its website's TOU precluded Plaintiff’s contract claims.
In particular, Walmart’s TOU contained a disclaimer of warranties provision, which provided that information sent or received while using the Walmart website “may not be secure and may be intercepted or otherwise accessed by unauthorized parties." The TOU also contained a limitation of liability provision, which applied to “theft, destruction, authorized access to, alteration of, loss of use of any record or data,” among other things. The Plaintiff did not dispute that he agreed to the TOU, but argued that the limitation of liability provision was both procedurally and substantively unconscionable. The Court disagreed for three reasons
First, the Plaintiff argued that the TOU was unconscionable because it was a contract of adhesion (a contract between two parties where the terms and conditions are set by one of the parties, and the other party has little or no ability to negotiate more favorable terms). The Court disagreed, noting that adhesion contracts are not per se unconscionable under California law.
Next, the Plaintiff contended that the TOU’s limitation of liability provision created consumer confusion because it conflicted the terms of Walmart's online Privacy Policy which stated that Walmart "uses reasonable security measures to protect customers information." However, the Court found that the limitation of liability provision contained clear language, is not buried in the TOU, and is emphasized with the use of capitalization. Accordingly, the Court concluded that the TOU put consumers on notice that Walmart’s reasonable measures for protecting PII were not infallible. 
Finally, Plaintiff argued that the TOU is substantively unconscionable because it “purports to waive liability for all damages of any kind...making them completely illusory.” However, the Court noted that similar limitation of liability provisions, however, are routinely upheld by courts, and Plaintiff offers no contrary authority to support their argument.
Lesson Learned: A proper Terms of Use Policy (as well as a Privacy Policy that does not promise too much) can be a useful tool in protecting an organization from certain contract-based claims arising from a data breach. Make sure your organization has one. 
Maryland District Court Agrees with Marriott That Plaintiffs Lack Standing in Data Breach Case
Since our last newsletter, another federal court, this time for the District of Maryland, has held that the plaintiffs in a data breach case lacked standing to pursue their claim. See Springmeyer et al. v. Marriott International, Inc., No. 20-cv-867-PWG, 2021 WL 809894 (D. Md. Mar. 3, 2021). Specifically, the judge found that the plaintiffs were unable to trace their alleged damages to any particular conduct of the defendant, Marriott.
In early 2020, Marriott suffered a data beach after the login credentials of two of its employees were compromised. On March 31, 2020, Marriott notified its customers that certain personal information may have been accessed, but that no social security or credit card numbers were leaked. The plaintiffs alleged that their personal information, along with that of approximately 5.2 million other hotel guests, was improperly accessed and that they spent time monitoring their accounts to protect the integrity of their personal information. Though Marriott offered the plaintiffs one year of free enrollment in Experian’s IdentityWorks credit monitoring service, at least one of the plaintiffs alleged that she had purchased a credit monitoring service for an annual cost. The complaint brought eleven claims under various common law and statutory causes of action.  
Marriott moved to dismiss the complaint on the grounds that the plaintiffs failed to state a claim and that the plaintiffs lacked standing. With respect to the standing argument, the court noted that the plaintiffs were tasked with alleging an injury in fact “that is fairly traceable to the challenged conduct of the defendant.” Importantly, the court noted that the plaintiffs must allege more than an injury that resulted from the independent action of some third party that was not before the court.
While the plaintiffs alleged that Marriott’s cybersecurity was unreasonable, according to the court, the plaintiffs failed to allege facts that adequately described Marriott’s cybersecurity or the steps that Marriott could have taken to prevent the data breach.  Relying in part upon authority from the Northern District of California, the court held that, because the plaintiffs did not adequately describe the nature of the alleged unreasonable action, they had not claimed damages that were fairly traceable to Marriott.  As a result, the plaintiffs lacked standing and the court dismissed the complaint.
While the court initially dismissed the complaint with prejudice in light of the fact that the plaintiffs had already had an opportunity to amend the complaint, after a motion for reconsideration by the plaintiffs, the judge agreed to amend his prior order to reflect that the complaint would be dismissed without prejudice.
As we have seen in other jurisdictions, this Maryland District Court recognized that the mere existence of a data breach alone is not sufficient to support a claim for damages.  We will continue to monitor the courts’ decisions on this important issue.
What To Do When Your Company's PII Is Subpoenaed
A subpoena is a court order that requires a person or company to show up to testify at a specified time and place or to produce specified documents. For the average person, responding to a subpoena might seem like an opportunity to play a small role in a well-functioning judicial system and to contribute to our society.  In a way, that is true. However, there is nuance to it—particularly when the subpoena demands the production of somebody else’s data.
Bluegrass Cellular, Inc. (“Bluegrass”), a Kentucky cell phone company, is finding that out the hard way.  In November 2016, Bluegrass produced Morgan Rae Petty’s text messages in response to a subpoena issued in connection with a custody dispute involving Petty.  Thereafter, Petty filed a lawsuit against Bluegrass claiming that by producing the text messages, Bluegrass violated the Stored Communications Act and caused her emotional distress.  The litigation has devolved into a morass, with a recent April 2021 decision addressing seven separate discovery motions.  (For context, each motion necessarily requires attorney time, and by extension, causes a party’s attorney fees to grow.).
Bluegrass is mounting a stout defense in the ongoing litigation. Nevertheless, this serves as an important reminder that responding to a subpoena—even when it seems straightforward—warrants close scrutiny. The wise practice is to retain counsel to review the subpoena, as well as any potentially responsive information and documents, and to determine which information and documents should be produced.  Experienced data privacy counsel will be particularly well-suited to weigh the rights of any individuals whose data is responsive to the subpoena and guide the subpoena recipient accordingly.  In some cases, the best approach will be to object to the subpoena or file a motion to quash the subpoena.  While it is natural to think that going to court to file a motion to quash is unnecessary or indicative of a party that is overly combative, the lawsuit against Bluegrass Cellular is an example of the type of litigation that can result when a company produces information or documents about an individual in response to a subpoena. 
This communication, which we believe may be of interest to our clients and friends is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at or Robert Stern at rstern@morrisonmahoney.comWith 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at:
Wall Street Plaza, 88 Pine Street, Suite 1900 | New York, NY 10005
Phone: 212-825-1212 |
Manage your preferences | Opt out using TrueRemove®
Got this as a forward? Sign up to receive our future emails.
View this email online.

This email was sent to .
To continue receiving our emails, add us to your address book.
Subscribe to our email list.