MOVEit Clients Responsible for Securing Their Own Systems, Says Opposition Response

The scope of the proposed MDL has “expanded substantially” since Bailey’s July motion (see 2307120053) moving the JPML to transfer and centralize all actions related to Progress Software Corp.’s (PSC) May data breach (see Ref:2307120053]) to the Minnesota court, said plaintiff Jose Soto’s response. Centralization would result in claims against dozens of companies, related to hundreds of independent breaches of each company’s individual systems, “each of which occurred at different times, resulted from different data security failures of those separate companies, involved different breached promises or representations made by those separate companies, involved different data, and resulted in different damages unique to each individual, separate breach," said Soto's response.

Soto cited cybersecurity expert Jeffrey Hansen’s declaration that all companies affected by the MOVEit data breach were responsible for securing their installation of PSC's file transfer software and that MOVEit users have a network infrastructure “specific to their organization.” Designing and securing the network infrastructure “is the responsibility of each defendant,” said Hansen, saying specific security practices will determine how the hacker, Russian ransomware group Clop, “was able to access the server to be able to exploit the MOVEit Transfer web application.”

It’s up to each MOVEit user to employ software and practices to control and monitor access to data and systems such that each company whose system was accessed using the MOVEit vulnerability "suffered a separate, independent data breach,” said Hansen. In the similar Accellion, Inc., Customer Data Security Breach Litigation MDL, involving multiple data breaches through that company's file transfer appliance, the JPML denied centralization, “finding factual differences specific to each defendant outweighed any overlap among the actions as to Accellion’s FTA product,” said Soto's response.

Bailey’s proposed MDL would potentially involve “hundreds of defendants with no relationship beyond use of Progress Software’s MOVEit software,” said Soto’s response. Many of the potential actions don’t name PSC as a defendant. Accordingly, "the Panel should conclude centralization is unnecessary and that any efficiencies to be gained by centralization can be accomplished through informal coordination, where necessary," he said. Soto was joined by three other class actions in his opposition -- Gregory v. Milliman Solutions (3:23-cv-00559), Hale v. Milliman Solutions (2:23-cv-01206) and Jones v. Milliman Solutions (2:23-cv-01246).

On Monday, plaintiff April Manar also filed an interested party opposition response to Bailey’s motion to transfer and consolidate on behalf of herself and the potential class in her class action vs. Genworth Financial involving the MOVEit breach. The tagging of her action in the MDL by PSC and PBI is “misguided and inappropriate,” said the Missouri resident, who sued Genworth, a Virginia-based company, “for failing to protect her personally identifiable information.

Manar's action will focus on the breach by Genworth “of obligations it owed” her, rather than PSC or PBI, which are “strangers” to her, she said, also citing the Accellion MDL. Consolidation of cases would not provide any efficiency for any of the parties, said Manar: “In fact, consolidation of the Manar Action would do just the opposite,” she said, saying that in Genworth’s filing in support of transfer, the company “repeatedly attempts to shift the blame to PSC and PBI.” But Genworth’s “culpability cannot be obfuscated by a run-around" or her "right to prosecute her case on behalf of herself and the putative class,” said her response.