JPML Rejects District of Minn. for MOVEit Data Breach MDL; Opts for Mass. Instead

The JPML instead ordered the actions listed on Bailey’s motion and pending outside the District of Massachusetts to be transferred to the District of Massachusetts under U.S. District Judge Allison Burroughs. The Massachusetts federal court consented Wednesday to assigning the actions to Burroughs for coordinated or consolidated pretrial proceedings, Chief Judge Dennis Saylor said.

Bailey filed a motion July 6 asking the JPML to transfer the 10 actions -- pending in the districts of Central California, Northern California, Eastern Louisiana, Massachusetts and Minnesota (see 2307120053) to Minnesota -- saying they all alleged violations of common and state consumer protection laws. Since Bailey’s filing, the panel has been notified of 91 related actions in 22 districts in Re: MOVEit Customer Data Security Breach Litigation, the order said.

The District of Massachusetts is the appropriate transferee district for the cases because more cases are pending in the district than in any other, and the owner of the MOVEit software at issue, PSC, is headquartered in Burlington, Massachusetts, said the order. Relevant employees are likely based in the district, where potentially relevant databases, documents, witnesses and other evidence may be found, it said.

Parties in the lawsuits “differ significantly” on whether an MDL should be created, which defendants should be included in an MDL and where an MDL should be centralized, said the order. Plaintiffs in 33 actions and potential tag-along actions support centralization, along with PSC and MOVEit producer Ipswitch, which PSC acquired in May 2019; Pension Benefits Information (PBI); F&G Annuities & Life; Genworth Financial; Milliman and Milliman Solutions; and Union Bank and Trust, said the order. Fidelity Investments Institutional and FMR do not oppose centralization, the order said.

Several parties oppose centralization, and others oppose transfer of their cases or cases brought against certain defendants, the order said. Plaintiffs David Berry and Bonnie Ng, who sued PBI in June, oppose centralization and alternatively requested that their putative statewide class action be excluded from the MDL (see 2309050070). Plaintiffs in three potential tagalong cases in the Eastern District of Virginia and the District of New Jersey oppose centralization, asking at oral argument that the JPML create a “limited-purpose MDL” for discovery of claims against PSC exclusively.

Plaintiffs in two District of Maryland potential tagalong actions oppose transfer of cases against Johns Hopkins defendants, and Johns Hopkins defendants in five District of Maryland potential tagalong actions oppose including the claims against them in any MDL; alternatively, they request separation and remand of the claims against them or, further, that actions in which they and PSC are defendants proceed in the District of Maryland, said the order. Plaintiffs in four Southern District of New York potential tagalong actions and defendant Teachers Insurance and Annuity Association of America (TIAA) oppose inclusion of the cases against TIAA in any MDL, the order said.

Plaintiffs in four potential tagalong cases against Milliman oppose inclusion of cases against Milliman in any MDL, and a potential tagalong plaintiff in a District of Nebraska action opposes centralization of cases that don’t exclusively name PSC or PBI as defendants, the order said. Potential tagalong plaintiffs in a District of Oregon action oppose centralization of their claims against Performance Health Technology, and defendants Maximum oppose centralization but take no position on creating an MDL involving only PSC; they alternatively request exclusion of cases against them from any MDL, it said. Defendant Prudential opposes centralization and alternatively suggests separation and remand of claims against it.

Parties in their primary or alternative positions support centralization in different districts in California, Louisiana, Massachusetts, Minnesota, Nebraska and Virginia, said the order. Certain parties asked the panel to create defendant-specific MDLs for claims against Milliman, Maximus, Genworth Financial and TD Ameritrade entities, it said.

After hearing oral argument, the JPML decided centralization in the District of Massachusetts will be convenient for the parties and witnesses “and promote the just and efficient conduct of the litigation.” All actions are expected to share factual questions arising from allegations that a vulnerability in PSC’s MOVEit Transfer and MOVEit Cloud file transfer services was exploited by Russian cybergang Clop in May; the breach is estimated to have compromised the personally identifying information (PII) of over 55 million people, the order said.

All actions in the MDL are expected to share “common and complex factual questions” on how the MOVEit vulnerability occurred, the circumstances of the unauthorized access and data exfiltration -- and PSC’s response to it -- plus the response of various downstream MOVEit users and customer-facing defendants with whom plaintiffs did business. PBI, a “prominent user” of MOVEit software, provides audit and address research services, including identifying decedents, lost participants or policyholders, and beneficiaries to pensions, insurance companies, third-party administrators and financial institutions, the order noted.

Centralization will enable streamlined pretrial proceedings; reduce duplicative discovery and conflicting pretrial obligations; prevent inconsistent rulings on common Daubert challenges and summary judgment motions; and conserve the resources of the parties, their counsel and the judiciary, said the order.

Plaintiffs who oppose transfer argue that, instead of a singular breach, there have been numerous successive intrusions into different servers due to the MOVEit vulnerability. That “weighs against centralization because multiple entities responded differently to the alleged intrusions,” and at least one entity to which plaintiffs had given their PII “prevented the intrusion from occurring,” said the order. That argument doesn’t change that the MOVEit vulnerability is at the core of all cases, it said.

Even if the MOVEit vulnerability led to successive breaches, PSC, “direct users of MOVEit software, and customer-facing companies (many of whom did not use MOVEit software but instead contracted or subcontracted with a company that did) are alleged to be responsible for the compromise of plaintiffs’ PII and are named in varying combinations among the overlapping putative class actions,” said the order. “Disentangling the allegations against Progress (and, in many cases, direct users of MOVEit software like PBI and IBM) from the allegations against other defendants in the same case seems impracticable, if not impossible,” it said.

The panel is “sympathetic” to convenience-based arguments made by certain plaintiffs who are suing only the defendant to which they entrusted their data, it said, but it has to consider the needs of all parties in deciding the issue of centralization “and view the litigation as a whole,” it said, citing Re: Watson Fentanyl Patch Product Liability Litigation.

At some point in the litigation, possibly after common discovery and motion practice concludes concerning PSC, PBI and other widely named defendants, “the transferee judge may decide that some actions are ready for remand to their transferor courts ahead of other actions,” said the order. If so, Section 1407 remand “is available to return actions to their transferor courts with a minimum of delay,” it said.