Export Compliance Daily is a Warren News publication.
'Separate Malfeasance'

Oppositions to Transfer, Tagalong Notices, Class Actions Pile Up in MOVEit MDL

Plaintiff Dominic Fiacco’s claims against the University of Rochester in a fraud case (docket 6:23-cv-97200) involving Progress Software Corp.'s May MOVEit data breach “shares extremely limited factual overlap” with centralized actions in In Re: MOVEit Customer Data Security Breach Litigation. So said Fiacco’s memorandum Monday (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation in support of his motion to vacate conditional transfer order 7 (CTO-7) with respect to his case.

Though PSC's MOVEit vulnerability was the means by which Fiacco’s personally identifiable information (PII) “was eventually accessed by bad actors,” Fiacco’s complaint asserts the university is liable for the breach. Rochester “committed its own, separate malfeasance” with respect to Fiacco’s and class members’ PII “by failing to adhere to its own policies and contractual obligations” concerning data retention and safekeeping of sensitive information, and failing to provide “prompt notification to its’ students and employees when an unauthorized disclosure occurs.” That “has nothing whatsoever to do with the MOVEit Defendants’ liability,” Fiacco said.

Fiacco’s claims “materially differ” from those at issue in the centralized actions in U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs, said the memorandum. “This case has little to do with the negligence of the defendants in the MOVEit action,” it said, saying that instead, the university “breached its contractual obligations” in its handling of information including Social Security numbers, dates of birth, and first and last names. Fiacco asserts claims of negligence, breach of implied and express contract and violation of New York General Business Law. The centralized actions bring claims against “producers of technological firmware and code” for “failing to maintain sufficient data security practices,” it said.

Also Monday, defendant First Merchants Bank submitted opposition to CTO-13 in In Re: MOVEit Customer Data Security Breach Litigation as it relates to Everling v. First Merchants Bank. The defendant “reserves all rights and expressly waives none, including, but not limited to, seeking any relief allowed under the Federal Rules of Civil Procedure and applicable law,” said the notice of opposition before the JPML.

Class actions continue to be filed involving the far-reaching MOVEit data breach, with court records showing seven filed in the past week against The Bank at Canton et al., Athene Annuity and Life et al., Delaware Life Insurance et al., PSC et al., National Account Service et al., Cbiz et al. and a Monday class action vs. Standard Insurance et al. All but the Standard Insurance action name PSC as a defendant.

Plaintiff David Gaffin's class action vs. Standard Insurance, in U.S. District Court for Massachusetts in Worcester, not in Boston where the MDL has been centralized, also names Pension Benefit Information (PBI) as a defendant. Gaffin sued the defendants for failing to secure his and class members' PII in the data breach and waiting over three months to notify affected individuals. Cybercriminals “were given a head start in misusing Plaintiff’s and the Class’s PII before they were even informed of what happened,” said the complaint.

PBI sent a letter to Milford, Massachusetts resident Gaffin Sept. 6, notifying him that around May 31 a vulnerability in MOVEit web transfer software was hacked and class members’ names, dates of birth and Social Security numbers were compromised, said the complaint (docket 4:23-cv-40158). Gaffin, a Standard Insurance customer, was unaware of the breach, and wasn’t aware PBI had retained possession of his data until he received PBI's letter, it said.

Gaffin has suffered lost time in dealing with the consequences of the breach, the “material risk” of future harm from his exposed data, diminution of his PII’s value, increased anxiety over the impact of cybercriminals selling his PII, and imminent and impending injury from the “substantially increased risk” of fraud and identity theft, the complaint said. Gaffin asserts claims of negligence, breach of implied contract and covenant of good faith and fair dealing, unjust enrichment, invasion of privacy and breach of confidentiality.

Gaffin seeks for himself and the class orders prohibiting defendants from engaging in wrongful acts alleged; to protect and encrypt collected data and purge plaintiffs’ and class members’ PII; to establish and maintain a comprehensive information security program; and to meaningfully educate affected individuals about threats they face and steps they can take to protect themselves, the complaint said. He seeks actual, nominal, and consequential damages and pre- and post-judgment interest, plus attorneys’ fees and legal costs.

Two notices of potential tagalong actions were filed Monday before the JPML in the MOVEit MDL. One, filed by Zimmerman Reed, includes William Madden v. Radius Global Solutions (docket 0:23-cv-02670), Hillary French v. Radius Global (docket 0:23-cv-02992) and Frederick Smith v. Radius Global (docket 0:23-cv-03182), all filed in U.S. District Court for Minnesota. Also, Copans v. Sutter Health and Welltok (docket 2:23-cv-01154), in U.S. District Court for Eastern California in Sacramento, is a potential tagalong, said a Monday filing by Erickson Kramer.