All Related Comcast Data Breach Actions Should Be Moved to Eastern Pa. Court: Movant

The underlying litigation comprises 23 federal putative actions across five different federal district courts that have been filed against Comcast Corp., Comcast Cable Communications and Comcast Communications Management and/or Citrix Systems, said the reply. Each of the actions arises from a cyberattack resulting in the theft and dissemination of the personally identifiable information (PII) of about 36 million Comcast customers, it said.

The Diamond action “is not unique” and arises from the same “common factual core” as the other related actions, said the reply. The Diamond plaintiffs oppose transfer to the Eastern District of Pennsylvania on the basis that they raise a different legal claim from the others -- a claim under the Cable Act -- and because Comcast “might seek to compel arbitration of all claims asserted in the related actions except the Diamond action," said the reply.

The Diamond plaintiffs’ arguments demonstrate “a fundamental misunderstanding of the Section 1407(a) mechanism, and their arguments must be rejected,” said Hasson’s reply. The Diamond plaintiffs’ ignore Section 1407(a)’s “plain language” that centralization and transfer are permitted if civil actions pending in different districts involved “one or more common questions of fact” and if the panel determines that transfer will “further 'the convenience of parties and witnesses and will promote the just and efficient conduct of such actions,’” it said.

The JPML has observed in other data breach litigation that the presence of differing legal theories “is not significant where, as here, the actions still arise from a common factual core,” said the reply, citing In re: Uber Technologies, Inc. Data Security Breach Litigation. In Citrix, all related actions arise from a common factual core, “a Citrix vulnerability that led to the unauthorized access to, and compromise of, thirty-six million Comcast customers’ PII,” it said. Transfer of all the related actions, including Diamond, “is therefore proper under Section 1407(a),” it said.

Plaintiffs in the Diamond class action oppose centralization on the ground that Comcast “might try to compel arbitration” in the related actions, “bringing an early end to the litigation while Diamond proceeds under the Cable Act,” said the reply. The JPML has recognized that such an assessment of the merits of the actions “is beyond the Panel’s authority,” it said.

The framers of Section 1407 “did not contemplate that the Panel would decide the merits of the actions before it and neither the statute nor the implementing Rules of the Panel are drafted to allow for such determinations,” the reply said, citing Uber. The panel in that case declined Uber’s suggestion to delay ruling on centralization “until their motions to compel arbitration are decided, as the timing and outcome of such rulings in this growing litigation is highly speculative,” it said. “Given that the Diamond plaintiffs’ arbitration argument raises issues that go to the merits of the litigation, the Panel should decline to entertain such an argument,” it said.

In addition, in arguing against transfer, the Diamond plaintiffs don’t address that their case proposes a “substantively identical nationwide class as the asserted classes in the other related actions,” said the reply. Hasson compared asserted classes of the two cases: Hasson v. Comcast Cable Communications proposes a class of all individuals in the U.S. whose PII was compromised in the Comcast data breach that occurred in or around October; Diamond et al v. Comcast Cable Communications proposes a class of all Xfinity subscribers in the U.S. whose PII was compromised in the Xfinity data breach occurring Oct. 16-19, it said.

Without transfer of all related actions, including Diamond, “duplicative class litigation would exist in two separate district courts, raising issues of overlapping or inconsistent class determinations,” said Hasson’s reply: “This would not promote judicial efficiency for the parties, their counsel, or the courts.”

Given that the panel has consistently recognized that a compelling reason for transfer of related actions is to eliminate the possibility of "overlapping or inconsistent class determinations by courts of coordinate jurisdiction,” the panel “should reject the Diamond plaintiffs’ argument,” said the reply. Centralization will “eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary,” it said.

Hasson agrees with Comcast’s and Citrix’s positions that the proposed MDL be limited to cases related to the Citrix Bleed vulnerability that led to the breach of Comcast’s systems Oct. 16-19, said the reply. The specific Citrix vulnerability at issue in the litigation is a “critical vulnerability” affecting Citrix’s NetScaler Gateway and ADC products that enables attackers to hijack the user network managed by the Citrix product and gain access to sensitive information, it said. The litigation “will thus focus on Citrix’s products used by Comcast, the products’ vulnerability to attack, Comcast’s knowledge of the alleged vulnerability, and Citrix’s efforts to mitigate the vulnerability,” it said.

Hasson cited another MDL, In re: Accellion, Inc., Customer Data Security Breach Litigation, saying the factual issues will be specific to the Citrix vulnerability and Comcast, “making the addition of any further Citrix users who suffered or suffer a data breach related to the Citrix Bleed vulnerability unworkable.” He doesn’t oppose Comcast’s request to recaption the proposed MDL from In Re: Citrix Software Customer Data Security Breach Litigation to In Re: Citrix Bleed Vulnerability And Comcast Breach Litigation, “as this better reflects a neutral description of the claims asserted in this proposed MDL,” said the reply. Hasson requests the panel to transfer the related actions, "as well as any and all subsequently filed tag-along actions," to the Eastern District of Pennsylvania for coordinated or consolidated pretrial proceedings.

Also Friday, Joseph Zagacki of Philadelphia sued Comcast and Citrix for negligence, alleging the defendants failed to provide basic details concerning the data breach, including how many people were affected, said his class action (docket 2:24-cv-00507) in U.S. District Court for Eastern Pennsylvania in Philadelphia. The complaint cited the Maine Attorney General’s Office filing, in which Comcast said the breach affected 35.8 million people.

The defendants neglected to properly monitor the computer network and systems containing class members’ PII, the complaint said. Plaintiff and class members have suffered losses including “a loss of potential value of their private and confidential information, the loss of the benefit of their contractual bargain” with the defendants, out-of-pocket expenses and the value of their time incurred to remedy or mitigate the effects of breach, it said. Comcast has not offered free credit monitoring or identity fraud protection to those affected by the breach, said Zagacki, showing “an unwillingness to assist or protect its customers from the potential consequences of its own negligence,” it said.

In addition to negligence and negligence per se, Zagacki asserts claims of breach of contract, breach of third-party beneficiary contract and unjust enrichment. He seeks damages, an order of restitution, declaratory and injunctive relief, attorneys’ costs and legal expenses, plus pre- and post-judgment interest.