A further case management videoconference that had been slated for Friday in the AirTags stalking lawsuit against Apple was reset to Feb. 9 at 10 a.m. PST, said a text-only clerk’s notice Tuesday (docket 3:22-cv-07668) in U.S. District Court for Northern California in San Francisco. Apple and the 38 plaintiffs seeking to hold the company accountable for the growing use of the AirTag as a stalking device (see 2311140041) attended private mediation April 27 and a follow-up mediation session Aug. 31, “and have been in contact with the mediator in between and after those sessions,” said the parties’ Friday joint case management report. The parties haven’t reached a resolution, said the report. The plaintiffs’ “primary concern” in the litigation “is to obtain injunctive relief that remedies the immediate and ongoing risks to safety caused by the AirTag as it currently operates,” it said. But finding solutions “involves working with complex technology not only of the AirTag product but also other Apple products and IP, and even with technology of non-parties,” it said. Because of these “issues of scope,” and “in light of the unique nature of the relief sought,” the plaintiffs sought to begin an early mediation process so that they could begin to evaluate how the safety needs of the class “may best be protected in light of Apple’s existing technology,” it said. Another goal of early mediation was to identify “all stakeholders within Apple’s organization who would need to participate in the development and implementation of changes, and accordingly identify areas of alignment and find achievable solutions in as expeditious a manner as possible,” it said. The report was a forerunner to the case management videoconference.
Jan. 22 oral argument on Samsung’s pending motions to dismiss the plaintiffs’ amended consolidated complaint and to strike their class allegations arising from a July 2022 data breach was adjourned to Feb. 7, said a text-only order Tuesday (docket 1:23-md-3055) from U.S. District Judge Christine O'Hearn for New Jersey in Camden. Despite the “benign nature” of the data stolen in the breach, the amended consolidated complaint “cobbles together 49 individuals from 34 states alleging violations of numerous different state laws based on sharply diverging experiences and injuries” that the plaintiffs attribute to the data breach, said Samsung’s motion to strike (see 2308230018). In light of the “divergent experiences” of the 49 named plaintiffs, “the reality is that no factual development could alter the conclusion that this case cannot be certified as a class action,” it said.
Apple and the 38 plaintiffs seeking to hold the company accountable for the growing use of the AirTag as a stalking device (see 2311140041) attended private mediation April 27 and a follow-up mediation session Aug. 31, “and have been in contact with the mediator in between and after those sessions,” said the parties’ joint case management report Friday (docket 3:22-cv-07668) in U.S. District Court for Northern California in San Francisco. The parties haven’t reached a resolution, said the report. The plaintiffs’ “primary concern” in the litigation “is to obtain injunctive relief that remedies the immediate and ongoing risks to safety caused by the AirTag as it currently operates,” it said. But finding solutions “involves working with complex technology not only of the AirTag product but also other Apple products and IP, and even with technology of non-parties,” it said. Because of these “issues of scope,” and “in light of the unique nature of the relief sought,” the plaintiffs sought to begin an early mediation process so that they could begin to evaluate how the safety needs of the class “may best be protected in light of Apple’s existing technology,” it said. Another goal of early mediation was to identify “all stakeholders within Apple’s organization who would need to participate in the development and implementation of changes, and accordingly identify areas of alignment and find achievable solutions in as expeditious a manner as possible,” it said. The report was a forerunner to the case management videoconference that the court scheduled for Jan. 12 at 10 a.m. PST.
U.S. District Judge Kelley Hodge for Eastern Pennsylvania in Philadelphia granted the FTC and Rite Aid's Sept. 19 joint motion to stay their case for 45 days to give the U.S. Bankruptcy Court time to approve their facial recognition settlement, said Hodge’s signed order Thursday (docket 2:23-cv-05023). The action is stayed until Feb. 2 or until the bankruptcy court approves the settlement, whichever is earlier, said the order. The parties by Feb. 2 will file a motion seeking entry of the settlement, or will otherwise notify the court “of the status of the effort” to seek bankruptcy court approval, it said. The settlement with the FTC bars Rite Aid from using facial recognition technology for surveillance purposes in its stores for five years (see 2312190090). The FTC had alleged that Rite Aid failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology to combat theft in hundreds of its stores.
Medical transcription company Perry Johnson & Associates waited nearly six months to notify “impacted individuals” of a data breach that occurred March 27-May 2, said a negligence class action Thursday (docket 2:24-cv-00025) in U.S. District Court for Nevada in Las Vegas. Plaintiff Huda Abdaljalil, an Ohio resident, is a patient at a healthcare provider for which PJ&A provides transcription services, it said. In “requesting and maintaining” Abdaljalil’s personally identifiable (PII) and personal health (PHI) information, the defendant didn’t take care of her information, “leading to its exposure as direct result” of its “inadequate data security measures,” the complaint said. The notification Abdaljalil received from PJ&A “put the onus” on her to protect her PII and PHI by urging her to “remain vigilant” and recommending that she “regularly review her financial accounts, report any suspicious or unrecognized activity immediately and monitor her accounts for the next 12 to 24 months,” it said. Since learning of the breach, Abdaljalil has received “multiple dark web monitoring alerts” from her credit monitoring agencies, informing her that her PII and PHI “is on the dark web,” it said. Abdaljalil has had to spend time mitigating risk of future identity theft and fraud, including spending time researching the breach, changing her passwords and freezing her credit with credit bureaus, it said. She has experienced “significant frustration, anxiety, worry, stress, and fear” knowing that hackers accessed her PII and PHI and will likely use it in the future for identity theft, fraud “and other nefarious purposes,” it said. In addition to negligence, Abdaljalil claims unjust enrichment. She seeks compensatory and punitive damages, an order of restitution, injunctive relief, pre- and post-judgment interest and legal costs. PJ&A didn’t comment Friday.
Plaintiff Alexandra Lardis’ claims against Columbia University “materially differ” from those at issue in centralized actions in conditional transfer order (CTO-23) issued Dec. 13 by the Judicial Panel on Multidistrict Litigation in In Re: MoveIt Customer Data Security Breach Litigation, and the CTO should be vacated, said her Wednesday motion (docket 3083) before the panel. Lardis’ case “has nothing to do with the negligence of the defendants in the MOVEit action,” said the motion. Instead, her action (docket 1:23-cv-10241) alleges that defendant Columbia breached its contractual obligations to her and class members regarding its handling of personally identifiable information (PII) including Social Security numbers, dates of birth and first and last names, it said. Lardis alleges Columbia’s conduct violated the university’s written policies regarding maintenance, retention and handling of PII. As of Wednesday, the university “still failed to notify any class members,” or Lardis, of the data breach, “despite it occurring approximately seven months ago,” the motion said. Lardis’ theories of liability require “extremely limited, if any, fact discovery that would overlap with that of the centralized cases,” the motion said, and as a result of factual and legal discrepancies, the case “lacks sufficient commonality with the centralized cases and should not be transferred for pre-trial proceedings.” Lardis’ Nov. 21 action against Columbia, involving the May data breach in Progress Software Corp.'s MOVEit file transfer software, asserts claims of negligence, breach of implied contract and express contract, plus violation of New York Business Law.
Plaintiff Jamie Garcia “deliberately chose to file” in Indiana state court a negligence lawsuit against Maximus Health Services (docket 1:23-cv-02129) “for convenience purposes,” and because Maximus was the sole party she dealt with involving Progress Software Corp.'s MOVEit software data breach, said her Tuesday brief (docket 3083) in support of her motion to vacate conditional transfer order 22 (CTO-22) before the Judicial Panel on Multidistrict Litigation. Maximus “failed to adequately secure and upgrade its data systems,” and although the health services company detected the attack on May 30, it didn’t properly notify Garcia and waited over two months before informing the public on Aug. 11, the brief said. Maximus removed Garcia’s Nov. 15 case to U.S. District Court for Southern Indiana from Superior Court of Marion County, on Nov. 27, and it filed a notice of potential tagalong actions Dec. 4 including her case. On Dec. 8, the JPML issued CTO-22 and will consider whether consolidation of her case is appropriate in U.S. District Court for Massachusetts in Boston. Garcia asserts she “timely filed” a motion to remand the case to Superior Court of Marion, and it remains pending before U.S. District Judge Patrick Hanlon for Southern Indiana in Indianapolis, who has been “fully briefed,” said the filing. Maximus’ primary argument for federal jurisdiction “is to suggest that a non-party to the state-court action creates jurisdiction in the Federal court”; Garcia disagrees.
The court should reject the first-to-file rule in a privacy case about a September data breach involving a cyberattack on MGM International’s computer systems, said MGM Resorts International’s brief Tuesday (docket 1:23-cv-20419) in U.S. District Court for New Jersey in Camden. It opposes the plaintiffs’ November emergency motion to preclude all other venues and duplicate litigation. U.S. District Judge Joseph Rodriguez for New Jersey reset deadlines in December for the motion, originally set for Tuesday, to Jan. 16 (see 2312120066). The court should deny Saul and Shirley Lassoff’s first-to-file motion, said MGM, calling it a “baseless attempt to seize control of 13 other putative nationwide class actions pending in the District of Nevada," each alleging similar negligence, breach of contract and unjust enrichment claims against MGM arising from the data breach. The first-to-file rule aims to limit duplicate litigation, “not to incentivize first filers,” said the brief. The rule is “inapposite” where it will neither preserve judicial resources nor enhance “the just and efficient management of the litigation,” it said. The cases against MGM in the District of Nevada “are at least as mature,” if not more so, than the Lassoffs’ case, it said. MGM intends to transfer the Lassoffs’ action to Nevada because the federal court in Las Vegas “provides a more convenient forum in which to efficiently coordinate between and manage multiple pending cases with multiple plaintiffs and counsel of record,” the brief said. Given the location of many witnesses and documents in Nevada, “as well as the total lack of any such evidence in New Jersey,” the convenience offered by trial in Nevada “is sufficient to overcome the first-to-file rule,” it said, citing Ricoh v. Honeywell. All the cases vs. MGM “are in their infancy,” and MGM is of the belief that multiple interested parties in Nevada are working to coordinate the litigation and address the issues that inspire the first-to-file rule, said the brief. “Were those efforts interrupted by an injunction -- particularly without any evidence that these Plaintiffs provided proper notice to the plaintiffs in other actions -- it would undoubtedly lead to ancillary litigation and delay,” it said.
All claims against T-Mobile are dismissed following plaintiff Waleed Lashin’s November notice of voluntary dismissal without prejudice (see 2311140040), said a Tuesday text-only order (docket 4:23-cv-00393) from U.S. District Judge David Kays for Western Missouri in Kansas City. Lashin’s June 8 negligence complaint alleged that T-Mobile downplayed the severity of a Feb. 24 data breach and that it didn’t notify customers whose personally identifiable information was exposed until April 28, more than two months after the breach began.
23andMe filed a memorandum of law in support of a motion before the U.S. Judicial Panel on Multidistrict Litigation Friday to transfer and consolidate 31 class actions, and others subsequently filed, involving similar facts or claims around an October data breach (see 23102500360). The genetic testing company announced Oct. 6 that it was hacked, compromising the names, gender, date of birth, genetic ancestry results, profile photos and geographical location of some customers who "recycled login credentials" with usernames and passwords that a threat actor may have accessed. The first action involving the incident, Santana et al v. 23andMe, was filed Oct. 9 in the U.S. District Court for Northern California in San Francisco, and 28 more followed there; two others were filed in the Northern District of Illinois: Gill v. 23andMe (8:23−cv−02387) and Bacus v. 23andMe (docket 1:23-cv-16828), said the memorandum (docket 3:23-cv-05464). On Nov. 30, Judge Edward Chen issued an order relating cases, finding 22 actions in the Northern District of California are related to the Santana action, said the memorandum. The last action, Rivers v. 23andMe Holding Co., was filed Dec. 15. The defendant expects additional lawsuits involving the same alleged security breach “given the ongoing filing of putative class actions over the last two-and-a-half months." Transfer is necessary to conserve court resources, reduce duplicative discovery and avoid inconsistent rulings if the actions proceed separately, the memorandum said.