Plaintiff-appellee John Doe's counsel in the privacy appeal brought by Cedars-Sinai Health System (see 2305260047) on Thursday submitted to the 9th U.S. Circuit Court of Appeals as supplemental authority the 8th Circuit’s decision in John Doe v. BJC Health System (docket 23-1107). Cedars-Sinai’s appeal seeks to reverse the district court’s order remanding the case to state court where it originated. BJC Health System, like Byrd’s case before the 9th Circuit, “involves a defendant’s improper removal of a case based upon the federal officer removal statute,” said counsel Rachele Byrd of Wolf Haldenstein in her letter Friday (docket 23-55466) to the 9th Circuit clerk. The plaintiffs in BJC Health System allege that when they visited BJC’s online patient portal to access electronic health records, BJC shared their protected health information with third-party marketing services in violation of state privacy laws, it said. The 8th Circuit, “in a comprehensive and carefully reasoned opinion,” affirmed the district court’s order remanding the action back to state court, said the letter. The 8th Circuit held that a party acts under a federal officer, within the meaning of the federal officer removal statute, only when it performs a basic governmental task, it said. That task involves a delegation of legal authority from a federal entity, it said. In other words, the party acts on the government’s behalf, and does the business of the federal government and not merely its own, it said. The 8th Circuit held that the design of private websites is not, and has never been, a basic governmental task, said the letter. When BJC created and operated an online portal for its patients, it wasn’t doing the federal government’s business but rather its own, it said. That BJC received a federal subsidy when it created its private website is an “insufficient” basis for removing a case under the federal officer removal statute, it said.
23andMe filed a memorandum of law in support of a motion before the U.S. Judicial Panel on Multidistrict Litigation Friday to transfer and consolidate 31 class actions, and others subsequently filed, involving similar facts or claims around an October data breach (see 23102500360). The genetic testing company announced Oct. 6 that it was hacked, compromising the names, gender, date of birth, genetic ancestry results, profile photos and geographical location of some customers who "recycled login credentials" with usernames and passwords that a threat actor may have accessed. The first action involving the incident, Santana et al v. 23andMe, was filed Oct. 9 in the U.S. District Court for Northern California in San Francisco, and 28 more followed there; two others were filed in the Northern District of Illinois: Gill v. 23andMe (8:23−cv−02387) and Bacus v. 23andMe (docket 1:23-cv-16828), said the memorandum (docket 3:23-cv-05464). On Nov. 30, Judge Edward Chen issued an order relating cases, finding 22 actions in the Northern District of California are related to the Santana action, said the memorandum. The last action, Rivers v. 23andMe Holding Co., was filed Dec. 15. The defendant expects additional lawsuits involving the same alleged security breach “given the ongoing filing of putative class actions over the last two-and-a-half months." Transfer is necessary to conserve court resources, reduce duplicative discovery and avoid inconsistent rulings if the actions proceed separately, the memorandum said.
Michael Foulkes voluntarily dismissed without prejudice his Video Privacy Protection Act class action claims against Chegg, said his notice Thursday (docket 1:23-cv-23993) in U.S. District Court for Southern Florida in Miami. Foulkes alleged in his Oct. 19 complaint that the educational services company tracked his video viewing history while he was on its website and then shared that history with Facebook (see 2310200013).
Clearesult Consulting opposes conditional transfer order 24 (CTO-24) as it relates to Dauch v. Clearesult Consulting, said its Dec. 26 notice (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation related to the May Progress Software Corp. (PSC) data breach MDL. Dauch’s case was one of three tagalong actions in CTO-24, transferred to U.S. District Court for Massachusetts in Boston and assigned to U.S. District Judge Allison Burroughs. In the Sept. 29 breach of contract case in U.S. District Court for Western Texas in Austin (docket 1:23-cv-01182), plaintiff Jason Dauch sued the energy consulting company for failure to properly secure his personally identifiable information (PII) in the late May data breach at Progress Software, one of Clearesult’s IT vendors. Also Tuesday, plaintiff Sophie Jani withdrew her November notice of opposition (see 2311220007) to CTO-17 and a December motion to vacate conditional transfer order with brief in support of the CTO related to Jani v. Patelco Credit Union (docket 3:23-cv-05054), in a notice before the panel. Jani sued Patelco for failing to protect her PII in the PSC MOVEit file transfer software data breach. Jani's case was transferred to U.S. District Court for Massachusetts from U.S. District Court for Northern California as part of conditional transfer order CTO-17 Nov. 27.
Alyssa Gary and Marla Defoort’s first amended complaint against Dynatrace should be dismissed in its entirety with prejudice because they can't state a claim against Dynatrace, said the defendant's motion to dismiss Friday (docket 3:23-cv-11673) in U.S. District Court for Massachusetts in Springfield. The plaintiffs also lack Article III standing, and Defoort fails to plausibly allege facts to support a claim under a theory of liability under the California Invasion of Privacy Act, said Dynatrace. The plaintiffs allege that Dynatrace “wiretaps” electronic communications of “thousands” of website visitors, secretly observing and recording their “keystrokes, mouse clicks, data entry, and other electronic communications, in real time” (see 2307270025). Plaintiff Gary visited Ulta Beauty’s website last year to buy cosmetics, and her keystrokes, mouse clicks and other electronic communications “were intercepted in real time and disclosed” to Dynatrace, along with her IP address, geolocation and information about her device, it said. The “capturing, recording, and redirection” of her website interactions began when she accessed the Ulta site, “before any purported disclosures were made,” the complaint alleged. Defoort, too, was unaware her website interactions on Ulta Beauty were being disclosed to Dynatrace, the complaint said. When the plaintiffs voluntarily browsed Ulta Beauty’s website, their online activity “was purportedly captured by Dynatrace’s ‘session replay’ technology, which Ulta used on its website “to understand and improve its online consumer experience,” said the motion. The technology enables website owners to identify ways to improve website design “to be more consumer-friendly, resolve problems consumers may encounter, and protect against fraud,” the motion said. Plaintiffs’ unidentified activities on the website are the “online equivalent of browsing in a brick-and-mortar store” and “not protected private activity or communications that Dynatrace somehow eavesdropped,” it said. Courts have rejected similar claims on grounds that this type of online activity isn’t protected and not the type of conduct the “decades-old laws were intended to prohibit,” it said. Also, the use of session replay technology to improve a website “does not constitute unlawful eavesdropping,” it said. The Massachusetts court “should do the same here and dismiss this misdirected lawsuit,” it said.
U.S. District Judge Susan Paradise Baxter dismissed a privacy class action for lack of subject-matter jurisdiction, said her order Friday (docket 1:23-cv-00330) in U.S. District Court for Western Pennsylvania in Erie. Plaintiff Robert Marrone and defendant Warren General Hospital requested an order dismissing Marrone’s Nov. 22 data breach class action against the hospital because more than 80% of proposed class members -- roughly 115,000 out of 142,000 -- live in Pennsylvania, said their joint motion Thursday (see 2312220037). Marrone intends to refile his case to Warren County Court, said the judge's order.
The Electronic Privacy Information Center supports the appeal of six Chrome users to reverse the district court’s dismissal of their complaint alleging that Chrome secretly sent their personal information to Google when Google said it wouldn’t (see 2312130029), said its amicus brief Thursday (docket 22-16993) in the 9th U.S. Circuit Appeals Court. For more than two decades, Google and other internet companies have presented privacy as an issue of “user choice” and argued that their legal obligations “should only extend so far as the promises they have explicitly made,” it said. That “notice and choice” framework “has led to a massive expansion in commercial surveillance that has fueled harmful discrimination, enabled invasive profiling, and degraded user privacy across the internet ecosystem,” it said. In response to the recent trend of users demanding greater privacy protection, companies like Google “have made new privacy promises and offered new services that they claim protect user privacy,” it said. “This case is about what happens when a company purports to offer its users new privacy-protective settings on the one hand, but then continues to invade their privacy on the other,” it said. Google contends that even when it has explicitly promised its users that it will protect their data, “it doesn’t have to abide by that promise so long as it points to contrary terms in its general user agreement and statements posted in a sprawling web of disclosure pages,” said the brief. The U.S. District Court for Northern California’s ruling in Google’s favor “is a fundamental rejection of the reasonable consumer standard and would eliminate even the modicum of privacy that the common law currently provides to internet users,” it said. When Google makes specific privacy promises to Chrome users, the company shouldn’t be allowed “to override those promises with blanket disclaimers in its general user agreement,” it said. Internet users want strong privacy protections online, and companies like Google shouldn’t be “insulated from liability when they expand the scope of their disclosures beyond what users reasonably expect,” it said.
Plaintiff Melanie Newman gave her Social Security number and other personal information to AMC Theatres when she began working for the company, but the theater chain incurred a data breach “well after” her employment ended, said Newman’s response Thursday (docket 2:23-cv-02358) in U.S. District Court for Kansas in Kansas City to AMC's Nov. 21 motion to compel her claims to arbitration. Newman’s Aug. 17 complaint alleges AMC failed to properly secure and safeguard her personally identifiable information that was compromised in Progress Software’s MOVEit May file transfer software data breach. The theater chain “now seeks to avoid” answering to Newman’s claims arising out of the MOVEit data breach “by attempting to tie its failure to implement reasonable data security to Plaintiff’s role as an employee of the company,” said the response. AMC’s motion doesn’t mention that any agreement it had with Newman “unambiguously excludes Plaintiff’s ability to seek equitable relief before this Court from the agreement itself,” it said. The court should deny AMC’s motion as her claim is “unrelated to her role as an employee,” or, in the alternative, sever Newman’s claims from her claims for damages and allow her to seek equitable relief on behalf of all others similarly situated before the court, it said. The U.S. Judicial Panel on Multidistrict Litigation added Newman’s case as the single tagalong action in conditional transfer order 20 last month (see 2312010048) in In Re: MoveIt Customer Data Security Breach Litigation, transferring it to the U.S. District Court for Massachusetts in Boston. AMC's motion to compel arbitration should be denied, said the response.
U.S. Magistrate Judge Adam Abelson for Maryland in Baltimore ordered plaintiff Abigail Collins to appear in court for a Jan. 26 hearing to show cause why she hasn’t filed the required consent or declination to have her negligence case against Washington College tried by a magistrate judge, said Abelson’s signed order Wednesday (docket 1:23-cv-03258). Abelson will vacate the order if Collins files the consent or declination by the hearing date, it said. Collins alleges that the school where she’s a student failed to secure her personally identifiable information (PII) in a March data breach (see 2312040021). Though Collins was aware a cybersecurity incident occurred in March, she didn't know her PII might have been exposed until the college notified her in a Nov. 15 letter.
U.S. District Judge for Southern New York Nelson Stephen Roman granted plaintiffs’ motion for consolidation of class actions against IBM and Johnson & Johnson involving a data breach defendants were alerted to on Aug. 2 (see 2311060062), said his order Tuesday (docket 7:23-cv-09725) in U.S. District Court for Southern New York in White Plains. Seven cases will be consolidated into Malinowski v. IBM Corp. (docket 7:23-CV-08421), filed Sept. 22. Plaintiff Elaine Malinowski asserts claims of negligence and negligence per se; unjust enrichment; and breach of confidence, implied contract, covenant of good faith and fair dealing, and fiduciary duty against the defendants for failing to protect her personally identifiable information in the data breach. The other six class actions were brought by Michelle Pettiford; Anthony Hanna; Vanessa Hays; Michael Wright; Joseph Haley, Rowdy Alldridge and Mary Lea Kirby; and Kristal Mize.