U.S. District Judge John Coughenour granted in part and denied in part motions to dismiss a May privacy case against Microsoft and Qualtrics, said his Tuesday order (docket 2:23-cv-00718) in U.S. District Court for Western Washington in Seattle. Plaintiff “Jane Doe” alleged Microsoft and analytics company Qualtrics “repeatedly and systematically” violated patients’ healthcare privacy rights on the Kaiser Permanente website by intercepting and collecting data on medical conditions, prescriptions, immunizations and more (see 2305160051). Coughenour granted defendants’ requests for judicial notice with respect to certain exhibits that are public webpages. In the case of Qualtrics’ seeking judicial notice for “of the truth of its contents, not merely its existence” with respect to an assertion that the “Site Intercept function does not ‘intercept’ anything,” Coughenour said that request isn’t appropriate under Federal Rule of Evidence 201. Qualtrics contends Doe lacks standing, but Coughenour said she adequately pleads an entitlement to Qualtrics’ profits from users’ personal data. She alleges that her personal data carries financial value and cites numerous articles and studies describing the “growing market for personal data, including personal health data,” said the order. She also alleges that Qualtrics profited from the data and used it for targeted advertising, generating revenue and profit, the order said. The defendants challenged the complaint’s factual allegations with Qualtrics arguing Doe fails to plead when she used the Kaiser website and thus was exposed to alleged data collection. Microsoft argues Doe fails to allege facts plausibly showing she was personally affected by Microsoft’s alleged conduct, including the dates she used the Kaiser website and facts showing Kaiser disclosed her data in a manner that allowed Microsoft to identify her personally. But Doe alleges she has been a Kaiser member for 10 years and that while logged into her account accessing her medical information, “Defendants unlawfully intercepted and collected such data along with her personal identifiers.” That is sufficient to allege facts, said the order. Qualtrics argues that Doe’s claims must be dismissed because she consented to its collection of her data when accepting the website’s terms, but Doe’s claims don’t hinge on her being logged in, said the order. Doe alleges Qualtrics collects data “regardless of whether the user is logged in to her Kaiser Account.” Coughenour denied that motion to dismiss, but he dismissed Doe’s California Invasion of Privacy Act claims to the extent she bases them on intentional wiretapping, the order said.
Seven plaintiffs filed notices of opposition Tuesday and Wednesday before the U.S. Judicial Panel on Multidistrict Litigation (docket 3083) to conditional transfer order 23 (CTO-23) in In Re: MOVEit Customer Data Security Breach Litigation. The cases involve the May Progress Software MOVEit data breach. Plaintiff Brad Yourglich opposes CTO-23 as it relates to Yourglich v. Pension Benefit Information (PBI) (docket 3:23-cv-02034), said his filing Tuesday. Yourglich sued PBI and Does 1-10 Oct. 2 in California Superior Court in San Diego, claiming violations of the California Customer Records and Consumer Privacy acts, plus negligence. PBI removed the case to the U.S. District Court for Southern California in San Diego Nov. 3. PBI on Nov. 27 also removed an Oct. 23 negligence suit (docket 3:23-cv-02167) filed by plaintiff Sean Carlblom, with the same claims, from state court to district court. Carlblom opposes the transfer to the multidistrict litigation in U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs. Counsel Jennifer Simil of Jibrael Hindi filed a notice of opposition Wednesday on behalf of four of her clients who are suing PBI for negligence related to the MOVEit data breach. Defendant PBI removed the four cases brought by plaintiffs Andrew Kantack (docket 3:23-cv-01406), Sharon Oliver (docket 3:23-cv-01420), Brian Huey (docket 5:23-cv-00700) and Stacey Lockett (docket 0:23-cv-62321) from Florida state court to U.S. district courts in Florida. Columbia University, a defendant in a negligence suit brought by plaintiff Alexandra Lardis (docket 1:23-cv-10241) in U.S. District Court for Southern New York, also opposes CTO-23 in the MDL, said its notice Wednesday.
Four negligence class actions against Orrick Herrington, a global law firm that has defended data breach clients (see 2312050005), have many of the same claims, proposed class definitions and “sufficient commonality of issues and parties” to warrant consolidation, said U.S. District Judge Susan Illston for Northern California in San Francisco in an order Monday (docket 3:23-cv-06264). The class actions, brought by Dennis Werley (docket 3:23-cv-04089), Robert Jensen (docket 3:23-cv-04433), Robert Bass and Jody Frease (docket 3:23-cv-06227) and Kimberly McCauley (docket 3:23-cv-06264), involve a March 13 data breach affecting some 150,000 persons. The order also applies to any action filed in, transferred to, or removed to the San Francisco court that relates to the Orrick data breach, and shall apply to all actions included in case number 3:23-cv-04089, the order said. Plaintiffs’ consolidated complaint is due within 30 days of the order.
The U.S. Judicial Panel on Multidistrict Litigation transferred 11 cases involving the May Progress Software Corp. (PSC) MOVEit file transfer software data breach to U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs, said conditional transfer order 23 (CTO-23) (docket 3083) in In Re: Moveit Customer Data Security Breach Litigation Wednesday. District court cases transferred include one from Central California vs. AutoZone; two from Southern California vs. Pension Benefit Information (PBI); three from Middle Florida and one from Southern Florida vs. PBI; one from Minnesota vs. Radius Global Solutions; cases from Southern New York vs. TSG Interactive US Services and Columbia University; and one case in Southern Ohio vs. PSC. The transmittal of the transfer is stayed seven days for any party to file a notice of opposition with the panel, it said.
The appeal by six Chrome users seeking to reverse the district court’s dismissal of their privacy complaint (see 2212290037) “is about clear, broken promises that Google made to users of its popular web browser,” said their opening brief Tuesday (docket 22-16993) in the 9th U.S. Circuit Court of Appeals. Google’s first broken promise was that there was no need to provide one’s personal information to use Chrome, said the brief. Its second was that any personal information provided while using Chrome wouldn’t be sent to Google when the browser’s default “sync” setting was turned on, it said. As it turns out, Chrome did secretly send users’ personal information to Google, regardless of whether the sync mode was turned on or off, it said. These data transmissions “are detailed and intrusive,” it said. They reveal to Google “the content of communications that users exchange online and information that they submit to others,” from unemployment-benefit applications to political activities, the brief said. The district court wrongly granted summary judgment to Google on its consent defense, concluding as a matter of law that its disclosures “unambiguously informed a reasonable user that Chrome sent their personal information to Google regardless of sync status,” it said. The district court’s approach to consent “is untenable on multiple levels,” it said. Its holding can’t be reconciled “with longstanding, black-letter tort principles,” said the brief. It also “tramples” on the jury’s traditional role “in resolving questions about the existence and scope of consent.” If allowed to stand, the district court’s logic “would allow companies to obtain consent for all sorts of intrusive and unexpected privacy practices merely by obfuscating the mechanics behind those practices,” it said.
U.S. District Judge Joseph Rodriguez for New Jersey reset deadlines Monday in a lawsuit against MGM Resorts International over its September data breach, after the defendant invoked an automatic extension under Local Civil Rule 7.1(d)(5), said the judge’s text-only order (docket 1:23-cv-20419). MGM’s letter cited plaintiffs Saul and Shirley Lassoff’s Nov. 30 motion to preclude all other venues and duplicate litigation against MGM Resorts International only and to issue a proposed first to file preclusion order and transfer remaining cases to U.S. District Court for New Jersey in Camden. The motion was originally set for hearing Jan. 2, which has not previously been extended or adjourned, said MGM’s filing. The new and next available motion day is Jan. 16, it said. The Lassoffs’ preclusion order requests that the remaining cases involving the cyberattack on the hospitality company’s systems in September be transferred to Camden. The plaintiffs’ amended complaint added New Jersey, New York and Las Vegas MGM customers as potential class members in the action against MGM Resorts International and removed Caesars Entertainment, following the dismissal of Caesars without prejudice from the case in November. The Lassoffs assert claims of breach of fiduciary duty and negligence (see 2311160060).
Plaintiff Julio Garcia voluntarily dismissed with prejudice his individual Video Privacy Protection Act claims against Dow Jones, according to his notice of dismissal Monday (docket 8:23-cv-02351) in U.S. District Court for Middle Florida in Tampa. All claims of Garcia’s putative class are also dismissed without prejudice, said the notice. Garcia used a digital subscription to view video content on the Wall Street Journal website, and he alleges Dow Jones didn’t inform him that his personally identifiable information and viewing history would be shared with Facebook (see 2310180027).
The U.S. Judicial Panel on Multidistrict Litigation transferred seven tagalong actions to In Re: MOVEit Customer Data Security Breach Litigation in U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs, said conditional transfer order 22 (CTO-22) (docket 3083) Friday. The cases, which all involve Progress Software Corp.’s (PSC) May data breach in its MOVEit file transfer software, name as defendants Umpqua Bank, PSC, Maximus Health Services, Performance Health Technology and Columbia Banking Systems; two name Flagstar Bank. The cases are being transferred from district courts in Northern California, Middle Florida, Southern Indiana, Eastern Michigan, Oregon and Western Washington. Elsewhere on the MOVEit docket, PSC responded to Primis Bank’ motion to vacate CTO-9, saying Thursday that transfer of Kline v. Primis Bank (docket 3:23-cv-00574) to the MDL is warranted because it shares common questions of fact with cases in MOVEit, and transfer will promote the “just and efficient conduct of this litigation.” Like other defendants centralized in the MDL, Primis’ customer filed an action against it but not against PSC or any other party, said the response. The JPML “has made clear that such a circumstance does not defeat centralization,” said the response. The panel “has already ruled that ‘the MOVEit vulnerability is at the core of all cases’” and that it would be “impossible” to “disentangle the allegations against Progress . . . from the allegations against other defendants,” it said. Many defendants share the belief regarding their cases “that the claims against them will be dismissed,” said PSC’s response. “Presuming for these purposes the outcome of a motion to dismiss simply puts the cart before the horse,” it said, saying one reason for the MDL is “to create an efficient way for addressing issues that are common to these cases at the pleadings stage as well as in discovery.” If the Kline action fails as a matter of law, “that will be true even if the action is centralized into the MDL,” said the response. If Kline survives dismissal, “it will benefit from the efficiencies of being centralized with the other actions that have 'the MOVEit vulnerability'” at their core, it said. Friday, plaintiff Dominic Fiacco filed a reply memorandum in support of his motion to vacate CTO-7, after defendants the University of Rochester and PSC opposed the motion. “It is not the job of Defense counsel or any other outside counsel to determine what facts are material to Plaintiff Fiacco’s legal theory,” said counsel Philip Fraietta of Bursor & Fisher. Fiacco’s claims “materially differ from those in the centralized actions against [Pension Benefits Information], PSC and Ipswitch," and his action "lacks sufficient commonality with the centralized cases,” said the memorandum.
Grand Rapids, Michigan-based insurance firm Acrisure didn’t begin informing victims of a Dec. 28 data breach until Nov. 10, said a privacy class action (docket 1:23-cv-01288) Friday in U.S. District Court for Western Michigan, Southern Division. Victims’ identities are “now at risk” because of Acrisure’s “negligent conduct” that allowed their private information to fall into the hands of “data thieves,” said the complaint. Acrisure became aware of “unusual activity” on its systems Dec. 28; an investigation showed unauthorized access to its computer systems occurred from Dec. 1, 2022 to Jan. 28, 2023, the complaint said, quoting the letter to victims. It hired a “data-review firm” to determine what information was in the compromised files and received those results in late August, the letter said. The letter didn’t say why Acrisure “failed to stop the unauthorized access for approximately one month after detecting” the breach, it said. The breach was the direct result of Acrisure’s “failure to implement adequate and reasonable" cybersecurity procedures and protocols necessary to protect the consumers in its network from a “foreseeable and preventable” cyberattack, the complaint said. Acrisure maintained the data of plaintiff Carlos Dias of Lake Mary, Florida, and class members in a “reckless manner” in a “condition vulnerable to cyberattacks,” it said. Acrisure collected and maintained sensitive information of Dias and class members, including their name, address, date of birth, Social Security and driver’s license numbers, financial account numbers and health insurance information, the complaint said. Despite assurances on its website that it protects personal information from “unauthorized access, use, or disclosure,” the company “disregarded the rights” of Dias and class members by “intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” it said. Dias asserts on behalf of himself and the class claims of negligence, breach of third-party beneficiary contract, unjust enrichment and violation of Florida’s Deceptive and Unfair Trade Practices Act. He seeks actual, nominal, statutory, consequential and punitive damages, attorneys’ fees and costs, and prejudgment interest.
Meta and the FTC propose a Wednesday deadline for the filing of the FTC’s opposition and anticipated cross-motion to Meta’s motion for a preliminary injunction to block the agency from modifying its 2020 privacy consent order to include new restrictions on Meta’s business activities, said their joint meet and confer statement Thursday (docket 1:23-cv-03562) in U.S. District Court for the District of Columbia. Dec. 27 is their proposed deadline for Meta’s response, and the FTC’s reply would be due Jan. 10, followed by a hearing Jan. 17 or 18 on the preliminary injunction motion, said the statement. They structured the proposed schedule to allow Meta’s injunction motion and the FTC’s anticipated cross-motion to be briefed and heard before Jan. 31, said the statement. That's Meta's newly extended deadline to respond to the FTC’s May 3 order to show cause why the commission shouldn’t modify the 2020 consent order and enter the new restrictions, said the statement. Meta’s Nov. 29 complaint asked the court to declare that “fundamental aspects” of the FTC’s structure violate the Constitution, and that those violations “render unlawful” the FTC’s proceeding against Meta (see 2311300039).