HopSkipDrive should have known it was responsible for protecting plaintiff Tara McIntosh’s and class members' personal information, alleged McIntosh’s data breach negligence class action Thursday (docket 2:24-cv-01676) in U.S. District Court for Central California in Los Angeles. The ride-hailing service waited over three months after being notified of a May 31-June 10 data breach, discovered “one to two months afterward,” to notify McIntosh of the incident, said the complaint. The Spokane, Washington, resident received a letter from HopSkipDrive Nov. 14, notifying her that her personally identifiable information had been improperly accessed, it said.
The seven-day stay for conditional transfer order 32 (CTO-32) was lifted in In Re: MOVEit Customer Data Security Breach Litigation, said a clerk’s notice (docket 3083) from the Judicial Panel on Multidistrict Litigation Wednesday. The five negligence class actions against 1st Source Bank in U.S. District Court for Northern Indiana related to Progress Software Corp.’s May data breach involve questions of fact common to actions previously transferred to the U.S. District Court for Massachusetts in Boston and assigned to U.S. District Judge Allison Burroughs, said the order. None of the five cases names Progress Software as a defendant. Since five actions were transferred to the Boston court on Oct. 4, 206 additional actions have been transferred, it said.
Meta is violating the EU data protection law by requiring users to pay for ad-free service or consent to the use of their personal data, eight European consumer groups alleged Thursday. Meta didn't immediately comment. The groups, from the Czech Republic, Denmark, Greece, France, Norway, Slovakia, Slovenia and Spain, are European Consumer Organisation (BEUC) members. In complaints filed with their national data protection authorities (DPAs), they charged the tech giant with failing to comply with GDPR principles of fair processing, data minimization and purpose limitation. Moreover, they said Meta has no valid legal basis to justify the massive data sweep it carries out on Facebook and Instagram users because the choice it gives them can't lead to free and informed consent. "Meta has tried time and time again to justify the massive commercial surveillance it places its users under," said BEUC Deputy Director-General Ursula Pachl. "Its unfair 'pay-or-consent' choice is the company's latest effort to legalise its business model." In recent years several DPAs have tried to force Meta to change the legal basis for collecting and processing people's data, and the company's "last resort" is to obtain users' consent for those activities by offering them the choice to either pay to see a supposedly ad-free service or consent to the company's full commercial surveillance with ads, BEUC said. Asked why BEUC didn't file the complaint with the DPA in Ireland, where Meta is headquartered, a spokesperson said the organization wanted to involve national data protection authorities that can then take ownership of the issue when those authorities transfer the matter to the Irish authority. In addition, he said, BEUC wanted to involve its members because they know the procedural rules of their own DPAs and to maximize coverage of the issue to show that it affects all Europeans.
A Chicago-area child care agency violated the Illinois Biometric Information Privacy Act by using an employee timekeeping system that includes the dissemination of biometrics to third parties, such as data storage vendors and payroll services, alleged Evilin Cortez’s class action Monday (docket 1:24-cv-01589) in U.S. District Court for Northern Illinois in Chicago. The Little Achievers Learning Center's system stores and repeatedly uses employees’ biometrics each time they clock in or out for their jobs, said the complaint. Cortez relied on her employer “to not only provide a lawful and legally compliant system, but to also disclose all material information regarding the technology and system, including retention, destruction, and dissemination policies,” it said. Before taking possession of Cortez’s biometrics through its timekeeping system, Little Achievers didn’t inform her in writing that her biometrics “were being collected, stored, used, or disseminated,” nor did it publish any policy “specifically about the collection, retention, use, deletion, or dissemination of biometrics,” it said. To this day, the child care worker is unaware of the status of her biometrics obtained by her employer, which hasn’t informed her whether it still retains her biometric information, and if it does, for how long it intends to retain such information without her consent, it said. To the extent Little Achievers is still retaining Cortez’s biometrics, “such retention is unlawful,” said the complaint. Cortez wouldn’t have provided her biometric data to her employer or used its biometric timekeeping technology had she known that her information would remain with the employer “for an indefinite period or subject to unauthorized disclosure,” it said.
Comcast notified the Judicial Panel on Multidistrict Litigation in a Tuesday notice (docket 3099) of two related class actions in U.S. District Court for Eastern Pennsylvania in Philadelphia involving Citrix's October data breach. Jaclyn Remark and Noah Birkett v. Comcast Cable Communications and Citrix Systems (docket 2:24-cv-00793) (see 2402230042) and Vince Estevez v. Comcast Cable Communications and Citrix Systems (docket 2:24-cv-00800) (see 2402260036), filed last week, bring claims of negligence, breach of implied contract and third-party beneficiary contract, and unjust enrichment.
U.S. District Judge William Conley for Western Wisconsin in Madison granted the plaintiffs' motion to consolidate the cases against Forward Bank and Forward Financial Services involving a Sept. 6 data breach, said his signed order Monday (docket 3:23-cv-844). The plaintiffs in Hamilton v. Forward Bank and Forward Financial Services and Ethan Rohland v. Forward Bank and Forward Financial Services moved to consolidate their cases Dec. 19, and the defendants didn’t oppose the motion. The plaintiffs’ consolidated amended complaint is due by April 11, and the defendants will have 21 days to respond, the order said. The plaintiffs in both data breach cases allege Forward Bank maintained, used and shared customers’ personally identifiable information in a “reckless manner,” the complaint said. Conley's order will apply to any action filed in, transferred to, or remanded to the Wisconsin court relating to the Sept. 6 data breach, subject to "prompt objection" by any new plaintiffs or their counsel, it said.
The Dec. 18 SIM swap complaint in which Dagyana Ortiz-Nieves alleges four Liberty Mobile Puerto Rico employees accessed her account without her authorization and failed to safeguard her personal information (see 2312190061) repeats “hundreds of legally deficient and insufficient allegations,” said Liberty’s motion to dismiss Friday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan. The complaint then “incorrectly and baselessly attempts” to hold Liberty liable for alleged disclosures of some “unspecified” personal information and “a swath of third-party actions and unfortunate incidents” that weren’t within Liberty’s control, it said. Ortiz-Nieves lacks Article III standing to sue Liberty for the conduct alleged because she fails to allege an injury-in-fact that's traceable to Liberty’s alleged conduct and that’s likely to be redressed by a favorable judicial decision, it said. Even if Ortiz-Nieves had Article III standing, which Liberty denies, the court would lack subject-matter jurisdiction over her federal claims, it said.
Matthew Hartz voluntarily dismissed without prejudice his privacy action vs. TaxAct because his claims have been incorporated into Smith-Washington v. TaxAct, said his notice of dismissal (docket 1:23-cv-04591) in U.S. District Court for Eastern Illinois in Chicago Thursday. Hartz’s July complaint alleged TaxAct violated congressional and IRS safeguards against the sharing of private tax return information with third parties when it transmitted his personally identifiable information to Facebook and Google (see 2307170033). TaxAct has not served an answer or a motion for summary judgment in the proceeding, so dismissal without prejudice is appropriate without a court order, said the notice.
U.S. District Judge Theodore Chuang for Maryland in Baltimore granted leave to the plaintiffs in seven class actions to move to consolidate those cases involving a data breach at the Retina Group of Washington (RGW) and to appoint interim co-lead class counsel, said his order Tuesday (docket 1:24-cv-00082). His order followed a case management conference Friday. The ophthalmology provider notified patients on its website from July 7 to Nov. 4 of a data breach it experienced March 26 but didn’t disclose that current and former patients’ personally identifiable or personal health information was compromised, Shalane Vance and Sharon Jenkins alleged in one of the class actions last month (see 2401100023). The other actions are brought by Mary Vandenbroucke (docket 1:24-cv-0004), Kwame Dapaah-Siakwan (1:24-cv-0016), Jennifer Boehles (1:24-cv-0020), Natalia Girard (1:24-cv-0082), David Puckett (1:24-cv-0137) and Desiree McCormick (1:24-cv-0166). Plaintiffs must file their motion by Friday, and if the motion is granted, they will be granted leave to file an amended complaint by March 18, the order said. RGW intends to file a motion to dismiss following submission of the amended complaint, due April 17, it said.
U.S. District Judge Donald Middlebrooks for Southern Florida in Fort Lauderdale denied Citrix and Comcast’s joint Feb. 13 motion for an extension of time to respond to plaintiff Alexander Nunn’s negligence complaint (see 2401080014) involving Citrix’s October data breach, said the judge's order Tuesday (docket 0:24-cv-60029). Citrix's deadline to respond to the complaint is March 11 and Comcast's is March 19, and the defendants seek extensions to 30 days after the U.S. Judicial Panel on Multidistrict Litigation reaches a decision on transfer or consolidation of cases involving the data breach. The JPML’s hearing on those cases is set for March 28 in U.S. District Court for South Carolina in Charleston, and it would be “tedious and wasteful” for the defendants to spend resources briefing cases that might be consolidated and transferred, said their motion. The defendants noted the March 28 hearing date, “but they fail to indicate if a final decision on transfer will be made at this hearing,” said Middlebrooks. While acknowledging that Comcast and Citrix want to avoid devoting resources to litigating the case before they know whether it will be consolidated in an MDL, the judge declined their motion, “as it would effectively result in a stay of these proceedings,” said the order. “I am not inclined to allow this case to lie dormant during the pendency of the proceedings before the MDL panel, especially where there is no reasonable expectation as to how long it will take the panel to render its decision,” it said. Nunn’s class action alleges Comcast and Citrix failed to adequately protect his and class members' personally identifiable information from data thieves in the data breach.