Four negligence class actions against Orrick Herrington, a global law firm that has defended data breach clients (see 2312050005), have many of the same claims, proposed class definitions and “sufficient commonality of issues and parties” to warrant consolidation, said U.S. District Judge Susan Illston for Northern California in San Francisco in an order Monday (docket 3:23-cv-06264). The class actions, brought by Dennis Werley (docket 3:23-cv-04089), Robert Jensen (docket 3:23-cv-04433), Robert Bass and Jody Frease (docket 3:23-cv-06227) and Kimberly McCauley (docket 3:23-cv-06264), involve a March 13 data breach affecting some 150,000 persons. The order also applies to any action filed in, transferred to, or removed to the San Francisco court that relates to the Orrick data breach, and shall apply to all actions included in case number 3:23-cv-04089, the order said. Plaintiffs’ consolidated complaint is due within 30 days of the order.

The appeal by six Chrome users seeking to reverse the district court’s dismissal of their privacy complaint (see 2212290037) “is about clear, broken promises that Google made to users of its popular web browser,” said their opening brief Tuesday (docket 22-16993) in the 9th U.S. Circuit Court of Appeals. Google’s first broken promise was that there was no need to provide one’s personal information to use Chrome, said the brief. Its second was that any personal information provided while using Chrome wouldn’t be sent to Google when the browser’s default “sync” setting was turned on, it said. As it turns out, Chrome did secretly send users’ personal information to Google, regardless of whether the sync mode was turned on or off, it said. These data transmissions “are detailed and intrusive,” it said. They reveal to Google “the content of communications that users exchange online and information that they submit to others,” from unemployment-benefit applications to political activities, the brief said. The district court wrongly granted summary judgment to Google on its consent defense, concluding as a matter of law that its disclosures “unambiguously informed a reasonable user that Chrome sent their personal information to Google regardless of sync status,” it said. The district court’s approach to consent “is untenable on multiple levels,” it said. Its holding can’t be reconciled “with longstanding, black-letter tort principles,” said the brief. It also “tramples” on the jury’s traditional role “in resolving questions about the existence and scope of consent.” If allowed to stand, the district court’s logic “would allow companies to obtain consent for all sorts of intrusive and unexpected privacy practices merely by obfuscating the mechanics behind those practices,” it said.

The U.S. Judicial Panel on Multidistrict Litigation transferred 11 cases involving the May Progress Software Corp. (PSC) MOVEit file transfer software data breach to U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs, said conditional transfer order 23 (CTO-23) (docket 3083) in In Re: Moveit Customer Data Security Breach Litigation Wednesday. District court cases transferred include one from Central California vs. AutoZone; two from Southern California vs. Pension Benefit Information (PBI); three from Middle Florida and one from Southern Florida vs. PBI; one from Minnesota vs. Radius Global Solutions; cases from Southern New York vs. TSG Interactive US Services and Columbia University; and one case in Southern Ohio vs. PSC. The transmittal of the transfer is stayed seven days for any party to file a notice of opposition with the panel, it said.

U.S. District Judge Joseph Rodriguez for New Jersey reset deadlines Monday in a lawsuit against MGM Resorts International over its September data breach, after the defendant invoked an automatic extension under Local Civil Rule 7.1(d)(5), said the judge’s text-only order (docket 1:23-cv-20419). MGM’s letter cited plaintiffs Saul and Shirley Lassoff’s Nov. 30 motion to preclude all other venues and duplicate litigation against MGM Resorts International only and to issue a proposed first to file preclusion order and transfer remaining cases to U.S. District Court for New Jersey in Camden. The motion was originally set for hearing Jan. 2, which has not previously been extended or adjourned, said MGM’s filing. The new and next available motion day is Jan. 16, it said. The Lassoffs’ preclusion order requests that the remaining cases involving the cyberattack on the hospitality company’s systems in September be transferred to Camden. The plaintiffs’ amended complaint added New Jersey, New York and Las Vegas MGM customers as potential class members in the action against MGM Resorts International and removed Caesars Entertainment, following the dismissal of Caesars without prejudice from the case in November. The Lassoffs assert claims of breach of fiduciary duty and negligence (see 2311160060).

Plaintiff Julio Garcia voluntarily dismissed with prejudice his individual Video Privacy Protection Act claims against Dow Jones, according to his notice of dismissal Monday (docket 8:23-cv-02351) in U.S. District Court for Middle Florida in Tampa. All claims of Garcia’s putative class are also dismissed without prejudice, said the notice. Garcia used a digital subscription to view video content on the Wall Street Journal website, and he alleges Dow Jones didn’t inform him that his personally identifiable information and viewing history would be shared with Facebook (see 2310180027).

The U.S. Judicial Panel on Multidistrict Litigation transferred seven tagalong actions to In Re: MOVEit Customer Data Security Breach Litigation in U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs, said conditional transfer order 22 (CTO-22) (docket 3083) Friday. The cases, which all involve Progress Software Corp.’s (PSC) May data breach in its MOVEit file transfer software, name as defendants Umpqua Bank, PSC, Maximus Health Services, Performance Health Technology and Columbia Banking Systems; two name Flagstar Bank. The cases are being transferred from district courts in Northern California, Middle Florida, Southern Indiana, Eastern Michigan, Oregon and Western Washington. Elsewhere on the MOVEit docket, PSC responded to Primis Bank’ motion to vacate CTO-9, saying Thursday that transfer of Kline v. Primis Bank (docket 3:23-cv-00574) to the MDL is warranted because it shares common questions of fact with cases in MOVEit, and transfer will promote the “just and efficient conduct of this litigation.” Like other defendants centralized in the MDL, Primis’ customer filed an action against it but not against PSC or any other party, said the response. The JPML “has made clear that such a circumstance does not defeat centralization,” said the response. The panel “has already ruled that ‘the MOVEit vulnerability is at the core of all cases’” and that it would be “impossible” to “disentangle the allegations against Progress . . . from the allegations against other defendants,” it said. Many defendants share the belief regarding their cases “that the claims against them will be dismissed,” said PSC’s response. “Presuming for these purposes the outcome of a motion to dismiss simply puts the cart before the horse,” it said, saying one reason for the MDL is “to create an efficient way for addressing issues that are common to these cases at the pleadings stage as well as in discovery.” If the Kline action fails as a matter of law, “that will be true even if the action is centralized into the MDL,” said the response. If Kline survives dismissal, “it will benefit from the efficiencies of being centralized with the other actions that have 'the MOVEit vulnerability'” at their core, it said. Friday, plaintiff Dominic Fiacco filed a reply memorandum in support of his motion to vacate CTO-7, after defendants the University of Rochester and PSC opposed the motion. “It is not the job of Defense counsel or any other outside counsel to determine what facts are material to Plaintiff Fiacco’s legal theory,” said counsel Philip Fraietta of Bursor & Fisher. Fiacco’s claims “materially differ from those in the centralized actions against [Pension Benefits Information], PSC and Ipswitch," and his action "lacks sufficient commonality with the centralized cases,” said the memorandum.

Grand Rapids, Michigan-based insurance firm Acrisure didn’t begin informing victims of a Dec. 28 data breach until Nov. 10, said a privacy class action (docket 1:23-cv-01288) Friday in U.S. District Court for Western Michigan, Southern Division. Victims’ identities are “now at risk” because of Acrisure’s “negligent conduct” that allowed their private information to fall into the hands of “data thieves,” said the complaint. Acrisure became aware of “unusual activity” on its systems Dec. 28; an investigation showed unauthorized access to its computer systems occurred from Dec. 1, 2022 to Jan. 28, 2023, the complaint said, quoting the letter to victims. It hired a “data-review firm” to determine what information was in the compromised files and received those results in late August, the letter said. The letter didn’t say why Acrisure “failed to stop the unauthorized access for approximately one month after detecting” the breach, it said. The breach was the direct result of Acrisure’s “failure to implement adequate and reasonable" cybersecurity procedures and protocols necessary to protect the consumers in its network from a “foreseeable and preventable” cyberattack, the complaint said. Acrisure maintained the data of plaintiff Carlos Dias of Lake Mary, Florida, and class members in a “reckless manner” in a “condition vulnerable to cyberattacks,” it said. Acrisure collected and maintained sensitive information of Dias and class members, including their name, address, date of birth, Social Security and driver’s license numbers, financial account numbers and health insurance information, the complaint said. Despite assurances on its website that it protects personal information from “unauthorized access, use, or disclosure,” the company “disregarded the rights” of Dias and class members by “intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” it said. Dias asserts on behalf of himself and the class claims of negligence, breach of third-party beneficiary contract, unjust enrichment and violation of Florida’s Deceptive and Unfair Trade Practices Act. He seeks actual, nominal, statutory, consequential and punitive damages, attorneys’ fees and costs, and prejudgment interest.

Meta and the FTC propose a Wednesday deadline for the filing of the FTC’s opposition and anticipated cross-motion to Meta’s motion for a preliminary injunction to block the agency from modifying its 2020 privacy consent order to include new restrictions on Meta’s business activities, said their joint meet and confer statement Thursday (docket 1:23-cv-03562) in U.S. District Court for the District of Columbia. Dec. 27 is their proposed deadline for Meta’s response, and the FTC’s reply would be due Jan. 10, followed by a hearing Jan. 17 or 18 on the preliminary injunction motion, said the statement. They structured the proposed schedule to allow Meta’s injunction motion and the FTC’s anticipated cross-motion to be briefed and heard before Jan. 31, said the statement. That's Meta's newly extended deadline to respond to the FTC’s May 3 order to show cause why the commission shouldn’t modify the 2020 consent order and enter the new restrictions, said the statement. Meta’s Nov. 29 complaint asked the court to declare that “fundamental aspects” of the FTC’s structure violate the Constitution, and that those violations “render unlawful” the FTC’s proceeding against Meta (see 2311300039).

Sovos Compliance, a defendant in a privacy class action involving Progress Software’s MOVEit file transfer software data breach, moved to vacate conditional transfer order 15 (CTO-15) issued by the U.S. Judicial Panel on Multidistrict Litigation following mediation proceedings with plaintiffs, said its Monday motion (docket 3083) before the panel. Sovos and plaintiffs in a previously consolidated class action reached an agreement in principle to resolve all claims against Sovos and its customers arising out of the MOVEit data breach, including claims brought against Sovos and Midland States Bank in Gorman v. Progress Software Corp., it said. Following the filing of Stadnik v. Sovos Compliance in U.S. District Court for Massachusetts Sept. 13, Zide v. Sovos Sept 14 in U.S. District Court for Central California, and Yenca v. Sovos in Massachusetts federal court Sept. 22, counsel for plaintiffs and Sovos began discussions for an early resolution on a class-wide basis of all claims against Sovos and its customers arising out of the incident, it said. Zide dropped Sovos as a defendant in her Oct. 5 first amended complaint, and Stadnik and Yenca filed an unopposed motion to consolidate their cases in the Massachusetts court; the court granted the motion Nov. 13. The Sovos “subclass” that Gorman seeks to represent is the same putative class that the plaintiffs in the Sovos consolidated action seek to represent, said the motion. Transfer of the Gorman action to the MDL would “frustrate rather than promote judicial economy and efficiency,” and it would cause the parties to expend “significantly more resources to litigate in the interim, despite the likelihood of resolution” through the Sovos consolidated action, it said.

Nine cases from eight districts were transferred to U.S. District Court for Massachusetts in Boston for coordinated or consolidated pretrial proceedings in In Re: MoveIT Customer Data Security Breach Litigation, said conditional transfer order 21 (docket 3083) from the U.S. Judicial Panel on Multidistrict Litigation Monday. Some 166 actions involving Progress Software Corp.’s May data breach have been transferred to the Massachusetts court and assigned to U.S. District Judge Allison Burroughs. Other defendants in the nine cases are Sutter Health, Pension Benefit Information, HealthCare Services, Radius Global Solutions, Aristocrat Technologies and Columbia Banking Systems. The cases all involve questions of fact that are common to the previously transferred actions, said the JPML.