Mandry Technology Solutions removed to U.S. District Court for Central California in Los Angeles Thursday an Oct. 4 complaint (docket 2:23-cv-09502) from Los Angeles Superior Court in which plaintiff Dana Hughes alleges Mandry, a supplier of IT, cybersecurity and cloud strategy enterprise services, “secretly installed” spyware on its website from third party Lead Forensics. The spyware allows Mandry to “de-anonymize every anonymous visitor to the site” so that it knows each visitor's name, face, location, email and browsing history, said the complaint. The spyware “aggregates” that user data “with other data obtained from the dark web,” so that Mandry can turn “anonymous visitors into actionable sales leads in real-time,” it alleged. None of that’s done with Hughes’ “consent or authorization,” it said. She visited Mandry’s website “without being informed, let alone authorizing,” Mandry to share her data with third parties, it said. Mandry’s conduct, if allowed to proceed, “would dramatically change the nature of the internet,” such that anonymous web-surfing “is now a means to surveil, commoditize, and control personal information of users,” it said. Mandry’s actions are unlawful under the California Unauthorized Access to Computer Data Act, plus they’re intrusive and offensive “such that they would shock the conscience of any website user,” it said. She seeks “all relief available” under the statute, including compensatory and punitive damages, plus injunctive relief and attorneys' fees. Mandry denies Hughes’ allegations and that she has suffered any loss or injury, said its notice of removal. It also denies she’s entitled to any damages, injunctive relief or any other relief or recovery, it said.
The World Wildlife Fund “regrettably” devotes “a substantial portion” of its Sept. 14 motion to dismiss plaintiff Sonya Valenzuela’s privacy complaint attacking her and her counsel, said Valenzuela’s memorandum of points and authorities Thursday (docket 2:23-cv-06112) in U.S. District Court for Central California in Los Angeles in support of her opposition to the motion. Valenzuela alleges WWF invaded her privacy with its use of FullContact software to record and “deanonymize” internet protocol addresses when she used WWF’s website chat function (see 2307280032). WWF’s motion to dismiss asks the court “to draw adverse credibility inferences” about Valenzuela and her lawyer, Scott Ferrell of Pacific Trial Attorneys, on grounds that Valenzuela is a serial litigant, said her memorandum. But the 9th U.S. Circuit Court of Appeals recently made “exceptionally clear” that WWF’s tactics are “improper,” it said. The 9th Circuit held in its Jan. 23 decision in Langer v. Kiser that it’s “necessary and desirable” for committed individuals to bring serial litigation to enforce and advance consumer protection statutes, as Valenzuela “does here,” it said. WWF should be “sternly reminded” of the 9th Circuit’s “admonition” that courts mustn’t “discredit and/or penalize a plaintiff for being a litigation tester,” it said. WWF’s “implicit challenge” to Valenzuela’s standing to sue “is without merit,” said her memorandum. Though WWF doesn’t “expressly challenge” her standing to sue, its argument that she fails to allege any injury “should be construed as making that challenge,” it said. The 9th Circuit has held that claims under the California Invasion of Privacy Act, such as those that Valenzuela raises in her complaint, “protect concrete, substantive privacy interests, which is sufficient to confer standing,” it said.
Five privacy class actions vs. Hartford Life and Accident Insurance involving the May MOVEit data breach were transferred from federal court in Connecticut to U.S. District Court for Massachusetts under U.S. District Judge Allison Burroughs, said conditional transfer order 14 (CTO-14) before the U.S. Judicial Panel on Multidistrict Litigation Monday (docket 3083). Since the JPML on Oct. 4 transferred five actions to In Re: MOVEit Customer Data Security Breach Litigation to the Massachusetts court, 119 additional actions have been transferred, it said. The Monday order will be stayed seven days pending any notices of opposition.
The U.S. Judicial Panel on Multidistrict Litigation (JPML) transferred three cases in In Re: MOVEit Customer Data Security Breach Litigation to U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs, said conditional transfer order 13 (CTO-13) Friday (docket 3083). The three latest cases from federal courts in Indiana, Michigan and South Dakota are Everling v. First Merchants Bank, Heinz v. Jackson National Life Insurance and Ken v. Pathward. The three cases involve the late May data breach in Progress Software’s MOVEit file transfer software. Since Oct. 4, 120 actions have been transferred to the District of Massachusetts. Elsewhere, plaintiff Samantha O’Neal in O’Neal v. EMS Management & Consultants (docket 1:23-cv-00738) opposes transfer in CTO-10 to the MOVEit MDL, said her Friday notice of opposition before the JPML. O’Neal’s negligence class action alleges EMS Management had a duty to protect her personally identifiable information and should have known “through readily available and accessible information about potential threats for the unauthorized exfiltration and misuse of such information.”
Plaintiff Susan Allcock opposes inclusion of her negligence class action against Valley National Bank involving the MOVEit data breach in conditional transfer order 9 (CTO-9), said her opposition notice (docket 2:23-cv-20900) Wednesday before the U.S. Judicial Panel on Multidistrict Litigation. Allcock's case, removed Oct. 4 from Middlesex County Superior Court in New Jersey to the U.S. District Court for New Jersey in Newark, asserts she and class members are entitled to a “significant amount of monetary damages” related to “actual identity theft” from the compromise of her personally identifiable information in the late May data breach of Progress Software Corp.'s (PSC) MOVEit file transfer software. Her action, which doesn't name PSC as a defendant, claims Valley Bank “failed to implement reasonable data security measures” to protect her PII. Valley Bank’s failure to protect customers’ information “ultimately allowed nefarious third-party hackers to breach the systems housing PII,” alleges her complaint. Allcock’s action was one of 13 included in CTO-9 (see 2310260037), transferring cases to In Re: MOVEit Customer Data Security Breach Litigation to U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs. As of Monday, the number of transferred cases in the MOVEit MDL had reached 100 (see 2310300006).
X-Mode Social sells highly sensitive personal data it buys from third-party phone applications, alleged plaintiff Norma Egan in her first amended complaint (FAC) (docket 1:23-cv-11651) Friday in U.S. District Court for Massachusetts in Boston. X-Mode violates state law by acquiring and tracking consumers’ “precise geolocation data and other data through the use of XDK spyware and then profiting from the data by selling it to others without obtaining consent,” said the FAC. Egan doesn’t challenge that the app that originally obtained her geolocation data obtained her consent to collect and share her data, but any purported consent was on behalf of the specific phone app “and did not apply to” X-Mode, it said. The data can include consumers’ movements to and from locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, addiction recovery or other “at-risk populations,” said the FAC. Neither X-Mode, nor any entity acting on its behalf, “ever attempted to obtain -- or did obtain -- consent for its subsequent sale or transfer of the data to other third parties after it acquired data from the phone applications,” said the FAC. Through the selling of Egan’s data without her consent, X-Mode has been “unjustly enriched” and has violated Egan’s privacy rights, state consumer protection and privacy statutes, and Section 5 of the FTC Act, it said. Egan claims unjust enrichment and violation of the Massachusetts Unfair and Deceptive Business Practices Act (see 2307260030).
The number of transferred cases in In Re: MOVEit Customer Data Security Breach Litigation reached 100 less than a month after the first five cases were transferred to U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs Oct. 4. Five tagalong cases were added Friday in conditional transfer order 10 (docket 3083) before the U.S. Panel on Multidistrict Litigation: one from New York District Court vs. Ernst & Young; three from North Carolina Middle District vs. EMS Management; and one from U.S. District Court for Oregon against Standard Insurance Co.
A privacy complaint against Meta, E.H. v. Meta Platforms (docket 3:23-cv-04784), is related to In Re: Meta Pixel Healthcare Litigation (docket 3:22-cv-03580), said U.S. District Judge for Northern California William Orrick’s Friday order. The September privacy complaint alleges the Meta Pixel tracking code collects information such as prescriptions, diagnoses and symptoms, which “even close friends and family might not have known about,” from third-party businesses’ websites and sends it to Meta, whether or not a user has a Facebook account.
Some 70 cases involving the May MOVEit data breach have been sent to U.S. District Court of Massachusetts since the U.S. Panel on Multidistrict Litigation transferred five actions to the court Oct. 4 for coordinated or consolidated pretrial proceedings in In re: MOVEit Customer Data Security Breach Litigation, said conditional transfer order 9 (CTO-9) before the JPML Wednesday. CTO-9 added 13 federal cases to the list: two from New Jersey vs. Valley National Bank, three from New York vs. Global Atlantic Financial Group, four vs. Franklin Mint Federal in Eastern Pennsylvania, three from Eastern Tennessee vs. Unum Group and one from Eastern Virginia against Primis Bank.
A class action against T-Mobile involving the carrier’s February data breach should be dismissed for lack of jurisdiction and because the U.S. District Court for Western Missouri is an improper venue, said T-Mobile Friday in its motion to dismiss (docket 4:23-cv-00393) the privacy class action. Alternatively, plaintiff Waleed Lashin’s claims should be compelled to arbitration and the action stayed because he entered into valid and enforceable agreements with T-Mobile that include mandatory arbitration provisions for claims not asserted in small claims court, the company said. T-Mobile “largely put the burden of a fraud alert on victims,” said the New Jersey plaintiff’s lawsuit. T-Mobile's breach notice didn’t explain which security weakness was compromised in the breach, to what extent individuals were affected and who perpetrated it, the complaint said. Just after the breach, Lashin experienced a large increase in spam and “suspicious” phone calls, texts and emails, the complaint said, and he received a two-factor authentication message from PayPal for a login he didn’t make or authorize. On Feb. 28, Lashin's phone lost service, and he received an email from T-Mobile saying he had canceled his internet account. An hour later, he began receiving notices that the cryptocurrency in his Coinbase account was being converted into bitcoin and the cash was being transferred out of the account, the complaint said. The cash and cryptocurrency account loss was $13,000, he said. Lashin’s complaint claims negligence, unjust enrichment and breach of implied contract.