Numerous new website technologies and tools allow companies to more effectively interact with their customers, but new consumer privacy suits “continue under decades-old wiretapping statutes,” said a Coblentz Patch analysis Tuesday. The tools include chatbots, session recording software, tracking pixels and cookies, it said. All are “immensely helpful in engaging with and identifying user experiences, and they help improve and promote a company’s business operations,” it said. But plaintiffs’ attorneys recently argued the use of these website technologies -- especially when provided or facilitated by a third-party vendor -- “constitutes violations of wiretapping and eavesdropping statutes,” it said. Under these federal and state statutes, it’s a violation “if an individual uses a recording device to eavesdrop or intercept a confidential communication without the consent of the parties,” it said. These statutes historically were used against individuals secretly listening in on private phone conversations, it said. But plaintiffs’ attorneys “have revived these statutes to claim that companies are violating these laws through the use of website technologies,” and some courts “have allowed some of these claims to pass the motion to dismiss stage,” it said. As more of these cases are making their way through the courts, “we are able to see patterns in how courts are addressing these claims,” it said. There appears to be a distinction emerging between claims that are allowed to proceed past the motion to dismiss stage and those that are not. Chatbots and session recording technologies used only to aid in servicing the website as a service provider “have been found insufficient to state a claim under the wiretapping statutes,” it said. 
By contrast, the use of these tools to collect user data that a third-party vendor is permitted to use for other purposes, including its own business purposes or with services to other companies, “has been found to be sufficient to pass the motion to dismiss hurdle,” it said.
Defendant NationsBenefits moves for all related actions against Fortra involving a January data breach to be transferred to the U.S. District Court in Minnesota, a common jurisdiction that has the first-filed action, said its Wednesday memorandum (docket 3:23-cv-01224) in support of a motion for transfer and centralization before the U.S. Judicial Panel on Multidistrict Litigation (JPML) in In re: Fortra File Transfer Software Data Security Breach Litigation. The facts and circumstances of the related cases are “very similar” to those in the In re: MOVEit Customer Data Security Breach Litigation cases that the JPML found justified centralization and transferred to U.S. District Court in Massachusetts, said the memorandum. With cases in Fortra filed throughout the country, Minnesota is the most centrally located of the forum districts, said the memorandum, noting Fortra is headquartered in Minneapolis. Centralization will prevent different courts from arriving at contrary rulings on scope of discovery, evidentiary issues and substantive motions, it said. Some 46 class actions are pending in seven federal judicial districts involving a January data breach in which Russian ransomware group Clop targeted Fortra’s GoAnywhere managed file transfer software, exploiting a then-unknown software vulnerability, it said. NationsBenefits contracted with Fortra to license and use the software and was named a defendant in 18 of the cases in the Southern District of Florida that have been consolidated under the lead case, Skuraskis v. NationsBenefits et al., it said. NationsBenefits’ clients were named in several of the related actions pending in the Southern District of Indiana and the District of Connecticut. Of the remaining cases with no direct relationship to NationsBenefits, four are in federal courts in Northern California, four in federal court in Connecticut, one in Indiana, one in Minnesota and seven in the Middle District of Tennessee, it said.
Consolidation of related cases pending in California, Connecticut, Ohio and Tennessee occurred in those respective jurisdictions, it said. The Fortra data breach affected over 100 entities; additional tagalong cases are likely, it said.
New filings before the U.S. Judicial Panel on Multidistrict Litigation in In Re MOVEit Customer Data Security Breach Litigation Monday included notices of six potential tagalong actions, filing of conditional transfer order 5 (CTO-5), and a notice of opposition to CTO-1 by plaintiff Fortuno Jeanfort (docket 3083) in a negligence class action against TD Ameritrade. Defendants Charles Schwab and TD Ameritrade notified the panel of three potential tagalong cases in U.S. District Court for Nebraska: David Schultz v. TD Ameritrade (docket 23-cv-00375), Keren Jeanfort v. TD Ameritrade (docket 23-cv-00380) and Francis Grande v. TD Ameritrade (docket 23-cv-00385). Actions listed on CTO-5 -- Little v. American National Insurance and Matthews v. American National Group -- appear to involve questions of fact common to the actions previously transferred to the District of Massachusetts in Boston and assigned to U.S. District Judge Allison Burroughs, said the panel. Since five actions in In Re MOVEit Customer Data Security Breach Litigation were transferred to the Massachusetts court Oct. 4, 64 additional actions have been transferred to the district, the JPML said. In addition, defendant CareSource filed a notice of three additional potential tagalong cases against defendant CareSource in Ohio district courts.
Cybercriminals broke into the systems of debt collection company Radius Global Solutions in May, resulting from the MOVEit software data breach, but the company didn’t inform individuals affected by the breach until September, said a Monday class action (docket 0:23-cv-03182) in U.S. District Court for Minnesota in Minneapolis. Radius, based in Edina, Minnesota, provides outsourced customer service and debt collection to healthcare providers, said the complaint. Plaintiff Frederick Smith of Georgia alleges Radius touts it “is a professional capable of and committed to safeguarding its clients’ data and the individuals’ information contained in that data,” but its pronouncements of being a “capable data custodian proved false.” Radius used “inadequate data security measures that it knew, or should have known, put the highly sensitive data they oversaw at significant risk of theft by or exposure to nefarious parties,” the complaint said. Plaintiffs and class members are at continued risk of harm due to the exposure and potential misuse of their sensitive personal information (SPI) by criminals, it said. Due to Radius’ “needless delay” in disclosing the data breach to the U.S. Department of Health and Human Services, on or about Aug. 4, plaintiff’s and class members’ data “had been acquired by cybercriminals,” and they “could not take remedial steps to protect their credit and accounts from malicious actors -- until months after the Data Breach occurred,” said the complaint. The defendant offered “little to no remedial measures” to Smith or class members “to protect their personal information and credit going forward,” the complaint said. Though Radius offered two years of identity monitoring and protection services, the “time-limited monitoring is inadequate given that Defendant’s victims are likely to face many years of identity theft,” the complaint said. 
The company urged them to check credit reports and place fraud alerts or freezes on their account and to “educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information,” it said. A notice on the Radius website says it learned June 1 "of a vulnerability in the MOVEit web transfer application that Radius, along with several thousand other companies and government agencies," uses for transferring documents. When it learned cybercriminals exploited the vulnerability, Radius "immediately investigated its MOVEit database to assess its security and to identify any documents that may have been accessed by unauthorized actors," the company said. After determining some documents were accessed, it did a "comprehensive review of the impacted files to determine what information was present in the impacted files, to whom the information related, and contact information for applicable individuals," it said. Radius "then worked with its clients to notify individuals whose information was present in the files accessible to the unauthorized actors" due to the data breach. The company "promptly reviewed the identified documents" so it could notify "relevant individuals," and it continues to implement "necessary patching and measures to secure the MOVEit database as we learn new information," it said. Plaintiff Smith suffered “actual injury” from having his SPI exposed or stolen as a result of the data breach, including mitigation efforts to ensure his accounts weren’t being used for identity theft and fraud; changing passwords for accounts; damages to the value of his SPI; loss of privacy; and “impending injury” from the increased risk of identity fraud and theft, the complaint said. Smith claims negligence and unjust enrichment. He seeks awards of damages with pre- and post-judgment interest, injunctive relief and attorneys’ fees and costs.
FullStory “failed to take steps” to prevent Hey Favor from using its software in a way that wouldn't collect sensitive health information, said plaintiff Jane Doe's opposition Friday (docket 3:23-cv-00059) to FullStory’s motion to dismiss a privacy case in U.S. District Court for Northern California in San Francisco. Doe's January suit alleged Hey Favor knowingly and intentionally sent personally identifiable information about her medical history to Meta, TikTok and analytics company FullStory. Doe dismissed all claims against Hey Favor in July (see 2308010066); the healthcare platform filed for Chapter 11 bankruptcy protection in April. Claims remain against Meta, TikTok and FullStory. Whether the actions were intentional is a question of fact not appropriate for determination on a motion to dismiss, said the filing. The defendant’s argument that its session replay software on the Favor platform is “not a device” is “illogical,” said the opposition, citing In re Meta Pixel Healthcare Litigation, in which the court agreed Pixel software is a device under section 632(a) of the California Invasion of Privacy Act. Doe alleges “FullStory designed and created its session replay software for the very purposes of intercepting the contents of users’ communications with websites and apps” and provided the software to Favor to incorporate on its platform. Once FullStory intercepts the data, “it uses it to provide analytics services to its clients such as Favor,” said Doe: “There is no question this conduct is intentional.” Courts “consistently recognize that individuals have a reasonable expectation of privacy in their medical information input on websites or apps that incorporate tracking technologies,” said the opposition, citing Doe v. Regents of the University of California. “FullStory intercepted health data and prescription requests she entered into the Favor Platform,” the opposition said.
FullStory’s characterization of the data at issue as “innocent ‘online activity’ or ‘unspecified movements on a website’ is a red herring,” said Doe. The case involves her communications with a telemedicine company that prescribes and provides reproductive health related items, “not generic ‘online activity,’” it said. The court should allow Doe’s unjust enrichment claims to go forward, in addition to her wiretapping claims, as it did in In re Meta Pixel Healthcare Litigation, it said.
IBM, a defendant with Progress Software Corp. (PSC) in a class action brought by plaintiff Kimberlee Daniels involving the May MOVEit file transfer software data breach, moved for an order staying the action, after the U.S. Judicial Panel on Multidistrict Litigation’s Oct. 4 transfer order for In re: MOVEit Customer Data Security Breach Litigation, said its Wednesday motion (docket 1:23-cv-12010) in U.S. District Court for Massachusetts in Boston. Plaintiff and defendants don’t oppose the instant request for a 30-day stay, it said. The JPML’s Oct. 4 order granted, in part, a transfer motion for centralization of related actions for coordinated pretrial proceedings in the Massachusetts federal court before U.S. District Judge Allison Burroughs, and parties in Daniels anticipate this case, along with others pending in the district involving the MOVEit incident, will be consolidated with the cases already transferred to Burroughs in conditional transfer order 1 (CTO-1), it said. The District of Massachusetts has stayed four other matters involving the MOVEit breach, which were reassigned according to the JPML’s transfer order: Diggs v. Progress Software Corp., Pipes v. Ipswitch, Tenner v. Progress Software and Anastasio v. Progress Software. On Tuesday, U.S. District Judge Nathaniel Gorton for Massachusetts endorsed (docket 1:23-cv-12015) PSC’s unopposed motion to stay a ruling on Prudential’s motion to sever and transfer the venue of claims against the insurer in a MOVEit class action filed by plaintiff Christopher Arden, which names PSC, Prudential and Pension Benefit Information as defendants.
U.S. District Judge Yvonne Gonzalez Rogers for Northern California in Oakland scheduled a status videoconference Friday at 9 a.m. in the website wiretap case against Google, said a text-only clerk’s notice Tuesday (docket 4:20-cv-03664). Plaintiffs Chasom Brown, Maria Nguyen and William Byatt allege Google tracks and collects consumer browsing history and other web activity data regardless of what safeguards consumers use to protect their privacy, including when they activate Google’s recommended “private browsing mode.”
An additional medical privacy complaint should be added to In Re Meta Pixel Healthcare Litigation, said a joint administrative motion Tuesday (docket 3:23-cv-04821) to consider whether Dianna Williams, et al. v. Meta Platforms should be related to the consolidated Meta Pixel action. The Williams case transferred to U.S. District Court for Northern California in San Francisco Sept. 20, and its claims and allegations against Meta concerning the technology, Meta’s allegedly wrongful conduct and the category of developers that installed Meta Pixel on their websites -- healthcare entities -- overlap with the consolidated action, it said. Williams alleges Meta received sensitive health information through the Meta Pixel tracking tool that’s integrated into the web properties of healthcare providers. Williams plaintiffs, who are Facebook account holders, are part of the consolidated action’s putative class, said the filing. The court in October 2022 granted a motion to consolidate four related cases.
The plaintiff in a privacy class action against Coinbase filed a proposed order granting Coinbase’s motion to stay proceedings pending arbitration, after the parties were unable to reach agreement on the language of a proposed order, said a Wednesday notice (docket 3:23-cv-02123) in U.S. District Court for Northern California in San Francisco. Plaintiff Michael Massel’s May complaint alleges Coinbase's requirement that users upload pictures of a valid identification card and a “selfie” violates the Illinois Biometric Information Privacy Act.
Progress Software Corp. (PSC) seeks an order staying a ruling on Prudential’s motion to sever and transfer claims against it, after the U.S. Judicial Panel on Multidistrict Litigation’s Wednesday order transferring and centralizing all actions involving PSC’s May MOVEit data breach in the District of Massachusetts, and those pending outside the district, to Massachusetts federal court (see 2310050030). PSC, Prudential and Pension Benefit Information are defendants in an Aug. 30 negligence and breach of contract class action brought by plaintiff Christopher Arden. In light of the transfer order and a forthcoming conditional transfer order, Prudential’s motion to sever is “premature and not ripe” for court review, said PSC's Thursday unopposed motion (docket 1:23-cv-12015) in U.S. District Court for Massachusetts in Boston. PSC asked the court to stay a ruling on Prudential’s motion, and, if the JPML vacates the CTO and remands the action to Massachusetts District Court, to grant to PSC three weeks from that ruling to file a response. Arden's action is one of over 100 subject to the motion for transfer of actions for centralized pretrial proceedings before the JPML, said the motion.