The parties in a data breach lawsuit are negotiating a proposed settlement to be submitted for review by the court but believe the assistance of a mediator is necessary to finalize agreed terms of a May class action, said defendant Squishable’s unopposed request (docket 1:23-cv-03660) for adjournment and referral to the mediation program Wednesday in U.S. District Court for Southern New York in Manhattan. Squishable has a Wednesday deadline to answer or otherwise respond to the May complaint, which alleges the toy maker allowed a third party to capture information on the checkout page as e-commerce customers made purchases. Plaintiff Christine Borovoy claims negligence, unjust enrichment, breach of contract, invasion of privacy and violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act and seeks actual, nominal, consequential and punitive damages. Squishable notified customers March 2 that their personal identifiable information was compromised in a data breach May 26-Oct. 12, 2022. The parties ask the court to adjourn all present and anticipated deadlines for 60 days to allow them to finalize settlement efforts with a mediator.

The plaintiffs’ arguments of injury arising from the February data breach “perpetuated” against AudienceView Ticketing (see 2307260019) “are wholly unsupported by the facts,” and their consolidated complaints “must be dismissed for lack of standing,” said AudienceView’s memorandum of law Monday (docket 1:23-cv-03764) in U.S. District Court for Southern New York in Manhattan in support of its motion to dismiss. Despite the “limited nature of the information potentially impacted” in the data breach, the plaintiffs claim “they are at an imminent risk of identity theft,” said AudienceView. They also allege “a litany of damages,” including invasion of privacy, financial costs, loss of time and productivity, loss of benefit of the bargain and continued risk to their personal identifiable information, it said. One of the plaintiffs, Richard Toledo, “purports to allege that there were fraudulent charges on his credit card” as a result of the data breach, but the allegations in the complaint “make clear that such an allegation is entirely implausible and, indeed, impossible,” it said: “These allegations are woefully insufficient to confer standing.”

U.S. District Judge George Russell granted defendants Johns Hopkins Health System and Johns Hopkins University their unopposed second motion to stay a deadline to respond to a negligence class action involving the MOVEit data breach, said his Friday order (docket (docket 1:23-cv-01826) in U.S. District Court for Maryland in Baltimore. Plaintiff Pamela Hunter sued the Johns Hopkins defendants in July, alleging they disregarded her rights by intentionally, recklessly or negligently failing to take and implement adequate and reasonable measures to ensure her personal health information was safeguarded. The defendants failed to take available steps to prevent unauthorized disclosure of data and failed to follow required and appropriate protocols, policies and procedures for data encryption resulting from the May MOVEit data breach, Hunter alleged. In another class action involving the MOVEit data breach, plaintiff “John Doe” and defendants Pension Benefit Information (PBI) and Progress Software Corp. (PSC), jointly moved (docket 3:23-cv-01610) Friday to stay proceedings pending the U.S. Judicial Panel on Multidistrict Litigation’s ruling on a July 7 motion by plaintiff Bruce Bailey for transfer and centralization of related MOVEit actions currently before the panel. PBI hasn't filed a responsive pleading to Doe’s Aug. 31 complaint; it's due Nov. 6. On Sept. 25, PBI filed its own third-party complaint against PSC. At the time of the Doe filing, 100 similar actions involving the MOVEit breach had begun in 22 U.S. District Courts, it said. Bailey’s transfer motion requests that the JPML transfer certain actions to U.S. District Court for Minnesota for coordinated pretrial proceeding, including the Doe case. The JPML held a hearing on Bailey's transfer motion Sept. 28. Based on the pendency of that motion, the parties in the Doe case request that the court stay the action until 30 days after entry of the JPML’s final determination of the transfer motion.

It’s evident from plaintiff Julie Jones’ complaint and Tonal Systems’ motion to dismiss (see 2308300028) that the parties “have been tracking the numerous cases filed” concerning similarly alleged violations of the California Invasion of Privacy Act (CIPA) in California courts over the past two years, said Jones’ opposition to Tonal’s motion to dismiss. All the cases specifically involve companies “employing a third party to secretly record private conversations with their website visitors,” it said. In that context, defendant Tonal, a maker of home gym equipment, “predictably asserts arguments that have been variably successful at dismissing or delaying those cases, or requiring amendment to the pleadings,” said Jones’ opposition. But “a broader view” of the present dispute is warranted “to dispel Tonal’s oversimplification,” it said. Companies’ deployment of powerful, highly profitable, “privacy shattering” technology to secretly monitor the American public -- combined with a lack of federal law to address these issues -- “have left consumers with few options to abate the rapid erosion of their privacy,” it said. The conduct prohibited by laws like CIPA ultimately remains prohibited,” and the teeth of these laws remain necessarily sharp to protect consumers from unlawful invasions of privacy,” said Jones’ opposition. “The extent to which various plaintiffs have launched an array of similar lawsuits against companies for CIPA violations across various industries is but a small reflection of the vast and ubiquitous technological campaign that companies are waging to secretly absorb Americans’ highly profitable private information,” it said. “That is the context of this case.” Tonal’s arguments fail in support of its motion to dismiss, because the complaint demonstrates Jones “pled every fact necessary to show the unlawful conduct of Tonal under every claim she asserts,” it said. For these reasons, Tonal’s motion should be denied, it said.

The plaintiffs in the class action who allege CapCut, ByteDance’s videoediting app, collected, retained and disseminated their private and personally identifiable data and information in violation of various data privacy laws and consumer protections (see 2307300001), agreed not to serve the defendants “while the parties explore resolution of the case through mediation or otherwise,” said their joint case status report Wednesday (docket 1:23-cv-04953) in U.S. District Court for Northern Illinois in Chicago. Since the complaint was filed July 28, the parties “initiated discussions on whether they can resolve the case consensually,” said the report. The parties further agreed the three Singapore-based defendants that agreed to waive service will have 90 days, to Jan. 23, “to move to dismiss or otherwise respond to the complaint,” it said. During that time, the parties “will explore the possibility of an early resolution through mediation or otherwise,” it said. The plaintiffs demanded a jury trial, said the report. They anticipate a trial of these claims would last approximately one week, “but the estimated length may change based on discovery and other factors,” it said.

U.S. Magistrate Judge Eric Long for Central Illinois in Peoria entered a text order Tuesday (docket 1:23-cv-01050) accepting plaintiff Zachary Rohlfs’ May 1 unopposed notice of voluntary dismissal of his Video Privacy Protection Act claims against Nexstar Media. His order terminated the case. “All pending motions are denied as moot and all scheduled deadlines and court settings are vacated,” said the order. Rohlfs alleged in February that Nexstar, owner of WGNTV.com, violated the VPPA by obtaining or requesting specific video materials or services “from a video tape provider” without obtaining express consent in a stand-alone consent form (see 2302100028). He alleged Nexstar didn't disclose that it would share his personal viewing information with third parties such as Facebook when he opened his account, or when he watched WGNTV.com.

Plaintiff Matthew Hartz’s allegations that TaxAct violated congressional and IRS safeguards against the sharing of private tax return information with third parties when it transmitted sensitive personally identifiable information to Facebook and Google (see 2307170033) must be compelled to arbitration and his action stayed pending the outcome of that arbitration, said TaxAct’s memorandum of law Friday (docket 1:23-cv-04591) in U.S. District Court for Eastern Illinois in Chicago in support of its motion. Hartz can’t litigate his claims in the Eastern District of Illinois, said the memorandum. That’s because when Hartz used TaxAct’s tax preparation products and services, he agreed to do so under TaxAct’s standard terms and conditions of service, it said. Those terms require any disputes, including those at issue here, to be resolved by “confidential binding arbitration,” and that it be conducted on an individual, and not class-wide, basis, it said. The pertinent arbitration provisions also include “delegation clauses,” which delegate all issues aside from “contract formation” to the arbitrator, it said.

Meta doesn’t intend to waive its right to respond to a fraud complaint “at the appropriate time,” said counsel Stephanie Silvano of Gibson Dunn in a Thursday letter (docket 2:23-cv-13558) to the U.S. District Court of New Jersey in Newark involving a fraud complaint by a plaintiff who opted out of the $725 million settlement in re: Facebook, Inc., Consumer Privacy User Profile Litigation. Meta filed a letter Wednesday requesting an extension until Oct. 5 to give the U.S. Judicial Panel on Multidistrict Litigation time to finalize a conditional transfer order and transfer Aakash Dalal v. Meta Platforms, Inc. to the Northern District of California, where U.S. District Judge Vince Chhabria is overseeing other related actions for pre-trial proceedings.

Plaintiff Jane Doe’s May complaint challenging Kaiser Permanente's use of Microsoft session replay software should be dismissed for failure to plead a concrete injury sufficient to confer Article III standing, said Microsoft's Tuesday notice (docket 2:23-cv-00718) of supplemental authority in U.S. District Court for Western Washington in Seattle. Plaintiff Jane Doe didn’t consent to the collection of her personal information and alleged Microsoft and data analytics firm Qualtrics violated patients’ healthcare privacy rights on the Kaiser Permanente website by intercepting and collecting their personal data (see 2305160051). Microsoft cited a recent decision in Adams v. PSP Group, in which the U.S. District Court for Eastern Missouri ruled the plaintiff didn’t have standing to bring her claims in federal court and denied her motion to transfer. There, plaintiff Jill Adams alleged PSP unlawfully intercepted the electronic communications of visitors to its website, and PSP “directed third parties” to embed on its website Microsoft’s session replay code, which is then deployed on visitors’ internet browsers. The court granted Microsoft’s motion to dismiss for lack of subject matter jurisdiction. Federal courts are only authorized to hear cases or controversies that present actual imminent injury, which is caused by the named defendants, and can be redressed by a favorable decision, said the ruling. Adams bore the burden of demonstrating she suffered an injury in fact, that it was “fairly traceable” to defendant’s conduct and that it's “likely to be redressed by a favorable judicial decision," said the court's order.

Five tax preparation companies could face civil penalties if they use or disclose confidential data collected from consumers for other unrelated purposes, such as advertising, without obtaining their consent, said the agency Monday. Violators could incur civil penalties of up to $50,120 per instance if they misuse personal data in ways that aren't the original purpose for which the information was collected, the agency said. To remind tax preparers of the law, the FTC is using its penalty offense authority, which allows it to seek civil penalties against a company that engages in conduct it knows is unlawful and that has been found unlawful in a previous FTC administrative order, other than a consent order, it said. The notices detail practices found to be a violation of the FTC Act in a case against Beneficial Corp. in which the FTC found the company used information collected for tax preparation for unrelated loan solicitation purposes.