Equifax reached a settlement with pro se plaintiff Venton Smith, who sued over 20 credit reporting agencies, banks and retailers in a June privacy lawsuit involving the 2019 Capital One data breach, said a Thursday notice (docket 3:23-cv-02804) in U.S. District Court for Northern California in San Francisco. Smith claimed that as a result of the breach, in which an Amazon Web Services employee stole data affecting about 106 million customers, at least 12 of his accounts were fraudulently accessed to buy unknown merchandise. Fraudulent purchases using Smith's accounts for American Express, Best Buy, Capital One, Chase, Citibank, Macy’s and Nordstrom totaled $92,300 in loans, merchandise and products, he said. Equifax and Smith are in the process of consummating terms of the settlement agreement and filing a dismissal with prejudice for Equifax, said the Thursday notice. Smith’s claims against the remaining defendants remain before the court. Equifax requested that the court retain jurisdiction for matters related to completing and enforcing the settlement. On Tuesday, credit reporting agency TransUnion said Smith's complaint failed to state a claim upon which relief may be granted and his claims are barred by the applicable statute of limitations (see 2307130055. Smith failed to take reasonable steps to mitigate damages, and any damages he suffered are the result of acts or omissions he committed, said TransUnion's response.

Cybercriminals were able to “roam freely” in Onix’s computer systems during a March 20-27 data breach, alleges former Onix employee Angela Haynie in a Thursday privacy class action (docket 2:23-cv-02689) in U.S. District Court for Eastern Pennsylvania in Philadelphia. Onix failed to protect plaintiff and the putative classes’ personally identifiable (PII) and personal health information (PHI), and failed to mitigate the harms of the breach, said the complaint. “Rather than immediately accepting responsibility” and warning plaintiff about the risks of her PII and PHI being stolen, Onix “opted to bury its head in the sand,” informing victims of the breach two months later, around May 26, it said. Onix’s “negligent conduct” is “illuminated further” by the fact that Haynie, a Newark, Delaware resident, is a former Onix employee who has not worked at the company for several years, said the complaint. “This means that Defendant also maintains an inadequate data deletion schedule,” because there is no reason why Onix should still be in possession of Haynie's PII and PHI, said the complaint. Haynie cited “glaring omissions” in the May letter, including whether Onix paid the ransomware demand in the data breach, leaving victims no way of knowing whether their data is still in Onix’s custody or control. Onix didn’t explain how long the investigation took or whether it knew immediately that PII and PHI had been compromised. The company also didn’t disclose remedial measures being taken to ensure the protection of PII and PHI still in its custody, the complaint said. The 12 months of identity theft monitoring services Onix offered victims of the data breach “fails to touch upon any true future harms,” said the complaint. Plaintiff and class members will need credit and identity theft monitoring for a minimum of five years to protect their identities due to the breach, the complaint said. The retail cost of such monitoring can run about $200 a year per class member; the costs are “reasonable and necessary” to protect class members from the risk of identity theft, it said. Haynie claims violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law, negligence and unjust enrichment; she seeks awards of actual, compensatory, statutory and nominal damages; statutory penalties; equitable and injunctive relief; and attorneys’ fees and costs.

A dispute over alleged unlawful access of a customer’s cellphone SIM card “should have been brought in arbitration in the first instance,” said counsel Rebecca Tingey of Davis Wright for T-Mobile in a Thursday letter (docket 1:23-cv-05206) requesting a pre-motion conference on the carrier’s motion to compel arbitration in U.S. District Court for Eastern New York in Brooklyn. Plaintiff Benjamin Kyle opposes the motion. Kyle sued T-Mobile and T-Mobile store employees Silvia Hernandez and Emma Nodine this month (see 2307070024), alleging a T-Mobile data breach enabled the two employees to unlawfully access his cellphone’s SIM card with his financial information, social security number and over $30,000 in funds from his Coinbase cryptocurrency account. T-Mobile maintains Kyle agreed to its terms and conditions, including an agreement to arbitrate claims about T-Mobile services. The court should compel Kyle’s claims to arbitration and stay the action pending arbitration, Tingey said. T-Mobile’s deadline to respond to the complaint was seven days after its removal from New York Supreme Court July 7.

Plaintiff Venton Smith’s privacy claims are preempted by the Fair Credit Reporting Act, said defendant TransUnion Tuesday, responding (docket 3:23-cv-02804) to a June lawsuit against it, Amazon and over 20 credit reporting agencies, banks and retailers in U.S. District Court for Northern California in San Francisco. Smith claimed in his pro se suit (see 2306120045) involving the 2019 Capital One data breach, in which an Amazon Web Services employee stole data affecting about 106 million customers, that at least 12 of his accounts were fraudulently accessed to buy unknown merchandise. Fraudulent purchases using Smiths accounts for American Express, Best Buy, Capital One, Chase, Citibank, Macy’s and Nordstrom totaled $92,300 in loans, merchandise and products, he said. Despite receiving identity theft and fraudulent activity police reports, credit reporting agencies and furnisher defendants continued adversely reporting identity theft and fraud on Smith’s credit profile, alleged the complaint, and furnisher defendants “failed to conduct a reasonable reinvestigation” into disputed information to consumer reporting agencies they “knew or should have known was inaccurate.” In its Tuesday response, credit reporting agency TransUnion said Smith and retailers are barred by the theories of estoppel, waiver and laches. Smith failed to state a claim upon which relief may be granted and his claims are barred by the applicable statute of limitations, it said. TransUnion’s reports concerning Smith were “true or substantially true,” and the reporting agency “at all times followed reasonable procedures to assure maximum possible accuracy” of its credit reports concerning him. Smith failed to take reasonable steps to mitigate damages, and any damages he suffered are the result of acts or omissions he committed, said the response. Smith’s claim of exemplary and punitive damages violates TransUnion’s rights under due process and excessive fines clauses of the Fifth, Sixth, Eighth and 14th amendments, plus those of state constitutions, it said.

Plaintiffs Thomas Jones and Leah Simione support a motion to consolidate their action against Onix Group, said their supplemental briefing Wednesday (docket 2:23-cv-02621) in U.S. District Court for Eastern Pennsylvania in Philadelphia. Jones and Simione agree the privacy cases against Onix for a data breach in its healthcare business involve common questions of law and fact, and consolidation would simplify discovery, pretrial motions and class certification issues, said the brief. They also support the appointment of Benjamin Johns of Shub & Johns and Gary Klinger of Milberg Coleman as interim co-lead class counsel. The fraud complaints against Onix allege the company failed to secure and safeguard about 320,000 individuals’ personally identifiable information and personal health information during a March data breach in its healthcare business (see 2307100027). Plaintiffs Eric Meyers, Donald Owens and Aida Wimbush informed the court Wednesday they're moving to consolidate the related actions.

A March data breach at PharMerica led to “concrete injuries” for some 5.8 million customers, alleges a Tuesday privacy class action (docket 3:23-cv-00353) against the pharmacy services company in U.S. District Court for Western Kentucky in Louisville. Plaintiff Frank Raney of Port Bolivar, Texas, alleges the data breach at PharMerica resulted in his personally identifiable information (PII) being disseminated on the dark web; an increase in spam calls, texts and emails; lost or diminished value of his PII; lost opportunity costs and time from attempting to mitigate consequences of the breach; invasion of privacy; loss of benefit of bargain; and continued risk to his PII, which “remains unencrypted and available for unauthorized third parties to access and abuse.” Raney’s PII “remains backed up” in PharMerica’s possession and is subject to further unauthorized disclosures as long as the company fails to undertake appropriate and adequate measures to protect it, alleges the complaint. An undated and untitled notification letter is listed on the Maine attorney general’s website with May 12 and June 8 consumer notification dates. The letter informs unspecified recipients that their PII “may have been obtained” from their systems due to “suspicious activity” on PharMerica’s computer network. On March 21, the company determined that the data contained “your name, address, date of birth, Social Security number, medications and health insurance information.” PharMerica’s offer of 12 months of identity monitoring services “is wholly inadequate” to compensate Raney and class members who face “multiple years of ongoing identity theft, medical and financial fraud” as a result of the breach, said the complaint. The lawsuit claims negligence, breach of implied contract and fiduciary duty, and unjust enrichment. Plaintiff seeks an order enjoining PharMerica from engaging in wrongful conduct. He also seeks equitable relief requiring the company to use appropriate methods for data collection, encryption and safety; to establish a data protection program; restitution and disgorgement of revenue wrongfully gained; 10 years of credit monitoring services for plaintiffs and the class; awards of actual, compensatory, statutory and punitive damages; and attorneys’ fees and costs.

Tonal Systems removed to U.S. District Court for Southern California in San Diego a June 1 class action filed in California Superior Court in which plaintiff Julie Jones alleges the maker of home gym equipment violated the California Invasion of Privacy Act (CIPA) and the state’s Unfair Competition Law, said its notice of removal Friday (docket 3:23-cv-01267). Jones’ claims arise from Tonal’s integration of third parties' software to “secretly wiretap and eavesdrop on the private conversations of users of the chat features on Tonal’s website in real time,” said her complaint. She also seeks to hold Tonal liable for its practice of allowing third parties “to harvest data for financial gain,” it said. Tonal didn’t obtain website visitors' consent “to either the wiretapping or sharing of their private conversations,” it said. As a result, Tonal and the third parties “violated the CIPA in numerous ways,” it said. Tonal disputes Jones’ allegations and that it’s liable to her or the members of her proposed class, said the notice removal. “Tonal specifically reserves all rights to challenge the Complaint on all available grounds,” it said.

Plaintiff Venton Smith didn't opt out of the settlement in Capital One Consumer Data Security Breach Litigation, making his claims against defendants Capital One and Amazon “barred,” said defendants’ memorandum (docket 3:23-cv-02804) of points and authorities Friday in U.S. District Court for Northern California in San Francisco. Jones is a member of the settlement class the Eastern District of U.S. certified in connection with its approval of a class-wide settlement in the case, meaning his claims are “fully encompassed by the settlement” and should be dismissed, said defendants. If the court declines to dismiss Capital One and Amazon from the action, it should transfer the case to U.S. District Court for Eastern Virginia, they said. San Francisco resident Smith sued the defendants last month, alleging his personally identifiable information was exposed in the 2019 Capital One data breach in which an Amazon Web Services employee stole data affecting about 106 million customers. Smith is suing over 20 merchants, banks and credit reporting agencies in his per se suit (see [Ref:2306120045).

Defendant Match Group and its affiliated dating websites, via their June 15 motion to reconsider (see 2306160044), ask U.S. District Judge Manish Shah for Northern Illinois in Chicago to abandon “a well-reasoned decision because they regret the result of their own litigation decisions,” said plaintiff Marcus Baker’s opposition Thursday (docket 1:22-cv-06924). Match Group’s motion asserts Shah’s May 31 ruling denying its motion to dismiss erred by deciding the issue of small claims court jurisdiction instead of leaving it for the small claims court to decide. It also contends Shah mistakenly ruled small claims courts lack jurisdiction over Baker’s claims. The defendants seek reconsideration of Shah’s “correctly decided” order, “neither on the basis of newly discovered facts nor because the controlling law has changed,” said Baker’s opposition. They instead contend the court committed a “manifest error of law” because it failed to account for arguments the defendants could have made, “but knowingly elected not to make, in support of their original motion” to dismiss,” it said. Their dissatisfaction with the result of their motion, and their “belated presentment of arguments” they failed to include in their original motion aren’t valid bases for reconsideration, it said, so the motion for reconsideration should be denied. Baker alleges Match Group and its affiliated dating websites collect, analyze and use unique biometric identifiers associated with people’s faces in photos uploaded to their apps and websites without disclosing or acknowledging the collection or requesting consent.

U.S. District Judge Marilyn Horan for Western Pennsylvania in Pittsburgh granted the parties’ joint motion to consolidate three privacy class actions against Spirit Airlines, said her signed order Wednesday. All further filings are to be made under the first-filed action, Smidga v. Spirit Airlines (docket 2:22-cv-01578), her order said. The plaintiffs in the three class actions are to file a consolidated amended complaint by Aug. 22, with Spirit to file an answer 45 days later, it said. Spirit’s pending motions to dismiss for lack of jurisdiction and for failure to state a claim are denied as moot in light of the “forthcoming filing” of the consolidated amended complaint, said the order. Spirit is alleged to have recorded the electronic communications of visitors to its website in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (see 2305310045).