Rah-Nita Boykin, who filed a negligence class action (docket 1:24-cv-02973) against AT&T April 12 in U.S. District Court for Northern Illinois, supports transfer and consolidation of related actions in In re: AT&T Inc. Customer Data Security Breach Litigation to the Northern District of Texas in Dallas, said her interested party response (docket 3114) Thursday before the Judicial Panel on Multidistrict Litigation. Alternatively, the Country Club Hills, Illinois, resident supports transfer to the Northern District of Illinois in Chicago, the response said. Boykin agrees that the related actions involve one or more common questions of fact, that transferring the cases would serve “the convenience of parties and witnesses,” and that transferring the cases will “promote the just and efficient conduct of such actions,” meeting the criteria of 28 U.S.C. section 1407(a). Each of the related actions concerns “alleged failures” by AT&T resulting in a data breach affecting more than 73 million current and former AT&T customers, the response said. Because the related actions comprise overlapping putative nationwide classes, “no efficiencies will be gained by litigating these claims in multiple forums." Boykin referenced the group of plaintiffs supporting centralization in the Northern District of Georgia, on the basis that the breach largely involves Atlanta-based AT&T Mobility, and cited the carrier's response from Paula Phillips, director-legal administrator of AT&T Services: that “(1) AT&T’s investigation indicates less than 5% of potentially impacted customers are wireless customers; (2) AT&T incident response is based in Dallas; and (3) relevant witnesses for AT&T are located in Dallas.” While some evidence may be located out of the Northern Texas district, the company’s supplemental information “makes clear that much of the evidence subject to discovery will be found at AT&T’s headquarters,” said the response. Chicago federal court would be a “suitable alternative” to the Dallas court because it is also a “convenient and readily accessible location for all counsel and witnesses given its central location and large airports,” the response said. The Northern District of Illinois also has a “faster median time from filing to disposition compared to the Northern District of Texas,” it said. While many AT&T employees and records are located in Dallas, “the distance is easily overcome through the use of Zoom or other telecommunications platforms in today’s modern era of litigation,” said the filing.
The Gap used a hidden embedded tracking system to collect, obtain and track the time and place where Ivonne Carbajal and other Arizona consumers opened the clothing retailer’s marketing emails, alleged Carbajal’s class action Tuesday (docket 2:24-cv-01056) in U.S. District Court for Arizona. The tracking system was provided by co-defendant PaeDae, doing business as Gimbal, and operating as Infillion, said the complaint. The system also enabled The Gap to discern the average read time of an email, the number of times an email was opened and whether an email was printed or forwarded, said the complaint. It enabled the retailer to learn the type of device a recipient used to access the email, it said. The Gap uses Infillion’s hidden embedded email tracking pixels to monitor the behavior of Carbajal and that of other Arizona residents, it said. Infillion obtains, stores and uses the collected data and communication service records “to paint a uniquely identifiable detailed picture” of consumers’ interests “to create targeted advertising campaigns for The Gap,” it said. The Maricopa County resident’s claims are brought under Arizona’s Telephone, Utility and Communication Service Records Act, which prohibits a person from knowingly obtaining a communication service record of any Arizona resident without the authorization of the person to whom the record pertains or by fraudulent, deceptive or false means, said the complaint. The Gap and Infillion never received consent from Carbajal and the class members to collect and track their communication service records, and they used "deceptive means" to collect and track those records, it said.
The plaintiffs in two class actions against AT&T involving the recently disclosed release of customer data sets on the dark web (see 2404010019) filed an interested party response Tuesday (docket 3114) before the Judicial Panel on Multidistrict Litigation in support of movant Alex Petroski’s May 2 motion for centralization and transfer of related actions to U.S. District Court for Northern Texas in Dallas. David Vita, Charles Fairchild, Daniel Mariscal and Faith Brown in Vita et al. v. AT&T, Inc. (docket 5:24-cv-02356), in U.S. District Court for Northern California, and Jeryl Luciani, Courtney Garner and Michael Crain in Garner et al. v. AT&T, Inc. (docket 3:24-cv-00962) in Dallas federal court, cited Section 1407 of U.S. Code 28 that permits transfer and centralization of cases pending in different districts and involving “one or more common questions of fact,” if the panel determines that transfer and centralization will further “the convenience of parties and witnesses and will promote the just and efficient conduct of such actions.” Especially worth noting, the response said, is that “there is no evidence to suggest that AT&T’s operations in Georgia, which are predominantly the operations of AT&T’s cellular telephone service, AT&T Mobility, play an important role in this case. Rather, this data breach affects AT&T customers across the broad spectrum of AT&T’s telecommunication offerings, including landline service, internet service and television service,” the response said. Many plaintiffs in the AT&T action, including plaintiffs in the Vita and Garner actions, didn't have AT&T Mobility accounts, yet the company notified them that their personally identifiable information was compromised in the breach, said the response. “As AT&T made clear in its argument to the Panel, 'the Georgia proponents’ conjecture that AT&T Mobility Customers comprise the majority of impacted individuals is wrong'” (see 2405030065), the response said, referencing a group of plaintiffs who want the transferee venue to be the Northern District of Georgia. The Northern District of Texas is the “most appropriate and convenient venue for transfer and centralization of the related and any tag-along actions because relevant witnesses, databases, documents, and other evidence are likely located there," said the plaintiffs. At the time of the response filing, at least 33 of 46 cases filed were pending in the Dallas court, and the Northern District of Texas is easily accessible from two major commercial airports, the response said.
Actor-comedian Deon Cole continues to suffer “severe and prolonged emotional distress” after he caught an Amazon Fresh delivery driver taking photos inside his Los Angeles home from his front doorstep and sharing the photos in a group chat, alleged Cole’s negligence and privacy complaint March 28 in Los Angeles County Superior Court, removed Friday (docket 2:24-cv-03709) to U.S. District Court for Central California in Los Angeles. Cole was caught off guard when he went to retrieve his ID at the driver’s request, said the complaint. When Cole complained to Amazon about the driver’s behavior, he was told that photos are taken only when packages are left unattended and are only meant to capture the placement of the package, it said. Amazon also told him that photos are never sent to an individual person within the company but are uploaded to an app to notify customers of the location of their packages after delivery when left unattended, it said. The incident, in conjunction with Amazon’s response, has left Cole “troubled and in constant distress” over his safety in the privacy of his home, it said. The plaintiff’s level of distress was heightened “because of his well-known celebrity status as an actor and comedian,” said the complaint. Cole had a “reasonable fear” of being targeted in a future home invasion, it said. The complaint alleges that Amazon “failed to conduct any criminal background check” on the driver who delivered groceries to his home, it said.
U.S. District Judge William Orrick for Northern California in San Francisco rescheduled for June 5 at 2 p.m. PDT a case management conference and motion hearing on FullStory’s April 2 motion to dismiss Jane Doe’s third amended privacy complaint (see 2404250017), said a text-only clerk’s order Thursday (docket 3:23-cv-00059). Doe’s January 2023 class action alleged Meta and TikTok, via their Pixel tracking codes, intercepted confidential healthcare information from her communications with Hey Favor, an online women-focused telehealth firm that delivered birth control. The plaintiff alleged Hey Favor knowingly and intentionally sent personally identifiable information about her and class members' medical history to Meta, TikTok and data analytics firm FullStory. Hey Favor rebranded as The Pill Club in January 2023 following a trademark lawsuit and then filed for Chapter 11 bankruptcy in April 2023, triggering a stay in the class action. In July, Doe voluntarily dismissed all claims vs. Hey Favor, following a June motion to lift the stay in which she said the action will exist against “advertising and analytics defendants” Meta, TikTok and FullStory, as if she had never named Hey Favor in the first place (see 2308010066).
The Federal Trade Commission finalized a settlement with data aggregator InMarket Media over allegations the company unlawfully collected and used consumers’ location data for advertising and marketing, said an agency news release Wednesday. InMarket is barred from selling, sharing or licensing any precise location data and any product or service that categorizes or targets consumers based on location data, said the order. Other provisions require the company to delete or destroy all the location data it previously collected and any products produced from the data unless it obtains consumer consent or ensures the data has been deidentified. InMarket also must provide a "simple and easy-to-find way" for consumers to withdraw their consent for the collection and use of their location data for InMarket apps and a mechanism to request deletion of any location data that InMarket previously collected; it is also required to create a sensitive location data program and privacy program. After receiving one comment, the commission voted 3-0-2 to finalize the settlement, said the release. Commissioners Melissa Holyoak and Andrew Ferguson didn’t vote on the matter.
Plaintiff Natalie Ebneshahidi voluntarily dismissed her class action against Johns Hopkins University and Johns Hopkins Health System involving the May 2023 MOVEit data breach, said her notice (docket 3083) Monday in U.S. District Court for Massachusetts in Boston. Ebneshahidi’s Sept. 18 class action alleged her personally identifiable and personal health information were compromised due to Johns Hopkins’ inadequate safeguarding of her private information.
U.S. District Judge Nicholas Garaufis for Eastern New York in Brooklyn granted the American Bar Association’s Nov. 21 motion to dismiss Tiffany Troy and Eric Mata's amended complaint arising from the March 2023 data breach that exposed the records of 1.4 million ABA members (see 2311220034), said the judge’s signed memorandum and order Tuesday (docket 1:23-cv-03053). The judge dismissed the case in its entirety for failure to state a claim under Rule 12(b)(6), it said. While the plaintiffs sufficiently alleged that an implied contract exists between them and the ABA, their claim still fails because the plaintiffs don’t allege how ABA has breached that contract, said the memorandum and order. Troy and Mata specifically fail to identify which commercially reasonable security measures that ABA didn’t implement to protect their data, it said: “Instead, they assume that ABA's practice of using hashed and salted passwords was inadequate and thus violative of industry-standard security measures.” The plaintiffs argue that the process of using hashed and salted passwords, coupled with the defunding and mismanaging of the department that implements data security measures, indicates a failure to implement commercially reasonable security measures that constitute a breach of the implied agreement, said the memorandum and order. But the court disagrees “that this sole allegation concerning the handling of personal information is sufficient to state a claim that industry practices were not followed,” it said. Absent allegations identifying the security measures ABA purportedly failed to implement, the plaintiffs “cannot sustain their breach of implied contract claim,” it said.
Walmart’s “unlawful collection,” storage and use of its employees’ biometric data “exposes them to serious and irreversible privacy risks,” alleged Joann Davis’ privacy class action Thursday (docket 1:24-cv-03373) in U.S. District Court for Northern Illinois in Chicago. If Walmart’s database containing its employees’ fingerprint scans is hacked, breached or otherwise exposed, employees “have no means by which to prevent identity theft, unauthorized tracking or other unlawful or improper use of this highly personal and private information,” said the complaint. As an employee of the Silvis, Illinois, Walmart Davis was required when clocking into and out of her daily shift, including any lunch breaks, to have her fingerprint scanned, said her complaint. Illinois enacted the Biometric Information Protection Act “to protect residents' privacy interests in their biometric data,” it said. Courts “analogize an individual's privacy interest in their unique biometric data to their interest in protecting their private domain from invasion, such as from trespass,” it said. Walmart “has collected and stored the fingerprint of each employee who was required to use the fingerprint scanning technology as part of Walmart’s timeclock procedure,” said the complaint. Each fingerprint scan the retailer extracts “is unique to a particular individual in the same way that facial geometry or voiceprint uniquely identifies a particular individual,” it said. The suit seeks a declaration that Walmart has violated the BIPA, plus statutory damages of $5,000 for those “intentional and reckless” violations.
The hearing on the plaintiffs’ motion for final approval of a class-action settlement in a privacy case vs. Google has been rescheduled for Aug. 7, said a signed joint stipulation and order (docket 4:20-cv-03664) by U.S. District Judge Yvonne Gonzalez Rogers for Northern California in Oakland. Google requested that the hearing take place a week later than the original July 30 date, and the plaintiffs didn't oppose, said the Tuesday order. Class-action plaintiffs Chasom Brown, William Byatt, Jeremy Davis, Christopher Castillo and Monique Trujillo alleged in their March 2 fourth amended complaint that Google engages in “surreptitious interception and collection” of personal and sensitive user data while users are in a private browsing mode, and does this without “disclosure or consent (see 2304140026).” The deadline for Google to file opposition to plaintiffs’ fee motion for an award of attorneys’ fees, costs and service awards is June 7, with plaintiffs’ reply in support of their fee motion slated for June 21, said the order.