A lawsuit against Progress Software Corp. and Delta Dental is the lone class action transferred in conditional transfer order 37 (CTO-37) (docket 3083) to In Re: MOVEit Customer Data Security Breach Litigation in U.S. District Court for Massachusetts in Boston Monday. Shannon Harker’s March 25 negligence complaint alleges PSC and Delta Dental failed to provide timely notice of PSC’s May data breach in its MOVEit cloud hosting and file transfer service, which insurer Delta Dental used to transfer or store the sensitive information of its 45 million customers, said the complaint (docket 3:24-cv-01830). Though PSC claimed to have notified its customers immediately upon learning of the vulnerability on May 31, and both defendants “knew as early as July 6” that Delta Dental’s customers’ information was involved in the breach, they didn’t notify Delta customers of the breach until Jan. 12, said the complaint. Since the Judicial Panel on Multidistrict Litigation transferred five actions involving the MOVEit breach to the Massachusetts court, 218 additional actions have been transferred, said the order, which is stayed for seven days to allow any party to file a notice of opposition.
Amazon denies Sonia Sofer’s allegations that the company forced her to resign as a senior program manager after it began retaliating against her for filing whistleblower reports internally about its data collection practices involving the Astro home robot when the product was in beta testing in 2021 (see 2403130002), said the company’s answer Friday (docket 5:24-cv-01515) in U.S. District Court for Northern California in San Jose. Amazon is informed, and believes that further investigation and discovery will reveal, and on that basis alleges, that Sofer isn’t entitled to recover punitive or exemplary damages, said its answer. That’s because the plaintiff failed to state facts sufficient to state a claim for damages, it said. Amazon also committed no acts justifying an award of punitive or exemplary damages, it said. The company also didn’t supervise employees “with conscious disregard for the rights and/or safety of others,” it said. It also asserts that no officer, director or managing agent “committed, authorized or ratified any improper acts,” it said.
Wyteria Trimble, Stefanie Garcia and Olivia Georgiady dismissed without prejudice their negligence class action against Paycom Payroll, involving the Progress Software May MOVEit data breach, said the plaintiffs' notice (docket 5:24-cv-00154) of voluntary dismissal Thursday in U.S. District Court for Western Oklahoma in Oklahoma City. Trimble alleges in the Feb. 8 class action that following the MOVEit file transfer software data breach in May, an unknown user gained access to her Paycom account numerous times, changed her direct deposit information and stole her paychecks. Garcia said two days after she was supposed to receive her direct deposit, May 17, an unknown person accessed her Paycom account and changed her routing information, resulting in her direct deposit routing “to an unknown account.” An unknown user gained access to Georgiady’s Paycom account on May 28 and changed her direct deposit information, resulting in 90% of her May and June direct-deposit paychecks “being sent to an unknown account,” said the complaint. Paycom never informed the plaintiffs their accounts had been breached, the complaint said.
Charles Bezak’s negligence complaint vs. MGM over the resort company's September data breach has been consolidated with three others under lead case Owens v. MGM Resorts International (docket 2:23-cv-01480), said a text-only notice Monday in U.S. District Court for Nevada in Las Vegas. During the Sept. 11 data breach, cybercriminals shut down MGM's ATMs and slot machines, its website and online booking systems. Bezak asserts claims of negligence, breach of implied contract, unjust enrichment and violation of Nevada’s Consumer Fraud Act.
U.S. District Judge Tom Barber for Middle Florida in Tampa granted TelevisaUnivision Digital's motion to compel plaintiff Indira Falcon’s Video Privacy Protection Act claims to arbitration and to stay the case pending that arbitration's outcome, said Barber’s signed order Friday (docket 8:23-cv-02340). Falcon alleges that TelevisaUnivision violated the VPPA by disclosing her and other class members’ ViX.com viewing history to Facebook via a Meta tracking pixel embedded in the ViX.com website. Falcon opposes arbitration by arguing that she wasn’t on “inquiry notice” of the arbitration provision. But courts in the Middle District of Florida have “consistently found” that a statement informing a user that consenting to a set of hyperlinked terms “provides sufficient inquiry notice if the hyperlinks are conspicuously placed above the button that users must click to continue,” said Barber’s order. In Falcon’s case, the hyperlinks weren’t “buried” at the bottom of ViX’s webpage, it said. Users of the site, such as Falcon, therefore had “sufficient inquiry notice” that they were agreeing to the use agreement's terms, including its arbitration provision, by clicking “create account” and “subscribe,” it said.
Two dozen negligence class actions vs. Comcast and/or Citrix Systems pending in U.S. District Court for Eastern Pennsylvania in Philadelphia have been consolidated before U.S. District Judge John Younge pursuant to Federal Rule of Civil Procedure 42(a) for purposes of addressing common issues of law and fact prior to trial, said a signed order (docket 5:24-cv-01201) by U.S. District Judge Mitchell Goldberg Wednesday in consideration of the plaintiffs’ unopposed motion to consolidate. The cases involve Citrix’s October data breach in which the personally identifiable information of some 36 million Comcast customers was allegedly compromised. The case will be maintained under master docket 2:23-cv-05039, the order said. Any action subsequently filed, transferred or removed to the Pennsylvania court that arises out of the same or similar alleged facts as the consolidated action will be consolidated with the case for pretrial purposes, the order said.
A “mere risk of future harm” isn’t a concrete injury, and claims for diminished value of personally identifiable information (PII), mitigation expenses, lost time and actual misuse and theft of PII “are insufficient to establish an injury in fact,” said ESO Solutions' motion to dismiss (docket 1:23-cv-01557) a negligence class action Thursday in U.S. District Court for Western Texas in Austin. Essie Jones, one of about 2.7 million individuals whose PII was affected by a September data breach, sued ESO in December for failing to maintain proper safeguards in its computer systems (see 2312220025). Jones’ case was consolidated with five others arising from the same breach in January (see 2401100021). Plaintiffs fail to properly trace their alleged injuries to the data breach, so the court lacks subject-matter jurisdiction, said the motion. ESO owed no duty to plaintiffs, whose allegations don’t demonstrate proximate cause, and they haven’t alleged sufficient damages, the motion said. A plaintiff's obligation to provide grounds of his entitlement to relief requires "more than labels and conclusions," it said, citing Ashcroft v. Iqbal. “A formulaic recitation of the elements of a cause of action will not do.”
Progress Software Corp. (PSC) requested that the Judicial Panel on Multidistrict Litigation deny M&T Bank’s motion to vacate conditional transfer order 31 in In Re: MOVEit Customer Data Security Breach Litigation, said its response (docket 3083) Wednesday to M&T’s motion. The M&T cases at issue – Twoguns v. M&T Bank and Wormack v. M&T Bank – involve the May data breach in PSC’s MOVEit file transfer software. Like other cases, M&T’s cases allege the compromise of plaintiffs’ personally identifiable information (PII), said the response, and the panel has already found that the MOVEit vulnerability is at the core of all cases in the MDL, making it “impossible” to “disentangle the allegations against Progress … from the allegations against other defendants,” it said. M&T argues its cases are “somehow different” from others in the MDL for reasons the panel has “already considered and rejected,” the response said. M&T argues in its motion to vacate that transfer isn't warranted because the cases don’t share common factual issues with the MDL and transfer will be inefficient and inconvenient for the parties, said the filing. M&T also argues that the actions involve third-party vendors; “supposedly do not involve the exposure” of PII; PSC isn’t named as a party in the actions; the M&T actions involve “unique issues and create no risk of inconsistent rulings”; the actions won’t create duplicative discovery; transfer would force M&T to litigate against direct competitors; and the parties oppose centralization in the MDL, said the response. “Each of these arguments has either been considered and rejected by the Panel or ignores the realities of the cases in MDL, which are similarly situated, for the purposes of centralization, with the M&T Actions,” said PSC’s response.
T-Mobile seeks to compel Samuel Whatley's claims to arbitration and to stay his case pending the outcome of that arbitration, said T-Mobile’s motion Wednesday (docket 2:23-cv-01339) in U.S. District Court for South Carolina in Charleston. The pro se plaintiff alleges a T-Mobile employee unlawfully transferred his phone number to another unauthorized device and in so doing compromised his entire bank account. He alleges violations of the Electronic Communications Privacy Act and the Electronic Funds Transfer Act. But Whatley’s customer agreement with T-Mobile contains an “express, conspicuous arbitration provision” by which he agreed “to submit any and all disputes with T-Mobile to arbitration,” said the motion. Whatley for years “repeatedly consented” to the carrier’s terms and conditions and “explicitly agreed” to arbitrate disputes with the company, said T-Mobile’s memorandum of law in support of the motion. To the extent that the plaintiff disputes the “scope or enforceability” of the arbitration provision, “that dispute goes to the arbitrator, as the parties agreed,” it said. But in any event, the arbitration agreement “plainly covers the claims” Whatley brings against T-Mobile “based on its alleged failure to protect his account from unauthorized access,” it said.
Plaintiff Jane Doe and defendants Microsoft and Qualtrics don't agree on a discovery plan and timing for discovery in Doe’s privacy case, said their joint status report and discovery plan Tuesday (docket 2:23-cv-00718) in U.S. District Court for Western Washington in Seattle. Doe’s May complaint (see 2305160051), asserting claims of California’s Invasion of Privacy Act and Unfair Competition Law violations, alleges the defendants repeatedly and systematically violated Doe's and class members’ privacy by surreptitiously extracting private healthcare and other information from Kaiser members’ communications with the Kaiser website through tracking code and services provided by Microsoft and Qualtrics. Doe anticipates 15-20 trial days for completion of the case; defendants expect to try Doe’s individual claim in 7-10 days; if the case proceeds to trial as a class action, the trial “will be substantially longer,” said the defendants’ statement. Doe proposes that a trial date be set after class certification or for June 15, 2026, said the report. Since the defendants will contest a motion for class certification, they request deferral of a trial date until after a decision on class certification, it said. If the court requires an anticipated trial date now, defendants anticipate the case may be “trial ready” by Feb. 27, 2026. The parties don’t believe settlement discussions would be fruitful at this time, it said.