Plaintiff Raymond Goodrow and defendants Comcast and Citrix Systems jointly moved the U.S. District Court for Southern Florida in Fort Lauderdale for an order transferring Goodrow’s class action to the U.S. District Court for Eastern Pennsylvania in Philadelphia under the first-filed doctrine, said their motion Wednesday (docket 0:24-cv-60100). Goodrow’s negligence suit relates to the Citrix data breach in October in which Xfinity customers’ personally identifiable information (PII) was allegedly compromised. Goodrow also claims breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment, alleging that the defendants failed to secure and safeguard his and class members’ PII. Since the first-filed class action related to the Citrix data breach was filed in Pennsylvania, 16 additional class actions have been filed and are pending in the district court in Philadelphia, the motion said. U.S. District Judge Donald Middlebrooks for Southern Florida granted two other joint motions for transfer involving the Citrix breach -- Carey v. Comcast Cable Communications (docket 0:24-cv-60008) and Metzger v. Comcast Cable Communications and Citrix Systems (docket 0:24-cv-60126) -- to the Eastern District of Pennsylvania this month.
Sonia Sofer was forced to resign as an Amazon senior program manager after the company began retaliating against her for filing whistleblower reports internally about its data collection practices involving the Astro home robot when the product was in beta testing in 2021, alleged Sofer’s complaint Tuesday (docket 5:24-cv-01515) in U.S. District Court for Northern California in San Jose. During her employment as a senior program manager, which began in August 2021, Sofer became aware of Amazon’s failure to disclose “the extent, nature and potential uses of data collected and stored by the Astro product to potential public end users of the product,” said her complaint. She also began to suspect the company was doctoring internal and external data about the product's “true performance,” including its retail readiness, it said. Sofer reported her concerns to her superiors about the data that was being collected from beta users without their knowledge or consent that Amazon was using to help train its AI models “to recognize humans and their home environments,” it said. Amazon soon began a series of “adverse employment actions” against Sofer, “constituting illegal and unlawful workplace retaliation,” said her complaint. Among the retributions were “escalated, factually false and unjustified criticisms” of Sofer’s workplace performance, “often in the presence” of one or more of her co-workers, it said. Compounding the attacks were unwanted sexual advances from her direct supervisor, it said. She alleges wrongful workplace retaliation and unlawful sexual harassment under California labor laws.
Apple submitted a March 5 memorandum decision by the 9th U.S. Circuit Appeals Court in Hammerling v. Google affirming dismissal of contract, privacy, consumer protection and unjust enrichment claims based on Google’s disclosure of the challenged data collection. The statement of recent decision (docket 5:22-cv-07069) was submitted Monday in support of Apple's pending motion to dismiss a consolidated data privacy class action in U.S. District Court for Northern California in San Jose. In the Google case, plaintiffs Marie Hammerling and Kay Jackson sued the tech company, alleging it surreptitiously collected personal information from Android users by tracking their download and use of third-party mobile apps and used the data for purposes other than those covered by the privacy policy. The district court dismissed the amended complaint with prejudice under Federal Rule of Civil Procedure 12(b)(6), and the plaintiffs appealed. In Hammerling, the 9th Circuit agreed with Google that by explaining in its privacy policy that it collects data on third-party apps that use its services, it has “sufficiently explained” that it collects activity data in third-party apps downloaded to Android devices because those third-party apps “use” the Android operating system, said the memorandum. Because Google disclosed the challenged data collection efforts in its policy, plaintiffs’ fraud claims “fail to allege an actionable misrepresentation” and were properly dismissed, it said. Plaintiffs also failed to state a claim for breach of contract because the contract “expressly contemplates such collection,” it said. The plaintiffs’ invasion of privacy claims were properly dismissed because Google’s disclosure precludes those claims under common law and the California constitution, it said. Google’s disclosure “expressly disclosed” its intention to track users’ activity on third-party apps so plaintiffs “have no reasonable expectation of privacy in that data,” said the memorandum.
Plaintiff Kevin Kohn voluntarily dismissed without prejudice his privacy class action vs. eHarmony, said his notice Monday (docket 2:24-cv-00613) in U.S. District Court for Central California in Los Angeles. In his January lawsuit, Kohn, who uploaded a selfie to gain access to eHarmony's dating platform, alleged eHarmony collected and retained his biometric information to verify his identity without giving him a retention schedule, in violation of Illinois’ Biometric Information Privacy Act (see 2401250016).
Xfinity customer Curtis Brown dismissed without prejudice his Dec. 21 negligence lawsuit vs. Comcast and Citrix Systems arising from Citrix’s October data breach, said the parties' stipulation Monday (docket 0:23-cv-62392) in U.S. District Court for Southern Florida in Fort Lauderdale. Brown’s class action was one of a dozen named in a motion before the Judicial Panel on Multidistrict Litigation to transfer the cases in In Re: Citrix Data Security Breach Litigation to the Eastern District of Pennsylvania for coordinated or consolidated pretrial proceedings (see 2401120011). Also in the Southern Florida district court Monday, U.S. District Judge Donald Middlebrooks granted the parties’ Thursday motion to transfer the venue of plaintiff Jessica Carey’s Jan. 3 class action vs. Comcast to the Eastern District of Pennsylvania (see 2403080006), said his signed order (docket 0:24-cv-60008). Middlebrooks found that 28 U.S.C. section 1404(a) change of venue factors, plus the “first-filed” rule, weighed in favor of transfer, said the order. Middlebrooks signed an order Thursday dismissing Citrix from Carey’s class action following her March 1 notice of voluntary dismissal.
A Jane Doe plaintiff who sued PHE, owner of adult products website Adam & Eve, for violations of the California Invasion of Privacy Act (CIPA) moved Friday (docket 2:24-cv-01065) to remand her class action to Los Angeles County Superior Court from U.S. District Court for Central California in Los Angeles. Doe originally filed her action alleging PHE disclosed her private and protected sexual information, plus her IP address, in the Central California district court Sept. 25. The case was dismissed and Doe then added Google to the lawsuit and filed in state court; Google removed the case to district court last month (see 2402080070). Doe, a Los Angeles resident, alleges PHE caused Google to learn the contents of her private and protected sexual information without notifying her and without her consent, and that Google violated CIPA each time it “read, learned from, and/or utilized” that information without her consent. Both defendants violated CIPA by operating under an agreement under which PHE installed Google Analytics to disclose Doe’s protected sexual information “in exchange for payment or another form of consideration,” says the complaint. The putative class comprises California residents solely, satisfying the local controversy exception for remand to state court, said the motion, and Google is also a citizen of California. The plaintiff and class members seek statutory damages of $5,000 for each time Google “read, learned the contents of” and used information obtained from a message or communication between PHE and the class without consent. Google’s potential exposure in the action is $5 million or more, it said.
Plaintiff Jessica Carey and defendant Comcast jointly asked the U.S. District Court for Southern Florida in Fort Lauderdale for an order transferring Carey's class action involving the October Citrix Systems data breach to the Eastern District of Pennsylvania in Philadelphia in a Thursday motion (docket 0:24-cv-60008). Carey’s Jan. 3 complaint vs. Citrix and Comcast (see 2401030066) said the defendants failed to collectively secure and safeguard her and other putative class members’ personally identifiable information. The suit asserts claims for negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. Carey’s action was one of 12 included in a motion before the Judicial Panel on Multidistrict Litigation to transfer cases in In Re: Citrix Data Security Breach Litigation to the Eastern District of Pennsylvania for coordinated or consolidated pretrial proceedings (see 2401120011). The MDL has since been renamed In Re: Comcast (NetScaler CVE-4966) Customer Data Security Breach Litigation. The first-filed action related to the Citrix Bleed incident was filed in Philadelphia federal court Dec. 19; since then, 16 more cases stemming from the same data breach have been filed against Comcast or Comcast and Citrix and are currently pending in the court, said the motion. Also Thursday, U.S. District Judge Donald Middlebrooks for Southern Florida signed an order dismissing Citrix from Carey’s class action following her March 1 notice of voluntary dismissal.
Good cause exists for the court to grant the FTC’s Feb. 9 motion to unseal eight documents in the agency’s case against Kochava, said a docket entry order Tuesday (docket 2:22-cv-00377) from U.S. District Judge Lynn Winmill for Idaho in Coeur d’Alene. “Neither party has objected to the unsealing of these documents,” said the FTC’s motion. Among the newly unsealed documents are Kochava’s July 5 motion to dismiss the FTC’s first amended complaint, and the FTC’s Aug. 9 response in opposition. The judge denied Kochava’s motion to dismiss in a Feb. 3 order (see 2402060041). The FTC sued Kochava in August 2022 for allegedly selling vast amounts of personal information about millions of people. The agency alleges that the data can reveal a person’s sensitive information, including religious affiliations, sexual orientation and medical conditions, and by selling that data, Kochava arguably invades consumers’ privacy and exposes them to significant risks of secondary harms.
The National Association of Attorneys General requested “immediate action” from Facebook and Instagram for the “dramatic increase in user account takeovers and lockouts” on the social media platforms, said their Tuesday letter to Meta Platforms Chief Legal Officer Jennifer Newstead. The letter came on the same day both platforms experienced disruptions when users weren’t able to log in to their accounts for over two hours. Meta issued a cursory tweet on X Tuesday acknowledging the outage but not giving a reason for it: “We know some people were having trouble accessing our apps earlier. Apologies for any inconvenience this may have caused, and thank you for your patience while our teams worked quickly to resolve!” The Tuesday letter, signed by 41 AGs, cited a “dramatic and persistent spike in complaints in recent years concerning account takeovers that is not only alarming for our constituents but also a substantial drain on our office resources.” In account takeovers, threat actors compromise Facebook and Instagram user accounts and change passwords so the rightful owner can’t access the account, the AGs said. The hackers can then “usurp personal information, read private messages, scam contacts, post publicly, and take other nefarious actions,” the letter said. There’s risk of financial harm to those users who use Facebook Marketplace for their business and those who have credit cards tied to their accounts, it said, referencing complaints of hackers “fraudulently charging thousands of dollars to stored credit cards.” In 2019, the New York Attorney General’s office received 73 account takeover complaints on Meta platforms; the number rose to 783 last year, and in January alone, the office received 128 complaints, it said. 
“While we may not be completely certain of any connection, we note that the increase in complaints occurred around the same time Meta announced a massive layoff of around 11,000 employees in November 2022, which reportedly focused on the 'security and privacy and integrity sector,'” the letter said. The AGs urged Meta to “substantially increase its investment in account takeover mitigation tactics, as well as responding to users whose accounts were taken over.” The AGs “refuse to operate as the customer service representatives of your company,” it said, saying “proper investment in response and mitigation is mandatory.” In addition, they requested materials on the number of account takeovers over the past five years; suspected causes of the increase in account takeovers; safeguards in place to prevent account takeovers; current policies and procedures related to Meta’s response to account takeovers; and staffing related to safeguarding the platforms against account takeovers and responding to complaints. A Meta spokesperson emailed Wednesday: “Scammers use every platform available to them and constantly adapt to evade enforcement. We invest heavily in our trained enforcement and review teams and have specialized detection tools to identify compromised accounts and other fraudulent activity.” Meta regularly shares tips and tools people can use “to protect themselves, provide a means to report potential violations, work with law enforcement and take legal action,” she said. AGs from Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming signed the letter.
The plaintiffs have shown injury and have “more than adequately pled” their data breach claims, said their opposition Tuesday (docket 1:23-cv-01168) in U.S. District Court for Colorado in Denver to Dish Network’s motion to dismiss their consolidated complaint in its entirety. The case involves a February 2023 ransomware attack in which the personally identifiable information (PII) of Dish employees and family members was compromised. Dish employees and their family members have suffered financial, reputational and other cognizable injuries, the opposition said. Some plaintiffs have experienced actual harm with bank accounts opened illegally in their names, were denied jobs or discovered attempts to apply for unemployment in their names, said the filing. It’s not just “theoretical” that plaintiffs’ PII may be misused by criminals, said the opposition: “It already has been -- and the door is wide open now for all of them to experience increased misuse going forward.” Article III standing requires that plaintiffs’ injuries are fairly traceable to the challenged action of the defendant, it said. Plaintiffs “easily satisfy this standard” by alleging the data breach occurred as a result of Dish’s “misconduct,” allowing cybercriminals to access their private information, including Social Security numbers, and that the stolen data was misused, it said. Without Dish’s “misconduct,” the plaintiffs wouldn’t have been harmed, it said. Dish argued that one injury related to a plaintiff’s debit card number being used for unauthorized charges was insufficient because the consolidated amended complaint didn’t provide details about the purchase or that he provided a particular debit card number. “But so what?” said the opposition, saying it’s unnecessary to allege debit card numbers in a pleading.
Dish asserted the plaintiffs haven’t alleged any facts suggesting a future data breach is likely, but it has already been breached once “due to inadequate data security – and it is foreseeable another breach will occur,” the opposition said. Plaintiffs' claim for injunctive relief doesn’t rely solely on past conduct but also relies on protecting their PII still backed up in Dish’s possession, it said. Class members are largely past and current employees of Dish, and the company is obligated, under the Fair Labor Standards Act, to maintain their PII for up to three years, post severance, said the opposition. Without better cybersecurity going forward, class members’ information is “vulnerable to another hack and, if and when it does happen, the results would likely be devastating,” giving plaintiffs standing to seek injunctive relief, it said. Dish concluded it had no duty to protect plaintiffs’ PII, but an employer’s duty to protect employees’ PII has been recognized in circuit courts across the country, it said. Dish argued that a claim for breach fails because it made no representations regarding an agreement to provide data security to plaintiffs, but an express communication regarding the agreement doesn’t need to be made, the opposition said. As a condition of being employed, current and former employees were required to provide their PII to Dish, it said. Dish accepted the PII with the understanding it would take “appropriate steps to safeguard” it; otherwise, plaintiffs would not have provided it, said the filing.