The seven-day stay for conditional transfer order 32 (CTO-32) was lifted in In Re: MOVEit Customer Data Security Breach Litigation, said a clerk’s notice (docket 3083) from the Judicial Panel on Multidistrict Litigation Wednesday. The five negligence class actions against 1st Source Bank in U.S. District Court for Northern Indiana related to Progress Software Corp.’s May data breach involve questions of fact common to actions previously transferred to the U.S. District Court for Massachusetts in Boston and assigned to U.S. District Judge Allison Burroughs, said the order. None of the five cases names Progress Software as a defendant. Since five actions were transferred to the Boston court on Oct. 4, 206 additional actions have been transferred, it said.

A Chicago-area child care agency violated the Illinois Biometric Information Privacy Act by using an employee timekeeping system that includes the dissemination of biometrics to third parties, such as data storage vendors and payroll services, alleged Evilin Cortez’s class action Monday (docket 1:24-cv-01589) in U.S. District Court for Northern Illinois in Chicago. The Little Achievers Learning Center's system stores and repeatedly uses employees’ biometrics each time they clock in or out for their jobs, said the complaint. Cortez relied on her employer “to not only provide a lawful and legally compliant system, but to also disclose all material information regarding the technology and system, including retention, destruction, and dissemination policies,” it said. Before taking possession of Cortez’s biometrics through its timekeeping system, Little Achievers didn’t inform her in writing that her biometrics “were being collected, stored, used, or disseminated,” nor did it publish any policy “specifically about the collection, retention, use, deletion, or dissemination of biometrics,” it said. To this day, the child care worker is unaware of the status of her biometrics obtained by her employer, which hasn’t informed her whether it still retains her biometric information, and if it does, for how long it intends to retain such information without her consent, it said. To the extent Little Achievers is still retaining Cortez’s biometrics, “such retention is unlawful,” said the complaint. Cortez wouldn’t have provided her biometric data to her employer or used its biometric timekeeping technology had she known that her information would remain with the employer “for an indefinite period or subject to unauthorized disclosure,” it said.

Comcast notified the Judicial Panel on Multidistrict Litigation in a Tuesday notice (docket 3099) of two related class actions in U.S. District Court for Eastern Pennsylvania in Philadelphia involving Citrix's October data breach. Jaclyn Remark and Noah Birkett v. Comcast Cable Communications and Citrix Systems (docket 2:24-cv-00793) (see 2402230042) and Vince Estevez v. Comcast Cable Communications and Citrix Systems (docket 2:24-cv-00800) (see 2402260036), filed last week, bringing claims of negligence, breach of implied contract and third-party beneficiary contract, and unjust enrichment.

U.S. District Judge William Conley for Western Wisconsin in Madison granted the plaintiffs' motion to consolidate the cases against Forward Bank and Forward Financial Services involving a Sept.6 data breach, said his signed order Monday (docket 3:23-cv-844). The plaintiffs in Hamilton v. Forward Bank and Forward Financial Services and Ethan Rohland v. Forward Bank and Forward Financial Services moved to consolidate their cases Dec. 19, and the defendants didn’t oppose the motion. The plaintiffs’ consolidated amended complaint is due by April 11, and the defendants will have 21 days to respond, the order said. The plaintiffs in both data breach cases allege Forward Bank maintained, used and shared customers’ personally identifiable information in a “reckless manner,” the complaint said. Conley's order will apply to any action filed in, transferred to, or remanded to the Wisconsin court relating to the Sept. 6 data breach, subject to "prompt objection" by any new plaintiffs or their counsel, it said.

The Dec. 18 SIM swap complaint in which Dagyana Ortiz-Nieves alleges Four Liberty Mobile Puerto Rico employees accessed her account without her authorization and failed to safeguard her personal information (see 2312190061) repeats “hundreds of legally deficient and insufficient allegations,” said Liberty’s motion to dismiss Friday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan. The complaint then “incorrectly and baselessly attempts” to hold Liberty liable for alleged disclosures of some “unspecified” personal information and “a swath of third-party actions and unfortunate incidents” that weren’t within Liberty’s control, it said. Ortiz-Nieves lacks Article III standing to sue Liberty for the conduct alleged because she fails to allege an injury-in-fact that's traceable to Liberty’s alleged conduct and that’s likely to be redressed by a favorable judicial decision, it said. Even if Ortiz-Nieves had Article III standing, which Liberty denies, the court would lack subject-matter jurisdiction over her federal claims, it said.

Matthew Hartz voluntarily dismissed without prejudice his privacy action vs. TaxAct because his claims have been incorporated into Smith-Washington v. TaxAct, said his notice of dismissal (docket 1:23-cv-04591) in U.S. District Court for Eastern Illinois in Chicago Thursday. Hartz’s July complaint alleged TaxAct violated congressional and IRS safeguards against the sharing of private tax return information with third parties when it transmitted his personally identifiable information to Facebook and Google (see 2307170033). TaxAct has not served an answer or a motion for summary judgment in the proceeding, so dismissal without prejudice is appropriate without a court order, said the notice.

U.S. District Judge Theodore Chuang for Maryland in Baltimore granted leave to the plaintiffs in seven class actions to move to consolidate those cases involving a data breach at the Retina Group of Washington (RGW) and to appoint interim co-lead class counsel, said his order Tuesday (docket 1:24-cv-00082). His order followed a case management conference Friday. The ophthalmology provider notified patients on its website from July 7 to Nov. 4 of a data breach it experienced March 26 but didn’t disclose that current and former patients’ personally identifiable or personal health information was compromised, Shalane Vance and Sharon Jenkins alleged in one of the class actions last month (see 2401100023). The other actions are brought by Mary Vandenbroucke (docket 1:24-cv-0004), Kwame Dapaah-Siakwan (1:24-cv-0016), Jennifer Boehles (1:24-cv-0020), Natalia Girard (1:24-cv-0082), David Puckett (1:24-cv-0137) and Desiree McCormick (1:24-cv-0166). Plaintiffs must file their motion by Friday, and if the motion is granted, they will be granted leave to file an amended complaint by March 18, the order said. RGW intends to file a motion to dismiss following submission of the amended complaint, due April 17, it said.

U.S. District Judge Donald Middlebrooks for Southern Florida in Fort Lauderdale denied Citrix and Comcast’s joint Feb. 13 motion for an extension of time to respond to plaintiff Alexander Nunn’s negligence complaint (see 2401080014) involving Citrix’s October data breach, said the judge's order Tuesday (docket 0:24-cv-60029). Citrix's deadline to respond to the complaint is March 11 and Comcast's is March 19, and the defendants seek extensions to 30 days after the U.S. Judicial Panel on Multidistrict Litigation reaches a decision on transfer or consolidation of cases involving the data breach. The JPML’s hearing on those cases is set for March 28 in U.S. District Court for South Carolina in Charleston, and it would be “tedious and wasteful” for the defendants to spend resources briefing cases that might be consolidated and transferred, said their motion. The defendants noted the March 28 hearing date, “but they fail to indicate if a final decision on transfer will be made at this hearing,” said Middlebrooks. While acknowledging that Comcast and Citrix want to avoid devoting resources to litigating the case before they know whether it will be consolidated in an MDL, the judge declined their motion, “as it would effectively result in a stay of these proceedings,” said the order. “I am not inclined to allow this case to lie dormant during the pendency of the proceedings before the MDL panel, especially where there is no reasonable expectation as to how long it will take the panel to render its decision,” it said. Nunn’s class action alleges Comcast and Citrix failed to adequately protect his and class members' personally identifiable information from data thieves in the data breach.

Plaintiffs Brandford Bosley and Patricia Bosley oppose conditional transfer order 30 (CTO-30) in In Re: MOVEit Customer Data Security Breach Litigation said their notice of opposition (docket 3083) Friday before the Judicial Panel on Multidistrict Litigation. Bosley et al v. California Physicians’ Services et al (docket 3:24-cv-00229) was removed Feb. 2 from Superior Court of California, San Diego County and is pending in U.S. District Court for Southern California. The class action involves Progress Software Corp.’s May data breach in its MOVEit file transfer software.

Mr. Cooper “negligently allowed” customers’ personally identifiable information (PII) to be compromised and failed to take “reasonable steps to protect against an obvious threat,” alleged a Feb. 1 complaint (CVMV2401017) in California Superior Court, Riverside County, involving an Oct. 31 data breach. Plaintiff Michael Geller, who received a letter Dec. 15 informing him of the breach in Mr. Cooper’s systems, alleges the mortgage company “failed to take reasonable steps to employ security measures that are adequate” and didn’t attempt to protect PII, “despite highly publicized breaches of other large companies in recent years.” Affected files included Geller’s name, address, phone number, email address, Social Security number and birthdate, it said. As a result of the data breach, the Moreno Valley, California, resident has suffered losses including loss of control over the value of his PII. The suit also names Does 1-10 as defendants. Causes of action are negligence, breach of implied contract and violation of the California Data Breach Notification Act. Geller seeks appropriate monetary relief not to exceed $35,000, said the complaint. Mr. Cooper didn't comment.