A lawsuit against Progress Software Corp. and Delta Dental is the lone class action transferred in conditional transfer order 37 (CTO-37) (docket 3083) to In Re: MOVEit Customer Data Security Breach Litigation in U.S. District Court for Massachusetts in Boston Monday. Shannon Harker’s March 25 negligence complaint alleges PSC and Delta Dental failed to provide timely notice of PSC’s May data breach in its MOVEit cloud hosting and file transfer service, which insurer Delta Dental used to transfer or store the sensitive information of its 45 million customers, said the complaint (docket 3:24-cv-01830). Though PSC claimed to have notified its customers immediately upon learning of the vulnerability on May 31, and both defendants “knew as early as July 6" that Delta Dental’s customers’ information was involved in the breach, they didn’t notify Delta customers of the breach until Jan. 12, said the complaint. Since the Judicial Panel on Multidistrict Litigation transferred five actions involving the MOVEit breach to the Massachusetts court, 218 additional actions have been transferred, said the order, which is stayed for seven days to allow any party to file a notice of opposition.

Amazon denies Sonia Sofer’s allegations that the company forced her to resign as a senior program manager after it began retaliating against her for filing whistleblower reports internally about its data collection practices involving the Astro home robot when the product was in beta testing in 2021 (see 2403130002), said the company’s answer Friday (docket 5:24-cv-01515) in U.S. District Court for Northern California in San Jose. Amazon is informed, and believes that further investigation and discovery will reveal, and on that basis alleges, that Sofer isn’t entitled to recover punitive or exemplary damages, said its answer. That’s because the plaintiff failed to state facts sufficient to state a claim for damages, it said. Amazon also committed no acts justifying an award of punitive or exemplary damages, it said. The company also didn’t supervise employees “with conscious disregard for the rights and/or safety of others," it said. It also asserts that no officer, director or managing agent “committed, authorized or ratified any improper acts,” it said.

Wyteria Trimble, Stefanie Garcia and Olivia Georgiady dismissed without prejudice their negligence class action against Paycom Payroll, involving the Progress Software May MOVEit data breach, said the plaintiffs' notice (docket 5:24-cv-00154) of voluntary dismissal Thursday in U.S. District Court for Western Oklahoma in Oklahoma City. Trimble alleges in the Feb. 8 class action that following the MOVEit file transfer software data breach in May, an unknown user gained access to her Paycom account numerous times, changed her direct deposit information and stole her paychecks. Garcia said two days after she was supposed to receive her direct deposit, May 17, an unknown person accessed her Paycom account and changed her routing information, resulting in her direct deposit routing “to an unknown account.” An unknown user gained access to Georgiady’s Paycom account on May 28 and changed her direct deposit information, resulting in 90% of her May and June direct-deposit paychecks “being sent to an unknown account,” said the complaint. Paycom never informed the plaintiffs their accounts had been breached, the complaint said.

Charles Bezak’s negligence complaint vs. MGM over the resort company's September data breach has been consolidated with three others under lead case Owens v. MGM Resorts International (docket 2:23-cv-01480), said a text-only notice Monday in U.S. District Court for Nevada in Las Vegas. During the Sept. 11 data breach, cybercriminals shut down MGM's ATMs and slot machines, its website and online booking systems. Bezak asserts claims of negligence, breach of implied contract, unjust enrichment and violation of Nevada’s Consumer Fraud Act.

U.S. District Judge Tom Barber for Middle Florida in Tampa granted TelevisaUnivision Digital's motion to compel plaintiff Indira Falcon’s Video Privacy Protection Act claims to arbitration and to stay the case pending that arbitration's outcome, said Barber’s signed order Friday (docket 8:23-cv-02340). Falcon alleges that TelevisaUnivision violated the VPPA by disclosing her and other class members’ ViX.com viewing history to Facebook via a Meta tracking pixel embedded in the ViX.com website. Falcon opposes arbitration by arguing that she wasn’t on “inquiry notice” of the arbitration provision. But courts in the Middle District of Florida have “consistently found” that a statement informing a user that consenting to a set of hyperlinked terms “provides sufficient inquiry notice if the hyperlinks are conspicuously placed above the button that users must click to continue,” said Barber’s order. In Falcon’s case, the hyperlinks weren’t “buried” at the bottom of ViX’s webpage, it said. Users of the site, such as Falcon, therefore had “sufficient inquiry notice” that she was agreeing to the use agreement's terms, including its arbitration provision, by clicking “create account” and “subscribe,” it said.

Two dozen negligence class actions vs. Comcast and/or Citrix Systems pending in U.S. District Court for Eastern Pennsylvania in Philadelphia have been consolidated before U.S. District Judge John Younge pursuant to Federal Rule of Civil Procedure 42(a) for purposes of addressing common issues of law and fact prior to trial, said a signed order (docket 5:24-cv-01201) by U.S. District Judge Mitchell Goldberg Wednesday in consideration of the plaintiffs’ unopposed motion to consolidate. The cases involve Citrix’s October data breach in which the personally identifiable information of some 36 million Comcast customers was allegedly compromised. The case will be maintained under master docket 2:23-cv-05039, the order said. Any action subsequently filed, transferred or removed to the Pennsylvania court that arises out of the same or similar alleged facts as the consolidated action will be consolidated with the case for pretrial purposes, the order said.

A “mere risk of future harm” isn’t a concrete injury, and claims for diminished value of personally identifiable information (PII), mitigation expenses, lost time and actual misuse and theft of PII “are insufficient to establish an injury in fact,” said ESO Solutions' motion to dismiss (docket 1:23-cv-01557) a negligence class action Thursday in U.S. District Court for Western Texas in Austin. Essie Jones, one of about 2.7 million individuals whose PII was affected by a September data breach, sued ESO in December for failing to maintain proper safeguards in its computer systems (see 2312220025). Jones’ case was consolidated with five others arising from the same breach in January (see 2401100021). Plaintiffs fail to properly trace their alleged injuries to the data breach, so the court lacks subject-matter jurisdiction, said the motion. ESO owed no duty to plaintiffs, whose allegations don’t demonstrate proximate cause, and they haven’t alleged sufficient damages, the motion said. A plaintiff's obligation to provide grounds of his entitlement to relief requires "more than labels and conclusions," it said, citing Ashcroft v. Iqbal. “A formulaic recitation of the elements of a cause of action will not do.”

Progress Software Corp. (PSC) requested that the Judicial Panel on Multidistrict Litigation deny M&T Bank’s motion to vacate conditional transfer order 31 in In Re: MOVEit Customer Data Security Breach Litigation, said its response (docket 3083) Wednesday to M&T’s motion. The M&T cases at issue – Twoguns v. M&T Bank and Wormack v. M&T Bank -- involve the May data breach in PSC’s MOVEit file transfer software. Like other cases, M&T’s cases allege the compromise of plaintiffs’ personally identifiable information (PII), said the response, and the panel has already found that the MOVEit vulnerability is at the core of all cases in the MDL, making it “impossible” to “disentangle the allegations against Progress … from the allegations against other defendants,” it said. M&T argues its cases are “somehow different” from others in the MDL for reasons the panel has “already considered and rejected,” the response said. M&T argues in its motion to vacate that transfer isn't warranted because the cases don’t share common factual issues with the MDL and transfer will be inefficient and inconvenient for the parties, said the filing. M&T also argues that the actions involve third-party vendors; “supposedly do not involve the exposure” of PII; PSC isn’t named as a party in the actions; the M&T actions involve “unique issues and create no risk of inconsistent rulings"; the actions won’t create duplicative discovery; transfer would force M&T to litigate against direct competitors; and the parties oppose centralization in the MDL, said the response. “Each of these arguments has either been considered and rejected by the Panel or ignores the realities of the cases in MDL, which are similarly situated, for the purposes of centralization, with the M&T Actions,” said PSC’s response.

T-Mobile seeks to compel Samuel Whatley's claims to arbitration and to stay his case pending the outcome of that arbitration, said T-Mobile’s motion Wednesday (docket 2:23-cv-01339) in U.S. District Court for South Carolina in Charleston. The pro se plaintiff alleges a T-Mobile employee unlawfully transferred his phone number to another unauthorized device and in so doing compromised his entire bank account. He alleges violations of the Electronic Communications Privacy Act and the Electronic Funds Transfer Act. But Whatley’s customer agreement with T-Mobile contains an “express, conspicuous arbitration provision” by which he agreed “to submit any and all disputes with T-Mobile to arbitration,” said the motion. Whatley for years “repeatedly consented” to the carrier’s terms and conditions and “explicitly agreed” to arbitrate disputes with the company, said T-Mobile’s memorandum of law in support of the motion. To the extent that the plaintiff disputes the “scope or enforceability” of the arbitration provision, “that dispute goes to the arbitrator, as the parties agreed,” it said. But in any event, the arbitration agreement “plainly covers the claims” Whatley brings against T-Mobile “based on its alleged failure to protect his account from unauthorized access,” it said.

The March 21 decision in U.S. District Court for Southern California in San Diego granting Ford’s motion to dismiss a California Invasion of Privacy Act complaint is “relevant” to defendant Tonal Systems’ own motion to dismiss plaintiff Julie Jones’ CIPA class action in the same court for failure to state a claim on which relief can be granted (see 2308300028), said Tonal’s notice Tuesday (docket 3:23-cv-01267). Jones alleges Tonal, a maker of home gym equipment, violated the CIPA and the state’s Unfair Competition Law when it used software from a third-party vendor, Drift, to secretly eavesdrop on the private conversations of users of the chat features on Tonal’s website (see 2307110047). Tonal’s motion to dismiss was fully briefed, and the motion hearing was held Oct. 18, said the notice. Jones lacks a “viable statutory claim for wiretapping” under the CIPA, said Tonal’s motion to dismiss. In the Ford case, plaintiff Rebeka Rodriguez alleged that the automaker secretly enables and allows a third-party spyware company to eavesdrop on the private conversations of everyone who visits Ford’s website and communicates through its chat feature. She alleged that the spyware company then monetized that data by sharing it with other third parties, which used it to bombard the unsuspecting visitors with targeted marketing, all without their informed consent. The court construed Rodriguez's argument in her opposition to the motion to dismiss as declining to pursue a claim against Ford for direct liability under the first three clauses of the CIPA’s Section 631(a). It dismissed any such claim against Ford with prejudice because amendment would be futile.