The seven-day stay for conditional transfer order 32 (CTO-32) was lifted in In Re: MOVEit Customer Data Security Breach Litigation, said a clerk’s notice (docket 3083) from the Judicial Panel on Multidistrict Litigation Wednesday. The five negligence class actions against 1st Source Bank in U.S. District Court for Northern Indiana related to Progress Software Corp.’s May data breach involve questions of fact common to actions previously transferred to the U.S. District Court for Massachusetts in Boston and assigned to U.S. District Judge Allison Burroughs, said the order. None of the five cases names Progress Software as a defendant. Since five actions were transferred to the Boston court on Oct. 4, 206 additional actions have been transferred, it said.
A Chicago-area child care agency violated the Illinois Biometric Information Privacy Act by using an employee timekeeping system that includes the dissemination of biometrics to third parties, such as data storage vendors and payroll services, alleged Evilin Cortez’s class action Monday (docket 1:24-cv-01589) in U.S. District Court for Northern Illinois in Chicago. The Little Achievers Learning Center's system stores and repeatedly uses employees’ biometrics each time they clock in or out for their jobs, said the complaint. Cortez relied on her employer “to not only provide a lawful and legally compliant system, but to also disclose all material information regarding the technology and system, including retention, destruction, and dissemination policies,” it said. Before taking possession of Cortez’s biometrics through its timekeeping system, Little Achievers didn’t inform her in writing that her biometrics “were being collected, stored, used, or disseminated,” nor did it publish any policy “specifically about the collection, retention, use, deletion, or dissemination of biometrics,” it said. To this day, the child care worker is unaware of the status of her biometrics obtained by her employer, which hasn’t informed her whether it still retains her biometric information, and if it does, for how long it intends to retain such information without her consent, it said. To the extent Little Achievers is still retaining Cortez’s biometrics, “such retention is unlawful,” said the complaint. Cortez wouldn’t have provided her biometric data to her employer or used its biometric timekeeping technology had she known that her information would remain with the employer “for an indefinite period or subject to unauthorized disclosure,” it said.
Comcast notified the Judicial Panel on Multidistrict Litigation in a Tuesday notice (docket 3099) of two related class actions in U.S. District Court for Eastern Pennsylvania in Philadelphia involving Citrix's October data breach. Jaclyn Remark and Noah Birkett v. Comcast Cable Communications and Citrix Systems (docket 2:24-cv-00793) (see 2402230042) and Vince Estevez v. Comcast Cable Communications and Citrix Systems (docket 2:24-cv-00800) (see 2402260036), both filed last week, bring claims of negligence, breach of implied contract and third-party beneficiary contract, and unjust enrichment.
U.S. District Judge William Conley for Western Wisconsin in Madison granted the plaintiffs' motion to consolidate the cases against Forward Bank and Forward Financial Services involving a Sept. 6 data breach, said his signed order Monday (docket 3:23-cv-844). The plaintiffs in Hamilton v. Forward Bank and Forward Financial Services and Ethan Rohland v. Forward Bank and Forward Financial Services moved to consolidate their cases Dec. 19, and the defendants didn’t oppose the motion. The plaintiffs’ consolidated amended complaint is due by April 11, and the defendants will have 21 days to respond, the order said. The plaintiffs in both data breach cases allege Forward Bank maintained, used and shared customers’ personally identifiable information in a “reckless manner,” the complaint said. Conley's order will apply to any action filed in, transferred to, or remanded to the Wisconsin court relating to the Sept. 6 data breach, subject to "prompt objection" by any new plaintiffs or their counsel, it said.
The Dec. 18 SIM swap complaint in which Dagyana Ortiz-Nieves alleges four Liberty Mobile Puerto Rico employees accessed her account without her authorization and failed to safeguard her personal information (see 2312190061) repeats “hundreds of legally deficient and insufficient allegations,” said Liberty’s motion to dismiss Friday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan. The complaint then “incorrectly and baselessly attempts” to hold Liberty liable for alleged disclosures of some “unspecified” personal information and “a swath of third-party actions and unfortunate incidents” that weren’t within Liberty’s control, it said. Ortiz-Nieves lacks Article III standing to sue Liberty for the conduct alleged because she fails to allege an injury-in-fact that's traceable to Liberty’s alleged conduct and that’s likely to be redressed by a favorable judicial decision, it said. Even if Ortiz-Nieves had Article III standing, which Liberty denies, the court would lack subject-matter jurisdiction over her federal claims, it said.
Matthew Hartz voluntarily dismissed without prejudice his privacy action vs. TaxAct because his claims have been incorporated into Smith-Washington v. TaxAct, said his notice of dismissal (docket 1:23-cv-04591) in U.S. District Court for Eastern Illinois in Chicago Thursday. Hartz’s July complaint alleged TaxAct violated congressional and IRS safeguards against the sharing of private tax return information with third parties when it transmitted his personally identifiable information to Facebook and Google (see 2307170033). TaxAct has not served an answer or a motion for summary judgment in the proceeding, so dismissal without prejudice is appropriate without a court order, said the notice.
U.S. District Judge Theodore Chuang for Maryland in Baltimore granted leave to the plaintiffs in seven class actions to move to consolidate those cases involving a data breach at the Retina Group of Washington (RGW) and to appoint interim co-lead class counsel, said his order Tuesday (docket 1:24-cv-00082). His order followed a case management conference Friday. The ophthalmology provider notified patients on its website from July 7 to Nov. 4 of a data breach it experienced March 26 but didn’t disclose that current and former patients’ personally identifiable or personal health information was compromised, Shalane Vance and Sharon Jenkins alleged in one of the class actions last month (see 2401100023). The other actions are brought by Mary Vandenbroucke (docket 1:24-cv-0004), Kwame Dapaah-Siakwan (1:24-cv-0016), Jennifer Boehles (1:24-cv-0020), Natalia Girard (1:24-cv-0082), David Puckett (1:24-cv-0137) and Desiree McCormick (1:24-cv-0166). Plaintiffs must file their motion by Friday, and if the motion is granted, they will be granted leave to file an amended complaint by March 18, the order said. RGW intends to file a motion to dismiss following submission of the amended complaint, due April 17, it said.
U.S. District Judge Donald Middlebrooks for Southern Florida in Fort Lauderdale denied Citrix and Comcast’s joint Feb. 13 motion for an extension of time to respond to plaintiff Alexander Nunn’s negligence complaint (see 2401080014) involving Citrix’s October data breach, said the judge's order Tuesday (docket 0:24-cv-60029). Citrix's deadline to respond to the complaint is March 11 and Comcast's is March 19, and the defendants seek extensions to 30 days after the U.S. Judicial Panel on Multidistrict Litigation reaches a decision on transfer or consolidation of cases involving the data breach. The JPML’s hearing on those cases is set for March 28 in U.S. District Court for South Carolina in Charleston, and it would be “tedious and wasteful” for the defendants to spend resources briefing cases that might be consolidated and transferred, said their motion. The defendants noted the March 28 hearing date, “but they fail to indicate if a final decision on transfer will be made at this hearing,” said Middlebrooks. While acknowledging that Comcast and Citrix want to avoid devoting resources to litigating the case before they know whether it will be consolidated in an MDL, the judge declined their motion, “as it would effectively result in a stay of these proceedings,” said the order. “I am not inclined to allow this case to lie dormant during the pendency of the proceedings before the MDL panel, especially where there is no reasonable expectation as to how long it will take the panel to render its decision,” it said. Nunn’s class action alleges Comcast and Citrix failed to adequately protect his and class members' personally identifiable information from data thieves in the data breach.
The Citrix Bleed flaw in Citrix’s NetScaler software allowed bad actors to access plaintiff Antonio Cole's and nearly 285,000 class members’ personally identifiable information (PII), alleged Cole's class action Friday (docket 0:24-cv-60269) in U.S. District Court for Southern Florida in Fort Lauderdale. Co-defendant Planet Home Lending informed plaintiff Cole, an Alabama resident, of the incident on Jan. 25, telling him his name, Social Security number, loan and financial account numbers were compromised in a Nov. 15 cyberattack that Planet became aware of that day, the complaint said. On Feb. 13, Cole’s bank informed him about unauthorized charges on his debit/credit card, forcing him to freeze and close that account, and change his autopay information with several vendors. Following the breach, Cole noticed an increase in spam emails, texts and phone calls, it said. Cole has spent about four hours consulting his bank about the fraudulent charges and six hours dealing with consequences of the breach, it said. On Nov. 28, Planet determined “with reasonable certainty” that the threat actor accessed a read-only data folder with copies of loan files containing the PII of some of its customers. The notice said Planet has not paid, and doesn’t anticipate paying, a ransom to the threat actor. The mortgage company was in the process of retaining a third-party consultant to do an audit and risk assessment of its information security technology, controls and processes, it said. Planet offered affected individuals credit monitoring and identity protection services via Experian Identity Works for 24 months, it said. The class action asserts claims of negligence, breach of express and implied contract, and unjust enrichment. 
Cole seeks for himself and the class actual and statutory damages, equitable relief, restitution, disgorgement and statutory costs; an order requiring defendants to purchase funds for lifetime credit monitoring and identity theft insurance; attorneys’ fees and legal costs; and pre- and post-judgment interest.
Mr. Cooper “negligently allowed” customers’ personally identifiable information (PII) to be compromised and failed to take “reasonable steps to protect against an obvious threat,” alleged a Feb. 1 complaint (CVMV2401017) in California Superior Court, Riverside County, involving an Oct. 31 data breach. Plaintiff Michael Geller, who received a letter Dec. 15 informing him of the breach in Mr. Cooper’s systems, alleges the mortgage company “failed to take reasonable steps to employ security measures that are adequate” and didn’t attempt to protect PII, “despite highly publicized breaches of other large companies in recent years.” Affected files included Geller’s name, address, phone number, email address, Social Security number and birthdate, it said. As a result of the data breach, the Moreno Valley, California, resident has suffered losses including loss of control over the value of his PII. The suit also names Does 1-10 as defendants. Causes of action are negligence, breach of implied contract and violation of the California Data Breach Notification Act. Geller seeks appropriate monetary relief not to exceed $35,000, said the complaint. Mr. Cooper didn't comment.