Plaintiff Michelle Righetti moved to relate 14 class actions arising out of MGM Resorts International’s September data breach, said her motion to consolidate Wednesday (docket 2:23-cv-01719) in U.S. District Court for Nevada in Las Vegas. All the cases involve the same defendant, set forth similar or identical proposed classes, raise virtually identical legal and factual issues, and seek the same or substantially similar relief, said the motion, saying consolidation would provide “judicial efficiency and economy of resources.” Righetti sued MGM on Dec. 14, alleging claims for negligence, violations of California’s Privacy and Customer Records acts and its Unfair Competition Law. The motion includes the 14 class actions plus any additional related cases that may be filed or transferred to the Nevada court, it said.
Sonia Sofer was forced to resign as an Amazon senior program manager after the company began retaliating against her for filing whistleblower reports internally about its data collection practices involving the Astro home robot when the product was in beta testing in 2021, alleged Sofer’s complaint Tuesday (docket 5:24-cv-01515) in U.S. District Court for Northern California in San Jose. During her employment as a senior program manager, which began in August 2021, Sofer became aware of Amazon’s failure to disclose “the extent, nature and potential uses of data collected and stored by the Astro product to potential public end users of the product,” said her complaint. She also began to suspect the company was doctoring internal and external data about the product's “true performance,” including its retail readiness, it said. Sofer reported her concerns to her superiors about the data that was being collected from beta users without their knowledge or consent that Amazon was using to help train its AI models “to recognize humans and their home environments,” it said. Amazon soon began a series of “adverse employment actions” against Sofer, “constituting illegal and unlawful workplace retaliation,” said her complaint. Among the retributions were “escalated, factually false and unjustified criticisms” of Sofer’s workplace performance, “often in the presence” of one or more of her co-workers, it said. Compounding the attacks were unwanted sexual advances from her direct supervisor, it said. She alleges wrongful workplace retaliation and unlawful sexual harassment under California labor laws.
Xfinity customer Curtis Brown dismissed without prejudice his Dec. 21 negligence lawsuit vs. Comcast and Citrix Systems arising from Citrix’s October data breach, said the parties' stipulation Monday (docket 0:23-cv-62392) in U.S. District Court for Southern Florida in Fort Lauderdale. Brown’s class action was one of a dozen named in a motion before the Judicial Panel on Multidistrict Litigation to transfer the cases in In Re: Citrix Data Security Breach Litigation to the Eastern District of Pennsylvania for coordinated or consolidated pretrial proceedings (see 2401120011). Also in the Southern Florida district court Monday, U.S. District Judge Donald Middlebrooks granted the parties’ Thursday motion to transfer the venue of plaintiff Jessica Carey’s Jan. 3 class action vs. Comcast to the Eastern District of Pennsylvania (see 2403080006), said his signed order (docket 0:24-cv-60008). Middlebrooks found that 28 U.S.C. section 1404(a) change of venue factors, plus the “first-filed” rule, weighed in favor of transfer, said the order. Middlebrooks signed an order Thursday dismissing Citrix from Carey’s class action following her March 1 notice of voluntary dismissal.
Plaintiff Kevin Kohn voluntarily dismissed without prejudice his privacy class action vs. eHarmony, said his notice Monday (docket 2:24-cv-00613) in U.S. District Court for Central California in Los Angeles. In his January lawsuit, Kohn, who uploaded a selfie to gain access to eHarmony's dating platform, alleged eHarmony collected and retained his biometric information to verify his identity without giving him a retention schedule, in violation of Illinois’ Biometric Information Privacy Act (see 2401250016).
Apple submitted a March 5 memorandum decision by the 9th U.S. Circuit Appeals Court in Hammerling v. Google affirming dismissal of contract, privacy, consumer protection and unjust enrichment claims based on Google’s disclosure of the challenged data collection. The statement of recent decision (docket 5:22-cv-07069) was submitted Monday in support of Apple's pending motion to dismiss a consolidated data privacy class action in U.S. District Court for Northern California in San Jose. In the Google case, plaintiffs Marie Hammerling and Kay Jackson sued the tech company, alleging it surreptitiously collected personal information from Android users by tracking their download and use of third-party mobile apps and used the data for purposes other than those covered by the privacy policy. The district court dismissed the amended complaint with prejudice under Federal Rule of Civil Procedure 12(b)(6), and the plaintiffs appealed. In Hammerling, the 9th Circuit agreed with Google that by explaining in its privacy policy that it collects data on third-party apps that use its services, it has “sufficiently explained” that it collects activity data in third-party apps downloaded to Android devices because those third-party apps “use” the Android operating system, said the memorandum. Because Google disclosed the challenged data collection efforts in its policy, plaintiffs’ fraud claims “fail to allege an actionable misrepresentation” and were properly dismissed, it said. Plaintiffs also failed to state a claim for breach of contract because the contract “expressly contemplates such collection,” it said. The plaintiffs’ invasion of privacy claims were properly dismissed because Google’s disclosure precludes those claims under common law and the California constitution, it said. Google’s disclosure “expressly disclosed” its intention to track users’ activity on third-party apps so plaintiffs “have no reasonable expectation of privacy in that data,” said the memorandum.
A Jane Doe plaintiff who sued PHE, owner of adult products website Adam & Eve, for violations of the California Invasion of Privacy Act (CIPA) moved Friday (docket 2:24-cv-01065) to remand her class action to Los Angeles County Superior Court from U.S. District Court for Central California in Los Angeles. Doe originally filed her action alleging PHE disclosed her private and protected sexual information, plus her IP address, in the Central California district court Sept. 25. The case was dismissed and Doe then added Google to the lawsuit and filed in state court; Google removed the case to district court last month (see 2402080070). Doe, a Los Angeles resident, alleges PHE caused Google to learn the contents of her private and protected sexual information without notifying her and without her consent, and that Google violated CIPA each time it “read, learned from, and/or utilized” that information without her consent. Both defendants violated CIPA by operating under an agreement under which PHE installed Google Analytics to disclose Doe’s protected sexual information “in exchange for payment or another form of consideration,” says the complaint. The putative class comprises California residents solely, satisfying the local controversy exception for remand to state court, said the motion, and Google is also a citizen of California. The plaintiff and class members seek statutory damages of $5,000 for each time Google “read, learned the contents of” and used information obtained from a message or communication between PHE and the class without consent. Google’s potential exposure in the action is $5 million or more, it said.
Plaintiff Jessica Carey and defendant Comcast jointly asked the U.S. District Court for Southern Florida in Fort Lauderdale for an order transferring Carey's class action involving the October Citrix Systems data breach to the Eastern District of Pennsylvania in Philadelphia in a Thursday motion (docket 0:24-cv-60008). Carey’s Jan. 3 complaint vs. Citrix and Comcast (see 2401030066) said the defendants failed to collectively secure and safeguard her and other putative class members’ personally identifiable information. The suit asserts claims for negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. Carey’s action was one of 12 included in a motion before the Judicial Panel on Multidistrict Litigation to transfer cases in In Re: Citrix Data Security Breach Litigation to the Eastern District of Pennsylvania for coordinated or consolidated pretrial proceedings (see 2401120011). The MDL has since been renamed In Re: Comcast (NetScaler CVE-4966) Customer Data Security Breach Litigation. The first-filed action related to the Citrix Bleed incident was filed in Philadelphia federal court Dec. 19; since then, 16 more cases stemming from the same data breach have been filed against Comcast or Comcast and Citrix and are currently pending in the court, said the motion. Also Thursday, U.S. District Judge Donald Middlebrooks for Southern Florida signed an order dismissing Citrix from Carey’s class action following her March 1 notice of voluntary dismissal.
Good cause exists for the court to grant the FTC’s Feb. 9 motion to unseal eight documents in the agency’s case against Kochava, said a docket entry order Tuesday (docket 2:22-cv-00377) from U.S. District Judge Lynn Winmill for Idaho in Coeur d’Alene. “Neither party has objected to the unsealing of these documents,” said the FTC’s motion. Among the newly unsealed documents are Kochava’s July 5 motion to dismiss the FTC’s first amended complaint, and the FTC’s Aug. 9 response in opposition. The judge denied Kochava’s motion to dismiss in a Feb. 3 order (see 2402060041). The FTC sued Kochava in August 2022 for allegedly selling vast amounts of personal information about millions of people. The agency alleges that the data can reveal a person’s sensitive information, including religious affiliations, sexual orientation and medical conditions, and by selling that data, Kochava arguably invades consumers’ privacy and exposes them to significant risks of secondary harms.
Dagyana Ortiz-Nieves and Alternative for Kids seek the dismissal without prejudice of their verified complaint against Liberty Mobile of Puerto Rico, said their notice Tuesday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan. The Dec. 18 SIM swap complaint alleged that four Liberty employees accessed Ortiz-Nieves’ account without her authorization about 30 times between December 2020 and June 2022 and repeatedly failed to safeguard her personally identifiable information and customer proprietary network information (see 2312190061). Ortiz-Nieves is president of Alternative for Kids, a daycare center in Bayamon, Puerto Rico.
American Vision Partners knew its patients’ personally identifiable (PII) and personal health information (PHI) was compromised in a Nov. 14 data breach, but it “inexcusably delayed disclosing and providing notice” of the incident to its victims until February, alleged a class action Tuesday (docket 2:24-cv-00463) in U.S. District Court for Arizona in Phoenix. American Vision determined on Dec. 6 that hackers had compromised its patients' PII and PHI, affecting some 2 million individuals, but only first publicly disclosed the breach to the Department of Health and Human Services on Feb. 6; it then began issuing data breach notices to affected patients, the complaint said. Plaintiffs Ralph Gallegos of El Paso County, Texas, and James Drews of Pinal County, Arizona, received notices dated Feb. 15 from American Vision, informing them their PII and PHI were compromised in the data breach. As a result, both plaintiffs will be forced to invest “significant time” monitoring their accounts to detect and reduce the consequences of “likely identity fraud,” the complaint said. American Vision had numerous statutory, regulatory, contractual and common law duties and obligations to patients to keep their PII and PHI confidential, secure and protected from unauthorized access, the complaint said. The data exposed in the breach -- including Social Security numbers, medical records, and health and insurance data -- indicates plaintiffs and class members have suffered “irreparable harm,” it said. The defendant “failed to use reasonable security procedures” appropriate to the nature of the private information it maintained for the plaintiffs, it said. Causes of action include negligence and negligence per se, breach of implied contract, invasion of privacy, unjust enrichment and violation of the Arizona Consumer Fraud Act, it said. Plaintiffs seek statutory damages, prejudgment interest and an order of restitution. American Vision didn't comment Wednesday.