Donald Hess seeks damages, injunctive relief and restitution on behalf of himself and other consumers whose sensitive personal information was stolen after a cybersecurity breach at Rivers Casino in Des Plaines, Illinois, that started in August, said his class action Thursday (docket 1:23-cv-16791) in U.S. District Court for Northern Illinois in Chicago. The information stolen in the data breach included individuals’ “private, sensitive information,” including their full names, phone numbers, email addresses, dates of birth, driver’s license ID numbers, financial account numbers, passport numbers and Social Security numbers, it said. As a result of the data breach, Hess and the class members have “recognizable losses,” including an increased risk of identity theft or fraud, the loss of the benefit of “contractual bargain,” and the loss of time and resources for “rectifying or mitigating the effects” of the data breach, it said. A Milwaukee resident, Hess also brings his class action to address the casino’s “reckless handling” of consumers’ personal information, it said. The casino’s lax maintenance and control of its internal servers and computer networks left the personal information “vulnerable to external attacks,” it said. Its lack of “proper encryption protocols and software” left those internal servers and networks “defenseless against third-party attacks,” it said. The casino must have known, “or alternatively should have known,” of the foreseeable risk of potential cyberattacks on its internal servers and computer networks, it said. The casino “was on notice” that the failure to properly maintain network security could compromise consumers’ personal information “and cause future harm,” it said. The injunctive relief Hess seeks includes profiting the casino from maintaining consumers' personal identifying information on a cloud-based database, "if, in fact, it does so," it said. The class action also wants the court to require the casino to hire "independent third-party security auditors" or "penetration testers," it said.

Plaintiff-appellants Ayana Stevenson, David Ambrose and Lisa Ramirez don’t believe that mediation would be conducive to their appeal against SiriusXM, “which will probably focus on pure issues of law,” said their mediation questionnaire Tuesday (docket 23-4018) at the 9th U.S. Circuit Court of Appeals. They allege that SiriusXM falsely advertised its music plans at lower prices than it actually charges, and contend that the district court erred when it granted SiriusXM’s motion to compel their claims to arbitration (see 2311130005). The two main issues on appeal are whether the plaintiffs may properly raise a violation of the Discover Bank rule, and whether a provision prohibiting arbitration as a private attorney general violates the McGill rule by prohibiting public injunctive relief, said the questionnaire. In the Discover Bank rule, the U.S. Supreme Court ruled in a 2005 decision that an arbitration clause was unenforceable because a class-action waiver contained within it would exculpate Discover Bank from liability for wrongdoing involving small sums of damages. Under California's McGill rule, an arbitration provision that waives the right to seek public injunctive relief in all forums is unenforceable.

U.S. District Judge Michael Moore for Southern Florida in Miami signed an order Monday staying Garrison v. MLB because it's a member case in In Re: FTX Cryptocurrency Exchange Collapse Litigation (docket 1:23-md-03076). Moore ordered the case to be administratively closed for statistical purposes, while the claims proceed under the multidistrict litigation, said the text-only order. The court will retain jurisdiction, and the case “will be restored to the active docket upon motion of a party if circumstances change so that the action may proceed to final disposition,” the order said.

There’s “no substantive opposition” to AT&T’s motion to transfer to the Northern District of Texas in Dallas the securities fraud class action in which the company is alleged to have made “materially false and misleading statements” about its ownership of legacy telecom cables laden with toxic lead (see 2311270004), said AT&T’s reply memorandum of law Monday (docket 2:23-cv-04064) in U.S. District Court for New Jersey in Newark in further support of its motion to transfer. The two AT&T shareholder applicants for lead plaintiff claiming the largest alleged losses, the New York City Public Pension Funds and the New Mexico State Investment Council, “have each filed notices of non-opposition to the transfer,” said the memorandum. Another shareholder, Velliv, Pension & Livsforsikring, has acknowledged that the two other shareholders have larger alleged losses and has said it should be selected as lead plaintiff only in the event the court decides that the other two applicants fail to satisfy Private Securities Litigation Reform Act standards, AT&T said. As to the transfer issue, Velliv doesn’t dispute the merits of AT&T’s motion, but instead suggests that it should be deferred until after the appointment of a lead plaintiff, said the memorandum. “This suggestion lacks merit given that neither party claiming to be the presumptive lead plaintiff opposes transfer,” it said. “Indeed, courts often decide a transfer motion first so that the court determining the lead plaintiff is the same court deciding other issues in the case,” it said.

Apple’s Nov. 24 motion to dismiss plaintiff Lisa Bodenburg’s Nov. 9 first amended class action complaint (see 2311270043) is without merit and should be denied, said Bodenburg’s opposition Friday (docket 3:23-cv-04409) in U.S. District Court for Northern California in San Francisco. Bodenburg alleges that Apple delivers iCloud+ subscribers 5 GB less monthly cloud-storage capacity than they pay for. Her first amended complaint alleges a principal claim for breach of contract, with derivative claims for violations of California’s Consumer Legal Remedies Act, False Advertising Law and Unfair Competition Law, “all arising from the same allegations and conduct forming part of the breach of contract claim,” said her opposition. Apple’s attack on Bodenburg’s breach of contract claim fails “because the contract interpretation Apple concocts flies in the face of the unambiguous plain meaning” of the iCloud legal agreement “that Apple itself drafted,” it said. Under the agreement, Bodenburg and all putative class members who paid Apple for their additional storage “should have received the storage they paid for under their iCloud subscription plan in addition to the 5 GB of free storage they already had,” it said. But Bodenburg alleges, and Apple now confirms, that Apple “provided no such thing,” it said. Instead of delivering cloud storage in addition to the free 5 GB of cloud storage Bodenburg already had, Apple provided only the amount of storage that was supposed to be provided in addition to the free 5 GB of storage “without also retaining the 5 GB of cloud storage” Bodenburg already had, thus “shortchanging” her and all putative class members by 5 GB, it said. Apple provided the iCloud subscription storage instead of or to supplant the 5 GB of storage Bodenburg and all class members already had, instead of in addition to it, it said. Because that practice directly contradicts the agreement’s “plain terms,” Apple’s attack on Bodenburg breach of contract claim fails, it said.

Plaintiff Matthew Hamilton and some 46,000 class members, including former customers, suffered “concrete injuries” due to a data breach at Marshfield, Wisconsin-based Forward Bank, alleged Hamilton's privacy class action Friday (docket 3:23-cv-00844) in U.S. District Court for Western Wisconsin in Madison. Forward Bank maintained, used and shared customers’ personally identifiable information (PII) in a “reckless manner,” the complaint said. Hamilton, a resident of Medford, Wisconsin, received a letter from Forward dated Nov. 17, informing him the bank experienced a “network disruption” Sept. 11 and discovered files may have been “acquired without authorization” on or about Sept. 6, it said. Hamilton is a former Forward customer, who closed his account in 2021, the complaint said. To open that account initially, he had to provide PII including his name, Social Security number “and other sensitive information,” the complaint said. At the time of the data breach, Forward “retained Plaintiff’s PII in its system,” it said. After a “thorough review” of the files, on Oct. 27, the bank learned Hamilton’s PII was identified as “being contained within the potentially affected data," the complaint said. Stolen information may have included Hamilton’s name, Social Security number, driver’s license or other government ID number and financial information, it said. The “disclosure” letter “amounts to no real disclosure at all, as it fails to inform, with any degree of specificity,” critical facts, said the complaint. The letter didn’t disclose the cause of the breach, the vulnerabilities exploited and the remedial measures the bank was undertaking to ensure such a breach doesn’t happen again, it said. Without such details, plaintiff’s and class members’ ability to mitigate risks from the breach “is severely diminished,” it said. The bank didn’t use reasonable security procedures and practices appropriate to the nature of the PII they were maintaining for customers, said the complaint, including encrypting the information or deleting it when it is no longer needed. Experian informed Hamilton that his PII was disseminated on the dark web; he further believes it was sold on the dark web following the data breach, “as that is the modus operandi of cybercriminals that commit cyberattacks of this type,” the complaint said. Hamilton suffered actual injury from having his PII compromised after the breach, including invasion of privacy; theft of his PII; lost or diminished value of his PII; lost time and opportunity costs associated with attempting to mitigate the breach's consequences; loss of benefit of the bargain; and the continued and increased risk to his PII, which “remains unencrypted and available for unauthorized third parties to access and abuse,” it said. Hamilton asserts claims of negligence and negligence per se; breach of implied contract; unjust enrichment; and violation of Wisconsin’s Deceptive Trade Practices Act.

The mediation questionnaire is due Tuesday from plaintiff-appellants Ayana Stevenson, David Ambrose and Lisa Ramirez in their appeal of the district court’s Nov. 9 order granting SiriusXM’s motion to compel their claims to arbitration (see 2311130005), said a docketing notice and time schedule order Thursday (docket 23-4018) at the 9th U.S. Circuit Court of Appeals. Their opening brief is due Feb. 28, and SiriusXM’s answering brief is due March 29, said the order. U.S. District Judge William Orrick, in granting SiriusXM's motion to compel, also granted the plaintiffs’ request to dismiss the case without prejudice so that they could immediately appeal. Stevenson, Ambrose and Ramirez allege that SiriusXM falsely advertised its music plans at lower prices than it actually charges. They unsuccessfully opposed SiriusXM’s motion to compel, arguing that provisions in their customer agreement’s “class action waiver” violate California public policy, are unenforceable, and as a result trigger a “poison pill” -- a non-severability clause in the waiver -- nullifying the entire arbitration agreement.

Amid plaintiff Tiffany McDougall's notification to the court that she doesn’t intend to pursue her arbitration claims against Samsung at this time (see 2312050047), her case is dismissed “without costs and without prejudice,” said an order signed Wednesday (docket 1:23-cv-00168) by U.S. District Judge Lorna Schofield for Southern New York in Manhattan. McDougall may apply to restore her action to the court’s calendar within 30 days, “provided that she has commenced arbitration proceedings,” said the order. The judge granted Samsung's motion to compel McDougall's claims to arbitration on Oct. 3. Any application to reopen the case that McDougall files after 30 days “may be denied solely on that basis,” it said. All pending motions are denied as moot, and conferences are canceled, it said. McDougall bought her Galaxy S21 Ultra 5G smartphone with 128 gigabytes of storage in September 2021. She alleged Samsung misled her because part of the phone’s advertised 128 GB storage space is occupied by its operating system and preinstalled applications, leaving 101.4 GB of memory for users to store applications, photos, videos and music.

An initial pretrial conference is set for Dec. 14 at 2 p.m. on the SEC’s Oct. 30 securities fraud complaint against SolarWinds and Timothy Brown, its chief information security officer (see 2310310041), said an order signed Wednesday (docket 1:23-cv-09518) by U.S. District Judge Paul Engelmayer for Southern New York in Manhattan. The parties also are to submit a joint proposed case management plan by Monday, said the order. The Dec. 14 conference will be held in person, it added. Engelmayer’s judgment “is that an in-person, rather than telephonic, conference, is better suited to the demands of this complex case,” said the order. The SEC’s 10-count complaint alleges that SolarWinds and Brown “defrauded investors through misstatements, omissions, and schemes that concealed” the company’s “poor cybersecurity practices and its heightened -- and increasing -- cybersecurity risks.”

AT&T Wireless withdrew funds from a customer’s account after the customer canceled service and revoked authorization for withdrawals, alleged a fraud complaint Wednesday (docket 3:23-cv-02228) in U.S. District Court for Southern California in San Diego. Plaintiff Esiah Smith of San Diego entered into an agreement with AT&T in August 2022 and soon after returned the phone and stopped using its wireless service, the complaint said. Smith’s “alleged debt” was set up to be paid via recurring monthly automatic payments of $211.32 from his checking account, said the complaint. AT&T withdrew payments from August to October, and in November, Smith revoked the defendant’s authorization to make electronic fund transfers from his account, it said. Smith spoke to an AT&T representative Nov. 18, 2022, who confirmed his account was canceled, and AT&T issued refunds for August-October payments, the complaint said. On Dec. 9, AT&T again withdrew $211.32 from Smith’s checking account. The carrier was unable to say why the withdrawal occurred after Smith canceled service, and he has not been issued a refund for the December withdrawal or any additional communication, it said. As a result of the error, Smith has experienced anger, stress, worry, frustration, embarrassment and mental distress, said the complaint. Smith asserts violations of the Electronic Fund Transfer and California Consumers Legal Remedies acts and the Unfair Prong of the California Unfair Competition Law, it said. He seeks actual damages and attorney’s fees and costs. AT&T didn't comment.