negligently failed to secure their PII, which led to unauthorized access, disclosure, and theft of their data. The data breach, which occurred on February 1, 2023, was part of a larger ransomware attack affecting NCB’s systems, and it was initially disclosed in March 2023. The breach ultimately affected over a million people. The plaintiffs claimed they suffered various damages, including unauthorized activity on their accounts, due to NCB’s alleged negligence in managing their data security. The plaintiffs brought claims against NCB for negligence, violations of federal and state laws, breach of contract, invasion of privacy, and unjust enrichment. NCB moved to dismiss eight of the 16 named plaintiffs, arguing that they lacked standing because they did not allege concrete injuries. NCB also sought the dismissal of 15 of the 17 claims on the grounds that the plaintiffs failed to state valid legal claims under Rule 12(b)(6). In response, the plaintiffs voluntarily dropped their claims against the bank defendants (BOA and Pathward), making those motions moot. The plaintiffs also withdrew claims related to the Fair Credit Reporting Act, the California Customer Records Act, and invasion of privacy. The court granted NCB’s motion in full. It dismissed eight plaintiffs for lack of standing due to their failure to show concrete injury, and it dismissed the remaining claims because the plaintiffs failed to state valid legal claims for which relief could be granted. Accordingly, the court granted NCB’s motion and significantly narrowed the claims against it.

In re MOVEit Customer Data Security Breach Litigation, 2024 U.S. Dist. LEXIS 224712 (D. Mass. Dec. 12, 2024), involved the MOVEit Transfer data breach caused by a cybercriminal group, Cl0p, which exploited security vulnerabilities in the software to exfiltrate personally identifiable information (PII) and protected health information (PHI) from over 2,600 entities, affecting 93 million records.
The breach also involved extortion attempts by Cl0p, threatening to release the stolen data unless a ransom was paid. Id. Hundreds of affected entities had the stolen data published on the web, leading to concerns about fraud and the potential misuse of the exposed data. The plaintiffs asserted that both the software company (Progress Software Corp.) and other defendants failed to take adequate precautions before and during the breach, leading to various harms, including potential fraud and future misuse of their data. Over 300 individual cases were filed, leading to the creation of the MDL in October 2023, which consolidated the cases in the U.S. District Court for the District of Massachusetts. Following the creation of the MDL, a briefing schedule was set for threshold issues, including motions to dismiss for lack of standing. The plaintiffs filed a common complaint in May 2024, which set out common factual allegations relevant to the standing analysis. The defendants moved to dismiss, alleging that the plaintiffs’ allegations failed to allege an injury-in-fact and challenging the traceability requirement for standing. With regard to injury-in-fact, the court found that the plaintiffs sufficiently alleged a material risk of further harm, an actual injury, and future risk of harm. The court took a generalized approach in looking at the totality of the allegations, instead of a more granular approach that was plaintiff-specific. For example, the court stated that if between 30 and 157 plaintiffs (out of 300+) have asserted actual injury, that was enough to apply across the board for actual injury. Id. at 21. Relative to the traceability factor, the court held that the plaintiffs plausibly alleged exposure of their data to Cl0p “which is fairly traceable to Defendants’ actions vis-à-vis the Data Breach.” Id. at 26.
The court ruled that the complaint could stand but that through discovery, the plaintiffs’ claims against various entities “may prove insufficient to establish liability at subsequent stages of the MDL.” Id. at 29. The court granted the motion to dismiss as to four claims that predated the date of when the alleged breach occurred, finding there was no traceable injury. Id. at 31. The court also dismissed requests for injunctive relief. Accordingly, the court granted in part and denied in part the defendants’ motion to dismiss.

In this putative class action entitled De Medicis, et al. v. Ally Bank and Ally Financial, Inc., 2024 WL 1257022 (S.D.N.Y. Mar. 25, 2024), the plaintiffs alleged that the defendants Ally Bank and Ally Financial, Inc. recklessly or negligently disseminated their customers’ account usernames and passwords to unnamed, unauthorized third parties through a coding error in Defendants’ website portal and failed to take reasonable measures to maintain the confidentiality of those usernames and passwords. The plaintiff, on behalf of himself and all others similarly situated, brought this action against the defendants asserting claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, violations of the Virginia Personal Information Breach Notification Act and the North Carolina Unfair and Deceptive Trade Practices Act, and injunctive/declaratory relief under the Declaratory Judgment Act. The defendants moved to dismiss the complaint under Rule 12(b)(1) and 12(b)(6). Similar to the plaintiff’s first attempt, the court again dismissed the class action on standing grounds. In its prior opinion, the court dismissed the plaintiff’s claims for lack of Article III standing because the plaintiff failed to allege he suffered a concrete, particularized injury-in-fact or a substantial risk of future injury.
In his amended complaint, the plaintiff asserted the same claims previously asserted against the defendants for negligence, negligence per se, breach of implied contract, violations of the Virginia Personal Information Breach Notification
© Duane Morris LLP 2025
Duane Morris Data Breach Class Action Review – 2025