than 55 million people. Affected entities include Shell PLC, TIAA, American Airlines, the U.S. Departments of Energy and Agriculture, the government of Nova Scotia, and the Louisiana and Oregon Departments of Motor Vehicles. While the panel heard many arguments against consolidation and centralization, Judge Caldwell determined that all actions can be expected to share common and complex factual questions as to how the MOVEit vulnerability occurred, as well as the circumstances of the unauthorized access and Progress Software ’ s response. The panel recognized that while some of the suits target the customer-facing providers of the software and not MOVEit ’ s manufacturer, that does not mean that discovery in those actions must cease while common discovery is being conducted against other defendants in the MDL. Similarly, the panel put distance between this case and its decision to deny centralization in the litigation entitled In Re Accellion Inc. Customer Data Security Breach Litigation, 543 F. Supp. 3d 1372 (J.P.M.L. 2021), noting a difference in the software at the center of the litigation, the larger number of cases in the MOVEit litigation, and MOVEit owner Progress Software ’ s central role in it. Some plaintiffs opposing MOVEit centralization argued that, instead of a singular breach, there were numerous successive intrusions into different servers affecting different customer-facing defendants. But the panel opined this argument does not change the fact that MOVEit ’ s vulnerability is at the core of all cases. The panel chose the District of Massachusetts because more cases are pending there than in any other district and Progress Software is headquartered in the state, thereby increasing access to relevant employees, databases, documents, witnesses and other evidence. This data breach litigation is at the top of the watch list as we move into 2024. 3. The U.S. Supreme Court ’ s TransUnion Decision In regards to other recent jurisprudence that has impacted the data breach class action landscape, the U.S. Supreme Court ’ s decision in TransUnion LLC v. Ramirez, et al. , 141 S.Ct. 2190 (2021), remains a game-changer for defendants. In TransUnion , a class of 8,185 individuals sued a credit report agency for failing to use reasonable procedures to ensure the accuracy of their credit reports. Id. TransUnion used a third-party software to cross-reference its database with the Office of Foreign Assets Control ’ s (OFAC) terrorist list. Id. at 2201. The “cross-referencing” consisted only of comparing the first and last name of the individual with the first and last name of suspected terrorists on the OFAC list. Id. Part of the class (1,853 members) were tagged as “suspected” matches and had their misleading credit report distributed by TransUnion to a third-party business. Id. at 2200. For example, the named plaintiff , Sergio Ramirez, was denied the ability to purchase a car at a Nissan dealership because of an inaccurate OFAC alert on his credit report. Id. at 2201. The remaining members of the class had an inaccurate OFAC alerts on their credit report, but did not have their credit reports distributed. Id. The Supreme Court concluded that only the class members who had their misleading credit report actually distributed suffered a “concrete harm” and thus had Article III standing. The Supreme Court compared the injury to a “person [who] is injured when a defamatory statement ‘ that would subject him to hatred, contempt, or ridicule’ is published to a third party.” Id. at 2209. Because such a harm has a “close relationship” to harms traditionally recognized in American law, it was sufficient to establish an injury-in-fact for purposes of Article III standing. The Supreme Court rejected the claims of class members who only alleged TransUnion maintained files with inaccurate OFAC alerts. The Supreme Court concluded that “there is no ‘ historical or common law analog where the mere existence of inaccurate information, absent dissemination, amounts to concrete injury.” Id. (quoting Owner-Operator Independent Drivers Association, Inc. v. Department Of Transportation , 879 F.3d 339, 344 (D.C. Cir. 2018)). The Supreme Court also rejected the class members’ argument that the increased “risk of future harm” was sufficient to confer standing. Id. at 2210. It reasoned that although a “person exposed to a risk of future harm may pursue forward-looking, injunctive relief to
6
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online