Consumer Electronics Daily was a Warren News publication.
'Hundreds' of Breaches

Plaintiff Linked With MOVEit MDL Asks Court to Deny Bailey Consolidation Motion

The “vast breadth” of centralization plaintiff Bruce Bailey sought in his Friday reply (see 2308140020) means parties in cases associated with MOVEit Customer Data Security Breach Litigation that don't name multidistrict litigation (MDL) defendants Progress Software Corp. (PSC), Ipswitch or Pension Benefit Information (PBI), and who aren't monitoring the MDL docket, “had no way of knowing that their cases are at risk of being swept up in a sprawling MDL,” said plaintiff Carlos Harding in a Monday interested party response (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation (JPML). Harding urged the JPML to deny Bailey’s motion for transfer and centralization of related actions filed July 6.

Harding filed a class action Aug. 8 involving the MOVEit breach in U.S. District Court for Eastern Virginia, naming as defendants only Maximus and Maximus Federal Services, which are located in that district, but none of the MDL defendants. Bailey seeks to have cases related to the MOVEit data breach transferred to and centralized in the U.S. District Court for Minnesota; Harding said if the JPML considers “defendant-specific MDLs," it should centralize the Maximus cases in the Eastern District of Virginia.

The scope of the proposed MDL has changed substantially since Bailey’s initial motion and would potentially result in the centralization of claims related to “hundreds of independent breaches, each of which occurred at different times, resulted from different data security failures, involved different breached promises or representations, involved different data, and resulted in different damages,” said Harding’s response, referencing Bailey's reply.

Because PSC’s customers “who are impacted by the breach are being identified on a near-daily basis,” the JPML isn’t currently well positioned to “fully assess the number of litigants, the type of litigants, or the nature of the claims that any MDL would encompass,” said Harding’s response. If the JPML decided to consider an MDL of the scope proposed in Bailey’s reply, he should be required to “provide notice to all affected litigants, who should have the opportunity to respond,” said the response.

Harding cited a similar case, Accellion, Inc. Customer Data Security Breach Litigation (docket 3002), an MDL involving multiple data breaches via Accellion’s file transfer software, Appliance. The JPML denied centralization in Accellion, “finding factual differences specific to each defendant outweighed any overlap among the actions" as to Accellion’s product, said the response. The same reasoning should apply in MOVEit: The proposed MDL “would potentially involve hundreds of defendants with no relationship beyond use of PSC's MOVEit” file transfer software, and many of the potential actions don’t name PSC as a defendant, it said.

The JPML “should conclude centralization is unnecessary and that any efficiencies to be gained by centralization can be accomplished through informal coordination, where necessary,” Harding's response said. Consolidation and transfer are appropriate only where common questions of fact prevail, but there is nearly a “total lack of common questions of fact” between Harding’s action and those naming the MDL defendants sought to be consolidated by the MDL motion, it said. The same is true of the numerous other actions filed against MOVEit users that do not name the MDL defendants, it said.

Harding’s claims and discovery will focus on Maximus’ duty to its customers to protect private personal and health data; Maximus’ data privacy processes and procedures and its failure to detect, prevent or minimize the scope of the data breach; its response to the breach after discovering it and steps taken to mitigate damage; the value of information exfiltrated during the breach; and facts about Maximus’ “eventual” notice to affected individuals, it said.

Harding doesn't allege MDL defendants PSC, Ipswitch or Pension Benefit Information failed to protect his data, said the response. The only shared fact between Harding’s action and others naming the MDL defendants “is the hackers’ exploitation of the MOVEit software vulnerability which, standing alone, falls far short of satisfying the ‘heavy burden’ of warranting centralization,” it said. That will also be true in other cases in which only MOVEit customers, and not the MDL defendants, are named, it said.

Meanwhile, attorneys filed notices of related actions for three lawsuits in the MOVEit MDL this week. Attorney Paulyne Gardner of Mullen Coughlin, said Tuesday Golestani v. Pension Benefit Information (docket 0:23-cv-02478), filed in U.S. District for Minnesota, and Taylor v. Pension Benefit Information (docket 5:23-cv-01617), filed in U.S. District Court for Central California, relate to the MOVEit MDL. Attorney Eamon Joyce of Sidley Austin notified the JPML of a related complaint, Smith v. Genworth Financial (docket 3:23-cv-00510) in U.S. District Court for Eastern Virginia, which has been filed but not served.