Consumer Electronics Daily was a Warren News publication.
'Individualized Circumstances'

TIAA Opposes Centralization, Transfer in MOVEit MDL; Pushes for N.Y. Court

Plaintiffs Gayle Jentz, Andre Lopez, Gwendolyn Smuda, Steven Checchia and Robin Anderson and defendant Teachers Insurance and Annuity Association of America (TIAA) oppose plaintiff Bruce Bailey’s July motion for transfer and centralization of cases related to MOVEit Customer Data Security Breach Litigation to the district of Minnesota, said their Friday response (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation (JPML).

Plaintiffs and TIAA request that the panel deny Bailey’s motion of transfer and centralization for consolidated pretrial proceedings to the extent that it seeks to include in the proposed proceeding the actions filed by plaintiffs against TIAA. Since Bailey’s motion, “dozens of complaints” have been identified as related by counsel supporting the MDL, the response noted.

Bailey argued in his July 7 motion that transfer and centralization are appropriate because “all involve” defendants Progress Software Corp. (PSC) and/or Pension Benefit Information (PBI), and the Minnesota district is home forum for PBI. He argued that the cases arise from a “common nucleus of operative facts” -- the breach of the MOVEit file transfer application, owned by PSC and developed by its subsidiary, Ipswitch, “and controlled, for the purposes of these actions by PBI.”

But in August, seven actions were filed against TIAA, six in U.S. District Court for Southern New York and one in U.S. District Court for Northern Illinois; TIAA was the sole defendant in all seven. None of the cases makes claims against PSC or PBI, or any other party potentially involved in the MDL, said the opposition response. The New York cases were identified as related; the parties are coordinating on transfer and consolidation of the Illinois complaint, said the response. The parties have stipulated to consolidation, and U.S. District Judge Lewis Kaplan, to whom all six cases were assigned upon relation, entered a consolidation order on Aug. 30, it said.

On Sept. 1, the plaintiff in Marshall v. Progress Software Corp., (docket 23-cv-07822) represented by Leeds Brown attorney Jeffrey Brown, advocating for an MDL in other cases, filed a complaint in the Southern District of New York. That case mirrored allegations in the previously filed complaints against TIAA but also named PBI and PSC as defendants, the response said. The same day, Brown identified Marshall and four of the other complaints against TIAA -- Jentz, Lopez, Smuda and Anderson -- as allegedly related actions in the JPML, it said.

Bailey’s request to consolidate was based on all cases involving PBI’s use of MOVEit file transfer software and the District of Minnesota being an appropriate venue for cases brought against PBI, said the response. Similarly, many other parties supporting centralization argue it should occur in the District of Massachusetts, where PSC, a “key shared defendant,” is located. TIAA’s position is that transfer and centralization “is unwarranted, irrespective of venue.”

The response cited another case, Accellion, Inc. Customer Data Security Breach Litigation, in which the JPML was asked to transfer cases arising out of a security vulnerability in a different file transfer platform that also resulted in unauthorized access to information maintained by customers of that file transfer application (FTA). “As occurred with PSC’s MOVEit software, various organizations, including Kroger and the University of California, used Accellion’s file transfer appliance to move large files and quantities of data and threat actors exploited the vulnerability to steal data from Accellion’s customers,” said the response. The panel declined to transfer and centralize those cases, in part, because “any factual overlap among the actions as to Accellion’s FTA product, its vulnerability to attack, and its alleged support of this ‘legacy’ product may be eclipsed by factual issues specific to each [Accellion customer] defendant.”

TIAA plaintiffs said the situations are no different and the proposed MDL involves various defendants, including PBI, which directly or indirectly used MOVEit software for different purposes. “Whether there is liability for any one defendant will depend heavily on individualized circumstances, including whether that defendant directly used MOVEit or instead had a relationship to a company that used MOVEit, how and why it used MOVEit, its knowledge of and response to the data breach, and any relevant contractual arrangements and policies,” said the response. The individualized questions “go beyond the use of MOVEit by PBI and discovery into PSC’s actions in creating and securing MOVEit,” it said.

Cases against various other defendants subject to the MOVEit breach will involve individualized issues about their actions, “which will have no bearing on Plaintiffs’ claims and TIAA’s defenses in the New York cases against TIAA,” said the response. The principal questions of fact presented in the complaints filed against TIAA concern the company’s handling of information obtained from retirement plan participants or beneficiaries and its vetting of its vendors, it said.

The efficiency gain from transfer and centralization, one of the primary purposes of an MDL, “is lacking here,” said the response. Including the cases against TIAA “would only serve to complicate the centralized proceeding with little benefit to show for it,” it said, saying there are “numerous” efficiency gains from allowing the TIAA actions to proceed in the “already-consolidated” proceedings in Southern New York, “the venue where TIAA documents and witnesses are located.”