Consumer Electronics Daily was a Warren News publication.
PSC Exposure 'Capped'

3 MOVEit MDL Defendants Move to Dismiss 6 Suits on Home-State Exception

Three defendants in In Re: MOVEit Customer Data Security Breach Litigation filed a joint motion (docket 3083) Monday to dismiss six class actions based on the home-state exception to the Class Action Fairness Act in U.S. District Court for Massachusetts in Boston.

Performance Health Technology, Greater Rochester Independent Practice Association and Union Bank and Trust claim the cases naming them as defendants in the MDL involving Progress Software Corp.'s May 2023 MOVEit file-transfer software data breach were all filed in transferor courts asserting jurisdiction based on CAFA. But CAFA’s grant of subject-matter jurisdiction doesn’t extend to any of those actions, each of which falls into the home-state exception, the motion said.

In each of the six lawsuits, two-thirds of the members of the putative classes are citizens of the same state as are all “primary defendants,” said the motion. The only defendant in any of the actions with citizenship different from the “overwhelming majority of the class” is PSC, but the software company is “not a 'primary’ defendant” because its presence in the suits “is of little to no legal or practical significance,” said the motion. PSC’s citizenship is “thus irrelevant” for purposes of determining the Massachusetts’ court’s jurisdiction, it said.

The motion noted the “vast number of cases” involving the MOVEit breach in which PSC “is simply not named as a defendant at all.” Of the 17 cases named against the defendants, PSC is named in only three, so it “cannot be said that Progress is 'first in importance’ to, or the 'real target’ of, these lawsuits when its presence in them is so demonstrably optional,” said the filing.

PSC wouldn't likely be expected to incur most of the loss if liability is found, said the motion, citing Manson v. GMAC Mortgage. In a January investor filing, PSC said it was party to about 118 class actions related to the MOVEit breach, a defendant in another case brought by an insurer, and “the recipient of 'formal letters from 31 customers and others that claim to have been impacted by the MOVEit Vulnerability, some of which have indicated that they intend to seek indemnification,’” said the motion.

PSC’s actual contribution to any judgment or settlement involving the MOVEit breach in any of the home-state cases “will be exceedingly limited,” the motion said. PSC has a market capitalization of just over $2 billion, and estimates for the total cost of the MOVEit breach top $12 billion, it said. If PSC is ultimately found liable for the breach, “it will have almost no 'ab[ility] to satisfy a potential judgment’ in any of these actions,” said the motion, citing Manson. “The 'lion’s share of any recovery’ in these cases will thus inevitably come from defendants other than Progress,” it said, citing Sudholt v. Country Mutual Insurance Co.

Because PSC’s liability exposure in the home-state cases is “effectively capped” -- and “minimal” compared with the “vast amount of damages” allegedly sustained by the members of the putative class – allowing its presence in a handful of home-state cases “to determine in which forum they proceed is to allow the tail to wag the dog,” the motion said.

Far from being the ‘primary defendant,' Progress is essentially an optional party, whose presence or absence in these matters will make essentially no difference to their resolution, either practically or legally,” the motion said. “The Court must decline jurisdiction pursuant to the home-state exception” and dismiss the home-state cases, it said The defendants have seven cases pending in the MOVEit MDL and 10 involving the data breach pending in various state courts.