MOVEit Data Breach Litigation: Key Rulings Allow Claims to Proceed
A recent ruling in the MOVEit data breach litigation, heard in the District of Massachusetts, has clarified the path forward for several claims related to the widespread security incident. The decision, analyzed by Pierce Atwood LLP, indicates an expanding scope of liability for data breaches, particularly concerning cybersecurity practices and vendor management.
The litigation stems from a vulnerability in the MOVEit Transfer file transfer software, impacting numerous organizations and individuals. The court addressed motions to dismiss brought by defendants, yielding a mix of wins for both plaintiffs and defendants.
Key Outcomes for PBI and Other Defendants:
The court sided with defendants Progress Software Corporation and PBI regarding certain claims. Specifically, PBI successfully argued that its curative actions following the breach precluded statutory damages, and that its notification of these actions was sufficient.
Progress Software saw dismissal of claims under the California Consumer Rights Act (CCRA) due to a lack of evidence demonstrating a direct relationship between plaintiffs and the company – a requirement of the CCRA. Claims under the California Confidentiality of Medical Information Act (CMIA) were also dismissed, as the court determined that the statute’s definition of “consumer” applies only to individuals, not business entities directly impacted. Plaintiffs also abandoned claims related to data-breach notification statutes, leading to their dismissal.
Notable Wins for Plaintiffs:
However, plaintiffs secured key victories, particularly against the “Bellwether Defendants.” The court found that allegations of “unreasonably weak internal and external cybersecurity protocols” were sufficient to state a claim for unfair conduct under Massachusetts’ Chapter 93A (Massachusetts Consumer Protection Act).
Regarding the CCPA, the court ruled that, for one Bellwether Defendant, Welltok, the plaintiffs’ pre-suit notice was adequate. Crucially, the court found sufficient the plaintiffs’ argument that the breach occurred because of the defendants’ failure to implement preventative security measures, rejecting arguments that the breach wasn’t a direct result of security failings.
Plaintiffs also saw success with unjust enrichment claims against Progress in some states. The court determined that allegations sufficiently established Progress’ business relied on protecting sensitive data, satisfying the “conferred benefit” element of the claim.
Declaratory Relief Remains in Play:
The court also denied the defendants’ motion to dismiss the plaintiffs’ requests for declaratory relief, noting that these requests focused on ongoing risks: the continued inadequacy of security measures and the potential for future compromises.
Implications for Vendor Risk Management:
Pierce Atwood LLP highlights the ruling as a critical signal: “data breach litigation risk is expanding across state law theories based on cybersecurity practices and vendor management.” The firm emphasizes the necessity of “robust, proactive security measures, careful vendor vetting, and a clear understanding of state and federal data protection laws.” They also caution that the complex choice-of-law analysis inherent in these cases necessitates careful consideration of applicable law during both compliance efforts and litigation strategy.
[Source: https://www.firstclassdefense.com/moveit-data-breach-litigation-district-of-massachusetts-allows-bellwether-negligence-and-consumer-protection-claims-to-proceed/ ]