Massive Consolidated Lawsuit Blazes Trail for Hacking Litigation

December 7, 2023, 6:14 PM UTC

Hundreds of attorneys are gearing up to litigate the largest systems hack of the year in a case that could establish a roadmap for how lawyers and judges manage similar consolidated class actions, attorneys said.

Dozens of businesses are defending claims that they’re responsible for the exposure of customer Social Security numbers and other private information they stored on Progress Software Corp.'s MOVEit file transfer software breached by Russian cybercriminals in May.

Hackers ultimately obtained data from more than 2,600 organizations, including US government agencies, the nation’s largest pension fund, and major companies like IBM Corp. More than 240 class actions have been consolidated into one proceeding at the US District Court for the District of Massachusetts.

The multidistrict litigation, or MDL, has the potential to set a new standard for trying cyber cases that involve third-party vendors being hacked, attorneys said. Determining who’ll serve as lead counsel is among the key first steps.

“Seeing how the MDL manages, it will be interesting to see if it sets a paradigm for similar cases like this in the future,” said David Opderbeck, a cybersecurity law professor at Seton Hall University in New Jersey.

More cases are still being added to the list in Massachusetts, though in decreasing numbers. Plaintiffs allege Progress Software and its customers are liable because they didn’t perform due diligence or maintain proper cybersecurity protections, leaving their information at risk when the ransomware gang Clop exploited a previously unknown vulnerability in the MOVEit software.

A data-breach MDL of this magnitude is rare, and the court will address core questions that arise in such cases, Opderbeck said.

“We’re likely to see more cases involving third-party software that’s used widely across different industry sectors, like the MOVEit software was,” he said. “This also just kind of highlights the many, many layers of third parties who are involved in moving data around, and at any given point any one of them can be vulnerable.”

Consolidation Debate

The cases involving the MOVEit breach filed in federal court so far name nearly 90 different defendants, including law firms and insurance providers, according to court filings. The Judicial Panel on Multidistrict Litigation identified the Massachusetts court as the most efficient venue to answer common questions raised by the class actions, despite the host of disparate defendants.

The consolidation reduces the risk of different courts publishing conflicting rulings on the same questions. That consistency will be helpful to attorneys, because data-breach “case law is all over the place,” said Linn Freedman, a data breach and complex litigation partner at Robinson & Cole LLP.

A handful of plaintiffs objected to having their claims consolidated in Massachusetts, citing differences in their cases’ primary defendants and how individual data breaches unfolded.

The consolidation panel overruled those concerns, identifying the MOVEit vulnerability as the “core of all cases” and suggesting Judge Burroughs could remand certain cases to their original venues following discovery.

“You’re going to at least have common discovery and probably some common dispositive motions as to exactly what the fault was in the MOVEit software,” Opderbeck said. “Some parties will want to do their own discovery in that area, but now they’re going to have to live with whatever happens in the MDL.”

Vying to Lead

But before the consolidated proceeding can move forward, lead counsel must be assigned. Judge Allison D. Burroughs at a Nov. 30 case-management conference gave the numerous plaintiffs’ attorneys until Dec. 15 to file their leadership proposals.

Deciding who controls the case strategy is the “biggest initial procedural turning point in the case,” said Simon Grille, a plaintiffs’ attorney at Girard Sharp LLP who has worked on several complex litigation cases involving data breaches.

“It’s competitive because there’s a lot of good firms, and usually in a big MDL like this one, you’re competing against people who are equally qualified as you,” Grille said. “And the challenge is really how do you distinguish yourself.”

Standing out as a lead counsel candidate requires some creativity, but attorneys can gain an edge with the court by filing their proposals first, he said.

Several groups are vying to lead the plaintiff class, which is represented by 170 law firms. The leading proposal, supported by a majority of firms who sued over MOVEit, coalesces a nine-person steering committee of attorneys who’ve litigated major consolidated data breach cases that yielded multimillion-dollar settlements with the likes of Equifax Inc. and T-Mobile Inc.

While plaintiffs’ attorneys are teeing up proposals for how to best advance the case, defense counsel are deliberating to identify one or several liaisons to help coordinate proceedings among themselves, the court, and plaintiffs. Attorneys on both sides either declined or didn’t respond to requests for comment on the record.

Attorneys are also debating whether to manage the cases within “tracks” for defendants in specific industries or those favoring settlement over pursuing the case to trial.

So few data-breach cases are consolidated in the kinds of numbers involved in this MDL that counsel may examine how attorneys managed tracks and other consolidation complexities in areas of law like toxic tort cases filed over asbestos exposure, where plaintiffs can number in the tens of thousands, Freedman said.

Attorneys may also study recent district court rulings involving software company data breaches, such as a denial of a motion to dismiss that allowed plaintiffs to allege software provider Blackbaud Inc. violated California privacy statutes after a cyberattack, which could provide a useful reference to attorneys pursuing state law claims, Grille said.

“Those are vigorously litigated claims because they provide a path to damages, which can be difficult in data breach cases,” Grille said.

Dwindling New Breaches

While the number of cases brought together in Massachusetts “inevitably” grows, as the defendants put it in a case filing, the pool of new likely defendants appears to be shrinking. Fewer breaches linked to the software vulnerability have been occurring day by day, said Ariel Ropek, a principal threat researcher at cybersecurity firm Panther Labs Inc.

Software vendors like MOVEit undergo cybersecurity incidents on a regular basis, Ropek said, but the MOVEit hack has attracted so much litigation because of how widespread private data exposure became.

“Zero days occur in large numbers, and oftentimes they’ll be exploited once or twice and then patched and then they kind of disappear off the radar,” he said, referring to attacks exploiting previously unknown vulnerabilities. “In this case, the ransomware gang was able to successfully exploit a large number of vulnerable organizations simultaneously and then pivot through the supply chain from one organization to the next.”

Ropek said a sophisticated ransomware gang like Clop likely first identified several software systems used by high-value targets before discovering the MOVEit vulnerability, underlining the importance of businesses understanding which vendors they’re using to manage specific types of data.

More than 632,000 employees of the Justice and Defense departments had their email addresses exposed as a result of the hack, Bloomberg News reported. Several government bodies—including NASA and the Veterans Affairs Department—have active contracts to use the MOVEit system, according to information in the Federal Procurement Data System.

But the work ahead looms over attorneys even as the addition of cases slows. Once counsel for each side finish jockeying for leadership positions, Seton Hall’s Opderbeck said, discovery and other filings that progress the case will begin. Many businesses will likely find settling cheaper than going to trial, he said.

“I wouldn’t be surprised if eventually—within a couple of years—most of these cases get pulled together in some kind of global settlement, and consolidating is part of what makes that kind of thing more feasible,” Opderbeck said.

The case is In Re: MOVEit Customer Data Security Breach Litigation, J.P.M.L., No. 3083, initial status conference held 11/30/23.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: Adam M. Taylor at ataylor@bloombergindustry.com; Tonia Moore at tmoore@bloombergindustry.com
