Federal Court Rejects Efforts to Derail Cybersecurity Litigation Settlement
Following a widespread data event and subsequent cybersecurity litigation, last month a group of individuals (“Proposed Intervenors”) moved to intervene and oppose preliminary approval of a negotiated proposed settlement. Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021). Ultimately, the Court denied the motion. Read on to learn more and what it may mean for other similar cases going forward.
First, some background. In December 2020, Defendant Accellion notified its clients that it had experienced a data event. According to filings in the litigation, cybercriminals targeted vulnerabilities in Accellion’s legacy file transfer product during December 2020-January 2021. The incident affected a number of public and private sector entities. Litigation, including a number of California Consumer Privacy Act class action lawsuits, followed. This included claims raised that were related to Accellion’s and other Defendants’ alleged failure to maintain reasonable security procedures. As alleged in one of the complaints:
Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70. However, notwithstanding that over fourteen lawsuits were filed against Accellion and other parties in three federal forums, the Judicial Panel for Multidistrict Litigation (“JPML”) denied in June 2021 a motion to consolidate the litigations for coordinated pretrial proceedings. [Note: This is consistent with a broader trend in 2021 of multidistrict litigations reaching an all-time low, notwithstanding that the number of privacy class actions filed continues to exponentially rise year over year.]
In this particular instance, the JPML denied consolidation on the basis that “[m]ost parties, including two defendants, oppose centralization, and have cooperated to organize all but two actions into three coordinated or consolidated proceedings” ongoing in the Northern District of California, the Eastern District of Michigan, and the Southern District of Ohio. These constituent actions were pending “in just three courts before three judges.” As such, the JPML ruled that “informal coordination” among the parties was preferable, particularly in light of JPML precedent that “centralization under Section 1407 should be the last solution after considered review of all other options.” (emphasis supplied).
Which brings us back to Cochran. In that case, one of the entities that used Accellion as a services provider agreed as part of a $5 million dollar settlement to modify its business practices going forward. This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event, and boosting its third-party vendor risk management program. [Note: For more on other data privacy litigations brought against vendors, check out our prior coverage here]. In June 2021, Plaintiffs in Cochran moved for preliminary approval of a nationwide class action settlement. Thereafter, the Proposed Intervenors moved to intervene and oppose preliminary approval of the Parties’ proposed settlement.
In denying the Proposed Intervenor’s Motion to Intervene, the Court analyzed intervention as a matter of right and permissive intervention.
Turning to intervention as of right, the Court noted this procedural device requires the moving party to show it has (1) a significant protectable interest, (2) which may be impaired or impeded, (3) the application is timely and (4) lack of adequate representation by existing parties. Fed. Rule Civ. Proc. 24(a). The Proposed Intervenors argued for intervention as a matter of right because they claimed that settlement terms were not fair. The Court, however, rejected this argument because the Court heard the Proposed Intervenors’ objections to the proposed settlement on two occasions and the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class. Furthermore, the Court found that the Proposed Intervenors' interest in a preliminary settlement approval is not a “significant protectable interest,” and did not analyze the remaining factors.
In the alternative, the Proposed Intervenors advocated for permissive intervention. This allows a court to grant intervention where the applicant shows (1) independent grounds for jurisdiction, (2) that the motion is timely, and (3) a common question of law or fact with the applicant’s claim or defense and the main action. Fed. Rule Civ. Proc. 24(b). For reasons similar to its analysis for intervention as a matter of right, the Court in its discretion quickly dismissed this avenue of intervention. The Court emphasized that the Proposed Intervenors already had the opportunity to participate in the fairness hearings.
This litigation illustrates several broader data privacy litigation trends in 2021, including a rise in individual data privacy class actions that are not consolidated as part of an MDL, litigation brought against vendors and services providers in the wake of a data event (as well as other parties with which they contracted), and barriers to individuals interested in disrupting a negotiated settlement agreement (absent circumstances that did not apply here). For more developments on this area of the law, stay tuned. CPW will be there to keep you in the loop.