Despite overlap of alleged putative nationwide class definitions, the Judicial Panel on Multidistrict Litigation (JPML) denied Geico’s attempt to consolidate five class-action lawsuits arising from a data breach notification published in April 2021 (impacting a reported 132,000 individuals). The JPML’s decision might set a precedential limit for transfer and consolidation of smaller data breach class-action lawsuits moving forward.

Geico Data Breach Litigation

Geico announced a data breach in April 2021, which occurred between January and March of this year. The threat actors impersonated individuals with valid Geico credentials to gain access to customer driver’s license numbers, and in many cases, filed fraudulent unemployment claims. According to Geico, 85% of the impacted individuals live in New York. In the wake of this disclosure, the plaintiffs filed five putative class-action lawsuits in New York (three lawsuits), Maryland (one lawsuit), and California (one lawsuit).

Geico submitted its motion to transfer and for consolidation to the JPML in June, arguing that each of the five cases shared the same factual basis and common legal issues. The plaintiffs in the three New York class-action cases fully supported the motion. The Maryland plaintiffs agreed with the concept of transfer and consolidation but argued for venue in Maryland. Only the California plaintiffs outright opposed consolidation.

The California plaintiffs argued that a subclass of California residents with claims arising under the CCPA were unique. They argued that establishing their claims under the CCPA would require the California plaintiffs to prove unique material facts to recover statutory damages, specifically pointing to the CCPA’s requirement that statutory damages are available if Geico does not cure the data breach in the manner prescribed under the CCPA. The California plaintiffs also noted that the CCPA is relatively new, and therefore, the MDL court (presumably located outside California) would be tasked with interpreting unsettled areas of California law.

The JPML’s Decision

The JPML denied Geico’s motion in a brief order on the basis that “centralization is not necessary for the convenience of the parties and witnesses or to further the just and efficient conduct of this litigation.” While the JPML found that the five cases share common questions of fact, the JPML did not believe that Geico met its burden that centralization is appropriate because “informal coordination among the small number of parties and involved courts appears eminently feasible.”

Conclusion

JPML’s decision is important. Given the increasing frequency of data breaches driving a rise in class-action litigation, it establishes a possible precedential threshold and signals that the JPML may not be willing to consolidate multiple class actions arising from a data breach where the number of cases nationwide is relatively low. In contrast, the JPML regularly grants motions for transfer and consolidation in larger data breach litigation with numerous class-action lawsuits.[1] The decision may be seen as a boon for certain plaintiffs firms that want to avoid the influence and control other firms have established when fighting over the lead counsel positions.

While the JPML did not specifically address the California plaintiffs’ argument based on the CCPA claims, it was likely swayed by the argument as demonstrated by allowing the California case to remain in that jurisdiction despite a majority of the parties supporting an MDL in New York (where the majority of class members reside) or Maryland. Plaintiffs’ firms are likely to continue to use versions of this argument to defeat transfer and consolidation in future proceedings before the JPML.

The role of defense counsel in JPML proceedings is tricky. It is incumbent to carefully advocate the common questions of law and fact, especially when unique state privacy law claims are present, while not conceding points that later could be used against them when opposing class certification. Defense attorneys must also be prepared to clearly articulate the efficiency and convenience to be gained by consolidation. Above all, defense counsel should carefully weigh the benefits of pursuing consolidation before the JPML in data breach class-action cases against seeking the informal coordination with the parties or voluntary transfer to a single forum under Section 1404, as the JPML suggested in Geico.

Troutman Pepper’s Cybersecurity, Information Governance, and Privacy team monitors developments like these as it counsels clients in the evolving landscape of cybersecurity and data privacy litigation. It has handled numerous putative data breach class cases, including cases consolidated by the JPML.

 


[1] For example, the JPML recently granted motions to transfer and consolidate in the following data breach litigation matters: In Re: Equifax Inc. Customer Data Security Breach Litigation (MDL 2800) with more than 90 pending class-action lawsuits; In Re: Capital One Customer Data Security Breach Litigation (MDL 2915) with more than 20 pending class-action lawsuits; and In Re: Blackbaud Inc. Customer Data Security Breach Litigation (MDL 2972) with more than 20 class-action lawsuits.