The FBI has reported that since the start of the pandemic the number of complaints about cyberattacks to their Cyber Division is up to as many as 4,000 a day. As a result, individuals’ sensitive data is particularly vulnerable, and class actions involving data breaches are more prevalent than ever. With multiple lawsuits filed across the country, companies have to make the decision whether or not to pursue multidistrict litigation (MDL) – a special procedure where cases from different jurisdictions are transferred to one court for adjudication. While MDLs can alleviate some of the burden associated with litigating on multiple fronts, companies must consider the risks, including enhanced publicity and potential government investigations. In this advisory, we’ll outline some of the pros and cons of using a MDL.
Pros of a MDL
- Makes Discovery Efficient. MDL allows you to make efficient use of discovery, witnesses, your employees, and experts. It reduces travel required for testimony and may limit the number of times witnesses would have to be deposed. Litigating in multiple districts would require you to discover the same documents and depose the same witnesses or experts repeatedly.
- Reduces The Number of Cases. MDL permits you to make consolidated motions on general issues. These consolidated motions, once ruled upon, can work to cull the cases to a more manageable number. You can also use summary judgment specifically to limit the scope of the cases, resolving issues against multiple plaintiffs. You can then focus resources on significant cases, avoiding waste on weaker ones.
- Ensures Consistent Rulings. MDL judges are selected by the Judicial Panel1 based on their expertise. But even if the judge is not a subject matter expert, MDL provides your attorneys the opportunity to quickly educate one judge instead of multiple judges across various districts. The presiding judge’s rulings then are consistent across all cases in the MDL, whereas two similar or identical cases heard in two courts can have very different outcomes.
- Monetarily Efficient. Firms share costs and pool resources to litigate the MDL. When the MDL concludes, each case that benefits from the collective MDL work is assessed a fee that pays back your firm for work and expenses toward the common benefit of resolving the cases.
Cons of a MDL
- Unfamiliarity of State-Specific Nuances. Because most presiding judges will not have a connection to the original jurisdiction, the presiding judge may be unfamiliar with the state-specific law. This is particularly hazardous in cases where state law differs drastically from one jurisdiction to another. Attorneys must be vigilant to ensure that the proper law is applied.
- Multiple Judges May Preside. The MDL judge only handles the pretrial phases of the case. The Supreme Court requires that if the MDL court does not dispose of the case in the pretrial phase, it should be remanded back to the original jurisdiction for trial. Your attorneys will then have to educate the trial judge, who has had no involvement in the case until this point.
- “Away Team” at the Venue. The Judicial Panel is not guided by any specific principles when assigning cases. As a result, you risk litigating the case before an unfamiliar judge. The venue may also present logistical difficulties for your attorneys when depositions are required. These difficulties could lead to blunders that, given the stakes in a MDL, can be ruinous.
- Potential Regulatory Repercussions. Although some argue that MDLs facilitate settlement, the collateral consequences of a high-profile MDL may outweigh those benefits. Settlements can alert government agencies to issues that they may have been unaware of. This can lead to potential investigations and regulatory actions.
Three recent data breach cases seeking MDLs highlight some of these pros and cons. In re: Dickey’s Barbecue Restaurants (Dickey’s), In re: Clearview AI, Inc., Consumer Privacy Litigation (Clearview) and In re: Blackbaud, Inc., Customer Data Security Breach Litigation (Blackbaud),
Dickey’s Barbecue Restaurants is a chain restaurant with headquarters in Dallas, Texas. In 2019, 156 Dickey’s locations across 30 states were compromised by card-stealing malware which affected more than 3 million customers. Customers in California and Arizona were most exposed. The stolen information was bundled and offered for sale as a part of information listed as the “BlazingSun” breach on the dark web website “Joker’s Stash.” Affected customers brought six lawsuits in Texas and California alleging violation of California’s Consumer Privacy Act, negligence, breach of implied contract, and unjust enrichment.
The California plaintiffs moved to centralize the suits in the Southern District of California (SDC). Dickey’s and one of the Texas plaintiffs opposed the motion arguing that the cases should remain separate and that informal coordination among the parties would work best to manage the disputes. In the alternative, they argued that if the Judicial Panel did decide to centralize the cases, that it should do so in the Northern District of Texas (NDT), where Dickey’s is located. The Judicial Panel found against centralization, reasoning that the California plaintiffs failed to meet their higher burden to demonstrate that centralization was appropriate given the minimal number of cases (six) against Dickey’s. The Judicial Panel also noted that the small number of parties and involved courts would make informal coordination “eminently feasible.”
Next, Clearview AI is a facial recognition startup that allows users to identify a person by uploading a picture of their face for comparison to the images in Clearview's database. The images in the database are collected, without consent, from regular sweeps of the internet. The plaintiffs in over a dozen lawsuits allege that this practice violates, among other things, the Illinois Biometric Information Privacy Act, Illinois Consumer Fraud and Unfair Business Practices Act, and common law protection against invasion of privacy.
Clearview AI moved to centralize the litigation in the Southern District of New York (SDNY) because it is headquartered in New York, and nine of the suits were filed in the SDNY. Only three were filed in the Northern District of Illinois (NDILL). Five of the six plaintiffs in the SDNY actions supported the motion. The one remaining SDNY plaintiff, the three NDILL plaintiffs, and a potential tag-along NDILL plaintiff recommended centralization in the NDILL. Macy’s, the sole defendant in the tag-along action, opposed centralization in NDILL. The Judicial Panel found in favor of centralization in the NDILL, citing “convenience of the parties and witnesses” and the shared factual questions arising from similar allegations against Clearview. Specifically, Clearview “improperly collected, captured, obtained, distributed, and profited off of citizens' biometric data.” The Judicial Panel did not opine on why the NDILL was a better forum than the SDNY.
Finally, in Blackbaud, the cloud computing provider is accused in 15 lawsuits of negligently allowing a ransomware attack in May 2020 that might have exposed the data of several of its health and education clients, amounting to about 6 million affected people. The suits, filed in South Carolina, Florida, California, and New York, argue that Blackbaud failed to take reasonable steps to safeguard its clients’ data, particularly in light of reporting that cybercriminals were taking advantage of the increased number of employees working remotely by launching an extraordinary number of attacks.
One plaintiff moved to centralize the litigation in District of South Carolina (DSC). Blackbaud and all but one of the plaintiffs supported or simply did not oppose the motion. A different plaintiff suggested the SDNY because Blackbaud is incorporated in New York. The Judicial Panel, however, granted the motion for centralization in the DSC, citing efficiency and common factual questions such as: (1) Blackbaud's data security practices and whether they met industry standards; (2) how the unauthorized access occurred; (3) the extent of affected personal information; (4) when Blackbaud knew or should have known of the breach; (5) the investigation into the breach; and (6) the alleged delay in disclosure of the breach to clients and affected consumers.
These cases are cautionary tales. In Dickey’s, the Judicial Panel declined centralization altogether citing a minimal number of cases even though the breach at issue affected over 3 million customers and the option of the NDT as viable alternative forum. As Dickey’s shows, because centralization is not guaranteed, MDL can be precarious. In Clearview, most of the plaintiffs and Clearview itself supported centralization in the SDNY. This is understandable since most of the litigation was filed in the SDNY, and Clearview is headquartered in New York. The Judicial Panel, however, assigned that matter to the NDILL. This uncertainty in MDL assignments is one of the risks of MDL. Conversely, in Blackbaud where most of the litigation had been filed in DSC and Blackbaud was headquartered in South Carolina, the Panel centralized the litigation in DSC. Although the MDL assignment was likely seen as a boon to Blackbaud, it is currently being investigated by over 40 state and federal agencies. How the MDL resolves will certainly have collateral effects in those investigations and vice versa. These cases show that although MDLs can be a useful tool to reduce costs, manage caseloads, and encourage resolution, it is key to make a holistic assessment or otherwise risk exposing yourself to greater liability.
- The United States Judicial Panel on Multidistrict Litigation is a special body within the United States federal court system which manages multidistrict litigation.