Trade Law Daily is a Warren News publication.
'Scattered Proceedings'

Comcast Supports Centralization of Data Breach Actions but Only Where It's Named

Comcast would oppose centralization with claims against unrelated companies “who simply happened to use the same Citrix software,” said its filing Friday. It was in response to plaintiff Kenneth Hasson's motion to transfer a dozen negligence class actions over Citrix's October data breach now pending before the U.S. Judicial Panel on Multidistrict Litigation (docket 3099).

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

A vulnerability in a Citrix network device used by Comcast and other companies resulted in the October data breach that compromised the personally identifiable information (PII) of over 36 million Comcast Xfinity customers, said Hasson’s memorandum of law in support of his motion. The related actions “seek redress on behalf of individuals whose PII was accessed and exfiltrated because of Comcast’s and Citrix’s alleged failure to reasonably and properly secure it,” it said.

Comcast was responding to Hasson’s Jan. 4 motion for transfer and centralization of actions to the Eastern District of Pennsylvania (see 2401120011). Hasson asserted centralization is appropriate because the related class actions filed in three separate federal district courts arise from the same October data breach “that impacted the personal information of millions of individuals.” But Comcast called Hasson’s case title, Kenneth Hasson v. Comcast Cable Communications a “misnomer,” because it suggests “that centralization would extend to cases involving Citrix software vulnerabilities that do not primarily involve Comcast.” Hasson's motion referenced "All individuals in the United States whose PII was compromised in the Comcast Data Breach which occurred on or around October 2023," it noted.

With 21 class actions brought against Comcast involving Citrix Systems’ data breach in multiple U.S. district courts -- Pennsylvania, Florida, Illinois, South Carolina and Nevada – “the situation merits a solution,” said Comcast. But the ISP cited In re: Accellion, Inc. Customer Data Security Breach Litigation, in which the JPML denied centralization of 14 data breach class actions against several unrelated defendants using the same software product. The panel determined in that case that finding “any factual overlap among the actions as to Accellion's FTA product, its vulnerability to attack, and its alleged support of this ‘legacy’ product may be eclipsed by factual issues specific to each client defendant.”

Citrix announced a vulnerability in a product used by Comcast and “thousands of other companies worldwide,” said Comcast’s response. Citrix released a patch to fix the vulnerability, and “Comcast promptly patched and mitigated its systems,” the response said. But Comcast later determined that “prior to mitigation,” Oct 16-19, “there was unauthorized access to some of its internal systems whereby personal information of certain customers was likely acquired by a threat actor,” it said. It “acted swiftly to notify those potentially impacted, but nevertheless plaintiffs’ class action lawyers singled out Comcast as a target of early class action lawsuits beginning one day after Comcast notified its customers of the cyberattack,” said the response.

Without centralization, the “scattered proceedings,” which share common questions of fact, are likely to result in “inconsistent rulings, waste of judicial resources, and unnecessary duplication of efforts,” the response said. Factual investigation into the data breach, and Comcast’s response to it, will be common to all the related actions, it said. The legal claims asserted “largely overlap" with claims of negligence, breach of implied contact and unjust enrichment, it said.

Of the 21 federal actions to date, 20 assert claims for negligence, 17 for breach of implied contract, 17 for unjust enrichment and 11 for negligence per se, the response said. Due to the similarities, transfer and centralization will “serve the convenience of parties and witnesses, promote efficiency and judicial economy, and prevent duplicative discovery and inconsistent rulings,” it said. Each of the plaintiffs purports to represent the same nationwide class of individuals whose PII was compromised in the breach, it said.

The Eastern District of Pennsylvania is the most appropriate transferee venue, said the Philadelphia-based Comcast in its response. Eleven of the related actions are pending in the Philadelphia court, making it “geographically convenient for the parties," it said. Defendants would support centralization in the Eastern District before any of the judges currently assigned to a related action, it said, naming John Younge, Michael Baylson, Chad Kenney and Gerald McHugh.

With the actions in “very early stages,” Comcast hasn’t yet answered or filed a response to any of the related actions, said the defendant. “No parties will be prejudiced by transfer and centralization,” it said. “No court has yet had to expend judicial resources on case management, nor has any court dug into the substance of any case or developed any particular expertise,” it said. Comcast agrees with Hasson that the Eastern District’s “favorable docket conditions and history of successful multidistrict litigation weigh in further support of transfer” of the related actions.