This week Plaintiffs in thirteen consolidated cases brought against Accellion and other defendants filed a motion for preliminary approval of a class action settlement in California federal court. This development is notable for its resolution (if approved) only as to Accellion and for the categories of relief offered to class members. In re Accellion, Inc. Data Breach Litigation, Case No. 21-cv-01155-EJD (E.D. Cal.).
First, some background. In December 2020, Defendant Accellion notified its customers that it had experienced a data event. According to filings in the litigation, cybercriminals targeted vulnerabilities in Accellion’s legacy file transfer (“FTA”) product during December 2020-January 2021. The incident affected a number of public and private sector entities. Litigation, including a number of California Consumer Privacy Act class action lawsuits, followed.
In these cases Plaintiffs alleged that Accellion: (a) failed to implement and maintain adequate data security practices to safeguard Plaintiffs’ and Class Members’ Personal Information; (b) failed to prevent the data event; (c) failed to detect security vulnerabilities leading to the data event; and (d) failed to disclose that their data security practices were inadequate to safeguard Class Members’ Personal Information.
Besides invoking the CCPA, Plaintiffs also asserted claims against Accellion for negligence, negligence per se, invasion of privacy (intrusion upon seclusion), violations of various consumer protection statutes (including the North Carolina Unfair Deceptive Trade Practices Act, the Washington Consumer Protection Act, , the California Confidentiality of Medical Information Action (“CMIA”), the California Customer Records Act (“CCRA”), and the California Unfair Competition Law (“UCL”)), and for declaratory and injunctive relief.
In March 2022, thirteen of these cases were consolidated in the Northern District of California under the caption In re Accellion, Inc. Data Breach Litigation, Case No. 21-cv-01155-EJD before Judge Davila.
Based upon the underlying facts alleged by Plaintiffs, the cases involved interesting questions concerning the potential liability of Accellion’s customers regarding the data event as a result of prior disclaimers made by Accellion and how its FTA software operated. This is because, as explained in prior court filings:
Accellion did not guarantee the security of the FTA software to customers. Its standard license agreement disclaimed such guarantees and included a broad limitation of liability for any damages resulting from a data breach. The license agreement explicitly states that each FTA Customer is “solely responsible and liable for the use of and access to” the FTA software “and for all files and data transmitted, shared, or stored using” FTA. With the FTA, customers have exclusive control over the data they are storing or transferring via FTA . . . Accellion never had access to the contents of the customers’ files.
These issues will likely remain unaddressed, however. This week, Plaintiffs in the cases filed a motion for preliminary approval of a class action settlement that would resolve all of the class’s claims against Accellion (not the other defendants). The settlement class, comprised of about 9.2 million individuals, would include “all natural persons who are residents of the United States whose Personal Information was stored on the FTA systems of Accellion’s FTA Customers and was compromised in the [data event].”
As outlined in materials filed with the court, the Settlement establishes a non-reversionary cash fund of $8.1 million to pay for valid claims, notice and administration costs, any Service Awards to the named Plaintiffs, and any Fee Award and Costs awarded by the Court Under the terms of the Settlement, Claimants may elect to receive one of the following:
(1) two years of three-bureau credit monitoring;
(2) reimbursement of Documented Losses(up to a capped amount); or
(3) a cash payment, calculated in accordance with the terms of the Settlement Agreement, estimated at $15 to $50 (at 1% and 3% claims rates respectively).
The Settlement also provides for injunctive relief to be implemented for four years from the Effective Date of the Settlement, including requiring Accellion to fully retire its FTA offering, provide annual cybersecurity training to all employees, employ personnel with formal responsibilities for cybersecurity, and take other measures.
A hearing on the motion for preliminary approval has been scheduled for December 8, 2022, with additional briefing by the parties due over the summer. For more on this, and other developments in the realm of data privacy, security and innovation stay tuned. CPW will be there to keep you in the loop.