This week the Judicial Panel on Multidistrict Litigation (“JPML”) declined to create a multidistrict litigation (“MDL”) from competing class action lawsuits stemming from the same data incident.  Read on to learn more about this particular decision and how it relates to CPW’s prior analysis of other data incident litigation.

MDLs are a way of handling multiple civil actions at once and can be formed when separate actions in different federal district courts share a common question of fact.  28 U.S.C. Section 1407(a).  On a motion filed by either party, those separate actions can be flagged to the JPML.  The JPML then decides whether the litigations should be consolidated and transferred into one federal court for consolidated pretrial proceedings.  [Note: Don’t assume that just because a party requests the formation of an MDL it will happen.  The JPML denies the majority of such motions, although data breach MDLs are becoming increasingly common.]  MDLs are generally formed to address complex legal matters.  They differ from class actions because, while a class action is one lawsuit brought on behalf of a group of plaintiffs, the cases that are part of an MDL remain separate lawsuits that are handled together for efficiency.

The lawsuits presented to the JPML for consolidation all arose from a data event involving Kronos’s cloud-based time and attendance systems and workforce management software applications in December 2021.  The incident is alleged to have caused an outage of Kronos’s payroll system and compromised the personally identifiable information of Kronos’s clients’ employees.  Five class actions were subsequently filed following notification of the incident: three in the Northern District of California, one in the District of Massachusetts, and one in the Western District of Pennsylvania.  Plaintiffs in the District of Massachusetts moved to centralize the five actions in an MDL in the District of Massachusetts.  Kronos and the plaintiffs in the Northern District of California and Western District of Pennsylvania opposed the motion.

The JPML concluded that the creation of an MDL and centralization of the class actions were not necessary for the convenience of the parties and witnesses or to further the just and efficient conduct of the litigation.  Instead, according to the JPML, informal coordination among the small number of parties and involved courts appeared “eminently feasible.”  Indeed, the voluntary coordination efforts of the parties in the Northern District of California cases already resulted in the consolidation of the three class actions in that court.  Accordingly, the motion for centralization was denied.  This outcome is distinguishable from the JPML’s consolidation of the T-Mobile data breach cases, where common factual questions existed across the forty filed actions and the overwhelming majority of plaintiffs did not oppose centralization.

For more on data privacy, security, and innovation, stay tuned.  CPW will be there to keep you in the loop.