In re Accellion, Inc. Data Breach Litigation

• Court: District Court, N.D. California
• Decided: March 14, 2022
• Docket: 5:21-cv-01155
• Status: Unknown

Opinion

1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 SAN JOSE DIVISION 7 8 MADALYN BROWN, et al., Case No. 5:21-cv-01155-EJD

9 Plaintiffs, ORDER DENYING DEFENDANT'S ADMINISTRATIVE MOTION TO 10 v. CONSIDER WHETHER CASES SHOULD BE RELATED 11 ACCELLION, INC., 12 Defendant. Re: Dkt. No. 81

13 Defendant Accellion moves pursuant to Civil Local Rules 3-12(b) and 7-11(a) to relate Ace 14 American Insurance Company v. Accellion, Inc., No. 4:21-cv-09615-YGR (“Ace American”) to 15 Brown v. Accellion, Inc., No. 5:21-cv-01155-EJD (“Brown”), which is pending before the 16 undersigned. See Administrative Motion to Consider Whether Cases Should Be Related (“Mot.”), 17 Dkt. No. 81. Plaintiff in Ace American opposes the motion. See Plaintiff’s Opposition to 18 Defendant’s Administrative Motion to Consider Whether Cases Should Be Related (“Opp.”), Dkt. 19 No. 82. 20 Pursuant to Civil Local Rule 3-12(a), actions are related when (1) they “concern 21 substantially the same parties, property, transaction or event;” and (2) “[i]t appears likely that there 22 will be an unduly burdensome duplication of labor or expense or conflicting results if the cases are 23 conducted before different Judges.” Defendant argues that the Ace American action should be 24 related because it is based on the same conduct at issue in Brown (and the cases now consolidated 25 into Brown). The Court disagrees. 26 27 Case No.: 5:21-cv-01155-EJD 1 1. The plaintiffs are not similarly situated. Ace American provided cyber insurance 2 coverage to a Boston law firm (“the law firm”). Defendant provided collaboration system 3 software services to the law firm pursuant to a contract. The law firm and Defendant were thus in 4 direct contractual privity, and the rights and duties owed were governed, at least in part, by this 5 contract. The law firm was the victim of a ransomware attack in which a bad actor exfiltrated 6 highly confidential files from the law firm’s server. Consequently, the law firm had to pay a $2 7 million ransom demand to avoid having the confidential files disclosed to the public. Because 8 Ace American was the firm’s cyber insurer, Ace American had to repay the $2 million to the firm. 9 The plaintiffs in Brown and the consolidated class actions are “individuals whose private 10 information . . . was exposed because of the failure of Accellion, Inc. to safeguard and protect the 11 [plaintiff’s] exposed sensitive information.” Brown Complaint ¶ 1. No plaintiff in Brown was in 12 direct contractual privity with Accellion. Instead, the Brown plaintiffs had some interaction with a 13 third-party who used the Accellion file transfer appliance (“FTA”), and as a result their personally 14 identifiable information (“PII”) was exposed. Thus, in contrast to Ace American, where the claims 15 at issue largely relate to a breach of contract, the claims in Brown arise out of alleged violations of 16 common law and relevant statutes. 17 2. The claims presented in the cases are different. As noted, the Brown complaint (and 18 the complaints consolidated therein) raise claims against Accellion for negligence and for 19 violations of state consumer protection laws. In contrast, the Ace American complaint raises five 20 claims—negligence, breach of contract, and three misrepresentation claims that arise out of the 21 law firm’s transactions with Accellion. While both cases assert a claim of negligence, the claims 22 are different. The allegations of negligence in Ace American relate mostly to Accellion’s 23 negligence in failing to notify the law firm about the availability of a patch to fix the vulnerability 24 in its software, whereas the negligence allegations in the Brown complaint relate almost entirely to 25 Accellion’s failure to adequately safeguard and protect individuals’ PII. Because the negligence 26 claims are different and require different evidence to resolve, the danger of “conflicting results” 27 Case No.: 5:21-cv-01155-EJD 1 discussed in Civil Local Rule 3-12 is not applicable. 2 3. The cases involve different facts. Accellion and Ace American had a long-standing 3 relationship, which forms the basis of many of the claims asserted in Ace American. Additionally, 4 || unlike Brown, Ace American involves a contract between Accellion and the law firm. The 5 || contract has various limitation of liability provisions and thus separate motion practice will be 6 || required to resolve the applicability of these indemnification provisions. Finally, the Brown 7 || plaintiff has requested a jury trial, while the Ace American plaintiff has requested a bench trial. 8 The two cases will thus require different and separate triers of fact. 9 For these reasons, the Court DENIES Defendant’s motion to relate the Ace American and 10 || Brown cases. See Asus Computer Int'l v. Interdigital, Inc., 2015 WL 13783764 (N.D. Cal. June 11 15, 2015) (“The Court finds that the cases can proceed before different judges without being 12 unduly burdensome because there are [a] myriad [of] case-specific facts and issues that do not 5 13 overlap, even if the cases both involve similar licensing agreements, and [] it is unlikely that there 14 || would be conflicting results were the cases to be tried before different judges.”). 3 15 IT IS SO ORDERED. a 16 Dated: March 14, 2022

EDWARD J. DAVILA 19 United States District Judge 20 21 22 23 24 25 26 Case No.: 5:21-cv-01155-EJD 28 || ORDER DENYING DEFENDANT'S ADMINISTRATIVE MOTION TO CONSIDER WHETHER CASES SHOULD BE RELATED .