OINIE | ONAL SIN, Judge: Robert W. Gettleman ‘ a ‘s/ ‘GEXOUNG Judge: M. David Weisman br ye LE UNITED STATES JUDICIAL PANEE:S- oigtrigre ei □□□□□□□ No: 25cv10320 on BIST XC” 2 TELINOIS MULTIDISTRICT LITIGATION Ie Regomh 1S"2925e |
IN RE: SALESFORCE, INC., CUSTOMER ting uo DATA SECURITY BREACH LITIGATION MDL No. 3164 IN RE: TRANS UNION, LLC, CUSTOMER DATA SECURITY BREACH LITIGATION MDL No. 3170
TRANSFER ORDER AND ORDER DENYING TRANSFER
Before the Panel:* Before the Panel are two dockets involving a series of data breaches of Salesforce customers that occurred at various times throughout 2025. Threat actors allegedly used social engineering to gain access to the Salesforce databases controlled by Allianz Life Insurance Company of North America (Allianz); Farmers Insurance Exchange, Farmers Group, Inc., and Farmers New World Life Insurance Company (collectively Farmers Insurance); Louis Vuitton North America, Inc. (Louis Vuitton); and Trans Union, LLC (TransUnion). Some plaintiffs allege that dozens of additional Salesforce customers have similarly fallen victim to social engineering attacks and had data exfiltrated from their Salesforce databases. Plaintiffs in five actions listed on Schedule A move under 28 U.S.C. § 1407 to centralize 41 actions involving the theft of data from a Salesforce customer’s Salesforce database. This motion was docketed as MDL No. 3164, Jn re: Salesforce, Inc., Customer Data Security Breach Litigation.| One of those Salesforce customers, TransUnion, later moved on October 3, 2025, to centralize 53 actions arising from the breach affecting it. Two of those 53 actions are from MDL No. 3164, and the rest are potential tag-along actions to MDL No. 3164. This motion was docketed as MDL No. 3170, Jn re: Trans Union, LLC, Customer Data Security Breach Litigation. The two competing motions proposed the Northern District of California and the Northern District of Illinois as the transferee district for a Salesforce MDL and TransUnion MDL, respectively.
* Judge Madeline Cox Arleo did not participate in the decision of this matter. Additionally, one or more Panel members who could be members of the putative classes in this litigation have renounced their participation in these classes and participated in this decision. ' After briefing concluded, movants in MDL No. 3164 sought to withdraw their motion to centralize all Salesforce-customer-related actions in a single multi-defendant MDL, explaining that information uncovered during briefing makes centralization inappropriate. The Panel Clerk denied that motion because several plaintiffs had responded in support of the multi-defendant MDL proposed in MDL No. 3164.
The responding parties take a variety of positions. The main areas of disagreement are whether a multi-defendant SalesforceMDL is appropriate, whether the TransUnion-related actions should be centralized in a separate MDL, and the selection of a transferee district. Plaintiffs in 25 actions and 23 potential tag-along actions support the proposed Salesforce MDL but differ on transferee district. Plaintiffs in six actions and fourteen potential tag-along actions support centralization in the Northern District of California. The other plaintiffs supporting a Salesforce MDL variously request the Northern District of Illinois and the District of Minnesota. Plaintiffs in fifteen actions and five potential tag-along actions—including movants—either oppose a Salesforce MDL, oppose transfer of their actions to a Salesforce MDL, or oppose inclusion of actions against a specific Salesforce-customer defendant in any Salesforce MDL. Plaintiffs in twenty actions support a TransUnion-specific MDL but differ on transferee district. Plaintiffs in eighteen of those actions support centralization in the Northern District of Illinois. The other plaintiffs supporting a TransUnion MDL propose the Northern District of California. Plaintiffs in nine actions and one potential tag-along action oppose creation of a standalone TransUnion MDL. All responding defendants oppose the proposed Salesforce MDL to some degree. Defendants Salesforce, TransUnion, Allianz, and Farmers Insurance oppose creation of a Salesforce MDL. Louis Vuitton and Workday oppose transfer of actions against them to a Salesforce MDL. Farmers Insurance, Pandora, Salesforce, and Workday take no position as to a TransUnion MDL but request separation and remand under Section 1407(a) of the claims against themif we create a TransUnion MDL. On the basis of the papers filed and the hearing session held, we conclude that centralization of MDL No. 3164 (Salesforce) is not necessary for the convenience of the parties and witnesses or to further the just and efficient conduct of the litigation. We do, however, find that the actions listed on Schedule B involve common questions of fact and that centralization of MDL No. 3170 (TransUnion) in the Northern District of Illinois will serve the convenience of the parties and witnesses and promote the just and efficient conduct of the litigation. The actions listed on Schedule A present few common questions of fact. Proponents of a Salesforce MDL argue that all actions raise common questions of fact surrounding a vulnerability in the Salesforce platform. We are not persuaded that any common questions of fact that may exist justify centralization of a large, multi-defendant MDL. The actions allege separate data breaches affecting multiple different Salesforce customers. Each breach involved a social engineering attack directly on a Salesforce customer, not an exploit of Salesforce itself with downstream consequences. Different facts will emerge for each Salesforce-customer defendant regarding how the attacks were conducted, which employee was involved, how the employee reacted, whether that defendant had procedures for guarding against social engineering attacks, how that defendant responded to the incident, and which types of personally identifiable information (PII) were impacted. Most of the complaints do not mention Salesforce, let alone allege that a common vulnerability in the Salesforce platform was a crucial factor in each data breach. We also find centralization unnecessary because of the parties’ ongoing self-organization efforts. See In re Cash Sweep Programs Cont. Litig., 766 F. Supp. 3d 1346, 1350 (J.P.M.L. 2025) (finding that “the ongoing self-organization of this litigation on a defendant-specific basis further weighs against centralization”). Litigation hubs have emerged for each Salesforce-customer defendant in the defendant’s home district: the Northern District of Illinois for TransUnion, the District of Minnesota for Allianz, the Central District of California for Farmers Insurance, the Northern District of California for Salesforce, and the Southern District of New York for Louis Vuitton.2 If discovery of Salesforce becomes necessary, it can be handled informally. See In re Accellion, Inc., Customer Data Sec. Breach Litig., 543 F. Supp. 3d 1372, 1374 (J.P.M.L. 2021) (“Proponents of centralization argue that even in the actions in which Accellion is not named, it will be involved in some third-party discovery. But we are persuaded that such discovery can be informally coordinated.”). In our view, a multi-defendant Salesforce MDL will hinder, rather than promote, the just and efficient conduct of the litigation. Proponents of a Salesforce MDL argue that centralization is necessary to eliminate duplicative discovery. We disagree that any potential duplicative discovery warrants creation of a potentially unwieldy MDL comprised of all Salesforce customers. Each breach appears unique, and the claims against each customer defendant that was breached may turn on individualized discovery as to that customer defendant. Because some of the defendants are competitors (e.g., Allianz and Farmers Insurance), there also may be privacy and trade secret concerns that would unnecessarily complicate discovery if centralized. See In re CP4 Fuel Pump Mktg. Sales Pracs., & Prods. Liab. Litig., 412 F. Supp. 3d 1365, 1367 (J.P.M.L. 2019) (“[C]entralizing competing defendants in the same MDL likely would complicate case management due to the need to protect trade secret and confidential information.”). And a transferee judge would have to contend with a sprawling MDL with numerous litigation tracks for the dozens of Salesforce customers that fell victim to social engineering attacks. Salesforce MDL proponents also argue that, absent centralization, Salesforce and its customers will bear the burden of litigating similar suits across the country. Notably, neither Salesforce nor any of its customers raise that concern. Salesforce and the Salesforce-customer defendants unanimously prefer the status quo. Finally, movants themselves no longer support creation of a Salesforce MDL. They now assert that the attacks on each Salesforce customer, including the timing and method of access, are distinct. In contrast to the expansive request for a multi-defendant Salesforce MDL, we are persuaded that a TransUnion MDL is appropriate. There are 54 cases against TransUnion pending in five district courts. All actions listed on Schedule B include claims against TransUnion arising from the same data breach affecting TransUnion customers. Plaintiffs’ claims present common factual questions about the TransUnion breach, such as what duties TransUnion owed to plaintiffs 2 All actions in the District of Minnesota are related before one judge. Farmers Insurance is seeking consolidation of the litigation against it in Central District of California. Four of the five actions against Louis Vuitton have already been designated as related and assigned to the same judge in the Southern District New York. to protect their PII, how the hackers executed their social engineering attack on TransUnion, whether TransUnion had adequate procedures in place to prevent the attack, and whether TransUnion adequately responded to the breach. Centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, particularly with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary. With actions pending in five districts, it does not appear that efforts at self-organization have succeeded, making the case for centralization more compelling. Plaintiffs opposing a TransUnion MDL do not address the propriety of a TransUnion MDL as a standalone proposition. They instead rehash their arguments that a large, multi-defendant MDL is the best means for effectuating Section 1407’s goals. For the reasons previously discussed, we disagree. We are persuaded that the Northern District of Illinois is the appropriate transferee district for the TransUnion MDL. TransUnion’s headquarters is in Chicago, and most actions against TransUnion are already pending in the Northern District of Illinois. We select Judge Robert W. Gettleman, who presides over two TransUnion actions, as the transferee judge. Judge Gettleman is an experienced jurist with the willingness and ability to efficiently manage this litigation. We are confident that he will steer this litigation on a prudent and expeditious course. We are mindful of the potential complications that may arise from transfer of the multi- defendant actions listed on Schedule B, but we decline the requests from Farmers Insurance, Pandora, Salesforce, and Workday to separate and remand the claims against them. “Whether Section 1407(a) remand is available turns on a highly specific inquiry about how each complaint is pled.” See, e.g., Transfer Order at 2, In re Juul Labs, Inc., Mktg., Sales Pracs., & Prods. Liab. Litig., MDL No. 2913 (J.P.M.L. Feb. 4, 2020), Dkt. No. 365 (“In any event, the seemingly indivisible nature of plaintiff’s claims renders a partial transfer (i.e., transferring only plaintiff’s claims against JLI and separating and remanding the claims against the other defendants) impracticable.”). Judge Gettleman can more ably make that inquiry. “As with any other litigation, the transferee judge retains wide discretion as to how the MDL should be defined, and if, after close scrutiny, the transferee judge determines that remand of any claims . . . is appropriate, procedures are available whereby this may be accomplished with a minimum of delay.” In re AndroGel Prods. Liab. Litig., 24 F. Supp. 3d 1378, 1380 (J.P.M.L. 2014). Should Judge Gettleman find separation and remand of claims against non-TransUnion defendants inappropriate, he may use any number of case management techniques to ensure that litigation of those claims does not conflict with the proceedings against those non-TransUnion defendants pending elsewhere. IT IS THEREFORE ORDERED that the motion for centralization of the actions listed on Schedule A (MDL No. 3164) is denied. IT IS FURTHER ORDERED that the actions listed on Schedule B (MDL No. 3170) and pending outside the Northern District of Illinois are transferred to the Northern District of Illinois -5-
and, with the consent of that court, assigned to the Honorable Robert W. Gettleman for coordinated or consolidated pretrial proceedings to proceed in MDL No. 3170, In re Trans Union, LLC, Customer Data Security Breach Litigation.
PANEL ON MULTIDISTRICT LITIGATION
Karen K. Caldwell Chair
Nathaniel M. Gorton Matthew F. Kennelly David C. Norton Roger T. Benitez Dale A. Kimball
IN RE: SALESFORCE, INC., CUSTOMER DATA SECURITY BREACH LITIGATION MDL No. 3164 SCHEDULE A Central District of California
EMANUEL, ET AL. v. FARMERS INSURANCE EXCHANGE, ET AL., C.A. No. 2:25−07972 SCHWARTZ v. FARMERS GROUP, INC., C.A. No. 2:25−08021 SCOTT v. FARMERS INSURANCE EXCHANGE, ET AL., C.A. No. 2:25−08032 MILSTEAD, ET AL. v. FARMERS INSURANCE EXCHANGE, ET AL., C.A. No. 2:25−08062 MONTALVAN, ET AL. v. FARMERS INSURANCE EXCHANGE, ET AL., C.A. No. 2:25−08085 KOVNER V. FARMERS GROUP, INC., ET AL., C.A. No. 2:25−08120 Northern District of California SCOTT v. SALESFORCE, INC., C.A. No. 3:25−07232 MEDINA v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07245 CANICK, ET AL. v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07306 MORGAN v. SALESFORCE, INC., C.A. No. 3:25−07318 Northern District of Illinois SNELGROVE v. TRANSUNION, LLC, C.A. No. 1:25−10320 IHRKE, ET AL. v. TRANSUNION, LLC, C.A. No. 1:25−10321 District of Minnesota KERITSIS v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−02777 TAYLOR v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03020 LOPEZ v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03052 HODGES v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03080 HERRERA v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03100 MAROTTA, ET AL. v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03109 OGDEN v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03111 THOMPSON v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03118 FEMATT v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03133 GOLDMAN v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03135 LENNON v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03139 LATRONICO v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03159 HANSCH v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03207 BERGER v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03221 GRAHAM v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03224 BUTLER v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03228 ZABRISKIE v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03231 ANDERSON v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03235 LAMARRE v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03237 ROALDI, ET AL. v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03244 ROBINSON v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03251 COLGAN v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03285 GIULIANI v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03291 CROWNOVER v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03308 THOMAS, ET AL. v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03313 POWERS v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03328 GRESS v. ALLIANZ LIFE INSURANCE COMPANY OF NORTH AMERICA, C.A. No. 0:25−03638 Southern District of New York BUTLER-ADAMS v. LOUIS VUITTON NORTH AMERICA, INC., C.A. No. 1:25−07109 MIAMEN, ET AL. v. LOUIS VUITTON NORTH AMERICA, INC., C.A. No. 1:25−07183 IN RE: TRANS UNION, LLC, CUSTOMER DATA SECURITY BREACH LITIGATION MDL No. 3170 SCHEDULE B Central District of California
25-cv-15376 MCLEOD v. TRANSUNION, ET AL., C.A. No. 2:25−08553 Northern District of California 25-cv-15378 KING v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07507 TATUM v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07688 25-cv-15379 MORTON v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07791 25cv15380 YADAV, ET AL. v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07847 25-cv-15381 ACOSTA, ET AL. v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07888 25-cv-15382 EALY v. SALESFORCE, INC., ET AL., C.A. No. 3:25−07970 WATSON, ET AL. v. SALESFORCE, INC., ET AL., C.A. No. 3:25−08051 25-cv-15384 BINGHAM v. TRANSUNION, LLC, C.A. No. 3:25−08267 25-cv-15386 25-cv-15389 Northern District of Florida 25-cv-15390 GORDON v. TRANSUNION, LLC, C.A. No. 3:25−01575 Northern District of Illinois SNELGROVE v. TRANSUNION, LLC, C.A. No. 1:25−10320 IHRKE, ET AL. v. TRANSUNION, LLC, C.A. No. 1:25−10321 WEATHERFORD v. TRANSUNION, LLC, C.A. No. 1:25−10404 NASH v. TRANSUNION, LLC, C.A. No. 1:25−10415 BROWN v. TRANSUNION, LLC, C.A. No. 1:25−10435 PERKINS v. TRANSUNION, LLC, C.A. No. 1:25−10444 ELLISON, ET AL. v. TRANSUNION, LLC, C.A. No. 1:25−10501 THOMAS v. TRANSUNION, LLC, C.A. No. 1:25−10511 TOBIN v. TRANSUNION, LLC, C.A. No. 1:25−10515 MEYER v. TRANSUNION, LLC, C.A. No. 1:25−10527 SAMOZA v. TRANSUNION, LLC, C.A. No. 1:25−10561 CORNWELL v. TRANSUNION, LLC, C.A. No. 1:25−10573 GARCIA v. TRANSUNION, LLC, C.A. No. 1:25−10577 DAVIS v. TRANSUNION, LLC, C.A. No. 1:25−10580 SMALLS v. TRANSUNION, LLC, C.A. No. 1:25−10587 KEMPF v. TRANSUNION, LLC, C.A. No. 1:25−10599 SEE v. TRANSUNION, LLC, C.A. No. 1:25−10659 TODD v. TRANSUNION, LLC, C.A. No. 1:25−10686 ALMEIDA v. TRANSUNION, LLC, C.A. No. 1:25−10690 GOTAY v. TRANSUNION, LLC, C.A. No. 1:25−10704 CALLOWAY v. TRANSUNION, LLC, C.A. No. 1:25−10712 LOPEZ v. TRANSUNION, LLC, C.A. No. 1:25−10742 SEVIGNY v. TRANSUNION, LLC, C.A. No. 1:25−10759 DUHON v. TRANSUNION, LLC, C.A. No. 1:25−10784 ENGH v. TRANSUNION, LLC, C.A. No. 1:25−10790 LOVELL v. TRANSUNION, LLC, C.A. No. 1:25−10817 BRAAT v. TRANSUNION, LLC, C.A. No. 1:25−10823 ZAUSZMER v. TRANSUNION, LLC, C.A. No. 1:25−10941 BONILLA v. TRANSUNION, LLC, C.A. No. 1:25−11007 SELESNICK v. TRANSUNION, LLC, C.A. No. 1:25−11126 CLAYTON v. TRANSUNION, LLC, C.A. No. 1:25−11140 JOHNSON v. TRANSUNION, LLC, C.A. No. 1:25−11188 ROBERTS v. TRANSUNION, LLC, C.A. No. 1:25−11248 JUDKA v. TRANSUNION, LLC, C.A. No. 1:25−11249 REVELLE v. TRANSUNION, LLC, C.A. No. 1:25−11268 MCGLYNN v. TRANSUNION, LLC, C.A. No. 1:25−11462 HOUSTON v. TRANSUNION, LLC, C.A. No. 1:25−11519 WILLIAMS-DIGGINS, ET AL. v. TRANSUNION, LLC, ET AL., C.A. No. 1:25−11525 ALEXANDER v. TRANSUNION, LLC, C.A. No. 1:25−11552 KORLOU, ET AL. v. TRANSUNION, LLC, C.A. No. 1:25−11569 MADKIN v. TRANSUNION, LLC, C.A. No. 1:25−11653 CROCKRAN v. TRANSUNION, LLC, C.A. No. 1:25−11931 BULLARD, ET AL. v. TRANSUNION, LLC, C.A. No. 1:25−12028 Eastern District of Pennsylvania LOUIS v. TRANSUNION, LLC, C.A. No. 2:25−05188 25-cv-15392