In re Uber Techs., Inc., Data Sec. Breach Litig., 304 F. Supp. 3d 1351 (2018)

April 4, 2018 · United States Judicial Panel on Multidistrict Litigation · MDL No. 2826

304 F. Supp. 3d 1351

IN RE: UBER TECHNOLOGIES, INC., DATA SECURITY BREACH LITIGATION

MDL No. 2826

United States Judicial Panel on Multidistrict Litigation.

April 04, 2018

TRANSFER ORDER

SARAH S. VANCE, Chair

Before the Panel :^* Plaintiffs in one action in the Northern District of California move under 28 U.S.C. § 1407 to centralize this litigation in that district. This litigation currently consists of 10 actions pending in five districts,¹ as listed on Schedule A. Since the filing of the motion, the Panel has been notified of seven related federal actions.² The actions arise out of the announcement by Uber Technologies, Inc., on November 21, 2017, that certain personal information of 57 million Uber drivers and riders was inappropriately downloaded by individuals outside the company in late 2016.

All responding plaintiffs support centralization, but there is some disagreement on the transferee district. Plaintiffs in three Northern District of Illinois actions request centralization in their district or, alternatively, the Central District of California. Plaintiffs in six other actions support centralization in the Northern District of California. The responding Uber defendants³ oppose centralization and, alternatively, propose the Central District of California as the transferee district. Defendant Apple opposes inclusion of Harang (the sole action naming Apple as a defendant) and, in the alternative, requests separation and remand of the claims against Apple. Apple takes no position on centralization of the claims against Uber.

On the basis of the papers filed and the hearing session held, we find that these actions involve common questions of fact, and that centralization will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation. These putative class actions share complex factual questions arising from Uber's announcement on November 21, 2017, that a data security breach of its network occurred in late 2016 in which the personal information of 57 million Uber users was downloaded by unauthorized individuals outside the company.⁴ Common factual questions are presented with respect to Uber's practices in safeguarding its users' personal information, the investigation into the breach, the alleged delay in disclosing the breach, and the nature of the alleged damages. Centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.

The Uber defendants principally object to centralization based on the asserted likelihood that their pending and anticipated motions to compel individual arbitration will be granted in all actions, prior to the commencement of any discovery, bringing an early end to this litigation.

But such an assessment of the merits of the actions is beyond the Panel's authority. See In re: Maxim Integrated Prods., Inc., Patent Litig. , 867 F.Supp.2d 1333, 1335 (J.P.M.L. 2012) (" '[t]he framers of Section 1407 did not contemplate that the Panel would decide the merits of the actions before it and neither the statute nor the implementing Rules of the Panel are drafted to allow for such determinations' ") (quoting In re: Kauffman Mut. Fund Actions , 337 F.Supp. 1337, 1339-40 (J.P.M.L.1972) ). Thus, where the litigation involves common factual questions, centralization may be appropriate even though defendants predict that they will prevail on dispositive motions prior to commencement of discovery.⁵ Centralization will avoid inconsistent rulings on these and other common pretrial motions. We decline Uber's suggestion to delay ruling on centralization until their motions to compel arbitration are decided, as the timing and outcome of such rulings in this growing litigation is highly speculative.

The Uber defendants further oppose centralization on the ground that (1) the involvement of different state law claims for relief will undermine efficiencies; (2) there are pending state court actions, and consequently, an MDL would not be effective in eliminating duplicative pretrial proceedings; and (3) informal coordination is preferable to centralization. These arguments are unconvincing. As the Panel recently observed in other data breach litigation, "the presence of ... differing legal theories is not significant where, as here, the actions still arise from a common factual core." See In re: Sonic Corp. Customer Data Security Breach Litig. , 276 F.Supp.3d 1382, 1383 (J.P.M.L. 2017) (internal quotation marks and citation omitted). Additionally, the Panel often has granted centralization where there are pending state court actions, observing that an MDL will make it easier "to coordinate both the state and federal cases, because there will now be just one judge handling the latter."⁶

We do not believe that informal coordination is a practicable alternative to centralization here. There are ten actions on the motion and seven potential tag-along actions, which are pending in nine districts. Fourteen distinct groups of plaintiffs' counsel represent plaintiffs in these actions. In our judgment, the number of actions, districts, and involved counsel, and the complexity of the litigation, make effective coordination on an informal basis impracticable.

The Harang action, which asserts claims against both Uber and Apple, will be included in the MDL. Apple contends that the claims against Apple are unrelated to the Uber data breach, arguing that they relate solely to an alleged "entitlement" given by Apple to Uber that allowed the Uber app to capture screen images and other data on an iPhone without the user's knowledge. At oral argument, counsel for the Harang plaintiffs also characterized their claims against Apple as distinct from the data breach claims against Uber. But as pled in the complaint, the alleged entitlement and the data breach are related with respect to the scope of personal information accessed by the alleged hackers-that is, that the entitlement allegedly allowed the hackers to access the personal information in the captured screen images.⁷ Moreover, 12 of the 13 claims in Harang are brought against both Apple and the Uber defendants in terms that are not amenable to separation.⁸ In these circumstances, inclusion of Harang in its entirety is appropriate.

As this litigation progresses, it may become apparent that certain actions or claims could be more efficiently handled in the actions' respective transferor courts. Should the transferee judge deem remand of any claims or actions appropriate, then he may file a suggestion of remand to the Panel. See Panel Rule 10.1. As always, we leave the question of when Section 1407 remand is appropriate to the sound discretion of the transferee judge.

We conclude that the Central District of California is an appropriate transferee district for this litigation. Three actions are pending in this district. The Uber defendants support this district if centralization is granted over their objection, and plaintiffs in two Northern District of Illinois actions support it as their second choice. California has a significant connection to this litigation, as Uber Technologies, Inc., has its headquarters in this state, where much of the common evidence, including witnesses, will be located. Judge Philip S. Gutierrez, to whom we assign this litigation, is an experienced transferee judge, and we are confident he will steer this litigation on a prudent course.

IT IS THEREFORE ORDERED that the actions listed on Schedule A and pending outside the Central District of California are transferred to the Central District of California and, with the consent of that court, assigned to the Honorable Philip S. Gutierrez for coordinated or consolidated pretrial proceedings.

SCHEDULE A

MDL No. 2826 - IN RE: UBER TECHNOLOGIES, INC., DATA SECURITY BREACH LITIGATION

Northern District of Alabama

GRICE v. UBER TECHNOLOGIES, INC., C.A. No. 5:17-01975

Central District of California

FLORES v. RASIER, LLC, ET AL., C.A. No. 2:17-08503

HELLER, ET AL. v. RASIER, LLC, ET AL., C.A. No. 2:17-08545

Northern District of California

WEBBER, ET AL. v. UBER TECHNOLOGIES, INC., ET AL., C.A. No. 3:17-06758 AGANS, ET AL. v. UBER TECHNOLOGIES, INC., C.A. No. 3:17-06759

BURNETT, ET AL. v. UBER TECHNOLOGIES, INC., C.A. No. 4:17-06835

Northern District of Illinois

HARANG, ET AL. v. UBER TECHNOLOGIES, INC., ET AL., C.A. No. 1:17-08500

WEST v. UBER USA, LLC, ET AL., C.A. No. 1:17-08593

PATNI, ET AL. v. UBER TECHNOLOGIES, INC., ET AL., C.A. No. 1:17-08709

Eastern District of Pennsylvania

DESIGNOR v. UBER TECHNOLOGIES, INC., ET AL., C.A. No. 5:17-05289

* Judge Charles R. Breyer and Judge Lewis A. Kaplan took no part in the decision of this matter. One or more Panel members who could be members of the putative classes in this litigation have renounced their participation in these classes and have participated in this decision.

1 Plaintiffs' motion for centralization lists 12 actions, but after the filing of the motion, two actions were voluntarily dismissed.

2 The related actions are pending in the Northern District of Alabama, Central and Northern Districts of California, Northern District of Georgia, District of Minnesota, Western District of Missouri, and Western District of Wisconsin. These and any other related actions are potential tag-along actions. See Panel Rules 1.1(h), 7.1 and 7.2.

3 Uber Technologies, Inc., Uber USA, LLC, Rasier, LLC, Rasier-CA, LLC, Dara Khosrowshahi, Travis Kalanick, Angela M. Padilla, Katherine Tassi, Salle Eun Yoo, Sabrina Ross, and John Flynn. Mr. Kalanick is represented by separate counsel, but joins in the Uber defendants' brief.

4 Uber's announcement stated that the personal information accessed by the hackers included names, email addresses and mobile phone numbers, and for around 600,000 drivers, their names and driver's license numbers. Plaintiffs in several actions allege that additional personal information was compromised, including financial account information and trip location history.

5 See, e.g., In re: Anheuser-Busch Beer Labeling Mktg. and Sales Practices Litig. , 949 F.Supp.2d 1371, 1371 n.2 (J.P.M.L. 2013) (centralizing actions over defendant's objection that "little or no discovery will be required in light of the defenses raised in its pending motions to dismiss"); In re: Fluoroquinolone Prods. Liab. Litig. , 122 F.Supp.3d 1378, 1380 (J.P.M.L. 2015) (centralizing actions over defendants' objections that the claims were time-barred or otherwise were not viable).

6 See, e.g., In re: Lipitor (Atorvastatin Calcium) Mktg., Salespractices and Prods. Liab. Litig. (No. II) , 997 F.Supp.2d 1354, 1356 (J.P.M.L. 2014).

7 See, e.g. , Harang Compl. ¶ 113 (alleging that "Uber's permission entitlement could have been exploited by Uber or a hacker," noting a researcher's alleged observation that "a hacker who managed to break into Uber's network ... could silently monitor activity on an iPhone user's screen, harvesting passwords and other personal information"); ¶ 121 (Apple "knew of a[nd] approved the nondisclosure of this hidden app feature and ... helped facilitate the Uber Defendants' improper conduct"); ¶¶ 391, 399, 404 ("Defendants' misconduct has led to data breaches and the disclosure of personal information, including, possible pick up and drop off points for rides paid for through Uber's rideshare app.").

8 At oral argument, counsel for the Harang plaintiffs indicated their desire to have their claims against Apple severed from their claims against Uber, and counsel for Apple suggested that we ignore any inartful pleading of the complaint that presents an obstacle to separation and remand. It is incumbent upon the parties to bring issues such as these to the attention of the transferee court and propose ways to resolve them.