MDL Sought for Salesforce Data Breach Lawsuits

Companies are still discovering that customer data hosted on Salesforce cloud services was illegally accessed months after the breach occurred.

The cloud storage company responsible for hosting customer data from major companies like Google, Farmers Group and Christian Dior, faces dozens of lawsuits brought by individuals nationwide, who say their personal information was compromised during a data breach earlier this year.

The service, Salesforce, specializes in cloud storage for software products and sensitive data, which it is expected to keep safe. However, in late March, Farmers Group detected suspicious activity in one of its vendors’ customer information databases.

Soon, other companies detected similar data breaches, all of whom were customers of the cloud storage service, according to Salesforce data breach lawsuits filed in federal courts nationwide.

Plaintiffs say companies are still discovering they were breached, and that hackers gained access to customers’ names, addresses, phone numbers, and some social security numbers, banking information, and other personal identifying information that could make them vulnerable to identity theft and fraud.

Attention was brought to the data breach months after it happened, when Google announced it had also been affected on August 26, warning other companies that they should consider data hosted by Salesforce to be compromised.

On August 29, several plaintiffs who have filed Salesforce data breach lawsuits filed a motion for transfer (PDF) with the U.S. Judicial Panel on Multidistrict Litigation (JPML), requesting that all of the complaints brought throughout the federal court system be consolidated before U.S. District Judge Jacqueline Scott Corley in the Northern District of California.

In complex product liability litigation, where a large number of claims are brought by users of the same service, each experiencing similar damages, it is common for the U.S. JPML to establish a multidistrict litigation (MDL) for pretrial proceedings and a series of early bellwether trials. These early test cases are designed to help gauge how juries may respond to certain evidence and testimony that will be repeated throughout the litigation.

According to the motion, Salesforce currently faces 48 lawsuits filed in six different federal courts. Each of the actions raises similar claims, that Salesforce failed to adequately protect its customers’ sensitive data by ignoring industry-standard cybersecurity measures that would have prevented the breach. The lawsuits also usually include the company whose data was hacked as a defendant, saying they should have done more to make certain their customers’ data was secure.

The plaintiffs argue that consolidation would prevent duplicate discovery and contradictory rulings by different federal judges, and serve the convenience of the court, the parties and witnesses.

“All the Actions subject to this motion arise from one nucleus of operative facts: a Data Breach impacting the data maintained by Salesforce, Inc.”

– Plaintiffs’ Motion to Transfer, Salesforce Data Security Breach Litigation

The JPML is not expect to hear oral arguments on the Salesforce data breach lawsuit motion until a meeting on December 4, in Austin, Texas.

If the cases are consolidated, each will remain an individual lawsuit with plaintiffs represented by their own attorneys. If, after pretrial proceedings and bellwether trials, the litigation is not resolved, the judge assigned to oversee the MDL will likely remand the claims back to their originating districts for individual trials.

The litigation is the latest in a series of mass torts that have emerged following massive data breaches over the past year, which cybersecurity experts estimate have impacted more than 1 billion online accounts held in the U.S., resulting in thousands of Change Healthcare lawsuits, AT&T data breach lawsuits, Ticketmaster data breach lawsuits and others.

Sign up for more legal news that could affect you or your family.