IN RE: KEYBANK CUSTOMER DATA SECURITY BREACH LITIGATION (2023)

TRANSFER ORDER

Plaintiffs in the Western District of Pennsylvania action move under 28 U.S.C. § 1407 to centralize this litigation in the Western District of Pennsylvania. This litigation consists of six actions pending in three districts, as listed on Schedule A. Since the filing of the motion, the Panel has been notified of four related actions.¹

All responding parties support centralization but disagree as to the transferee district. Plaintiffs in the two constituent Northern District of Ohio actions suggest centralization in that district. Plaintiffs in the three constituent Northern District of Georgia actions suggest centralization in that district. Defendants KeyBank, N.A., and KeyCorp. (together, KeyBank) and Overby-Seawell Company (OSC) support centralization in the Northern District of Georgia, and OSC alternatively supports the Northern District of Ohio as transferee district. Plaintiffs in one Northern District of Georgia action and KeyBank suggest renaming the litigation to reflect that OSC is the main defendant in this litigation.

On the basis of the papers filed and the hearing session held, we find that these actions involve common questions of fact, and that centralization in the Northern District of Georgia will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation. These actions—all of which are putative nationwide class actions—share factual issues relating to a July 2022 incident in which an “unauthorized external party” gained remote access to OSC's network and acquired certain personally identifiable information of OSC's financial institution clients’ customers. OSC is a technology services vendor for financial institutions that provides ongoing verification that the institutions’ residential mortgage customers are maintaining required property insurance. All plaintiffs allege that OSC failed to maintain adequate security measures, and they assert similar claims including for negligence, negligence per se, and breach of contract. Common factual issues will include how OSC's system was breached, what security measures OSC had in place to protect against such a breach, what information was compromised in the breach, and whether OSC provided timely notice of the breach to its financial institution clients. Centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification and Daubert motions; and conserve the resources of the parties, their counsel, and the judiciary.

No party disputes that the actions involve common factual and legal issues, and that centralization is warranted. But there are some questions as to the appropriate scope of this litigation. While all actions included in the motion for centralization involve claims against OSC and one of its financial institution clients (KeyBank), the Panel has been notified of two related actions brought against OSC and another financial institution client (Fulton Bank). These actions, like the actions before the Panel, allege that the financial institution defendants negligently entrusted plaintiffs’ and putative class members’ personal information to OSC. During briefing, no party argued that the actions naming financial institutions other than KeyBank should be excluded from the MDL, while some responding parties explicitly advocated in favor of their inclusion and requested the MDL be renamed to reflect that OSC is the common defendant. At oral argument, counsel for plaintiffs in favor of centralization in the Northern District of Ohio argued that the actions naming Fulton Bank should not be included in the MDL. We are inclined to believe that the MDL should include all actions naming OSC and involving its July 2022 data breach, regardless of which, if any, financial institution is named as a co-defendant. But we do not reach that issue, as none of the actions naming Fulton Bank are presently before the Panel. Arguments concerning the inclusion of any non-KeyBank cases filed outside the transferee district will be considered in due course through the conditional transfer order process. See Panel Rules 1.1(h), 7.1 and 7.2. We are persuaded at this time that the litigation should be renamed to reflect that the entity whose system was breached was OSC, not KeyBank.

The Northern District of Georgia is an appropriate transferee forum for this litigation. Five of the ten actions now pending are in this district before Judge Stephen D. Grimberg, and several plaintiffs and both OSC and KeyBank support centralization there. And since OSC is headquartered there, relevant evidence and witnesses likely will be in this district. Judge Grimberg is a skilled jurist who has not yet had the opportunity to preside over an MDL. We are confident that he will steer this litigation on a prudent course.

IT IS THEREFORE ORDERED that the actions listed on Schedule A and pending outside the Northern District of Georgia are transferred to the Northern District of Georgia and, with the consent of that court, assigned to the Honorable Stephen D. Grimberg for coordinated or consolidated pretrial proceedings.

IT IS FURTHER ORDERED that the caption of this litigation is changed from “In re: KeyBank Customer Data Security Breach Litigation” to “In re: Overby-Seawell Company Customer Data Security Breach Litigation.”

PANEL ON MULTIDISTRICT LITIGATION

Karen K. Caldwell Chair

Nathaniel M. Gorton

David C. Norton

Dale A. Kimball

Matthew F. Kennelly

Roger T. Benitez

Madeline Cox Arleo

IN RE: KEYBANK CUSTOMER DATA SECURITY BREACH LITIGATION

MDL No. 3056

SCHEDULE A

Northern District of Georgia

SAMSEL v. OVERBY−SEAWELL COMPANY, ET AL., C.A. No. 1:22−03593

MARLOWE v. OVERBY−SEAWELL COMPANY, ET AL., C.A. No. 1:22−03648

ARCHER, ET AL. v. OVERBY−SEAWELL CO., ET AL., C.A. No. 1:22−03780

Northern District of Ohio

BOZIN v. KEYBANK, N.A., C.A. No. 1:22−01536

URCIUOLI, ET AL. v. KEYBANK NATIONAL ASSOCIATION, ET AL.,

C.A. No. 1:22−01598

Western District of Pennsylvania

MARTIN, ET AL. v. KEYBANK NATIONAL ASSOCIATION, ET AL.,

C.A. No. 2:22−01346

FOOTNOTES

FOOTNOTE.  

1.   These and any other related actions are potential tag-along actions. See Panel Rules 1.1(h), 7.1, and 7.2.

Before the Panel:* FN* One or more Panel members who could be members of the putative classes in this litigation have renounced their participation in these classes and have participated in this decision.