MOVEit Data Breach Litigation: District of Massachusetts Allows Bellwether Negligence and Consumer Protection Claims to Proceed
On July 31, 2025, the District of Massachusetts issued two rulings largely denying motions to dismiss filed by software developer Progress Software Corporation (“Progress”) and certain direct users or vendor contracting entities employing Progress’ software product, MOVEit (the “Bellwether Defendants”). In In re: MOVEit Customer Data Security Breach Litigation, MDL No. 1:23-md-03083-ADB, the Court found that Plaintiffs’ allegations of negligence, breach of contract, unjust enrichment, and certain state-law unfair business practices and consumer protection claims could move forward.
The MOVEit Breach Bellwether Proceedings and the Amended Complaint
This multidistrict litigation was initiated by individuals affected by a 2023 data breach of Progress’ MOVEit file transfer platform, carried out by a Russian cybercriminal group known as CL0P, that impacted approximately 85 million people. Plaintiffs allege that CL0P posted individuals’ personal information on the dark web and elsewhere, and that such disclosure resulted in an array of cognizable injuries.
Specifically, Plaintiffs allege that the Bellwether Defendants could have prevented the data breach by implementing industry-standard cybersecurity techniques and protocols including auditing the security of the MOVEit file transfer platform, auditing Progress’ cyber security practices, restricting IP addresses with access to the MOVEit file transfer platform, limiting file types uploaded to the MOVEit file transfer platform, and implementing monitoring programs to detect suspicious activity.
Separately, Plaintiffs allege that Progress was aware that the MOVEit file transfer platform would be used to move and store highly sensitive information and failed to (1) design the software in a manner that would promote security and (2) identify and remediate software vulnerabilities. Plaintiffs also allege that Progress moved too slowly in patching the vulnerabilities that had allowed the breach and in notifying Plaintiffs of the breach.
The Court ordered bellwether proceedings, and Plaintiffs filed an amended bellwether complaint naming Progress and the Bellwether Defendants. The defendants moved to dismiss, and the Court held oral argument on May 12, 2025.
Negligence Claims Survive Based on Duty to Implement Reasonable Safeguards
In its rulings, the Court largely denied both the Bellwether Defendants’ and Progress’ motions to dismiss on similar grounds. With respect to Plaintiffs’ negligence claims, the Court found that both the Bellwether Defendants and Progress had a duty to implement reasonable safeguards to protect user data and that Plaintiffs had sufficiently alleged that such reasonable safeguards could have prevented the breach even if defendants were unaware of the specific vulnerability exploited by the hackers.
The Court further broke down its findings with respect to the Bellwether Defendants between “direct users” and “vendor contracting entities” or “VCEs”. In sum, the Court found Plaintiffs’ allegations sufficient as to both direct users and VCEs, noting that, for direct users, the specific security practices allegedly omitted, such as restricting IP addresses, limiting file types, and implementing monitoring programs, could have prevented the cybersecurity incident, and that Plaintiffs successfully argued that VCEs had a duty to “vet and audit” the security practices of their direct-user vendors.
Some Procedural Wins for Defendants Under State Data Privacy Laws, but Consumer Protection Claims Survive
With respect to Plaintiffs’ state law claims, the Court’s rulings awarded defendants some largely procedural wins but found that Plaintiffs’ allegations substantively met statutory requirements. A few examples are highlighted below:
- Wins for Bellwether Defendants:
  - CCRA (California Customer Records Act): The Court granted dismissal of a CCRA claim against a Bellwether Defendant, Genworth, finding that an alleged delay of two to six weeks between learning of the breach and notifying individuals, without any allegations that this delay was unreasonable, did not provide a basis for an untimely-notification claim under the CCRA.
  - WDPTA (Wisconsin Deceptive Trade Practices Act): The Court granted dismissal of a WDPTA claim against a Bellwether Defendant, MLIC, because Plaintiffs failed to plead facts supporting a causal connection or “pecuniary loss”. The Court specifically stated that “a hypothetical future cost is not a recoverable pecuniary loss” and that lost time and emotional distress alone were insufficient.
  - CCPA (California Consumer Privacy Act): The Court found, with respect to one Bellwether Defendant, PBI, that PBI had taken appropriate curative measures under the CCPA, thereby precluding statutory damages, and that PBI’s notice of this curative action was sufficient.
- Wins for Plaintiffs (as to Bellwether Defendants):
  - Chapter 93A (Massachusetts Consumer Protection Act): The Court found that allegations of “unreasonably weak internal and external cybersecurity protocols” were sufficient to state a claim for unfair conduct under the act.
  - CCPA: The Court found, with respect to one Bellwether Defendant, Welltok, that Plaintiffs’ pre-suit notice was adequate and that Plaintiffs’ pleading that the specific breach could not have occurred but for Defendants’ failure to take certain preventative steps, rather than pleading a per se injury generally, was sufficient. The Court rejected the argument that the breach was not a result of the defendants’ failure to implement reasonable security.
- Wins for Progress Software Corporation:
  - CCRA: The Court found that Progress’ EULA did not disclaim third-party beneficiaries. However, it dismissed the claim because Plaintiffs did not sufficiently allege that they had a direct relationship with Progress, which the CCRA requires.
  - CMIA (California Confidentiality of Medical Information Act): The Court dismissed this claim, finding that the statute’s definition of “consumer” applies only to individuals, not to business entities, which were the direct customers of Progress.
  - Data-Breach Notification Statutes: Progress argued that it was not subject to these statutes because it did not “own,” “license,” or “maintain” the data. The Court dismissed the claims because Plaintiffs abandoned them in their opposition brief.
- Wins for Plaintiffs (as to Progress):
  - Unjust Enrichment: The Court denied dismissal of this claim in some states, finding that Plaintiffs sufficiently alleged that Progress’ business was to protect sensitive data and therefore its business depended on receiving that information. This was enough to satisfy the “conferred benefit” element of the claim.
Finally, the Court denied the defendants’ motion to dismiss the plaintiffs’ requests for declaratory relief, noting that these requests were forward-looking (i.e., the security measures remained “inadequate” and posed a risk of “further compromises”) and not duplicative of other claims.
Takeaway: Vendor Vetting and Monitoring Programs Are Legal Risk Management Imperatives
The Court’s decisions in the MOVEit litigation send a clear message: data breach litigation risk is expanding across state law theories based on cybersecurity practices and vendor management. These rulings underscore the need for robust, proactive security measures, careful vendor vetting, and a clear understanding of state and federal data protection laws. Given the complex choice-of-law analysis required in these cases, applicable law should not be an afterthought in compliance or litigation strategy.