Data Breach Lawsuits Over Failure To Safeguard Information on Snowflake Cloud Platform Centralized in Single MDL

A panel of federal judges has decided to consolidate all lawsuits over data breaches involving the cloud-based server company Snowflake as part of a single multidistrict litigation (MDL), transferring claims brought in U.S. District Courts nationwide to one judge in the District of Montana for coordinated discovery and pretrial proceedings.

The MDL will include claims stemming from a number of massive data breaches announced earlier this year, including lawsuits against AT&T over the release of phone records and text messages of 110 million customers, as well as a Ticketmaster data breach involving personal information for more than 500 million individuals.

Each of those incidents involved companies that were customers of Snowflake Inc., a cloud-based platform that hosts and stores data for several major service providers.

While Snowflake has reportedly denied that the information was hacked due to cybersecurity failures on its end, it has been named as a co-defendant in a growing number of data breach lawsuits in recent months, each raising similar allegations.

Given common questions of fact and law raised in the claims being presented against Snowflake Inc. and various other companies, a motion to centralize the data breach lawsuits was filed with the U.S. Judicial Panel on Multidistrict Litigation (JPML) in July, calling for the cases brought throughout the federal court system to be consolidated before one judge to reduce duplicative discovery, avoid conflicting pretrial rulings and increase judicial efficiency.

Following oral arguments heard late last month, the JPML issued a transfer order (PDF) on October 4, granting the request and establishing a Snowflake data breach multidistrict litigation (MDL) before U.S. District Judge Brian Morris in the District of Montana.

The Snowflake MDL will include claims concerning data breaches involving the cloud server company between approximately April and June 2024. This includes data breaches involving Ticketmaster, Advance Auto Parts and AT&T, which the panel indicated affected a combined 500 million consumers. The judge rejected efforts by Advance Auto Parts and AT&T to separate pretrial proceedings for claims involving their customers..

“We deny the request to create an MDL solely for the AT&T actions in these dockets, as proposed in MDL No. 3124, considering the common factual core. Carving out the AT&T actions from the Snowflake MDL would be inefficient considering the common factual questions,” the judges wrote. “An MDL limited to AT&T actions also would not address the risk of inconsistent rulings on discovery, class certification (the AT&T and Snowflake putative classes overlap), and Snowflake’s alleged liability.”

The U.S. JPML has already established a separate MDL for AT&T data breach lawsuits involving a separate incident announced in February, involving claims stemming from the 2021 security failures that exposed social security numbers and other personal identifying information, which does not appear to involve the Snowflake security failures. Those claims are currently centralized before U.S. District Judge Ada Brown in the Northern District of Texas.