Data Privacy Class Action Alleges Insurers Improperly Collected The Data Of 40 Million Users Through Third-Party Applications

By Gerald L. Maatman, Jr., Justin Donoho, George J. Schaller, Ryan T. Garippo

Duane Morris Takeaways: In Mahoney, et al. v. The Allstate Corp, et al., 25-CV-01465 (N.D. Ill. Feb. 11, 2025), Plaintiffs Michael Mahoney and Scott Schultz (collectively, “Plaintiffs”) filed a putative class action lawsuit asserting Allstate, and its subsidiary Arity, illegally obtained personal driving data of 40 million policyholders through third-party mobile application software.  The case is pending in the U.S. District Court for the Northern District of Illinois before Judge Steven C. Seeger.This is the third lawsuit in a series of lawsuits alleging class-wide allegations based on Allstate’s alleged data collection practices.  See Sims et al. v. The Allstate Corp. et al., 1:25-CV-00407 (N.D. Ill. Jan. 14, 2025) (alleging data collection through third party application Sirius XM); see also Arellano et al. v. The Allstate Corp. et al., 1:25-CV-01256, (N.D. Ill. Feb. 5, 2025) (alleging data collection through third party applications Life360, GasBuddy, and Fuel Rewards). 

Mahoney, Sims, and Arellano, represent a triumvirate of data privacy class actions centered on allegations of improper data collection through third-party applications.  Companies will be well-served monitor these cases for their novel assertions in trending data privacy litigation.

Complaint Allegations

Michael Mahoney resides in San Francisco, California, and he downloaded the GasBuddy application in 2011 to “find competitive gas prices.”  Mahoney, 25-CV-01465, ECF No. 1 § III ¶ 14 (N.D. Ill. Feb. 11, 2025).  Scott Schultz resides in Highland Park, Illinois, and he downloaded the GasBuddy application in 2021 and used it “in his own and other people’s vehicles to find competitive gas prices.”  Id. § III ¶ 15.

Plaintiffs collectively allege that Allstate and its subsidiary Arity (collectively, “Defendants”) “conspired to collect drivers’ geolocation data and movement data from mobile devices, in-car devices, and vehicles.”  Id. § IV ¶ 7.  Plaintiffs allege Defendants designed a software development kit that could be integrated into third-party mobile applications such as “Routely, Life360, GasBuddy, and Fuel Rewards.”  Id.  § IV ¶ 8.  Plaintiffs further allege Defendant advertised that they “collect data ‘every 15 seconds or less’ from 40 million ‘active mobile connections’ and ‘derive[] unique insights that help insurers, developers, marketers, and communities understand and predict driving behavior at scale.”  Id. § IV ¶ 24.

Plaintiffs contend Defendants’ software development kit was “designed to and does collect data” including “Geolocation data and ‘GPS Points,’” “cellphone accelerometer, magnetometer, and gyroscopic data,” “Trip attributes” data (including start and end locations, trip distances, trip duration), “Derived events” data (including acceleration, speeding, distracted driving, crash detection), and “Metadata.”  Id. § IV ¶ 11 (A) – (E).  Plaintiffs further assert that when using these third-party applications “Defendants could collect real-time data on their locations and movements and surreptitiously collect highly sensitive and valuable data directly from Plaintiffs’ mobile phones.”  Id. § IV ¶ 16.

It is also important to note that Plaintiffs maintain that Defendants used their personal data to “develop, advertise, and sell several products and services to third parties, including insurance companies . . .” and used the purchased consumer data for “[Defendants’] own underwriting purposes.”  Id. § IV ¶ 23.  Plaintiffs, ultimately, assert that Defendants real purpose in using this data is for their “own financial and commercial benefit” and to obtain “substantial profit.”  Id. § V ¶ 49.  They ultimately assert via their nine-count Complaint that this technology amounts to a wiretapping of their personal information which entitles them, inter alia, to a sum of “$100 per day per violation or $10,000” per class member whichever is greater.  Id. § V ¶ 51.

Implications For Companies

Although such data collection lawsuits are no longer a new phenomenon, their scope has become far more aggressive as the plaintiffs’ bar continues to look for ways to monetize lawsuits against corporations using such technologies.

Take for example the dilemma presented by Mahoney.  In that case, it is likely that Defendants will have strong defenses to this action.  For example, Plaintiffs admit that Defendants’ purpose in using this technology was to earn “substantial profit.”  Id. § V ¶ 49.  Based on similar allegations, many courts have found that these purposes are insufficient for a plaintiff to avail itself of such wiretapping statutes.  See, e.g., Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023) (dismissing wiretap claim because defendant’s “purpose has plainly not been to perpetuate torts on millions of Internet users, but to make money.”).

There are, however, enough court rulings that come out in the opposite direction to give a corporate defendant pause.  See, e.g., R.S. v. Prime Healthcare Services, Inc., No. 24-CV-00330, 2025 WL 103488, at *6-7 (C.D. Cal. Jan. 13, 2025) (recognizing the split and siding with the plaintiffs).  And, if Plaintiffs are correct that there are 40 million individuals in the class, and that each class member is entitled to $10,000 at a minimum, then this lawsuit alleges at least $400 billion dollars in liability.  Even if there is a 1% chance of success on these claims, it would suggest that the completely unrealistic figure of $4 billion dollars is on the table.

Corporations in these types of class actions are faced with the difficult choice of settling the claims for an astronomical figure based on the use of technologies which are ubiquitous in nature (like software development kits for mobile applications) or defend a $400 billion lawsuit based on defenses in an area of the law which is not fully developed.  It will be interesting to see how the Mahoney defendants balance these concerns as the case progresses, because many twists and turns lie ahead.

In the meantime, corporate counsel should take the opportunity to evaluate their companies’ data collection and privacy policies to make sure their companies are not easy targets.  If the allegations in Mahoney are any example, the mere threat of one of these lawsuits should be enough to keep corporate counsel up at night.  And, if their companies are ultimately sued in one of these lawsuits, they should ensure that an experienced defense team has its hands on the steering wheel. 

The Class Action Weekly Wire – Episode 88: Key Trends In Data Breach Class Actions

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jerry Maatman and Jennifer Riley, special counsel Justin Donoho, and associate Ryan Garippo with their discussion of the key trends analyzed in the 2025 edition of the Duane Morris Data Breach Class Action Review, including the contributing factors in the exponential growth of data breach class action filings, the sophistication of the plaintiffs’ bar litigation theories, and the chart-topping settlements in this area.  

Bookmark or download the Data Breach Class Action Review e-book here, which is fully searchable and accessible from any device.

Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.

Episode Transcript

Jerry Maatman: Welcome all our loyal listeners and blog readers. Thank you for being here on our weekly podcast, the Class Action Weekly Wire. I’m, Jerry Maatman of Duane Morris, and joining me today are my colleagues, Jen, Justin, and Ryan. Thanks so much for being on this particular podcast.

Jennifer Riley: Thank you, Jerry. Happy to be part of the podcast today.

Justin Donoho: Thanks, Jerry. Glad to be here.

Ryan Garippo: Thanks for having me, Jerry.

Jerry: Today in the podcast we’re discussing the publication of this year’s Duane Morris Data Breach Class Action Review and desk reference designed for our clients to give them the latest, greatest information on the cutting-edge issues in the world of data breach class action. Listeners can find the e-book publication on our blog, the Duane Morris Class Action Defense blog. Jen, can you share with our listeners a bit about this desk reference and publication?

Jennifer: Absolutely, Jerry. The volume of data breach class actions exploded in 2024. Data breach has emerged as one of the fastest growing areas of class action litigation. The Review contains an overview of these filing numbers as well as settlements as well as some of the key decisions in this area. So, in sum, courts continue to reach inconsistent outcomes on issues such as standing and uninjured class members, those issues that are uniquely challenging in the data breach space. The Review has dozens of contributors, and it reflects really the collective experience and expertise of our class action defense group.

Jerry: I think it used to be, people thought whenever there was a drop in the stock following a company announcement, as sure as the sun rises in the east and sets in the west every day, there’d be a securities fraud class action lawsuit being filed. That seems to be the case now, when there’s a data breach incident, a data breach class action follows in its wake. Justin, can you shed some light on why this particular cause of action in this particular space has been growing incrementally over the last 36 months?

Justin: Absolutely. I mean, the frequency of the data breaches have been increasing, which is a huge part, and of course, with that comes heightened attention from both consumers and the plaintiffs’ bar. High profile cases, such as that multidistrict litigation arising from the Marriott International breach that affected over 133 million people, for example. There’s the MOVEIt MDL, which is another big one that got going last year. These have all put companies on notice that failure to secure personal data can lead to costly litigation. Cost lawsuits are not just about the breach itself, it’s also about the aftermath. So, consumers are now more aware of the risks and more inclined to seek legal recourse when their data is compromised.

Jerry: I think this is a great area where the notion that the law is trailing behind technology and can’t keep up with it – may well explain some of the developments in this particular space from a cybersecurity perspective. How do you think the increasing frequency of these sorts of events, and the sophistication of cyber criminals, is playing out in the class action space?

Ryan: Well, the rise in cyberattacks is definitely a huge factor. We’re seeing more sophisticated tactics from cybercriminals. Ransomware is at least one prime example – hackers demand payments in exchange for not publishing or further exploiting stolen data. The issue is that paying the ransom doesn’t necessarily guarantee the safe return or the deletion of the data, which makes these incidents devastating for companies. Additionally, I think we’ve seen as there’s been a shift to remote work and cloud-based infrastructure, that more vulnerabilities are exposed which ultimately increases the frequency of breaches. As a result, I think we’re seeing more lawsuits following these incidents and plaintiffs’ attorneys are more eager to capitalize on the growing number of affected individuals.

Jerry: In the last two weeks, the U.S. Supreme Court has accepted a case for review on the issue of uninjured class members, and whether or not their presence is something that can be used by a defendant to stop class certification. And one of the things we’ve seen in the last few years in the data breach area is the lack of injury or no injury-in-fact, as the Supreme Court has articulated that in TransUnion v. Ramirez. Jen, what do you see in terms of what plaintiffs are doing to try and come up with theories, at least from a financial damage or injury standpoint, that companies are now facing in what I would call data breach litigation 2.0?

Jennifer: Well, Jerry, I think several factors are really contributing to the rise of the popularity of these lawsuits. First, I think the sheer volume of people affected by these breaches has ballooned. Especially with breaches impacting millions of consumers or employees. As the size of these cases increases, I think it naturally leads to higher settlement amounts which in turn are attracting more plaintiffs’ lawyers to this area. Additionally, I think the type of data being compromised is becoming more sensitive – financial and healthcare information, for example – are leading to additional claims and higher potential damages and are leading plaintiffs’ attorneys to become more creative in looking for ways to monetize, capitalize on these breaches in terms of converting them into settlement dollars.

Justin: Yes, absolutely. And some courts are also becoming more sympathetic to plaintiffs in these cases, and to the potential long-term consequences of data breaches to plaintiffs, even where immediate harm is not apparent. So, it’ll be interesting to see where that Supreme Court case plays out. And let’s not forget about the legal fees and the expert fees also contributing to some of these large settlement dollars. As these cases become more complex with issues like class certification and determining damages, and the reasonableness of the cybersecurity, the costs involved in litigating these lawsuits are skyrocketing.

Jerry: You mentioned class certification – certainly the plaintiffs’ bar their theory is file the case, certify the case, then monetize the case, and the statistical study within the desk reference talks about the rise in class certification to 40%. Still a low number, but significantly up from 16% in calendar year 2023. What do you attribute to the trend that’s showing an upward number and a more of a chance for the plaintiffs’ bar to certify their data breach class actions?

Ryan: Well, like we mentioned before, I think it’s reflective of the fact that plaintiffs’ counsel has gotten more sophisticated in this space, and courts are getting more sympathetic to the plaintiffs at issue. But that said, class certification is still a major hurdle in any class action. And it’s particularly challenging in data breach cases. The increased success rate for class certification in the data breach space is 40% in 2024, reflecting that evolving legal precedent. Courts are now more inclined to accept the argument that consumers have suffered harm, even if their data hasn’t been directly misused, and that the mere recognition of an indirect harm, such as the increased risk of identity, theft, or emotional dispute or emotional distress, is enough to allow plaintiffs to get into court and overcome this clear obstacle.

Jerry: Jen, what were some of the major data breach litigation markers in the federal courts this year, by your way of thinking?

Jennifer: Well, Jerry, great question. We discuss in the Review some of the largest ones. Certainly, one of the prime examples is the ongoing MOVEIt Customer Data Breach Litigation. That litigation that began back in 2023 continued throughout 2024, and is ongoing. In that one, the Judicial Panel on Multidistrict Litigation consolidated more than 200 class action lawsuits. Those lawsuits resulted from a Russian cybergang hacking the file transfer software MOVEIt. The Judicial Panel on Multidistrict Litigation transferred those proceedings after consolidating them to the U.S. District Court for the District of Massachusetts. The plaintiffs in that case, as I mentioned, alleged that this vulnerability in the Massachusetts-based company MOVEIt, a transfer file software, was exploited. That data breach is considered to be the largest hack of 2023. According to the Panel’s initial transfer order, it exposed personally identifiable information of more than 55 million people. So, as I mentioned, that proceeding is ongoing. In July 2024, the Transferee Court issued an order adopting a modified bellwether structure in which it ordered the plaintiffs to file up to six consolidated amended complaints, and it ordered the parties to meet confer on the defendants to be named in each of those. The plaintiffs are going to file their motions for class certification, according to the schedule at least, in the summer of 2025. So, lots to be done in those cases yet.

Jerry: Well, it seems to me that data breach litigation, especially in the class action arena, is a problem or a fear that keeps corporate counsel up at night, and some of the top settlements in this space in 2024 maybe fuel that fear. What were some of the key and highest class action settlements in the data breach case, despite the fact that certification hovered around 40%?

The largest data breach class action settlement in 2024 was $350 million in In Re Alphabet Inc. Securities Litigation, Case No. 18-CV-6245 (N.D. Cal. Sept. 30, 2024), in which the court granted final settlement approval in a class action alleging that a software glitch led to a data breach in which Google+ users’ personal data was exposed for three years.

Justin: Yes, Jerry. Plaintiffs did very well in securing high dollar settlements last year, with the top 10 settlements totaling $593.2 million dollars. This was a significant increase over 2023 when the top 10 totaled $515 million – so they keep going up, too.

Jerry: Well, my prognostication is the 2025 numbers are going to go up and even exceed those chart-toppers in the next 12 months. In terms of final parting thoughts for our loyal listeners, what are some of the takeaways and key points that our listeners and readers should keep in mind for data breach issues in 2025?

Ryan: Invest in strong cybersecurity measures – it’s essential to stay out of the game in this space and constantly involve your cybersecurity infrastructure against these emerging threats. But beyond that, companies should also have a well-designated incident response plan in place and make sure that it’s regularly tested. This helps ensure not only quicker recovery, but also a stronger defense in court if a breach ever occurs. This legal landscape is evolving, and data breaches are no longer niche; they’re becoming an expected part of the litigation landscape, and so, having a proactive and comprehensive approach can help mitigate the immediate and long-term costs, and help keep you out of those $500 million numbers that Jerry and Justin mentioned before.

Jerry: Well, thanks, Jen, Justin, and Ryan, for your thought leadership and your analysis of this particular area. Loyal listeners, please stop by our blog and website to download for free our e-book, Data Breach Class Action Review – 2025. Thanks so much everyone for lending your expertise today on our Class Action Weekly Wire podcast.

Ryan: Thanks, Jerry.

Justin: Thanks for having me and thank you, listeners.

Jennifer: Thanks so much, everyone. See you next week.

U.S. Supreme Court Unanimously Holds That FLSA Exemptions Are Subject To The Same Standard Of Proof As Almost All Other Civil Cases

By Gerald L. Maatman, Jr., Gregory Tsonis, and Ryan T. Garippo

Duane Morris Takeaways:  On January 15, 2025, in Carrera v. EMD Sales, Inc., No. 23-217, 2025 WL 96207 (S. Ct. Jan. 15, 2025), the U.S. Supreme Court unanimously reversed the U.S. Court of Appeals for the Fourth Circuit, holding that the burden of proof required to prove the applicability of exemptions to the Fair Labor Standards Act (the “FLSA”) is not the “clear and convincing evidence” standard applied in the Fourth Circuit.  In so doing, the Supreme Court harmonized the law across the country and confirmed that such exemptions need only be proven by a preponderance of the evidence.

Background

E.M.D Sales, Inc. (“EMD”) is a company that distributes food products in the Washington D.C. area.  It employs sales representatives who work with partner grocery stores to help manage EMD products.  The sales representatives “spend most of their time outside of EMD’s main office servicing stores on their routes,” however, there was disagreement as to “whether [the] sales representatives’ primary duty is to make sales of EMD products.”  Carrera v. EMD Sales, Inc., No. 17-CV-3066, 2021 WL 1060258, at *2 (D. Md. Mar. 19, 2021).

In 2017, several of these sales representatives sued EMD in federal court in Maryland, arguing that they were entitled to overtime pay under the FLSA.  In response, EMD argued that the sales representatives were exempt from the FLSA’s requirements pursuant to the “outside salesman” exemption.  29 U.S.C. § 213(a)(1). 

Following a bench trial on the issue, the district court held that the outside salesman exemption did not apply.  In so doing, the district court relied on Fourth Circuit precedent holding that the employer has the burden of proving the applicability of any FLSA exemption by “clear and convincing evidence.”  Carrera, 2021 WL 1060258, at *5In federal courts outside of the Fourth Circuit, an employer is only required to prove these exemptions under a lower standard of proof called the preponderance-of-the-evidence standard, which is the typical standard in civil cases.  Id.  The district court held that the employer failed to meet the heightened burden of proof regarding the applicability of the exemption, and thus held that the EMD sales representatives were entitled to overtime pay.

On appeal, EMD argued that the heightened “clear and convincing evidence” standard, which had long been the applicable standard for federal courts within the Fourth Circuit, should be overturned so it conformed with the standard applied across the rest of the country.  The Fourth Circuit declined to do so and explained that “the district court properly applied the law of this circuit in requiring the defendants to prove their entitlement to the outside sales exemption by clear and convincing evidence.”  Carrera v. EMD Sales, Inc., 75 F.4th 345, 353 (4th Cir. 2023).  EMD, thereafter, sought review from the U.S. Supreme Court, which granted certiorari to resolve the issue.

The Supreme Court’s Opinion

In a unanimous 9-0 opinion written by Justice Kavanaugh, the Supreme Court explained that the “Fourth Circuit stands alone in requiring employers to prove the applicability of Fair Labor Standards Act exemptions by clear and convincing evidence.  Every other Court of Appeals to address the issue has held that the preponderance standard applies.”  Carrera, 2025 WL 96207, at *3.  In noting that the “preponderance of the evidence” standard is “the established default standard of proof in American civil litigation,” the Supreme Court explained that the default standard can only be abrogated by statute, constitutional requirement, or other uncommon situations where unusual coercive relief is sought (e.g., revocation of citizenship, etc.). 

In analyzing whether any such circumstances existed, the Supreme Court first observed that the FLSA is silent on the applicable burden of proof, noting there is no language that suggests that Congress intended a heightened burden to apply.  Second, because the FLSA does not implicate constitutional rights, the U.S. Constitution did not compel a different result.  Third, because FLSA lawsuits are akin to other employment statutes that entitle certain employees to monetary relief, they are not unusually coercive. 

Turning next to policy arguments in favor of a heightened standard, the Supreme Court noted that other important statutes, such as Title VII of the Civil Rights Act, apply a preponderance standard while seeking to achieve laudable policy goals, such as ending discrimination in the workplace.  Id. at *4-5.  Finding nothing particularly distinct about the FLSA, the Supreme Court ultimately rejected the policy arguments advanced by the sales representatives, explaining that “rather than choose sides in a policy debate, this Court must apply the statute as written and as informed by the longstanding default rule regarding the standard of proof.”  Id. at *5.

As a result, the Supreme Court reversed the decision of the Fourth Circuit and held that an employer must prove the applicability of FLSA exemptions only by a preponderance of the evidence.  The Supreme Court also remanded the case back to the district court for a determination as to whether EMD met the lower evidentiary burden.

Implications For Employers

The Supreme Court’s decision in Carrera is a welcome reprieve for employers sued in Maryland, Virginia, West Virginia, North Carolina, and South Carolina federal courts.  These employers will no longer have to satisfy a heightened burden of proof that they would otherwise not have to satisfy if sued for the same claims in any other state.  Accordingly, employers based in those states can rest a little easier knowing that the standard for proving FLSA exemptions if sued will be the default standard applied in other jurisdictions, and not the heightened “clear and convincing evidence” standard that has long applied.

© 2009-2025 Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress