Facts

Accellion Inc. is a Palo Alto-based company that provided the Accellion File Transfer Appliance to its clients, which included banks, law firms, universities, and healthcare organizations. For more than 20 years, Accelion FTA had been used by clients to securely transfer files that were too large to be sent via email. Accellion, however, developed a new platform, Kiteworks, and had decided to cease support for the FTA effective April 30, 2021. Prior to this date, Accellion encouraged customers to upgrade to Kiteworks, but many clients continued to use Accellion FTA. Then, in December 2020, two hacker groups exploited vulnerabilities in the FTA to gain unauthorized access to and download a significant amount of clients' data. A class action lawsuit was filed by Jaramey Stobbe on behalf of himself and on behalf of all others similarly situated who had been affected by the data breach.

PLAINTIFFS' CONTENTIONS: Plaintiffs contended that defendant had possession of affected users' personal information and sensitive data, including names, dates of birth, Social Security numbers, and medical information; that defendant failed to properly protect users' information, specifically by failing to implement and maintain appropriate data security practices, to detect security vulnerabilities in the FTA, and to disclose that its security practices were inadequate to protect sensitive data; that plaintiffs had been harmed by their data being illegally accessed and downloaded; and that defendant's failure was the proximate cause of that harm.

DEFENDANT'S CONTENTIONS: Defendant denied all of plaintiffs' material allegations; and defendant contended that it was not responsible for maintaining and updating clients' instances of the FTA software; that it did not collect, access, or store the content of files shared via the FTA; and that it did not provide any guarantees to clients that the FTA software was secure.

Settlement Discussions

The parties engaged in two formal mediation sessions with the Honorable Jay C. Gandhi (Retired), but were unable to reach an agreement during those sessions. A settlement was eventually reached following further negotiations between the parties' counsel.

Result

A settlement was reached wherein Accellion admitted no wrongdoing but agreed to fund an $8.1 million settlement for class members. Accellion also agreed to retires its File Transfer Appliance offering; to expand its bug bounty program; to provide annual cybersecurity training to all employees; to employ personnel with formal responsibilities for cybersecurity; to maintain FedRAMP certification for its newer Kiteworks offering; and to periodically and publicly confirm compliance with the agreement on its website.