Judicial panel transfers Snowflake data breach cases to district of Montana

A federal judicial panel has ordered roughly 80 data breach lawsuits involving cloud storage software firm Snowflake Inc. be consolidated and transferred to the District of Montana. The decision, issued by the U.S. Judicial Panel on Multidistrict Litigation (JPML) on Friday, brings the cases under the jurisdiction of Chief U.S. District Judge Brian Morris. The panel cited Snowflake’s headquarters in Bozeman, Montana, and noted the district’s capacity to manage the multidistrict litigation (MDL).

The cases stem from a series of breaches between April and June that exposed the personal information of over 100 million individuals. The lawsuits target Snowflake’s data security practices, with plaintiffs alleging that the firm failed to adequately protect sensitive data shared across its cloud platform. Notably, seven companies that utilized Snowflake’s services—including AT&T, Ticketmaster, Live Nation Entertainment, Advance Auto Parts, Cricket Wireless, Lending Tree’s QuoteWizard.com subsidiary, and The Neiman Marcus Group—have also been named in lawsuits.

Attorney Jeff Ostrow, who filed the motion for an MDL in Montana, praised the decision, noting that modern technology has made the physical location of a courthouse less relevant in such cases. “The panel clearly placed less emphasis on the physical location of the courthouse,” Ostrow stated. “Recognizing the District of Montana is just as deserving as any other district, it chose to transfer the cases to Chief Judge Brian Morris, who is well-respected and more than capable of overseeing this large MDL.”

The JPML rejected alternative proposals, including suggestions to separate the breach cases based on individual Snowflake clients. Instead, the panel emphasized that the core issues of the breach—Snowflake’s data security practices and the company’s response—are common to all cases. The panel highlighted the importance of examining Snowflake’s “shared responsibility” cybersecurity model, which plaintiffs allege made Snowflake jointly responsible with its corporate clients for securing the breached data.

The breaches, which occurred over several months, were first detected by Snowflake on May 23. The company has insisted that its platform was not compromised and that the responsibility for enhancing security controls, such as multifactor authentication, rested with its clients. Snowflake’s attorney, Stephen Broome, had opposed the consolidation of the cases, arguing that the claims against Snowflake were not comparable to prior MDLs, such as the MOVEit cyberattack in 2023.