Sept 20 (Askume) – When the U.S. Federal Communications Commission announced on Tuesday that AT&T had agreed to pay $13 million to resolve an investigation into a data breach affecting nearly 9 million wireless customers, my first reaction was to yawn.
What does $13 million mean for a company with $122.4 billion in revenue in 2023 under the FCC consent order ? Barely changed.
That is, until I compared the FCC settlement to a proposed class action lawsuit over the same data breach.
In a little-known ruling , AT&T convinced a federal judge in North Carolina last year that a class action lawsuit was not possible under the terms of AT&T’s customer service agreement and that potential plaintiffs would have to arbitrate their disputes individually.
The defense could be a sign of how successfully the telecom giant will fight against pending class-action lawsuits tied to two massive data breaches earlier this year.
Suddenly, the FCC’s $13 million fine looks pretty severe, as an agency spokesperson noted via email that it also requires AT&T to make “substantial expenditures” to improve its security and supply chain integrity.
An AT&T spokesperson said via email that protecting customer data “remains one of our top priorities.”
The spokesperson also said the company’s arbitration policy, which “is recognized by federal courts as one of the most consumer-friendly in the country, is designed to resolve claims promptly, regardless of whether a customer has an attorney.”
As is often the case in this case, federal regulators and private attorneys are pursuing the same misconduct. According to the FCC, hackers obtained wireless customer data from AT&T providers from 2015 to 2017 in 2023, including information like account line counts, as well as billing and rate plan information for some accounts. Both parties agreed that any more sensitive information, like credit card information or social security numbers, would not be compromised.
After AT&T began notifying customers of the breach in March 2023, Palin | attorneys Wiley | and Copeland Steyer Walz & Lowell immediately filed a class action lawsuit in the U.S. District Court for the Western District of North Carolina.
The lawyers, who did not respond to requests for comment, claim the breach exposed AT&T customers nationwide to identity theft and fraud, and assert that causes of action include negligence, violation of privacy, breach of contract and unjust enrichment.
“AT&T has a tremendous responsibility to safeguard the information it collects,” plaintiffs’ lawyers wrote in the 49-page complaint. “AT&T has completely failed to meet these obligations and safeguard sensitive consumer data.”
AT&T’s outside counsel, Kilpatrick Townsend & Stockton, countered in court filings that the company’s customer service agreement “clearly” states that all disputes with AT&T “must be resolved on an individual basis, and not through jury trials or class actions.”
AT&T said its records show the lead plaintiff signed the agreement electronically when she upgraded her phone in 2021. She was again notified of the arbitration clause via email and on her bill when AT&T later updated the terms and conditions of her service agreement, the company said.
US Magistrate Judge Susan Rodriguez was persuaded that the case should go to arbitration. Last August, she ruled that the parties had entered into a valid contract, which included an arbitration agreement, and rejected arguments from plaintiffs’ lawyers that the clause did not cover claims related to the personal data breach.
In the modern age of technology, he wrote, it would be “difficult” for plaintiffs to maintain that such violations “do not fall within the scope of the arbitration clause.”
In fact, AT&T’s settlement stands in stark contrast to Disney’s move to force arbitration , which I wrote about recently. In that case, Disney initially argued that a claim by a Florida widower whose wife died of an allergic reaction after dining at a Disney Springs restaurant required arbitration because the man had signed up for a Disney+ trial of the streaming service. (Disney later withdrew its arbitration request from the case.)
Rodriguez also rejected arguments that the AT&T contract was unfair or that the plaintiff had no choice but to agree, noting that he could have switched to another cell phone provider.
In a status report filed Wednesday, the parties said the plaintiffs have filed a request for individual mediation with the American Arbitration Association, but have not yet appointed an arbitrator to hear the case.
The question I am left with now is whether similar arbitration arguments will ultimately defeat other pending class action lawsuits against AT&T.
On March 30, my Askume colleagues reported that AT&T said it was investigating a data leak on the dark web. The company’s preliminary analysis shows that the breach affected about 7.6 million current customers and 65.4 million former account holders.
The hacked information included names, addresses, dates of birth and Social Security numbers, according to multiple class-action lawsuits now consolidated in federal court in Dallas .
The multi-district lawsuit is in the early stages of proceedings, and AT&T has yet to provide any concrete defense.
Lead plaintiffs’ attorney Mark Lanier told me via email that “AT&T may seek arbitration in some cases, but we have seen no indication that they will do so.”
If that is the case, he said, “mediations could be conducted on a group basis,” though it’s also possible these would all be individual mediations. “That would depend on the attorney filing the ruling,” Lanier said.
As my colleague Alison Frankel writes , large-scale arbitration, in which thousands of plaintiffs bring nearly identical arbitration claims, can be prohibitively expensive for defendants paying the arbitration fees and provides plaintiffs with an advantage to settle.
The March data breach isn’t AT&T’s only legal headache. In July, the company said it suffered another hacker attack and that data from about 109 million customer accounts was illegally downloaded, including call and text message records dating back to 2022, according to Askume .
At least one complaint was filed on behalf of non-AT&T customers — who may not have an arbitration agreement with AT&T. They claim their data was compromised because their wireless provider exploited AT&T’s network when hackers accessed call and text message records.
An FCC spokesperson confirmed to me that the agency is also investigating the July breach.
All of this shows that even the strongest arbitration agreement will not solve all of a company’s legal problems.
The views expressed are solely the author’s own. They do not reflect the views of Askume News, which is committed to integrity, independence and non-partisanship in accordance with the principles of trust.
