Data breach lawsuit plaintiffs often struggle to establish cause and effect between a cyberattack and consumer harm. Consumers claimed in a series of class actions brought against T-Mobile that stolen personal information was put up for sale on a dark web forum, allegedly allowing for instances of actual and attempted identity theft and fraud.
“So many people’s data has been pilfered in various breaches that it’s difficult, if not impossible, to trace the attempted misuse of data to a particular breach,” said David Balser, a partner at King & Spalding LLP who has defended companies including
Being able to follow exfiltrated data makes it easier to “connect the dots on causation,” Balser said, likely spurring T-Mobile to settle sooner. Some of the consumers in the T-Mobile case said they were notified by third-party monitoring companies that their personal information was found on the dark web.
Their combined complaint alleged that T-Mobile tried to purchase the stolen customer data in exchange for its deletion from the forum.
“As we continue to invest time, energy, and resources in addressing this challenge, we are pleased to have resolved this consumer class action filing,” T-Mobile said in a July 22 statement.
The deal comes less than a year after T-Mobile disclosed last August that a cyberattack compromised more than 76 million customer records. T-Mobile hadn’t yet made legal arguments in favor of dropping the data breach suits, which were combined into one case.
“A business decision was made to put this behind them as quickly as possible,” Balser said.
The agreement includes $350 million to pay claims from consumers, with another $150 million boost to security spending at T-Mobile, putting the pact among the biggest data breach settlements lately.
Equifax previously agreed to pay about $380 million to resolve allegations stemming from a 2017 data breach that affected approximately 147 million people. That compares to Capital One’s $190 million data breach deal over an incident that impacted about 100 million people in the US.
The cyberattack against T-Mobile systems exposed customer details such as names, Social Security numbers, and phone numbers.
The proposed class action settlement estimates damages to consumers based on how much time they spent responding to the incident. As an alternative, consumers can seek fixed payments of $25 per person, or $100 for individuals in California, where a first-in-the-nation state privacy law lays out pre-set damages for data breaches.
“The issue has always been proving damages,” said Robert Braun, a partner at Jeffer Mangels Butler & Mitchell LLP. “By having statutory damages, that really changes the landscape for these kinds of settlements.”
One of the lawyers representing consumers in the T-Mobile suit said they’re pleased with the settlement, which still needs approval from the US District Court for the Western District of Missouri.
“The settlement provides unprecedented relief to a class of this size and was achieved early in the litigation, meaning benefits will be in the hands of class members much sooner than can usually be accomplished in these cases,” Norm Siegel, a partner at Stueve Siegel Hanson LLP, said in an emailed reaction on behalf of the consumers’ lawyers.
The settlement terms don’t detail how T-Mobile will use its $150 million in security spending, though the company said it has added to cyber defenses in the past year. That includes creating a cyber unit that reports directly to T-Mobile’s chief executive officer and working with consulting firms on further reforms to its security safeguards.
Lawyers from Alston & Bird LLP, Perkins Coie LLP, Spencer Fane LLP, and Snell & Wilmer LLP represent T-Mobile in the case. The consumers are represented by law firms including Stueve Siegel Hanson LLP, Keller Rohrback LLP, and Hausfeld LLP.
The case is In re T-Mobile Customer Data Security Breach Litig., W.D. Mo., No. 4:21-md-3019, settlement proposed 7/22/22.