T-Mobile Notice of Removal Breaks Its Silence on Data Breach Lawsuits
T-Mobile removed to U.S. District Court for Northern Illinois in Chicago what’s believed to be the 13th class action nationally arising from the company’s Jan. 19 disclosure that bad actors accessed the accounts of 37 million current postpaid and prepaid customers (see 2301230046). T-Mobile’s notice of removal Wednesday (docket 1:23-cv-01263) of the complaint filed Jan. 24 in Cook County Circuit Court broke its nearly six weeks of silence since the first of the class actions was filed against the carrier Jan. 21.
T-Mobile "denies all liability" on the claims of plaintiffs David Lopez and Jerome Cascio, both Illinois residents, that it negligently allowed hackers access to the personally identifiable information (PII) of 37 million account holders, said the notice. It also denies the plaintiffs “could ever recover damages, and denies that a court could ever certify a class” under Federal Rule of Civil Procedure 23, it said.
Accepting the plaintiffs’ allegations as true, “for removal purposes only,” their putative class claims “put more than $5 million, exclusive of interest and costs, in controversy,” thus satisfying the threshold for federal subject-matter jurisdiction under the Class Action Fairness Act, said the notice. Assuming, “for purposes of this removal,” that there are 37 million putative class members, a “plausible number” considering the allegations, as long as the plaintiffs are seeking to recover more than 14 cents in damages per putative class member, the amount in controversy exceeds $5 million, it said.
Lopez and Cascio allege T-Mobile should compensate putative class members “for the costs associated with paying for credit monitoring services,” to safeguard against identify theft stemming from the data breach, said the notice. Even assuming the plaintiffs are seeking such services for only a year, the costs “for just for this one category of relief” easily satisfies “the amount in controversy requirement,” it said. “Numerous courts have considered the cost of identity theft protection and credit monitoring in evaluating CAFA jurisdiction in data breach cases.”
T-Mobile's failure to “implement or maintain adequate data security measures” for customers’ PII in its systems “directly and proximately caused injuries” to plaintiffs Lopez, Cascio and the class, alleged their complaint. It failed to take “reasonable steps” to “properly protect” sensitive PII, “despite well-publicized data breaches at numerous businesses and financial institutions in recent years,” it said.
American consumers “have suffered real and imminent harm as a direct consequence” of T-Mobile’s negligent conduct, alleged the Lopez-Cascio class action. They accuse T-Mobile of refusing “to take available steps to prevent the breach from happening.” They also allege T-Mobile is culpable for “failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard” the sensitive PII in its systems. T-Mobile is also guilty of “failing to provide timely and adequate notice of the data breach,” said the complaint.
Comments are due March 16 at the Judicial Panel on Multidistrict Litigation on a motion to transfer the previously filed data breach class actions against T-Mobile to U.S. District Court for Western Washington in Seattle, near the carrier’s primary headquarters in Bellevue for pretrial consolidation under a single judge. An alternate transferee venue proposed is U.S. District Court for Western Missouri in Kansas City, about 12 miles northeast of T-Mobile’s secondary headquarters in Overland Park, Kansas.