Plaintiffs 'More Than Adequately Pled' Their Dish Data Breach Claims, Says Filing
The plaintiffs have shown injury and have “more than adequately pled" their data breach claims, said their opposition Tuesday (docket 1:23-cv-01168) in U.S. District Court for Colorado in Denver to Dish Network’s motion to dismiss their consolidated complaint in its entirety. The case involves a February 2023 ransomware attack in which the personally identifiable information (PII) of Dish employees and family members was compromised. Dish employees and their family members have suffered financial, reputational and other cognizable injuries, the opposition said. Some plaintiffs’ have experienced actual harm with bank accounts opened illegally in their names, were denied jobs or discovered attempts to apply for unemployment in their names, said the filing. It’s not just “theoretical” that plaintiffs’ PII may be misused by criminals, said the opposition: “It already has been -- and the door is wide open now for all of them to experience increased misuse going forward.” Article III standing requires that plaintiffs’ injuries are fairly traceable to the challenged action of the defendant, it said. Plaintiffs “easily satisfy this standard" by alleging the data breach occurred as a result of Dish’s “misconduct,” allowing cybercriminals to access their private information, including Social Security numbers, and that the stolen data was misused, it said. Without Dish’s “misconduct,” the plaintiffs wouldn’t have been harmed, it said. Dish argued that one injury related to a plaintiff’s debit card number being used for unauthorized charges was insufficient because the consolidated amended complaint didn’t provide details about the purchase or that he provided a particular debit card number. “But so what?” said the opposition, saying it’s unnecessary to allege debit card numbers in a pleading. Dish asserted the plaintiffs haven’t alleged any facts suggesting a future data breach is likely, but it has already been breached once “due to inadequate data security – and it is foreseeable another breach will occur,” the opposition said. Plaintiffs' claim for injunctive relief doesn’t rely solely on past conduct but also relies on protecting their PII still backed up in Dish’s possession, it said. Class members are largely past and current employees of Dish, and the company is obligated, under the Fair Labor Standards Act, to maintain their PII for up to three years, post severance, said the opposition. Without better cybersecurity going forward, class members’ information is “vulnerable to another hack and, if and when it does happen, the results would likely be devastating,” giving plaintiffs standing to seek injunctive relief, it said. Dish concluded it had no duty to protect plaintiffs’ PII, but an employer’s duty to protect employees’ PII has been recognized in circuit courts across the country, it said. Dish argued that a claim for breach fails because it made no representations regarding an agreement to provide data security to plaintiffs, but an express communication regarding the agreement doesn’t need to be made, the opposition said. As a condition of being employed, current and former employees were required to provide their PII to Dish, it said. Dish accepted the PII with the understanding it would take “appropriate steps to safeguard” it; otherwise, plaintiffs would not have provided it, said the filing.