Briefs Due April 18 on Motion to Consolidate AT&T Data Breach Cases in Dallas
The U.S. Judicial Panel on Multidistrict Litigation (JPML) is moving with apparent speed to corral the growing volume of AT&T data breach class actions into a single, centralized proceeding.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The panel assigned the MDL case number 3114 and released a briefing schedule Thursday that calls for opening notices of appearances to be filed by April 18, responses by April 25 and optional replies by May 2, said its text-only clerk's notice. In their briefs, the parties should address what steps they have taken to pursue alternatives to centralization, including engaging in informal coordination of discovery and scheduling, and seeking Section 1404 transfer of one or more of the subject cases, said the notice.
On the table is a motion filed Wednesday by attorneys for Alex Petroski, the plaintiff in the first-filed data breach class action against AT&T (see 2404010019), to consolidate the multitude of cases and transfer them to U.S. District Court for Northern Texas in Dallas, where the vast majority of the cases have originated.
“Compelling logistical and common-sense reasons” justify transfer to the “common jurisdiction” of the Northern District of Texas, said Petroski’s motion. AT&T, the common defendant in every action, “has its principal place of business and headquarters in Texas” and does significant business there, it said. A “substantial portion of the events” giving rise to Petroski’s claims also “arise in Texas,” it said: “Thus, key witnesses and documents are likely to be found there.”
The vast majority of cases were filed in the Northern District of Texas, said the motion. “Only one case has been filed in another jurisdiction, the Western District of Oklahoma,” it said. Another case outside Dallas has since been filed in the Northern District of Georgia in Atlanta (see 2404030040). The Dallas court “also has suitable docket conditions and is a major air hub and international business and travel destination,” so traveling to and from there, when needed, “is easily accomplished,” it said.
Petroski’s motion lists 12 related actions pending against AT&T, but it doesn’t account for the Atlanta case, and the number is certain to rise. Another class action was filed Tuesday in U.S. District Court for Western Missouri in Kansas City. Court records show 19 class actions in total filed against the AT&T data breach in the Northern District of Texas through the close of business Thursday.
All the related actions “assert similar claims arising from a common nucleus of operative facts,” said the motion. They all allege that AT&T failed to prevent a cyberattack that resulted in the theft and dissemination of at least 73 million individuals’ sensitive and personal information, which has now appeared on the dark web, it said.
AT&T is one of the world’s largest wireless carriers and internet providers, said the motion. According to AT&T, the leaked data included full names, email addresses, mailing addresses, phone numbers, dates of birth, Social Security numbers, AT&T account numbers and passcodes, it said. Movant Petroski filed the first lawsuit against AT&T related to the data breach on March 30, it said: “Other cases soon followed, and more are expected.”
The JPML has transferred and centralized “a host of cases involving data security breaches” similar to the AT&T breach, “usually in the state where the primary defendant does substantial business or resides,” said the motion. It specifically cited the JPML’s June order transferring some 16 T-Mobile data breach cases to the Western District of Missouri, roughly 20 miles northeast of T-Mobile’s headquarters campus in Overland Park, Kansas (see 2306050001).
Each action against AT&T arises from the carrier's “lax security practices,” said the motion. Each complaint filed “alleges that AT&T’s practices either violate common law or state data privacy laws, or both,” it said. The cases all involve “common questions of fact,” including whether the defendant violated state common laws “by failing to properly secure the sensitive personal information” of the various plaintiffs and the putative classes, it said.
The factual and expert discovery concerning those common questions of fact “will be substantially the same” in all the related actions, said the motion. The related actions “also share substantially similar legal theories and causes of action,” it said. Plaintiff Petroski “anticipates similar motion practice" in all the cases, it said. These cases thus “will benefit from coordinated or consolidated pretrial proceedings through a multidistrict litigation,” it said.