Dallas Federal Court Is Appropriate Venue for Data Breach MDL, Say Plaintiff, AT&T
The Northern District of Texas is the appropriate transferee forum for coordinated or consolidated litigation in In re: AT&T Inc. Customer Data Security Breach Litigation, said movant Alex Petroski in a Thursday reply (docket 3:24-cv-00757) before the Judicial Panel on Multidistrict Litigation (docket 3114). The reply was in further support of his motion for transfer and centralization of related actions to the district.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Petroski’s March 30 complaint was the first filed since AT&T disclosed that “data-specific fields” from 2019 or earlier were contained in a data set released on the dark web in March, affecting 73 million former and current AT&T customers (see 2404010019).
None of the parties who filed responses to Petroski’s motion opposes centralization of the actions, so there’s no dispute that centralized pretrial proceedings will secure the “just, speedy and inexpensive determination” of the issues raised in the actions, said the reply. The only issue is the most appropriate jurisdiction for the coordination of the actions, which the reply said is “unquestionably” the Northern District of Texas.
Since Petroski’s March 30 filing, the potential MDL comprises 46 actions in eight jurisdictions, said the reply. Thirty-three of those are pending in the Texas District, four are in the Northern District of Georgia and the others are “dispersed through different courts,” said the reply. U.S. District Judge Ada Brown has consolidated all the Northern District of Texas cases in her court, where they are stayed pending the outcome of the MDL petition, it said.
With AT&T headquartered in Texas, relevant witnesses and documents will be found there, the reply said. Given the likelihood that the breach occurred before the 2024 release of the exfiltrated data on the dark web, and given the seriousness of the incident and “sheer volume of customer records at issue, it cannot be presumed that decisions about preventing, responding to, and/or disclosing” the breach were made at “some low-level of the company as Unruh Plaintiffs speculate,” the reply said.
Ryan Unruh, a Kansas resident, and Christopher Isbell, residing in Florida, seek consolidation in the Northern District of Georgia. Of the plaintiffs who have filed in or are seeking consolidation in the Northern District of Georgia, only one lives in that jurisdiction “with the rest dispersed” throughout the country, the reply said. The central location of Dallas is “more convenient” for all parties, it said. Also, it said, interested parties seeking transfer to the Western District of Oklahoma noted the “short drive” from Dallas.
AT&T has acknowledged that “senior management’s knowledge of, and response to,” the cyberattack will likely be a critical aspect of the litigation, said Petroski's reply. AT&T’s senior management is located in its Dallas headquarters, including CEO John Stankey and Chief Operating Officer Jeff McElfresh, “both of whom may be relevant witnesses in the litigation,” said the filing. The company’s chief technology officer and chief data officer are employees of AT&T Services and spend “considerable time” at the Dallas headquarters, said the response.
In its supplemental response in support of transfer to and centralization in Dallas federal court Wednesday, AT&T said Georgia proponents’ conjecture that AT&T Mobility customers comprise the majority of potentially affected individuals is wrong. AT&T companies offer wireline and wireless telephony and broadband services to consumer, business, and government customers in the U.S., the response said. Though its investigation is ongoing, “less than 5% of potentially impacted customer accounts are wireless,” said AT&T's response.
Regardless of the number of potentially affected customer accounts, the Northern District of Texas remains “the most appropriate and convenient forum,” said AT&T. Though AT&T Mobility is based in Atlanta, the organization that builds the wireless network and customer operations, “which has certain incident response and breach remediation responsibilities,” is located “in Dallas, not Atlanta,” and AT&T’s response to the security incident is directed from the Dallas headquarters, said the response.
The Unruh plaintiffs claim at least a dozen AT&T cybersecurity employees are based in Atlanta, but the company has over 1,200 employees with internal cybersecurity responsibilities, said AT&T’s response. None of the Georgia individuals the Unruh complaint cited was involved in the incident or the response to it, AT&T said. Also, said the defendant, only seven of the 63 named plaintiffs say they reside in Georgia; the other six sued in the Dallas court, it said.