Consumer Electronics Daily was a Warren News publication.
'Center of Gravity'

Support 'Thin' to Centralize AT&T Data Breach MDL in Dallas, Say Plaintiffs

Plaintiffs Ryan Unruh and Christopher Isbell oppose the consolidation of all related actions to the Northern District of Texas and support centralization in the Northern District of Georgia in In Re: AT&T Inc. Customer Data Security Breach Litigation, said their supplemental response (docket 3114) to their interested party response in support of transfer and centralization Monday before the U.S. Panel on Multidistrict Litigation.

Movant Alex Petroski's motion to centralize cases in the Northern District of Texas was “based on the generalized claim that AT&T was headquartered in Dallas,” said the response. “Given the lack of substance supporting centralization in the Northern District of Texas, and the dearth of publicly available information about the data breach,” Unruh and Isbell “sought to engage AT&T to determine the location of the witnesses, victims, and events giving rise to their claims," it said.

Unruh and Isbell’s counsel met with AT&T’s counsel on April 23 “to ask whether there were any other facts AT&T could point to related to the data breach that would inform the appropriate venue for centralization under section 1407,” the response said, citing 28 U.S. Code. “AT&T’s counsel declined to provide any information,” and two days later filed its response in support of centralization in the Northern District of Texas “pointing to the same reason" Petroski cited in his motion: that Dallas "is the location of AT&T’s headquarters,” the response said. “No other information relevant to the inquiry was cited."

Based on the “thin record supporting centralization in the Northern District of Texas,” Unruh and Isbell filed their interested party response providing detailed information about the location of likely key witnesses including “vital members of AT&T’s cybersecurity team.” They also noted that AT&T Mobility -- the service provider for AT&T’s largest customer base -- was based in Atlanta, in the Northern District of Georgia, the response said.

Unruh and Isbell supplemented that information with AT&T securities filings, updated LinkedIn profiles and AT&T’s website, “pointing to Atlanta as a central source of the evidence likely to be at issue in this case,” they said. “Compared to the threadbare information provided by AT&T in response to the data breach and submitted in support of centralization in the Northern District of Texas,” the plaintiffs presented evidence that the “center of gravity” of the litigation was more likely to be in the Northern District of Georgia, they said.

AT&T’s May 2 supplemental response in support of transfer to the Northern District of Texas (see 2405030065) “belatedly came forward with some facts about the breach that purportedly respond to the 'conjecture’ offered by Plaintiffs in support of the Northern District of Georgia," said the response. “But this selective information is vague and incomplete, and in any event does not detract from the objective evidence presented that the 'center of gravity’ of the breach is the Northern District of Georgia," it said.

AT&T focuses on the claim that its breach response is being directed from its Dallas headquarters, “but a company’s post-breach reaction and remediation is typically a small part of the inquiry,” said the response. “More germane witnesses” such as the chief technology officer and chief data officer -- “who AT&T admits are in Atlanta -- have knowledge of AT&T’s cybersecurity practices before the breach, the types of data compromised in the breach, and vendor relationships that AT&T has (at least in part) blamed for the breach,” the response said. “More importantly,” it said, AT&T’s supplement “invites more questions about the breach itself, the answers to which would allow the Panel to make an informed decision about the ‘center of gravity’ of this litigation.”

The defendant should “at least” answer three questions that would provide information that’s typically well known by the time the JPML determines an appropriate venue for centralization, the response said: What does AT&T know about the source of its data placed on the dark web; what is AT&T’s relationship “with the breached entity that possessed that data,” including any vendor the carrier says is responsible for the breach; and, if, as AT&T claims, less than 5% of “potentially impacted customer accounts are wireless,” which customer accounts comprise the remaining 95%?

Not only should AT&T answer those questions, but Rule 6.1(f) also requires that AT&T “promptly notify” the clerk of any development within its knowledge that could moot this matter or further inform the panel regarding the appropriate transferee venue, said the response. “If, for example, AT&T is transparent about the source of the breach and it is a vendor or a subsidiary, such as AT&T Mobility or DirecTV, then the parties could facilitate 1404 transfer to that entity’s location in lieu of an MDL,” the response said.

Unruh and Isbell sought this information directly from AT&T, but the defendant responded that it “does not believe it should have been put to the time and expense of an additional filing to address the Georgia proponents’ speculation,” said the response. In declining to provide the discovery plaintiffs seek, AT&T “appears to be in possession of this information, but unwilling to provide it to the Panel,” it said.

To date, AT&T has “selectively provided information” to the public, plaintiffs’ counsel, and the JPML that has left “an incomplete record as to the appropriate transferee forum for this case,” the response said. Based on the “weight of the limited information” before the JPML, the panel should centralize the actions in the Northern District of Georgia, it said.