On January 22, 2023, T-Mobile was sued in federal court in California alleging negligence, unjust enrichment, breach of express contract, breach of implied contract, and invasion of privacy over the recently-disclosed data breach of more than 37 million postpaid and prepaid customer records.

According to the complaint, the plaintiff was informed just two days before suit was filed that information belonging to her and other class members was “accessed and acquired by the unauthorized actor” and that class members “are at imminent risk of identity theft.”

On the other hand, T-Mobile has stated in a recently filed Form 8-K that the threat actor obtained data through a single API (application programming interface), that the company discovered and stopped it within one day, and that the threat actor was unable to compromise its systems or network. Significantly, T-Mobile stated that the data accessed by the bad actor did not include any financial information or Social Security numbers. Instead, the data accessed included customers’ “names, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”

Based on the facts presented by T-Mobile, we expect that the company will vigorously defend the suit and a motion to dismiss the complaint will be forthcoming. There is strong precedent that requires plaintiffs to prove substantial harm in order to withstand a motion to dismiss. No matter how this particular case plays out, what is astounding is the speed at which suits are filed after a data breach is announced, no matter the facts.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.