In a record-setting proposed settlement filed last week, T-Mobile has agreed to pay $350 million and boost its data security by $150 million over the next two years to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  Read on for the terms of the settlement, which may serve as a model in other high stakes data security cases going forward.

Recall that in August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information the “Data Event”).  By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack.  Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.  In December 2021, the Judicial Panel on Multidistrict Litigation transferred and centralized the putative class actions into the MDL standing before the Western District of Missouri.

In the Consolidated Complaint in the MDL filed in May, Plaintiffs alleged that they “entrusted their sensitive PII to T-Mobile with the understanding that T-Mobile would keep their information secure and employ reasonable and adequate security measures to ensure that it would not be compromised.”  Plaintiffs also asserted that “[i]f Plaintiffs had known of T-Mobile’s lax security practices with respect to Plaintiffs’ PII, they would not have done business with T-Mobile, would not have applied for T-Mobile’s services or purchased its products, would not have opened, used, or continued to use T-Mobile’s cell phone and other telecommunications-related services at the applicable rates and on the applicable terms, or would have paid less because of the diminished value of T-Mobile’s services.”

Plaintiffs sought to certify a nationwide class comprised individuals whose personal information was disclosed in the Data Event and asserted 95 separate claims for: (1) negligence; (2) negligence per se; (3) breach of confidence; (4) invasion of privacy-intrusion upon seclusion; (5) breach of express contract; (6) breach of implied contract; (7) unjust enrichment; (8) declaratory judgment; and (9) violation of state consumer protection and privacy laws (including under the California Consumer Privacy Act (“CCPA”).  Plaintiffs sought statutory damages (including liquidated damages), disgorgement of all earnings received by T-Mobile as a result of its allegedly unlawful practices, injunctive relief, attorneys’ fees and punitive damages.

On July 22, 2022, Plaintiffs filed an unopposed motion for preliminary approval of a proposed settlement to the class.  The settlement class comprises of approximately 76.6 million U.S. residents whose information was involved in the cyberattack.  As part of the settlement, T-Mobile agreed to fund a non-reversionary $350 million settlement fund to pay class claims for out-of-pocket losses or charges incurred as a result of identity theft or fraud, falsified tax returns, or other alleged misuse of a class member’s personal information.  The settlement fund will then make payments to class members on a claims-made basis with a $25,000 aggregate claims cap per class member.  The proposed settlement also contemplates attorneys’ fees of no more than 30% of the settlement fund, approximately $105 million, and $2,500 individual service awards to class representatives.

In addition to its monetary provisions, the proposed settlement also provides class members with the opportunity to enroll in two years of identify protection services including credit monitoring from TransUnion.  T-Mobile further agreed to maintain an incremental spend commitment of at least $150 million for data security and related technologies for years 2022 and 2023, above its previously budgeted baseline.  The specifics of these additional remedial measures are not set forth in the proposed settlement agreement.  This commitment is in addition to the $350 million settlement fund.

The size of this settlement is in stark contrast to many other data breach litigation settlements, but is a reflection of the scope of the T-Mobile Data Event.  Whether this case now serves as a new benchmark for other high stakes data breach cases involving putative nationwide classes remains to be seen.