In a landmark development for data privacy cases, AT&T has agreed to a $177 million settlement to resolve class-action lawsuits stemming from massive data breaches that exposed millions of customers’ personal information. This case highlights the critical role of private rights of action in holding corporations accountable, allowing individuals to seek redress for privacy violations amid a fragmented U.S. regulatory landscape. While federal laws like the Gramm-Leach-Bliley Act (GLBA) set baselines for financial data protection, the absence of a comprehensive national privacy framework often leaves enforcement to private lawsuits, as seen here.
The Breaches: A Timeline of Privacy Failures
AT&T’s troubles trace back to a 2019 breach that compromised the data of about 7.6 million current and 65.4 million former account holders, including names, Social Security numbers, and dates of birth. This sensitive information surfaced on the dark web in March 2023, and an investigation was confirmed in May 2023. A second breach in April 2024 targeted AT&T’s cloud provider Snowflake, stealing 2022 call and text records for nearly 109 million U.S. customers—though no names were directly attached. Two arrests followed in July 2024. These incidents fueled allegations of corporate negligence, underscoring vulnerabilities in telecom data handling and the need for stronger safeguards under laws like GLBA, which mandates protection of non-public personal information.
Settlement Terms: Compensation and Accountability
The $177 million settlement, preliminarily approved in June 2024, prioritizes payments for proven damages “fairly traceable” to the breaches. AT&T denies responsibility, attributing the leaks to “criminal acts,” but the agreement marks a win for consumer privacy rights. It ties into broader discussions on private rights of action, as seen in state laws like California’s CCPA, which allows individuals to sue for data breaches involving unencrypted personal info—potentially inspiring federal reforms amid stalled efforts like the American Data Privacy and Protection Act (ADPPA).
Privacy Implications: Lessons from the Settlement
This settlement amplifies key privacy concerns and the value of private rights of action in a system without a unified federal law:
- Corporate Accountability: It forces companies like AT&T to invest in better security, aligning with GLBA’s Safeguards Rule, which requires risk assessments and training—but highlights gaps in enforcement without private suits.
- Consumer Empowerment: Private rights enable class actions for breaches, as in CCPA (up to $750 per violation), contrasting with federal limits where agencies like the FTC handle most cases.
- Data Vulnerability: Exposed SSNs and call logs heighten risks of identity theft and surveillance, tying into GLBA’s focus on financial privacy while exposing needs for broader protections.
- Regulatory Patchwork: Without a national framework, states fill voids, but inconsistencies burden businesses; this case could push for federal preemption, as debated in recent House RFIs on GLBA amendments.
- Future Reforms: It underscores calls for data-level exemptions in privacy laws and stronger definitions of sensitive info, potentially influencing stalled bills like ADPPA to include robust private actions.
As breaches proliferate, private rights of action remain a vital tool for justice, bridging gaps in federal oversight and showcasing the risk to businesses of any size that do not have their privacy measures in place. Luckily, a superhero compliance team is close by, waiting to help patch up these vulnerabilities and tighten up data privacy measures.