On Monday, Judge Jesse M. Furman of the Southern District of New York issued an opinion in the putative class action suit resulting from a November 2019 data breach at television and communications provider Altice USA, Inc. denying Altice’s motion to dismiss for lack of subject-matter jurisdiction but granting its motion to dismiss for failure to state a claim as to some of the claims made by the plaintiff. Additionally, the court deferred judgment on the motion to compel arbitration.
In November 2019, the opinion recounted, bad actors carried out a phishing attack on Altice, accessing email accounts after employees inadvertently disclosed their login credentials. The court noted that an investigation indicated that “one of the downloaded email inboxes contained a password-protected, but not encrypted, document with the names, employment information, dates of birth, social security numbers, and in some instances, driver’s license numbers of 52,846 current and former Altice employees.
The opinion noted that the “nine named Plaintiffs are current or former employees of Altice whose personal identifying information, including Social Security numbers, was stolen in the breach.” Accordingly, the plaintiffs brought various claims, including “negligence, negligence per se, breach of implied contract, violation of the New York Labor Law, and violation of the Cable Communications Act of 1984” against Altice for purportedly “failing to take adequate measures to protect their data.”
Altice moved to dismiss for lack of subject-matter jurisdiction asserting that the plaintiffs failed to sufficiently allege injury for Article III standing; Altice moved to compel arbitration for seven out of the nine named plaintiffs based on the General Terms and Conditions to which they supposedly agreed to as Altice subscribers; and Altice moved to dismiss New York Labor Law claims and the related negligence per se claims, as well as the claims for breach of an implied contract, for failure to state a claim.
In regards to the motion to compel arbitration, the court noted that it is based on “a relatively new species of arbitration clause…for its striking breadth: It effectively requires arbitration of any dispute between a subscriber and Altice (and/or related parties)…whether arising now or in the future, and without regard for whether it arises from or relates to the cable services agreement of which it is part.” The court pointed to the fact that the arbitration agreement is not found in any employment agreement, but rather found in the General Terms and Conditions of Service. The court claimed that the “arbitration clause at issue does not require arbitration of claims that lack a nexus to the cable services agreement.” However, the court added that since “the record is unclear with respect to whether or to what extent Plaintiffs’ claims arise from or relate to their status as cable service subscribers, the Court ultimately defers decision on the motion to compel arbitration pending supplemental submissions from the parties.”
The court concluded that the plaintiffs’ New York Labor Law claims and related negligence per se claims fail as a matter of law. The court said the plaintiffs “do not cite and the Court has not found, any authority supporting the proposition that a New York Labor Law claim lies where, as here, the employer did not ‘communicate’ personal identifying information to anyone, but instead is alleged to have not taken adequate steps to prevent criminals from gaining information that, in turn, they used to gain access to the relevant information.”
Additionally, the court said the plaintiffs state plausible claims for breach of implied contract by, for example, providing “specific examples of Altice’s failure to perform its implied contractual duties, including inadequate email filtering software and cybersecurity training for employees who deal with sensitive data; a failure to encrypt the stolen document; and retention of personal identifying information pertaining to former employees who had left the company years earlier.”