(The opinions expressed here are those of the author, a

columnist for Reuters.)

By Jenna Greene

Sept 20 (Reuters) - When the Federal Communications

Commission on Tuesday announced that AT&T ( T ) agreed to pay $13

million to resolve an investigation into a data breach that

affected nearly 9 million wireless customers, my initial

reaction was a yawn.

What's $13 million to a company that, per the FCC consent

decree, had operating revenue of $122.4 billion in 2023?

Practically pocket change.

That is, until I compared the FCC's settlement to a proposed

class action over the same data breach.

In a little-noticed decision, AT&T ( T ) last year convinced a

federal judge in North Carolina that under the terms of AT&T's ( T )

customer service agreement, a class action was a no-go, and the

would-be plaintiffs were required to individually arbitrate

their disputes.

It's a defense that may foreshadow how the telecom giant

could successfully counter still-pending class action claims

involving two much-larger data breaches that occurred earlier

this year.

Suddenly, the FCC's $13 million penalty, which an agency

spokesperson via email noted also requires AT&T ( T ) to make a

"significant expenditure" to boost its security and supply chain

integrity, is looking rather robust.

An AT&T ( T ) spokesperson said via email that protecting customer

data "remains one of our top priorities."

The spokesperson also said that the company's arbitration

policy, "recognized by a federal court as one of the most

consumer-friendly in the country, is designed to quickly resolve

claims regardless of whether the customer has an attorney."

As is often the case, federal regulators and private lawyers

in this instance were chasing the same misconduct. According to

the FCC, hackers in 2023 accessed data from an AT&T ( T ) vendor on

wireless customers from 2015 through 2017 that included

information such as the number of lines on an account, as well

as billing and rate plan information for some accounts. Both

sides agree that more sensitive data such as credit card

information or social security numbers were not compromised.

After AT&T ( T ) began notifying customers in March of 2023 of the

breach, lawyers from Poulin | Willey | Anastopoulo and Copeland

Stair Valz & Lovell promptly filed a class action in U.S.

District Court for the Western District of North Carolina.

The lawyers, who did not respond to requests for comment,

alleged that the breach exposed AT&T ( T ) customers across the

country to identity theft and fraud and asserted causes of

action including negligence, invasion of privacy, breach of

contract and unjust enrichment.

AT&T ( T ) had "enormous responsibility to protect the data it

collected," the plaintiffs' lawyers wrote in their 49-page

complaint. "AT&T ( T ) completely and utterly failed to meet these

obligations and protect sensitive consumer data."

AT&T ( T ) outside counsel from Kilpatrick Townsend & Stockton

countered in court papers that the company's customer service

agreement "conspicuously" states that all disputes with AT&T ( T )

must be resolved "on an individual basis rather than jury trials

or class actions."

AT&T ( T ) said its records showed that when the lead plaintiff

upgraded his cell phone in 2021, he electronically signed the

agreement. He was again notified of the arbitration provision

via email and in billing statements when AT&T ( T ) later updated the

service agreement's terms and conditions, the company said.

U.S. Magistrate Judge Susan Rodriguez was persuaded that the

case belonged in arbitration. Last August, she ruled the parties

had formed a valid contract that included an agreement to

arbitrate, rejecting arguments by the plaintiffs' lawyers that

the provision did not cover personal data breach-related claims.

In the modern age of technology, she wrote, it's "difficult"

for a plaintiff to maintain that such a breach "was not within

the realm of possibilities to be covered by an arbitration

provision."

Indeed, AT&T's ( T ) agreement here stands in contrast to a recent

move I wrote about by Disney to compel arbitration. In that

case, Disney initially argued that a Florida widower whose wife

died of an allergic reaction after eating at a Disney Springs

restaurant was required to arbitrate the claim because the man

once signed up for a trial of streaming service Disney+. (Disney

subsequently withdrew its bid to arbitrate the case.)

Rodriguez also rejected arguments that AT&T's ( T ) contract was

unfair, or that the plaintiff had no choice but to agree to it,

noting that he could have switched to a different cell phone

provider.

In a status report filed on Wednesday, the parties said the

plaintiff had filed an individual demand for arbitration with

the American Arbitration Association, and that an arbitrator had

not yet been appointed to hear the case.

The question to me now is whether similar arbitration

arguments will carry the day in nixing other pending class

actions against AT&T ( T ).

On March 30, my Reuters colleagues reported, AT&T ( T ) said it

was investigating a data leak on the dark web. The company's

preliminary analysis showed the leak impacted about 7.6 million

current customers and 65.4 million former account holders.

According to multiple class actions now consolidated in

Dallas federal court, the hacked information includes names,

addresses, dates of birth and Social Security numbers.

The multidistrict litigation is still in its early

procedural stages, and AT&T ( T ) has yet to offer substantive

defenses.

Lead plaintiff's counsel Mark Lanier told me via email that

"AT&T ( T ) might assert arbitration on some of the cases, but we

don't have any indication yet that they will."

If so, he said, the "arbitrations might be in groups,"

though it's also possible they could be all individual. "It will

be up to the filing lawyers," Lanier said.

As my colleague Alison Frankel has written, mass

arbitrations in which thousands of plaintiffs file nearly

identical demands for arbitration can be punishingly expensive

for defendants paying the arbitration fees and provide

plaintiffs with settlement leverage.

The March breach is not AT&T's ( T ) only litigation headache. In

July, the company said it suffered another hacking incident,

with data from about 109 million customer accounts containing

records of calls and texts from 2022 illegally downloaded,

Reuters reported.

At least one complaint is on behalf of non-AT&T ( T ) customers

-- who presumably do not have arbitration agreements with AT&T ( T ).

They allege their data was compromised because their wireless

providers utilized AT&T's ( T ) networks when the hackers accessed the

call and text records.

The FCC spokesperson confirmed to me that the agency is also

investigating the July breach.

All of which suggests to me that even the most iron-clad

arbitration agreements can't solve every legal woe for

companies.