NEVILLE MCFARLANE, individually and on behalf of all others similarly situated v. Altice USA, Inc.

CourtDistrict Court, S.D. New York
DecidedMarch 8, 2021
Docket1:20-cv-01297
StatusUnknown

This text of NEVILLE MCFARLANE, individually and on behalf of all others similarly situated v. Altice USA, Inc. (NEVILLE MCFARLANE, individually and on behalf of all others similarly situated v. Altice USA, Inc.) is published on Counsel Stack Legal Research, covering District Court, S.D. New York primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
NEVILLE MCFARLANE, individually and on behalf of all others similarly situated v. Altice USA, Inc., (S.D.N.Y. 2021).

Opinion

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK ---------------------------------------------------------------------- X : NEVILLE MCFARLANE et al., individually and on : behalf of all others similarly situated, : : Plaintiffs, : 20-CV-1297 (JMF) : -v- : OPINION AND ORDER : ALTICE USA, INC., : : Defendant. : : ---------------------------------------------------------------------- X JESSE M. FURMAN, United States District Judge: This putative class action arises from a November 2019 data breach at Altice USA, Inc. (“Altice”), one of the largest television and communications providers in the United States. The nine named Plaintiffs are current or former employees of Altice whose personal identifying information, including Social Security numbers, was stolen in the breach. They bring various claims — for negligence, negligence per se, breach of implied contract, violation of the New York Labor Law, and violation of the Cable Communications Act of 1984 — against Altice for allegedly failing to take adequate measures to protect their data. Now pending are three motions filed by Altice. First, Altice moves, pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, to dismiss for lack of subject-matter jurisdiction, on the ground that Plaintiffs fail to allege injury sufficient to give them Article III standing. Second, Altice moves, pursuant to the Federal Arbitration Act (“FAA”), 9 U.S.C. § 1 et seq., to compel seven of the nine named Plaintiffs to arbitrate their claims based on a clause in the General Terms and Conditions to which they allegedly agreed as subscribers of Altice’s cable services. And third, Altice moves, pursuant to Rule 12(b)(6), to dismiss Plaintiffs’ claims under the New York Labor Law (and related claims for negligence per se) as well as their claims for breach of an implied contract. Altice’s motions to dismiss are relatively easily resolved. For the reasons discussed below, the Court concludes that Plaintiffs — three of whom have already experienced identity theft since the data breach — plainly allege the kind of injury sufficient to give them Article III

standing; that their New York Labor Law claims (and related negligence per se claims) fail as a matter of law; and that they state plausible claims for breach of an implied contract. Altice’s motion to compel arbitration requires more extensive discussion as it is based on a relatively new species of arbitration clause that one scholar has dubbed an “infinite arbitration clause” for its striking breadth: It effectively requires arbitration of any dispute between a subscriber and Altice, as well Altice’s parents, subsidiaries, affiliates, successors, employees, agents, and the like, whether arising now or in the future, and without regard for whether it arises from or relates to the cable services agreement of which it is part. For the reasons discussed below, the Court concludes that, as a matter of either contract formation or unconscionability, the arbitration

clause at issue does not require arbitration of claims that lack a nexus to the cable services agreement. Because the record is unclear with respect to whether or to what extent Plaintiffs’ claims arise from or relate to their status as cable service subscribers, the Court ultimately defers decision on the motion to compel arbitration pending supplemental submissions from the parties. BACKGROUND The Court is technically permitted to consider materials beyond the four corners of the Amended Complaint in deciding Altice’s motions to dismiss for lack of subject-matter jurisdiction and to compel arbitration. See, e.g., Nicosia v. Amazon.com, Inc., 834 F.3d 220, 229 (2d Cir. 2016) (arbitration); Cortlandt St. Recovery Corp. v. Hellas Telecomms., S.À.R.L., 790 F.3d 411, 417 (2d Cir. 2015) (jurisdiction). Nevertheless, the following facts are drawn from the Amended Complaint and documents that it incorporates by reference. See DiFolco v. MSNBC Cable L.L.C., 622 F.3d 104, 110-11 (2d Cir. 2010). Altice is one of the largest cable television and communications providers in the United States. See ECF No. 42 (“Am. Compl.”), ¶ 1. In November 2019, cyber criminals targeted

Altice with a phishing attack, and an “undisclosed number” of the company’s employees inadvertently divulged the log-in credentials for their corporate email accounts. See id. ¶¶ 5, 99. The cyber criminals then “used the stolen credentials to remotely access and, in some instances, download the employees’ mailbox contents.” Id. ¶ 96; see ECF Nos. 42-1 (“Breach Notice”), 42-2, 42-3.1 A forensic investigation revealed that one of the downloaded email inboxes contained a password-protected, but unencrypted, document with the names, employment information, dates of birth, social security numbers, and, in some instances, driver’s license numbers of 52,846 current and former Altice employees. See Am. Compl. ¶¶ 6-7, 101-02, 154, 161. In February 2020, Altice sent notices to those whose data was affected stating that, “[a]s a

former [or current] employee, your personal information was included in this report.” See id. ¶¶ 96-97; Breach Notice. “[I]n an abundance of caution,” the notices offered recipients free identity and credit monitoring services for one year and recommended resources for monitoring and fraud protection. Breach Notice (emphasis omitted). The named Plaintiffs in this putative class action are nine former employees of Altice or its subsidiaries or predecessor companies who received the Breach Notice. See Am. Compl. ¶¶ 14, 17, 22, 24, 30, 32, 38, 40, 46, 48, 54, 56, 62, 64, 70, 72, 81, 83. All but one — namely, DeAnna Cottrell — are also current or former cable subscribers through Altice or one of its

1 ECF Nos. 42-1, 42-2, and 42-3 are substantively identical in all material respects. subsidiaries. See id. ¶¶ 15, 31, 39, 47, 55, 63, 71, 82. Plaintiffs were required to provide the personal identifying data that was compromised in the breach as “a condition of their employment.” Id. ¶ 104. All Plaintiffs have already spent time responding to the breach, such as by regularly monitoring their accounts and credit reports, changing passwords, and implementing credit freezes. See id. ¶¶ 18, 26, 34, 43, 50, 59, 66, 75, 85. Because their Social Security

numbers were compromised, Plaintiffs anticipate needing to monitor their identity and credit and needing to pay for identity theft protection and credit monitoring services “for the rest of [their] li[ves].” Id. ¶¶ 18, 26, 34-35, 43, 50-51, 59, 66-67, 76, 86. Additionally, three of the named Plaintiffs — Neville McFarlane, Shariq Mehfooz, and Steven Paniccia — were the victims of identity theft in the months following the breach. All three allege that between December 2019 and March 2020, they discovered that identity thieves had used their personal identifying information to fraudulently open credit cards in their names. See id. ¶¶ 16, 73-74, 84. In March 2020, an identity thief also “attempted to change [McFarlane’s] home address.” Id. ¶ 16. Mehfooz discovered the fraudulent credit card

application when he was applying to refinance his home mortgage. See id. ¶ 73. The fraudulent application harmed his credit score and interrupted the refinancing process, which may have prevented him from taking advantage of “historically low interest rates.” Id. ¶¶ 73-74. All three allege that, to their knowledge, they had not been the victim of any data breach other than the breach of Altice. Id. ¶¶ 20, 79, 88. The other six allege that they are “at imminent and substantial risk of identity theft that is continuous and ongoing.” Id. ¶¶ 25, 33, 42, 49, 58, 65.

Free access — add to your briefcase to read the full text and ask questions with AI

Related

Leibowitz v. Cornell University
584 F.3d 487 (Second Circuit, 2009)
Holmes v. Grubman
568 F.3d 329 (Second Circuit, 2009)
Perry v. Thomas
482 U.S. 483 (Supreme Court, 1987)
Lujan v. Defenders of Wildlife
504 U.S. 555 (Supreme Court, 1992)
First Options of Chicago, Inc. v. Kaplan
514 U.S. 938 (Supreme Court, 1995)
Doctor's Associates, Inc. v. Casarotto
517 U.S. 681 (Supreme Court, 1996)
Bell Atlantic Corp. v. Twombly
550 U.S. 544 (Supreme Court, 2007)
Davis v. Federal Election Commission
554 U.S. 724 (Supreme Court, 2008)
Ashcroft v. Iqbal
556 U.S. 662 (Supreme Court, 2009)
DiFolco v. MSNBC Cable L.L.C.
622 F.3d 104 (Second Circuit, 2010)
Krottner v. Starbucks Corp.
628 F.3d 1139 (Ninth Circuit, 2010)
Anderson v. Hannaford Bros. Co.
659 F.3d 151 (First Circuit, 2011)
Reilly Ex Rel. Pluemacher v. Ceridian Corp.
664 F.3d 38 (Third Circuit, 2011)
Sheila Smith v. John Steinkamp
318 F.3d 775 (Seventh Circuit, 2003)
Jean Resnick v. AvMed, Inc.
693 F.3d 1317 (Eleventh Circuit, 2012)
Clapper v. Amnesty International USA
133 S. Ct. 1138 (Supreme Court, 2013)

Cite This Page — Counsel Stack

Bluebook (online)
NEVILLE MCFARLANE, individually and on behalf of all others similarly situated v. Altice USA, Inc., Counsel Stack Legal Research, https://law.counselstack.com/opinion/neville-mcfarlane-individually-and-on-behalf-of-all-others-similarly-nysd-2021.