Dish Facing 2 More Negligence Class Actions From February Data Breach

In addition to negligence, plaintiff Michael Cardenas, a resident of Tennessee, charged (docket 1:23-cv-01405) Dish with breach of contract and unjust enrichment claims, and plaintiff Laura Jenkins added breach of contract, unjust enrichment, invasion of privacy by intrusion and breach of fiduciary duty to her complaint (docket 1:23-cv-01387).

Jenkins, a resident of Matoaka, West Virginia, and a former Dish employee, noted in her complaint that her and proposed class members’ personally identifiable information (PII) was in the hands of cybercriminals for over two months before they were notified of the data breach. “Time is of the essence when trying to protect against identity theft after a data breach, so early notification is critical,” Jenkins said. The plaintiff “reasonably believes” her stolen PII is currently available for sale on the Dark Web.

That Dish encourages class members to enroll in credit monitoring, fraud consultation and identity theft restoration services is “a tacit admission of imminent risk of identity theft” faced by plaintiff and class members, Jenkins said. The company had “obligations” by contract, industry standards and common law to keep class members’ PII “confidential and to protect it from unauthorized access and disclosure,” she said.

Dish could have prevented the breach by properly encrypting or “otherwise protecting its equipment and computer files containing PII,” she said. Dish has offered a two-year, single-credit bureau subscription for identity theft monitoring and protection through Identity Force, said Jenkins, calling it “inadequate when Dish’s victims are likely to face many years of identity theft.” The credit monitoring offer “squarely places the burden on plaintiffs” rather than on Dish to monitor and report suspicious activities to law enforcement, she said.

Cardenas, a Dish customer, retained the services of cybersecurity experts and outside advisors to help evaluate the breach after he heard about Dish’s network outage that affected its servers and IT systems. Cardenas learned the breach reportedly involved over 296,000 individuals and included Social Security numbers, vaccination records, health insurance information, financial account and driver’s license numbers and payment card information, said the complaint. Class members also suffered losses including out-of-pocket expenses and the value of their time incurred to remedy or mitigate the effects of the data breach, it said.

Cardenas seeks compensatory damages, reimbursement of out-of-pocket costs and injunctive relief including improvements to Dish’s data security systems, future annual audits and adequate credit monitoring and identity restoration services funded by the company.

Jenkins sees an order enjoining Dish from engaging in wrongful conduct described in the complaint; equitable relief requiring Dish to use appropriate data collection and storage methods; restitution and disgorgement of revenue wrongfully retained as a result of the breach; lifetime credit monitoring; and an award of actual, compensatory and statutory damages, plus attorneys’ fees and legal costs. Dish didn't comment.