Dual Liability for Data Breach and Compliance as a Moving Target

By /


Photo Caption: Photo by Jonas Leupe on Unsplash

Another day, another data breach. Earlier this month, I wrote about the 23andMe data breach, the California Attorney General’s action against 23andMe’s successor Chrome Holding Co., and why data privacy is something that businesses of all sizes should be thinking about. You can read that blog here.

Last week, on June 22, Washington’s Attorney General Nicholas W. Brown filed a Motion for Partial Summary Judgment in its lawsuit against T-Mobile. This motion would allow the AG to obtain a decision on part of its claim without going before a jury. This is the latest development in the state of Washington’s 2025 suit against T-Mobile for the data breach. The breach, which took place in 2021, is alleged to have exposed the personal information of 2 million people in Washington and over 79 million nationwide.

The AG argued that T-Mobile’s data breach notification texts violated the Consumer Protection Act because they were misleading and did not notify users as to what information was compromised. Although T-Mobile sent breach notifications to affected customers, the MSJ highlighted the inadequacy of the notice, stating that the messages were misleading because they only stated the information that was not exposed, instead of stating what information was exposed, such as Social Security numbers. Per the AG’s Complaint, the notification texts “failed to indicate that additional information about the nature of the PII exposed in the breach, or other critical information T-Mobile was required to notify customers about by law, was available at the linked website.”

This development is important for a couple of reasons:

  1. The AG suit highlights that there can be dual liability under the Data Breach Notification Statute and Consumer Protection Act.

    As mentioned in the last blog, businesses can be on the hook for penalties under both the Washington Data Breach Notification Statute (RCW 19.255) and the Consumer Protection Act (RCW 19.86). The AG claimed that T-Mobile’s insufficient breach notices under the Data Breach Notification Statute also constituted a per se violation of the Consumer Protection Act, meaning the AG did not need to prove actual harm under the CPA.

    It will be interesting to see how Washington courts handle this hybrid theory of liability, but the takeaway is that businesses may face dual exposure.

  2. Compliance can require going beyond the letter of the Data Breach Notification Statute.

    It’s also important to note that the Consumer Protection Act covers “unfair and deceptive practices” generally, not just the specific definitions and instances of breach described in RCW 19.255. Even if a notification was compliant with the letter of the Data Breach Notification Statute, the Attorney General has the discretion to identify when a company’s practices are unfair and deceptive. Compliance can be a moving target, especially as standards of competence and fairness evolve with technology and current events.

If you have or are part of a business, having protocols that evolve with the law and state of the art can help businesses stay ready and avoid penalties. Start having conversations today about security practices, protocols for data breach notification, and how you’re complying with the law. If you are wondering how to navigate that process, please reach out to our firm’s Technology and Data Privacy Practice for help getting started. Start small, but make sure you start today.



About the Authors

Smitha Gundavajhala

Smitha’s practice primarily involves civil litigation and tech and data privacy

Learn More