Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 1 of 53

1 Dennis Stewart (#99152)

2 GUSTAFSON GLUEK PLLC

600 W. Broadway
3 Suite 3300
San Diego, CA 92101
4 Tel: (612) 333-8844
dstewart@gustafsongluek.com
5

6 [Additional Counsel on Signature Page]

8
UNITED STATES DISTRICT COURT
9
NORTHERN DISTRICT OF CALIFORNIA
10
)
11 MICHELLE SALINAS and ) Case No. _________
RAYMEL WASHINGTON, )
12 individually and on behalf of )
) CLASS ACTION COMPLAINT
all others similarly situated, )
13
)
14 Plaintiffs, )
v. ) DEMAND FOR JURY TRIAL
15 )
BLOCK, INC. and CASH )
16 APP INVESTING, LLC, )
)
17 )
Defendants. )
18

19 Individually and on behalf of others similarly situated, Plaintiffs Michelle Salinas

20 (“Salinas” or “Plaintiff Salinas”) and Raymel Washington (“Washington” or “Plaintiff

21
Washington”) bring this action against Defendants Block, Inc. (“Block”) and Cash App
22
Investing, LLC, (“Cash App Investing”) (collectively, the “Defendants”). Plaintiffs’ allegations
23
are based upon personal knowledge as to themselves and their own acts, and upon information
24

25 and belief as to all other matters based on the investigation conducted by and through Plaintiffs’

26 attorneys. Plaintiffs believe that substantial additional evidentiary support for the allegations set

27 forth herein exists and will be revealed after a reasonable opportunity for discovery.

28
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 2 of 53

1 INTRODUCTION

2 1. This is a class action for damages against Defendants for their failure to exercise

3 reasonable care in securing and safeguarding consumer information in connection with a massive

4 December 2021 data breach (the “Data Breach”) that resulted in the unauthorized public release

5 of the personally identifiable information of 8.2 million current and former Cash App Investing

6 customers, including Plaintiffs’ and proposed “Class” (defined below) members’ full names and

7 brokerage account numbers (which are the personal identification numbers associated with Cash

8 App Investing customers’ stock activity on the Cash App Investing platform), the value and

9 holdings of brokerage portfolios, and trading activity (collectively, the “PII” or “Private

10 Information”).1

11 2. According to Block’s disclosure of the Data Breach, a former employee who had

12 access to the Private Information belonging to Cash App Investing users during his tenure

13 downloaded the data without Defendants’ authorization.2

14 3. Cash App Investing is a stock trading platform by Block (formerly Square, Inc.).

15 Accordingly, to the world of cybercriminals, Cash App Investing’s customer list, which was in

16 Defendants’ possession and control at the time of the Data Breach, is highly valuable. By

17 accessing Cash App Investing customers’ PII entrusted to Defendants, hackers can gain access to

18 Cash App Investing users’ portfolios and account funds and use those funds to commit a wide

19 range of fraudulent activities against the user, as was done here against Plaintiffs.

20 4. The security of Defendants’ customers’ Private Information is accordingly of the

21 utmost importance. One instance of a former employee accessing, exfiltrating, and misusing

22 and/or releasing for future misuse Plaintiffs’ and Class members’ Private Information to fellow

23
1
See Defendant Block’s regulatory filing with the United States Securities and Exchange
24
Commission (the “SEC”),
25 https://www.sec.gov/ix?doc=/Archives/edgar/data/0001512673/000119312522095215/d343042d
8k.htm (last accessed May 25, 2022).
26
2
See https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-
27 exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/ (last
accessed May 25, 2022).
28
-1-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 3 of 53

1 cybercriminals can lead to substantial financial losses. As Defendants acknowledge, “Future

2 costs associated with this incident are difficult to predict.”3 These costs will not only impact

3 Defendants’ bottom line but, more importantly, the millions of Cash App Investing users whose

4 Private Information is now in the hands of cybercriminals.

5 5. Because of the Data Breach, Plaintiffs’ and Class members’ Private Information

6 has been compromised and their financial accounts are no longer secure, including their Cash

7 App Investing portfolio.

8 6. Defendants understand the seriousness of the misuse of customers’ PII, and

9 purport to address these issues. For example, Defendants tout that they “take reasonable

10 measures, including administrative, technical, and physical safeguards to protect [users’]

11 information from loss, theft, and misuse, and unauthorized access, disclosures, alteration, and

12 destruction.”4 However, some believe the Data Breach occurred due to “an orphaned account

13 still active on a third-party SaaS application like a cloud storage solution,” or due to “a lack of

14 proper communication between the Human Resources and [] IT department on the status of

15 terminated employees.”5

16 7. While the exact reason(s) for the Data Breach remain unclear, there is no doubt

17 that Defendants failed to adequately protect Plaintiffs’ and Class members’ Private Information

18 and such negligent failures resulted in the injuries alleged herein.

19 8. Defendants led Plaintiffs and Class members to believe that their Private

20 Information was safe and secure, and that protection of that Private Information was a

21 fundamental component of the Cash App Investing platform.

22
3
See
23 https://www.sec.gov/ix?doc=/Archives/edgar/data/0001512673/000119312522095215/d343042d

24 8k.htm (last accessed May 25, 2022).

4
25 Privacy Policy, BLOCK, INC., https://cash.app/legal/us/en-us/privacy#security (last accessed May
25, 2022).
26
5
See https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-
27 exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/ (last
accessed May 25, 2022).
28
-2-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 4 of 53

1 9. Thus, on behalf of the Class of victims impacted by the Data Breach described

2 herein, Plaintiffs seek, under state common law and consumer-protection statutes, to redress

3 Defendants’ misconduct.

4 PARTIES

5 Plaintiff Salinas

6 10. Plaintiff Salinas is a citizen of Texas and resides in Del Rio, Texas. Plaintiff

7 Salinas became a Cash App Investing user in or around August of 2020. To invest through Cash

8 App’s investing feature, Plaintiff Salinas was required to provide her PII to Defendants’ online

9 service, including the types of PII mentioned above which was compromised in the Data Breach.

10 11. Plaintiff Salinas was led to believe that her Private Information was safe and

11 secure, and that protection of her Private Information was a fundamental component of the Cash

12 App Investing platform.

13 12. Following the Data Breach in December 2021 Plaintiff Salinas had multiple

14 unauthorized charges on her Cash App account in December, 2021, and January 2022 totaling

15 over $50. These charges were for Amazon purchases. Plaintiff Salinas has not been reimbursed

16 by Defendants or Cash App for these unauthorized charges. As a result of the Data Breach,

17 Plaintiff Salinas has spent over 100 hours researching the validity of the Data Breach,

18 researching unauthorized charges and attempting to get reimbursement for them, searching

19 through all of her financial accounts for unauthorized charges, resetting billing instructions that

20 are tied to her Cash App account, researching credit monitoring, and dealing with false

21 information that appeared on her Experian credit report following the Data Breach.

22 13. Plaintiff Salinas has suffered damages as described herein and below, including

23 but not limited to, the fraudulent misuse of the funds in her Cash App account, and she remains

24 at a significant risk of additional attacks now that her PII has been compromised and exfiltrated.

25 Plaintiff Washington

26 14. Plaintiff Washington is a citizen of Illinois and resides in Chicago, Illinois.

27 Plaintiff Washington became a Cash App Investing user in or around September of 2019. To

28 invest through Cash App’s investing feature, Plaintiff Washington was required to provide his
-3-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 5 of 53

1 PII to Defendants’ online service, including the types of PII mentioned above and compromised

2 in the Data Breach.

3 15. Plaintiff Washington was led to believe that his Private Information was safe and

4 secure, and that protection of his Private Information was a fundamental component of the Cash

5 App Investing platform.

6 16. On or around February 2022 through May of 2022 there were numerous

7 unauthorized attempts to withdraw money from his account. These unauthorized transactions

8 were declined because Plaintiff Washington did not have enough funds in his Cash App account

9 to cover these fraudulent transactions. However, Defendants did not take any action because

10 Plaintiff Washington had no funds taken from his account. On June 1, 2022, Plaintiff

11 Washington was alerted to numerous unauthorized transactions in his Cash App account which

12 totaled $394.85. Plaintiff Washington was unable to get that money back from Cash App. As a

13 result of the Data Breach, Plaintiff Washington has spent at least 15 hours researching the

14 validity of the Data Breach, researching unauthorized charges and attempting to get

15 reimbursement for them, searching through all of his financial accounts for unauthorized

16 charges, resetting billing instructions that are tied to his Cash App account, making a trip to the

17 bank to get a new debit card that had to be cancelled as a result of the unauthorized charges, and

18 researching credit monitoring.

19 17. Plaintiff Washington has suffered damages as described herein and below,

20 including but not limited to, the fraudulent misuse of the funds in his Cash App account, and he

21 remains at a significant risk of additional attacks now that his PII has been compromised and

22 exfiltrated.

23 Defendant Block, Inc.

24 18. Defendant Block, Inc. is a Delaware corporation based in San Francisco,

25 California.

26 19. Block, Inc. is the parent company of Defendant Cash App Investing, LLC and, by

27 virtue of its relationship with Cash App Investing, had access to and possession of Plaintiffs’ and

28 Class members’ PII, which it failed to secure by failing to implement adequate security measures
-4-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 6 of 53

1 or screening procedures to ensure that its agents, support representatives, and other individuals to

2 whom Defendants provided access to the PII would ensure its secure handling.

3 Defendant Cash App Investing, LLC

4 20. Defendant Cash App Investing is a limited liability brokerage firm and investment

5 advisor firm with its main offices located at 400 SW 6th Avenue, 11th Floor, Portland, OR 97204.

6 21. Cash App Investing was formed in Delaware on February 22, 2019 and operates

7 across the United States.

8 22. Cash App Investing is a subsidiary of Defendant Block, Inc. and, by virtue of its

9 relationship with Block, had access to and possession of Plaintiffs’ and Class members’ PII,

10 which it failed to secure by failing to implement adequate security measures or screening

11 procedures to ensure that its current and/or former employees and other individuals to whom

12 Defendants entrusted the Private Information would ensure its secure handling.

13 JURISDICTION AND VENUE

14 23. Jurisdiction of this Court is founded upon 28 U.S.C. § 1332(d) because the matter

15 in controversy exceeds the value of $5,000,000, exclusive of interests and costs, there are more

16 than 100 class members, and the matter is a class action in which members of the class are

17 citizens of a different state from that of a defendant.

18 24. This Court has personal jurisdiction since Defendant Block is headquartered in

19 California and Defendants solicit customers and transact business in California. Plaintiffs are

20 also informed and believe, and thereon allege, that acts and omissions giving rise to this action

21 occurred in California.

22 25. Venue is also proper in this District under 28 U.S.C. § 1391(b)(1) because

23 Defendant Block resides within this district and acts and omissions giving rise to this action

24 occurred within this District.

25 FACTUAL ALLEGATIONS

26 26. On or around December 10, 2021, Block determined that a former employee

27 downloaded certain reports of its subsidiary, Cash App Investing, which contained U.S. customer

28 Private Information. The Private Information was accessed without Defendants’ permission.
-5-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 7 of 53

1 27. In a recent regulatory filing with the SEC, Block disclosed the following as it

2 relates to the Data Breach:

3 “On April 4, 2022, Block, Inc. [] announced that it recently

4 determined that a former employee downloaded certain reports of
5 its subsidiary Cash App Investing LLC (“Cash App Investing”) on
6 December 10, 2021 that contained some U.S. customer information.
7 While this employee had regular access to these reports as part of
8 their past job responsibilities, in this instance these reports were
9 accessed without permission after their employment ended.
10
The information in the reports included full name and brokerage
11
account number (this is the unique identification number associated
12
with a customer’s stock activity on Cash App Investing), and for
13
some customers also included brokerage portfolio value, brokerage
14
portfolio holdings and/or stock trading activity for one trading day.
15

16 The reports did not include usernames or passwords, Social Security

17 numbers, date of birth, payment card information, addresses, bank
18 account information, or any other personally identifiable
19 information. They also did not include any security code, access
20 code, or password used to access Cash App accounts. Other Cash
21 App products and features (other than stock activity) and customers
22 outside of the United States were not impacted.
23
Upon discovery, the Company and its outside counsel launched an
24
investigation with the help of a leading forensics firm. Cash App
25
Investing is contacting approximately 8.2 million current and
26
former customers to provide them with information about this
27
incident and sharing resources with them to answer their questions.
28
-6-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 8 of 53

1 The Company is also notifying the applicable regulatory authorities

2 and has notified law enforcement.6

4 28. Defendant Block offered no explanation for the four-month delay between the

5 initial discovery of the Breach and the belated notification to affected customers, which

6 resulted in Plaintiffs and Class members suffering harm they otherwise could have avoided had

7 a timely disclosure been made.

8 29. Defendants’ notice of the Data Breach was not just untimely but woefully

9 deficient, failing to provide basic details, including but not limited to, how the unauthorized

10 former employee was able to access its networks, whether the Private Information accessed was

11 encrypted or otherwise protected, or how it learned of the Data Breach. Even worse,

12 Defendants failed to offer any credit or identity theft monitoring services for Plaintiffs and

13 Class members.

14 30. Plaintiffs’ and Class members’ Private Information has been accessed, viewed,

15 exfiltrated, and fraudulently misused to their detriment.

16 31. The Breach occurred because Defendants failed to take reasonable measures to

17 protect the Private Information it collected and stored. Among other things, Defendants failed

18 to implement data security measures designed to prevent this release of information to former

19 employees.

20 32. Defendants disregarded the rights of Plaintiffs and Class members by

21 intentionally, willfully, recklessly, and/or negligently failing to take and implement adequate

22 and reasonable administrative and data security measures to ensure that Plaintiffs’ and Class

23 members’ PII was safeguarded from access by former employees. As a result, the Private

24 Information of Plaintiffs and Class members were compromised through unauthorized access

25

26
6
See
27 https://www.sec.gov/ix?doc=/Archives/edgar/data/0001512673/000119312522095215/d343042d
8k.htm (last accessed July 13, 2022).
28
-7-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 9 of 53

1 resulting in damage to Plaintiffs and Class members. Plaintiffs and Class members have a

2 continuing interest in ensuring that their Private Information is and remains safe.

3 Defendants’ Privacy Promises

4 33. Defendants made, and continue to make, various promises to its customers,

5 including Plaintiffs, that it will maintain the security and privacy of their Private Information.

6 34. In its Privacy Notice, Defendants state the following:7

7
“We take reasonable measures, including administrative,
8 technical, and physical safeguards, to protect your information
from loss, theft, and misuse, and unauthorized access, disclosure,
9 alteration, and destruction.”8
10 35. By failing to do as they promised and protect Plaintiffs’ and Class members’
11 Private Information, and by allowing the Data Breach to occur, Defendants are in violation of

12 their own Privacy Notice.

13
a. Defendant Failed to Maintain Reasonable and Adequate Data Security Measures
14
to Safeguard Customers’ Private Information
15

16 36. As a condition of engaging in financial-related services, Defendants require that

17 customers entrust them with highly confidential Private Information. Defendants thus acquire,

18 collect, and store a massive amount of their customers’ protected Private Information, including

19 financial information and other personally identifiable data By obtaining, collecting, using,

20 and deriving a benefit from Plaintiffs’ and Class members’ Private Information, Defendants

21 assumed legal and equitable duties and knew or should have known that they were responsible

22 for protecting Plaintiffs’ and Class members’ Private Information from unauthorized access.

23 37. Defendants had obligations created by industry standards, common law, and
24 representations made to Plaintiffs and Class members to keep their Private Information

25 confidential and to protect it from unauthorized access and disclosure.

26
7
Privacy Notice, https://cash.app/legal/us/en-us/privacy.
27
8
See https://cash.app/legal/us/en-us/privacy#security.
28
-8-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 10 of 53

1 38. Defendants failed to properly safeguard Plaintiffs’ and Class members’ Private

2 Information, allowing at least one known unauthorized actor to access the Private Information.

3 39. Plaintiffs and Class members provided their Private Information to Defendants

4 with the reasonable expectation and mutual understanding that Defendants and any of their

5 affiliates would comply with their obligation to keep such information confidential and secure

6 from unauthorized access.

7 40. Prior to and during the Data Breach, Defendants promised customers that their

8 Private Information would be kept confidential.

9 41. Defendants’ failure to provide adequate security measures to safeguard

10 customers’ Private Information is especially egregious because Defendants operate in a field

11 which has recently been a frequent target of scammers attempting to fraudulently gain access to

12 customers’ highly confidential Private Information.

13 42. In fact, Defendants have been on notice for years that Plaintiffs’ and Class

14 members’ Private Information was a target for malicious actors. Despite such knowledge,

15 Defendants failed to implement and maintain reasonable and appropriate administrative and

16 data security measures to protect Plaintiffs’ and Class members’ Private Information from

17 unauthorized access that Defendants should have anticipated and guarded against.

18 43. A 2021 study conducted by Verizon showed that internal mismanagement of

19 data security represents nearly 44 percent of the data breaches in the financial sector.9

20 44. Private Information -related data breaches continued to rapidly increase into

21 2021 when Defendants’ data were breached.10

22

23

24

25 9
Financial and Insurance Data Breaches, VERIZON 2021 DIBR DATA BREACH SURVEY (2021),
26 https://www.verizon.com/business/resources/reports/dbir/2021/data-breach-statistics-by-
industry/financial-services-data-breaches/.
27
10
2019 HIMSS Cybersecurity Survey, https://www.himss.org/2019-himsscybersecurity-survey.
28
-9-
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 11 of 53

1 45. Almost half of data breaches globally are caused by internal errors relating to

2 either human mismanagement of sensitive information or system errors.11 Cybersecurity firm

3 Proofpoint reports that since 2020, there has been an increase of internal threats through the

4 misuse of security credentials or the negligent release of sensitive information.12 To mitigate

5 these threats, Proofpoint recommends that firms take the time to train their employees about the

6 risks of such errors.13

7 46. As explained by the Federal Bureau of Investigation, “[p]revention is the most

8 effective defense against ransomware and it is critical to take precaution for protection.”14

9 47. To prevent and detect unauthorized access, including the access by the former

10 employee(s) that resulted in the Data Breach, Defendants could and should have implemented,

11 as recommended by the Microsoft Threat Protection Intelligence Team, the following

12 measures:

13  Secure internet-facing assets

14  Apply the latest security updates

 Use threat and vulnerability management
15

16  Perform regular audit; remove privilege

credentials;
17
 Include IT Pros in security discussions
18

19  Ensure collaboration among [security

operations], [security admins], and [information
20 technology] admins to configure servers and
other endpoints securely;
21
 Build credential hygiene
22

23 11
COST OF A DATA BREACH REPORT, supra note 8, at 30.
24 12
The Human Factor 2021, PROOFPOINT (July 27, 2021),
25 https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf.
13
26 Id.

27 14
See How to Protect Your Networks from RANSOMWARE, FBI (2016) https ://www. fbi.gov/file-
repository/ransomware-prevention-and-response-for-cisos.pdf/view.
28
- 10 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 12 of 53

1
 use [multifactor authentication] or [network level
2 authentication] and use strong, randomized, just-
in-time local admin passwords;
3
 Apply principle of least-privilege
4
 Monitor for adversarial activities
5
 Hunt for brute force attempts
6
 Monitor for cleanup of Event Logs
7
 Analyze logon events
8
 Harden infrastructure
9  Use Windows Defender Firewall
10  Enable tamper protection
11
 Enable cloud-delivered protection
12
 Turn on attack surface reduction rules and
13 [Antimalware Scan Interface] for Office [Visual
Basic for Applications].15
14

15
48. These are basic, common-sense security measures that every business, not only
16
those who handle sensitive financial information, should be taking. Defendants, with the highly
17
sensitive personal and financial information in their possession and control, should be doing
18
even more. By adequately taking these common-sense solutions, Defendants could have
19
prevented this Data Breach from occurring.
20
49. Charged with handling sensitive Private Information, including financial
21
information, Defendants knew, or should have known, the importance of safeguarding the
22
Private Information that was entrusted to them and of the foreseeable consequences of a lapse
23

24
15
25 See Human-operated ransomware attacks: A preventable disaster, MICROSOFT (Mar. 5, 2020),

26 https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-
apreventable-
27
disaster/.
28
- 11 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 13 of 53

1 in its data security. This includes the significant costs that would be imposed on Defendants’

2 customers because of a breach. Defendants failed, however, to take adequate administrative

3 cybersecurity measures to prevent the Data Breach from occurring.

4 50. The Private Information was maintained in a condition vulnerable to misuse.

5 The mechanism of the unauthorized access and the potential for improper disclosure of

6 Plaintiffs’ and Class members’ Private Information was a known risk to Defendants, and thus

7 Defendants were on notice that failing to take reasonable steps necessary to secure the Private

8 Information from those risks left the Private Information in a vulnerable position.

9 The Monetary Value of Privacy Protections and Private Information

10 51. The fact that Plaintiffs’ and Class members’ Private Information was disclosed

11 to bad actors that should not have had access to it—and has already been fraudulently

12 misused—demonstrates the monetary value of the Private Information.

13 52. At all relevant times, Defendants understood Private Information it collects from

14 its customers is highly sensitive and of significant property value to those who would use it for

15 wrongful purposes.

16 53. Highly sensitive confidential information such as the Private Information

17 accessed and misused here is a valuable and important commodity to identity thieves. As the

18 FTC recognizes, identity thieves can use this information to commit an array of crimes,

19 including identify theft and financial fraud.16 Indeed, a robust “cyber black market” exists in

20 which criminals openly post stolen Private Information including sensitive financial

21 information on multiple underground Internet websites, commonly referred to as the dark web.

22 54. The Federal Trade Commission (the “FTC”) has also recognized that consumer

23 data is a new (and valuable) form of currency. In an FTC roundtable presentation, another

24 former Commissioner, Pamela Jones Harbour, underscored this point:

25

26

27 16
Federal Trade Commission, Warning Signs of Identity Theft (Sept. 2018),
https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft .
28
- 12 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 14 of 53

Most consumers cannot begin to comprehend the types and amount

1 of information collected by businesses, or why their information
2 may be commercially valuable. Data is currency. The larger the data
set, the greater potential for analysis—and profit.17
3

4 55. Recognizing the high value that consumers place on their Private Information,
18
5 many companies now offer consumers an opportunity to sell this information. The idea is to

6 give consumers more power and control over the type of information that they share and who

7 ultimately receives that information. And, by making the transaction transparent, consumers

8 will make a profit from their Private Information. This business has created a new market for

9 the sale and purchase of this valuable data.

10 56. Consumers place a high value not only on their Private Information, but also on

11 the privacy of that data. Researchers have begun to shed light on how much consumers value

12 their data privacy, and the amount is considerable. Indeed, studies confirm that the average
19
13 direct financial loss for victims of identity theft in 2021 was, on average, $1,100.

14 57. The value of Plaintiffs’ and Class members’ Private Information on the black
20
15 market is substantial. Sensitive financial information can sell for as much as $1,000. This

16 information is particularly valuable because criminals can use it to target victims with frauds

17 and scams that take advantage of the victim’s information, as is the case here.

18 58. The compromised Private Information in the Data Breach is of great value to

19 thieves and can be used in a variety of ways. Information about, or related to, an individual for

20
17
21 Statement of FTC Commissioner Pamela Jones Harbour—Remarks Before FTC Exploring
Privacy Roundtable, FED. TRADE COMM’N (Dec. 7, 2009),
22 https://www.ftc.gov/sites/default/files/documents/public_
statements/remarks-ftc-exploring-privacy-roundtable/091207privacyroundtable.pdf.
23

24 18 Web’s Hot New Commodity, supra note 17.

25 19 See Megan Leonhardt, Consumers lost $56 billion to identity fraud last year – here’s what to
look for (March 23, 2021), https://www.cnbc.com/2021/03/23/consumers-lost-56-billion-dollars-
26 to-identity-fraud-last-year.html (last accessed July 5, 2022)

27 20
See Zachary Ignoffo, Dark Web Price Index 2021, PRIVACY AFFAIRS (Nov. 21, 2021),
https://www.privacyaffairs.com/dark-web-price-index-2021/
28
- 13 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 15 of 53

1 which there is a possibility of logical association with other information is of great value to

2 unauthorized actors that wish to use individuals’ information for several nefarious purposes.

3 Indeed, “there is significant evidence demonstrating that technological advances and the ability

4 to combine disparate pieces of data can lead to identification of a consumer, computer or device

5 even if the individual pieces of data do not constitute PII.”21 For example, different Private

6 Information elements from various sources may be linked in order to identify an individual, or

7 access additional information about or relating to the individual.22 Based upon information and

8 belief, the unauthorized parties utilized the Private Information they obtained through the Data

9 Breach to obtain additional information from Plaintiffs and Class members that was misused to

10 perpetrate fraudulent purchases, applications for credit, and other identity theft in Plaintiffs’

11 and Class members’ names.

12 59. In addition, as technology advances, computer programs may scan the Internet

13 with wider scope to create a mosaic of information that may be used to link information to an

14 individual in ways that were not previously possible. This is known as the “mosaic effect.”

15 60. Names and dates of birth, combined with contact information like telephone

16 numbers and email addresses, are very valuable to identity thieves as this information allows

17 them to access users’ other accounts. Thus, even if payment card information was not involved

18 in the Data Breach, the unauthorized parties could use Plaintiffs’ and Class members’ Private

19 Information to access accounts, including, but not limited to email accounts and other financial

20 information, to engage in the fraudulent activity identified by Plaintiffs.

21

22

23

24 21
Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for
25 Businesses and Policymakers, Preliminary FTC Staff Report, FED. TRADE COMM’N 35-38 (Dec.
2010), https://www.ftc.gov/reports/preliminary-ftc-staff-report-protecting-consumer-privacy-era-
26 rapid-change-proposed-framework.

27 22
See id. (evaluating privacy framework for entities collecting or using consumer data with can be
“reasonably linked to a specific consumer, computer, or other device”).
28
- 14 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 16 of 53

1 61. Approximately 21% of victims do not realize their identify has been

2 compromised until more than two years after it has happened.23 This gives thieves ample time

3 to make fraudulent charges under the victim’s name.

4 62. Given these facts, any company that transacts business with customers and then

5 causes and/or negligently permits the compromise of the privacy of customers’ Private

6 Information has thus deprived them of the full monetary value of their transaction with the

7 company.

8 63. Plaintiffs and Class members have a property interest in their Private

9 Information and were deprived of this interest when their Private Information was released to

10 an unauthorized former employee because of Defendants’ negligent administrative and data

11 security practices.

12
b. Defendants Failed to Comply with FTC Guidelines
64. Defendants were prohibited by the Federal Trade Commission Act (“FTC Act”)
13
(15 U.S.C. §45) from engaging in “unfair or deceptive acts or practices in or affecting
14
commerce.” The Federal Trade Commission (“FTC”) has concluded that a company’s failure to
15
maintain reasonable and appropriate data security for consumers’ sensitive personal
16
information is an “unfair practice” in violation of the FTC Act. See, e.g., FTC v. Wyndham
17
Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
18
65. The FTC has promulgated numerous guides for businesses that highlight the
19
importance of implementing reasonable data security practices. According to the FTC, the need
20
for data security should be factored into all business decision-making.24
21

22

23

24
23
25 See Medical ID Theft Checklist, IDENTITYFORCE https://www.identityforce.com/blog/medical-
id-theft-checklist-2.
26
24
Start With Security: A Guide for Business, FED. TRADE. COMM’N (June 2015),
27 https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
[hereinafter Start with Security].
28
- 15 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 17 of 53

1 66. In 2016, the FTC updated its publication, Protecting Personal Information: A

2 Guide for Business, which established cybersecurity guidelines for businesses.25 The guidelines

3 note that businesses should protect the personal customer information that they keep; properly

4 dispose of personal information that is no longer needed; encrypt information stored on

5 computer networks; understand their network’s vulnerabilities; and implement policies to

6 correct any security problems.

7 67. The FTC further recommends that companies not maintain Private Information

8 longer than is needed for authorization of a transaction; limit access to private data; require

9 complex passwords to be used on networks; use industry-tested methods for security; monitor

10 for suspicious activity on the network; and verify that third-party service providers have

11 implemented reasonable security measures.26

12 68. The FTC has brought enforcement actions against businesses for failing to

13 adequately and reasonably protect customer data, treating the failure to employ reasonable and

14 appropriate measures to protect against unauthorized access to confidential consumer data as an

15 unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”),

16 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses

17 must take to meet their data security obligations.

18 69. Defendants were, at all times, fully aware of their obligation to protect the

19 Private Information of plan participants because of their position as a trusted financial and

20 investment account administrator. Defendants were also aware of the significant repercussions

21 that would result from their failure to do so.

22

23

24 25
Protecting Personal Information: A Guide for Business, FED. TRADE. COMM’M (Oct. 2016),
25 https://www.ftc.gov/system/files/documents/plain-language/pdf- 0136_proteting-personal-
information.pdf.
26
26
Start With Security: A Guide for Business, FED. TRADE. COMM’N (June 2015),
27 https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
[hereinafter Start with Security].
28
- 16 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 18 of 53

1 c. Damages to Plaintiffs and the Class

2 70. Plaintiffs and the Class have been damaged by the compromise of their Private

3 Information in the Data Breach.

4 71. The ramifications of Defendants’ failure to keep its account holders’ Private

5 Information secure are long lasting and severe. Once Private Information is stolen, fraudulent

6 use of that information and damage to the victims may continue for years. Consumer victims

7 of data breaches such as this are more likely to become victims of identity fraud.27

8 72. In addition to their obligations under state laws and regulations, Defendants

9 owed a common law duty to Plaintiffs and Class members to protect Private Information

10 entrusted to them, including to exercise reasonable care in obtaining, retaining, securing,

11 safeguarding, deleting, and protecting the Private Information in its possession from being

12 compromised, lost, stolen, accessed, and misused by unauthorized parties.

13 73. Defendants further owed and breached their duty to Plaintiffs and Class

14 members to implement administrative processes and specifications as such relate to former

15 employee access to customer Private Information that would have prevented the Data Breach

16 from occurring.

17 74. As a direct result of Defendants’ willful, reckless, and/or negligent conduct

18 which resulted in the Data Breach, at least one known unauthorized party was able to access,

19 acquire, view, publicize, and/or otherwise cause the identity theft and misuse of Plaintiffs’ and

20 Class members’ Private Information, as detailed above, and Plaintiffs and Class members

21 remain at a heightened and increased risk of future identity theft and fraud.

22 75. The risks associated with identity theft are serious. Some identity theft victims

23 spend hundreds of dollars and many days repairing damage to their good name and credit

24 record. Some consumers victimized by identity theft may lose out on job opportunities, or

25

26

27 27
2014 LexisNexis True Cost of Fraud Study, LEXISNEXIS (Aug. 2014),
https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf.
28
- 17 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 19 of 53

1 denied loans for education, housing or cars because of negative information on their credit

2 reports.

3 76. Some of these risks associated with the loss of personal information have

4 already materialized in the lives of Plaintiffs and Class members.

5 77. Plaintiffs and the Class have suffered or face a substantial risk of suffering out-

6 of-pocket losses such as fraudulent charges on online accounts, credit card fraud, and similar

7 identity theft.

8 78. Plaintiffs and Class members have, may have, and/or will incur out of pocket

9 costs for protective measures such as credit monitoring fees, credit report fees, credit freeze

10 fees, and similar costs directly or indirectly related to the Data Breach.

11 79. Plaintiffs and Class members did not receive the full benefit of the bargain made

12 with Defendants and, instead, received services that were of a diminished value to that

13 described in their agreements with Defendants. They were damaged in an amount at least equal

14 to the difference in the value of the services with data security protection that they paid for and

15 the services they actually received.

16 80. Plaintiffs and Class members would not have obtained services from Defendants

17 had Defendants told them that it failed to properly train its employees, lacked administrative

18 safety controls over the Private Information, and did not have proper data security practices to

19 safeguard their Private Information from disclosure to unauthorized actors.

20 81. As a result of the Data Breach, Plaintiffs’ and Class members’ Private

21 Information has also diminished in value.

22 82. The Private Information belonging to Plaintiffs and Class members is private in

23 nature and was left inadequately protected by Defendants who did not obtain Plaintiffs’ or

24 Class members’ consent to disclose such Private Information to any other person (especially

25 not to a former employee), as required by Defendants’ Privacy Notice, applicable law, and

26 industry standards.

27 83. The Data Breach was a direct and proximate result of Defendants’ failure to (a)

28 properly safeguard and protect Plaintiffs’ and Class members’ Private Information from
- 18 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 20 of 53

1 unauthorized access, use, and disclosure, as required by their own Privacy Notice, various state

2 and federal regulations, industry practices, and common law; (b) establish and implement

3 appropriate administrative, technical, and physical safeguards to ensure the security and

4 confidentiality of Plaintiffs’ and Class members’ Private Information; and (c) protect against

5 reasonably foreseeable threats to the security or integrity of such Private Information.

6 84. Defendants had the resources necessary to prevent the Data Breach, but

7 neglected to adequately implement data security measures, despite their obligation to protect

8 customer data.

9 85. Had Defendants remedied the deficiencies in their data security practices,

10 procedures, and protocols and adopted adequate data security measures recommended by

11 experts in the field, they would have prevented the intrusions into their systems by their former

12 employee(s) and, ultimately, the theft of Plaintiffs’ and Class members’ Private Information.

13 86. As a direct and proximate result of Defendants’ wrongful actions and inactions,

14 Plaintiffs and Class members have been placed at an imminent, immediate, and continuing

15 increased risk of harm from identity theft and fraud, requiring them to take the time which they

16 otherwise would have dedicated to other life demands such as work and family to mitigate the

17 actual and potential impact of the Data Breach on their lives.

18 87. The U.S. Department of Justice’s Bureau of Justice Statistics found that “among

19 victims who had personal information used for fraudulent purposes, twenty-nine percent spent

20 a month or more resolving problems” and that “resolving the problems caused by identity theft

21 [could] take more than a year for some victims.”28

22 88. Defendants’ failure to adequately protect Plaintiffs’ and Class members’ Private

23 Information has resulted in Plaintiff and Class members having to undertake these tasks, which

24 consume time and expense while Defendants do nothing to assist those affected by the Data

25

26 28
See U.S. Dep’t of Justice, Victims of Identity Theft, OFFICE OF JUSTICE PROGRAMS: BUREAU OF JUSTICE STATISTICS
1 (Nov. 13, 2017), https://www.bjs.gov/content/pub/pdf/vit14.pdf [hereinafter Victims of Identity Theft].
27

28
- 19 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 21 of 53

1 Breach. Instead, Defendants are putting the burden on Plaintiffs and Class members to discover

2 possible fraudulent activity and identity theft and mitigate such harms.

3 89. The Private Information stolen in the Data Breach can be misused on its own or

4 can be combined with personal information from other sources such as publicly available

5 information, social media, etc. to create a package of information capable of being used to

6 commit further identity theft. Thieves can also use the stolen Private Information to send spear-

7 phishing emails to Class members to trick them into revealing additional sensitive information.

8 Lulled by a false sense of trust and familiarity from a seemingly valid sender, the individual

9 provides sensitive information such as login credentials, account numbers, and the like.

10 90. As a result of Defendants’ failures to prevent the Data Breach, Plaintiffs and

11 Class members have suffered, will suffer, and are at increased risk of suffering:

12
 The compromise, publication, theft and/or unauthorized use of
13 their Private Information;

14 Out-of-pocket costs associated with the prevention, detection,

recovery and remediation from identity theft or fraud;
15

16  Lost opportunity costs and lost wages associated with efforts

expended and the loss of productivity from addressing and
17 attempting to mitigate the actual and future consequences of the
Data Breach, including but not limited to efforts spent
18 researching how to prevent, detect, contest and recover from
identity theft and fraud;
19

20  The continued risk to their Private Information, which remains

in the possession of Defendants and is subject to further breaches
21 so long as Defendants fail to undertake appropriate measures to
protect the Private Information in its possession;
22
Current and future costs in terms of time, effort and money that
23
will be expended to prevent, detect, contest, remediate and repair
24 the impact of the Data Breach for the remainder of the lives of
Plaintiff and Class members; and
25
 Anxiety and distress resulting fear of misuse of their Private
26 Information.
27

28
- 20 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 22 of 53

1 91. In addition to a remedy for the economic harm, Plaintiffs and Class members

2 maintain an undeniable interest in ensuring that their Private Information remains secure and is

3 not subject to further misappropriation and theft.

4 CLASS ACTION ALLEGATIONS

5 92. Plaintiffs incorporate by reference all other paragraphs of this Complaint as if

6 fully set forth herein.

7 93. Plaintiffs bring this action individually and on behalf of all other persons

8 similarly situated (the “Class”) pursuant to Federal Rule of Civil Procedure 23(b)(1), (b)(2),

9 (b)(3) and/or (c)(4).

10 94. Plaintiffs propose the following Class definition subject to amendment based on

11 information obtained through discovery. Notwithstanding, at this time, Plaintiffs bring this

12 action and seek certification of the following Nationwide Class, California Subclass, Illinois

13 Subclass and Texas Subclass (collectively defined herein as the “Class”):

14 Nationwide Class

15 All persons nationwide whose Private Information was

16 compromised because of the Data Breach.

17 California Subclass

18 All persons residing in California whose Private Information was

19 compromised because of the Data Breach.

20 Illinois Subclass

21 All persons residing in Illinois whose Private Information was

22 compromised because of the Data Breach.

23 Texas Subclass

24 All persons residing in Texas whose Private Information was

25 compromised because of the Data Breach.

26 Excluded from the Class are Defendants and Defendants’ affiliates, parents, subsidiaries,

27 employees, officers, agents, and directors. Also excluded is any judicial officer presiding over

28 this matter and the members of their immediate families and judicial staff.
- 21 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 23 of 53

1 95. Certification of Plaintiffs’ claims for class-wide treatment is appropriate because

2 Plaintiffs can prove the elements of their claims on a class-wide basis using the same evidence

3 as would be used to prove those elements in individual actions alleging the same claims.

4 96. Numerosity—Federal Rule of Civil Procedure 23(a)(1). The members of the

5 Class are so numerous that joinder of all Class members would be impracticable. According to

6 Defendants, millions of individuals were affected by the Data Breach.

7 97. Commonality and Predominance—Federal Rule of Civil Procedure 23(a)(2)

8 and 23(b)(3). Common questions of law and fact exist as to all members of the Class and

9 predominate over questions affecting only individual members of the Class. Such common

10 questions of law or fact include, inter alia:

11 1. Whether Defendants’ data security measures prior to and during

12 the Data Breach complied with applicable data security laws and

13 regulations;

14 2. Whether Defendants’ data security measures prior to and during

15 the Data Breach were consistent with industry standards;

16 3. Whether Defendants properly implemented their purported data

17 security measures to protect Plaintiffs’ and the Class’s Private

18 Information from unauthorized capture, dissemination, and

19 misuse;

20 4. Whether Defendants took reasonable measures to determine the

21 extent of the Data Breach after it first learned of same;

22 5. Whether Defendants disclosed Plaintiffs’ and the Class’s Private

23 Information in violation of the understanding that the Private

24 Information was being disclosed in confidence and should be

25 maintained;

26 6. Whether Defendants willfully, recklessly, or negligently failed

27 to maintain and execute reasonable procedures designed to

28
- 22 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 24 of 53

1 prevent unauthorized access to Plaintiffs’ and the Class’s Private

2 Information;

3 7. Whether Defendants were negligent in failing to properly secure

4 and protect Plaintiffs’ and the Class’s Private Information;

5 8. Whether Defendants were unjustly enriched by their actions; and

6 9. Whether Plaintiffs and the other members of the Class are

7 entitled to damages, injunctive relief, or other equitable relief,

8 and the measure of such damages and relief.

9 98. Defendants engaged in a common course of conduct giving rise to the legal

10 rights sought to be enforced by Plaintiffs, on behalf of himself and other members of the Class.

11 Similar or identical common law violations, business practices, and injuries are involved.

12 Individual questions, if any, pale by comparison, in both importance and number, to the

13 numerous common questions that predominate in this action.

14 99. Typicality—Federal Rule of Civil Procedure 23(a)(3). Plaintiffs’ claims are

15 typical of the claims of the other members of the Class because, among other things, all Class

16 members were similarly injured through Defendants’ uniform misconduct described above and

17 were thus all subject to the Data Breach alleged herein. Further, there are no defenses available

18 to Defendant that are unique to Plaintiffs.

19 100. Adequacy of Representation—Federal Rule of Civil Procedure 23(a)(4).

20 Plaintiffs are adequate representatives of the Nationwide Class because their interests do not

21 conflict with the interests of the Class they seek to represent, they have retained counsel

22 competent and experienced in complex class action litigation, and they will prosecute this

23 action vigorously. The Class’s interests will be fairly and adequately protected by Plaintiffs and

24 their counsel.

25 101. Injunctive Relief—Federal Rule of Civil Procedure 23(b)(2). Defendants

26 have acted and/or refused to act on grounds that apply generally to the Class, making injunctive

27 and/or declaratory relief appropriate with respect to the Class under Fed. Civ. P. 23 (b)(2).

28
- 23 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 25 of 53

1 102. Superiority—Federal Rule of Civil Procedure 23(b)(3). A class action is

2 superior to any other available means for the fair and efficient adjudication of this controversy,

3 and no unusual difficulties are likely to be encountered in the management of this class action.

4 The damages or other financial detriment suffered by Plaintiffs and the other members of the

5 Class are relatively small compared to the burden and expense that would be required to

6 individually litigate their claims against Defendants, so it would be impracticable for members

7 of the Class to individually seek redress for Defendants’ wrongful conduct. Even if members of

8 the Class could afford individual litigation, the court system could not. Individualized litigation

9 creates a potential for inconsistent or contradictory judgments and increases the delay and

10 expense to all parties and the court system. By contrast, the class action device presents far

11 fewer management difficulties and provides the benefits of a single adjudication, economy of

12 scale, and comprehensive supervision by a single court.

13 103. Alternatively, to the extent the Court determines that Rule 23(b)(2) or Rule

14 23(b)(3) certification is not appropriate, the Court may certify a Rule 23(c)(4) issues class for

15 determination of common material fact issues in the case, and/or liability.

16
COUNT I
17 NEGLIGENCE
18 (On Behalf of Plaintiffs and the Nationwide Class or, Alternatively, the California, Illinois
19 and Texas Subclasses)
20 104. Plaintiffs fully incorporates by reference all of the above paragraphs, as though
21 fully set forth herein.

22 105. Upon Defendants’ accepting and storing the Private Information of Plaintiffs
23 and the Class in their computer systems and on their networks, Defendants undertook and owed

24 a duty to Plaintiffs and the Class to exercise reasonable care to secure and safeguard that

25 information and to use commercially reasonable methods to do so. Defendants knew that the

26 Private Information was private and confidential and should be protected as such.

27

28
- 24 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 26 of 53

1 106. Defendants owed a duty of care not to subject Plaintiffs’ and the Class’s Private

2 Information to an unreasonable risk of exposure and theft because Plaintiffs and the Class were

3 foreseeable and probable victims of any inadequate security practices.

4 107. Defendants owed numerous duties to Plaintiffs and the Class, including the

5 following:

6 a. to exercise reasonable care in obtaining, retaining, securing,

7 safeguarding, deleting and protecting Private Information in

8 their possession;

9 b. to protect Private Information using reasonable and adequate

10 administrative and data security procedures and systems that are

11 compliant with industry-standard practices; and

12 c. to implement processes to quickly detect a data breach and to

13 timely act on warnings about data breaches.

14 108. Defendants also breached their duty to Plaintiffs and Class members to

15 adequately protect and safeguard Private Information by disregarding standard information

16 security principles, despite obvious risks, and by allowing unmonitored and unrestricted access

17 to unsecured Private Information. Furthering their dilatory practices, Defendants failed to

18 provide adequate supervision and oversight of the Private Information with which they were

19 and are entrusted, in spite of the known risk and foreseeable likelihood of breach and misuse,

20 which permitted a malicious third party to gather Plaintiffs’ and Class members’ Private

21 Information and potentially misuse the Private Information and intentionally disclose it to

22 others without consent.

23 109. Defendants knew, or should have known, of the risks inherent in collecting and

24 storing Private Information and the importance of adequate data security. Defendants knew or

25 should have known about numerous well-publicized data breaches.

26 110. Defendants knew, or should have known, that their data systems and networks

27 did not adequately safeguard Plaintiffs’ and Class members’ Private Information.

28
- 25 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 27 of 53

1 111. Defendants breached their duties to Plaintiff and Class members by failing to

2 provide fair, reasonable, or adequate data security practices to safeguard Plaintiffs’ and Class

3 members’ Private Information.

4 112. Because Defendants knew that a breach of their systems would damage millions

5 of their customers, including Plaintiffs and Class members, Defendants had a duty to

6 adequately protect the Private Information.

7 113. Defendants’ duty of care to use reasonable security measures arose because of

8 the special relationship that existed between Defendants and their customers, which is

9 recognized by laws and regulations including but not limited to common law. Defendants were

10 in a position to ensure that their administrative and data security systems, practices, and

11 protocols were sufficient to protect against the foreseeable risk of harm to Class members from

12 a data breach.

13 114. In addition, Defendants had a duty to employ reasonable security measures

14 under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair

15 . . . practices in or affecting commerce,” including, as interpreted and enforced by the FTC, the

16 unfair practice of failing to use reasonable measures to protect confidential data.

17 115. Defendants are also bound by industry standards to protect confidential Private

18 Information.

19 116. Defendants’ conduct created a foreseeable risk of harm to Plaintiffs and Class

20 members and their Private Information, which conduct included failing to: (1) secure Plaintiffs’

21 and Class member’s Private Information; (2) comply with industry standard security practices;

22 (3) implement adequate system and event monitoring; (4) implement the systems, policies, and

23 procedures necessary to prevent this type of data breach; and (5) failing to timely notify Class

24 members about the Data Breach so that they could take appropriate steps to mitigate the

25 potential for identity theft and other damages.

26 117. Through Defendants’ acts and omissions described in this Complaint, including

27 their failure to provide adequate data security and failure to protect Plaintiffs’ and Class

28 members’ Private Information from being foreseeably captured, accessed, disseminated, stolen
- 26 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 28 of 53

1 and misused, Defendants unlawfully breached their duty to use reasonable care to adequately

2 protect and secure Plaintiffs’ and Class members’ Private Information during the time it was

3 within Defendants’ possession or control.

4 118. Defendants’ conduct was negligent and departed from all reasonable standards

5 of care, including, but not limited to failing to adequately protect the Private Information and

6 failing to provide Plaintiffs and Class members with timely notice that their sensitive Private

7 Information had been compromised.

8 119. Neither Plaintiffs nor Class members contributed to the Data Breach and

9 subsequent misuse of their Private Information as described in this Complaint.

10 120. As a direct and proximate cause of Defendants’ conduct, Plaintiffs and Class

11 members suffered damages as alleged above.

12 121. Plaintiffs and Class members are also entitled to injunctive relief requiring

13 Defendant to, e.g., strengthen data security systems and monitoring procedures, and

14 immediately provide lifetime free credit monitoring to all Class members.

15 COUNT II
BREACH OF CONTRACT/BREACH OF IMPLIED COVENANT OF
16 GOOD FAITH AND FAIR DEALING
17 (On Behalf of Plaintiffs and the Nationwide Class or, Alternatively, the California, Illinois
18 and Texas Subclasses)
19 122. Plaintiffs fully incorporate by reference all of the above paragraphs, as though
20 fully set forth herein.

21 123. Plaintiffs and Class members entered into valid and enforceable express
22 contracts with Defendants under which Plaintiffs and Class members agreed to provide their

23 Private Information to Defendants, and Defendants agreed to provide financial services and to

24 protect Plaintiffs’ and Class members’ Private Information.

25 124. In every contract entered into between Plaintiffs and Class members and
26 Defendants, including those at issue here, there is an implied covenant of good faith and fair

27 dealing obligating the parties to refrain from unfairly interfering with the rights of the other

28
- 27 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 29 of 53

1 party or parties to receive the benefits of the contracts. This covenant of good faith and fair

2 dealing is applicable here as Defendants were obligated to protect (and not interfere with) the

3 privacy and protection of Plaintiffs’ and Class members’ Private Information.

4 125. To the extent Defendants’ obligation to protect Plaintiffs’ and Class members’

5 Private Information was not explicit in those express contracts, the contracts also included

6 implied terms requiring Defendants to implement data security adequate to safeguard and

7 protect the confidentiality of Plaintiffs’ and Class members’ Private Information, including in

8 accordance with trade regulations; federal, state and local laws; and industry standards. No

9 customer would have entered into these contracts with Defendants without the understanding

10 that their Private Information would be safeguarded and protected; stated otherwise, data

11 security was an essential term of the parties’ express contracts.

12 126. A meeting of the minds occurred, as Plaintiffs and Class members agreed,

13 among other things, to provide their Private Information in exchange for Defendants’

14 agreement to protect the confidentiality of that Private Information.

15 127. The protection of Plaintiffs’ and Class members’ Private Information was a

16 material aspect of Plaintiffs’ and Class members’ contracts with Defendants.

17 128. Defendants’ promises and representations described above relating to industry

18 practices and Defendants’ purported concern about their clients’ privacy rights became terms of

19 the contracts between Defendants and their clients, including Plaintiffs and Class members.

20 Defendants breached these promises by failing to comply with reasonable industry practices.

21 129. Plaintiffs and Class members read, reviewed, and/or relied on statements made

22 by or provided by Defendants and/or otherwise understood that Defendants would protect their

23 customers’ Private Information if that information were provided to Defendants.

24 130. Plaintiffs and Class members fully performed their obligations under their

25 contracts with Defendants; however, Defendants did not.

26 131. As a result of Defendants’ breach of these terms, Plaintiffs and Class members

27 have suffered a variety of damages including but not limited to: the lost value of their privacy;

28 not receiving the benefit of their bargain with Defendants; losing the difference in the value of
- 28 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 30 of 53

1 the services with adequate data security that Defendants promised and the services actually

2 received; the value of the lost time and effort required to mitigate the actual and potential

3 impact of the Data Breach on their lives, including, inter alia, that required to place “freezes”

4 and “alerts” with credit reporting agencies, to contact financial institutions, to close or modify

5 financial accounts, to closely review and monitor credit reports and various accounts for

6 unauthorized activity, and to file police reports. Additionally, Plaintiff sand Class members

7 have been put at increased risk of future identity theft, fraud, and/or misuse of their Private

8 Information, which may take years to manifest, discover, and detect.

9 132. Plaintiffs and Class members are therefore entitled to damages, including

10 restitution and unjust enrichment, disgorgement, declaratory and injunctive relief, and attorney

11 fees, costs, and expenses.

12 COUNT III
BREACH OF IMPLIED CONTRACT
13
(On Behalf of Plaintiffs and the Nationwide Class or, Alternatively, the California, Illinois
14
and Texas Subclasses)
15
133. Plaintiffs fully incorporate by reference all of the above paragraphs, as though
16
fully set forth herein.
17
134. Plaintiffs bring this claim alternatively to his claim for breach of contract.
18
135. Through their course of conduct, Defendants, Plaintiffs, and Class members
19
entered into implied contracts for the provision of financial services, as well as implied
20
contracts for the Defendants to implement data security adequate to safeguard and protect the
21
privacy of Plaintiffs’ and Class members’ Private Information.
22
136. Specifically, Plaintiffs entered into a valid and enforceable implied contract with
23
Defendants when he first entered into financial services agreements with Defendants.
24
137. The valid and enforceable implied contracts to provide financial services that
25
Plaintiffs and Class members entered into with Defendants include Defendants’ promise to
26
protect nonpublic Private Information given to them (or which Defendants created on its own
27
from disclosure).
28
- 29 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 31 of 53

1 138. When Plaintiffs and Class members provided their Private Information to

2 Defendants in exchange for Defendants’ services, they entered into implied contracts with

3 Defendants pursuant to which Defendants agreed to reasonably protect such information.

4 139. Defendants solicited and invited Plaintiffs and Class members to provide their

5 Private Information as part of Defendants’ regular business practices. Plaintiffs and Class

6 members accepted Defendants’ offer and provided their Private Information to Defendants.

7 140. In entering into such implied contracts, Plaintiffs and Class members reasonably

8 believed and expected that Defendants’ data security practices complied with relevant laws and

9 regulations, and were consistent with industry standards.

10 141. Class members, including Plaintiff, who paid money to Defendants reasonably

11 believed and expected that Defendant would use part of those funds to obtain and implement

12 adequate data security measures. Defendants failed to do so.

13 142. Under implied contracts, Defendants and/or their affiliated providers promised

14 and were obligated to: (a) provide financial services to Plaintiffs and Class members; and (b)

15 protect Plaintiffs’ and the Class members’ Private Information provided to obtain such benefits

16 of such services. In exchange, Plaintiffs and members of the Class agreed to pay money for

17 these services, and to turn over their Private Information to Defendants.

18 143. Both the provision of financial services and the protection of Plaintiffs’ and

19 Class members’ Private Information were material aspects of these implied contracts.

20 144. The implied contracts for the provision of financial services and maintenance of

21 the privacy of Plaintiffs’ and Class members’ Private Information are also acknowledged,

22 memorialized, and embodied in multiple documents, including (among other documents)

23 Defendants’ Privacy Notice.

24 145. Defendants’ express representations, including, but not limited to, the express

25 representations found in its Privacy Notice, memorializes and embodies the implied contractual

26 obligation requiring Defendants to implement data security adequate to safeguard and protect

27 the privacy of Plaintiffs’ and protect the privacy of Plaintiffs’ and Class members’ Private

28 Information.
- 30 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 32 of 53

1 146. Consumers of financial services value their privacy and the ability to keep their

2 Private Information associated with obtaining such services. Plaintiffs and Class members

3 would not have entrusted their Private Information to Defendants and entered into these

4 implied contracts with Defendants without an understanding that their Private Information

5 would be safeguarded and protected; nor would they have entrusted their Private Information to

6 Defendants in the absence of the implied promise by Defendants to monitor the Private

7 Information and to ensure that they adopted reasonable administrative and data security

8 measures.

9 147. A meeting of the minds occurred, as Plaintiffs and Class members agreed and

10 provided their Private Information to Defendants and/or their affiliated companies, and paid for

11 the provided services in exchange for, amongst other things, both the provision of financial

12 services and the protection of their Private Information.

13 148. Plaintiffs and Class members performed their obligations under the contract

14 when they paid for Defendants’ services and provided their Private Information to Defendants.

15 149. Defendants materially breached their contractual obligation to protect the

16 nonpublic Private Information they gathered when the Private Information was compromised as

17 a result of the Data Breach.

18 150. Defendants materially breached the terms of these implied contracts, including,

19 but not limited to, the terms stated in the relevant Privacy Notice. Defendants did not maintain

20 the privacy of Plaintiffs’ and Class members’ Private Information as evidenced by their

21 disclosures of the Data Breach to the SEC. Specifically, Defendants did not comply with

22 industry standards, standards of conduct embodied in statutes like Section 5 of the FTCA, or

23 otherwise protect Plaintiffs’ and Class members’ Private Information as set forth above.

24 151. The Data Breach was a reasonably foreseeable consequence of Defendants’ data

25 security failures in breach of these contracts.

26 152. As a result of Defendants’ failure to fulfill the data security protections promised

27 in these contracts, Plaintiffs and Class members did not receive full benefit of the bargain, and

28 instead received financial and other services that were of a diminished value to that described
- 31 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 33 of 53

1 in the contracts. Plaintiffs and Class members therefore were damaged in an amount at least

2 equal to the difference in the value of the investing accounts with data security protection that

3 they paid for and the services they actually received.

4 153. Had Defendants disclosed that their administrative and data security measures

5 were inadequate or that they did not adhere to industry-standard security measures, neither the

6 Plaintiffs, Class members, nor any reasonable person would have utilized services from

7 Defendants and/or their affiliated entities.

8 154. As a direct and proximate result of the Data Breach, Plaintiffs and Class

9 members have been harmed and suffered, and will continue to suffer, actual damages and

10 injuries, including without limitation the release and disclosure of their Private Information, the

11 loss of control of their Private Information, the imminent risk of suffering additional damages

12 in the future, out of pocket expenses, and the loss of the benefit of the bargain they had struck

13 with Defendants.

14 155. Plaintiffs and Class members are entitled to compensatory and consequential

15 damages suffered as a result of the Data Breach.

16 156. Plaintiffs and Class members are also entitled to injunctive relief requiring

17 Defendants to, e.g., strengthen their data security systems and monitoring procedures, and

18 immediately provide adequate credit monitoring to all Class members.

19 COUNT IV
UNJUST ENRICHMENT/QUASI-CONTRACT
20
(On Behalf of Plaintiffs and the Nationwide Class or, Alternatively, the California, Illinois
21
and Texas Subclasses)
22
157. Plaintiffs fully incorporate by reference all of the above paragraphs, as though
23
fully set forth herein.
24
158. Plaintiffs and Class members conferred a monetary benefit on Defendants.
25
Specifically, they purchased goods and services from Defendants and provided Defendants
26
with their Private Information. In exchange, Plaintiffs and Class members should have received
27
from Defendants the goods and services that were the subject of the transaction and should
28
- 32 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 34 of 53

1 have been entitled to have Defendants protect their Private Information with adequate data

2 security.

3 159. Defendants knew that Plaintiffs and Class members conferred a benefit on them

4 and accepted or retained that benefit. Defendants profited from Plaintiffs’ purchases and used

5 Plaintiff’s and Class member’s Private Information for business purposes.

6 160. Defendants failed to secure Plaintiffs’ and Class members’ Private Information

7 and, therefore, did not provide full compensation for the benefit the Plaintiffs’ and Class

8 members’ Private Information provided.

9 161. Defendants acquired the Private Information through inequitable means as they

10 failed to disclose the inadequate security practices previously alleged.

11 162. If Plaintiffs and Class members knew that Defendants would not secure their

12 Private Information using adequate security, they would not have used Defendants’ services.

13 163. Plaintiffs and Class members have no adequate remedy at law.

14 164. Under the circumstances, it would be unjust for Defendants to be permitted to

15 retain any of the benefits that Plaintiffs and Class members conferred on them.

16 165. Defendants should be compelled to disgorge into a common fund or constructive

17 trust, for the benefit of Plaintiffs and Class members, proceeds that they unjustly received from

18 them. In the alternative, Defendants should be compelled to refund the amounts that Plaintiffs

19 and the Class members overpaid for the use of Defendants’ services.

20 COUNT V
BREACH OF FIDUCIARY DUTY
21
(On Behalf of Plaintiffs and the Nationwide Class or, Alternatively, the California, Illinois
22
and Texas Subclasses)
23
166. Plaintiffs fully incorporate by reference all of the above paragraphs, as though
24
fully set forth herein.
25
167. In providing their Private Information to Defendants in exchange for financial
26
services, Plaintiffs and Class members justifiably placed a special confidence in Defendants to
27

28
- 33 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 35 of 53

1 act in good faith and with due regard to the interests of Plaintiffs and Class members to

2 safeguard and keep confidential that Private Information.

3 168. Defendants accepted the special confidence Plaintiffs and Class members placed

4 in them.

5 169. In light of the special relationship between Defendants and Plaintiffs and Class

6 members, whereby Defendants became guardians of Plaintiffs’ and Class members’ Private

7 Information, Defendants became fiduciaries by their undertaking and guardianship of the

8 Private Information, to act primarily for the benefit of their customers, including Plaintiffs and

9 Class members for the safeguarding of Plaintiffs’ and Class member’s Private Information.

10 170. Defendants have a fiduciary duty to act for the benefit of Plaintiffs and Class

11 members upon matters within the scope of their customers’ relationship, in particular, to keep

12 secure the Private Information of their customers.

13 171. Defendants breached their fiduciary duties to Plaintiffs and Class members by

14 failing to protect the integrity of the systems containing Plaintiffs’ and Class member’s Private

15 Information.

16 172. Defendants breached their fiduciary duties to Plaintiffs and Class members by

17 otherwise failing to safeguard Plaintiff’s and Class members’ Private Information.

18 173. As a direct and proximate result of Defendants’ breaches of their fiduciary

19 duties, Plaintiffs and Class members have suffered and will suffer injury, including but not

20 limited to: (i) actual identity theft; (ii) the compromise, publication, and/or theft of their

21 Private Information; (iii) out-of-pocket expenses associated with the prevention, detection,

22 and recovery from identity theft and/or unauthorized use of their Private Information; (iv) lost

23 opportunity costs associated with efforts expended and the loss of productivity addressing and

24 attempting to mitigate the actual and future consequences of the Data Breach, including but not

25 limited to efforts spent preventing, detecting, contesting, and recovering from identity theft; (v)

26 the continued risk to their Private Information, which remains in Defendants’ possession and is

27 subject to further unauthorized disclosures so long as Defendants fail to undertake

28 appropriate and adequate measures to protect the Private Information in their continued
- 34 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 36 of 53

1 possession; (vi) future costs in terms of time, effort, and money that will be expended as result

2 of the Data Breach for the remainder of the lives of Plaintiffs and Class Members; and

3 (vii) the diminished value of Defendants’ services they received.

4 174. As a direct and proximate result of Defendants’ breaches of their fiduciary

5 duties, Plaintiffs and Class members have suffered and will continue to suffer other forms of

6 injury and/or harm, and other economic and non-economic losses.

7 COUNT VI
VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW (“UCL”),
8
Cal. Bus. Prof. Code § 17200, et seq.,
9
(On Behalf of Plaintiffs and the California Subclass)
10
175. Plaintiffs fully incorporate by reference all of the above paragraphs, as though
11
fully set forth herein.
12
176. Defendants violated California’s Unfair Competition Law (“UCL”) Cal. Bus.
13
Prof. Code § 17200, et seq., by engaging in unlawful, unfair or fraudulent business acts and
14
practices and unfair, deceptive, untrue or misleading advertising that constitute acts of “unfair
15
competition” as defined in the UCL, including, but not limited to, the following:
16 a. By representing and advertising that they would maintain adequate data
17
privacy and security practices and procedures to safeguard Plaintiffs’ and
18
Class member’s Personal and financial information from unauthorized
19
disclosure, release, data breach, and theft; representing and advertising that
20

21 they would and did comply with the requirement of relevant federal and state

22 laws relating to privacy and security of Plaintiffs’ and Class’s Private

23 Information; and omitting, suppressing, and concealing the material fact of

24
the inadequacy of the privacy and security protections for the Private
25
Information;
26
b. By soliciting and collecting Private Information from Plaintiff and Class
27
members without adequately protecting or storing Private Information; and
28
- 35 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 37 of 53

c. By violating the California Customer Records Act, as set forth in further detail
1

2 below.

3
177. Defendants’ practices were also contrary to legislatively declared and public
4
policies that seek to protect consumer data and ensure that entities that solicit or are entrusted
5
with personal data utilize appropriate security measures, as reflected by laws like the FTC Act,
6
15 U.S.C. § 45.
7
178. As a direct and proximate result of Defendants’ unfair and unlawful practices and
8
acts, Plaintiff and the Class were injured and lost money or property, including but not limited
9
to, overpayments Defendants received to maintain adequate security measures and did not, the
10
loss of their legally protected interest in the confidentiality and privacy of their Private
11
Information, and additional losses described above.
12
179. Defendants knew or should have known that their administrative and data security
13
measures were inadequate to safeguard Plaintiff’s and Class members’ Private Information and
14
that the risk of a data breach or unauthorized access was highly likely. Defendants had resources
15
to secure and/or prepare for protecting customers’ Private Information in a data breach.
16
Defendants’ actions in engaging in the above-named unfair, unlawful and deceptive acts and
17
practices were negligent, knowing and willful, and/or wanton and reckless with respect to the
18
rights of the Class.
19
180. Plaintiff seeks relief under the UCL, including restitution to the Class of money
20
or property that the Defendants may have acquired by means of their deceptive, unlawful, and
21
unfair business practices, declaratory relief, attorney fees, costs and expenses (pursuant to Cal.
22
Code Civ. P. § 1021.5), and injunctive or other equitable relief.
23
COUNT VII
24 VIOLATION OF THE CALIFORNIA CUSTOMER RECORDS ACT (“CRA”),

25 Cal. Bus. Prof. Code § 1798.80, et seq.,

26 (On Behalf of Plaintiffs and the California Subclass)

27 181. Plaintiffs fully incorporate by reference all of the above paragraphs, as though

28 fully set forth herein.

- 36 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 38 of 53

1 182. At all relevant times, Defendants were a “business” under the terms of the CRA,

2 operating in the State of California and owning or licensing computerized data that included the

3 Private Information of Plaintiffs and the Class.

4 183. At all relevant times, Plaintiffs and the Class were “customers” under the terms

5 of the CRA as natural persons who provided personal information to Defendants for the purpose

6 of purchasing or leasing a product or obtaining a service from Defendants.

7 184. Section 1798.82 requires disclosure “shall be made in the most expedient time

8 possible and without unreasonable delay….” By the acts described above, Defendants violated

9 the CRA by allowing unauthorized access to customers’ personal and financial information and

10 then failing to inform them for months when the unauthorized use occurred, thereby failing in

11 their duty to inform their customers of unauthorized access expeditiously and without

12 unreasonable delay.

13 185. The Data Breach described herein is a “breach of the security system” under

14 Section 1798.82.

15 186. As a direct consequence of the actions as identified above, Plaintiffs and the Class

16 incurred additional losses and suffered further harm to their privacy, including but not limited to

17 economic loss, the loss of control over the use of their identity, harm to their constitutional right

18 to privacy, lost time dedicated to the investigation of and attempt to recover the loss of funds

19 and/or cure harm to their privacy, the need for future expenses and time dedicated to the recovery

20 and protection of further loss, and privacy injuries associated with having their sensitive personal

21 and financial information disclosed, that they would have not otherwise lost had Defendants

22 immediately informed them of the unauthorized use.

23 187. Plaintiffs accordingly request the Court enter an injunction requiring Defendants

24 to implement and maintain reasonable security procedures.

25 188. Plaintiffs further request the Court require Defendants to identify all of their

26 impacted clients, to what degree their information was stolen, and to notify all members of the

27 Class who have not yet been informed of the Data Breach by written email within 24 hours of

28 discovery of a breach, possible breach, and by mail within 72 hours.

- 37 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 39 of 53

1 189. As a result of Defendants’ violations, Plaintiffs and the Class are entitled to all

2 actual and compensatory damages according to proof, to non-economic injunctive relief

3 allowable under the CRA, and to such other and further relief as this Court may deem just and

4 proper.

5 COUNT VIII
VIOLATION OF THE ILLINOIS CONSUMER FRAUD ACT,
6
815 ILCS §§ 505, et seq.
7
(On Behalf of Plaintiff Salinas and the Illinois Subclass)
8
190. Plaintiff fully incorporates by reference all of the above paragraphs, as though
9
fully set forth herein.
10
191. Defendants are a “person” as defined by 815 Ill. Comp. Stat. §§ 505/1(c).
11
192. Plaintiff and Illinois Subclass members are “consumers” as defined by 815 Ill.
12
Comp. Stat. §§ 505/1(e).
13
193. Defendants’ conduct as described herein was in the conduct of “trade” or
14
“commerce” as defined by 815 Ill. Comp. Stat. § 505/1(f).
15
194. Defendants’ deceptive, unfair, and unlawful trade acts or practices, in violation of
16
815 Ill. Comp. Stat. § 505/2, include:
17
a. Failing to implement and maintain reasonable security and privacy
18
measures to protect Plaintiff and Illinois Subclass members’ Private
19
Information, which was a direct and proximate cause of the Data Breach;
20

21 b. Failing to identify foreseeable security and privacy risks, remediate

22 identified security and privacy risks, and adequately improve security and

23 privacy measures following previous cybersecurity incidents, which was a

24 direct and proximate cause of the Data Breach;

25 c. Failing to comply with common law and statutory duties pertaining to the
26 security and privacy of Plaintiff and Illinois Subclass members’ Private
27 Information, including duties imposed by the FTC Act, 15 U.S.C. § 45, and
28
- 38 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 40 of 53

1 the Illinois Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. §

2 510/2(a), which was a direct and proximate cause of the Data Breach;

3 d. Misrepresenting that they would protect the privacy and confidentiality of

4 Plaintiff and Illinois Subclass members’ Private Information, including by
5 implementing and maintaining reasonable security measures;
6
e. Misrepresenting that they would comply with common law and statutory
7
duties pertaining to the security and privacy of Plaintiff Salinas and Illinois
8
Subclass members’ Private Information, including duties imposed by the
9
FTC Act, and the Illinois Uniform Deceptive Trade Practices Act, 815 Ill.
10
Comp. Stat. § 510/2(a);
11
f. Failing to timely and adequately notify Plaintiff Salinas and Illinois
12
Subclass members of the Data Breach;
13

14 g. Omitting, suppressing, and concealing the material fact that it did not

15 reasonably or adequately secure Plaintiff Salinas’s and Illinois Subclass

16 members’ Private Information;

17 h. Omitting, suppressing, and concealing the material fact that it did not
18 comply with common law and statutory duties pertaining to the security and
19 privacy of Plaintiff and Illinois Subclass members’ Private Information,
20 including duties imposed by the FTC Act, 15 U.S.C. § 45, and the Illinois
21 Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. § 510/2(a).
22
195. Defendants’ representations and omissions were material because they were likely
23
to deceive reasonable consumers about the adequacy of Defendants’ data security and ability to
24
protect the confidentiality of consumers’ Private Information.
25
196. Defendants’ representations and omissions were material because they were likely
26
to deceive reasonable consumers, including Plaintiff and the Illinois Subclass members, that their
27

28
- 39 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 41 of 53

1 Private Information was not exposed and misled Plaintiff and the Illinois Subclass members into

2 believing they did not need to take actions to secure their identities.

3 197. Defendants intended to mislead Plaintiff and Illinois Subclass members and

4 induce them to rely on its misrepresentations and omissions.

5 198. The above unfair and deceptive practices and acts by Defendants offend public

6 policy, and were immoral, unethical, oppressive, and unscrupulous. These acts caused substantial

7 injury that these consumers could not reasonably avoid; this substantial injury outweighed any

8 benefits to consumers or to competition.

9 199. Defendants acted intentionally, knowingly, and maliciously to violate Illinois’s

10 Consumer Fraud Act, and recklessly disregarded Plaintiff and Illinois Subclass members’ rights.

11 200. As a direct and proximate result of Defendants’ unfair, unlawful, and deceptive

12 acts and practices, Plaintiff and Illinois Subclass members have suffered and will continue to

13 suffer injury, ascertainable losses of money or property, and monetary and non-monetary

14 damages, including from fraud and identity theft; time and expenses related to monitoring their

15 financial accounts for fraudulent activity; an increased, imminent risk of fraud and identity theft;

16 and loss of value of their Private Information.

17 201. Plaintiff and Illinois Subclass members seek all monetary and non-monetary relief

18 allowed by law, including damages, restitution, punitive damages, injunctive relief, and

19 reasonable attorneys’ fees and costs.

20 COUNT IX
VIOLATION OF THE ILLINOIS UNIFORM DECEPTIVE TRADE PRACTICES ACT,
21
815 ILCS §§ 510/2, et seq.
22
(On Behalf of Plaintiff Salinas and the Illinois Subclass)
23
202. Plaintiff fully incorporates by reference all of the above paragraphs, as though
24
fully set forth herein.
25
203. Defendants are a “person” as defined by 815 Ill. Comp. Stat. §§ 505/1(5).
26
204. Defendants engaged in deceptive trade practices in the conduct of its business, in
27
violation of 815 Ill. Comp. Stat. §§ 510/2(a), including:
28
- 40 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 42 of 53

1 a. Representing that goods or services have characteristics that they do not

2 have;

3 b. Representing that goods or services are of a particular standard, quality, or

4 grade if they are of another;
5
c. Advertising goods or services with intent not to sell them as advertised; and
6
d. Engaging in other conduct that creates a likelihood of confusion or
7
misunderstanding.
8

9 205. Defendants’ deceptive trade practices include:

10 a. Failing to implement and maintain reasonable security and privacy
11 measures to protect Plaintiff and Illinois Subclass members’ Private
12 Information, which was a direct and proximate cause of the Data Breach;
13
b. Failing to identify foreseeable security and privacy risks, remediate
14
identified security and privacy risks, and adequately improve security and
15
privacy measures following previous cybersecurity incidents, which was a
16
direct and proximate cause of the Data Breach;
17
c. Failing to comply with common law and statutory duties pertaining to the
18
security and privacy of Plaintiff and Illinois Subclass members’ Private
19
Information, including duties imposed by the FTC Act, 15 U.S.C. § 45, and
20
the Illinois Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. §
21
510/2(a), which was a direct and proximate cause of the Data Breach;
22

23 d. Misrepresenting that it would protect the privacy and confidentiality of

24 Plaintiff and Illinois Subclass members’ Private Information, including by

25 implementing and maintaining reasonable security measures;

26 e. Misrepresenting that it would comply with common law and statutory duties
27 pertaining to the security and privacy of Plaintiff and Illinois Subclass
28
- 41 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 43 of 53

1 members’ Private Information, including duties imposed by the FTC Act,

2 and the Illinois Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat.

3 § 510/2(a);

4 f. Failing to timely and adequately notify Plaintiff and Illinois Subclass

5 members of the Data Breach;
6
g. Misrepresenting that certain sensitive Personal Information was not
7
accessed during the Data Breach, when it was;
8
h. Omitting, suppressing, and concealing the material fact that it did not
9
reasonably or adequately secure Plaintiff and Illinois Subclass members’
10
Private Information; and
11

12 i. Omitting, suppressing, and concealing the material fact that it did not

13 comply with common law and statutory duties pertaining to the security and

14 privacy of Plaintiff and Illinois Subclass members’ Private Information,

15 including duties imposed by the FTC Act, 15 U.S.C. § 45 and the Illinois

16 Uniform Deceptive Trade Practices Act, 815 Ill. Comp. Stat. § 510/2(a)).

17
206. Defendants’ representations and omissions were material because they were likely
18
to deceive reasonable consumers about the adequacy of Defendants’ data security and ability to
19
protect the confidentiality of consumers’ Private Information.
20
207. Defendants’ representations and omissions were material because they were likely
21
to deceive reasonable consumers, including Plaintiff and the Illinois Subclass members, that their
22
Private Information was not exposed and misled Plaintiff and the Illinois Subclass members into
23
believing they did not need to take actions to secure their identities.
24
208. The above unfair and deceptive practices and acts by Defendants were immoral,
25
unethical, oppressive, and unscrupulous. These acts caused substantial injury to Plaintiff and
26
Illinois Subclass members that they could not reasonably avoid; this substantial injury
27
outweighed any benefits to consumers or to competition.
28
- 42 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 44 of 53

1 209. As a direct and proximate result of Defendants’ unfair, unlawful, and deceptive

2 trade practices, Plaintiff and Illinois Subclass members have suffered and will continue to suffer

3 injury, ascertainable losses of money or property, and monetary and non-monetary damages,

4 including from fraud and identity theft; time and expenses related to monitoring their financial

5 accounts for fraudulent activity; an increased, imminent risk of fraud and identity theft; and loss

6 of value of their Private Information.

7 210. Plaintiff and Illinois Subclass members seek all monetary and non-monetary relief

8 allowed by law, including injunctive relief and reasonable attorney’s fees.

9 COUNT X
VIOLATION OF THE TEXAS DECEPTIVE TRADE PRACTICES ACT-CONSUMER
10 PROTECTION ACT,
11 Texas Bus. & Com. Code §§ 17.41, et seq.,
12 (On Behalf of Plaintiff Washington and the Texas Subclass)
13 211. Plaintiff fully incorporates by reference all of the above paragraphs, as though
14 fully set forth herein.

15 212. Defendants are a “person,” as defined by Tex. Bus. & Com. Code § 17.45(3).
16 213. Plaintiff and the Texas Subclass members are “consumers,” as defined by Tex.
17 Bus. & Com. Code § 17.45(4).

18 214. Defendants advertised, offered, or sold goods or services in Texas and engaged in
19 trade or commerce directly or indirectly affecting the people of Texas, as defined by Tex. Bus. &

20 Com. Code § 17.45(6).

21 215. Defendants engaged in false, misleading, or deceptive acts and practices, in

22 violation of Tex. Bus. & Com. Code § 17.46(b), including:

23 a. Representing that goods or services have sponsorship, approval,

24 characteristics, ingredients, uses, benefits or quantities that they do not
25 have;
26
b. Representing that goods or services are of a particular standard, quality or
27
grade, if they are of another; and
28
- 43 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 45 of 53

1 c. Advertising goods or services with intent not to sell them as advertised.

2 d. Defendants’ false, misleading, and deceptive acts and practices include:

3
e. Failing to implement and maintain reasonable security and privacy
4
measures to protect Plaintiff and Texas Subclass members’ Private
5
Information, which was a direct and proximate cause of the Data Breach;
6
f. Failing to identify foreseeable security and privacy risks, remediate
7
identified security and privacy risks, and adequately improve security and
8
privacy measures following previous cybersecurity incidents, which was a
9
direct and proximate cause of the Data Breach;
10

11 g. Failing to comply with common law and statutory duties pertaining to the

12 security and privacy of Plaintiff and Texas Subclass members’ Private

13 Information, including duties imposed by the FTC Act, 15 U.S.C. § 45 and

14 Texas’s data security statute, Tex. Bus. & Com. Code § 521.052, which was

15 a direct and proximate cause of the Data Breach;

16 h. Misrepresenting that it would protect the privacy and confidentiality of

17 Plaintiff and Texas Subclass members’ Private Information, including by
18 implementing and maintaining reasonable security measures;
19
i. Misrepresenting that it would comply with common law and statutory duties
20
pertaining to the security and privacy of Plaintiff and Texas Subclass
21
members’ Private Information, including duties imposed by the FTC Act,
22
15 U.S.C. § 45 and Texas’s data security statute, Tex. Bus. & Com. Code §
23
521.052;
24
j. Failing to timely and adequately notify the Plaintiff and Texas Subclass
25
members of the Data Breach;
26

27 k. Misrepresenting that certain sensitive Personal Information was not

28 accessed during the Data Breach, when it was;

- 44 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 46 of 53

1 l. Omitting, suppressing, and concealing the material fact that it did not

2 reasonably or adequately secure Plaintiff and Texas Subclass members’

3 Private Information; and

4 m. Omitting, suppressing, and concealing the material fact that it did not
5 comply with common law and statutory duties pertaining to the security and
6 privacy of Plaintiff and Texas Subclass members’ Private Information,
7 including duties imposed by the FTC Act, 15 U.S.C. § 45 and Texas’s data
8 security statute, Tex. Bus. & Com. Code § 521.052.
9
216. Defendants intended to mislead Plaintiff and Texas Subclass members and induce
10

11 them to rely on its misrepresentations and omissions.

217. Defendants’ representations and omissions were material because they were likely
12

13 to deceive reasonable consumers about the adequacy of Defendants’ data security and ability to

14 protect the confidentiality of consumers’ Private Information.

218. Defendants’ representations and omissions were material because they were likely
15

16 to deceive reasonable consumers, including Plaintiff and the Texas Subclass members, that their

17 Private Information was not exposed and misled Plaintiff and the Texas Subclass members into

18 believing they did not need to take actions to secure their identities.
219. Had Defendants disclosed to Plaintiff and Class members that its data systems
19

20 were not secure and, thus, vulnerable to attack, Defendants would have been unable to continue

21 in business and it would have been forced to adopt reasonable data security measures and

22 comply with the law. Instead, Defendants were trusted with sensitive and valuable Private

23 Information regarding millions of consumers, including Plaintiff, the Class, and the Texas

24 Subclass. Defendants accepted the responsibility of being a steward of this data while keeping

25 the inadequate state of its security controls secret from the public. Accordingly, because

26 Defendants held themselves out as maintaining a secure platform for Private Information data,

27 Plaintiff, the Class, and the Texas Subclass members acted reasonably in relying on Defendants’

28 misrepresentations and omissions, the truth of which they could not have discovered.
- 45 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 47 of 53

1 220. Defendant had a duty to disclose the above facts due to the circumstances of this

2 case, the sensitivity and extent of the Private Information in its possession, and the generally

3 accepted professional standards in its industry. This duty arose because members of the public,

4 including Plaintiff and the Texas Subclass, repose a trust and confidence in Defendants. In

5 addition, such a duty is implied by law due to the nature of the relationship between consumers,

6 including Plaintiff and the Texas Subclass, and Defendants because consumers are unable to

7 fully protect their interests with regard to their data, and placed trust and confidence in

8 Defendants. Defendants’ duty to disclose also arose from its:

9 a. Possession of exclusive knowledge regarding the security of the data in its

10 systems;

11 b. Active concealment of the state of its security; and/or

12
c. Incomplete representations about the security and integrity of its computer
13
and data systems, and its prior data breaches, while purposefully
14
withholding material facts from Plaintiff and the Texas Subclass that
15
contradicted these representations.
16

17 221. Defendants engaged in unconscionable actions or courses of conduct, in

18 violation of Tex. Bus. & Com. Code Ann. § 17.50(a)(3). Defendants engaged in acts or

19 practices which, to consumers’ detriment, took advantage of consumers’ lack of knowledge,

20 ability, experience, or capacity to a grossly unfair degree.

21 222. Consumers, including Plaintiff and Texas Subclass members, lacked knowledge

22 about deficiencies in Defendants’ data security because this information was known

23 exclusively by Defendants. Consumers also lacked the ability, experience, or capacity to secure

24 the Private Information in Defendants’ possession or to fully protect their interests with regard

25 to their data. Plaintiffs and Texas Subclass members lack expertise in information security

26 matters and do not have access to Defendants’ systems in order to evaluate its security controls.

27 Defendants took advantage of its special skill and access to Private Information to hide its

28
- 46 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 48 of 53

1 inability to protect the security and confidentiality of Plaintiff and Texas Subclass members’

2 Private Information.

3 223. Defendants intended to take advantage of consumers’ lack of knowledge, ability,

4 experience, or capacity to a grossly unfair degree, with reckless disregard of the unfairness that

5 would result. The unfairness resulting from Defendants’ conduct is glaringly noticeable,

6 flagrant, complete, and unmitigated. The Data Breach, which resulted from Defendants’

7 unconscionable business acts and practices, exposed Plaintiff and Texas Subclass members to a

8 wholly unwarranted risk to the safety of their Private Information and the security of their

9 identity or credit, and worked a substantial hardship on a significant and unprecedented number

10 of consumers. Plaintiff and Texas Subclass members cannot mitigate this unfairness because

11 they cannot undo the data breach.

12 224. Defendants acted intentionally, knowingly, and maliciously to violate Texas’s

13 Deceptive Trade Practices-Consumer Protection Act, and recklessly disregarded Plaintiff and

14 Texas Subclass members’ rights.

15 225. As a direct and proximate result of Defendants’ unconscionable and deceptive

16 acts or practices, Plaintiff and Texas Subclass members have suffered and will continue to

17 suffer injury, ascertainable losses of money or property, and monetary and non-monetary

18 damages, including from fraud and identity theft; time and expenses related to monitoring their

19 financial accounts for fraudulent activity; an increased, imminent risk of fraud and identity

20 theft; and loss of value of their Private Information. Defendants’ unconscionable and deceptive

21 acts or practices were a producing cause of Plaintiff and Texas Subclass members’ injuries,

22 ascertainable losses, economic damages, and non-economic damages, including their mental

23 anguish.

24 226. Defendants’ violations present a continuing risk to Plaintiff and Texas Subclass

25 members as well as to the general public.

26 227. Plaintiff and the Texas Subclass seek all monetary and non-monetary relief

27 allowed by law, including economic damages; damages for mental anguish; treble damages for

28
- 47 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 49 of 53

1 each act committed intentionally or knowingly; court costs; reasonably and necessary

2 attorneys’ fees; injunctive relief; and any other relief which the court deems proper.

3 COUNT XI
DECLARATORY/INJUNCTIVE RELIEF
4
(On Behalf of Plaintiffs and the Nationwide Class or, Alternatively, the California, Illinois
5
and Texas Subclasses)
6
228. Plaintiffs fully incorporate by reference all of the above paragraphs, as though
7
fully set forth herein.
8
229. Under the Declaratory Judgment Act, 28 U.S.C. §§ 2201, et seq., this Court is
9
authorized to enter a judgment declaring the rights and legal relations of the parties and
10
granting further necessary relief. Furthermore, the Court has broad authority to restrain acts,
11
such as here, that are tortious and violate the terms of the federal statutes described in this
12
Complaint.
13
230. An actual controversy has arisen in the wake of the Data Breach regarding
14
Defendants’ present and prospective common law and other duties to reasonably safeguard
15
Plaintiffs’ and Class members’ Private Information, and whether Defendants are currently
16
maintaining data security measures, including employee (and former employee) practices,
17
procedures, and protocols, adequate to protect Plaintiffs and Class members from future data
18
breaches that compromise their Private Information. Plaintiffs and the Class remain at an
19
imminent and substantial risk that further compromises of their Private Information will occur
20
in the future.
21
231. The Court should also issue prospective injunctive relief requiring Defendants to
22
employ adequate security practices consistent with law and industry standards to protect
23
consumers’ Private Information.
24
232. Defendants still possesses the Private Information of Plaintiffs and the Class.
25
233. To Plaintiffs’ knowledge, Defendants have made little, if any, changes to its data
26
storage or security practices relating to the security of the Private Information.
27

28
- 48 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 50 of 53

1 234. To Plaintiffs’ knowledge, Defendants have not adequately remedied the

2 vulnerabilities and negligent data security practices that led to the Data Breach.

3 235. If an injunction is not issued, Plaintiffs and the Class will suffer irreparable

4 injury and lack an adequate legal remedy in the event of another data breach at Defendants. The

5 risk of another such breach is real, immediate, and substantial.

6 236. The hardship to Plaintiffs and Class members if an injunction does not issue

7 exceeds the hardship to Defendants if an injunction is issued. Among other things, if another

8 data breach occurs, Plaintiffs and Class members will likely continue to be subjected to fraud,

9 identify theft, and other harms described herein. On the other hand, the cost to Defendants of

10 complying with an injunction by employing reasonable prospective data security measures is

11 relatively minimal, and Defendants have a pre-existing legal obligation to employ such

12 measures.

13 237. Issuance of the requested injunction will not disserve the public interest. To the

14 contrary, such an injunction would benefit the public by preventing another data breach, thus

15 eliminating the additional injuries that would result to Plaintiffs and Class members, along with

16 other consumers whose PII would be further compromised.

17 238. Pursuant to its authority under the Declaratory Judgment Act, this Court should

18 enter a judgment declaring that Defendant implement and maintain reasonable security

19 measures, including but not limited to the following:

20 a. Engaging third-party security auditors and internal personnel to run automated

21 data security monitoring;

22 b. auditing, testing, and training their security personnel and employees

23 regarding any new or modified procedures;

24 c. purging, deleting, and destroying Private Information not necessary for their

25 provisions of services in a reasonably secure manner;

26 d. conducting regular database scans and security checks; and

27 e. routinely and continually conducting internal employee training and education

28 to inform internal security personnel and employees how to prevent or detect

- 49 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 51 of 53

1 a similar data breach when it occurs and what to do in response to such a

2 breach.

3 DEMAND FOR JURY TRIAL

4 Plaintiffs demand a trial by jury of all claims so triable.

5 REQUEST FOR RELIEF

6 WHEREFORE, Plaintiffs, individually and on behalf of the Class proposed in this

7 Complaint, respectfully requests that the Court enter judgment in his favor and against

8 Defendants, as follows:

9 a. For an Order certifying this action as a class action and appointing Plaintiffs and

10 their counsel to represent the Class;

11 b. For equitable relief enjoining Defendants from engaging in the wrongful conduct

12 complained of herein pertaining to the misuse and/or disclosure of Plaintiffs’ and

13 Class members’ Private Information, and from failing to issue prompt, complete

14 and accurate disclosures to Plaintiffs and Class members;

15 c. For equitable relief compelling Defendants to utilize appropriate methods and

16 policies with respect to consumer data collection, storage, and safety, especially

17 as such methods and policies pertain to both current and former employees;

18 d. For equitable relief requiring restitution and disgorgement of the revenues

19 wrongfully retained as a result of Defendants’ wrongful conduct;

20 e. Ordering Defendants to pay for not less than three (3) years of credit monitoring

21 services for Plaintiffs and the Class;

22 f. For an award of actual damages, compensatory damages, statutory damages, and

23 statutory penalties, in an amount to be determined, as allowable by law;

24 g. For an award of punitive damages, as allowable by law;

25 h. For an award of attorneys’ fees and costs, and any other expense, including expert

26 witness fees;

27 i. Pre- and post-judgment interest on any amounts awarded; and such other and

28 further relief as this court may deem just and proper.

- 50 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 52 of 53

2 Date: August 23, 2022 Respectfully submitted,

3
/s/Dennis Stewart
4 Dennis Stewart (#99152)
GUSTAFSON GLUEK PLLC
5
600 W. Broadway
6 Suite 3300
San Diego, CA 92101
7 Tel: (612) 333-8844
dstewart@gustafsongluek.com
8
Daniel E. Gustafson*
9
David A. Goodwin*
10 Mary M. Nikolai*
GUSTAFSON GLUEK PLLC
11 Canadian Pacific Plaza
120 South Sixth Street, Suite 2600
12 Minneapolis, MN 55402
Tel: (612) 333-8844
13
dgustafson@gustafsongluek.com
14 dgoodwin@gustafsongluek.com
mnikolai@gustafsongluek.com
15
Nicholas A. Migliaccio*
16 nmigliaccio@classlawdc.com
17 Jason S. Rathod*
jrathod@classlawdc.com
18 Migliaccio & Rathod LLP
412 H Street NE
19 Washington, DC 20002
Tel: (202) 470-3520
20 Fax: (202) 800-2730
21
Gary S. Graifman*
22 Melissa R. Emert*
KANTROWITZ, GOLDHAMER &
23 GRAIFMAN, P.C.
135 Chestnut Ridge Road, Suite 200
24 Montvale, New Jersey 07645
25 T: 845-356-2570
F: 845-356-4335
26 ggraifman@kgglaw.com
memert@kgglaw.com
27

28
- 51 -
CLASS ACTION COMPLAINT
 Case 3:22-cv-04823-DMR Document 1 Filed 08/23/22 Page 53 of 53

2
Scott. D Hirsch*
3 SCOTT HIRSCH LAW GROUP
6810 N. State Road 7
4 Coconut Creek, FL 33073
(561) 569-7062
5
scott@scotthirschlawgroup.com
6
Counsel for Plaintiff and the Putative Class
7
*Pro Hac Vice Application to be Submitted
8

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28
- 52 -
CLASS ACTION COMPLAINT