Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 1 of 57

IN THE UNITED STATES DISTRICT COURT

SOUTHERN DISTRICT OF MISSISSIPPI
NORTHERN DIVISION

MILISA JONES YOUNG, on behalf of herself Case No.: 3:25-cv-00131-KHJ-MTP

and all others similarly situated,
CLASS ACTION
Plaintiff,
DEMAND FOR A JURY TRIAL
v.

YAZOO VALLEY ELECTRIC POWER

ASSOCIATION,

Defendant.

FIRST AMENDED CLASS ACTION COMPLAINT

Plaintiff Milisa Jones Young (“Plaintiff”) brings this First Amended Class Action

Complaint (“Complaint”) against Yazoo Valley Electric Power Association ("Defendant") as an

individual and on behalf of all others similarly situated, and alleges, upon personal knowledge as

to her own actions and her counsels’ investigation, and upon information and belief as to all other

matters, as follows:

PARTIES

1. Plaintiff is an adult resident citizen of Holly Bluff, Mississippi.

2. Defendant Yazoo Valley Electric Power Association is a company with its principal

place of business located in Yazoo City, Mississippi.

SUMMARY OF ACTION

3. Plaintiff brings this class action against Defendant for its failure to properly secure

and safeguard sensitive information of its customers.

1
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 2 of 57

4. Defendant is a rural electric power association serving parts of six counties in

Mississippi.

5. Plaintiff’s and Class Members’ sensitive personal information—which they

entrusted to Defendant on the mutual understanding that Defendant would protect it against

disclosure—was targeted, compromised and unlawfully accessed due to the Data Breach.

6. Defendant collected and maintained certain personally identifiable information of

Plaintiff and the putative Class Members (defined below), who are (or were) customers at

Defendant.

7. The PII compromised in the Data Breach included Plaintiff’s and Class Members’

full names and Social Security numbers (“personally identifiable information” or “PII”).

8. The PII compromised in the Data Breach was exfiltrated by cyber-criminals and

remains in the hands of those cyber-criminals who target PII for its value to identity thieves.

9. As a result of the Data Breach, Plaintiff and approximately 20,000 Class Members, 1

suffered concrete injuries in fact including, but not limited to: (i) invasion of privacy; (ii) theft of

their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with

attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the

bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences

of the Data Breach; (vii) actual misuse of the compromised data consisting of an increase in spam

calls, texts, and/or emails; (viii) Plaintiff experiencing fraud and misuse of her PII in the form of a

hard inquiry being placed on her credit report, in or about February 2025; (ix) nominal damages;

and (x) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and

available for unauthorized third parties to access and abuse; and (b) remains backed up in

1 https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/93c8c3c5-1c8d-47bc-bf45-aefb701811f9.html

2
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 3 of 57

Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant

fails to undertake appropriate and adequate measures to protect the PII.

10. The Data Breach was a direct result of Defendant’s failure to implement adequate

and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from

a foreseeable and preventable cyber-attack.

11. Moreover, upon information and belief, Defendant was targeted for a cyber-attack

due to its status as a utility company that collects and maintains highly valuable PII on its systems.

12. Defendant maintained, used, and shared the PII in a reckless manner. In particular,

the PII was used and transmitted by Defendant in a condition vulnerable to cyberattacks. Upon

information and belief, the mechanism of the cyberattack and potential for improper disclosure of

Plaintiff’s and Class Members’ PII was a known risk to Defendant, and thus, Defendant was on

notice that failing to take steps necessary to secure the PII from those risks left that property in a

dangerous condition.

13. Defendant disregarded the rights of Plaintiff and Class Members by, inter alia,

intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures

to ensure its data systems were protected against unauthorized intrusions; failing to take standard

and reasonably available steps to prevent the Data Breach; and failing to provide Plaintiff and

Class Members prompt and accurate notice of the Data Breach.

14. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s

negligent conduct because the PII that Defendant collected and maintained has been accessed and

acquired by data thieves.

15. Armed with the PII accessed in the Data Breach, data thieves have already engaged

in identity theft and fraud and can in the future commit a variety of crimes including, e.g., opening

3
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 4 of 57

new financial accounts in Class Members’ names, taking out loans in Class Members’ names,

using Class Members’ information to obtain government benefits, filing fraudulent tax returns

using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with

another person’s photograph, and giving false information to police during an arrest.

16. As a result of the Data Breach, Plaintiff and Class Members have been exposed to

a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now

and in the future closely monitor their financial accounts to guard against identity theft.

17. Plaintiff and Class Members may also incur out of pocket costs, e.g., for purchasing

credit monitoring services, credit freezes, credit reports, or other protective measures to deter and

detect identity theft.

18. Plaintiff brings this class action lawsuit on behalf all those similarly situated to

address Defendant’s inadequate safeguarding of Class Members’ PII that it collected and

maintained, and for failing to provide timely and adequate notice to Plaintiff and other Class

Members that their information had been subject to the unauthorized access by an unknown third

party and precisely what specific type of information was accessed.

19. Through this Complaint, Plaintiff seeks to remedy these harms on behalf of herself

and all similarly situated individuals whose PII was accessed during the Data Breach.

20. Plaintiff and Class Members have a continuing interest in ensuring that their

information is and remains safe, and they should be entitled to injunctive and other equitable relief.

JURISDICTION AND VENUE

21. This Court has subject matter jurisdiction over this action under the Class Action

Fairness Act, 28 U.S.C. § 1332(d)(2). There are at least 100 putative Class Members, the

aggregated claims of the individual Class Members exceed the sum or value of $5,000,000

4
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 5 of 57

exclusive of interest and costs, and members of the proposed Class are citizens of states different

from Defendant.2

22. This Court has jurisdiction over Defendant through its business operations in this

District, the specific nature of which occurs in this District. Defendant’s principal place of business

is in this District. Defendant intentionally avails itself of the markets within this District to render

the exercise of jurisdiction by this Court just and proper.

23. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because

Defendant’s principal place of business is located in this District and a substantial part of the events

and omissions giving rise to this action occurred in this District.

FACTUAL ALLEGATIONS

Defendant's Business

24. Defendant is a rural electric power association serving parts of six counties in

Mississippi.

25. Plaintiff and Class Members are current and former customers at Defendant.

26. In the course of their relationship, customers, including Plaintiff and Class

Members, provided Defendant with at least the following: names, Social Security numbers, and

other sensitive information.

27. Upon information and belief, in the course of collecting PII from customers,

including Plaintiff, Defendant promised to provide confidentiality and adequate security for the

data it collected from customers through its applicable privacy policy and through other disclosures

in compliance with statutory privacy requirements.

2 According
to the breach report submitted to the Office of the Maine Attorney General, 1 Maine
resident was impacted in the Data Breach. See
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/93c8c3c5-1c8d-47bc-bf45-aefb701811f9.html

5
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 6 of 57

28. Indeed, Defendant provides on its website that: "[w]e are committed to ensuring

the security of your personal information. To prevent unauthorized access, maintain data accuracy,

and ensure the proper use of information, we have established and implemented appropriate

physical, electronic and managerial procedures to safeguard and secure the information we collect

online." 3

29. Plaintiff and the Class Members, as customers at Defendant, relied on these

promises and on this sophisticated business entity to keep their sensitive PII confidential and

securely maintained, to use this information for business purposes only, and to make only

authorized disclosures of this information. Consumers, in general, demand security to safeguard

their PII, especially when their Social Security numbers and other sensitive PII is involved.

The Data Breach

30. On or about January 30, 2025, Defendant began sending Plaintiff and other Data

Breach victims an untitled letter (the "Notice Letter"), informing them that:

What Happened: On or about August 26, 2024, we became aware of suspicious activity
on our network. Upon discovery, we took immediate action to secure the network and
engaged a team of third-party specialists to assist with determining the full nature and
scope of the incident. A thorough investigation determined that an unauthorized actor
accessed certain files on our network. We then conducted a thorough review of the
potentially impacted data to determine the types of information contained therein and to
whom the information related. On October 24, 2024, we completed our review and
determined that a limited amount of personal information may have been accessed by an
unauthorized party in connection with this incident. We then diligently worked to obtain
address information for potentially affected individuals and completed this process on
December 20, 2024.4

31. Omitted from the Notice Letter were the identity of the cybercriminals who

perpetrated this Data Breach, the date(s) of the Data Breach, the details of the root cause of the

3
https://www.yazoovalley.com/index.php/about-us/
4 The “Notice Letter”. A sample copy is available at
https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/93c8c3c5-1c8d-47bc-bf45-aefb701811f9.html

6
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 7 of 57

Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a

breach Jones Youngs not occur again. To date, these omitted details have not been explained or

clarified to Plaintiff and Class Members, who retain a vested interest in ensuring that their PII

remains protected.

32. This “disclosure” amounts to no real disclosure at all, as it fails to inform, with any

degree of specificity, Plaintiff and Class Members of the Data Breach’s critical facts. Without

these details, Plaintiff’s and Class Members’ ability to mitigate the harms resulting from the Data

Breach is severely diminished.

33. Despite Defendant’s intentional opacity about the root cause of this incident,

several facts may be gleaned from the Notice Letter, including: a) that this Data Breach was the

work of cybercriminals; b) that the cybercriminals first infiltrated Defendant’s networks and

systems, and downloaded data from the networks and systems (aka exfiltrated data, or in

layperson’s terms “stole” data; and c) that once inside Defendant’s networks and systems, the

cybercriminals targeted information including Plaintiff’s and Class Members’ Social Security

numbers for download and theft.

34. In the context of notice of data breach letters of this type, Defendant’s use of the

phrase “potentially accessed” is misleading lawyer language. Companies only send notice letters

because data breach notification laws require them to do so. And such letters are only sent to those

persons who Defendant itself has a reasonable belief that such personal information was accessed

or acquired by an unauthorized individual or entity. Defendant cannot hide behind legalese – by

sending a notice of data breach letter to Plaintiff and Class Members, it admits that Defendant

itself has a reasonable belief that Plaintiff’s and Class Members’ names, Social Security numbers,

7
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 8 of 57

and other sensitive information was accessed or acquired by an unknown actor – aka

cybercriminals.

35. Moreover, in its Notice Letter, Defendant failed to specify whether it undertook

any efforts to contact the approximate 20,000 Class Members whose data was accessed and

acquired in the Data Breach to inquire whether any of the Class Members suffered misuse of their

data, whether Class Members should report their misuse to Defendant, and whether Defendant set

up any mechanism for Class Members to report any misuse of their data.

36. Defendant had obligations created by the FTC Act, contract, common law, and

industry standards to keep Plaintiff’s and Class Members’ PII confidential and to protect it from

unauthorized access and disclosure.

37. Defendant did not use reasonable security procedures and practices appropriate to

the nature of the sensitive information they were maintaining for Plaintiff and Class Members,

causing the exposure of PII, such as encrypting the information or deleting it when it is no longer

needed.

38. The attacker accessed and acquired files containing unencrypted PII of Plaintiff and

Class Members. Plaintiff’s and Class Members’ PII was accessed and stolen in the Data Breach.

39. Plaintiff further believes that her PII and that of Class Members was subsequently

sold on the dark web following the Data Breach, as that is the modus operandi of cybercriminals

that commit cyber-attacks of this type.

Data Breaches Are Preventable

40. Defendant did not use reasonable security procedures and practices appropriate to

the nature of the sensitive information they were maintaining for Plaintiff and Class Members,

8
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 9 of 57

causing the exposure of PII, such as encrypting the information or deleting it when it is no longer

needed.

41. Defendant could have prevented this Data Breach by, among other things, properly

encrypting or otherwise protecting their equipment and computer files containing PII.

42. As explained by the Federal Bureau of Investigation, “[p]revention is the most

effective defense against ransomware and it is critical to take precautions for protection.” 5

43. To prevent and detect cyber-attacks and/or ransomware attacks, Defendant could

and should have implemented, as recommended by the United States Government, the following

measures:

• Implement an awareness and training program. Because end users are targets,
employees and individuals should be aware of the threat of ransomware and how it is
delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and
authenticate inbound email using technologies like Sender Policy Framework (SPF),
Domain Message Authentication Reporting and Conformance (DMARC), and
DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from
reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a

centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users
should be assigned administrative access unless absolutely needed; and those with a
need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions—

with least privilege in mind. If a user only needs to read specific files, the user should

5 How to Protect Your Networks from RANSOMWARE, at 3, available at:

https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

9
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 10 of 57

not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office
Viewer software to open Microsoft Office files transmitted via email instead of full
office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs

from executing from common ransomware locations, such as temporary folders
supporting popular Internet browsers or compression/decompression programs,
including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known
and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized

environment.

• Categorize data based on organizational value and implement physical and logical
separation of networks and data for different organizational units.6

44. To prevent and detect cyber-attacks or ransomware attacks, Defendant could and

should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team,

the following measures:

Secure internet-facing assets

- Apply latest security updates

- Use threat and vulnerability management
- Perform regular audit; remove privileged credentials;

Thoroughly investigate and remediate alerts

- Prioritize and treat commodity malware infections as potential full

compromise;

Include IT Pros in security discussions

- Ensure collaboration among [security operations], [security admins], and

[information technology] admins to configure servers and other endpoints
securely;

6
Id. at 3-4.

10
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 11 of 57

Build credential hygiene

- Use [multifactor authentication] or [network level authentication] and use

strong, randomized, just-in-time local admin passwords;

Apply principle of least-privilege

- Monitor for adversarial activities

- Hunt for brute force attempts
- Monitor for cleanup of Event Logs
- Analyze logon events;

Harden infrastructure

- Use Windows Defender Firewall

- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and [Antimalware Scan Interface]
for Office [Visual Basic for Applications]. 7

45. Given that Defendant was storing the PII of its current and former customers,

Defendant could and should have implemented all of the above measures to prevent and detect

cyberattacks.

46. The occurrence of the Data Breach indicates that Defendant failed to adequately

implement one or more of the above measures to prevent cyberattacks, resulting in the Data Breach

and data thieves acquiring and accessing the PII of more than twenty thousand individuals,

including that of Plaintiff and Class Members.

Defendant Acquires, Collects, And Stores Its Customers’ PII

47. Defendant acquires, collects, and stores a massive amount of PII on its current and

former customers.

7 See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at:
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-
preventable-disaster/

11
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 12 of 57

48. As a condition of obtaining services at Defendant, Defendant requires that

customers and other personnel entrust it with highly sensitive personal information.

49. By obtaining, collecting, and using Plaintiff’s and Class Members’ PII, Defendant

assumed legal and equitable duties and knew or should have known that it was responsible for

protecting Plaintiff’s and Class Members’ PII from disclosure.

50. Plaintiff and the Class Members have taken reasonable steps to maintain the

confidentiality of their PII and would not have entrusted it to Defendant absent a promise to

safeguard that information.

51. Upon information and belief, in the course of collecting PII from customers,

including Plaintiff, Defendant promised to provide confidentiality and adequate security for their

data through its applicable privacy policy and through other disclosures in compliance with

statutory privacy requirements.

52. Plaintiff and the Class Members relied on Defendant to keep their PII confidential

and securely maintained, to use this information for business purposes only, and to make only

authorized disclosures of this information.

Defendant Knew, Or Should Have Known, of the Risk Because Utility Companies In
Possession Of PII Are Particularly Susceptible To Cyber Attacks

53. Defendant’s data security obligations were particularly important given the

substantial increase in cyber-attacks and/or data breaches targeting utility companies that collect

and store PII, like Defendant, preceding the date of the breach.

54. Data breaches, including those perpetrated against utility companies that store PII

in their systems, have become widespread.

55. In 2023, an all-time high for data compromises occurred, with 3,205 compromises

affecting 353,027,892 total victims. The estimated number of organizations impacted by data

12
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 13 of 57

compromises has increased by +2,600 percentage points since 2018, and the estimated number of

victims has increased by +1400 percentage points. The 2023 compromises represent a 78

percentage point increase over the previous year and a 72 percentage point hike from the previous

all-time high number of compromises (1,860) set in 2021.

56. In light of recent high profile data breaches at other industry leading companies,

including National Public Data (2.9 billion records, August 2024), Ticketmaster Entertainment,

LLC (560 million records, May 2024), Change Healthcare Inc. (145 million records, February

2024), Dell Technologies, Inc. (49 million records, May 2024), and AT&T Inc. (73 million

records, April 2024), Defendant knew or should have known that the PII that they collected and

maintained would be targeted by cybercriminals.

57. Indeed, cyber-attacks, such as the one experienced by Defendant, have become so

notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a

warning to potential targets so they are aware of, and prepared for, a potential attack. As one report

explained, smaller entities that store PII are “attractive to ransomware criminals…because they

often have lesser IT defenses and a high incentive to regain access to their data quickly.” 8

58. Additionally, as companies became more dependent on computer systems to run

their business,9 e.g., working remotely as a result of the Covid-19 pandemic, and the Internet of

Things (“IoT”), the danger posed by cybercriminals is magnified, thereby highlighting the need

for adequate administrative, physical, and technical safeguards.10

8
https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-
targeted-ransomware?nl_pk=3ed44a08-fcc2-4b6c-89f0-
aa0155a8bb51&utm_source=newsletter&utm_medium=email&utm_campaign=consumerprotect
ion
9https://www.federalreserve.gov/econres/notes/feds-notes/implications-of-cyber-risk-for-

financial-stability-20220512.html
10 https://www.picussecurity.com/key-threats-and-cyber-risks-facing-financial-services-and-
banking-firms-in-2022

13
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 14 of 57

59. Defendant knew and understood unprotected or exposed PII in the custody of

insurance companies, like Defendant, is valuable and highly sought after by nefarious third parties

seeking to illegally monetize that PII through unauthorized access.

60. At all relevant times, Defendant knew, or reasonably should have known, of the

importance of safeguarding the PII of Plaintiff and Class Members and of the foreseeable

consequences that would occur if Defendant’s data security system was breached, including,

specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result

of a breach.

61. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their PII.

62. The injuries to Plaintiff and Class Members were directly and proximately caused

by Defendant’s failure to implement or maintain adequate data security measures for the PII of

Plaintiff and Class Members.

63. The ramifications of Defendant’s failure to keep secure the PII of Plaintiff and Class

Members are long lasting and severe. Once PII is stolen––particularly Social Security numbers––

fraudulent use of that information and damage to victims may continue for years.

64. As a utility company in custody of the PII of its customers, Defendant knew, or

should have known, the importance of safeguarding PII entrusted to it by Plaintiff and Class

Members, and of the foreseeable consequences if its data security systems were breached. This

includes the significant costs imposed on Plaintiff and Class Members as a result of a breach.

Defendant failed, however, to take adequate cybersecurity measures to prevent the Data Breach.

Value Of Personally Identifying Information

14
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 15 of 57

65. The Federal Trade Commission (“FTC”) defines identity theft as “a fraud

committed or attempted using the identifying information of another person without authority.” 11

The FTC describes “identifying information” as “any name or number that may be used, alone or

in conjunction with any other information, to identify a specific person,” including, among other

things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s

license or identification number, alien registration number, government passport number,

employer or taxpayer identification number.” 12

66. The PII of individuals remains of high value to criminals, as evidenced by the prices

they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity

credentials.13

67. For example, Personal Information can be sold at a price ranging from $40 to

$200.14 Criminals can also purchase access to entire company data breaches from $900 to $4,500.15

68. Of course, a stolen Social Security number – standing alone – can be used to wreak

untold havoc upon a victim’s personal and financial life. The popular person privacy and credit

monitoring service LifeLock by Norton notes “Five Malicious Ways a Thief Can Use Your Social

Security Number,” including 1) Financial Identity Theft that includes “false applications for loans,

credit cards or bank accounts in your name or withdraw money from your accounts, and which

can encompass credit card fraud, bank fraud, computer fraud, wire fraud, mail fraud and

11
17 C.F.R. § 248.201 (2013).
12
Id.
13 Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct.

16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-

web-how-much-it-costs/
14 Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6,

2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-

personal-information-is-selling-for-on-the-dark-web/
15 In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-

browsing/in-the-dark/

15
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 16 of 57

employment fraud; 2) Government Identity Theft, including tax refund fraud; 3) Criminal Identity

Theft, which involves using someone’s stolen Social Security number as a “get out of jail free

card;” 4) Medical Identity Theft, and 5) Utility Fraud.

69. It is little wonder that courts have dubbed a stolen Social Security number as the

“gold standard” for identity theft and fraud. Social Security numbers are among the worst kind of

PII to have stolen because they may be put to a variety of fraudulent uses and are difficult for an

individual to change.

70. According to the Social Security Administration, each time an individual’s Social

Security number is compromised, “the potential for a thief to illegitimately gain access to bank

accounts, credit cards, driving records, tax and employment histories and other private information

increases.” 16 Moreover, “[b]ecause many organizations still use SSNs as the primary identifier,

exposure to identity theft and fraud remains.” 17

71. The Social Security Administration stresses that the loss of an individual’s Social

Security number, as experienced by Plaintiff and some Class Members, can lead to identity theft

and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other
personal information about you. Identity thieves can use your number and your
good credit to apply for more credit in your name. Then, they use the credit cards
and don’t pay the bills, it damages your credit. You may not find out that someone
is using your number until you’re turned down for credit, or you begin to get calls
from unknown creditors demanding payment for items you never bought. Someone
illegally using your Social Security number and assuming your identity can cause
a lot of problems. 18

16
See
https://www.ssa.gov/phila/ProtectingSSNs.htm#:~:text=An%20organization's%20collection%20
and%20use,and%20other%20private%20information%20increases.
17 Id.
18 Social Security Administration, Identity Theft and Your Social Security Number, available at:

https://www.ssa.gov/pubs/EN-05-10064.pdf

16
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 17 of 57

72. In fact, “[a] stolen Social Security number is one of the leading causes of identity

theft and can threaten your financial health.” 19 “Someone who has your SSN can use it to

impersonate you, obtain credit and open bank accounts, apply for jobs, steal your tax refunds, get

medical treatment, and steal your government benefits.” 20

73. What’s more, it is no easy task to change or cancel a stolen Social Security number.

An individual cannot obtain a new Social Security number without significant paperwork and

evidence of actual misuse. In other words, preventive action to defend against the possibility of

misuse of a Social Security number is not permitted; an individual must show evidence of actual,

ongoing fraud activity to obtain a new number.

74. Even then, a new Social Security number may not be effective. According to Julie

Ferguson of the Identity Theft Resource Center, “[t]he credit bureaus and banks are able to link

the new number very quickly to the old number, so all of that old bad information is quickly

inherited into the new Social Security number.” 21

75. For these reasons, some courts have referred to Social Security numbers as the

“gold standard” for identity theft. Portier v. NEO Tech. Sols., No. 3:17-CV-30111, 2019 WL

7946103, at *12 (D. Mass. Dec. 31, 2019) (“Because Social Security numbers are the gold standard

for identity theft, their theft is significant . . . . Access to Social Security numbers causes long-

lasting jeopardy because the Social Security Administration Jones Youngs not normally replace

Social Security numbers.”), report and recommendation adopted, No. 3:17-CV-30111, 2020 WL

19
See https://www.equifax.com/personal/education/identity-theft/articles/-/learn/social-security-
number-identity-theft/
20 See https://www.investopedia.com/terms/s/ssn.asp
21 Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back, NPR

(Feb. 9, 2015), available at: http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-

hackers-has-millionsworrying-about-identity-theft

17
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 18 of 57

877035 (D. Mass. Jan. 30, 2020); see also McFarlane v. Altice USA, Inc., 2021 WL 860584, at *4

(citations omitted) (S.D.N.Y. Mar. 8, 2021) (the court noted that Plaintiff’s Social Security

numbers are: arguably “the most dangerous type of personal information in the hands of identity

thieves” because it is immutable and can be used to “impersonat[e] [the victim] to get medical

services, government benefits, ... tax refunds, [and] employment.” . . . Unlike a credit card number,

which can be changed to eliminate the risk of harm following a data breach, “[a] social security

number derives its value in that it is immutable,” and when it is stolen it can “forever be wielded

to identify [the victim] and target her in fraudulent schemes and identity theft attacks.”)

76. Similarly, the California state government warns consumers that: “[o]riginally,

your Social Security number (SSN) was a way for the government to track your earnings and pay

you retirement benefits. But over the years, it has become much more than that. It is the key to a

lot of your personal information. With your name and SSN, an identity thief could open new credit

and bank accounts, rent an apartment, or even get a job.” 22

77. Based on the foregoing, the information compromised in the Data Breach is

significantly more valuable than the loss of, for example, credit card information in a retailer data

breach because, there, victims can cancel or close credit and debit card accounts. The information

compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to

change—Social Security numbers and names.

78. This data demands a much higher price on the black market. Martin Walter, senior

director at cybersecurity firm RedSeal, explained, “Compared to credit card information,

22
See https://oag.ca.gov/idtheft/facts/your-ssn

18
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 19 of 57

personally identifiable information and Social Security numbers are worth more than 10x on the

black market.” 23

79. Among other forms of fraud, identity thieves may obtain driver’s licenses,

government benefits, medical services, and housing or even give false information to police.

80. The fraudulent activity resulting from the Data Breach may not come to light for

years. There may be a time lag between when harm occurs versus when it is discovered, and also

between when PII is stolen and when it is used. According to the U.S. Government Accountability

Office (“GAO”), which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for
up to a year or more before being used to commit identity theft. Further, once stolen
data have been sold or posted on the Web, fraudulent use of that information may
continue for years. As a result, studies that attempt to measure the harm resulting
from data breaches cannot necessarily rule out all future harm.24

81. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their PII.

Defendant Fails To Comply With FTC Guidelines

82. The Federal Trade Commission (“FTC”) has promulgated numerous guides for

businesses which highlight the importance of implementing reasonable data security practices.

According to the FTC, the need for data security should be factored into all business decision-

making.

23
Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card
Numbers, IT World, (Feb. 6, 2015), available at:
https://www.networkworld.com/article/2880366/anthem-hack-personal-data-stolen-sells-for-10x-
price-of-stolen-credit-card-numbers.html
24 Report to Congressional Requesters, GAO, at 29 (June 2007), available at:

https://www.gao.gov/assets/gao-07-737.pdf

19
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 20 of 57

83. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide

for Business, which established cyber-security guidelines for businesses. These guidelines note

that businesses should protect the personal consumer information that they keep; properly dispose

of personal information that is no longer needed; encrypt information stored on computer

networks; understand their network’s vulnerabilities; and implement policies to correct any

security problems.25

84. The guidelines also recommend that businesses use an intrusion detection system

to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone

is attempting to hack the system; watch for large amounts of data being transmitted from the

system; and have a response plan ready in the event of a breach. 26

85. The FTC further recommends that companies not maintain PII longer than is

needed for authorization of a transaction; limit access to sensitive data; require complex passwords

to be used on networks; use industry-tested methods for security; monitor for suspicious activity

on the network; and verify that third-party service providers have implemented reasonable security

measures.

86. The FTC has brought enforcement actions against businesses for failing to

adequately and reasonably protect consumer data, treating the failure to employ reasonable and

appropriate measures to protect against unauthorized access to confidential consumer data as an

unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15

U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take

to meet their data security obligations.

25
Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016).
Available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-
personal-information.pdf
26 Id.

20
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 21 of 57

87. These FTC enforcement actions include actions against utility companies, like

Defendant.

88. Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits “unfair . . . practices in or

affecting commerce,” including, as interpreted and enforced by the FTC, the unfair act or practice

by businesses, such as Defendant, of failing to use reasonable measures to protect PII. The FTC

publications and orders described above also form part of the basis of Defendant's duty in this

regard.

89. Defendant failed to properly implement basic data security practices.

90. Defendant's failure to employ reasonable and appropriate measures to protect

against unauthorized access to the PII of its customers or to comply with applicable industry

standards constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. §

45.

91. Upon information and belief, Defendant was at all times fully aware of its

obligation to protect the PII of its customers, Defendant was also aware of the significant

repercussions that would result from its failure to do so. Accordingly, Defendant's conduct was

particularly unreasonable given the nature and amount of PII it obtained and stored and the

foreseeable consequences of the immense damages that would result to Plaintiff and the Class.

Defendant Fails To Comply With Industry Standards

92. As noted above, experts studying cyber security routinely identify utility companies

in possession of PII as being particularly vulnerable to cyberattacks because of the value of the PII

which they collect and maintain.

93. Several best practices have been identified that, at a minimum, should be

implemented by utility companies in possession of PII, like Defendant, including but not limited

21
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 22 of 57

to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus,

and anti-malware software; encryption, making data unreadable without a key; multi-factor

authentication; backup data and limiting which employees can access sensitive data. Defendant

failed to follow these industry best practices, including a failure to implement multi-factor

authentication.

94. Other best cybersecurity practices that are standard for utility companies include

installing appropriate malware detection software; monitoring and limiting the network ports;

protecting web browsers and email management systems; setting up network systems such as

firewalls, switches and routers; monitoring and protection of physical security systems; protection

against any possible communication system; training staff regarding critical points. Defendant

failed to follow these cybersecurity best practices, including failure to train staff.

95. Defendant failed to meet the minimum standards of any of the following

frameworks: the NIST Cybersecurity Framework Version 2.0 (including without limitation

PR.AA-01, PR.AA.-02, PR.AA-03, PR.AA-04, PR.AA-05, PR.AT-01, PR.DS-01, PR-DS-02,

PR.DS-10, PR.PS-01, PR.PS-02, PR.PS-05, PR.IR-01, DE.CM-01, DE.CM-03, DE.CM-06,

DE.CM-09, and RS.CO-04), and the Center for Internet Security’s Critical Security Controls (CIS

CSC), which are all established standards in reasonable cybersecurity readiness.

96. These foregoing frameworks are existing and applicable industry standards for

utility companies, and upon information and belief, Defendant failed to comply with at least one–

–or all––of these accepted standards, thereby opening the door to the threat actor and causing the

Data Breach.

22
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 23 of 57

Common Injuries & Damages

97. As a result of Defendant's ineffective and inadequate data security practices, the

Data Breach, and the foreseeable consequences of PII ending up in the possession of criminals,

the risk of identity theft to the Plaintiff and Class Members has materialized and is imminent, and

Plaintiff and Class Members have all sustained actual injuries and damages, including: (i) invasion

of privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity

costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss

of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the

actual consequences of the Data Breach; (vii) nominal damages; and (viii) the continued and

certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized

third parties to access and abuse; and (b) remains backed up in Defendant’s possession and is

subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and

adequate measures to protect the PII.

Data Breaches Increase Victims' Risk Of Identity Theft

98. The unencrypted PII of Class Members will end up for sale on the dark web as that

is the modus operandi of hackers.

99. Unencrypted PII may also fall into the hands of companies that will use the detailed

PII for targeted marketing without the approval of Plaintiff and Class Members. Simply put,

unauthorized individuals can easily access the PII of Plaintiff and Class Members.

100. The link between a data breach and the risk of identity theft is simple and well

established. Criminals acquire and steal PII to monetize the information. Criminals monetize the

data by selling the stolen information on the black market to other criminals who then utilize the

information to commit a variety of identity theft related crimes discussed below.

23
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 24 of 57

101. Plaintiff’s and Class Members’ PII is of great value to hackers and cyber criminals,

and the data stolen in the Data Breach has been used and will continue to be used in a variety of

sordid ways for criminals to exploit Plaintiff and Class Members and to profit off their misfortune.

102. Due to the risk of one’s Social Security number being exposed, state legislatures

have passed laws in recognition of the risk: “[t]he social security number can be used as a tool to

perpetuate fraud against a person and to acquire sensitive personal, financial, medical, and familial

information, the release of which could cause great financial or personal harm to an individual.

While the social security number was intended to be used solely for the administration of the

federal Social Security System, over time this unique numeric identifier has been used extensively

for identity verification purposes[.]” 27

103. Moreover, “SSNs have been central to the American identity infrastructure for

years, being used as a key identifier[.] . . . U.S. banking processes have also had SSNs baked into

their identification process for years. In fact, SSNs have been the gold standard for identifying and

verifying the credit history of prospective customers.”28

104. “Despite the risk of fraud associated with the theft of Social Security numbers, just

five of the nation’s largest 25 banks have stopped using the numbers to verify a customer’s identity

after the initial account setup[.]” 29 Accordingly, since Social Security numbers are frequently used

to verify an individual’s identity after logging onto an account or attempting a transaction,

27
See N.C. Gen. Stat. § 132-1.10(1).
28
See https://www.americanbanker.com/opinion/banks-need-to-stop-relying-on-social-security-
numbers
29 See https://archive.nytimes.com/bucks.blogs.nytimes.com/2013/03/20/just-5-banks-prohibit-

use-of-social-security-numbers/

24
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 25 of 57

“[h]aving access to your Social Security number may be enough to help a thief steal money from

your bank account”30

105. One such example of criminals piecing together bits and pieces of compromised

PII for profit is the development of “Fullz” packages.31

106. With “Fullz” packages, cyber-criminals can cross-reference two sources of PII to

marry unregulated data available elsewhere to criminally stolen data with an astonishingly

complete scope and degree of accuracy in order to assemble complete dossiers on individuals.

107. The development of “Fullz” packages means here that the stolen PII from the Data

Breach can easily be used to link and identify it to Plaintiff’s and Class Members’ phone numbers,

email addresses, and other unregulated sources and identifiers. In other words, even if certain

information such as emails, phone numbers, or credit card numbers may not be included in the PII

that was exfiltrated in the Data Breach, criminals may still easily create a Fullz package and sell it

at a higher price to unscrupulous operators and criminals (such as illegal and scam telemarketers)

over and over.

30
See https://www.credit.com/blog/5-things-an-identity-thief-can-do-with-your-social-security-
number-108597/
31 “Fullz” is fraudster speak for data that includes the information of the victim, including, but not

limited to, the name, address, credit card information, social security number, date of birth, and
more. As a rule of thumb, the more information you have on a victim, the more money that can be
made off of those credentials. Fullz are usually pricier than standard credit card credentials,
commanding up to $100 per record (or more) on the dark web. Fullz can be cashed out (turning
credentials into money) in various ways, including performing bank transactions over the phone
with the required authentication details in-hand. Even “dead Fullz,” which are Fullz credentials
associated with credit cards that are no longer valid, can still be used for numerous purposes,
including tax refund scams, ordering credit cards on behalf of the victim, or opening a “mule
account” (an account that will accept a fraudulent money transfer from a compromised account)
without the victim’s knowledge. See, e.g., Brian Krebs, Medical Records for Sale in Underground
Stolen From Texas Life Insurance Firm, Krebs on Security (Sep. 18, 2014),
https://krebsonsecuritv.eom/2014/09/medical-records-for-sale-in-underground-stolen-from-texas-
life-insurance-](https://krebsonsecuritv.eom/2014/09/medical-records-for-sale-in-underground-
stolen-from-texas-life-insurance-finn/

25
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 26 of 57

108. The existence and prevalence of “Fullz” packages means that the PII stolen from

the data breach can easily be linked to the unregulated data (like contact information) of Plaintiff

and the other Class Members.

109. Thus, even if certain information (such as contact information) was not stolen in

the data breach, criminals can still easily create a comprehensive “Fullz” package.

110. Then, this comprehensive dossier can be sold—and then resold in perpetuity—to

crooked operators and other criminals (like illegal and scam telemarketers).

Loss Of Time To Mitigate Risk Of Identity Theft & Fraud

111. As a result of the recognized risk of identity theft, when a Data Breach occurs, and

an individual is notified by a company that their PII was compromised, as in this Data Breach, the

reasonable person is expected to take steps and spend time to address the dangerous situation, learn

about the breach, and otherwise mitigate the risk of becoming a victim of identity theft of fraud.

Failure to spend time taking steps to review accounts or credit reports could expose the individual

to greater financial harm – yet, the resource and asset of time has been lost.

112. Thus, due to the actual and imminent risk of identity theft, Defendant, in its Notice

Letter instructs Plaintiff and Class Members to take the following measures to protect themselves:

“remain vigilant against incidents of identity theft and fraud by reviewing your credit

reports/account statements for suspicious activity and to detect errors.” 32

113. In addition, Defendant’s Notice letter includes multiple pages that recommend

Plaintiff and Class Members to partake in activities such as enrolling in the credit monitoring

services offered by Defendant, placing security freezes and fraud alerts on their accounts, and

contacting consumer reporting bureaus.33

32 Notice Letter.
33
Id.

26
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 27 of 57

114. Defendant’s extensive suggestion of steps that Plaintiff and Class Members must

take in order to protect themselves from identity theft and/or fraud demonstrates the significant

time that Plaintiff and Class Members must undertake in response to the Data Breach. Plaintiff’s

and Class Members’ time is highly valuable and irreplaceable, and accordingly, Plaintiff and Class

Members suffered actual injury and damages in the form of lost time that they spent on mitigation

activities in response to the Data Breach and at the direction of Defendant’s Notice Letter.

115. Plaintiff and Class Members have spent, and will spend additional time in the

future, on a variety of prudent actions, such as researching and verifying the legitimacy of the Data

Breach. Accordingly, the Data Breach has caused Plaintiff and Class Members to suffer actual

injury in the form of lost time—which cannot be recaptured—spent on mitigation activities.

116. Plaintiff’s mitigation efforts are consistent with the U.S. Government

Accountability Office that released a report in 2007 regarding data breaches (“GAO Report”) in

which it noted that victims of identity theft will face “substantial costs and time to repair the

damage to their good name and credit record.”34

117. Plaintiff’s mitigation efforts are also consistent with the steps that FTC

recommends that data breach victims take several steps to protect their personal and financial

information after a data breach, including: contacting one of the credit bureaus to place a fraud

alert (consider an extended fraud alert that lasts for seven years if someone steals their identity),

reviewing their credit reports, contacting companies to remove fraudulent charges from their

accounts, placing a credit freeze on their credit, and correcting their credit reports.35

34
See United States Government Accountability Office, GAO-07-737, Personal Information: Data
Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full
Extent Is Unknown (June 2007), https://www.gao.gov/new.items/d07737.pdf.
35 See Federal Trade Commission, Identity Theft.gov, https://www.identitytheft.gov/Steps

27
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 28 of 57

118. And for those Class Members who experience actual identity theft and fraud, the

United States Government Accountability Office released a report in 2007 regarding data breaches

(“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and

time to repair the damage to their good name and credit record.”[4]

Diminution of Value of PII

119. PII is a valuable property right.36 Its value is axiomatic, considering the value of

Big Data in corporate America and the consequences of cyber thefts include heavy prison

sentences. Even this obvious risk to reward analysis illustrates beyond doubt that PII has

considerable market value.

120. Sensitive PII can sell for as much as $363 per record according to the Infosec

Institute. 37

121. An active and robust legitimate marketplace for PII also exists. In 2019, the data

brokering industry was worth roughly $200 billion. 38

122. In fact, the data marketplace is so sophisticated that consumers can actually sell

their non-public information directly to a data broker who in turn aggregates the information and

provides it to marketers or app developers.39,40

36
See “Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited;
However, the Full Extent Is Unknown,” p. 2, U.S. Government Accountability Office, June 2007,
https://www.gao.gov/new.items/d07737.pdf (“GAO Report”).
37 See, e.g., Milisa T. Soma, et al, Corporate Privacy Trend: The “Value” of Personally Identifiable

Information (“PII”) Equals the “Value" of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4
(2009) (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching
a level comparable to the value of traditional financial assets.”) (citations omitted).
38 See Ashiq Ja, Hackers Selling Healthcare Data in the Black Market, InfoSec (July 27, 2015),

https://resources.infosecinstitute.com/topic/hackers-selling-healthcare-data-in-the-black-market/
39 https://www.latimes.com/business/story/2019-11-05/column-data-brokers
40 https://datacoup.com/

28
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 29 of 57

123. Consumers who agree to provide their web browsing history to the Nielsen

Corporation can receive up to $50.00 a year.41

124. As a result of the Data Breach, Plaintiff’s and Class Members’ PII, which has an

inherent market value in both legitimate and dark markets, has been damaged and diminished by

its compromise and unauthorized release. However, this transfer of value occurred without any

consideration paid to Plaintiff or Class Members for their property, resulting in an economic loss.

Moreover, the PII is now readily available, and the rarity of the Data has been lost, thereby causing

additional loss of value.

125. At all relevant times, Defendant knew, or reasonably should have known, of the

importance of safeguarding the PII of Plaintiff and Class Members, and of the foreseeable

consequences that would occur if Defendant's data security system was breached, including,

specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result

of a breach.

126. The fraudulent activity resulting from the Data Breach may not come to light for

years.

127. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their PII.

128. Defendant was, or should have been, fully aware of the unique type and the

significant volume of data on Defendant's network, amounting to more than twenty thousand

individuals’ detailed personal information and, thus, the significant number of individuals who

would be harmed by the exposure of the unencrypted data.

41
https://digi.me/what-is-digime/

29
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 30 of 57

129. The injuries to Plaintiff and Class Members were directly and proximately caused

by Defendant's failure to implement or maintain adequate data security measures for the PII of

Plaintiff and Class Members.

Future Cost of Credit and Identity Theft Monitoring is Reasonable and Necessary

130. Given the type of targeted attack in this case, sophisticated criminal activity, and

the type of PII involved, there is a strong probability that entire batches of stolen information have

been placed, or will be placed, on the black market/dark web for sale and purchase by criminals

intending to utilize the PII for identity theft crimes –e.g., opening bank accounts in the victims’

names to make purchases or to launder money; file false tax returns; take out loans or lines of

credit; or file false unemployment claims.

131. Such fraud may go undetected until debt collection calls commence months, or even

years, later. An individual may not know that her or her PII was used to file for unemployment

benefits until law enforcement notifies the individual’s employer of the suspected fraud.

Fraudulent tax returns are typically discovered only when an individual’s authentic tax return is

rejected.

132. Consequently, Plaintiff and Class Members are at an increased risk of fraud and

identity theft for many years into the future.

133. The retail cost of credit monitoring and identity theft monitoring can cost around

$200 a year per Class Member. This is reasonable and necessary cost to monitor to protect Class

Members from the risk of identity theft that arose from Defendant's Data Breach.

Loss Of Benefit Of The Bargain

134. Furthermore, Defendant’s poor data security practices deprived Plaintiff and Class

Members of the benefit of their bargain. When agreeing to pay Defendant and/or its agents for

30
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 31 of 57

utility services, Plaintiff and other reasonable consumers understood and expected that they were,

in part, paying for the service and necessary data security to protect the PII, when in fact, Defendant

did not provide the expected data security. Accordingly, Plaintiff and Class Members received

services that were of a lesser value than what they reasonably expected to receive under the

bargains they struck with Defendant.

Plaintiff Milisa Jones Young’s Experience

135. Upon information and belief, Defendant obtained Plaintiff’s PII in the course of

conducting its regular business operations.

136. Upon information and belief, at the time of the Data Breach, Defendant maintained

Plaintiff’s PII in its system.

137. Plaintiff Jones Young is very careful about sharing her sensitive PII. Plaintiff stores

any documents containing her PII in a safe and secure location. Plaintiff has never knowingly

transmitted unencrypted sensitive PII over the internet or any other unsecured source. Plaintiff

would not have entrusted her PII to Defendant had she known of Defendant’s lax data security

policies.

138. Plaintiff Milisa Jones Young received the Notice Letter, by U.S. mail, directly from

Defendant, dated January 30, 2025. According to the Notice Letter, Plaintiff’s PII was improperly

accessed and obtained by unauthorized third parties, including her name and Social Security

number.

139. As a result of the Data Breach, and at the direction of Defendant’s Notice Letter,

which instructs Plaintiff to “remain vigilant against incidents of identity theft and fraud by

reviewing your credit reports/account statements for suspicious activity and to detect errors[,]” 42

42
Notice Letter.

31
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 32 of 57

Plaintiff made reasonable efforts to mitigate the impact of the Data Breach, including researching

and verifying the legitimacy of the Data Breach. Plaintiff has spent significant time dealing with

the Data Breach₋₋valuable time Plaintiff otherwise would have spent on other activities, including

but not limited to work and/or recreation. This time has been lost forever and cannot be recaptured.

140. Plaintiff suffered actual injury from having her PII compromised as a result of the

Data Breach including, but not limited to: (i) invasion of privacy; (ii) theft of her PII; (iii) lost or

diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate

the actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity

costs associated with attempting to mitigate the actual consequences of the Data Breach; (vii)

nominal damages; and (viii) the continued and certainly increased risk to her PII, which: (a)

remains unencrypted and available for unauthorized third parties to access and abuse; and (b)

remains backed up in Defendant’s possession and is subject to further unauthorized disclosures so

long as Defendant fails to undertake appropriate and adequate measures to protect the PII.

141. Plaintiff further suffered actual injury in the form of a hard inquiry being placed on

her credit report, in or about February 2025, which, upon information and belief, was caused by

the Data Breach.

142. Plaintiff additionally suffered actual injury in the form of experiencing an increase

in spam calls, texts, and/or emails, which, upon information and belief, was caused by the Data

Breach. This misuse of her PII was caused, upon information and belief, by the fact that

cybercriminals are able to easily use the information compromised in the Data Breach to find more

information about an individual, such as their phone number or email address, from publicly

available sources, including websites that aggregate and associate personal information with the

owner of such information. Criminals often target data breach victims with spam emails, calls, and

32
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 33 of 57

texts to gain access to their devices with phishing attacks or elicit further personal information for

use in committing identity theft or fraud.

143. The Data Breach has caused Plaintiff to suffer fear, anxiety, and stress, which has

been compounded by the fact that Defendant has still not fully informed Plaintiff of key details

about the Data Breach’s occurrence.

144. As a result of the Data Breach, Plaintiff anticipates spending considerable time and

money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.

145. As a result of the Data Breach, Plaintiff is at a present risk and will continue to be

at increased risk of identity theft and fraud for years to come.

146. Plaintiff Milisa Jones Young has a continuing interest in ensuring that her PII,

which, upon information and belief, remains backed up in Defendant’s possession, is protected

and safeguarded from future breaches.

CLASS ALLEGATIONS

147. Plaintiff brings this nationwide class action on behalf of herself and on behalf of all

others similarly situated, pursuant to Fed. R. Civ. P. 23(a), 23(b)(1), 23(b)(2), 23(b)(3), 23(c)(4)

and/or 23(c)(5).

148. The Class that Plaintiff seeks to represent is defined as follows:

Nationwide Class
All individuals residing in the United States whose PII was accessed and/or
acquired by an unauthorized party as a result of the data breach reported by
Defendant in January 2025 (the “Class”).

149. Excluded from the Class are the following individuals and/or entities: Defendant

and Defendant's parents, subsidiaries, affiliates, officers and directors, and any entity in which

Defendant have a controlling interest; all individuals who make a timely election to be excluded

33
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 34 of 57

from this proceeding using the correct protocol for opting out; and all judges assigned to hear any

aspect of this litigation, as well as their immediate family members.

150. Plaintiff reserves the right to amend the definitions of the Class or add a Class or

Subclass if further information and discovery indicate that the definitions of the Class should be

narrowed, expanded, or otherwise modified.

151. Numerosity: The members of the Class are so numerous that joinder of all members

is impracticable, if not completely impossible. According to the breach report submitted to the

Office of the Maine Attorney General, at least 20,000 Class Members were impacted in the Data

Breach.43 The Class is apparently identifiable within Defendant's records, and Defendant has

already identified these individuals (as evidenced by sending them breach notification letters).

152. Common questions of law and fact exist as to all members of the Class and

predominate over any questions affecting solely individual members of the Class. Among the

questions of law and fact common to the Class that predominate over questions which may affect

individual Class members, including the following:

a. Whether and to what extent Defendant had a duty to protect the PII of Plaintiff and

Class Members;

b. Whether Defendant had respective duties not to disclose the PII of Plaintiff and

Class Members to unauthorized third parties;

c. Whether Defendant had respective duties not to use the PII of Plaintiff and Class

Members for non-business purposes;

d. Whether Defendant failed to adequately safeguard the PII of Plaintiff and Class

Members;

43 See https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-
a1252b4f8318/93c8c3c5-1c8d-47bc-bf45-aefb701811f9.html

34
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 35 of 57

e. Whether and when Defendant actually learned of the Data Breach;

f. Whether Defendant adequately, promptly, and accurately informed Plaintiff and

Class Members that their PII had been compromised;

g. Whether Defendant violated the law by failing to promptly notify Plaintiff and

Class Members that their PII had been compromised;

h. Whether Defendant failed to implement and maintain reasonable security

procedures and practices appropriate to the nature and scope of the information

compromised in the Data Breach;

i. Whether Defendant adequately addressed and fixed the vulnerabilities which

permitted the Data Breach to occur;

j. Whether Plaintiff and Class Members are entitled to actual damages and/or nominal

damages as a result of Defendant's wrongful conduct;

k. Whether Plaintiff and Class Members are entitled to injunctive relief to redress the

imminent and currently ongoing harm faced as a result of the Data Breach.

153. Typicality: Plaintiff’s claims are typical of those of the other members of the Class

because Plaintiff, like every other Class Member, was exposed to virtually identical conduct and

now suffers from the same violations of the law as each other member of the Class.

154. Policies Generally Applicable to the Class: This class action is also appropriate for

certification because Defendant acted or refused to act on grounds generally applicable to the

Class, thereby requiring the Court’s imposition of uniform relief to ensure compatible standards

of conduct toward the Class Members and making final injunctive relief appropriate with respect

to the Class as a whole. Defendant's policies challenged herein apply to and affect Class Members

35
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 36 of 57

uniformly and Plaintiff’s challenges of these policies hinges on Defendant's conduct with respect

to the Class as a whole, not on facts or law applicable only to Plaintiff.

155. Adequacy: Plaintiff will fairly and adequately represent and protect the interests of

the Class Members in that she has no disabling conflicts of interest that would be antagonistic to

those of the other Class Members. Plaintiff seeks no relief that is antagonistic or adverse to the

Class Members and the infringement of the rights and the damages she has suffered are typical of

other Class Members. Plaintiff has retained counsel experienced in complex class action and data

breach litigation, and Plaintiff intend to prosecute this action vigorously.

156. Superiority and Manageability: The class litigation is an appropriate method for fair

and efficient adjudication of the claims involved. Class action treatment is superior to all other

available methods for the fair and efficient adjudication of the controversy alleged herein; it will

permit a large number of Class Members to prosecute their common claims in a single forum

simultaneously, efficiently, and without the unnecessary duplication of evidence, effort, and

expense that hundreds of individual actions would require. Class action treatment will permit the

adjudication of relatively modest claims by certain Class Members, who could not individually

afford to litigate a complex claim against large corporations, like Defendant. Further, even for

those Class Members who could afford to litigate such a claim, it would still be economically

impractical and impose a burden on the courts.

157. The nature of this action and the nature of laws available to Plaintiff and Class

Members make the use of the class action device a particularly efficient and appropriate procedure

to afford relief to Plaintiff and Class Members for the wrongs alleged because Defendant would

necessarily gain an unconscionable advantage since they would be able to exploit and overwhelm

the limited resources of each individual Class Member with superior financial and legal resources;

36
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 37 of 57

the costs of individual suits could unreasonably consume the amounts that would be recovered;

proof of a common course of conduct to which Plaintiff was exposed is representative of that

experienced by the Class and will establish the right of each Class Member to recover on the cause

of action alleged; and individual actions would create a risk of inconsistent results and would be

unnecessary and duplicative of this litigation.

158. The litigation of the claims brought herein is manageable. Defendant's uniform

conduct, the consistent provisions of the relevant laws, and the ascertainable identities of Class

Members demonstrates that there would be no significant manageability problems with

prosecuting this lawsuit as a class action.

159. Adequate notice can be given to Class Members directly using information

maintained in Defendant's records.

160. Unless a Class-wide injunction is issued, Defendant may continue in its failure to

properly secure the PII of Class Members, Defendant may continue to refuse to provide proper

notification to Class Members regarding the Data Breach, and Defendant may continue to act

unlawfully as set forth in this Complaint.

161. Further, Defendant has acted on grounds that apply generally to the Class as a

whole, so that class certification, injunctive relief, and corresponding declaratory relief are

appropriate on a class- wide basis.

162. Likewise, particular issues are appropriate for certification because such claims

present only particular, common issues, the resolution of which would advance the disposition of

this matter and the parties’ interests therein. Such particular issues include, but are not limited to:

a. Whether Defendant failed to timely notify the Plaintiff and the class of the Data

Breach;

37
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 38 of 57

b. Whether Defendant owed a legal duty to Plaintiff and the Class to exercise due care

in collecting, storing, and safeguarding their PII;

c. Whether Defendant's security measures to protect their data systems were

reasonable in light of best practices recommended by data security experts;

d. Whether Defendant's failure to institute adequate protective security measures

amounted to negligence;

e. Whether Defendant failed to take commercially reasonable steps to safeguard

consumer PII; and

f. Whether adherence to FTC data security recommendations, and measures

recommended by data security experts would have reasonably prevented the Data

Breach.

CAUSES OF ACTION

COUNT I
Negligence
(On Behalf of Plaintiff and the Class)

163. Plaintiff re-alleges and incorporates by reference all of the allegations contained in

paragraphs 1 through 162, as if fully set forth herein.

164. Defendant requires its customers, including Plaintiff and Class Members, to submit

non-public PII in the ordinary course of providing its utility services.

165. Defendant gathered and stored the PII of Plaintiff and Class Members as part of its

business of soliciting its services to its customers, which solicitations and services affect

commerce.

166. Plaintiff and Class Members entrusted Defendant with their PII with the

understanding that Defendant would safeguard their information.

38
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 39 of 57

167. Defendant had full knowledge of the sensitivity of the PII and the types of harm

that Plaintiff and Class Members could and would suffer if the PII were wrongfully disclosed.

168. By voluntarily undertaking and assuming the responsibility to collect and store this

data, and in fact doing so, and sharing it and using it for commercial gain, Defendant had a duty

of care to use reasonable means to secure and safeguard their computer property—and Class

Members’ PII held within it—to prevent disclosure of the information, and to safeguard the

information from theft. Defendant’s duty included a responsibility to implement processes by

which they could detect a breach of its security systems in a reasonably expeditious period of time

and to give prompt notice to those affected in the case of a data breach.

169. Defendant had a duty to employ reasonable security measures under Section 5 of

the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair . . . practices in or

affecting commerce,” including, as interpreted and enforced by the FTC, the unfair practice of

failing to use reasonable measures to protect confidential data.

170. Defendant owed a duty of care to Plaintiff and Class Members to provide data

security consistent with industry standards and other requirements discussed herein, and to ensure

that its systems and networks adequately protected the PII.

171. Defendant's duty of care to use reasonable security measures arose as a result of the

special relationship that existed between Defendant and Plaintiff and Class Members. That special

relationship arose because Plaintiff and the Class entrusted Defendant with their confidential PII,

a necessary part of being customers at Defendant.

172. Defendant’s duty to use reasonable care in protecting confidential data arose not

only as a result of the statutes and regulations described above, but also because Defendant is

bound by industry standards to protect confidential PII.

39
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 40 of 57

173. Defendant was subject to an “independent duty,” untethered to any contract

between Defendant and Plaintiff or the Class.

174. Defendant also had a duty to exercise appropriate clearinghouse practices to remove

former customers’ PII it was no longer required to retain pursuant to regulations.

175. Moreover, Defendant had a duty to promptly and adequately notify Plaintiff and

the Class of the Data Breach.

176. Defendant had and continues to have a duty to adequately disclose that the PII of

Plaintiff and the Class within Defendant’s possession might have been compromised, how it was

compromised, and precisely the types of data that were compromised and when. Such notice was

necessary to allow Plaintiff and the Class to take steps to prevent, mitigate, and repair any identity

theft and the fraudulent use of their PII by third parties.

177. Defendant breached its duties, pursuant to the FTC Act and other applicable

standards, and thus was negligent, by failing to use reasonable measures to protect Class Members’

PII. The specific negligent acts and omissions committed by Defendant include, but are not limited

to, the following:

a. Failing to adopt, implement, and maintain adequate security measures to safeguard

Class Members’ PII;

b. Failing to adequately monitor the security of their networks and systems;

c. Allowing unauthorized access to Class Members’ PII;

d. Failing to detect in a timely manner that Class Members’ PII had been

compromised;

e. Failing to remove former customers’ PII it was no longer required to retain pursuant

to regulations, and

40
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 41 of 57

f. Failing to timely and adequately notify Class Members about the Data Breach’s

occurrence and scope, so that they could take appropriate steps to mitigate the

potential for identity theft and other damages.

178. Defendant violated Section 5 of the FTC Act by failing to use reasonable measures

to protect PII and not complying with applicable industry standards, as described in detail herein.

Defendant’s conduct was particularly unreasonable given the nature and amount of PII it obtained

and stored and the foreseeable consequences of the immense damages that would result to Plaintiff

and the Class.

179. Plaintiff and Class Members were within the class of persons the Federal Trade

Commission Act was intended to protect and the type of harm that resulted from the Data Breach

was the type of harm that the statute was intended to guard against.

180. Defendant’s violation of Section 5 of the FTC Act constitutes negligence.

181. The FTC has pursued enforcement actions against businesses, which, as a result of

their failure to employ reasonable data security measures and avoid unfair and deceptive practices,

caused the same harm as that suffered by Plaintiff and the Class.

182. A breach of security, unauthorized access, and resulting injury to Plaintiff and the

Class was reasonably foreseeable, particularly in light of Defendant’s inadequate security

practices.

183. It was foreseeable that Defendant’s failure to use reasonable measures to protect

Class Members’ PII would result in injury to Class Members. Further, the breach of security was

reasonably foreseeable given the known high frequency of cyberattacks and data breaches in the

utility industry.

41
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 42 of 57

184. Defendant has full knowledge of the sensitivity of the PII and the types of harm

that Plaintiff and the Class could and would suffer if the PII were wrongfully disclosed.

185. Plaintiff and the Class were the foreseeable and probable victims of any inadequate

security practices and procedures. Defendant knew or should have known of the inherent risks in

collecting and storing the PII of Plaintiff and the Class, the critical importance of providing

adequate security of that PII, and the necessity for encrypting PII stored on Defendant’s systems

or transmitted through third party systems.

186. It was therefore foreseeable that the failure to adequately safeguard Class Members’

PII would result in one or more types of injuries to Class Members.

187. Plaintiff and the Class had no ability to protect their PII that was in, and possibly

remains in, Defendant’s possession.

188. Defendant was in a position to protect against the harm suffered by Plaintiff and

the Class as a result of the Data Breach.

189. Defendant’s duty extended to protecting Plaintiff and the Class from the risk of

foreseeable criminal conduct of third parties, which has been recognized in situations where the

actor’s own conduct or misconduct exposes another to the risk or defeats protections put in place

to guard against the risk, or where the parties are in a special relationship. See Restatement

(Second) of Torts § 302B. Numerous courts and legislatures have also recognized the existence of

a specific duty to reasonably safeguard personal information.

190. Defendant has admitted that the PII of Plaintiff and the Class was wrongfully lost

and disclosed to unauthorized third persons as a result of the Data Breach.

191. But for Defendant’s wrongful and negligent breach of duties owed to Plaintiff and

the Class, the PII of Plaintiff and the Class would not have been compromised.

42
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 43 of 57

192. There is a close causal connection between Defendant’s failure to implement

security measures to protect the PII of Plaintiff and the Class and the harm, or risk of imminent

harm, suffered by Plaintiff and the Class. The PII of Plaintiff and the Class was lost and accessed

as the proximate result of Defendant’s failure to exercise reasonable care in safeguarding such PII

by adopting, implementing, and maintaining appropriate security measures.

193. As a direct and proximate result of Defendant’s negligence, Plaintiff and the Class

have suffered and will suffer injury, including but not limited to: (i) invasion of privacy; (ii) theft

of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated

with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the

bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences

of the Data Breach; (vii) actual misuse of the compromised data consisting of an increase in spam

calls, texts, and/or emails; (viii) Plaintiff experiencing fraud and misuse of her PII in the form of a

hard inquiry being placed on her credit report, in or about February 2025; (ix) nominal damages;

and (x) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and

available for unauthorized third parties to access and abuse; and (b) remains backed up in

Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant

fails to undertake appropriate and adequate measures to protect the PII.

194. Additionally, as a direct and proximate result of Defendant’s negligence, Plaintiff

and the Class have suffered and will suffer the continued risks of exposure of their PII, which

remain in Defendant’s possession and is subject to further unauthorized disclosures so long as

Defendant fails to undertake appropriate and adequate measures to protect the PII in its continued

possession.

43
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 44 of 57

195. Plaintiff and Class Members are entitled to compensatory and consequential

damages suffered as a result of the Data Breach.

196. Plaintiff and Class Members are also entitled to injunctive relief requiring

Defendant to (i) strengthen its data security systems and monitoring procedures; (ii) submit to

future annual audits of those systems and monitoring procedures; and (iii) continue to provide

adequate credit monitoring to all Class Members.

COUNT II
Negligence Per Se
(On Behalf of Plaintiff and the Class)

197. Plaintiff re-alleges and incorporates by reference all of the allegations contained in

paragraphs 1 through 162, as if fully set forth herein.

198. Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, prohibits “unfair

. . . practices in or affecting commerce” including, as interpreted and enforced by the FTC, the

unfair act or practice by companies, such as Defendant, of failing to use reasonable measures to

protect Private Information. Various FTC publications and orders also form the basis of

Defendant’s duty.

199. Defendant violated Section 5 of the FTC Act by failing to use reasonable measures

to protect PII and not complying with industry standards. Defendant’s conduct was particularly

unreasonable given the nature and amount of PII obtained and stored and the foreseeable

consequences of a data breach on Defendant’s systems.

200. Defendant’s violation of Section 5 of the FTC Act constitutes negligence per se.

201. Class Members are consumers within the class of persons that Section 5 of the FTC

Act was intended to protect.

44
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 45 of 57

202. Moreover, the harm that has occurred is the type of harm that the FTC Act intended

to guard against. Indeed, the FTC has pursued over fifty enforcement actions against businesses

which, as a result of their failure to employ reasonable data security measures and avoid unfair and

deceptive practices, caused the same harm suffered by Plaintiff and Class Members.

203. But for Defendant’s wrongful and negligent breach of duties owed to Plaintiff and

the Class, the PII of Plaintiff and the Class would not have been compromised.

204. There is a close causal connection between Defendant’s failure to implement

security measures to protect the PII of Plaintiff and the Class and the harm, or risk of imminent

harm, suffered by Plaintiff and the Class. The PII of Plaintiff and the Class was lost and accessed

as the proximate result of Defendant’s failure to exercise reasonable care in safeguarding such PII

by adopting, implementing, and maintaining appropriate security measures.

205. As a direct and proximate result of Defendant’s negligence per se, Plaintiff and the

Class have suffered and will suffer injury, including but not limited to: (i) invasion of privacy; (ii)

theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated

with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the

bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences

of the Data Breach; (vii) actual misuse of the compromised data consisting of an increase in spam

calls, texts, and/or emails; (viii) Plaintiff experiencing fraud and misuse of her PII in the form of a

hard inquiry being placed on her credit report, in or about February 2025; (ix) nominal damages;

and (x) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and

available for unauthorized third parties to access and abuse; and (b) remains backed up in

Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant

fails to undertake appropriate and adequate measures to protect the PII.

45
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 46 of 57

206. As a direct and proximate result of Defendant’s negligence per se, Plaintiff and the

Class have suffered and will continue to suffer other forms of injury and/or harm, including, but

not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic

losses.

207. Additionally, as a direct and proximate result of Defendant’s negligence per se,

Plaintiff and the Class have suffered and will suffer the continued risks of exposure of their Private

Information, which remain in Defendant’s possession and is subject to further unauthorized

disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect

the PII in its continued possession.

208. Plaintiff and Class Members are entitled to compensatory and consequential

damages suffered as a result of the Data Breach.

209. Defendant’s negligent conduct is ongoing, in that it still holds the PII of Plaintiff

and Class Members in an unsafe and insecure manner.

210. Plaintiff and Class Members are also entitled to injunctive relief requiring

Defendant to (i) strengthen its data security systems and monitoring procedures; (ii) submit to

future annual audits of those systems and monitoring procedures; and (iii) continue to provide

adequate credit monitoring to all Class Members.

COUNT III
Breach Of Implied Contract
(On Behalf of Plaintiff and the Class)

211. Plaintiff re-alleges and incorporates by reference all of the allegations contained in

paragraphs 1 through 162, as if fully set forth herein.

212. Plaintiff and Class Members were required deliver their PII to Defendant as part of

the process of obtaining utility services provided by Defendant. Plaintiff and Class Members paid

46
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 47 of 57

money, or money was paid on their behalf, to Defendant in exchange for services and would not

have paid for Defendant’s services, or would have paid less for them, had they known that

Defendant’s data security practices were substandard.

213. Defendant solicited, offered, and invited Class Members to provide their PII as part

of Defendant’s regular business practices. Plaintiff and Class Members accepted Defendant’s

offers and provided their PII to Defendant.

214. Defendant accepted possession of Plaintiff’s and Class Members’ PII for the

purpose of providing services to Plaintiff and Class Members.

215. Plaintiff and the Class entrusted their PII to Defendant. In so doing, Plaintiff and

the Class entered into implied contracts with Defendant by which Defendant agreed to safeguard

and protect such information, to keep such information secure and confidential, and to timely and

accurately notify Plaintiff and the Class if their data had been breached and compromised or stolen.

216. In entering into such implied contracts, Plaintiff and Class Members reasonably

believed and expected that Defendant’s data security practices complied with relevant laws and

regulations (including FTC guidelines on data security) and were consistent with industry

standards.

217. Implicit in the agreement between Plaintiff and Class Members and the Defendant

to provide PII, was the latter’s obligation to: (a) use such PII for business purposes only, (b) take

reasonable steps to safeguard that PII, (c) prevent unauthorized disclosures of the PII, (d) provide

Plaintiff and Class Members with prompt and sufficient notice of any and all unauthorized access

and/or theft of their PII, (e) reasonably safeguard and protect the PII of Plaintiff and Class Members

from unauthorized disclosure or uses, (f) retain the PII only under conditions that kept such

information secure and confidential.

47
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 48 of 57

218. The mutual understanding and intent of Plaintiff and Class Members on the one

hand, and Defendant, on the other, is demonstrated by their conduct and course of dealing.

219. On information and belief, at all relevant times Defendant promulgated, adopted,

and implemented written privacy policies whereby it expressly promised Plaintiff and Class

Members that it would only disclose PII under certain circumstances, none of which relate to the

Data Breach.

220. On information and belief, Defendant further promised to comply with industry

standards and to make sure that Plaintiff’s and Class Members’ PII would remain protected.

221. Plaintiff and Class Members paid money to Defendant with the reasonable belief

and expectation that Defendant would use part of its earnings to obtain adequate data security.

Defendant failed to do so.

222. Plaintiff and Class Members would not have entrusted their PII to Defendant in the

absence of the implied contract between them and Defendant to keep their information reasonably

secure.

223. Plaintiff and Class Members would not have entrusted their PII to Defendant in the

absence of their implied promise to monitor their computer systems and networks to ensure that it

adopted reasonable data security measures.

224. Every contract in this State has an implied covenant of good faith and fair dealing,

which is an independent duty and may be breached even when there is no breach of a contract’s

actual and/or express terms.

225. Plaintiff and Class Members fully and adequately performed their obligations under

the implied contracts with Defendant.

48
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 49 of 57

226. Defendant breached the implied contracts it made with Plaintiff and the Class by

failing to safeguard and protect their personal information, by failing to delete the information of

Plaintiff and the Class once the relationship ended, and by failing to provide accurate notice to

them that personal information was compromised as a result of the Data Breach.

227. Defendant breached the implied covenant of good faith and fair dealing by failing

to maintain adequate computer systems and data security practices to safeguard PII, failing to

timely and accurately disclose the Data Breach to Plaintiff and Class Members and continued

acceptance of PII and storage of other personal information after Defendant knew, or should have

known, of the security vulnerabilities of the systems that were exploited in the Data Breach.

228. As a direct and proximate result of Defendant’s breach of the implied contracts,

Plaintiff and Class Members sustained damages, including, but not limited to: (i) invasion of

privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity

costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss

of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the

actual consequences of the Data Breach; (vii) actual misuse of the compromised data consisting of

an increase in spam calls, texts, and/or emails; (viii) Plaintiff experiencing fraud and misuse of her

PII in the form of a hard inquiry being placed on her credit report, in or about February 2025; (ix)

nominal damages; and (x) the continued and certainly increased risk to their PII, which: (a) remains

unencrypted and available for unauthorized third parties to access and abuse; and (b) remains

backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as

Defendant fails to undertake appropriate and adequate measures to protect the PII.

229. Plaintiff and Class Members are entitled to compensatory, consequential, and

nominal damages suffered as a result of the Data Breach.

49
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 50 of 57

230. Plaintiff and Class Members are also entitled to injunctive relief requiring

Defendant to, e.g., (i) strengthen its data security systems and monitoring procedures; (ii) submit

to future annual audits of those systems and monitoring procedures; and (iii) immediately provide

adequate credit monitoring to all Class Members.

COUNT IV
Unjust Enrichment
(On Behalf of Plaintiff and the Class)

231. Plaintiff re-alleges and incorporates by reference all of the allegations contained in

paragraphs 1 through 162, as if fully set forth herein.

232. Plaintiff brings this Count in the alternative to the breach of implied contract count

above.

233. Plaintiff and Class Members conferred a monetary benefit on Defendant.

Specifically, they paid Defendant and/or its agents for utility services and in so doing also provided

Defendant with their PII. In exchange, Plaintiff and Class Members should have received from

Defendant the services that were the subject of the transaction and should have had their PII

protected with adequate data security.

234. Defendant knew that Plaintiff and Class Members conferred a benefit upon it and

has accepted and retained that benefit by accepting and retaining the PII entrusted to it. Defendant

profited from Plaintiff’s retained data and used Plaintiff’s and Class Members’ PII for business

purposes.

235. Defendant failed to secure Plaintiff’s and Class Members’ PII and, therefore, did

not fully compensate Plaintiff or Class Members for the value that their PII provided.

236. Defendant acquired the PII through inequitable record retention as it failed to

investigate and/or disclose the inadequate data security practices previously alleged.

50
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 51 of 57

237. If Plaintiff and Class Members had known that Defendant would not use adequate

data security practices, procedures, and protocols to adequately monitor, supervise, and secure

their PII, they would have entrusted their PII at Defendant or obtained services at Defendant.

238. Plaintiff and Class Members have no adequate remedy at law.

239. Defendant enriched itself by saving the costs it reasonably should have expended

on data security measures to secure Plaintiff’s and Class Members’ Personal Information. Instead

of providing a reasonable level of security that would have prevented the hacking incident,

Defendant instead calculated to increase its own profit at the expense of Plaintiff and Class

Members by utilizing cheaper, ineffective security measures and diverting those funds to its own

profit. Plaintiff and Class Members, on the other hand, suffered as a direct and proximate result of

Defendant’s decision to prioritize its own profits over the requisite security and the safety of their

PII.

240. Under the circumstances, it would be unjust for Defendant to be permitted to retain

any of the benefits that Plaintiff and Class Members conferred upon it.

241. As a direct and proximate result of Defendant’s conduct, Plaintiff and Class

Members have suffered and will suffer injury, including but not limited to: (i) invasion of privacy;

(ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs

associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss of

benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual

consequences of the Data Breach; (vii) actual misuse of the compromised data consisting of an

increase in spam calls, texts, and/or emails; (viii) Plaintiff experiencing fraud and misuse of her

PII in the form of a hard inquiry being placed on her credit report, in or about February 2025; (ix)

nominal damages; and (x) the continued and certainly increased risk to their PII, which: (a) remains

51
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 52 of 57

unencrypted and available for unauthorized third parties to access and abuse; and (b) remains

backed up in Defendant’s possession and is subject to further unauthorized disclosures so long as

Defendant fails to undertake appropriate and adequate measures to protect the PII.

242. Plaintiff and Class Members are entitled to full refunds, restitution, and/or damages

from Defendant and/or an order proportionally disgorging all profits, benefits, and other

compensation obtained by Defendant from its wrongful conduct. This can be accomplished by

establishing a constructive trust from which the Plaintiff and Class Members may seek restitution

or compensation.

243. Plaintiff and Class Members may not have an adequate remedy at law against

Defendant, and accordingly, they plead this claim for unjust enrichment in addition to, or in the

alternative to, other claims pleaded herein.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff, on behalf of herself and Class Members, requests judgment

against Defendant and that the Court grants the following:

A. For an Order certifying the Class, and appointing Plaintiff and her Counsel to

represent the Class;

B. For equitable relief enjoining Defendant from engaging in the wrongful conduct

complained of herein pertaining to the misuse and/or disclosure of the PII of

Plaintiff and Class Members;

C. For injunctive relief requested by Plaintiff, including but not limited to, injunctive

and other equitable relief as is necessary to protect the interests of Plaintiff and

Class Members, including but not limited to an order:

i. prohibiting Defendant from engaging in the wrongful and unlawful acts

52
Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 53 of 57

described herein;

ii. requiring Defendant to protect, including through encryption, all data

collected through the course of its business in accordance with all applicable

regulations, industry standards, and federal, state or local laws;

iii. requiring Defendant to delete, destroy, and purge the personal identifying

information of Plaintiff and Class Members unless Defendant can provide to

the Court reasonable justification for the retention and use of such information

when weighed against the privacy interests of Plaintiff and Class Members;

iv. requiring Defendant to provide out-of-pocket expenses associated with the

prevention, detection, and recovery from identity theft, tax fraud, and/or

unauthorized use of their PII for Plaintiff’s and Class Members’ respective

lifetimes;

v. requiring Defendant to implement and maintain a comprehensive Information

Security Program designed to protect the confidentiality and integrity of the

PII of Plaintiff and Class Members;

vi. prohibiting Defendant from maintaining the PII of Plaintiff and Class

Members on a cloud-based database;

vii. requiring Defendant to engage independent third-party security

auditors/penetration testers as well as internal security personnel to conduct

testing, including simulated attacks, penetration tests, and audits on

Defendant’s systems on a periodic basis, and ordering Defendant to promptly

correct any problems or issues detected by such third-party security auditors;

viii. requiring Defendant to engage independent third-party security auditors and

53
Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 54 of 57

internal personnel to run automated security monitoring;

ix. requiring Defendant to audit, test, and train its security personnel regarding

any new or modified procedures;

x. requiring Defendant to segment data by, among other things, creating

firewalls and controls so that if one area of Defendant’s network is

compromised, hackers cannot gain access to portions of Defendant’s systems;

xi. requiring Defendant to conduct regular database scanning and securing

checks;

xii. requiring Defendant to establish an information security training program that

includes at least annual information security training for all employees, with

additional training to be provided as appropriate based upon the employees’

respective responsibilities with handling personal identifying information, as

well as protecting the personal identifying information of Plaintiff and Class

Members;

xiii. requiring Defendant to routinely and continually conduct internal training and

education, and on an annual basis to inform internal security personnel how to

identify and contain a breach when it occurs and what to do in response to a

breach;

xiv. requiring Defendant to implement a system of tests to assess its respective

employees’ knowledge of the education programs discussed in the preceding

subparagraphs, as well as randomly and periodically testing employees’

compliance with Defendant’s policies, programs, and systems for protecting

personal identifying information;

54
Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 55 of 57

xv. requiring Defendant to implement, maintain, regularly review, and revise as

necessary a threat management program designed to appropriately monitor

Defendant’s information networks for threats, both internal and external, and

assess whether monitoring tools are appropriately configured, tested, and

updated;

xvi. requiring Defendant to meaningfully educate all Class Members about the

threats that they face as a result of the loss of their confidential personal

identifying information to third parties, as well as the steps affected

individuals must take to protect herself;

xvii. requiring Defendant to implement logging and monitoring programs sufficient

to track traffic to and from Defendant’s servers; and

xviii. for a period of 10 years, appointing a qualified and independent third party

assessor to conduct a SOC 2 Type 2 attestation on an annual basis to evaluate

Defendant’s compliance with the terms of the Court’s final judgment, to

provide such report to the Court and to counsel for the class, and to report any

deficiencies with compliance of the Court’s final judgment;

D. For an award of damages, including actual, nominal, consequential, and punitive

damages, as allowed by law in an amount to be determined;

E. For an award of attorneys’ fees, costs, and litigation expenses, as allowed by law;

F. For prejudgment interest on all amounts awarded; and

G. Such other and further relief as this Court may deem just and proper.

JURY TRIAL DEMANDED

Plaintiff hereby demands a trial by jury on all claims so triable.

55
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 56 of 57

This the 28th day of February, 2025.

Respectfully submitted,

MILISA JONES YOUNG, on behalf of herself

and all others similarly situated

BY: /s/ James R. Segars, III_______________

JAMES R. SEGARS, III

Gerald J. Diaz, Jr., Esq. (MSB #6063)

Christopher P. Williams, Esq. (MSB #10774)
James R. Segars, III, Esq. (MSB #103605)
DIAZ LAW FIRM, PLLC
208 Waterford Square, Suite 300
Madison, MS 39110
Phone: (601) 607-3456
Fax: (601) 607-3393
Email: joey@diazlawfirm.com
Email: chris@diazlawfirm.com
Email: tripp@diazlawfirm.com

Mariya Weekes, Pro Hac Vice

MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN, PLLC
201 Sevilla Avenue, 2nd Floor
Coral Gables, FL 33134
Tel: (786) 879-8200
Fax: (786) 879-7520
Email: mweekes@milberg.com

Attorneys for Plaintiff and The Proposed Class

56
 Case 3:25-cv-00131-KHJ-MTP Document 6 Filed 02/28/25 Page 57 of 57

CERTIFICATE OF SERVICE

I hereby certify that First Amended Class Action Complaint was filed electronically on this

the 28th day of February, 2025. Notice of Electronic Case Filing has been sent automatically to all

parties listed in the Service List in effect on the date of electronic filing and is being sent to known

counsel for Defendant.

____ /s/ James R. Segars, III____

JAMES R. SEGARS, III

57