Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 1 of 23 1 2 3 4 5 6 7 8 9 10 11 Matthew J. Preusch (298144) Christopher L. Springer (291180) KELLER ROHRBACK L.L.P. 801 Garden Street, Suite 301 Santa Barbara, CA 93101 (805) 456-1496, Fax (805) 456-1497 mpreusch@kellerrohrback.com cspringer@kellerrohrback.com Lynn Lincoln Sarko, pro hac vice forthcoming KELLER ROHRBACK L.L.P. 1201 Third Avenue, Suite 3200 Seattle, WA 98101 (206) 623-1900, Fax (206) 623-3384 lsarko@kellerrohrback.com Attorneys for Plaintiffs Additional Attorneys Listed on Signature Page UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN FRANCISCO DIVISION 12 13 14 15 DANYELLE TOWNSEND and KEN TEW, individually and on behalf of all others similarly situated, 16 Plaintiffs, 17 No. CLASS ACTION COMPLAINT JURY DEMANDED v. 18 19 20 UBER TECHNOLOGIES, INC., a Delaware corporation, Defendant. 21 22 23 24 25 26 27 28 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 2 of 23 1 2 3 Table of Contents I. INTRODUCTION ...................................................................................................................... 1 II. PARTIES ................................................................................................................................... 2 4 5 A. Plaintiffs ......................................................................................................................... 2 B. Defendant ....................................................................................................................... 2 6 III. JURISDICTION AND VENUE.................................................................................................. 2 IV. INTRADISTRICT ASSIGNMENT ............................................................................................ 3 V. FACTUAL ALLEGATIONS...................................................................................................... 3 7 8 9 10 11 A. Uber Was Negligent in Its Efforts to Protect Highly Valuable Personal Information ..................................................................................................................... 3 B. Uber Concealed the Massive Breach from Data Breach Victims and Regulators for Over One Year ......................................................................................... 6 C. Uber’s Failures Have Harmed and Will Continue to Harm Data Breach Victims ........................................................................................................................... 7 12 13 14 15 VI. CLASS ACTION ALLEGATIONS ............................................................................................ 7 A. 16 Class Definition(s) .......................................................................................................... 7 17 1. National Class ..................................................................................................... 7 18 2. South Carolina Subclass ...................................................................................... 8 19 VII. CLAIMS FOR RELIEF .............................................................................................................. 9 20 Negligence ............................................................................................................ 9 21 Fraudulent Misrepresentation ............................................................................. 11 22 Unjust Enrichment ............................................................................................ 13 23 24 25 26 27 28 Invasion of Privacy ........................................................................................... 14 Declaratory Judgment ........................................................................................ 14 Violation of South Carolina Data Breach Security Act, S.C. Code Ann. §§ 39- 1-90 et seq. ................................................................................................ 16 Violations of South Carolina Unfair Trade Practices Act, S.C. Code Ann. §§ 39-5-10 et seq. ........................................................................................ 17 i COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 3 of 23 1 2 VIII. PRAYER FOR RELIEF ........................................................................................................... 19 IX. DEMAND FOR JURY TRIAL ................................................................................................. 19 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ii COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 4 of 23 1 Plaintiffs bring this action on behalf of themselves and all others similarly situated, against Uber 2 Technologies, Inc. (“Uber”). Plaintiffs allege the following based upon information and belief, the 3 investigation of counsel, and personal knowledge as to the factual allegations pertaining to 4 himself/herself. 5 6 I. 1. INTRODUCTION Uber, the world’s largest ridesharing company operating in over 700 countries and 600 7 cities worldwide, connects millions of riders with drivers via Uber’s mobile application. Uber users trust 8 the company with their personal information when they create an Uber account consisting of their name, 9 email, phone number, login name and password, address, payment or banking information and other 10 11 personal information. 2. On November 21, 2017, Uber disclosed that it had experienced a data breach, confirming 12 that the personally identifiable information of 57 million Uber users worldwide (the “Data Breach”) had 13 been downloaded by hackers, including names, email addresses and mobile phone numbers. However, 14 also potentially at risk are additional pieces of personally identifiable information generally available in 15 Uber customer accounts including: location history, credit card numbers, bank account numbers, Social 16 Security numbers, dates of birth and other information. Additionally, Uber disclosed that the names and 17 drivers’ license numbers of around 600,000 drivers in the United States had been downloaded by 18 hackers. 19 3. The Data Breach occurred in October 2016; however, Uber failed to disclose the Data 20 Breach until more than one year later. The hackers were able to gain access through a third-party cloud- 21 based service that handled computing tasks for the company. From there, the hackers discovered an 22 archive of rider and driver information. The hackers then emailed the company, demanding a ransom in 23 exchange for deleting the downloaded information. 24 4. Rather than alerting regulators, law enforcement and victims of the Data Breach, Uber 25 sought to conceal the Data Breach by paying the hackers $100,000 to destroy the stolen data and to 26 promise to keep the Data Breach a secret from the public and regulators. 27 28 5. In a statement released November 21, 2017, Uber’s Chief Executive Officer, Dara Khosrowshahi stated: “You may be asking why we are just talking about this now, a year later. I had the 1 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 5 of 23 1 same question,” adding that he “immediately” launched an investigation upon recently learning about 2 the cover-up. 3 6. As a result of Uber’s negligence and wanton and reckless disregard of data breach 4 notification requirements, millions of Americans are now – and have been for over one year – at risk of 5 identity theft. 6 7 II. A. 8 9 10 PARTIES Plaintiffs 7. Class representative Danyelle Townsend is a U.S. Citizen and resident of Charleston County, South Carolina. Ms. Townsend’s data was compromised, damaged, and otherwise put at risk by Uber’s gross negligence and other violations of law. 11 8. Class representative Ken Tew is a U.S. Citizen and resident of Charleston County, South 12 Carolina. Mr. Tew’s data was compromised, damaged, and otherwise put at risk by Uber’s gross 13 negligence and other violations of law. 14 B. 15 Defendant 9. Uber Technologies, Inc. is a global company incorporated in Delaware with headquarters 16 in San Francisco, California. The company employs approximately 16,000 people and operates or has 17 investments in over 700 countries in North America, Central and South America, Europe and the Asia 18 Pacific region. Among Uber’s subsidiaries are UberEATS, Otto, Rasier LLC, deCarta, Complex 19 Polygon, and Geometric Intelligence. 20 21 III. 10. JURISDICTION AND VENUE This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331 22 based on the federal statutory claims below, and the Court has supplemental jurisdiction over Plaintiffs’ 23 state law claims under 28 U.S.C. § 1367. 24 11. This Court also has subject matter jurisdiction pursuant to the Class Action Fairness Act 25 of 2005, 28 U.S.C. § 1332(d), because at least one Class member is of diverse citizenship from one 26 defendant, there are 100 or more Class members nationwide, and the aggregate amount in controversy 27 exceeds $5,000,000. 28 12. Venue is proper in this District pursuant to 28 U.S.C. § 1391(b)(3) because the Court has 2 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 6 of 23 1 personal jurisdiction over Defendant, a substantial portion of the alleged wrongdoing occurred in this 2 District and California, and Defendant has sufficient contacts with this District and California. 3 13. Venue is proper in the Northern District of California pursuant to 28 U.S.C. § 1391(b)(2) 4 because a substantial part of the events or omissions giving rise to the claims at issue in this Complaint, 5 which impacted millions of Californians, arose in this District. 6 IV. 7 14. INTRADISTRICT ASSIGNMENT This action is properly assigned to the San Francisco or Oakland Division of this District 8 pursuant to N.D. Cal. L.R. 3-2, because a substantial part of the events or omissions giving rise to 9 Plaintiffs’ claims arose in the counties served by the San Francisco and Oakland Divisions. Defendant, 10 as well as thousands of other Class members who have had their personally identifiable information 11 breached, reside in the counties served by this Division. 12 13 14 V. A. FACTUAL ALLEGATIONS Uber Was Negligent in Its Efforts to Protect Highly Valuable Personal Information 15. Uber is the largest ride sharing company in the world, serving over 40 million riders per 15 month and contracting with over 2 million drivers. Uber provides services to users through its mobile 16 software application, which collects users’ information provided when users interact with the company, 17 including by creating or updating an account and using Uber’s services, as well as from other sources, 18 such as Uber partners and third parties that use Uber’s application programming interface. When 19 creating an Uber account, users provide information such as name, email, phone number, login name 20 and password, address, payment or banking information, government identification numbers, birth date 21 and photo. Uber likewise collects information when riders use its service such as location, date and time 22 service was provided, amount charged, distance traveled, and other related transaction details. 23 Additionally, Uber collects information about users’ devices, including hardware models, operating 24 systems and versions, software, file names and versions, preferred languages, unique device identifiers, 25 advertising identifiers, serial numbers, device motion information, and mobile network information. 26 Uber also collects information from its drivers, including vehicle, insurance and driver’s license 27 information. In short, Uber collects massive amounts of data about its users, both riders and drivers. 28 3 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 7 of 23 1 16. On November 21, 2017, Uber disclosed that it had suffered a breach in October 2016 that 2 exposed personally identifiable information for 57 million drivers and customers, including names, 3 email addresses and phone numbers. In addition, the driver’s license numbers for about 600,000 U.S. 4 drivers were also disclosed. 5 6 7 8 9 10 11 12 13 14 15 16 17 18 17. Uber stated that two individuals from outside the company were able to gain access to 19 user data stored on a third-party cloud based service used by the company. According to Bloomberg 20 News, the hackers gained entry through a GitHub coding site used by Uber software engineers and then 21 used login credentials they obtained there to access data stored on an Amazon Web Services account 22 that handled computing tasks for the company. From there, the hackers discovered an archive of rider 23 and driver information. 24 18. In November 2016, Uber became aware of the Data Breach when the hackers emailed the 25 company, demanding a ransom in exchange for deleting the downloaded information. Rather than 26 reporting the Data Breach to regulators, law enforcement or the victims, the company paid the hackers 27 $100,000 to delete the data and keep the Data Breach secret from the public and regulators. 28 19. According to Uber, after the company learned of the breach, it hired a forensic expert to 4 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 8 of 23 1 assess the extent of the information breached and “took immediate steps to secure the data and shut 2 down further unauthorized access” to the information by “implement[ing] security measures to restrict 3 access and to strengthen controls of our cloud-based storage accounts.” Additionally, Uber represented 4 that it has “subsequently identified the [hackers] and obtained assurances that the downloaded data had 5 been destroyed.” 6 20. Uber’s Privacy Policy recognizes that users trust and rely on it to safeguard their 7 personally identifiable information (“PII”): “When you use Uber, you trust us with your information. 8 We are committed to keeping that trust.” Moreover, Uber represents to users that it makes every effort 9 to protect and safeguard their PII: “We work around the clock to protect your data from fraud, abuse, 10 and unauthorized access.” In this regard, the frequently asked questions on Uber’s Privacy Policy 11 webpage represents that Uber uses “technical safeguards” and “secure software development” to protect 12 and safeguard users’ PII, and that Uber has a team of experts “working around the clock” to prevent any 13 misuse of users’ PII. 14 15 16 17 How does Uber protect the information it collects? We take the security of your data seriously. Uber uses technical safeguards like encryption, authentication, fraud detection, and secure software development to protect your information. We also have an extensive team of data security and privacy experts working around the clock to prevent theft, fraud, or abuse of your information. 18 19 20 21 22 23 24 25 26 27 28 5 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 9 of 23 1 2 3 4 5 6 7 8 9 10 11 12 13 21. Nonetheless, it appears Uber did not have sufficient infrastructure or procedures to 14 prevent the intrusion. It also appears that Uber did not have sufficient infrastructure or procedures to 15 detect the intrusion once it occurred. Uber only became aware of the Data Breach after it was contacted 16 by the hackers, which suggests Uber had very poor security detection practices. 17 18 B. Uber Concealed the Massive Breach from Data Breach Victims and Regulators for Over One Year 19 22. Although Uber reportedly became aware of the Data Breach in November 2016, it failed 20 to disclose the breach to the public until one year later. During that time, tens of millions of Uber’s 21 customers and drivers were unaware that some of their most valuable private information had been 22 accessed by hackers. 23 23. Uber has had a reputation for flouting regulations since its founding in 2009. At the time 24 of the Data Breach, Uber was negotiating with various U.S. regulators investigating separate claims of 25 privacy violations. These claims included a lawsuit that was recently settled with the New York State 26 Office of Attorney General over Uber’s failure to disclose a 2014 data security incident. Additionally, 27 Uber was negotiating with the Federal Trade Commission over its handling of consumer data, which 28 resulted in a settlement in August of 2017 without admitting wrongdoing, before last year’s attack was 6 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 10 of 23 1 disclosed to the agency. 2 24. Among the key executives involved in the breach response in November 2016 was co- 3 founder and then CEO, Travis Kalanick. However, in June 2017, he was ousted by the Board in 4 response to investor concerns that he put the company at risk in the wake of numerous criminal probes 5 related to bribes, illicit software, questionable pricing schemes and theft of competitor intellectual 6 property. 7 25. Another key member of the executive team involved in Uber’s 2016 response to the Data 8 Breach was Joe Sullivan, the company’s then Chief Security Officer. In October 2017, Mr. Sullivan and 9 his team became the subject of an investigation by Uber’s board with the help of an outside law firm. 10 The outside law firm discovered the hack and Uber’s failure to disclose. In the wake of this disclosure 11 CEO Khosrowshahi asked Mr. Sullivan to step down. 12 C. 13 Uber’s Failures Have Harmed and Will Continue to Harm Data Breach Victims 26. The Uber Data Breach has greatly increased the victims’ risk of identity theft relative to 14 the time before the Data Breach. Unlike the credit and debit card numbers stolen in some of the other 15 recent high-profile data breaches, much of the information furnished here cannot simply be changed, and 16 will continue to be valuable to identity thieves for many years. 17 27. As the Government Accountability Office reported in 2012, individuals who experience a 18 data breach involving their Social Security number and dates of birth experience a much higher 19 likelihood of being a victim of an identity crime. Social Security numbers, dates of birth, and names “are 20 among the three personal identifiers most often sought by identity thieves,” according to the GAO. 21 22 VI. A. CLASS ACTION ALLEGATIONS Class Definition(s) 23 1. National Class 24 28. Pursuant to Fed. R. Civ. P. 23(a), (b)(2), (b)(3) and (c)(4), Plaintiffs seek relief on behalf 25 of themselves and as representatives of a proposed nationwide class (“Nationwide Class”), defined as 26 follows: 27 28 All natural persons in the United States whose PII was compromised as a result of the Data Breach. 7 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 11 of 23 1 2 2. South Carolina Subclass 29. Pursuant to Fed. R. Civ. P. 23, Plaintiffs seek relief on behalf of themselves and as 3 representatives of a proposed statewide subclass class (“South Carolina Subclass”), defined as follows: 4 All natural persons who are citizens of South Carolina whose PII was compromised as a result of the Data Breach. 5 6 7 8 9 10 30. Except where otherwise noted, “Class” or “Class members” shall refer to members of the Nationwide Class and the South Carolina Subclass. 31. Excluded from the Class are Defendant and any of its affiliates, parents or subsidiaries; all employees of Defendant; as well as the Court and its personnel presiding over this action. 32. Numerosity. The proposed Class is sufficiently numerous, as 57 million Data Breach 11 victims worldwide had their PII compromised, including 600,000 U.S. Uber drivers and, upon 12 information and belief, tens of millions of U.S. Uber customers. These individuals are dispersed 13 throughout the United States, making joinder of all members impracticable. Class members can be 14 readily identified and ascertained through the records maintained by Uber. 15 16 17 33. predominate over questions affecting only individual class members, including: a. Whether Uber had a legal duty to use reasonable security measures to protect Class members’ PII; 18 19 Commonality. Common questions of fact and law exist for each cause of action and b. Whether Uber timely, accurately, and adequately informed Class members that their PII had been compromised; 20 21 c. Whether Uber breached its legal duty by failing to protect Class members’ PII; 22 d. Whether Uber acted reasonably in securing Class members’ PII; 23 e. Whether Class members are entitled to actual damages and/or statutory damages; and 24 f. Whether Class members are entitled to injunctive relief. 25 34. Typicality. Plaintiffs’ claims are typical of the claims of members of the proposed Class 26 because, among other things, Plaintiffs and Class members sustained similar injuries as a result of 27 Uber’s uniform wrongful conduct and their legal claims all arise from the same conduct by Uber. 28 35. Adequacy. Plaintiffs will fairly and adequately protect the interests of the proposed 8 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 12 of 23 1 Class. Plaintiffs’ interests do not conflict with other Class members’ interests and they have retained 2 counsel experienced in complex class action and data privacy litigation to prosecute this case on behalf 3 of the Class. 4 36. Rule 23(b)(3). In addition to satisfying the prerequisites of Rule 23(a), Plaintiffs satisfy 5 the requirements for maintaining a class action under Rule 23(b)(3). Common questions of law and fact 6 predominate over any questions affecting only individual Class members and a class action is superior to 7 individual litigation. The amount of damages available to individual plaintiffs is insufficient to make 8 litigation addressing Uber’s conduct economically feasible in the absence of the class action procedure. 9 Individualized litigation also presents a potential for inconsistent or contradictory judgments, and 10 increases the delay and expense to all parties and the court system presented by the legal and factual 11 issues of the case. By contrast, the class action device presents far fewer management difficulties and 12 provides the benefits of a single adjudication, economy of scale, and comprehensive supervision by a 13 single court. 14 37. Rule 23(b)(2). Plaintiffs also satisfy the requirements for maintaining a class action 15 under Rule 23(b)(2). Uber has acted or refused to act on grounds that apply generally to the proposed 16 Class, making final declaratory or injunctive relief appropriate with respect to the proposed Class as a 17 whole. 18 38. Rule 23(c)(4). This action also satisfies the requirements for maintaining a class action 19 under Rule 23(c)(4). The claims of Class members are composed of particular issues that are common 20 to all Class members and capable of class wide resolution that will significantly advance the litigation. 21 22 VII. CLAIMS FOR RELIEF Claims Asserted on Behalf of the Nationwide Class: 23 24 Negligence 25 39. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 26 40. Uber owed a duty to Plaintiffs and the Nationwide Class members to exercise reasonable 27 care in safeguarding and protecting their highly sensitive and personal information. This duty included, 28 among other things, designing, maintaining, monitoring, testing Uber’s security systems, protocols, and 9 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 13 of 23 1 practices, as well as taking other reasonable security measures to protect and adequately secure the PII 2 of Plaintiffs and Nationwide Class members from unauthorized access. 3 41. Uber owed a duty to Plaintiffs and Nationwide Class members to implement 4 administrative, physical and technical safeguards, such as intrusion detection processes that detect data 5 breaches in a timely manner, to protect and secure Plaintiffs’ and Nationwide Class members’ PII. 6 42. Uber owed a duty of care to Plaintiffs and Nationwide Class members because they were 7 foreseeable and probable victims of any inadequate security practices. It was foreseeable that if Uber 8 did not take reasonable security measures, the PII of Plaintiffs and members of the Nationwide Class 9 would be stolen. Major corporations like Uber face a higher threat of security breaches than smaller 10 companies due in part to the large amounts of data they possess. Uber knew or should have known its 11 security systems were inadequate, particularly in light of the prior data breaches that Uber had 12 experienced, and yet Uber failed to take reasonable precautions to safeguard the PII of Plaintiffs and 13 members of the Nationwide Class. 14 15 16 43. Uber owed a duty to disclose the material fact that its data security practices were inadequate to safeguard Nationwide Class members’ PII. 44. Uber had a duty to timely and accurately notify Plaintiffs and Nationwide Class members 17 if their PII was compromised so that Plaintiffs and Nationwide Class members could act to mitigate the 18 harm caused by the loss of opportunity to control how their PII was used. 19 45. Uber breached its duties by, among other things: (a) failing to implement and maintain 20 adequate data security practices to safeguard Nationwide Class members’ PII; (b) failing to detect the 21 Data Breach in a timely manner; (c) failing to disclose that Defendant’s data security practices were 22 inadequate to safeguard Nationwide Class members’ PII; and (d) failing to provide adequate and timely 23 notice of the breach. 24 25 26 46. But for Uber’s breach of its duties, Nationwide Class members’ PII would not have been accessed by unauthorized individuals. 47. Plaintiffs and Nationwide Class members were foreseeable victims of Uber’s inadequate 27 data security practices. Uber knew or should have known that a breach of its data security systems 28 would cause damages to Nationwide Class members. 10 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 14 of 23 1 2 3 48. Uber’s negligent conduct provided a means for unauthorized intruders to obtain Plaintiffs’ and the Nationwide Class members’ PII. 49. As a result of Uber’s willful failure to prevent the Data Breach, Plaintiffs and Nationwide 4 Class members suffered injury, which includes but is not limited to: (1) exposure to a heightened, 5 imminent risk of fraud, identity theft, and financial harm; (2) the loss of the opportunity to control how 6 their PII is used; (3) the diminution in the value and/or use of their PII; (4) the compromise, publication, 7 and/or theft of their PII; (5) out-of-pocket costs associated with the prevention, detection, and recovery 8 from identity theft and/or unauthorized use of financial accounts; (6) lost opportunity costs associated 9 with the effort expended and the loss of productivity from addressing and attempting to mitigate the 10 actual and future consequences of the breach, including but not limited to efforts spent researching how 11 to prevent, detect, contest and recover from identity theft, as well as the time and effort Plaintiffs and 12 Nationwide Class members have expended to monitor their financial accounts and credit histories to 13 guard against identity theft; (7) costs associated with the ability to use credit and assets frozen or flagged 14 due to credit misuse, including complete credit denial and/or increased costs to use credit, credit scores, 15 credit reports and assets; (8) unauthorized use of compromised PII to open new financial accounts; (9) 16 tax fraud and/or other unauthorized charges to financial accounts and associated lack of access to funds 17 while proper information is confirmed and corrected; (10) the continued risk to their PII, which remain 18 in Uber’s possession and is subject to further breaches so long as Uber fails to undertake appropriate and 19 adequate measures to protect the PII in its possession; and (11) future costs in terms of time, effort and 20 money that will be expended to prevent, detect, contest, and repair the impact of the PII compromised as 21 a result of the Data Breach for the remainder of their lives. 22 23 24 50. The damages to Plaintiffs and Nationwide Class members were a proximate, reasonably foreseeable result of Uber’s breaches of its duties. 51. Plaintiffs and the Nationwide Class are also entitled to damages and reasonable attorneys’ 25 fees and costs. Plaintiffs seek reasonable attorneys’ fees and costs under applicable law including 26 Federal Rule of Civil Procedure 23 and California Code of Civil Procedure § 1021.5. 27 28 Fraudulent Misrepresentation 52. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 11 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 15 of 23 1 53. Uber misrepresented material facts to Plaintiffs and Nationwide Class Members by 2 representing that it would maintain adequate data security and privacy practices and procedures to 3 safeguard Plaintiffs’ and Nationwide Class members’ PII from unauthorized access, disclosure, release, 4 theft, fraud or other abuse. 5 54. Uber made these false representations knowingly and with a reckless disregard for the 6 truth, because it has been aware of the inadequacy of its data security and privacy practices and 7 procedures since at least approximately November 2016, when it became aware of the Data Breach. 8 55. Prior to making these misrepresentations, Uber knew that its networks, systems, 9 protocols, policies, procedures and practices, as described above, were not adequately designed, 10 implemented, maintained, monitored and tested to ensure that Plaintiffs’ and Nationwide Class 11 members’ PII were secured from unauthorized access. 12 13 14 15 16 56. Uber intended that users would rely on these misrepresentations in deciding whether to engage and pay Uber for transportation services. 57. In reliance upon these representations, Plaintiffs and Nationwide Class members engaged and paid for Uber to provide transportation services. 58. Had Plaintiffs and Nationwide Class members, as reasonable persons, known of Uber’s 17 inadequate data privacy and security practices, or that Uber was failing to comply with the requirements 18 of federal and state laws pertaining to the privacy and security of Plaintiffs’ and Nationwide Class 19 members’ PII, they would not have engaged Uber to provide, nor paid for, transportation services from 20 Uber, and would not have entrusted their PII to Uber. 21 59. As a direct and proximate consequence of Uber’s fraudulent misrepresentations, 22 Plaintiffs and Nationwide Class members have suffered injury, which includes but is not limited to the 23 exposure to a heightened, imminent risk of fraud, identity theft, financial and other harm. Plaintiffs and 24 Nationwide Class members must monitor their financial accounts and credit histories more closely and 25 frequently to guard against identity theft. Plaintiffs and Nationwide Class members also have incurred, 26 and will continue to incur on an indefinite basis, out-of-pocket costs for obtaining credit reports, credit 27 freezes, credit monitoring services, and other protective measures to deter or detect identity theft. The 28 unauthorized acquisition of Plaintiffs’ and Nationwide Class members’ PII has also diminished the value 12 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 16 of 23 1 of the PII. 2 60. 3 Therefore, Plaintiffs and Nationwide Class members are entitled to damages in an amount to be proven at trial. 4 Unjust Enrichment 5 6 61. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 7 62. In the alternative, Plaintiffs allege that Plaintiffs and the Nationwide Class have no 8 9 adequate remedy at law. 63. Plaintiffs and Nationwide Class members, unaware of the Data Breach, conferred a 10 monetary benefit on Uber in the form of money paid (directly or indirectly) to Uber for ride sharing 11 services obtained and/or provided their PII to Uber, during the period of time between when Uber 12 discovered the Data Breach and when Uber disclosed the Data Breach (“Undisclosed Breach Period”). 13 14 15 16 17 64. Had Plaintiffs and Nationwide Class members known about the Data Breach during the Undisclosed Breach Period, they would have used another ride sharing service such as Lyft. 65. Uber appreciated or had knowledge of the benefits conferred upon it by Plaintiffs and Nationwide Class members during the Undisclosed Breach Period. 66. As a result of Uber’s conduct, Plaintiffs and Nationwide Class members suffered actual 18 damages in an amount equal to the monetary benefit conferred by Plaintiffs and Nationwide Class members 19 on Uber during the Undisclosed Breach Period. 20 21 22 67. Under principles of equity and good conscience, Uber should not be permitted to retain the money conferred by Plaintiffs and Nationwide Class members during the Undisclosed Breach Period. 68. Uber should be compelled to disgorge into a common fund for the benefit of Plaintiffs 23 and Nationwide Class members all unlawful or inequitable proceeds received by Uber during the 24 Undisclosed Breach Period. 25 26 69. A constructive trust should be imposed upon all unlawful or inequitable sums received by Uber traceable to Plaintiffs and Nationwide Class members during the Undisclosed Breach Period. 27 28 13 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 17 of 23 1 Invasion of Privacy 2 70. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 3 71. Plaintiffs and Nationwide Class members reasonably expected that their PII would be 4 protected and secured from unauthorized parties, would not be disclosed to any unauthorized parties or 5 disclosed for any improper purpose. 6 72. Uber unlawfully invaded the privacy rights of Plaintiffs and the Nationwide Class by (a) 7 failing to adequately secure their PII from disclosure to unauthorized parties for improper purposes; (b) 8 disclosing their PII to unauthorized parties in a manner that is highly offensive to a reasonable person; 9 and (c) disclosing their PII to unauthorized parties without the informed and clear consent of Plaintiffs 10 11 and the Nationwide Class. 73. In failing to adequately secure Plaintiffs’ and Nationwide Class members’ PII, Uber acted 12 in reckless disregard of their privacy rights. Uber knew or should have known that their substandard data 13 security measures are highly offensive to a reasonable person in the same position as Plaintiffs and 14 Nationwide Class members. 15 74. Uber violated Plaintiffs’ and Nationwide Class members’ right to privacy under the 16 common law as well as under state law, including but not limited to the California Constitution, Article 17 I, Section 1, and the South Carolina Constitution, Article I, Section 10. 18 75. As a direct and proximate result of Uber’s unlawful invasions of privacy, Plaintiffs’ and 19 Nationwide Class members’ PII has been viewed or is at imminent risk of being viewed, and their 20 reasonable expectations of privacy have been intruded upon and frustrated. Plaintiffs and the Nationwide 21 Class have suffered injury as a result of Uber’s unlawful invasions of privacy and are entitled to 22 appropriate relief. 23 Declaratory Judgment 24 25 76. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 26 77. As previously alleged, Plaintiffs and the Nationwide Class have stated claims against 27 28 Uber based on negligence and other common law and statutory violations. 78. Uber has failed to live up to its obligations to provide reasonable security measures for 14 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 18 of 23 1 the PII of Plaintiffs and the Nationwide Class. 2 79. Uber still possesses PII pertaining to Plaintiffs and Nationwide Class members. 3 80. In addition, the Data Breach has rendered Uber’s system even more vulnerable to 4 unauthorized access and requires that Uber immediately take even more stringent measures to currently 5 safeguard the PII of Plaintiffs and the Nationwide Class going forward. 6 81. 7 security systems. 8 82. 9 Uber has made no representation that it has remedied the vulnerabilities in its data An actual controversy has arisen in the wake of the Data Breach regarding Uber’s current obligations to provide reasonable data security measures to protect the PII of Plaintiffs and the 10 Nationwide Class. On information and belief, Uber maintains that its security measures were, and 11 remain, reasonably adequate. On information and belief, Uber further denies that it previously had or 12 now has any obligation to better safeguard the PII of Plaintiffs and the Nationwide Class. 13 83. Plaintiffs thus seek a declaration that to comply with its existing obligations, Uber must 14 implement specific additional, prudent industry security practices, as outlined below, to provide 15 reasonable protection and security to the PII of Plaintiffs and the Nationwide Class. 16 84. Specifically, Plaintiffs and the Nationwide Class seek a declaration that (a) Uber’s 17 existing security measures do not comply with its obligations, and (b) that to comply with its 18 obligations, Uber must implement and maintain reasonable security measures on behalf of Plaintiffs and 19 the Nationwide Class, including, but not limited to: (1) engaging third party security auditors/penetration 20 testers as well as internal security personnel to conduct testing consistent with prudent industry 21 practices, including simulated attacks, penetration tests, and audits on Uber’s systems on a periodic 22 basis; (2) engaging third party security auditors and internal personnel to run automated security 23 monitoring consistent with prudent industry practices; (3) auditing, testing, and training its security 24 personnel regarding any new or modified procedures; (4) purging, deleting and destroying, in a secure 25 manner, data not necessary for its business operations; (5) conducting regular database scanning and 26 securing checks consistent with prudent industry practices; (6) periodically conducting internal training 27 and education to inform internal security personnel how to identify and contain a breach when it occurs 28 and what to do in response to a breach consistent with prudent industry practices; (7) receiving periodic 15 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 19 of 23 1 compliance audits by a third party regarding the security of the computer systems Uber uses to store the 2 personal information of Plaintiffs and the Nationwide Class members; (8) meaningfully educating 3 Plaintiffs and the Nationwide Class members about the threats they face as a result of the loss of their 4 PII to unauthorized third parties, as well as the steps they must take to protect themselves; and (9) 5 providing ongoing identity theft protection, monitoring, and recovery services to Plaintiffs and 6 Nationwide Class members. 7 Claims Asserted on Behalf of the South Carolina Subclass 8 9 Violation of South Carolina Data Breach Security Act, S.C. Code Ann. §§ 39- 1-90 et seq. 10 85. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 11 86. Plaintiffs Danyelle Townsend and Ken Tew bring this action on behalf of the South 12 13 Carolina Subclass against Defendant. 87. Uber is required to accurately notify Plaintiffs and South Carolina Subclass members 14 following discovery or notification of a breach of its data security system (if personally identifying 15 information that was not rendered unusable through encryption, redaction, or other methods was, or was 16 reasonably believed to have been, acquired by an unauthorized person, creating a material risk of harm) 17 in the most expedient time possible and without unreasonable delay under S.C. Code Ann. § 39-1-90(A). 18 19 20 88. Uber is a business that owns or licenses computerized data or other data that includes personal identifying information as defined by S.C. Code Ann. § 39-1-90(A). 89. Plaintiffs and South Carolina Subclass members’ personal information (e.g., Social 21 Security numbers) includes personal identifying information as covered under S.C. Code Ann. § 39-1- 22 90(D)(3). 23 90. Because Uber discovered a breach of its data security system (in which personal 24 information that was not rendered unusable through encryption, redaction, or other methods was, or was 25 reasonably believed to have been, acquired by an unauthorized person, creating a material risk of harm), 26 Uber had an obligation to disclose the Data Breach in a timely and accurate fashion as mandated by S.C. 27 Code Ann. § 39-1-90(A), but failed to do so. 28 91. As a direct and proximate result of Uber’s violations of S.C. Code Ann. § 39-1-90(A), 16 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 20 of 23 1 Plaintiffs and South Carolina Subclass members suffered damages, as described above. 2 3 92. Plaintiffs and South Carolina Subclass members seek relief under S.C. Code Ann. § 39-1- 90(G), including, but not limited to, actual damages and injunctive relief. 4 5 Violations of South Carolina Unfair Trade Practices Act, S.C. Code Ann. §§ 39-5-10 et seq. 6 93. Plaintiffs incorporate by reference all paragraphs above as if fully set forth herein. 7 94. Plaintiffs Danyelle Townsend and Ken Tew bring this action on behalf of the South 8 Carolina Subclass against Defendant. 9 10 95. meaning of S.C. Code § 39-5-10(a). 11 12 13 14 15 16 17 Uber, Plaintiffs, and the South Carolina Subclass members are “persons” within the 96. Uber is engaged in “trade” or “commerce” within the meaning of S.C. Code § 39-5- 97. The South Carolina Unfair Trade Practices Act (“South Carolina UTPA”) prohibits 10(b). “unfair or deceptive acts or practices in the conduct of any trade or commerce.” S.C. Code § 39-5-20(a). 98. In the course of its business, Uber, through its agents, employees, and/or subsidiaries, violated the South Carolina UTPA as detailed above. 99. Specifically, in failing to adequately protect the sensitive information of South Carolina 18 Subclass members and failing to adequately respond to a data breach, Defendant engaged in one or more 19 of the following unfair or deceptive acts or practices in violation of S.C. Code § 39-5-20(a): 20 • 21 22 Subclass members’ sensitive information; • 23 24 Representing that the Uber’s information security systems and practices have characteristics or benefits that they do not have; • 25 26 Causing likelihood of confusion or of misunderstanding as to security of South Carolina Engaging in other conduct which created a likelihood of confusion or of misunderstanding; and/or • Using or employing deception, fraud, false pretense, false promise or misrepresentation, 27 or the concealment, suppression or omission of a material fact with intent that others rely 28 upon such concealment, suppression or omission, in connection with the advertisement 17 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 21 of 23 1 and sale of Uber’s goods or services, whether or not any person has in fact been misled, 2 deceived or damaged thereby. 3 100. Defendant’s scheme and concealment of the true characteristics of its information 4 security systems were material to Plaintiffs and the South Carolina Subclass, as Defendant intended. 5 Had they known the truth, Plaintiffs and the South Carolina Subclass would not have permitted Uber to 6 retain their sensitive information. 7 101. Plaintiffs and South Carolina Subclass members had no way of discerning that 8 Defendant’s representations were false and misleading, or otherwise learning the facts that Defendant 9 had concealed or failed to disclose, because Defendant did not disclose the true nature of its information 10 11 security systems and practices. 102. Defendant had an ongoing duty to Plaintiffs and the South Carolina Subclass to refrain 12 from unfair and deceptive practices under the South Carolina UTPA in the course of its business. 13 Specifically, Defendant owed Plaintiffs and South Carolina Subclass members a duty to disclose all the 14 material facts concerning its information security systems and practices because it possessed exclusive 15 knowledge, it intentionally concealed this information from Plaintiffs and the South Carolina Subclass, 16 and/or it made misrepresentations that were rendered misleading because they were contradicted by 17 withheld facts. 18 103. Plaintiffs and South Carolina Subclass members suffered ascertainable loss and actual 19 damages as a direct and proximate result of Defendant’s concealment, misrepresentations, and/or failure 20 to disclose material information. 21 104. Defendant’s violations present a continuing risk to Plaintiffs and the South Carolina 22 Subclass, as well as to the general public. Defendant’s unlawful acts and practices complained of herein 23 affect the public interest. 24 105. Pursuant to S.C. Code § 39-5-140(a), Plaintiffs and the South Carolina Subclass seek an 25 order enjoining Defendant’s unfair and/or deceptive acts or practices, and awarding damages, treble 26 and/or punitive damages, and any other just and proper relief available under the South Carolina UTPA. 27 28 18 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 22 of 23 VIII. PRAYER FOR RELIEF 1 WHEREFORE, Plaintiffs, individually and on behalf of members of the Nationwide Class and 2 South Carolina Subclass, respectfully request: 3 106. An order certifying the proposed Class or Subclass under the provisions of Rule 23 of the 4 Federal Rules of Civil Procedure, and directing that notice be provided to all members of these Classes; 5 107. A finding that Uber breached its duty to safeguard and protect the PII of Plaintiffs and 6 Class members that was compromised in the Data Breach; 7 108. Injunctive relief, including public injunctive relief in the form of an order enjoining 8 Defendant from continuing the unlawful, deceptive, fraudulent, and unfair business practices alleged in 9 this Complaint; 10 109. That Plaintiffs and Class members recover damages in the form of restitution or 11 disgorgement and/or compensatory damages for economic loss and out-of-pocket costs, treble damages 12 under the applicable federal and state laws, and punitive and exemplary damages under applicable law; 13 110. A determination that Uber is financially responsible for all Class notice and 14 administration of Class relief; 15 111. A judgment against Defendant for any and all applicable statutory and civil penalties; 112. An order requiring Defendant to pay both pre- and post-judgment interest on any 16 17 amounts awarded; 18 113. An award to Plaintiffs and Class members of costs and reasonable attorneys’ fees; 114. Leave to amend this Complaint to conform to the evidence produced in discovery and at 19 20 trial; and 21 115. Such other or further relief as the Court may deem appropriate, just, and equitable. 22 IX. 23 DEMAND FOR JURY TRIAL Pursuant to Federal Rule of Civil Procedure 38(b), Plaintiffs demand a trial by jury of any and all 24 issues in this action so triable. 25 26 27 28 19 COMPLAINT Case 3:17-cv-06756 Document 1 Filed 11/22/17 Page 23 of 23 1 2 DATED this 22nd day of November, 2017. KELLER ROHRBACK L.L.P. 3 4 5 6 7 8 9 10 11 12 13 14 15 By /s/ Matthew J. Preusch Matthew J. Preusch (298144) Christopher L. Springer (291180) mpreusch@kellerrohrback.com cspringer@kellerrohrback.com 801 Garden Street, Suite 301 Santa Barbara, CA 93101 (805) 456-1496, Fax (805) 456-1497 Lynn Lincoln Sarko, pro hac vice forthcoming Gretchen Freeman Cappio, pro hac vice forthcoming Cari Campen Laufenberg, pro hac vice forthcoming KELLER ROHRBACK L.L.P. 1201 Third Avenue, Suite 3200 Seattle, WA 98101 (206) 623-1900, Fax (206) 623-3384 lsarko@kellerrohrback.com gcappio@kellerrohrback.com claufenberg@kellerrohrback.com MOTLEY RICE LLC 16 17 18 19 20 21 22 23 24 25 26 27 Jodi Flowers, pro hac vice forthcoming Breanne Cope (260217) 28 Bridgeside Boulevard Mount Pleasant, SC 29464 (843) 216-9000, Fax (843) 216-9450 jflowers@motleyrice.com bcope@motleyrice.com Laura Ray, pro hac vice forthcoming Mathew Jasinski, pro hac vice forthcoming One Corporate Center 20 Church Street 17th Floor Hartford, CT 06103 (860) 882-1681, Fax (860) 882-1682 lray@motleyrice.com mjasinski@motleyrice.com Attorneys for Plaintiffs 28 20 COMPLAINT