Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 1 of 37 Page ID #:1

Bobby Saadian, Esq. SBN: 250377
Colin M. Jones, Esq. SBN: 265628
WILSHIRE LAW FIRM
3055 Wilshire Blvd., 12th Floor
Los Angeles, California 90010
Tel: (213) 381-9988
Fax: (213) 381-9989

Attorneys for Plaintiff, Alejandro Flores

UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA

WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137

ALEJANDRO FLORES; individually and on behalf of all others similarly situated,
Plaintiffs,
vs.
RASIER, LLC., a Limited Liability Company; RASIER-CA, LLC., a Limited Liability Company; and UBER TECHNOLOGIES, INC., a corporation; DOES 1 through 15, inclusive,
Defendants.

CASE NO.: 2:17-cv-8503

CLASS ACTION COMPLAINT

1. BREACH OF IMPLIED CONTRACT
2. NEGLIGENCE
3. VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW CAL. BUS. & PROF. CODE § 17200 - UNLAWFUL BUSINESS PRACTICES
4. VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW CAL. BUS. & PROF. CODE §17200 UNFAIR BUSINESS PRACTICES
5. VIOLATION OF CALIFORNIA’S UNFAIR COMPETITION LAW CAL. BUS. & PROF. CODE §17200 FRAUDULENT/DECEPTIVE BUSINESS PRACTICES
6. UNFAIR AND DECEPTIVE BUSINESS PRACTICES
7. CONSTITUTIONAL INVASION OF PRIVACY
8. NEGLIGENCE PER SE
9. BREACH OF COVENANT OF DUTY OF GOOD FAITH AND FAIR DEALING
10. VIOLATION OF STATE DATA BREACH ACTS

Plaintiff, Alejandro Flores (“Plaintiff”), by and through her counsel of record, on behalf of themselves and all others similarly situated bring this Class Action Complaint against Rasier, LLC., a Limited Liability Company (“Rasier”), Rasier-CA, LLC., a Limited Liability Company (“Rasier-CA”), and Uber Technologies, Inc., a corporation, ("Uber") (Rasier, Rasier-LLC, and Uber are sometimes collectively referenced as "Uber Defendants" for ease of reading when the allegations implicate both entities). Plaintiffs alleges the following on information and belief, except as to those allegations specific to Plaintiffs, as follows:

I. NATURE OF THE ACTION

1. Millions of customers book rides using Uber for their traveling needs. Consumers expect the highest quality of services when booking a ride. What consumers did not expect was that starting in October 2016, driver and rider’s information was stolen. The information stolen included full name, driver’s license, e-mail addresses, mobile phone numbers, credit card numbers, social security numbers, and date of birth. This is a data breach case.

2. Plaintiffs, individually and on behalf of those similarly situated persons (hereafter “Class Members”), brings this Class Action to secure redress against Uber for their reckless and negligent violation of customer privacy rights. Plaintiffs and Class Members are former customers who booked rides, and were drivers in October 2016, at the time of the data breach.

3. Plaintiffs and Class Members suffered injury.
The security breach compromised both riders and drivers’ full name, driver’s license, e-mail addresses, mobile phone numbers, credit card numbers, social security numbers, and date of birth, and other private identifiable information (“PII”).

4. As a result of Uber’s wrongful actions and inactions, customer and driver’s information were stolen. Many of the customers who booked rides have had their PII compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.

II. THE PARTIES

5. Plaintiff Alejandro Flores is a California citizen residing in Los Angeles, California.

6. Plaintiffs bring this action on his own behalf and on behalf of all others similarly situated, namely all other individuals who have worked as Uber Black, Uber Pool, Uber SUV, or UberX drivers in the United States, and on behalf of all riders who ordered Uber rides during or near the time of the data breach incident.

7. Defendant Rasier, LLC. is a Limited Liability Company headquartered in San Francisco, California.

8. Defendant Rasier-CA, LLC. is a Limited Liability Company headquartered in San Francisco, California.

9. Defendant Uber Technologies, Inc. is a corporation headquartered in San Francisco, California. Defendant Uber Technologies is the parent company of Defendants Rasier and Rasier-CA.

10. The Uber Defendants provide car service in cities throughout the country via an on demand dispatch system that enables users to hail a car service driver using a mobile phone through the User application, and which enables transportation providers to accept and fulfill such on-demand requests for transportation services by Users seeking transportation services through the use of a driver’s application (collectively “Uber Software”).

11. At all relevant times, including during the Class Period, the Uber Defendants and/or their agents distributed, implemented, warranted, disseminated, permitted, licensed, or otherwise caused the Uber Software to be used by drivers and Users.

12. Plaintiff is ignorant of the true names and capacities of Defendants sued herein as Does 1 through 50, inclusive, and therefore sues these Defendants by such fictitious names. Plaintiff will amend this Complaint to allege their true names and capacities when the same are ascertained. Plaintiff is informed and believe and thereon allege that each of the fictitiously named Defendants are responsible in some manner for the occurrences and discriminatory acts alleged herein, and that Plaintiff’s damages alleged herein were proximately caused by these Defendants. When used herein, the term “Defendants” is inclusive of DOES 1 through 15.

13. Plaintiff is informed and believes and thereon alleges that at all relevant times herein, each of the Defendants, including the Defendants sued herein as Does 1 through 50, were the agents, employees, and/or joint venturers of, or working in concert with the other Defendants, and were acting within the course and scope of such agency, employment, joint venture and/or concerted activity.
To the extent that said conduct and omissions were perpetrated by Defendants and their agents, Defendants confirmed and ratified said conduct and omissions.

14. At all relevant times, including during the Class Period, each Defendant, including Does 1 through 50, acted as an agent, servant, employee, or joint venturer of the other Defendants, and in doing the things alleged acted within the course of such agency, employment, and/or in furtherance of the joint venture to accomplish the scheme. Each of the Defendants' acts alleged herein was done with the permission and consent of the other Defendant. While each of the Defendants are separate legal entities, each Defendant works together under a common identity as portrayed to the public and there is a sufficient unity of interest and control between each Defendant such that the acts of one are for the benefit and can be imputed to the acts of the other.

15. Whenever and wherever reference is made in this Complaint to any act by a Defendant or Defendants, such allegations and reference shall also be deemed to mean the acts and failures to act of each Defendant acting individually, jointly, and severally.

III. JURISDICTION AND VENUE

16. This Court has subject matter jurisdiction over the state law claims asserted here pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2), since some of the Class Members are citizens of a State different from the Defendant and, upon the original filing of this complaint, members of the putative Plaintiffs class resided in states around the country; there are more than 100 putative class members; and the amount in controversy exceeds $5 million.

17. The Court also has personal jurisdiction over the Parties because Uber conducts a major part of their national operations with regular and continuous business activity in California, with an advertising budget both not exceeded in other jurisdictions throughout the United States.

18. Venue is appropriate because, among other things: (a) Plaintiffs are resident and citizen of this District; (b) the Defendants had directed their activities at residents in this District; (b) the acts and omissions that give rise to this Action took place, among others, in this judicial district.

19. Venue is further appropriate pursuant to 28 U.S.C. § 1391 because Defendants conduct a large amount of their business in this District, and Defendants have substantial relationships in this District. Venue is also proper in this Court because a substantial part of the events and omissions giving rise to the harm of the Class Members occurred in this District.

IV. SUBSTANTIVE ALLEGATIONS

A. The Data Breach Unravels

20. On November 21, 2017, Uber’s new CEO, Dara Khosrowshahi disclosed that “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.” 2016 Data Security Incident, available at: https://www.uber.com/newsroom/2016-data-incident.

21. This disclosure was made more than a year later, customers, and drivers had no chance to protect their identity, and their information.

B. Stolen Information Is Valuable to Hackers and Thieves

22. It is well known, and the subject of many media reports, that payment card data is highly coveted and a frequent target of hackers.
Especially in the technology industry, the issue of data security and threats thereto, is well known. Despite well-publicized litigation and frequent public announcements of data breaches, Uber opted to maintain an insufficient and inadequate system to protect the payment information of Plaintiffs and Class Members. Legitimate organizations and criminal underground alike recognize the value of PII. Otherwise, they would not aggressively seek or pay for it. As previously seen in one of the world’s largest breaches, hackers compromised the card holder data of 40 million customers. See “Target: 40 million credit cards compromised,” CNN Money, Dec. 19, 2013, available at http://money.cnn.com/2013/12/18/news/companies/target-credit-card/ (attached hereto as Exhibit A).

23. Credit or debit card information is highly valuable to hackers. Credit and debit card information that is stolen from the point of sale are known as “dumps.” See Krebs on Security April 16, 2016, Blog Post, available at https://krebsonsecurity.com/2016/04/all-about-fraud-how-crooks-get-the-cvv/ (attached hereto as Exhibit B). Credit and debit card dumps can be sold in the cybercrime underground for a retail value of about “$20 apiece.” Id. This information can also be used to clone a debit or credit card. Id.

C. The Data Breach Has and Will Result in Additional Identity Theft and Identity Fraud

24. Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.

25. Security flaws and other infirmities were explicitly outlined by Visa, as early as 2009, when it issued a Data Security Alert outlining the threat of RAM scraper malware.
The report instructs companies to “[s]ecure remote access connectivity,” “[i]mplement a secure network configuration, including egress and ingress filtering to only allow the ports/services necessary to conduct business” (i.e., segregate networks), “actively monitor logs of network components, including IDS [intrusion detection systems] and firewalls for suspicious traffic, particularly outbound traffic to unknown addresses,” “[e]ncrypt cardholder data anywhere it is being stored and [] implement[] a data field encryption solution to directly address cardholder data in transit” and “[w]ork with your payment application vendor to ensure security controls are in place to prevent unauthorized modification to the payment application configuration.”

26. All merchants that accept customer payments via payment cards, including Defendants, are obligated and required to comply with the Payment Card Industry Data Security Standards (the “PCI DSS”). How to Be Compliant: Getting Started with PCI Data Security Standard Compliance, PCI SSC, available at https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php (last visited June 24, 2015) (stating “[i]f you are a merchant that accepts payment cards, you are required to be complaint with the PCI [DSS].”). Compliance with the PCI DSS is common practice in the retail industry. The PCI DSS, among other things, mandates merchants to protect cardholder data, PCI DSS v. 3.0 at 34 (Nov. 2013), requires merchants to install and maintain firewalls, id. at 19, forbids merchants from using default settings and passwords for applications and devices, id. at 28, requires merchants to segment cardholder data, id. at 61, and requires merchants to identify and authenticate their system users. Id. at 64.
27. Additionally, sub-requirement 3.2 of the PCI DSS requires merchants and other organizations involved in payment card transactions to refrain from storing sensitive authentication data after authorization (even if it is encrypted). See id. at 35. To adhere to the PCI DSS, a merchant must, inter alia:

    First, Assess -- identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data. Second, Remediate -- fix vulnerabilities and do not store cardholder data unless you need it. Third, Report -- compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.

(emphasis in original). How to Be Compliant: Getting Started with PCI Data Security Standard Compliance, PCI SSC, available at https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php (last visited June 24, 2015).

28. The ramification of Uber’s failure to keep Plaintiffs’ and Class Members’ data secure is severe.

29. According to Javelin Strategy and Research, “one in every three people who is notified of being a potential fraud victim becomes one . . . with 46% of consumers who had cards breached becoming fraud victims that same year.” “Someone Became an Identity Theft Victim Every 2 Seconds Last Year,” Fox Business, Feb. 5, 2014 available at http://www.foxbusiness.com/personal-finance/2014/02/05/someone-became-identitytheft-victim-every-2-seconds-last-year.html (attached hereto as Exhibit C).

30. It is incorrect to assume that reimbursing a consumer for a financial loss due to fraud makes that individual whole again.
On the contrary, after conducting a study, the Department of Justice’s Bureau of Justice Statistics (“BJS”) found that “among victims who had personal information used for fraudulent purposes, 29% spent a month or more resolving problems.” See “Victims of Identity Theft,” U.S. Department of Justice, Dec 2013, available at https://www.bjs.gov/content/pub/pdf/vit12.pdf (attached hereto as Exhibit D). In fact, the BJS reported, “resolving the problems caused by identity theft [could] take more than a year for some victims.” Id. at 11.

D. Annual Monetary Losses from Identity Theft are in the Billions of Dollars

31. Javelin Strategy and Research reports that those losses increased to $21 billion in 2013. See 2013 Identity Fraud Report (attached hereto as Exhibit E). There may be a time lag between when harm occurs and when it is discovered, and also between when PII is stolen and when it is used. According to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data breaches:

    [L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

GAO, Report to Congressional Requesters, at 33 (June 2007), available at http://www.gao.gov/new.items/d07737.pdf (attached hereto as Exhibit F)

32. Plaintiffs and Class Members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights.
The Class is incurring and will continue to incur such damages in addition to any fraudulent credit and debit card charges incurred by them and the resulting loss of use of their credit and access to funds, whether or not such charges are ultimately reimbursed by the credit card companies.

33. As Chief Judge Lasnik observed when sentencing a thief of PII, “identity theft can create huge emotional problems for people. We often think of bank fraud as just against a bank or just money, but it damages real people.” Press Release, United States Attorney’s Office, Western District of Washington, Member of ID Theft Ring That Preyed on Starbucks’ Employees Sentenced to Prison (June 2, 2006), available at http://www.usdoj.gov/usao/waw/press/2006/jun/nguyen.htm (last visited Apr. 28, 2009). Chief Judge Lasnik also noted that the damage of identity theft isn’t just financial, “it causes rifts between husbands and wives, it causes divorces.” Id.

E. Plaintiffs and Class Members Suffered Damages

34. The data breach was a direct and proximate result of Uber’s failure to properly safeguard and protect Plaintiffs’ and Class Members’ PII from unauthorized access, use, and disclosure, as required by various state and federal regulations, industry practices, and the common law, including Uber’s failure to establish and implement appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of Plaintiffs’ and Class Members’ PII to protect against reasonably foreseeable threats to the security or integrity of such information.

35. Plaintiffs and Class Members’ PII is private and sensitive in nature and was inadequately protected by Uber.
Uber did not obtain Plaintiffs’ and Class Members’ consent to disclose their PII, except to certain persons not relevant to this action, as required by applicable law and industry standards.

36. As a direct and proximate result of Uber’s wrongful action and inaction and the resulting data breach, Plaintiffs and Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the subject data breach on their lives by, among other things, placing “freezes” and “alerts” with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts for unauthorized activity.

37. As a result of this breach of security, Plaintiffs’ and other Class members’ debit cards and credit cards were exposed and subjected to unauthorized charges; their bank accounts were overdrawn and credit limits exceeded; they were deprived of the use of their cards and access to their funds; their preauthorized charge relationships were disrupted; they were required to expend time, energy and expense to address and resolve these financial disruptions and mitigate the consequences; and they suffered consequent emotional distress and their credit and debit card information is at an increased risk of theft and unauthorized use.

38. Plaintiffs' and class members were deprived of use of their cards for appreciable periods of time and were unable to access their accounts or their funds; customers lost accumulated miles and points toward bonus awards and were unable to earn points during the interval their cards were inactivated; customers who requested that their cards be cancelled were required to pay fees to issuing banks for replacement cards; customers who had registered their cards with online sellers were required to cancel and change their registered numbers; customers who had given creditors pre-authorization to charge their debit cards or credit cards for recurring payments were required to change the pre-authorizations; customers were placed in non-payment status by virtue of their cards being overdrawn or abruptly cancelled and were required to pay penalties and service reinstatement fees; customers purchased identity theft insurance and credit monitoring services to protect themselves against possible consequences of the breach; customers suffered emotional distress as they were forced to cope with the unauthorized charges and other consequences of Defendant’s data breach, and some customers are still not aware of the data breach or that their data has been compromised.

39. Some of the Plaintiffs’ and class members did not cancel their debit and credit cards and continue to experience fraudulent activity on their accounts.

40. Plaintiffs have suffered sufficiently concrete injuries for the purposes of Article III standing. The current rule in the Ninth Circuit comes from Spokeo ruling after remand from the United States Supreme Court. See Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. Aug. 15, 2017).
The “risk of real harm” is sufficient in this circumstance to constitute injury in fact. Id.; Lujan v. Defs. Of Wildlife, 504 U.S. 555, 578 (1992). The nature of a data breach, makes it so that the threatened injury is “certainly impending” as opposed to merely speculative. Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1147-48 (2013). The reason for that, is that the very nature of a data breach stems from individuals attempting to use the stolen information – this “intangible injury” has already occurred. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016). The harm in a data breach occurs to every affected individual that has had their information acquired without their consent. Whether anticipated conduct or an anticipated injury is likely to happen after a breach is beside the point. Just as in Spokeo II, the court did not suggest that “Congress's ability to recognize such injuries turns on whether they would also result in additional future injuries that would satisfy Clapper.” See, e.g., Spokeo II, 136 S. Ct. at 1553 (Thomas, J., concurring).

41. Uber’s wrongful actions and inaction directly and proximately caused the theft and dissemination into the public domain of Plaintiffs and Class Members’ PII, causing them to suffer, and continue to suffer, economic damages and other actual harm for which they are entitled to compensation, including:

a. Theft of their PII;
b. The imminent and certainly impending injury flowing from potential fraud and identity theft posed by their PII being placed in the hands of criminals and already misused via the sale of Plaintiffs’ and Class Members’ information on the Internet black market;
c. The untimely and inadequate notification of the data breach;
d. The improper disclosure of their PII;
e. Loss of privacy;
f. Ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the data breach;
g. Ascertainable losses in the form of deprivation of the value of their PII, for which there is a well-established national and international market;
h. Overpayments to Uber for booking rides and fees to drivers during the subject data breach in that a portion of the price paid for such booking by Plaintiffs and Class Members to Uber was for the costs of reasonable and adequate safeguards and security measures that would protect customers’ PII, which Uber and its affiliates did not implement and, as a result, Plaintiffs and Class Members did not receive what they paid for and were overcharged by Uber; and
i. Deprivation of rights they possess under the Unfair Competition Laws.

V. CLASS ACTION ALLEGATIONS

42. Plaintiffs brings this action on their own behalf and pursuant to the Federal Rules of Civil Procedure Rule 23(a), (b)(2), (b)(3), and (c)(4), Plaintiffs seeks certification of a Nationwide class and a California class. The nationwide class is initially defined as follows:

    All persons residing in the United States whose PII was disclosed in the data breach in 2016 (the “Nationwide Class”).

The California class is initially defined as follows:

    All persons residing in California whose PII was disclosed in the data breach in 2016 (the “California Class”).

43. Excluded from each of the above Classes are Uber, including any entity in which Uber has a controlling interest, is a parent or subsidiary, or which is controlled by Uber, as well as the officers, directors, affiliates, legal representatives, heirs, predecessors, successors, and assigns of Uber. Also excluded are the judges and court personnel in this case and any members of their immediate families. Plaintiffs reserves the right to amend the Class definitions if discovery and further investigation reveal that the Classes should be expanded or otherwise modified.

44. Numerosity. Fed. R. Civ. P. 23(a)(1). The members of the Classes are so numerous that the joinder of all members is impractical. While the exact number of Class Members is unknown to Plaintiffs at this time, Uber has acknowledged that customers’ PII was stolen for a period of over a year. The disposition of the claims of Class Members in a single action will provide substantial benefits to all parties and to the Court. The Class Members are readily identifiable from information and records in Uber’s possession, custody, or control.

45. Commonality. Fed. R. Civ. P. 23(a)(2) and (b)(3). There are questions of law and fact common to the Classes, which predominate over any questions affecting only individual Class Members. These common questions of law and fact include, without limitation:

a. Whether Uber owed a duty of care to Plaintiffs and Class Members with respect to the security of their personal information;
b. Whether Uber took reasonable steps and measures to safeguard Plaintiffs’ and Class Members’ personal information;
c. Whether Uber violated California’s Unfair Competition Law by failing to implement reasonable security procedures and practices;
d. Whether Uber violated common and statutory law by failing to promptly notify Class Members their Private Identifiable Information had been compromised;
e. Which security procedures and which data-breach notification procedure should Uber be required to implement as part of any injunctive relief ordered by the Court;
f. Whether Uber has an implied contractual obligation to use reasonable security measures;
g. Whether Uber has complied with any implied contractual obligation to use reasonable security measures;
h. Whether Uber acts and omissions described herein give rise to a claim of negligence;
i. Whether Uber knew or should have known of the security breach prior to its November 2017 disclosure;
j. Whether Uber had a duty to promptly notify Plaintiffs and Class Members that their personal information was, or potentially could be, compromised;
k. What security measures, if any, must be implemented by Uber to comply with its implied contractual obligations;
l. Whether Uber violated California’s privacy laws in connection with the acts and omissions described herein;
m. What the nature of the relief should be, including equitable relief, to which Plaintiffs and the Class Members are entitled;
n. Whether Uber willfully and/or negligently violated the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.; and
o. Whether Plaintiffs and the Class are entitled to damages, civil penalties, punitive damages, and/or injunctive relief.

46. Typicality. Fed. R. Civ. P. 23(a)(3). Plaintiffs’ claims are typical of those of other Class Members because Plaintiffs’ PII, like that of every other Class Member, was misused and/or disclosed by Uber.

47. Adequacy of Representation. Fed. R. Civ. P. 23(a)(4). Plaintiffs will fairly and adequately represent and protect the interests of the members of the Class. Plaintiffs have retained competent counsel experienced in litigation of class actions, including consumer and data breach class actions, and Plaintiffs intend to prosecute this action vigorously. Plaintiffs’ claims are typical of the claims of other members of the Class and Plaintiffs has the same non-conflicting interests as the other Members of the Class. The interests of the Class will be fairly and adequately represented by Plaintiffs and their counsel.

48. Superiority of Class Action. Fed. R. Civ. P. 23(b)(3). A class action is superior to other available methods for the fair and efficient adjudication of this controversy since joinder of all the members of the Classes is impracticable. Furthermore, the adjudication of this controversy through a class action will avoid the possibility of inconsistent and potentially conflicting adjudication of the asserted claims. There will be no difficulty in the management of this action as a class action.

49. Damages for any individual class member are likely insufficient to justify the cost of individual litigation so that, in the absence of class treatment, Uber’s violations of law inflicting substantial damages in the aggregate would go un-remedied.

50. Class certification is also appropriate under Fed. R. Civ. P. 23(a) and (b)(2), because Uber has acted or has refused to act on grounds generally applicable to the Classes, so that final injunctive relief or corresponding declaratory relief is appropriate as to the Classes as a whole.

COUNT I
Breach of Implied Contract
(On Behalf of Plaintiffs and the Nationwide and California Classes)

51. Plaintiffs incorporate the substantive allegations contained in each and every paragraph of this Complaint.

52. Uber’s system solicited and invited Plaintiffs and the members of the Class to book rides, and for drivers to drive customers. Plaintiffs and Class Members accepted Uber’s offers and booked rides through Uber.

53. When Plaintiffs and Class Members booked rides through Uber, they provided their Private Identifiable Information. In so doing, Plaintiffs and Class Members entered into implied contracts with Uber to which Uber agreed to safeguard and protect such information and to timely and accurately notify Plaintiffs and Class Members if their data had been breached and compromised.

54. Each booking made with Uber’s system by Plaintiffs and Class Members was made pursuant to the mutually agreed-upon implied contract with Uber and the drivers using their system under which Uber agreed to safeguard and protect Plaintiffs’ and Class Members’ Private Identifiable Information and to timely and accurately notify them if such information was compromised or stolen.

55. Plaintiffs and Class Members would not have provided and entrusted their Private Identifiable Information to Uber in the absence of the implied contract between them and Uber.

56. Plaintiffs and Class Members fully performed their obligations under the implied contracts with Uber.

57. Uber breached the implied contracts it made with Plaintiffs and Class Members by failing to safeguard and protect the Private Identifiable Information of Plaintiffs and Class Members and by failing to provide timely and accurate notice to them that their Private Identifiable Information was compromised as a result of the data breach.

58. As a direct and proximate result of Uber’s breaches of the implied contracts between Uber and Plaintiffs and Class Members, Plaintiffs and Class Members sustained actual losses and damages as described in detail above.

COUNT II
Negligence
(On Behalf of Plaintiffs and the Nationwide and California Classes)

59. Plaintiffs repeat and fully incorporate the allegations contained in each and every paragraph of this Complaint.

60. A special relationship exists between Defendants and the Consumer Plaintiffs and the Class. Defendants actively solicited Consumer Plaintiffs and the other Class members to use their PII in sales transactions at Defendants’ stores. When Consumer Plaintiffs and the other Class members gave their PII to Defendants to facilitate and close sales transactions, they did so with the mutual understanding that Defendants had reasonable security measures in place and Defendants would take reasonable steps to protect and safeguard the PII of Consumer Plaintiffs and the other Class members. Consumer Plaintiffs and the other Class members also gave their PII to Defendants on the premise that Defendants were in a superior position to protect against the harms attendant to unauthorized access, theft and misuse of that information.

61. Upon accepting Plaintiffs’ and Class Members’ Private Identifiable Information in their respective point-of-sale systems, Uber undertook and owed a duty to Plaintiffs and Class Members to exercise reasonable care to secure and safeguard that information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties, and to utilize commercially reasonable methods to do so. This duty included, among other things, designing, maintaining, and testing Uber’s security systems to ensure that Plaintiffs’ and the Class Members' PII was adequately secured and protected.

62. Uber further had a duty to implement processes that would detect a breach of its security system in a timely manner.

63. Uber had a duty to timely disclose to Plaintiffs and Class Members that their Private Identifiable Information had been or was reasonably believed to have been compromised. Timely disclosure was appropriate so that, among other things, Plaintiffs and Class Members could take appropriate measures to avoid use of bank funds, and monitor their account information and credit reports for fraudulent activity.

64. Uber breached its duty to discover and to notify Plaintiffs and Class Members of the unauthorized access by failing to discover the security breach within reasonable time and by failing to notify Plaintiffs and Class Members of the breach until November of 2017. To date, Uber has not provided sufficient information to Plaintiffs and Class Members regarding the extent and scope of the unauthorized access and continues to breach its disclosure obligations to Plaintiffs and the Class.

65. Uber also breached its duty to Plaintiffs and Class Members to adequately protect and safeguard this information by knowingly disregarding standard information security principles, despite obvious risks, and by allowing unmonitored and unrestricted access to unsecured Private Identifiable Information. Furthering its negligent practices, Uber failed to provide adequate supervision and oversight of the Private Identifiable Information with which it is entrusted, in spite of the known risk and foreseeable likelihood of breach and misuse, which permitted a third party to gather Plaintiffs’ and Class Members’ Private Identifiable Information, misuse the Private Identifiable Information, and intentionally disclose it to others without consent.

66. Through Uber’s acts and omissions described in this Complaint, including Uber’s failure to provide adequate security and its failure to protect Plaintiffs’ and Class Members’ Private Identifiable Information from being foreseeably captured, accessed, disseminated, stolen, and misused, Uber unlawfully breached its duty to use reasonable care to adequately protect and secure Plaintiffs and Class Members’ Private Identifiable Information during the time it was within Uber’s control.

67. Further, through its failure to timely discover and provide clear notification of the data breach to consumers, Uber prevented Plaintiffs and Class Members from taking meaningful, proactive steps to secure their Private Identifiable Information.

68. Upon information and belief, Uber improperly and inadequately safeguarded the Private Identifiable Information of Plaintiffs and Class Members in deviation from standard industry rules, regulations, and practices at the time of the data breach.

69. Uber’s failure to take proper security measures to protect Plaintiffs and Class Members’ sensitive PII as described in this Complaint, created conditions conducive to a foreseeable, intentional criminal act, namely the unauthorized access of Plaintiffs and Class Members’ Private Identifiable Information.

70. Uber’s conduct was grossly negligent and departed from all reasonable standards of care, including, but not limited to: failing to adequately protect the Private Identifiable Information; failing to conduct adequate regular security audits; failing to provide adequate and appropriate supervision of persons having access to Plaintiffs’ and Class Members’ Private Identifiable Information.

71. Neither Plaintiffs nor the other Class Members contributed to the data breach and subsequent misuse of their Private Identifiable Information as described in this Complaint. As a direct and proximate result of Uber’s negligence, Plaintiffs and Class Members sustained actual losses and damages as described in detail above.

COUNT III
Violation of California’s Unfair Competition Law Cal. Bus. & Prof. Code § 17200 Unlawful Business Practices
(On Behalf of the California Class)

72. Plaintiffs repeat and fully incorporate the allegations contained in each and every allegation of this Complaint.

73. Uber has violated Cal. Bus. and Prof. Code §17200 et seq. by engaging in unlawful, unfair or fraudulent business acts and practices and unfair, deceptive, untrue or misleading advertising that constitute acts of “unfair competition” as defined in Cal. Bus. Prof. Code §17200. Uber engaged in unlawful acts and practices with respect to its services by establishing the sub-standard security practices and procedures described herein; by soliciting and collecting Plaintiffs’ and Class Members’ Private Identifiable Information with knowledge that the information would not be adequately protected; and by gathering Plaintiffs’ and Class Members’ Private Identifiable Information in an unsecure electronic environment in violation of California’s data breach statute, Cal. Civ. Code § 1798.81.5, which requires Uber to take reasonable methods of safeguarding the Private Identifiable Information of Plaintiffs and the Class Members.

74. In addition, Uber engaged in unlawful acts and practices with respect to its services by failing to discover and then disclose the data breach to Plaintiffs and Class Members in a timely and accurate manner, contrary to the duties imposed by Cal. Civ. Code § 1798.82. To date, Uber has still not provided such sufficient information to Plaintiffs and the Class Members.

75. As a direct and proximate result of Uber’s unlawful acts and practices, Plaintiffs and the Class Members were injured and lost money or property, including but not limited to the loss of their legally protected interest in the confidentiality and privacy of their Private Identifiable Information, and additional losses described above.

76. Uber knew or should have known that its system had been breached and data security practices were inadequate to safeguard Class Members’ Private Identifiable Information and that the risk of a data breach or theft was highly likely. Uber’s actions in engaging in the above-named unlawful practices and acts were negligent, knowing and willful, and/or wanton and reckless with respect to the rights of Class Members.
WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 3 77. Plaintiffs and members of the Classes seek relief under Cal. Bus. & 4 Prof. Code § 17200, et. seq., including, but not limited to, restitution to Plaintiffs 5 and Class Members of money or property that Uber may have acquired by means 6 of its unlawful, and unfair business practices, restitutionary disgorgement of all 7 profits accruing to Uber because of its unlawful and unfair business practices, 8 declaratory relief, attorney’s fees and costs (pursuant to Cal. Code Civ. Proc. § 9 1021.5), and injunctive or other equitable relief. 10 COUNT IV 11 Violation of California’s Unfair Competition Law Cal. Bus. & Prof. Code 12 §17200 Unfair Business Practices 13 (On Behalf of the California Class) 14 15 16 78. Plaintiffs repeats and fully incorporates the allegations contained in each and every allegation of this Complaint. 79. Uber engaged in unfair acts and practices by soliciting and collecting 17 Plaintiffs’ and Class Members’ Private Identifiable Information with knowledge 18 that the information would not be adequately protected; while Plaintiffs’ and the 19 Class Members’ Private Identifiable Information would be processed in an 20 unsecure electronic environment. These unfair acts and practices were immoral, 21 unethical, oppressive, unscrupulous, unconscionable, and/or substantially injurious 22 to Plaintiffs and Class Members. They were likely to deceive the public into 23 believing their Private Identifiable Information was secure, when it was not. The 24 harm these practices caused to Plaintiffs and the members of the Class outweighed 25 their utility, if any. 26 80. 
Uber engaged in unfair acts and practices with respect to the provision 27 of its services by failing to enact adequate privacy and security measures and 28 protect Class Members’ Private Identifiable Information from further unauthorized 22 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 23 of 37 Page ID #:23 1 disclosure, release, data breaches, and theft, and failing to timely discovery and 2 give notice of the Data Breach. These unfair acts and practices were immoral, 3 unethical, oppressive, unscrupulous, unconscionable, and/or substantially injurious 4 to Plaintiffs and Class Members. They were likely to deceive the public into 5 believing their Private Identifiable Information was secure, when it was not. The 6 harm these practices caused to Plaintiffs and the Class Members outweighed their 7 utility, if any. 8 As a direct and proximate result of Uber’s acts of unfair practices and 9 acts, Plaintiffs and the members of the Class were injured and lost money or 10 property, including but not limited to the loss of their legally protected interest in 11 the confidentiality and privacy of their PII, and additional losses described above. 12 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 81. 82. Uber knew or should have known that its systems and data security 13 practices were inadequate to safeguard Class Members’ Private Identifiable 14 Information and that the risk of a data breach or theft was highly likely. Uber’s 15 actions in engaging in the above-named unlawful practices and acts were negligent, 16 knowing and willful, and/or wanton and reckless with respect to the rights of the 17 Class Members. 18 83. The members of the Class seek relief under Cal. Bus. & Prof. Code 19 § 17200, et. 
seq., including, but not limited to, restitution to Plaintiffs and Class 20 Members of money or property that the Uber may have acquired by means of its 21 unfair business practices, restitutionary disgorgement of all profits accruing to 22 Uber because of its unfair business practices, declaratory relief, attorney’s fees 23 and costs (pursuant to Cal. Code Civ. Proc. §1021.5), and injunctive or other 24 equitable relief. 25 COUNT V 26 Violation of California’s Unfair Competition Law Cal. Bus. & Prof. Code 27 §17200 Fraudulent/Deceptive Business Practices 28 (On Behalf of the California Class) 23 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 24 of 37 Page ID #:24 1 2 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 3 84. Plaintiffs repeats and fully incorporates the allegations contained in each and every allegation of this Complaint. 85. Uber engaged in fraudulent and deceptive acts and practices by 4 representing and advertising that it would maintain adequate data privacy and 5 security practices and procedures to safeguard the Class Members’ Private 6 Identifiable Information from unauthorized disclosure, release, data breaches, and 7 theft; and representing and advertising that it did and would comply with the 8 requirements of relevant federal and state laws pertaining to the privacy and 9 security of the members of the Class’ Private Identifiable Information. These 10 representations were likely to deceive members of the public, including Plaintiffs 11 and Class Members, into believing their Private Identifiable Information was 12 securely stored, when it was not, and that Uber was complying with relevant law, 13 when it was not. 14 86. Uber engaged in fraudulent and deceptive acts and practices by 15 omitting, suppressing, and concealing the material fact of the inadequacy of the 16 privacy and security protections for Class Members’ Private Identifiable 17 Information. 
At the time that Class Members were booking rides through Uber’s 18 system, Uber failed to disclose to Class Members that its data security systems 19 failed to meet legal and industry standards for the protection of their Private 20 Identifiable Information. Plaintiffs would not have booked rides with Uber if 21 they had known about its substandard data security practices. These 22 representations were likely to deceive members of the public, including Plaintiffs 23 and the Class Members, into believing their Private Identifiable Information was 24 secure, when it was not, and that Uber was complying with relevant law and 25 industry standards, when it was not. 26 87. As a direct and proximate result of Uber’s deceptive practices and 27 acts, Plaintiffs and the Class Members were injured and lost money or property, 28 including but not limited to the loss of their legally protected interest in the 24 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 25 of 37 Page ID #:25 1 confidentiality and privacy of their Private Identifiable Information, and 2 additional losses described above. 3 Uber knew or should have known that its system and data security 4 practices were inadequate to safeguard Class Members’ PII and that the risk of a 5 data breach or theft was highly likely. Uber’s actions in engaging in the above- 6 named unlawful practices and acts were negligent, knowing and willful, and/or 7 wanton and reckless with respect to the rights of Class Members. 8 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 88. 89. Class Members seek relief under Cal. Bus. & Prof. Code § 17200, et. 
9 seq., including, but not limited to, restitution to Plaintiffs and Class Members of 10 money or property that Uber may have acquired by means of its fraudulent and 11 deceptive business practices, restitutionary disgorgement of all profits accruing to 12 Uber because of its fraudulent and deceptive business practices, declaratory 13 relief, attorney’s fees and costs (pursuant to Cal. Code Civ. Proc. §1021.5), and 14 injunctive or other equitable relief. 15 COUNT VI 16 Unfair and Deceptive Business Practices 17 (On Behalf of the Nationwide Class) 18 19 20 90. Plaintiffs repeats and fully incorporates the allegations contained in each and every allegation of this Complaint. 91. Plaintiffs bring this Count individually, and on behalf of all similarly 21 situated residents of each of the 50 States and the District of Columbia, aside 22 from the state of California, for violations of the respective statutory consumer 23 protection laws, as follows: 24 a. 19–1, et seq.; 25 26 b. the Alaska Unfair Trade Practices and Consumer Protection Act, AS § 45.50.471, et seq.; 27 28 the Alabama Deceptive Trade Practices Act, Ala.Code 1975, § 8– c. the Arizona Consumer Fraud Act, A.R.S §§ 44-1521, et seq.; 25 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 26 of 37 Page ID #:26 1 d. et seq.; 2 3 e. the Colorado Consumer Protection Act, C.R.S.A. §6-1-101, et seq.; 4 f. the Connecticut Unfair Trade Practices Act, C.G.S.A. § 42-110, et seq.; 5 6 g. the Delaware Consumer Fraud Act, 6 Del. C. § 2513, et seq.; 7 h. the D.C. Consumer Protection Procedures Act, DC Code § 28-3901, et seq.; 8 9 i. the Florida Deceptive and Unfair Trade Practices Act, FSA § 501.201, et seq.; 10 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 the Arkansas Deceptive Trade Practices Act, Ark.Code §§ 4-88-101, 11 j. the Georgia Fair Business Practices Act, OCGA § 10-1-390, et seq.; 12 k. the Hawaii Unfair Competition Law, H.R.S. 
§ 480-1, et seq.; 13 l. the Idaho Consumer Protection Act, I.C. § 48-601, et seq.; 14 m. the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 501/1 et seq.; 15 16 n. seq. 17 18 the Indiana Deceptive Consumer Sales Act, IN ST § 24-5-0.5-2, et o. the Iowa Private Right of Action for Consumer Frauds Act, Iowa Code Ann. § 714H.1, et seq.; 19 20 p. the Kansas Consumer Protection Act, K.S.A. § 50-623, et seq.; 21 q. the Kentucky Consumer Protection Act, KRS 367.110, et seq.; 22 r. the Louisiana Unfair Trade Practices and Consumer Protection Law, LSA-R.S. 51:1401, et seq.; 23 24 s. the Maine Unfair Trade Practices Act, 5 M.R.S.A. § 205-A, et seq.; 25 t. the Maryland Consumer Protection Act, MD Code, Commercial Law, § 13-301, et seq.; 26 27 28 u. the Massachusetts Regulation of Business Practices for Consumers Protection Act, M.G.L.A. 93A, et seq.; 26 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 27 of 37 Page ID #:27 1 v. the Michigan Consumer Protection Act, M.C.L.A. 445.901, et seq.; 2 w. the Minnesota Prevention of Consumer Fraud Act, Minn. Stat. § 325F.68, et seq.; 3 4 x. 1, et seq. 5 6 y. the Missouri Merchandising Practices Act, V.A.M.S. § 407, et seq.; 7 z. the Montana Unfair Trade Practices and Consumer Protection Act of 1973, Mont. Code Ann. § 30-14-101, et seq.; 8 9 aa. the Nebraska Consumer Protection Act, Neb.Rev.St. §§ 59-1601, et seq.; 10 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 the Mississippi Consumer Protection Act, Miss. Code Ann. § 75-24- 11 bb. the Nevada Deceptive Trade Practices Act, N.R.S. 41.600, et seq.; 12 cc. the New Hampshire Regulation of Business Practices for Consumer Protection, N.H.Rev.Stat. § 358-A:1, et seq.; 13 14 dd. the New Jersey Consumer Fraud Act, N.J.S.A. 56:8, et seq.; 15 ee. the New Mexico Unfair Practices Act, N.M.S.A. §§ 57-12-1, et seq.; 16 ff. the New York Consumer Protection from Deceptive Acts and Practices, N.Y. 
GBL (McKinney) § 349, et seq.; 17 18 gg. Gen Stat. § 75-1.1, et seq.; 19 20 the North Carolina Unfair and Deceptive Trade Practices Act, N.C. hh. the North Dakota Consumer Fraud Act, N.D. Cent.Code Chapter 5115, et seq.; 21 22 ii. the Ohio Consumer Sales Practices Act, R.C. 1345.01, et seq.; 23 jj. the Oklahoma Consumer Protection Act, 15 O.S.2001, §§ 751, et seq.; 24 25 kk. the Oregon Unlawful Trade Practices Act, ORS 646.605, et seq.; 26 ll. the Pennsylvania Unfair Trade Practices and Consumer Protection 27 28 Law, 73 P.S. § 201-1, et seq.; mm. the Rhode Island Deceptive Trade Practices Act, G.L.1956 § 6-13.127 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 28 of 37 Page ID #:28 5.2(B), et seq.; 1 2 nn. 39-5-10, et seq.; 3 4 oo. pp. qq. the Texas Deceptive Trade Practices-Consumer Protection Act, V.T.C.A., Bus. & C. § 17.41, et seq.; 9 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 the Tennessee Consumer Protection Act, T.C.A. § 47-18-101, et seq.; 7 8 the South Dakota Deceptive Trade Practices and Consumer Protection Act, SDCL § 37-24-1, et seq.; 5 6 the South Carolina Unfair Trade Practices Act, SC Code 1976, §§ 10 rr. the Utah Consumer Sales Practices Act, UT ST § 13-11-1, et seq.; 11 ss. the Vermont Consumer Fraud Act, 9 V.S.A. § 2451, et seq.; 12 tt. the Virginia Consumer Protection Act of 1977, VA ST § 59.1-196, et seq.; 13 14 uu. seq.; 15 16 vv. ww. the Wisconsin Deceptive Trade Practices Act, WIS.STAT. § 100.18, et seq.; and 19 20 xx. the Wyoming Consumer Protection Act, WY ST § 40-12-101, et seq. 21 22 the West Virginia Consumer Credit And Protection Act, W.Va.Code § 46A-1-101, et seq.; 17 18 the Washington Consumer Protection Act, RCWA 19.86.010, et 92. 
Uber violated the statutes set forth above (collectively, the 23 “Consumer Protection Acts”) by failing to properly implement adequate, 24 commercially reasonable security measures to protect Plaintiffs and Class 25 Members’ PII, and by allowing third parties to access Plaintiffs’ and Class 26 Members’ PII. 27 28 93. Uber further violated the Consumer Protection Acts by failing to disclose to the consumers that its data security practices were inadequate, thus 28 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 29 of 37 Page ID #:29 1 2 3 4 94. Uber’s acts and/or omissions constitute fraudulent, deceptive, and/or unfair acts or omissions under the Consumer Protection Acts. 95. Plaintiffs and other Class Members were deceived by Uber’s failure 5 to properly implement adequate, commercially reasonable security measures to 6 protect their PII. 7 96. Uber intended for Plaintiffs and other Class Members to rely on 8 Uber to protect the information furnished to it in connection with debit and credit 9 card transactions and/or otherwise collected by Uber, in such manner that 10 Plaintiffs’ PII would be protected, secure and not susceptible to access from 11 unauthorized third parties. 12 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 inducing consumers to schedule and book rides through Uber. 13 14 15 16 97. Uber instead handled Plaintiffs’ and other Class Members’ information in such manner that it was compromised. 98. Uber failed to follow industry best practices concerning data security or was negligent in preventing the Data Breach from occurring. 99. It was foreseeable that Uber’s willful indifference or negligent 17 course of conduct in handling PII it collected would put that information at the 18 risk of compromise by data thieves. 19 100. 
On information and belief, Uber benefited from mishandling the PII 20 of customers, by not taking effective measures to secure this information, and 21 therefore saving on the cost of providing data security. 22 101. Uber’s fraudulent and deceptive acts and omissions were intended to 23 induce Plaintiffs’ and Class Members’ reliance on Uber’s deception that their 24 Private Information was secure. 25 102. Uber’s conduct offends public policy and constitutes unfair acts or 26 practices under the Consumer Protection Acts because Uber caused substantial 27 injury to Class Members that is not offset by countervailing benefits to 28 consumers or competition, and is not reasonably avoidable by consumers. 29 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 30 of 37 Page ID #:30 1 2 appropriate security measures to protect Private Information constitute violations 3 of the Federal Trade Commission Act, 15 U.S.C. § 45(a), which the courts 4 consider when evaluating claims under the Consumer Protection Acts, including 5 815 ILCS 505/2. 6 104. Uber’s conduct constitutes unfair acts or practices as defined in the 7 Consumer Protection Acts because Uber caused substantial injury to Class 8 members, which injury is not offset by countervailing benefits to consumers or 9 competition and was not reasonably avoidable by consumers. 10 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 103. Uber’s acts or practice of failing to employ reasonable and 105. Plaintiffs and other Class Members have suffered injury in fact and 11 actual damages including lost money and property as a result of Uber’s violations 12 of the Consumer Protection Acts. 13 106. Uber’s fraudulent and deceptive behavior proximately caused 14 Plaintiffs’ and Class Members’ injuries, and Uber conducted itself with reckless 15 indifference toward the rights of others, such that an award of punitive damages 16 is appropriate. 17 107. 
Uber’s failure to disclose information concerning the Data Breach 18 directly and promptly to affected customers, constitutes a separate fraudulent act 19 or practice in violation of the Consumer Protection Acts. 20 21 108. Plaintiffs seek attorney’s fees and damages to the fullest extent permitted under the Consumer Protection Acts, including N.Y. G.B.L. § 349(h). 22 COUNT VII 23 Constitutional Invasion of Privacy 24 (On Behalf of the California Class) 25 26 27 28 109. Plaintiffs repeats and fully incorporates the allegations contained in each and every allegation of this Complaint. 110. Cal. Const., Art. 1., section 1 provides that “[a]ll people are by nature free and independent and have inalienable rights. Among these are 30 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 31 of 37 Page ID #:31 1 enjoying and defending life and liberty, acquiring, possessing, and protecting 2 property, and pursuing and obtaining safety, happiness, and privacy.” 3 4 in the Private Identifiable Information provided to Uber. 5 112. Plaintiffs and Class Members had a reasonable expectation of 6 privacy as to the Private Identifiable Information they provided to Uber under the 7 circumstances of their purchases. 8 9 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 111. Plaintiffs and Class members had a legally protected privacy interest 113. Uber's actions and inactions amounted to a serious invasion of the protected privacy interests of Plaintiffs and Class Members. 10 114. Uber's invasion of Plaintiffs and Class Members' reasonable 11 expectation of privacy caused Plaintiffs and Class members to suffer damages. 12 COUNT VIII 13 Negligence Per Se 14 (On Behalf of Plaintiffs and the Nationwide and California Classes 15 16 17 115. Plaintiffs repeats and fully incorporates the allegations contained in each and every allegation of this Complaint. 116. Pursuant to the Federal Trade Commission Act (15 U.S.C. 
§45), 18 Uber had a duty to provide fair and adequate computer systems and data security 19 practices to safeguard Plaintiffs’ and Class Members’ PII. 20 117. Pursuant to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801), Uber 21 had a duty to protect the security and confidentiality of Plaintiffs’ and Class 22 Members’ PII. 23 118. Pursuant to state laws in the following 12 states, Uber operating in 24 those states had a duty to those respective states’ Class Members to implement 25 and maintain reasonable security procedures and practices to safeguard Plaintiffs’ 26 and Class Members’ Personal Information: 27 a. Arkansas: Ark. Code § 4-110-104 28 b. California: Cal Civ. Code § 1798.81.5 31 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 32 of 37 Page ID #:32 1 c. Connecticut: Conn. Gen. Stat. § 42-471 2 d. Florida: Fla. Stat. § 501.171(2) 3 e. Indiana: Ind. Code § 24-4.9-3.5 4 f. Maryland: Md. Code. Comm. Law § 14-5303 5 g. Massachusetts: Mass. Gen Laws Ch. 93H, § 3(a) 6 h. Nevada: Nev. Rev. Stat. § 603A.210 7 i. Oregon: Ore. Rev. Stat. § 646A.622(1) 8 j. Rhode Island: R.I. Gen Laws § 11-49.2-2(2) 9 k. Texas: Tex. Bus. & Com. Code § 521.052(a) l. Utah: Utah Code § 14-44-201(1)(a) WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 10 11 119. Uber breached their duties to Plaintiffs and Statewide Class 12 Members under the Federal Trade Commission Act (15 U.S.C. § 45), Gramm- 13 Leach-Bliley Act (15 U.S.C. § 6801), and the state reasonable data security 14 statutes by failing to provide fair, reasonable, or adequate computer systems and 15 data security practices to safeguard Plaintiffs’ and Class Members’ Personal 16 Information. 17 18 120. Uber’s failure to comply with applicable laws and regulations constitutes negligence per se. 19 121. 
But for Uber’s wrongful and negligent breach of their duties owed to 20 Plaintiffs and Statewide Class Members, Plaintiffs and Statewide Class Members 21 would not have been injured. 22 122. The injury and harm suffered by Plaintiffs and Statewide Class 23 Members was the reasonably foreseeable result of Uber’s breach of their duties. 24 Uber knew or should have known that they were failing to meet their duties, and 25 that Uber’s breach would cause Plaintiffs and Statewide Class Members to 26 experience the foreseeable harms associated with the exposure of their Personal 27 Information. 28 123. As a direct and proximate result of Uber negligent conduct, 32 CLASS ACTION COMPLAINT Case 2:17-cv-08503-FMO-GJS Document 1 Filed 11/21/17 Page 33 of 37 Page ID #:33 1 Plaintiffs and Class Members have suffered injury and are entitled to damages in 2 an amount to be proven at trial. 3 COUNT IX 4 Breach of the Covenant of Duty of Good Faith and Fair Dealing 5 (On Behalf of Plaintiffs and the Nationwide and California Classes) 6 124. Plaintiffs repeats and fully incorporates the allegations contained in 7 8 9 10 11 WILSHIRE LAW FIRM, PLC 3055 Wilshire Blvd, 12th Floor Los Angeles, CA 90010-1137 12 13 14 15 16 each and every allegation of this Complaint. 125. The law implies a covenant of good faith and fair dealing in every contract. 126. Plaintiffs and Class Members contracted with Defendant by accepting Defendant’s offers and paying for the booking of rides. 127. Plaintiffs and Class Members performed all of the significant duties under their agreements with Defendant. 128. The conditions required for Uber’s performance under the contract has occurred. 129. Uber did not provide and/or unfairly interfered with and/or frustrated 17 the right of Plaintiffs and the Class Members to receive the full benefits under 18 their agreement. 19 130. 
Uber breached the covenant of good faith and fair dealing implied in its contracts with Plaintiffs and the Class Members by failing to use and provide reasonable and industry-leading security practices.

131. Plaintiffs and the Class Members were damaged by Uber’s breach in that they paid for, but never received, the valuable security protections to which they were entitled, and which would have made their products and services more valuable.

COUNT X
Violation of State Data Breach Acts
(On Behalf of Plaintiffs and the Nationwide and California Classes)

132. Plaintiffs repeat and fully incorporate the allegations contained in each and every allegation of this Complaint.

133. Uber owns, licenses and/or maintains computerized data that includes Plaintiffs’ and Class Members’ PII.

134. Uber was required to, but failed to, take all reasonable steps to dispose, or arrange for the disposal, of records within its custody or control containing PII when the records were no longer to be retained, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

135. Uber’s conduct, as alleged above, violated the data breach statutes of many states, including:
a. California, Cal. Civ. Code §§ 1798.80 et seq.;
b. Hawaii, Haw. Rev. Stat. § 487N-1–4 (2006);
c. Illinois, 815 Ill. Comp Stat. Ann. 530/1–/30 (2006);
d. Louisiana, La. Rev. Stat. § 51:3071-3077 (2005), and L.A.C. 16:III.701;
e. Michigan, Mich. Comp. Laws Ann. §§ 445.63, 445.65, 445.72 (2006);
f. New Hampshire, N.H. Rev. Stat. Ann. §§ 359-C:19–C:21, 358A:4 (2006)., 332-I:1–I:610;
g. New Jersey, N.J. Stat. Ann. § 56:8-163–66 (2005);
h. North Carolina, N.C. Gen. Stat.
§§ 75-65 (2005); as amended (2009);
i. Oregon, Or. Rev. Stat. §§ 646A.602, 646A.604, 646A.624 (2011);
j. Puerto Rico, 10 L.P.R.A. § 4051; 10 L.P.R.A. § 4052 (2005), as amended (2008);
k. South Carolina, S.C. Code § 1-11-490 (2008); S.C. Code § 39-190 (2009);
l. Virgin Islands, 14 V.I.C. § 2208, et seq. (2005);
m. Virginia, Va. Code Ann. § 18.2-186.6 (2008); Va. Code Ann. § 32.1–127.1:05 (2011); and
n. the District of Columbia, D.C. Code § 28-3851 to 28-3853 (2007) (collectively, the “State Data Breach Acts”).

136. Uber was required to, but failed to, implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach.

137. The Data Breach constituted a “breach of the security system” within the meaning of section 1798.82(g) of the California Civil Code, and other State Data Breach Acts.

138. The information compromised in the Data Breach constituted “personal information” within the meaning of section 1798.80(e) of the California Civil Code, and other State Data Breach Acts.

139. Like other State Data Breach Acts, California Civil Code § 1798.80(e) requires disclosure of data breaches “in the most expedient time possible and without unreasonable delay . . . .”

140. Uber violated Cal. Civ. Code § 1798.80(e) and other State Data Breach Acts by unreasonably delaying disclosure of the Data Breach to Plaintiffs and other Class Members, whose PII was, or was reasonably believed to have been, acquired by an unauthorized person.

141. Upon information and belief, no law enforcement agency instructed Uber that notification to Plaintiffs and Class Members would impede a criminal investigation.

142.
As a result of Uber’s violation of State Data Breach Acts, including Cal. Civ. Code § 1798.80, et seq., Plaintiffs and Class Members incurred economic damages, including expenses associated with monitoring their personal and financial information to prevent further fraud.

143. Plaintiffs, individually and on behalf of the Class, seek all remedies available under Cal. Civ. Code § 1798.84 and under the other State Data Breach Acts, including, but not limited to: (a) actual damages suffered by Class Members as alleged above; (b) statutory damages for Uber’s willful, intentional, and/or reckless violation of Cal. Civ. Code § 1798.83; (c) equitable relief; and (d) reasonable attorneys’ fees and costs under Cal. Civ. Code § 1798.84(g).

144. Because Uber was guilty of oppression, fraud or malice, in that it failed to act with a willful and conscious disregard of Plaintiffs’ and Class Members’ rights, Plaintiffs also seek punitive damages, individually and on behalf of the Class.

VI. PRAYER FOR RELIEF

WHEREFORE, Plaintiffs, individually and on behalf of all Class Members proposed in this Complaint, respectfully request that the Court enter judgment in her favor and against Uber as follows:

A. For an Order certifying the Nationwide Class and California Class as defined here, and appointing Plaintiffs and her Counsel to represent the Nationwide Class and the California Class;

B. For equitable relief enjoining Uber from engaging in the wrongful conduct complained of here pertaining to the misuse and/or disclosure of Plaintiffs’ and Class Members’ Private Identifiable Information, and from refusing to issue prompt, complete, and accurate disclosures to the Plaintiffs and Class Members;

C.
For equitable relief compelling Uber to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety and to disclose with specificity to Class Members the type of PII compromised.

D. For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Uber’s wrongful conduct;

E. For an award of actual damages and compensatory damages, in an amount to be determined;

F. For an award of costs of suit and attorneys’ fees, as allowable by law; and

G. Such other and further relief as this court may deem just and proper.

DEMAND FOR JURY TRIAL

Based on the foregoing, Plaintiffs, on behalf of themselves, and all others similarly situated, hereby demand a jury trial for all claims so triable.

Dated: November 21, 2017

Respectfully Submitted,

/s/ Colin M. Jones, Esq.
Colin M. Jones, Esq. SBN: 265628
Attorneys for Plaintiffs