Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 1 of 33 Page ID #:1 1 4 Patrice L. Bishop (182256) pbishop@ssbla.com STULL, STULL & BRODY 9430 W. Olympic Blvd., Suite 400 Beverly Hills, CA 90212 Tel: 310-209-2468 Fax: 310-209-2087 5 Counsel for Plaintiffs 6 (Additional Counsel on Signature Page) 2 3 7 8 UNITED STATES DISTRICT COURT 9 FOR THE CENTRAL DISTRICT OF CALIFORNIA 10 11 12 13 14 BENJAMIN HELLER, DAVID Case No. 17-cv-8545 FLUSS, ANNA LUNA, MARCY LOKIETZ, AKASH SHETH, COMPLAINT Individually and on Behalf of all Others Similarly Situated, 15 16 17 18 Plaintiffs, v. RASIER, LLC, RASIER-CA, LLC, and UBER TECHNOLOGIES, INC., Defendants. 19 20 21 22 23 24 25 26 27 28 COMPLAINT CASE NO. 17-cv-8545 CLASS ACTION DEMAND FOR JURY TRIAL Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 2 of 33 Page ID #:2 1 Plaintiffs Benjamin Heller, Anna Luna, David Fluss, Marcy Lokietz and 2 Akash Sheth (“Plaintiffs”), by and through their undersigned counsel, submits this 3 Complaint on behalf of themselves and all others similarly situated. Plaintiffs’ 4 allegations are based upon their personal knowledge as to themselves and their own 5 acts, and upon information and belief, developed from the investigation and analysis 6 by Plaintiffs’ counsel, including a review of publicly available information. NATURE OF THE ACTION 7 8 1. Plaintiffs bring this class action case against Rasier, LLC., Rasier-CA, 9 LLC., Uber Technologies, Inc. (collectively referred to as either “Uber” or 10 “Defendants”) for their failure to secure and safeguard riders’ and drivers’ 11 personally identifiable information (“PII”) which Uber collected in connection with 12 the operation of its business. 13 2. On November 21, 2017, Uber disclosed that in October 2016 hackers 14 had stolen 57 million driver and rider accounts (the “Data Breach” or “Breach”) and 15 that Defendants had kept the data breach secret for more than a year after paying a 16 $100,000 ransom. 17 3. Uber has acknowledged that a cybersecurity incident occurred, 18 resulting in the theft of its riders’ and drivers’ PII, consisting of names, addresses, 19 email addresses, credit card numbers and other information. 20 4. PII for Plaintiffs and the class of riders and drivers they seek to 21 represent was compromised due to Uber’s acts and omissions and their failure to 22 properly protect PII. 23 5. Uber could have prevented this Data Breach. 24 6. Uber disregarded the rights of Plaintiffs and Class members by 25 intentionally, willfully, recklessly, or negligently failing to take adequate and 26 reasonable measures to ensure its data systems were protected, failing to disclose to 27 its riders and drivers the material fact that it did not have adequate security practices 28 COMPLAINT CASE NO. 17-cv-8545 -2- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 3 of 33 Page ID #:3 1 to safeguard PII, failing to take available steps to prevent and stop the breach from 2 ever happening, and failing to monitor and detect the breach on a timely basis. 3 7. As a result of the Data Breach, PII of the Plaintiffs and Class members 4 has been exposed, in all likelihood, to criminals for misuse. The injuries suffered by 5 Plaintiffs and Class members, or likely to be suffered as a direct result of the Data 6 Breach, include: 7 a. unauthorized use of their PII; 8 b. theft of their personal and financial information; 9 c. costs associated with the detection and prevention of identity theft and 10 unauthorized use of their financial accounts; 11 d. damages arising from the inability to use their PII; 12 e. loss of use of and access to their account funds and costs associated 13 with inability to obtain money from their accounts or being limited in the 14 amount of money they were permitted to obtain from their accounts, 15 including missed payments on bills and loans, late charges and fees, and 16 adverse effects on their credit including decreased credit scores and adverse 17 credit notations; 18 f. 19 enjoyment of one’s life from taking time to address and attempt to ameliorate, 20 mitigate and deal with the actual and future consequences of the Data Breach, 21 including finding fraudulent charges, the costs of purchasing credit 22 monitoring and identity theft protection services, and the stress, nuisance and 23 annoyance of dealing with all issues resulting from the Data Breach; 24 g. 25 fraud and identify theft posed by their PII being placed in the hands of 26 criminals and already misused via the sale of Plaintiffs and Class members’ 27 information on the Internet black market; 28 h. costs associated with time spent and the loss of productivity or the the imminent and certainly impending injury flowing from potential damages to and diminution in value of their PII entrusted to Uber for COMPLAINT CASE NO. -3- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 4 of 33 Page ID #:4 1 the sole purpose of purchasing products and services from Uber; and 2 i. the loss of Plaintiffs’ and Class members’ privacy. 3 8. The injuries to the Plaintiffs and Class members were directly and 4 proximately caused by Defendants’ failure to implement or maintain adequate data 5 security measures for PII. 6 9. Further, Plaintiffs retain a significant interest in ensuring that their PII, 7 which, while stolen, remains in the possession of Defendants, is protected from 8 further breaches, and seeks to remedy the harms they have suffered on behalf of 9 themselves and similarly situated riders and drivers whose PII was stolen as a result 10 11 of the Data Breach. 10. Plaintiffs bring this action to remedy these harms on behalf of 12 themselves and all similarly situated individuals whose PII was accessed during the 13 Data Breach. Plaintiffs seek the following remedies, among others: statutory 14 damages under state and/or federal laws, reimbursement of out-of-pocket losses, 15 other compensatory damages, further and more robust credit monitoring services 16 with accompanying identity theft insurance, and injunctive relief including an order 17 requiring Defendants to implement improved data security measures. PARTIES 18 19 20 21 22 23 24 25 26 27 28 11. Plaintiff Anna Luna is a California citizen residing in Encino, California, and was an Uber rider in October 2016. 12. Plaintiff Benjamin Heller is a New York citizen residing in New York, New York, and was an Uber rider in October 2016. 13. Plaintiff David Fluss is a Florida citizen residing in Tamarac, Florida, and was an Uber driver in October 2016. 14. Plaintiff Marcy Lokietz is a Florida citizen residing in Parkland, Florida, and was an Uber rider in October 2016. 15. Plaintiff Akash Sheth is a New Jersey citizen residing in Edison, New Jersey, and was an Uber driver in October 2016. COMPLAINT CASE NO. -4- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 5 of 33 Page ID #:5 1 2 3 4 5 16. Defendant Rasier, LLC is a Limited Liability Company with its headquarters and principle place of business in San Francisco, California. 17. Defendants Rasier-CA, LLC is a Limited Liability Company with its headquarters and principle place of business in San Francisco, California. 18. Defendants Uber Technologies, Inc. is a corporation with its 6 headquarters and principle place of business and corporate offices in San Francisco, 7 California and is the parent company of Defendants Rasier and Rasier-CA. 8 19. The Defendants develop, market, and operate a ridesharing mobile 9 application which allows consumers to submit a trip request, which is routed to 10 crowd-sourced taxi drivers. Their smartphone application connects drivers with 11 people who need a ride. Uber’s application enables users to arrange and schedule 12 transportation and/or logistics services with third party providers. JURISDICTION AND VENUE 13 14 20. This Court has jurisdiction over this action pursuant to the Class Action 15 Fairness Act, 28 U.S.C. §1332(d)(2), because the amount in controversy exceeds 16 $5,000,000, exclusive of interest and costs, and Plaintiffs and Defendants are 17 citizens of different states. The proposed Class and Sub-classes each include well 18 over 100 members. 19 21. This Court has jurisdiction over Defendants because Uber regularly 20 conducts business in California; and has sufficient minimum contacts in California. 21 Defendants intentionally avail themselves of this jurisdiction by marketing and 22 offering their services from California to millions of consumers nationwide, 23 including Uber riders and drivers in the states of California, Florida, New York, and 24 New Jersey. 25 22. Venue is proper in this District pursuant to 28 U.S.C. §1391 because 26 Uber is registered to conduct business throughout California and regularly conducts 27 business in this District. 28 COMPLAINT CASE NO. -5- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 6 of 33 Page ID #:6 CLASS ACTION ALLEGATIONS 1 2 23. Plaintiffs bring this class action pursuant to the Federal Rules of Civil 3 Procedure 23(a) and (b)(3), on behalf of themselves and all others similarly situated 4 in the United States, who were Uber riders and drivers during and since the Data 5 Breach, had their personal information stolen from Uber’s software application 6 systems, and were damaged thereby (the “Class”). Plaintiffs also bring Counts on 7 behalf of Sub-classes of California, New Jersey, New York and Florida residents 8 who were Uber riders and drivers during and since the Data Breach and had their 9 personal information stolen from Uber’s software application systems and were 10 damaged thereby (the ”Sub-classes”). The Class and Sub-classes do not include 11 Uber officers or directors. 12 24. The Class and Sub-classes consist of potentially millions of Uber riders 13 and drivers. While the exact number of members of the Class and Sub-classes and 14 the identities of individual members of the Class and Subclasses are unknown to 15 Plaintiffs’ counsel at this time, and can only be ascertained through appropriate 16 discovery, based on the fact that 57 million Uber riders and drivers have been 17 adversely affected, the membership of the Class and Sub-classes are each so 18 numerous that joinder of all members is impracticable. 19 25. Uber’s wrongful conduct affected all members of the Class and Sub- 20 classes in exactly the same way. The Defendants’ failure to properly safeguard its 21 customer’s personal information is completely uniform among the Class and Sub- 22 classes. 23 26. Questions of law and fact common to all members of the Class and 24 Sub-classes predominate over any questions affecting only individual members. 25 Such common questions of law and fact include: 26 a. whether the Defendants acted wrongfully by failing to properly 27 safeguard their riders’ and drivers’ personal information collected and 28 stored by Uber on its software application system; COMPLAINT CASE NO. -6- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 7 of 33 Page ID #:7 1 b. whether Defendants’ conduct violated law; 2 c. whether the Plaintiffs and the other members of the Class and 3 Subclasses have been damaged, and, if so, what is the appropriate 4 relief; and 5 d. whether Defendants breached their duties owed to members of the 6 Class and Subclasses and by failing to properly safeguard their personal 7 information. 8 27. Plaintiffs’ claims, as described herein, are typical of the claims of all 9 other members of the Class and Sub-classes, as the claims of Plaintiffs and all other 10 members of the Class and Sub-classes arise from the same set of facts regarding 11 Defendants’ failure to protect the Class and Sub-classes member’s personal 12 information from computer hackers. Plaintiffs maintain no interest antagonistic to 13 the interests of other members of the Class or Sub-classes. 14 28. Plaintiffs are committed to the vigorous prosecution of this action and 15 have retained competent counsel experienced in the prosecution of class actions of 16 this type. Accordingly, Plaintiffs are adequate representatives of the Class and Sub- 17 classes and will fairly and adequately protect their interests. 18 19 20 29. claims of Plaintiffs and the Class and Sub-classes for the following reasons: a. common questions of law and fact predominate over any question affecting any individual Class and Sub-Class members; 21 22 This class action is a fair and efficient method of adjudicating the b. the prosecution of separate actions by individual Class and Sub-classes 23 members would likely create a risk of inconsistent or varying 24 adjudications with respect to individual members thereby establishing 25 incompatible standards of conduct for Defendants or would allow some 26 Class and Sub-classes members’ claims to adversely affect the ability 27 of other members to protect their interests; 28 COMPLAINT CASE NO. -7- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 8 of 33 Page ID #:8 1 c. this forum is appropriate for litigation of this action since a substantial 2 portion of the transactions, acts, events, and omissions alleged herein 3 occurred in this District; 4 d. as a class action; and 5 6 Plaintiffs anticipates no difficulty in the management of this litigation e. the Class and Sub-classes is readily definable, and prosecution as a 7 class action will eliminate the possibility of repetitious litigation, while 8 also providing redress for claims that may be too small to support the 9 expense of individual, complex litigation. 10 11 30. for the fair and efficient adjudication of this controversy. SUBSTANTIVE ALLEGATIONS 12 13 For these reasons, a class action is superior to other available methods 31. Plaintiffs were riders with Uber and/or drivers for Uber prior to and 14 during October 2016 and to the present, and provided Uber personal information in 15 order to initiate their Uber account to be used solely by Uber for purposes of 16 maintaining and facilitating such account. 17 32. On November 21, 2017, Uber announced that two hackers had stolen 18 data about Uber’s riders and drivers from a third-party server and then approached 19 Uber and demanded payment of $100,000 to delete their copy of the data. 20 Defendants discovered this breach as part of a larger investigation into Uber’s 21 business practices over a year ago. 22 33. Joe Sullivan, the Uber chief security officer at the time of the breach, 23 who has since been fired, arranged the deal to pay the hackers the $100,000 in 24 ransom. However, Uber did not stop at acquiescing to the hacker’s demands and 25 took it a step further. Uber successfully tracked down the hackers and forced them 26 to sign nondisclosure agreements. 27 28 34. To further conceal the damage caused from this breach, Uber executives made it appear that rather than this payment being a ransom payoff, they COMPLAINT CASE NO. -8- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 9 of 33 Page ID #:9 1 made the payoff appear to be part of a “bug bounty” which is a deal offered by 2 many websites and software developers by which individuals can receive 3 recognition and compensation for reporting “bugs” especially those pertaining to 4 exploits and vulnerabilities in a company. 5 35. The failure to immediately or within a reasonable time report this data 6 breach to relevant governmental agencies and to Uber users and drivers is a blatant 7 and egregious violation of numerous state statutes specifically enacted to insure 8 prompt disclosure of data breaches. 9 36. Furthermore, Plaintiffs and class members have suffered imminent and 10 impending injury arising from the substantially increased risk of future fraud, 11 identity theft and misuse posed by their PII being placed in the hands of criminals 12 who have already, or will imminently, misuse such information. 13 37. Moreover, Plaintiffs have a continuing interest in ensuring that their 14 PII, which remains in the possession of Uber, is protected and safeguarded from 15 future breaches. 16 38. At all relevant times, Uber was well-aware, or reasonably should have 17 been aware, that the PII collected, maintained and stored by Uber is highly sensitive, 18 susceptible to attack, and could be used for wrongful purposes by third parties, such 19 as identity theft and fraud. 20 39. It is well known and the subject of many media reports that PII is 21 highly coveted and a frequent target of hackers. Despite the frequent public 22 announcements of data breaches, Uber continued to use an outdated, insufficient and 23 inadequate system to protect the PII of Plaintiffs and Class members. 24 40. PII is a valuable commodity because it contains not only payment card 25 numbers but PII as well. A “cyber blackmarket” exists in which criminals openly 26 post stolen payment card numbers and other personal information on a number of 27 underground Internet websites. It is common knowledge that PII is considered gold 28 COMPLAINT CASE NO. -9- Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 10 of 33 Page ID #:10 1 to identity thieves because they can use victims’ personal data to incur charges on 2 existing accounts, or clone ATM, debit, or credit cards. 41. 3 Legitimate organizations and the criminal underground alike recognize 4 the value in PII contained in a merchant’s data systems; otherwise, they would not 5 aggressively seek or pay for it. For example, in “one of 2013’s largest breaches . . . 6 not only did hackers compromise the [card holder data] of three million customers, 7 they also took registration data [containing PII] from 38 million users.”1 42. 8 At all relevant times, Uber knew, or reasonably should have known, of 9 the importance of safeguarding PII and of the foreseeable consequences that would 10 occur if its data security system was breached, including, specifically, the significant 11 costs that would be imposed on individuals as a result of a breach. 43. 12 Uber was, or should have been, fully aware of the significant number of 13 people whose PII it collected, and thus, the significant number of individuals who 14 would be harmed by a breach of its system. 44. 15 Unfortunately, and as alleged below, despite all of this publicly 16 available knowledge of the continued compromises of PII in the hands of other third 17 parties, Uber’s approach to maintaining the privacy and security of the PII of 18 Plaintiffs and the Class members, and reporting any violation thereof in accordance 19 with law, was lackadaisical, cavalier, reckless, or at the very least, negligent. 45. 20 21 members’ data secure are severe. 46. 22 23 The ramifications of Uber’s failure to keep Plaintiffs’ and Class The FTC defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”2 The FTC 24 25 26 27 28 1 Verizon 2014 PCI Compliance Report, available at: http://www.cisco.com/c/dam /en_us/solutions/industries/docs/retail/verizon_pci2014.pdf (hereafter “2014 Verizon Report”), at 54 (last visited Nov. 22, 2017). 2 17 C.F.R § 248.201 (2013). COMPLAINT CASE NO. - 10 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 11 of 33 Page ID #:11 1 describes “identifying information” as “any name or number that may be used, alone 2 or in conjunction with any other information, to identify a specific person.”3 47. 3 Personal identifying information is a valuable commodity to identity 4 thieves once the information has been compromised. As the FTC recognizes, once 5 identity thieves have personal information, “they can drain your bank account, run 6 up your credit cards, open new utility accounts, or get medical treatment on your 7 health insurance.”4 48. 8 9 Javelin Strategy and Research reports that identity thieves have stolen $112 billion in the past six years.5 49. 10 Reimbursing a consumer for a financial loss due to fraud does not make 11 that individual whole again. On the contrary, identity theft victims must spend 12 numerous hours and their own money repairing the impact to their credit. After 13 conducting a study, the Department of Justice’s Bureau of Justice Statistics (“BJS”) 14 found that identity theft victims “reported spending an average of about 7 hours 15 clearing up the issues” and resolving the consequences of fraud in 2014.6 50. 16 There may be a time lag between when harm occurs versus when it is 17 discovered, and also between when PII or PCD is stolen and when it is used. 18 According to the U.S. Government Accountability Office (“GAO”), which 19 conducted a study regarding data breaches: 20 [L]aw enforcement officials told us that in some cases, 21 stolen data may be held for up to a year or more before 22 23 24 25 26 27 28 3 Id. 4 Federal Trade Commission, Warning Signs of Identity Theft, available at: https:// www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft (last visited Nov. 22, 2017). 5 See https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits -inflection-point (last visited Nov. 22, 2017). 6 Victims of Identity Theft, 2014 (Sept. 2015) available at: http://www.bjs.gov/ content/pub/pdf/vit14.pdf (last visited Nov. 22, 2017). COMPLAINT CASE NO. - 11 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 12 of 33 Page ID #:12 1 being used to commit identity theft. Further, once stolen 2 data have been sold or posted on the Web, fraudulent use 3 of that information may continue for years. As a result, 4 studies that attempt to measure the harm resulting from 5 data breaches cannot necessarily rule out all future harm.7 51. 6 Plaintiffs and the Class members now face years of constant 7 surveillance of their financial and personal records, monitoring, and loss of rights. 8 The Class is incurring and will continue to incur such damages in addition to any 9 fraudulent use of their PII. 52. 10 11 The PII of Plaintiffs and the Class members is private and sensitive in nature and was left inadequately protected by Uber. 53. 12 The Data Breach was a direct and proximate result of Uber’s failure to 13 properly safeguard and protect Plaintiffs’ and the Class members’ PII from 14 unauthorized access, use, and disclosure, as required by various state and federal 15 regulations, industry practices, and the common law, including Uber’s failure to 16 establish and implement appropriate administrative, technical, and physical 17 safeguards to ensure the security and confidentiality of Plaintiffs’ and the Class 18 members’ PII to protect against reasonably foreseeable threats to the security or 19 integrity of such information. 54. 20 Uber had the resources to prevent a breach, but neglected to timely and 21 adequately invest in data security, despite the growing number of well-publicized 22 data breaches. 55. 23 Had Uber remedied the deficiencies in its data security systems, 24 followed security guidelines, and adopted security measures recommended by 25 experts in the field, Uber would have prevented the Data Breach and, ultimately, the 26 theft of its customers’ PII. 27 28 7 GAO, Report to Congressional Requesters, at 29 (June 2007), available at http://www.gao.gov/new.items/d07737.pdf (last visited Nov. 22, 2017). COMPLAINT CASE NO. - 12 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 13 of 33 Page ID #:13 1 56. As a direct and proximate result of Uber’s wrongful actions and 2 inaction and the resulting Data Breach, Plaintiffs and the Class members have been 3 placed at an imminent, immediate, and continuing increased risk of fraud, requiring 4 them to take the time which they otherwise would have dedicated to other life 5 demands such as work and effort to mitigate the actual and potential impact of the 6 Data Breach on their lives. 7 57. While the PII of Plaintiffs and members of the Class has been stolen, 8 Uber continues to hold PII of consumers, including Plaintiffs and the Class 9 members. Particularly because Uber and has demonstrated an inability to prevent a 10 breach and immediately disclose it even after being detected, Plaintiffs and members 11 of the Class have an undeniable interest in insuring that their PII is secure, remains 12 secure, is properly and promptly destroyed and is not subject to further theft. 13 COUNT I 14 NEGLIGENCE 15 (ON BEHALF OF PLAINTIFFS AND THE NATIONWIDE 16 CLASS, OR, ALTERNATIVELY, PLAINTIFFS AND THE 17 SEPARATE SUB-CLASSES) 18 19 20 58. Plaintiffs incorporate and re-allege all allegations contained in the preceding paragraphs as if fully set forth herein. 59. Upon accepting and storing the PII of Plaintiffs and the Class Members 21 in its computer systems and on its networks, Defendants undertook and owed a duty 22 to Plaintiffs and the Class Members to exercise reasonable care to secure and 23 safeguard that information and to use commercially reasonable methods to do so. 24 Defendants knew that PII was private and confidential and should be protected as 25 private and confidential. 26 60. Defendants owed a duty of care not to subject Plaintiffs, along with 27 their PII, and Class members to an unreasonable risk of harm because they were 28 foreseeable and probable victims of any inadequate security practices. COMPLAINT CASE NO. - 13 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 14 of 33 Page ID #:14 1 2 3 61. Nationwide Class, including the following: a. b. c. to implement processes to quickly detect a data breach and to timely act on warnings about data breaches. 8 9 to protect PII using reasonable and adequate security procedures and systems that are compliant with industry-standard practices; and 6 7 to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting and protecting PII in its possession; 4 5 Defendants owed numerous duties to Plaintiffs and to members of the 62. Defendants also breached its duty to Plaintiffs and the Class Members 10 to adequately protect and safeguard PII by knowingly disregarding standard 11 information security principles, despite obvious risks. Further, Defendants failed to 12 provide adequate supervision and oversight of the PII with which they were and are 13 entrusted, in spite of the known risk and foreseeable likelihood of breach and 14 misuse, which permitted an unknown third party to gather PII of Plaintiffs and Class 15 Members, misuse the PII and intentionally disclose it to others without consent. 16 63. Defendants knew, or should have known, of the risks inherent in 17 collecting and storing PII, the vulnerabilities of its data security systems, and the 18 importance of adequate security. Defendants knew about numerous, well-publicized 19 data breaches. 20 21 22 64. Defendants knew, or should have known, that their data systems and networks did not adequately safeguard Plaintiffs’ and Class Members’ PII. 65. Defendants breached their duties to Plaintiffs and Class Members by 23 failing to provide fair, reasonable, or adequate computer systems and data security 24 practices to safeguard PII of Plaintiffs and Class Members. 25 66. Because Defendants knew that a breach of their systems would damage 26 millions of individuals, including Plaintiffs and Class members, Defendants had a 27 duty to adequately protect their data systems and the PII contained thereon. 28 COMPLAINT CASE NO. - 14 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 15 of 33 Page ID #:15 1 67. Defendants’ own conduct also created a foreseeable risk of harm to 2 Plaintiffs and Class members and their PII. 3 failing to: (1) secure its systems, despite knowing their vulnerabilities, (2) comply 4 with industry standard security practices, (3) implement adequate system and event 5 monitoring, and (4) implement the systems, policies, and procedures necessary to 6 prevent this type of data breach. 7 8 9 10 11 68. Defendants’ misconduct included Defendants also had independent duties under state and/or federal laws that required it to safeguard Plaintiffs’ and Class members’ PII. 69. Defendants breached their duties to Plaintiffs and Class members in numerous ways, including: a. by failing to provide fair, reasonable, or adequate computer systems 12 and data security practices to safeguard PII of Plaintiffs and Class 13 members; 14 b. previously described; 15 16 by creating a foreseeable risk of harm through the misconduct c. by failing to implement adequate security systems, protocols and 17 practices sufficient to protect Plaintiffs’ and Class members’ PII both 18 before and after learning of the Data Breach; and 19 d. standards during the period of the Data Breach. 20 21 by failing to comply with the minimum industry data security 70. Through Defendants’ acts and omissions described in this Complaint, 22 including Defendants’ failure to provide adequate security and its failure to protect 23 PII of Plaintiffs and Class members from being foreseeably captured, accessed, 24 disseminated, stolen and misused, Defendants unlawfully breached its duty to use 25 reasonable care to adequately protect and secure PII of Plaintiffs and Class members 26 during the time it was within its possession or control. 27 28 71. Upon information and belief, Uber improperly and inadequately safeguarded PII of Plaintiffs and Class Members in deviation of standard industry COMPLAINT CASE NO. - 15 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 16 of 33 Page ID #:16 1 rules, regulations, and practices at the time of the unauthorized access. Defendants’ 2 failure to take proper security measures to protect sensitive PII of Plaintiffs and 3 Class members, as described in this Complaint, created conditions conducive to a 4 foreseeable, intentional criminal act, namely the unauthorized access of PII of 5 Plaintiffs and Class members. 6 72. Defendants’ conduct was grossly negligent and departed from all 7 reasonable standards of care, including, but not limited to: failing to adequately 8 protect the PII; failing to conduct regular security audits; failing to provide adequate 9 and appropriate supervision of persons having access to PII of Plaintiffs and Class 10 members; and failing to provide Plaintiffs and Class members with timely and 11 sufficient notice that their sensitive PII had been compromised. 12 13 14 73. Neither Plaintiffs nor the other Class members contributed to the Data Breach and subsequent misuse of their PII as described in this Complaint. 74. As a direct and proximate result of the Defendant’s conduct, Plaintiffs 15 and the other members of the Class and Sub-Classes suffered damages including, 16 but not limited to, loss of control of their PII, the burden and cost of heightened 17 monitoring for signs for identity theft and for undertaking actions such as credit 18 freezes and alerts to prevent identity theft, and remediating acts and damages caused 19 by identity theft, and other economic damages. 20 COUNT II 21 NEGLIGENCE PER SE 22 (ON BEHALF OF PLAINTIFFS AND THE NATIONWIDE 23 CLASS, OR, ALTERNATIVELY, PLAINTIFFS AND THE 24 SEPARATE STATEWIDE SUB-CLASSES) 25 26 27 28 75. Plaintiffs incorporate and re-allege all allegations contained in the preceding paragraphs as if fully set forth herein. 76. Section 5 of the FTC Act prohibits “unfair . . . practices in or affecting commerce,” including, as interpreted and enforced by the FTC, the unfair act or COMPLAINT CASE NO. - 16 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 17 of 33 Page ID #:17 1 practice by businesses, such as Uber, of failing to use reasonable measures to protect 2 PII. The FTC publications and orders described above also form part of the basis of 3 Defendants’ duty in this regard. 77. 4 Defendants violated Section 5 of the FTC Act by failing to use 5 reasonable measures to protect PII and not complying with applicable industry 6 standards, as described in detail herein. 78. 7 8 negligence per se. 79. 9 10 Defendants’ violation of Section 5 of the FTC Act constitutes Plaintiffs and the Class Members are within the class of persons that the FTC Act was intended to protect. 80. 11 The harm that occurred as a result of the Data Breach is the type of 12 harm the FTC Act was intended to guard against. 13 enforcement actions against businesses, which, as a result of their failure to employ 14 reasonable data security measures and avoid unfair and deceptive practices, caused 15 the same harm as that suffered by Plaintiffs and the Class. 81. 16 The FTC has pursued As a direct and proximate result of the Defendant’s conduct, Plaintiffs 17 and the other members of the Class and Sub-Classes suffered damages including, 18 but not limited to, loss of control of their PII, the burden and cost of heightened 19 monitoring for signs for identity theft and for undertaking actions such as credit 20 freezes and alerts to prevent identity theft, and remediating acts and damages caused 21 by identity theft, and other economic damages. 22 23 24 25 26 /// 27 /// 28 /// COMPLAINT CASE NO. - 17 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 18 of 33 Page ID #:18 1 COUNT III 2 BREACH OF IMPLIED CONTRACT 3 (ON BEHALF OF PLAINTIFFS AND THE NATIONWIDE 4 CLASS, OR, ALTERNATIVELY, PLAINTIFFS AND THE 5 SEPARATE STATEWIDE SUB-CLASSES) 6 7 8 82. Plaintiffs incorporate and re-allege the allegations contained in the preceding paragraphs as if fully set forth herein. 83. By providing Plaintiffs’ and the other Class and Sub-Classes members’ 9 PII to Uber as a rider or a driver, Plaintiffs and the other members of the Class and 10 Sub-Classes entered into implied contracts with Uber pursuant to which Uber agreed 11 to safeguard and protect such information from unauthorized access and theft. 12 13 14 84. Plaintiffs and the other members of the Class and Sub-Classes fully performed their obligations under the implied contracts with Uber. 85. Defendants breached the implied contracts it had made with the 15 Plaintiffs and the other members of the Class and Sub-Classes by failing to 16 safeguard and protect the personal and financial information of Plaintiffs and the 17 other members of the Class and Sub-Classes, and by allowing unauthorized access 18 to Uber’s software application network and the mass exporting of PII from Uber. 19 86. The damages to Plaintiffs and the other members of the Class and Sub- 20 Classes as described herein were the direct and proximate result of the Defendants’ 21 breaches of these implied contracts. 22 COUNT IV 23 DECLARATORY JUDGMENT 24 (ON BEHALF OF PLAINTIFFS AND THE NATIONWIDE 25 CLASS, OR, ALTERNATIVELY, PLAINTIFFS AND THE 26 SEPARATE STATEWIDE SUB-CLASSES) 27 28 87. Plaintiffs incorporate and re-allege all allegations contained in the preceding paragraphs as if fully set forth herein. COMPLAINT CASE NO. - 18 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 19 of 33 Page ID #:19 88. 1 As previously alleged, Plaintiffs and Class members entered into an 2 implied contract that required Uber to provide adequate security for the PII it 3 collected from their payment card transactions. As previously alleged, Uber owes 4 duties of care to Plaintiffs and Class members that require it to adequately secure 5 PII. 6 89. Uber still possesses PII pertaining to Plaintiffs and Class members. 7 90. Uber has made no announcement or notification that it has remedied 8 9 the vulnerabilities in its computer data systems, and, most importantly, its systems. 91. Accordingly, Uber has not satisfied its contractual obligations and legal 10 duties to Plaintiffs and Class members. In fact, now that Uber’s lax approach 11 towards data security has become public, the PII in its possession is more vulnerable 12 than it previously was. 13 92. Actual harm has arisen in the wake of the Uber Data Breach regarding 14 Uber’s contractual obligations and duties of care to provide data security measures 15 to Plaintiffs and Class members. 16 93. Plaintiffs, therefore, seek a declaration that (a) Uber’s existing data 17 security measures do not comply with its contractual obligations and duties of care, 18 and (b) in order to comply with its contractual obligations and duties of care, Uber 19 must implement and maintain reasonable security measures, including, but not 20 limited to: 21 a. engaging third-party security auditors/penetration testers as well as 22 internal security personnel to conduct testing, including simulated 23 attacks, penetration tests, and audits on Uber’s systems on a periodic 24 basis, and ordering Uber to promptly correct any problems or issues 25 detected by such third-party security auditors; 26 b. engaging third-party security auditors and internal personnel to run automated security monitoring; 27 28 COMPLAINT CASE NO. - 19 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 20 of 33 Page ID #:20 1 c. auditing, testing, and training its security personnel regarding any new or modified procedures; 2 3 d. segmenting PII by, among other things, creating firewalls and access 4 controls so that if one area of Uber is compromised, hackers cannot 5 gain access to other portions of Uber systems; 6 e. purging, deleting, and destroying in a reasonable secure manner PII not necessary for its provisions of services; 7 8 f. conducting regular database scanning and securing checks; 9 g. routinely and continually conducting internal training and education to 10 inform internal security personnel how to identify and contain a breach 11 when it occurs and what to do in response to a breach; and 12 h. educating its customers about the threats they face as a result of the loss 13 of their financial and personal information to third parties, as well as 14 the steps Uber customers must take to protect themselves. 15 COUNT V 16 VIOLATION OF FLORIDA’S UNFAIR TRADE PRACTICES 17 ACT, FLA. STAT. § 501.201, ET SEQ. 18 (ON BEHALF OF PLAINTIFFS FLUSS AND LOKIETZ AND 19 THE FLORIDA SUB-CLASS) 20 21 22 23 94. Plaintiffs Fluss and Lokietz incorporate and re-allege all allegations contained in the preceding paragraphs as if fully set forth herein. 95. At all relevant times, Florida Subclass members were “consumers” within the meaning of FDUPTA. 24 96. Uber is engaged in trade and commerce in Florida. 25 97. Plaintiffs Fluss and Lokietz and Class members entrusted Uber with 26 their PII. 27 28 COMPLAINT CASE NO. - 20 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 21 of 33 Page ID #:21 1 98. As alleged herein this Complaint, Uber engaged in unfair or deceptive 2 acts or practices in the conduct of consumer transactions, including the following, in 3 violation of the FDUTPA: 4 a. failure to maintain the security of credit Plaintiffs’ PII; 5 b. failure to maintain adequate data security practices to safeguard Plaintiffs’ PII; 6 7 b. safeguard Plaintiffs’ PII from theft; 8 9 failure to disclose that its data security practices were inadequate to d. continued acceptance of PII and storage of other personal information 10 after Uber knew or should have known of the security vulnerabilities of 11 the systems that were exploited in the Data Breach; 12 99. Uber knew or should have known that its data security practices were 13 inadequate to safeguard the PII of Plaintiffs and the Class members, deter hackers, 14 and detect a breach within a reasonable time, and that the risk of a data breach was 15 highly likely. 16 100. As a direct and proximate result of Uber’s violation of the FDUTPA, 17 Plaintiffs Fluss and Lokietz and Class members suffered damages arising from the 18 breach of their PII. The nature full nature of the damages and injury may take years 19 to detect, and the potential scope can only be assessed after a thorough investigation 20 of the facts and events surrounding the theft mentioned above. 21 101. Also as a direct result of Uber’s knowing violation of the FDUTPA, 22 Plaintiffs Fluss and Lokietz and Class members are entitled to damages as well as 23 injunctive relief, including, but not limited to: 24 a. Ordering that Uber engage third-party security auditors/penetration 25 testers as well as internal security personnel to conduct testing, 26 including simulated attacks, penetration tests, and audits on Uber’s 27 systems on a periodic basis, and ordering Uber to promptly correct any 28 problems or issues detected by such third-party security auditors; COMPLAINT CASE NO. - 21 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 22 of 33 Page ID #:22 1 b. personnel to run automated security monitoring; 2 3 c. Ordering that Uber audit, test, and train its security personnel regarding any new or modified procedures; 4 5 Ordering that Uber engage third-party security auditors and internal d. Ordering that Uber segment PII by, among other things, creating 6 firewalls and access controls so that if one area of Uber is 7 compromised, hackers cannot gain access to other portions of Uber 8 systems; 9 e. manner PII not necessary for its provisions of services; 10 11 f. Ordering that Uber conduct regular database scanning and securing checks; 12 13 Ordering that Uber purge, delete, and destroy in a reasonable secure g. Ordering that Uber routinely and continually conduct internal training 14 and education to inform internal security personnel how to identify and 15 contain a breach when it occurs and what to do in response to a breach; 16 and 17 h. Ordering Uber to meaningfully educate its customers about the threats 18 they face as a result of the loss of their financial and personal 19 information to third parties, as well as the steps Uber customers must 20 take to protect themselves. 21 102. Plaintiffs Fluss and Lokietz bring this action on behalf of themselves 22 and Class Members for the relief requested above and for the public benefit in order 23 to promote the public interests in the provision of truthful, fair information to allow 24 consumers to make informed purchasing decisions and to protect Plaintiffs Fluss 25 and Lokietz and Class members and the public from Uber’s unfair methods of 26 competition and unfair, deceptive, fraudulent, unconscionable and unlawful 27 practices. Uber’s wrongful conduct as alleged in this Complaint has had widespread 28 impact on the public at large. COMPLAINT CASE NO. - 22 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 23 of 33 Page ID #:23 1 103. Plaintiffs Fluss and Lokietz and the Florida Sub-class seek actual 2 damages under Fla. Stat. § 501.211 (2) and all fees, costs, and expenses allowed by 3 law, including attorney’s fees and costs, pursuant to Federal Rule of Civil Procedure 4 23 and Fla. Stat. §§ 501.2105 and 501.211, to be proven at trial. 5 COUNT VI 6 VIOLATION OF NEW JERSEY’S CONSUMER FRAUD ACT, 7 N.J. STAT. ANN. § 56:8-1, ET SEQ. 8 (ON BEHALF OF PLAINTIFF SHETH AND THE NEW JERSEY 9 SUB-CLASS) 104. Plaintiff Sheth incorporates and re-alleges all allegations contained in 10 11 the preceding paragraphs as if fully set forth herein. 12 105. The New Jersey Consumer Fraud Act prohibits the “use or employment 13 by any person of any unconscionable commercial practice, deception or fraud, false 14 pretense, false promise or misrepresentation, or the knowing concealment, 15 suppression or omission of any material fact with the intent that others rely upon 16 such concealment, suppression or omission, in connection with the sale or 17 advertisement of any merchandise or real estate…is declared to be an unlawful 18 practice…” 19 106. Plaintiff Sheth and the New Jersey Sub-Class never would have 20 provided their sensitive and personal PII if they had been told or knew that Uber 21 failed to maintain sufficient security to keep such PII from being hacked and taken 22 by others, that Uber failed to maintain the information in encrypted form. 107. Uber’s practices, acts, policies and course of conduct are actionable in 23 24 25 that: (a) Uber actively and knowingly misrepresented or omitted disclosure of 26 material information to Plaintiff Sheth and the New Jersey Sub-Class at the time 27 they provided their PII information that Anthem did not have sufficient security or 28 mechanisms to protect PII; and COMPLAINT CASE NO. - 23 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 24 of 33 Page ID #:24 1 (b) Uber failed to give adequate warnings and notices regarding the defects 2 and problems with its defective system of security that it maintained to protect 3 Plaintiff Sheth and the New Jersey Sub-Class’ PII. 4 knowledge of the inherent defects in Uber’s system of security and failed to give 5 adequate and timely warnings that there had been a data breach and hacking 6 episodes had occurred. Anthem possessed prior 7 108. The aforementioned conduct is and was deceptive, false, and fraudulent 8 and constitutes an unconscionable commercial practice in that Uber has, by the use 9 of false or deceptive statements and/or knowing intentional material omissions, 10 misrepresented and/or concealed the defective security system it maintained and 11 failed to reveal the data breach timely and adequately. 12 13 109. Members of the New Jersey Sub-Class were deceived by and relied upon Uber’s affirmative misrepresentations and failures to disclose. 14 110. Such acts by Uber are and were deceptive acts or practices which are 15 and/or were, likely to mislead a reasonable consumer providing their PII to Uber. 16 Said deceptive acts and practices aforementioned are material. The requests for and 17 use of such PII materials in New Jersey and concerning New Jersey residents and/or 18 citizens was a consumer-oriented and thereby falls under the New Jersey Consumer 19 Fraud Act. 20 111. Uber’s wrongful conduct caused Plaintiff Sheth and the New Jersey 21 Sub-Class to suffer a consumer-related injury and ascertainable losses by causing 22 them to incur substantial expense to protect from misuse of the PII materials by third 23 parties and placing Plaintiff Sheth and the Sub-Class at serious risk for monetary 24 damages. 25 112. In addition to or in lieu of actual damages, because of the injury, 26 Plaintiff Sheth and the New Jersey Sub-Class seek treble damages, attorneys’ fees 27 and costs for each injury and violation which has occurred. 28 COMPLAINT CASE NO. - 24 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 25 of 33 Page ID #:25 1 COUNT VII 2 VIOLATION OF THE NEW JERSEY DATA BREACH ACT 3 (ON BEHALF OF PLAINTIFF SHETH AND THE NEW JERSEY 4 SUB-CLASS) 5 6 7 8 9 10 113. Plaintiff Sheth incorporates and re-alleges all allegations contained in the preceding paragraphs as if fully set forth herein. 114. Plaintiff Sheth and the other members of the New Jersey Sub-Class are riders and drivers who provided PII to Uber for personal and private use. 115. By failing to timely notify Uber customers of the Data Breach, Uber violated N.J. Stat. Ann. §56:8-163(a), et seq., which provides: 11 (a) Any business that conducts business in New Jersey, or 12 any public entity that compiles or maintains computerized 13 records that include personal information, shall disclose 14 any breach of security of those computerized records 15 following discovery or notification of the breach to any 16 customer who is a resident of New Jersey whose personal 17 information was, or is reasonably believed to have been, 18 accessed by an unauthorized person. The disclosure to a 19 customer shall be made in the most expedient time 20 possible and without unreasonable delay, consistent with 21 the legitimate needs of law enforcement, as provided in 22 subsection c. of this section, or any measures necessary to 23 determine the scope of the breach and restore the 24 reasonable integrity of the data system. Disclosure of a 25 breach of security to a customer shall not be required 26 under this section if the business or public entity 27 establishes that misuse of the information is not 28 COMPLAINT CASE NO. - 25 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 26 of 33 Page ID #:26 1 reasonably possible. Any determination shall be 2 documented in writing and retained for five years. *** 3 4 (c)(2) The notification required by this section shall be 5 delayed if a law enforcement agency determines that the 6 notification will impede a criminal or civil investigation 7 and that agency has made a request that the notification be 8 delayed. The notification required by this section shall be 9 made after the law enforcement agency determines that its 10 disclosure will not compromise the investigation and 11 notifies that business or public entity. *** 12 13 56:8-166 It shall be an unlawful practice and a violation 14 of P.L. 1960, c.39 (C.56:8-1 et seq.) to willfully, 15 knowingly or recklessly violate sections 10 through 13 of 16 this amendatory and supplementary act. 17 116. The Uber Data Breach constituted a breach of the Uber security 18 system within the meaning of the above New Jersey data breach statute and the data 19 breached was protected and covered by the data breach statute. 20 117. Uber unreasonably delayed informing the public, including Plaintiff 21 Sheth and the members of the Class, about the Data Breach after Uber knew or 22 should have known that the Data Breach had occurred. 23 118. While the Data Breach and stealing of customer’s personal information 24 was known or should have been known to Uber, Uber did not notify customers of 25 the data breach until November 21, 2017. 26 119. Thus, Uber failed to disclose the Data Breach to Plaintiff Sheth and the 27 other members of the Class without unreasonable delay and in the most expedient 28 time possible. COMPLAINT CASE NO. - 26 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 27 of 33 Page ID #:27 1 120. Uber has provided no indication that any law enforcement agency 2 requested that Uber delay notification. Plaintiff Sheth and the other members of the 3 Sub-Class suffered harm directly resulting from Uber’s failure to provide and the 4 delay in providing notification of the data breach with timely and accurate notice as 5 required by law. 6 121. As a result of said practices, Uber has directly, foreseeably, and 7 proximately caused damages to Plaintiff Sheth and the other members of the Class. 8 Had Uber provided timely and accurate notice of the Data Breach Plaintiff Sheth 9 and the other members of the Class would have been able to avoid and/or attempt to 10 ameliorate or mitigate the damages and harm resulting in the unreasonable delay by 11 Uber in providing notice. Plaintiff Sheth and the Class members could have avoided 12 providing further data to Uber could have avoided use of Uber’s services, and 13 otherwise have tried to avoid the harm caused by Uber’s delay in providing timely 14 and accurate notice. 15 COUNT VIII 16 VIOLATIONS OF CALIFORNIA CONSUMER LAWS 17 (ON BEHALF OF PLAINTIFF LUNA AND THE CALIFORNIA 18 SUB-CLASS)8 122. Plaintiff Luna incorporates and re-alleges all allegations contained in 19 20 the preceding paragraphs as if fully set forth herein. 21 22 23 24 25 26 27 28 8 Upon the Cal. Civ. Code § 1782 notice requirements being satisfied, Luna and members of the proposed California Class intend to amend this count to include monetary damages in addition to the presently requested injunctive relief. Luna’s counsel is notifying defendants by separate letter of the particular violations of the California Consumer Legal Remedies Act and requesting they correct or agree to correct the violations enumerated. If defendants fail to do so, Luna shall amend the complaint as of right (or otherwise seek leave to amend the complaint) to include compensatory and monetary damages. COMPLAINT CASE NO. - 27 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 28 of 33 Page ID #:28 1 123. Plaintiff Luna and the other members of the California Sub-Class are 2 consumers who purchased, directly or indirectly, services from Uber for personal or 3 family purposes. 4 124. Uber engaged in the conduct alleged in this Complaint in transactions 5 intended to result, and which did result, in the sale of goods or services to 6 consumers, including Plaintiff Luna and the other members of the California Sub- 7 Class. 8 125. Uber is engaged in, and its acts and omissions affect, trade and 9 commerce. Uber’s acts, practices and omissions were done in the course of Uber’s 10 business of marketing, offering for sale, and selling goods and services in the United 11 States, including in the state of California. 12 126. Uber’s conduct, as alleged in this Complaint, including without 13 limitation Uber’s failure to maintain adequate computer systems and data security 14 practices to safeguard customers’ PII, Uber’s failure to disclose the material fact that 15 Uber’s computer systems and data security practices, was inadequate to safeguard 16 Insureds’ PII from theft. 17 127. Uber’s conduct constitutes unfair methods of competition and unfair, 18 deceptive, fraudulent, unconscionable and/or unlawful acts or practices in violation 19 of The California Consumer Legal Remedies Act, Cal. Civ. Code § 1750, et seq., 20 and the California Unfair Competition Law, Cal. Bus. And Prof. Code, § 17200, et 21 seq. 22 COUNT IX 23 VIOLATION OF THE CALIFORNIA DATA BREACH ACT 24 (ON BEHALF OF PLAINTIFF LUNA AND THE CALIFORNIA 25 SUB-CLASS) 26 27 128. Plaintiff Luna incorporates and re-alleges all allegations contained in the preceding paragraphs as if fully set forth herein. 28 COMPLAINT CASE NO. - 28 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 29 of 33 Page ID #:29 1 129. The Data Breach described above constituted a “breach of the security 2 system” of Uber, within the meaning of Section 1798.82 (g) of the California Civil 3 Code. 4 130. The information lost in the Data Breach constituted “personal 5 information” within the meaning of Section 1798.80(e) of the California Civil Code. 6 131. Uber failed to implement and maintain reasonable security procedures 7 and practices appropriate to the nature and scope of the information compromised in 8 the Data Breach. 9 132. Uber unreasonably delayed informing anyone about the breach of 10 security of Plaintiff Luna and the California Sub-Class’s confidential and non-public 11 information after Uber knew the Data Breach had occurred. 12 133. Uber failed to disclose to Plaintiff Luna and the California Sub-Class, 13 without unreasonable delay, and in the most expedient time possible, the breach of 14 security of their unencrypted, or not properly and securely encrypted, PII when they 15 knew or reasonably believed such information had been compromised. 16 134. Upon information and belief, no law enforcement agency instructed 17 Uber that notification to Plaintiff Luna and the California Sub-Class would impede 18 investigation. 19 135. As a result of Defendant’s violation of Cal. Civ. Code § 1798.80 et 20 seq., Plaintiff Luna and the California Sub-Class incurred economic damages, 21 including expenses associated with necessary credit monitoring. 22 136. Plaintiff Luna, individually and on behalf of the California Sub-Class, 23 seeks all remedies available under Cal. Civ. Code § 1798.84, including but not 24 limited to: (a) damages suffered by the California Sub-Class as alleged above; (b) 25 statutory damages for Uber’s willful, intentional, and/or reckless violation of Cal. 26 Civ. Code § 1798.83; and (c) equitable relief. 27 28 137. Plaintiff Luna, individually and on behalf of the California Sub-Class, also seeks reasonable attorneys’ fees and costs under Cal. Civ. Code § 1798.84(g). COMPLAINT CASE NO. - 29 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 30 of 33 Page ID #:30 1 COUNT X 2 VIOLATIONS OF NEW YORK’S CONSUMER PROTECTION 3 LAWS 4 (ON BEHALF OF PLAINTIFF HELLER AND THE NEW YORK 5 SUB-CLASS) 138. Plaintiff Heller incorporates and re-alleges all allegations contained in 6 7 the preceding paragraphs as if fully set forth herein. 8 139. Defendants’ practices, acts, policies and course of conduct, as 9 described above, including making representations that it possessed sufficient 10 security to maintain the privacy of such PII, were intended to induce, and did 11 induce, Plaintiff Heller and the New York Sub-Class to provide their sensitive PII to 12 Uber. 13 140. Plaintiff Heller and the New York Sub-Class never would have 14 provided their sensitive and personal PII if they had been told or knew that Uber 15 failed to maintain sufficient security to keep such PII from being hacked and taken 16 by others, that Uber failed to maintain the information in encrypted form. 141. Uber’s practices, acts, policies and course of conduct are actionable in 17 18 that: (a) 19 Uber actively and knowingly misrepresented or omitted 20 disclosure of material information to Plaintiff Heller and the New York Sub- 21 Class at the time they provided such PII information that Uber did not have 22 sufficient security or mechanisms to protect PII; and (b) 23 Uber failed to give adequate warnings and notices regarding the 24 defects and problems with its defective system of security systems that it 25 maintained to protect Plaintiff Heller and the New York Sub-Class’ PII. Uber 26 possessed prior knowledge of the inherent defects in Uber’s system of 27 security and failed to give adequate and timely warnings that there had been a 28 Data Breach and hacking episodes had occurred. COMPLAINT CASE NO. - 30 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 31 of 33 Page ID #:31 1 142. The aforementioned conduct is and was deceptive, false, and fraudulent 2 and constitutes an unconscionable commercial practice in that Uber has, by the use 3 of false or deceptive statements and/or knowing intentional material omissions, 4 misrepresented and/or concealed the defective security system it maintained and 5 failed to reveal the Data Breach timely and adequately. 143. Members of the public were deceived by and relied upon Uber’s 6 7 affirmative misrepresentations and failures to disclose. 8 144. Such acts by Uber are and were deceptive acts or practices which are 9 and/or were, likely to mislead a reasonable consumer providing their PII to Uber. 10 Said deceptive acts and practices aforementioned are material. The requests for and 11 use of such PII materials in New York and concerning New York residents and/or 12 citizens was a consumer-oriented act and thereby falls under the New York 13 consumer fraud statute, General Business Law § 349 and 350. 14 145. Uber’s wrongful conduct caused Plaintiff Heller and the New York 15 Sub-Class to suffer a consumer-related injury by causing them to incur substantial 16 expense to protect from misuse of the PII materials by third parties and placing 17 Plaintiff Heller and the New York Sub-Class at serious risk for monetary damages. 18 146. In addition to or in lieu of actual damages, because of the injury, 19 Plaintiff Heller and the Sub-Class seek statutory damages for each injury and 20 violation which has occurred. 21 22 23 /// 24 /// 25 /// 26 27 28 COMPLAINT CASE NO. - 31 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 32 of 33 Page ID #:32 REQUEST FOR RELIEF 1 WHEREFORE, Plaintiffs, on behalf of themselves and all others similarly 2 3 situated, respectfully request that this Court: A. 4 Certify this action as a class action pursuant to Federal Rule of Civil 5 Procedure 23(a) and (b)(3), and appoint the Plaintiffs as Class and Sub-Class 6 representatives and their counsel as Class counsel; B. 7 8 appropriate relief, including actual and statutory damages; C. 9 10 Award Plaintiffs and the other members of the Class and Sub-Classes Enter judgment in favor of Plaintiffs and the other members of the Class and against the Defendants under the legal theories alleged herein; 11 D. Award reasonable attorneys’ fees, costs, and expenses; 12 E. Award the Plaintiffs and the other members of the Class and Sub- 13 classes pre-judgment and post-judgment interest at the maximum rate allowable by 14 law; 15 F. Award Plaintiffs and the other members of the Class and Sub-Classes 16 equitable, injunctive and declaratory relief as may be appropriate under applicable 17 laws. Plaintiffs on behalf of the other members of the Class and Sub-Classes seek 18 appropriate injunctive relief designed to ensure against the recurrence of a data 19 breach by adopting and implementing reasonable data security practices to 20 safeguard Ubers’ riders’ and drivers’ personal information, by an Order requiring 21 Uber to implement reasonable data security enhancements as they become available, 22 including data encryption, segregation of sensitive data, more robust passwords, 23 authentication of users, increased control of access to sensitive information on the 24 network, prohibitions of mass exports of sensitive data; 25 G. Enter Declaratory Judgment that seeks a declaration that (a) Uber’s 26 existing data security measures do not comply with its contractual obligations and 27 duties of care, and (b) in order to comply with its contractual obligations and duties 28 of care, Uber must implement and maintain reasonable security measures; COMPLAINT CASE NO. - 32 - Case 2:17-cv-08545 Document 1 Filed 11/24/17 Page 33 of 33 Page ID #:33 1 H. Enter such additional orders or judgment as may be necessary to 2 prevent a recurrence of the Breach and to restore any interest or any money or 3 property which may have been acquired by means of violations set forth in this 4 Complaint; and 5 I. Grant such other and further relief as the Court deems just and proper. JURY DEMAND 6 7 Plaintiffs demand a trial by jury on all issues so triable. 8 9 Dated: November 24, 2017 10 11 12 13 By: s/ Patrice L. Bishop Patrice L. Bishop STULL, STULL & BRODY 9430 West Olympic Blvd., Suite 400 Beverly Hills, CA 90212 Tel: (310) 209-2468 Fax: (310) 209-2087 Email: service@ssbla.com Howard Longman Melissa R. Emert STULL, thSTULL & BRODY 6 East 45 Street New York, NY 10017 Tel: (212) 687-7230 Fax: (212) 490-2022 Email: hlongman@ssbny.com memert@ssbny.com 14 15 16 17 18 Counsel for Plaintiffs 19 20 21 22 23 24 25 26 27 28 COMPLAINT CASE NO. - 33 -