Case Document 1' Filed 11/22/17 Page 1 of 26

IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF 

 

REBECCA DESIGNOR, Individually and on: CIVIL ACTION N03
Behalf of All Others Similarly Situated, 

Plaintiff,

vs.
JURY TRIAL I
DEMANDED
UBER TECHNOLOGIES INC.
RAISER, and EASIER-CA, LLC,

Defendants.

 

CLASS ACTION COMPLAINT

Case Document 1 Filed 11/22/17 Page 2 of 26

Plaintiff Rebecca DeSignor trimmer), ?on behalf of herself and all others
similarly situated, bring this class action against UBER TECHNOLOGIES 
EASIER, LLC. and LLC. (?Defendants?) and respectfully alleges the

following3

NATURE OF ACTION

 

1. Plaintiff Rebeoca DeSignor brings this class action suit on behalf of
herself and all others similarly situated, to redress Defendants? failure to
adequately safeguard personal identifying information and related data.

2. This action arises-from What may be one of the larger data security
breaches ever to occur in the United States.

3. As a result of this breach, Plaintiff and the millions of individuals
Whose sensitive personal data was made accessible now face substantial risk of
further injury from identity theft, credit and reputational harm, false tax claims, or

even extortion.

PARTIES
4. Plaintiff Rebecca DeSignor (?Plaintiff?) is a citizen of and
resides in Northampton County.
5. Defendant Uber Technologies Inc. is a global transportation technology

company incorporated in California, With its principal place of business in San

Francisco, California.



Case Document 1 Filed 11/22/17 Page 3 of 26

6. Defendant Easier, LLC. is a California Limited Liability Company,
With its principal place (of business in San Francisco, California.

Defendant RasierrCA, LLC. is a California Limited Liability Company,
with its principal place of business in San Francisco, California.

8. Defendants do business nationwide, including in this District.

9. Upon information and belief, the wrongful acts and/or decisions by
Defendants leading to this data breach occurred nationwide and in this District.

FACTUAL ALLEGATIONS

10. On or about November 21, 2015, Defendants publicly acknowledged
that they had paid hackersat least $100,000 to conceal the existence of a massive
data breach that had occurred approximately a year earlier.

11. According to Defendants? press releases, two hackers gained access to
information stored on GitHub, a service that allows engineers to collaborate on
developing software code. There, the hackers were able to steal Defendants?
credentials for a separate cloudeervices provider. From there, the hackers were
able to download driver and rider data.

12. The stolen information included names, email addresses and mobile
phone nunibers of Defendants? customers in the U.S. and around the world, as well
as the names and license numbers of 600,000 US. Uber drivers.

13. According to Defendants? press releases, the breach occurred in

October 2016.

Case Document 1 Filed 11/22/17 Page 4 of 26

14. At the time of the breach, Defendants were negotiating with the U.S.
Federal Trade Commission Cover the proper handling of consumer data.

15. In spite of the potential danger to customers and drivers, Defendants
not only waited a year before disclosing the existence of the data breach, but also
took deliberate action to conceal the breach.

16. This is not the first time that Defendants have been accused of
inadequate security policies. Earlier this year, London?s transport regulator
stripped Defendants? license to operate, citing their failure to deal with public safety
and security issues.

17. Defendants have issued a statement that they were obliged to report
the theft of the drivers? license information and had failed to do so.

18. None of the individuals Whose personal information was compromised
authorized such access or disclosure by Defendants.

19. Defendants purport to be a sophisticated technology companies with
expertise in handling client?s personal data, including the highly sensitive personal
information of individual consumers like Plaintiff.

20. Defendants stated this week that they have fired chief security officer,
Joe Sullivan, and a deputy, Craig Clark, this week over their role in the handling of
the incident.

JURISDICTION

 

21. This Court has original jurisdiction pursuant to 28 U.S.C.A. 

1332(d)(2), in that the matter in controversy, exclusive of interest and costs, exceeds

Case Document 1 Filed 11/22/17 Page 5 of 26

the sum of $5,000,000 andis a class action in Which members of the Class are
citizens of a state different froin Defendants.

22. I This Court has personal jurisdiction over Defendants because they
conduct signi?cant business in this District, and the unlawful conduct alleged in the
Complaint. occurred in, was directed to, and/or emanated from this District.

23. Venue is proper in this District pursuant to 28 U.S.C. 1391 because a
substantial part of the events giving rise to Plaintiffs and putative Class Members?
claims occurred in this jurisdiction. Defendants are authorized to do business in
this District and are subject to personal jurisdiction in this District.

CLASS ACTION ALLEGATIONS

24. Plaintiff incorporates each paragraph of this Complaint as if set forth
fully here, and further alleges as follOws.

25. The Class is defined asi

All United Sta tes residents W12 ose personally identifiable information

(?Pl ?9 was made accessible in the da ta breach Uber announced on
November .21, .20] 7. 

26. Plaintiff brings her claims on behalf of the Class.
27. Excluded from the Class arei
a) any Judge or Magistrate presiding over this action and members

of their families;
b) Defendants, Defendants? subsidiaries, parents, successors,

predecessors, and any entity in which Defendants or their

(31

Case Document 1 Filed 11/22/17 Page 6 of 26

parents have a controlling interest and their current or former

employees;
(3) counsel for Plaintiff and Defendants;
d) perSOns who properly execute and ?le a timely request for

exclusion from the Class;

e) the legal representatives, successors or assigns of any such
excluded persons;

9 all persons who have previously had claims ?nally adjudicated
or Who have released their claims against Defendants similar to

those alleged herein; and

g) any individual who contributed to the unauthorized access of
Defendants? database.

28. While the exact number and identities of the Class Members are
unknown at this time: and can only be ascertained through appropriate discovery,
on information and belief, the Class is so numerous over 57 million, six hundred
thousand (57,600,000) ~that joinder of all Class Members is impracticable.

29. Defendants? wrongful conduct affected all of the Class Members in the
same way, includingi

a) Defendants improperly stored consumers? personal information;

b) Defendants failed to safeguard consumers? personal information;

Case Document 1 Filed 11/22/17 Page Defendants failed to immediately notify consumers of the breach
and/or notify them directly as-soon as practicable. after
discovering the breach;

Defendants failed to monitor and ensure compliance with
pertinent data security standards, statutes and regulations;
and

Defendants took deliberate action to conceal the existence of the

data breach from consumers.

Questions of law and fact common to all Class Members predominate

over any questions affecting only individual Class Members including, Without

limitationl

a)

b)

c)

d)

e)

Whether Defendants owed duties to Class Members under
federal or state law to protect their personal information,
provide timely notice of unauthorized access to this information,
and provide meaningful and fair redress;

Whether Defendants breached their duties;

Whether Defendants acted wrongfully by improperly
monitoring, storing and/or failing to properly safeguard
consumers? personal information;

Whether Defendants knew, or reasonably should have known,
about the deficiencies in the data storage systems;

Whether Defendants willfully failed to design, employ, and

NJ

Case Document 1 Filed 11/22/17 Page 8 of 26

maintain a system adequate to protect consumers? personal

information; 

f) Whether representations that-Defendants made about the
security of their systems were false or misleading;

g) Whether Defendants? actions and omissions violated applicable
state consumer protection laws;

h) Whether Defendants? failures resulted in the breach at issue;

i) Whether Defendants failed to properly and timely notify Plaintiff
and Class Members of the breach as soon as practical after it
was discovered;

j) Whether Defendants? deliberate acts of concealment violated
applicable state consumer protection laws; and

k) Whether Plaintiff and Class Members have been damaged and,
if so, the appropriate relief.

31. Plaintiff claims are typical of the claims of all Class members because

such claims arise from the Defendants? wrongful conduct, as alleged above,

pertaining to Plaintiffs and Class Members? personal information. Plaintiff has no

interests antagonistic to the interests of the other Class Members.

32. Plaintiff will fairly and adequately represent and protect the interests

of the Class Members. Plaintiff has retained competent counsel experienced in

complex commercial litigation and class actions to represent her and the Class.

Case Document 1 Filed 11/22/17 Page 9 of 26

33. This class action also provides a fair and efficient method for
adjudicating the claims-of Plaintiff and Class Members for the following reasons:

a) common questions of law and fact predominate over (any
question affecting any individual Class Member;

b) . the prosecution of separate actions by individual Class Members
would likely create a risk of inconsistent or varying
adjudications with respect to individual Class Members, thereby
establishing incompatible standards of conduct for Defendants
and/or would allow some Class Members? claims to adversely
affect the ability of other Class members to protect their
interests;

c) Plaintiff anticipates no difficulty in the management of this
litigation as a class action; and

d) The Class is readily definable. Prosecution as a class action will
eliminate the possibility of repetitious litigation While also
providing redress for claims that may be too small to support the
expense of individual, complex litigation.

34. For these reasons, a class action is superior to other available methods
for the fair and efficient adjudication of this controversy. Certification, therefore, is

appropriate under Rule 28(b)(1) or of the Federal Rules of Civil Procedure.

Case Document 1 Filed 11/22/17 Page 10 of 26

VIOLATION OF CALIFORNIA BUSIISDEISTIEND PROFESSIONS CODE ?17200 
UNLAWFUL, UNFAIR 0R FRAUDULENT BUSINESS PRACTICES

85. Plaintiff incorporates by reference the allegations in the preceding
paragraphs as if fully set forth herein.

7 86. Defendants have violated Cal. Bus. and Prof. Code ?17200 et seq. by
engaging in unlawful, unfair or fraudulent business acts and practices and unfair,
deceptive, untrue or misleading advertising that constitute acts of ?unfair
competition? as defined in Cal. Bus. Prof. Code ?17 200.

87. Defendants engaged in unlawful acts and practices With respect to
their services by establishing inadequate security practices 
described herein; by soliciting and collecting Plaintiffs and Class Members? Private
Identifiable Information with knowledge that the information would not be
adequately protected; and by gathering Plaintiffs and Class Members? Private
Identifiable Information in an unsecure electronic environment in violation of
California?s data breach statute, Cal. Civ. Code 1798.815, which requires
Defendants to take reasonable methods of safeguarding the Private Identifiable
Information of Plaintiff and Class Members.

38. In addition, Defendants engaged in unlawful acts and practices With
respect to their services by failing to discover and then disclose the data breach to

Plaintiff and Class Members in a timely and accurate manner, contrary to the

duties imposed by Cal. Civ. Code 1798.82.

10

Case Document 1 Filed 11/22/17 Page 11 of 26

39. To date, Defendants still have not provided sufficient information
regarding the breach to Plaintiff Members.

40. As a direct and proximate result of Defendants unlawful acts and
practices, Plaintiff and Class Members were injured and lost money or property,
including but not limited to the loss of their legally protected interests in the
confidentiality and privacy of their Private Identi?able Information, and additional
losses described above.

41. Defendants knew or should have known that their system had been
breached, that their data security practices were inadequate to safeguard Class
Members? Private Identifiable Information, and that the risk of a data breach or
theft Was signi?cant.

42. Defendants? actions in engaging in the above'narned unlawful practices
and acts were negligent, knowing and willful, and/or wanton and reckless with
respect to the rights of Plaintiff and Class Members.

43. Plaintiff and Class Members seek relief under Cal. Bus. Prof. Code 
17200, et. seq., including, but not limited tot restitution to Plaintiff and Class
Members of money or property that Defendants may have acquired by means of
unlawful and unfair business practices; restitutionary disgorgement of all profits
accruing to Defendants because of their unlawful and unfair business practices;
declaratory relief; attorney?s fees and costs (pursuant to Cal. Code Civ. Proc.

?1021.5); and injunctive or other equitable relief.

,11

Case Document 1 Filed 11/22/17 Page 12 of 26

4-4.

II
BREACH OF CONSUMER PROTECTION STATUTES

Plaintiff incorporates each paragraph of this Complaint as if set forth

fully here, and further alleges as follows.

45.

Plaintiff brings this Count individually, and on behalf of all similarly

Situated residents of each of the 50 States and the District 'of Columbia, for

violations of the reSpective statutory consumer protection laws of these States and

territories, as followsi

a.

11.

Alabama Deceptive Trade Practices Act, Ala.Code 1975, 8?19?1, e15

seq. 

. Alaska Unfair Trade Practices and Consumer Protection Act, 

4560.471, et seq;

Arizona Consumer Fraud Act, A.R.S 441521, et seq;

Arkansas Deceptive Trade Practices Act, ArkCode 4-88-101, et seq;
Colorado Consumer Protection Act, C.R.S.A. ?6-1'101, et seq;
Connecticut Unfair Trade Practices Act, C.G.S.A. 42110, et 53qu
Delaware Consumer Fraud Act, 6 Del. C. 2513, et seq;

DC. Consumer Protection Procedures Act, DC Code 283901, et seq;
Florida Deceptive and Unfair Trade Practices Act, FSA ?501.201, et
seq; I

Georgia Fair Business Practices Act, OCGA 10?1??)90, et seq;

. Hawaii Unfair Competition Law, HRS. 4801, et seq;

Idaho Consumer Protection Act, LC. 48-601, et seq.;

12

Case Document 1 Filed 11/22/17 Page 13 of 26

n1. Illinois Consumer Fraud and Deceptive Business Practices Act, 815
ILCS 501/1, et seq;

n. Indiana Deceptive Consumer Sales Act, IN ST 2450.52, et set};

0. Iowa Private Right of Action for Consumer Frauds Act, Iowa Code
Ann. 71411.1, 61155qu

p. Kansas Consumer Protection Act, ELSA. 50628, et :3qu

(1. Kentucky Consumer Protection Act, KRS 867.110, et seq;

Louisiana Unfair Trade Practices and Consumer Protection Law, 
RS. 5111401, (9155qu

s. Maine Unfair Trade Practices Act, 5 M.R.S.A. et seq;

t. Maryland Consumer Protection Act, MD Code, Commercial Law, 18'
301, et seq;

11. Massachusetts Regulation of Business Practices for Consumers
Protection Act, M.G.L.A. 93A, et seq;

v. Michigan Consumer Protection Act, M.C.L.A. 445.901, et seq;

W. Minnesota Prevention of Consumer Fraud Act, Minn. Stat. 
et seq;

X. Mississippi Consumer Protection Act, Miss. Code Ann. 75241 et
:3qu

y. Missouri Merchandising Practices Act, V.A.M.S. 407, et seq;

3. Montana Unfair Trade Practices and Consumer Protection Act of 1973,

Mont. Code Ann. 80*14'101, et :3qu

18

Case Document 1 Filed 11/22/17 Page 14 of 26

aa. Nebraska Consumer Protection Act, Neb.Rev.St. 59-1601, 8155;qu

lbb. Nevada Deceptive Trade Practices Act, N.R.S. 4.1.600, et seq;

cc. New Hampshire Regulation of. Business Practices for Consumer
Protection, 358-A11, et seq;

dd. New Jersey Consumer Fraud Act, N.J.S.A.L 568, et .3qu

cc. New Mexico Unfair Practices Act, N.M.S.A. 57-12-21, et seq;

ff. New York Consumer Protection from Deceptive Acts and Practices,
NY. GBL (McKinney) 349, et seq;

gg. North Carolina Unfair and Deceptive Trade Practices Act, NC. Gen
etseqi

hh. North Dakota Consumer Fraud Act, ND. Cent.Code Chapter 5115, at
seqj

ii. Ohio Consumer Sales Practices Act, RC. 1345.01, et :3qu

jj. Oklahoma Consumer Protection Act, 15 O.S.2001, 751, et seq;

kk. Oregon Unlawful Trade Practices Act, ORS 646.605, et seq;

ll. Unfair Trade Practices and Consumer Protection Law,
73 PS. 201-1, et seq;

mm. Rhode Island Deceptive Trade Practices Act, G.L.1956 613.1-
5.203), et seq;

nn. South Carolina Unfair Trade Practices Act, SC Code 1976, 

et seq;

14

46.

Case Document 1 Filed 11/22/17 Page 15 of 26

on. South Dakota Deceptive Trade Practices and Consumer Protection Act,
SDCL 37241, 6165*qu

pp. Tennessee Consumer Protection Act, T.C.A. ?i47 "18101, et seq; 7

qq. Texas Deceptive Trade PracticesConsumer Protection Act, V.T.C.A.,
Bus. 8; C. 1741, et seq;

rr. Utah Consumer Sales Practices Act, UT ST 18111, et seq;

ss. Vermont Consumer Fraud Act, 9 V.S.A. 2451, et seq;

tt. Virginia Consumer Protection Act of 1977, VA ST 59.1-196, et seq;

uu. Washington Consumer Protection Act, RCWA 19.86.010, et seq;

VV. West Virginia Consumer Credit And Protection Act, .Va.Code 

1101, et sec};

WW. Wisconsin Deceptive Trade Practices Act, WISSTAT. 10018, et
seq.; and

XX. Wyoming Consumer Protection Act, ST 40?12?101, et seq.

Defendants violated the statutes set forth above (collectively, the

?Consumer Protection Acts?) by failing to properly implement adequate,

commercially reasonable security measures to protect Plaintiffs and Class

Members? personal information, and by allowing third parties to access Plaintiffs

and Class Members? personal information.

47.

Defendants further violated the Consumer Protection Acts by failing to

disclose to the consumers that their data security practices were inadequate, thus

inducing consumers to schedule and book rides through Defendants.

15

Case Document 1 Filed 11/22/17 Page 16 of 26

48. Defendants? acts and/or omissions constitute fraudulent, deceptive,
and/or unfair acts or omissions under the Consumer Protection Acts.

49. Plaintiff and Class Members were deceived by Defendants? failure to
properly implement adequate, commercially reasonable security measures to
protect their personal information.

50. Defendants intended for Plaintiff and Class Members to rely on
Defendants to protect the information furnished to it in connection with debit and
credit card transactions and/or otherwise collected by Defendants, in such manner
that Plaintiffs and Class Members? personal information would be protected, secure
and not susceptible to access from unauthorized third parties.

51. Defendants instead handled Plaintiffs and Class Members? personal
information in such manner that it was compromised.

52. Defendants failed to follow industry best practices concerning data
security or was negligent in preventing the data breach from occurring.

58. It was foreseeable that Defendants? willful indifference or negligent
course of conduct in handling personal information they collected would put that
information at the risk of compromise by hackers.

54. On information and belief, Defendants benefited from mishandling the
personal information of their customers, by not taking effective measures to secure

this information, and therefore saving on the cost of providing data security.

16

Case Document 1 Filed 11/22/17 Page 17 of 26

55. Defendants? fraudulent and deceptive acts and omissions were
intended to induce Plaintiff and Class Members? reliance on Defendants deception
that their personal information was secure.

56. Defendants? conduct offends public policy and constitutes unfair acts or
practices under the Consumer Protection Acts because Defendants caused 
substantial injury to Plaintiff and Class Members that is not offset by
countervailing bene?ts to consumers or competition, and is not reasonably
avoidable by consumers.

57. Defendants? acts or practice of failing to employ reasonable and
appropriate security measures to protect their customers? and employees personal
information constitute violations of the Federal Trade Commission Act, 15 U.S.C. 
45(a), which the courts consider when evaluating claims under the Consumer
Protection Acts, including 815 ILCS 505/2.

58. Defendants? conduct constitutes unfair acts or practices as defined'in
the Consumer Protection Acts because Defendants caused substantial injury to
Plaintiff and Class Members, which injury is not offset by countervailing benefits to
consumers or competition and was not reasonably avoidable by consumers.

59. Plaintiff and Class Members have suffered injury in fact and actual
damages including lost money and property as a result of Defendants? Violations of
the Consumer Protection Acts.

60. Defendants? fraudulent and deceptive behavior proximately caused

Plaintiff and Class Members? injuries, and Defendants conducted themselves with

17

Case Document 1 Filed 11/22/17 Page 18 of 26

reckless indifference toward the rights of others, such that an award of punitive
damages is appropriate.

61. I Defendants? failure to disclose information concerning the Data Breach
directly and to affected customers and employees, constitutes a separate
fraudulent act or practice in violation of the Consumer Protection Acts,

62. Plaintiff seeks attorney?s fees and damages to the fullest extent
permitted under the Consumer Protection Acts, including NY. G.B.L. 349(h).

9w
BREACH OF FIDUCIARY DUTIES

63. By virtue of their possession, custody and/or control of Plaintiffs and
Class Members? personal information, and their duty to properly monitor and
safeguard it, Defendants were, and continue to be, in a confidential, special and/or
fiduciary relationship with Plaintiff and Class Members. As fiduciaries, Defendants
owed, and continue to owe, Plaintiff and Class Members:

a) the commitment to deal fairly and honestly;
b) the duties of good faith and undivided loyalty; and
c) integrity of the strictest kind.

64. Defendants were, and continue to be, obligated to exercise the highest
degree of care in carrying out their responsibilities to Plaintiff and Class Members
under such confidential, special and/or fiduciary relationships.

65. Defendants breached their fiduciary duties to Plaintiff and Class
Members by, inter alia, improperly storing, monitoring and/or safeguarding

Plaintiffs and Class Members? personal information.

18

Case Document 1 Filed 11/22/17 Page 19 of 26 -

66. To the extent that Defendants are fiduciaries who did not breach the
duties outlined above, Defendants are nonetheless liable because they had
knowledge of the breachesof fiduciary duty committed by other fiduciaries, and did i
not make reasonable efforts under the circumstances to remedy such. fiduciary
breaches.

67. To the extent that Defendants are not fiduciaries, Defendants are
nonetheless liable because they engaged in transactions with a breaching fiduciary
under circumstances in which they knew, or should have known, about such
?duciary breaches.

68. Defendants breached their fiduciary duties to Plaintiff and'Class
Members by their wrongful actions described above. Defendants willfully and
wantonly breached their fiduciary duties to Plaintiff and Class Members or, at the
very least, committed these breaches with conscious indifference and reckless
disregard of their rights and interests.

COUNT IV
NEGLIGENCE

69. Plaintiff incorporates each paragraph of this Complaint as if set forth
fully here, and further alleges as follows.

70. Defendants were, and continue to be, in confidential, special and/or
fiduciary relationships with Plaintiff and Class Members by Virtue of being
entrusted with their personal information. At the very least, therefore, Defendants
assumed a duty, and had duties imposed upon them by regulations, to use

reasonable care to keep Plaintiff and Class Members? information private and

19

Case Document 1 Filed 11/22/17 Page 20 of 26

secure, including a duty to comply With applicable PCI data security standards,
statutes land/or regulations.

71. I Defendants also had a duty to timely inform Plaintiff and Class
Members of the breach and the fact that their personal information had been stolen
and/or compromised, and, upon learning of the breach, a duty to take immediate
action to protect Plaintiff and Class members from the foreseeable consequences of
the breach. By their acts and omissions describes therein, Defendants unlawfully
breached their duty, and Plaintiff and Class Members were harmed as a direct
result.

72. Defendants knew, or should have known, that their system for
processing and storing consumers? personal information had security 
vulnerabilities. Defendants were negligent by continuing to accept, process and
store such information in light of these computer network vulnerabilities and the
sensitivity of the personal information stored within.

7 3. The breach, and the resulting damages suffered by Plaintiff and Class
Members, were the direct and proximate result of a number of actions and
omissions, including but not limited tol

a) Defendants? improper retention and storage of Plaintiffs and Class
Members? personal information;

b) Defendants? failure to use reasonable care to implement and maintain
appropriate security procedures reasonably designed to protect such

information;

20

Case Document 1 Filed 11/22/17 Page 21 of 26

c) Defendants? delay in notifying Plaintiff and Class Members about the
breach for more than ayear; and

d) Defendants? failure to take immediate and effective actionw to protect
Plaintiff and Class members from potential and foreseeable damage.

74. Defendants? wrongful actions constitute negligence.

75. When Defendants gathered and transmitted consumers? personal
information, they came into the possession, custody and control of this sensitive
information and as such, were and continue to be in confidential, special and/or
fiduciary relationships with Plaintiff and Class Members. At the very least,
Defendants had a duty to monitor and safeguard such information to keep it private
and secure. including a duty to ensure that Defendants complied with applicable
PCI data security standards, statutes and/or regulations. 2

76. Defendants knew, or should have known, that their network for
processing and storing consumers? personal information had security
vulnerabilities. Defendants were negligent in continuing to process such
information in light of those vulnerabilities and the sensitivity of the information.

77. The breach was a direct and/or proximate result of Defendants? failure
to use reasonable care to ensure that they maintained appropriate security
procedures reasonably designed to protect Plaintiffs and Class Members? personal
information. Defendants? wrongful conduct constitutes negligence.

78. Plaintiff and Class Members have not in any way contributed to the

security breach or the compromise or theft of their personal information.

21

Case Document 1 Filed 11/22/17 Page 22 of 26

COUNT 
NEGLIGENCE PER SE

 

?79. Plaintiff incorporates each paragraph of this Complaint as if set forth
fully here, and further alleges as follows.

80. Pursuant to the Gramm-Leach-Bliley Act (the 15 U.S.C. 6801,
and related California consumer data protection statutes, Defendants had a duty to
protect and keep consumers? personal information secure, private and confidential.

81. Defendants violated these Acts by not adequately safeguarding
Plaintiffs and Class Members? Sensitive Personal Information; and monitoring and
ensuring that Defendants complied with PCI data security standards, card
association standards, statutes and/or regulations designed to protect such
information.

82* Defendants also failed to comply with PCI data security standards,
statutes and regulations prohibiting the storage of unprotected personal
information.

83. Defendants? failure to comply with these Acts, industry standards
and/or regulations constitutes negligence per se.


BREACH OF CONTRACT

 

84. Plaintiff incorporates each paragraph of this Complaint as if set forth

fully here, and further alleges as follows.

22

Case Document 1 Filed 11/22/17 Page 23 of 26

85. Plaintiff and Class Members were parties to actual or implied
contracts with Defendants that required Defendants to properly safeguard their
personal information from theft, compromise and/or unauthorized disclosure.

86. Additionally, Plaintiff and Class Members were third party
beneficiaries to contracts and/or agreements by and between Defendants and other
institutions and networks. These agreements required Defendants to properly
safeguard personal information from theft, compromise and unauthorized
disclosure.

87. Defendants breached their agreements with Plaintiff and Class
Members by failing to properly safeguard personal information from theft,
compromise and/or unauthorized disclosure. Defendants? wrongful conduct
constitutes breach of contract.


BAILMENT

88. Plaintiff incorporates each paragraph of this Complaint as if set forth
fully here, and further alleges as follows.

89. Plaintiffs and Class Members? personal information is their personal
property, which they delivered to Defendants for the sole and specific purpose of
compiling and/or transmitting credit information.

90. Defendants accepted Plaintiffs and Class Members? personal
information. As a bailee, Defendants owed a duty to Plaintiff and Class Members
and, in fact, had an express and/or implied contract with them, to properly protect

their personal information from theft, compromise and/or unauthorized disclosure.

28

Case Document 1 Filed 11/22/17 Page 24 of 26

91. Defendants breached their duty and/or express and implied contracts
TWith Plaintiff and Class Members by, inter alia, improperly storing and
inadequately protecting their personal information from theft, compromise and/or
unauthorized disclosure, which directly and proximately caused Plaintiff and Class
Members to suffer damages,

92. Defendants? wrongful actions constitute breaches of their duty to
(and/or express and/or implied contracts with Plaintiff and Class Members arising
from the bailment.

REQUESTED RELIEF

 

93. As a direct and/or proximate result of Defendants? wrongful conduct,
Plaintiff and Class Members have sustained, and Will continue to sustain, damages

in the form of:

a) the unauthorized disclosure and/or compromise of their personal
information;
b) monetary losses and damage to credit from fraudulent charges

made on their accounts; and

c) the burden and expense of credit monitoring,
94. Plaintiff and Class Members? damages were reasonably foreseeable by
Defendants.
95. Plaintiff and Class Members are entitled to equitable relief to prevent

any additional harm including, but not limited to, provision of credit monitoring

services for a period of time to be determined by the trier of fact.

Case Document 1 Filed 11/22/17 Page 25 of 26

96. Plaintiff and Class Members are entitled to recover their reasonable

and necessary attorneys? fees, litigation expenses and court costs.

WHEREFORE, Plaintiff, on behalf of herself and all other similarly situated

Class Members, respectfully requests that this Court3

a) Certify this action as a class action pursuant to Rule 23(b)(3) of
the Federal Rules of Civil Procedure, appoint Plaintiff as
representative of the Class, and appoint Plaintiffs counsel as
Class Counsel;

b) Enter judgment in favor of Plaintiff and the Class against
Defendants under the legal theories alleged herein;

0) Award damages and/or equitable relief in an amount to be
determined by the trier of fact;

Award attorneys? fees, expenses and costs of suit;

e) Award prejudgrnent and post'judgment interest at the
maximum rate allowed by law; and

g) Such other and further relief as to this Court may deem
necessary, just and proper.

Date1 November 22, 2017 Respectfully submitted

  

WW

Dianne M. Nest (PA Atty. ll) No 24424)
Daniel N. Gallucci
oanne E. Matusko

 

25

Case Document 1 Filed 11/22/17 Page 26 of 26

Joseph N. Roda

NASTLAW, LLC 
1101 Market Street, Suite 2801
Philadelphia, 19107
Telephone: (215) 923-9300
Facsimile: (215) 9239802
Email: dnast@nast1aw.com

jmatuek0@nast1aw.com


Attorneys for Plaintiff

26