Case Document 1-1 Filed 07/30/19 Page 1 of 2 PagelD# 50 )5 44 (Rev. 02119) The JS 44 civil cover sheet and the information contained herein neither rep provided by local rules ot'coun. This form, approved by the Judicial Conference of the CIVIL COVER SHEET lace nor sup?ern I . titted States in 1974, is reqwrc purpose of initiating the civil docket sheet. (SEE INSTRUCTIONS ON NEXT PAGE OF THIS FORM.) t. DuWayne Baird, individually and on behalf of all other similarly situated PLAINTIFFS individuais. County of Resideme of First Listed Plaintiff IN US. PLAINTIFF Morgan Morgan Attorneys (F'fr?rn??lame. riddresr. pm! Teleph m: Nuirrber) omp ex Litigation roup 201 N7 Franklin Street, 7th Floor, Tampa, FL 33602 813?223~5505 DEFENDANTS Bank (USA) NOTE: Attorneys County ol?Residence of First Listed Defendant out the ?lin and service of pleadings or other papers as re uired by law. except as tl for the use of the alerk ofCourt for the Capitai One Financial Corporation. Capitai One, NA. and Capital One Fam?iizty U. 5.7 PM INTIFF CASES UNI. to! LAND CONDEMHATION CASES. USE THE LOCATION OF THE OF LAND II. BASIS OF JURISDICTION {Hat-e on "mane BuxOnb?) CI 0 I US. Government Pinion 2 .3 Government Defendant if 3 Federal Question (US. Government Nat tr Party) :1 4 Diversity {Indicate Cirizertrhip ofPartieS in Item Ill) 0F (Place an in One Hm?ir Plainti? ?ier Diversity Cares Only) and One Box I 1hr Defendant) FTP DEF PTF DEF Citizen State Incorporated or Principal Piano 0 4 15 4 of Business In This State Citizen of?tnothcr Slate I5 2 2 Incorporated and Principal Piece CI 5 El 5 of Business In Another State tL?itizenorSuhiect ol?a CI 3 Cl 3 Foreign Nation 6 6 Foreivn r?ounir. IV. RE 0F SUIT (Place an in One 50: on?) Click here for: Nature oi" Suit Code Desert prions. 555 Prison Condition Cl 560 Civil Detainee - Conditions of Confinement Cl 448 Education wva 'ronTs mm'ni?sr?TFES?J 1 l0 insurance PERSONAL INJURY INJURY 625 Drug. Related Seizure 422 Appeal 28 USC 153 375 False Claims CI Marine CI BIO Airpiane El 365 Personal Injury - oi" l?rope?y 2! USC RBI 423 Wittniruwai 376 Qui Tam USC 130 Miller Act 0 315 Airplane Product Product Liability CI 690 Other 23 USC I57 3729(3)) El 140 Negotiable Instrument Liabitity 367 Health Care! Cl 400 State Reapportionment Cl ISO Recovery of Overpayment 320 Assault, Libel Pharmaceutical I'ltf'l'l it'll-THIS ITI 410 Antitrust Enforcement of Judgment Slander Personal injury 53 320 Copyrights 430 Banks and Banking :1 [Si Medicare Act El 330 Federal Employers? Product Liability CI 830 Patent 450 Commerce II I52 Renovery of Defaulted Liability 368 Asbestos Personal 3 335 Patent - Abbreviated 1860 Deportation Student Loans CI 340 Marine injury Product New Drug Appliqation 470 Racketeer in?uenced and (Excludes Veterans) El 345 Murine Product Liability 840 Tradeka Corrupt Organiza?gns CI l53 Recovery ol?OverpaymcrIt Liability PERSONAL PROPERTY L4- h? Iii- "i'fl? 'Ir?t1 ?i?f liiti'i't' Cl 480 Consumer Credit of Veteran's Bene?ts C) 350 Motor Vehicle 370 Other Fraud [3 7 it) Fair Labor Standards Ci Sol ?39511) if] 485 Telephone Consumer :60 Stockholders' Suits 0 355 Motor Vehicle {3 Truth in Lending Act 862 Black Lung (923] Protection Act 0 [90 Other Contract Product Liability CI 380 Other Personal II 720 LaMrleagement 863 (405(g)) 490 CubielSat TV [3 ms Contract Product El 360 Other Personal Property Damage Relations Ci 864 Title Cl 850 Securiticleornmoditiesf l96 Franchise luju 385 Property Damage Cl Railway Labor Act II) 8&5 RSI Exchange 0 362 Personal Injury - Product Liability 'l'Sl Family and Medical 6? 890 Other Statutory Actions Medical Malpractice Leave Act CI 891 Agricultural Acts HEAL mop??tw (:1er mom PRISONER 790 Other Labor Litigation FEDEMLTAX sons 0 393 Environmental Matters 2 0 Land Condemnation Cl 440 Other Civil Rights Rubens Corpus: CI 79! Employee Retirement CI 870 Taxes (US. Plaintiff 895 Freedom oflnl?omunon it 220 Foreciosurt: Cl 44l Voting. Cl 463 Alien Detainee income Security Act or Defendant) Am 230 Rom Lease cit Ejeennent 442 Employment CI 5 l0 Motions to Vacate CI 87! lRS??Third Party [3 896 Arbitration C) 240 Torts to Land 443 Housing] Sentence 26 7509 El 39?) Administrative Procedure I3 245 ?Tort Product Liability Accommodations :3 530 General Acu?Review or Appeal 9f Cl 290 All Either Real Property El 445 Amen wlDisabilities - Ci 535 Death Penalty IMMIGHATIDN Agency Decision Employment Other: 452 Naturalization Application 0 950 Constitutionality of El 446 Amer. wlDisubilil?ics - 5-10 Mandamus 8: Other Cl 465 Other State Statutes Other Ci 550 Civil Rights Actions V. ORIGIN (Place Reinstated or 13 5 'l?ransfe rred from El 6 Multidistriot l3 8 Multidisuict RECEIPT ti Original i3 2 Removed from 3 Remanded from Proceeding State Court Appellate Court Reopened Another Dismcr Litigation - Litigation - (spent;ij Transfer Direct Pile (gloat: Ug. uAnder gnaw}; fling ({Jo irmr eitejnrivdictinna! reunites-unless diversifyCAUSE OF ACTION Brieldescription ofcuuse: Data Breach VII. REQUESTED IN CHECK IF THIS ts A ACTION DEMAND CHECK YES only ifdemanded in complaint: COM PLAINT: UNDER RULE 23, JURY DEMAND: 2t ves mic RELATED IF ANY ?S?ee intrrutriom}. JUDGE I - DOCKET NUMBER DATE SIGNATURE OF ATTORNEY OF RECORD 07/30/2019 15! John G. Harnishfeger r771: omr use ONLY n? AMOUNT APPLYING IFP JUDGE MAG. JUDGE Case 1:19-cv-00979 Document 1-1 Filed 07/30/19 Page 2 of 2 PagelD# 51 IS 44 Reverse (Rev. Ill/l9) INSTRUCTIONS FOR ATTORNEYS COMPLETING CIVIL COVER SHEET FORM .18 44 Authority For Civil Cover Sheet The IS 44 civil cover sheet and the information contained herein neither replaces nor supplements the ?lings and service of pleading or other papers as required by law, except as provided by local rules of court. This form, approved by the Judicial Con ferencc of the United States in September 1974, is required for the use of the Clerk of Court for the purpose of initiating the civil docket sheet. Consequently, a civil cover sheet is submitted to the Clerk of Court for each civil compiaint filed. The attorney ?ling a case should complete the form as follows: Plaintiffs-Defendants. Enter names (last, ?rst, middle initial) of plaintiff and defendant. If the plaintiff or defendant is a agency, use only the full name or standard abbreviations. If the plaintiff or defendant is an of?cial within a government agency, identify ?rst the agency and then the official, giving both name and title. County of Residence. For each civil case ?led, except U.S. plaintiff cases, enter the name of the county where the ?rst listed plaintiff resides at the time of ?ling. in 1.1.5. plaintiff cases, enter the name of the county in which the first listed defendant resides at the time offiling. (NOTE: In land condemnation cases, the county of residence of the "defendant" is the location of the tract of land involved.) Attorneys. Enter the ?rm name, address, telephone number, and attorney of record. lftherc are several attorneys, list them on an attachment, noting in this section "(see attachment)". Jurisdiction. The basis ofjurisdiction is set forth under Rule which requires that jurisdictions be shown in pleadings. Place an in one of the boxes. If there is more than one basis of jurisdiction, precedence is given in the order shown below. United States plaintiff. Jurisdiction based on 28 U.S.C. l345 and B48. Suits by agencies and adhere of the United States are included here. United States defendant. (2) When the plaintiff is suing the United States, its of?cers or agencies, place an in this box. Federai question. (3) This refers to suits under 28 U.S.C. 133i, where jurisdiction arises under the Constitution of the United States, an amendment to the Constitution, an act of Congress or a treaty of the United States. In cases where the U.S. is a party, the U.S. plaintiff or defendant code takes precedence, and box or 2 should be marked. Diversity of citizenship. (4) This refers to suits under 28 U.S.C. I332. where parties are citizens of different states. When Box 4 is checked. the citizenship of the different parties must be checked. (See Section below; NOTE: federal question actions take precedence over diversity cases.) Ill. Residence (citizenship) of Principal Parties. This section ofthe IS 44 is to be completed ifdiversity was indicated above. Mark this section for each principal party. W. Nature of Suit. Place an in the appropriate box. If there are multiple nature of suit codes associated with the case, pick the nature of suit code that is most applicable. Click here for: Nature of Suit Code De?f?tiontl. v. Origin. Place an in one of the seven boxes. Original Proceedings. (1) Cases which originate in the United States district couns. Removed from State Court. (2) Proceedings initiated in state courts may be removed to the district ocurts under Title 28 U.S.C., Section 144]. Remanded from Appellate Court. (3) Check this box for cases remanded to the district court for further action. Use the date of remand as the ?ling date. Reinstath or Reopened. (4) Check this box for cases reinstated or reopened in the district court. Use the reopening date as the ?ling date. Transferred from Another District. (5) For cases transferred under Title 28 U.S.C. Section l404(a). Do not use this for within district transfers or multidistrict litigation transfers. Multidistn'ct Litigation Transfer. (6) Check this box when a inultidistrict case is transferred into the district under authority of Title 28 U.S.C. Section 1407. Multidistrict Litigation Direct File. (8) Check this box when a multidistrict case is ?led in the same district as the Master MDL docket, FLEASE NOTE THAT THERE IS NOT AN ORIGIN CODE 7. Origin Code 7 was used for historical records and is no longer relevant due to changes in statue. VI. Cause of Action. Report the civil statute directly related to the cause of action and give a brief description of the cause. Do not cite jurisdictional statutes unless diversity. Example: U.S. Civil Statute: 47 USC 553 Brief Description: Unauthorized reception of cable service VII. Requested in Complaint. Class Action. Place an in this box if you are ?ling a class action under Rule 23, Demand. in this space enter the actual dollar amount being demanded or indicate other demand. such as a preliminary injunction. Jury Demand. Check the appropriate box to indicate whether or nol ajury is being demanded. Related Cases. This section of the 18 44 is used to reference related pending cases. if any. if there are related pending cases. insert the docket numbers and the corresponding judge names for such cases. Date and Attorney Signatu rc. Date and sign the civil cover sheet. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 1 of 49 PagelD# 1 IN THE UNITED STATES DISTRICT COURT EASTERN DISTRICT OF VIRGINIA ALEXANDRIA DIVISION DuWayne Baird individually and on behalf of Case No.: all other similarly situated individuals, CLASS ACTION COMPLAINT Plaintiff, JURY TRIAL DEMANDED v. INJUNCTIVE RELIEF DEMANDED Capital One Financial Corporation, Capital One, N.A. and Capital One Bank (USA) Defendants. Plaintiff DuWayne Baird (?Plainti??), individually and on behalf of all others similarly situated, allege upon personal knowledge of the facts respectively pertaining to their own actions, and upon information and belief as to all other matters, by and through their undersigned counsel, hereby bring this Class Action Complaint against Defendant, Capital One Financial Corporation and its two primary subsidiaries Capital One, NA. and Capital One Bank (USA) collectively, ?Capital One?). NATURE OF ACTION 1. Plaintiff asserts this class action against Capital One for its failure to exercise reasonable care in securing and safeguarding consumers? sensitive personal information, including the names, addresses, phone numbers, dates of birth, credit scores, credit limits, account balances, payment histories, social security numbers, and bank account numbers (collectively, 2. On July 29, 2019, Capital One announced that on ?July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal infonnation relating to people who had applied for its credit card products and to Capital Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 2 of 49 PagelD# 2 One credit card customers.?1 The United States Federal Bureau of Investigations related that an individual accessed the P11 by exploiting one of Capital One?s miscon?gured ?rewalls, which allowed her to access a Capital One cloud repository and ex?ltrate the P11 of approximately 100 million consumers in or around March 2019 (the ?Data 3. The hacker, known as Paige A. Thompson, who used the handle ?erratic,? posted the PH of these approximate 100 million consumers to her GitI-Iub account on April 21, 2019, which was free and available for any user on the internet to download and further exploit.3 4. In addition to Capital One?s failure to prevent the Data Breach, Capital One also failed to detect the breach for approximately three months. Upon information and belief, the posted PH of approximately 100 million consumers on Thompson?s GitHub account remained exposed until at least July 17, 2019, when an unidenti?ed tipster informed Capital One of the posting by emailing the bank?s responsible disclosure address with a brief waming and a link to the GitI-Iub address.4 5. The Data Breach was the result of Capital One?s inadequate approach to data security and protection of PH that it collected during the course of its business. The de?ciencies in Capital One?s data security were so signi?cant that the miscon?gured ?rewall permitted access to any consumer or small business that applied for one of Capital One?s credit card products ?om I Overview Frequently Asked Questions, Capital One, (July 29, 2019), Available at hit; 91/ (hereinafter the ?Breach Noti?cation?). 2 Harrer, Andrew, The Alleged Capital One Hacker Didn ?t Cover Her Tracks, Wired (July 29, 2019). Available at dam?af- 3 Id. 4 Id. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 3 of 49 PagelD# 3 2005 through early ZOE?approximately fourteen years of data left unprotected and exposed for any malicious actor to access, download, and exploit.5 6. Capital One disregarded the rights of Plaintiff and the Class (de?ned below) by: intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected; failing to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard customer failing to take available steps to detect and prevent the Data Breach; failing to monitor and timely detect the Data Breach; and failing to provide Plaintiff and the Class prompt and accurate notice of the Data Breach. 7. As a result of Capital One?s Data Breach, Plainti??s and Class members? PII have de?nitively been exposed to criminals for misuse. The injuries Plaintiff and the Class suffered as a direct result of the Data Breach include: i. theft of personal and ?nancial information; costs associated with the detection and prevention of identity theft and unauthorized use of ?nancial accounts; damages arising from the inability to use debit or credit card accounts because accounts were suspended or otherwise rendered unusable as a result of fraudulent charges stemming Earn the Data Breach, including but not limited to foregoing cash back rewards; iv. damages arising from the inability to withdraw or otherwise access funds because accounts were suSpended, restricted, or otherwise rendered unusable as a result of the Data Breach, including, but not limited to, missed 5 Breach Noti?cation, supra n.1. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 4 of 49 PagelD# 4 vi. vii. 8. bill and loan payments, late-payment charges, and lowered credit scores and other adverse impacts on credit; costs associated with spending time to address and mitigate the actual and ?iture consequences of the Data Breach such as ?nding fraudulent charges, cancelling and reissuing payment cards, purchasing credit monitoring and identity the? protection services, imposition of withdrawal and purchase limits on compromised accounts, including, but not limited to, lost productivity and opportunities, time taken from the enjoyment of one?s life, and the inconvenience, nuisance and annoyance of dealing with all issues resulting from the Data Breach; the imminent and certainly impending injury resulting from the potential fraud and identity theft posed by PII being exposed for theft and sale on the dark web; damages to and diminution in value of P11 entrusted to Capital One for the sole purpose of purchasing products and services ?om Capital One; and the loss of Plaintiffs and Class members? privacy. The injuries Plaintiff and the Class suffered were directly and proximately caused by Capital One?s failure to implement or maintain adequate data security measures for SP1. 9. Plaintiff and the Class retain a signi?cant interest in ensuring that their PII, which remain in Capital One?s possession, are protected from further breaches, and seek to remedy the harms suffered as a result of the Data Breach for themselves and on behalf of similarly situated consumers whose PII was stolen. Case Document 1 Filed 07/30/19 Page 5 of 49 PagelD# 5 10. Plaintiff; individually and on behalf of similarly situated consumers, seek to recover damages, equitable relief, including injunctive relief designed to prevent a reoccurrence of the Data Breach and resulting injuries, restitution, disgorgement, reasonable costs and attorneys? fees, and all other remedies this Court deems proper. PARTIES 11. Plaintiff DuWayne Baird is a citizen of Ohio. 12. Defendant Capital One Financial Corporation is a Delaware corporation with its principal place of business located at 1680 Capital One Drive, McLean, Virginia. It offers a broad spectrum of ?nancial products and services to consumers including credit cards and is among the biggest banks in the United States with $373.6 billion in total assets as of 2019. Capital One Financial Corp. operates through its two primary subsidiaries Capital One Bank (USA) and Capital One, NA. 13. Capital One Bank (USA), National Association is one of Capital One Financial Corporation?s two principal subsidiaries. It offers a variety of credit and debit card products to consumers. 14. Capital One, National Association is one of Capital One Financial Corporation?s two principal subsidiaries. It offers a broad spectrum of banking products and ?nancial services to consumers small businesses and commercial clients. JURISDICTION 15. This Court has jurisdiction pursuant to 28 U.S.C. 1332(d)(2) (?The Class Action Fairness Act?) because suf?cient diversity of citizenship exists between parties in this action, the aggregate amount in controversy exceeds $5,000,000, exclusive of interests and costs, and there Case Document 1 Filed 07/30/19 Page 6 of 49 PagelD# 6 are 100 or more members of the Class, pursuant to Capital One?s admission that approximately 100,000,000 consumers were affected by the Data Breach. 16. This Court has personal jurisdiction over Capital One because its principal place of business is in the Eastern District of Virginia, and Capital One is authorized to and regularly conducts business in the Eastern District of Virginia. 17. Venue is proper in this District pursuant to 28 U.S.C. 1391(b)(1) 85 (2) because Capital One is 'a corporation, has its principal place of business in this District, and a substantial part of the events and omissions giving rise to this action occurred in this District. FACTUAL ALLEGATION A. The Banking System is a Constant Target for Malicious Actor 18. Data breaches have become widespread. In 2016, the number of US data breaches surpassed 1,000, representing a record high and a forty percent increase from the previous year. 6 In 201??r a new record high of 1,579 breaches was reached representing a 44.7% increase over 2016.7 The banking sector remained a high target among cyber criminals with 135 data breaches in 2018 alone.3 19. ?The risk of cyberattack on ?nancial services ?rms cannot be overstated? as ?nancial services companies ?fall victim to cybersecurity attacks 300 times more frequently than 5 Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report From Identity Zhe?? Resource Center and CyberScout (J an. 19, 2017), available at (last visited January 23, 2019). 7 Identity Theft: Resource Center, 2017 Annual Data Breach Year-End Review, available at 7-data?breachesl (last visited January 23, 2019). 3 Identity Theft Resource Center, End of Year Data Breach Report (2018). Available at g2018?data?breachesf. Case Document 1 Filed 07/30/19 Page 7 of 49 PagelD# 7 businesses in other industries.? Indeed, ??nancial institutions have long been a lucrative target for cybercriminals because of the massive volumes of data and money that can be A recent study from the cybersecurity ?rm Intsights con?rmed that the Banking and Financial sectors were hit with a constant stream of cyber-attacks when compared to other sectors.? 20. The consequences to affected consumers are signi?cant as sensitive personal and ?nancial infonnation is exposed. It is ?irther exacerbated when, as here, compromised PII includes Social Security numbers which make it possible for thieves to ?le fraudulent tax returns, ?le for unemployment bene?ts, or apply for a job using a false identity. '2 Each of these ?audulent activities is dif?cult to detect and may not be uncovered until the number has been used in a ?'audulent transaction. Moreover, it is no easy task to change or cancel a stolen Social Security number. Even then, a new Social Security number may not be effective, as ?[t]he credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.?13 9 Forbes, Laughing All The Way The Bank: Cyberc?minals Targeting US. Financial Institutions, August 28, 2018. Available at 1? Help Net Security, Increasing number of ?nancial institutions falling prey to cyber Attacks, November 9, 2016. Available at .com/2016/1 I/OQ/?nangial- CISO MAG, Banking and Financial sectors are prime target for hackers, May 3, 2019 survex (last visited July 30, 2019). ?2 The United States Government Accountability Of?ce explained that theft involving social security numbers is the most insidious not only because it often takes time for the victim to become aware of the thett, but that as a result they will often face ?substantial costs and inconveniences repairing damage to their credit records. . .[and their] good name.? Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown, GAO (June 2007), available at (the visited March 21, 2019). 13 Victims of Social Security Number The? Find It?s Hard to Bounce Back, NPR, Brian Naylor, Feb. 9, 2015, available at (last visited February 13, 2019). Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 8 of 49 Page D# 8 21. Capital One knew the importance of safeguarding patient PII entrusted to it and of the foreseeable consequences if its data security systems were to be breached, including the signi?cant costs that would be imposed on its customers as a result of a breach. B. Plaintiff?s Transaction with Capital One 22. In or about December 2011, Plaintiff Baird applied for a credit card with Capital 23. Since the announcement of the Data Breach, Plaintiff Baird continues to monitor his accounts in an effort to detected and prevent any misuses of his personal information. 24. Plaintiff Baird has, and continues to, spend his valuable time to protect the integrity of his ?nances and credit time which she would not have had to expend but for the Data Breach. 25. Plaintiff Baird would not have applied for a credit card with and provided PII to Capital One during the period of the Data Breach had Capital One disclosed that it lacked adequate computer systems and data security practices to safeguard eonsumers? PII from theft. 26. Plaintiff suffered actual injury from having his PII stolen as a result of the Data Breach. 27. Plaintiff Baird suffered actual injury and damages in paying money to, and purchasing products through, Capital One?s business during the Data Breach paying interest on credit cards, paying minimum balance fees, and other banking fees), expenditures which he would not have made with Capital One had Capital One disclosed that it lacked computer systems and data security practices adequate to safeguard consumers? PII from theft. 28. Plaintiff Baird suffered actual injury in the form of damages to and diminution in the value of his form of intangible property that the Plaintiff entrusted to Capital One for Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 9 of 49 PagelD# 9 the purpose of applying for and using Capital One?s products, which was compromised in and as a result of the Data Breach. 29, Plaintiff Baird suffered lost time, annoyance, interference, and inconvenience as a result of the Data Breach, and has concerns for the loss of his privacy. 30. Plaintiff Baird has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting ?orn his P11 being placed in the hands of criminals. 31. Plaintiff Baird has a continuing interest in ensuring his PII, which remains in the possession of Capital One, is protected and safeguarded from future breaches. C. Capital Ono?s Customer Data Collection Practices 32. Capital One is a for-pro?t corporation and one of the largest banking institutions in the United States. 33. As part of applying for a credit card and other ?nancial services, consumers provide banks their names, addresses, social security numbers, and other valuable, sensitive, and private P11. 34. At all relevant times, Capital One was well-aware, or reasonably should have been aware, that the P11 collected, maintained, and stored from the applications is highly sensitive, susceptible to attack, and could be used for Wrongful purposes by third parties, such as identity theft and ?aud. 35. Banking repositories and databases are popular targets for cyberattacks, especially given the extremely sensitive nature of the P11 stored on those repositories and databases. The ?equency and prevalence of attacks make it imperative that banks such as Capital One routinely monitor for exploits and erattacks and regularly update their software and security procedures. Case Document 1 Filed 07/30/19 Page 10 of 49 PagelD# 10 36. Such exploits can go undetected for a long period of time, especially if industry best practices are not routinely used. 37. P11 is a valuable commodity. A ?cyber black market" exists in which criminals openly post stolen payment card numbers, social security numbers, and other personal, private information on multiple underground Internet websites. Pi] is valuable to identity thieves because they can use victims? personal data?including open new ?nancial accounts and take out loans in another person?s name, incur charges on existing accounts, or clone ATM, debit, and credit cards. 38. This is especially true for banks, given that the PH disclosed in this Data Breach was precisely the PH Capital One requested to process and, in some cases, approve consumers for credit cards and other banking products. 39. Legitimate organizations and the criminal underground alike recognize the value of PH contained in a data systems; otherwise, the latter would not aggressively seek or pay for it. For example, in ?one of 2013 ?s largest breaches . . . not only did hackers compromise the [card holder data] of three million customers, they also took registration data [containing ?'om 38 million users "14 40. Professionals tasked with trying to stop ?aud and other misuse know that PII have real monetary value in part because criminals continue their efforts to obtain this data.15 In other words, if any additional breach of sensitive data did not have incremental value to criminals, one 14 Verizon 2014 PCI Compliance Report, (hereafter ?2014 Verizon Report? at 54. i 15 Data Breaches Rise as Cybercriminals Continue to OutwirIT, CIO Magazine (October 2016), htt; cio.com/article/2686 .bgcriminals- Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 11 of 49 PagelD# 11 would expect to see a reduction in criminal efforts to obtain such additional data over time. However, just the Opposite has occurred. For example, the Identity Theft Resource Center reported 1,579 data breaches in 2017, which represents a 44.7 percent increase over the record high ?gures reported for 2016.16 41. The PII of consumers remains of high value to identity criminals, as evidenced by the prices criminals will pay through black-market sources, or what is often called the dark web. Numerous sources cite dark web pricing for stolen identity credentials. For example, a complete set of bank account credentials can fetch a thousand dollars or more (depending on the associated credit score or balance available to criminals)? Experian reports that a stolen credit or debit card number can sell for $5 to $110 on the dark web. 13 42. At all relevant times, Capital One knew, or reasonably should have known, of the importance of safeguarding PII, and of the foreseeable consequences that would occur if its data security system was breached, including, speci?cally, the signi?cant costs that would be imposed on its customers as a result of a breach. 43. Capital One was, or should have been, aware of the signi?cant volume of daily online credit applications, amounting to tens of thousands of daily interactions with consumers? P11, and thus, the signi?cant number of individuals who would be harmed by a breach of Capital One?s systems. ?5 201 7 Annual Data Breach Year-End Review, IDTheftCenter (2017), 17 Here ?3 How Much Thieves Make By Selling Your Personal Data Galina, Business Insider, 2015-5, May 27, 2015. 18 Here ?3 How Much Your Personal Information Is Selling ?ar on the Dark Web htt; our-1 wersonal-inf?nat?ns- sellingsfor?gnethe-dark?f. Case Document 1 Filed 07/30/19 Page 12 of 49 Page D# 12 44. Unfortunately, and as alleged below, despite all of this publicly available knowledge of the continued compromises of P11 in the hands of other third parties, such as banking institutions, retailers, and restaurant chains, Capital One?s approach to maintaining the privacy and security of Plaintiffs and Class members? PII was lackadaisical, cavalier, reckless, or at the very least, negligent. D. The Capital One Data Breach 45. On July 29, 2019, Capital One admitted to one of the largest data breaches in history, in which more than 100 million US consumers were affected.19 The Data Breach notice stated in relevant part: Capital One Announces Data Security Incident *Iltill MCLEAN, Va., July 29, 2019 fPRNewswire/ -- Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers. Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada. The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: a Customer status data, credit scores, credit limits, balances, payment 19 Breach Noti?cation, supra 11. 1. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 13 of 49 PagelD# 13 history, contact information - Fragments of transaction data ?om a total of 23 days during 2016, 2017 and 201 8. 0 About 140,000 Social Security numbers of our credit card customers About 80,000 linked bank account numbers of our secured credit card custOIners sea: We 1will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected. Safeguarding our customers' information is essential to our mission and our role as a ?nancial institution. We have invested heavily in cybersccun'ty and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses. For more information about this incident and what Capital One is doing to respond, visit In Canada, information can be found at and The investigation is ongoing and analysis is subject to change. As we learn more, we will update these websites to provide additional information. 2" 46. The Capital One Data Breach occurred because Capital One failed to secure the of approximately 100 million consumers in Capital One?s cloud-based repository and database.21 47. Capital One also reported that the Data Breach impacted consumers who applied for Capital One credit card products from 2005 through ?early 2019,? with information that included ?personal information Capital One routinely collects at the time it receives credit card 2"Capital One Announces Data Security Incident (?Security Incident?), Available at htt; . 21 Breach Noti?cation, supra 11.1. Case Document 1 Filed 07/30/19 Page 14 of 49 PagelD# 14 applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.?22 48. In addition to the aforementioned ?routine? collections, Capital One also admitted consumers? credit scores, credit limits, balances, payment histories, contact information, and ??agments of transaction data from a total of 23 days during 2016, 2017 and 2018393 49. Capital One ?irther admitted that ?about 140,000 Social Security numbers of [its] credit card customers? and ?about 80,000 linked bank account numbers of our secured credit card customers? were also disclosed in the Data Breach.24 50. At no point did Capital One offer any concrete assistance or offer to remunerate Plaintiff or the Class for its negligence. Despite acknowledging that the P11 was stolen by a malicious actor and placed on the Internet for anyone to access, download, and use, Capital One attempted to downplay the gravity of breach claiming it is unlikely that the information was used for ?-aud or disseminated by this individual?? 51. This PII was compromised due to Capital Ono?s acts and omissions and its failure to properly protect the PH, despite being aware of cybersecurity standards, industry best practices, and the vulnerability of ?nancial service institutions to attack. See e.g. Equifazt??5 52. In addition to its failure to prevent the Data Breach, Capital One also failed to detect the breach for at least three months?despite it being publicly represented on the pepular and often 22 Breach Noti?cation, supra n.1. 23 Breach Noti?cation, supra 11. l. 3? Breach Noti?cation, supra n.1. 25 Security Incident, supra n.20. 2? 2017 Cybersecurity Incident 3: Important Consumer Information. Available at gl?rwwe Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 15 of 49 PagelD# 15 traf?cked GitHub website.27 Intruders, therefore, had at least three months to access, collect, download, and make use of this information for ?'audulent and other malicious purposes. 53. During this time, Capital One failed to recognize its systems had been breached and that intruders were stealing the P11 of 100 million credit card applicants. Indeed, the breach was not even discovered as a result of Capital One?s diligence or their internal cyber security systems, but rather by a third party who ?sent a message to the company's responsible disclosure email address with a link to the GitHub page?? 54. While timely action by Capital One in identifying the Breach would likely have signi?cantly reduced the harmful consequences, instead, their inaction and negligence contributed to the scale of the Data Breach and the resulting damages to Plaintiff and Class members. E. Defendants? Privacy Policies and Agreements to Keep PII Con?dential 55. As a condition of credit, Capital One required applicants to provide them with certain personal information. In their ordinary course of business, Defendants maintained this personal information, including, but not limited to, names, addresses, dates of birth and Social Security numbers. 56. By obtaining, collecting, using, and deriving a bene?t ?om Plaintiff?s and the Class members? PII, Defendants assumed legal and equitable duties to those individuals. Defendants knew or should have known that they were responsible for protecting Plaintiffs and Class 27 CNET, Capital One data breach involves I 00 million credit card applications. Available at hi Oil-millginecredit?card: anglications/ (Thompson [the hacker] allegedly posted details about the hack on a Gitl-Iub page in April, and talked about the attack on Twitter and Slack discussions, according to the FBI. The page had been up since April 21, with the IP address for a speci?c server containing the company's sensitive data.) 2? Id. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 16 of 49 PagelD# 16 members? PII from disclosure. At all relevant times, Plaintiff and the Class members have taken reasonable steps to maintain the con?dentiality of their P11. 57. Plaintiff and the Class members, as credit card applicants, relied on Defendants to keep their PH con?dential and securely maintained, to use this infonnation for business purposes only, and to make only authorized, disclosures of this information. 58. In addition to their obligations under the law, Capital One independently and routinely promised to safeguard PII. Examples include: ?To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured ?les and buildings?? Capital One understands how important security and con?dentiality are to our customers, so we use the following security techniques, which comply with or even exileed federal regulatory requirements to protect information about At Capital One, we make your safety and security a top priority and are committed to protecting your personal and ?nancial information. If we collect identifying information ?om you, we will protect that information with controls based upon internationally recognized security standards, regulations, and industry-based best practices.31 F. Capital One Failed to Comply with Federal Requirements 59. The Federal Trade Commission has issued numerous guides for business highlighting the importance of reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.32 29 ht: 3? ht {pg/1W. 011/; ?rivacz .I/fnu 3' Istatrlnerlt 3?2 Federal Trade Commission, Start With Security, available at hti I :a Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 17 of 49 PagelD# 17 60. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established guidelines for fundamental data security principles and practices for business.33 The guidelines note businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; information stored on computer networks; understand their network?s vulnerabilities; and implement policies to correct security problems. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traf?c for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach. 61. The FTC recommends that companies not maintain PH longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the netwurk; and verify that third-party service providers have implemented reasonable security measures.34 62. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to con?dential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act 15 U.S.C. 45. Orders resulting ?'om these actions further clarify the measures businesses must take to meet their data security obligations. 33 Federal Trade Commission, Protecting Personal Infometion: A Guide for Business, available at information-pit: 34 FTC, Start With Security, supra note 32. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 18 of 49 Page D# 18 63. Capital One?s failure to employ reasonable and appropriate measures to protect against unauthorized access to con?dential consumer data PII) constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. 45. 64. In this case, Capital One was at all times ?illy aware of its obligation to protect the ?nancial data?including Pll?of Capital One?s applicants because of its existence a one of the United States? largest ?nancial institutions. Capital One was also aware of the signi?cant repercussions if it failed to do so because Capital One collected applicant data from millions of consumers (if not daily) and they knew that this data, if hacked, would result in injury to consumers, including Plaintiff and Class members. G. The Data Breach Caused Harm and Will Result in Additional Fraud 65. The rami?cations of Defendant?s failure to keep Patients? PII secure are long lasting and severe. Once P11 is stolen, fraudulent use of that information and damage to victims may continue for years. 66. Consumer victims of data breaches are more likely to become victims of identity ?'aud. This conclusion is based on an analysis of four years of data that correlated each year?s data breach victims with those who also reported being victims of identity ?aud.35 67. The FTC de?nes identity theft as ?a ?end committed or attempted using the identifying information of another person without authority?? The FTC describes ?identifying 35 2014 LexisNexis True Cost of Fraud Study, pdf. 36 17 C.F.R 248.201 (2013). Case Document 1 Filed 07/30/19 Page 19 of 49 Page D# 19 information? as ?any name or number that may be used, alone or in conjunction with any other information, to identify a speci?c person.?7 68. PH are valuable. commodities to identity thieves once the information has been compromised. As the FTC recognizes, once identity thieves have PII, ?they can drain your bank account, run up your credit cards, open new utility accounts, or get medical treatment on your health insurance.?38 69. Identity thieves can use PII, such as that of Plaintiff and Class members, which Capital One failed to keep secure, to perpetrate a variety of crimes that harm victims. For instance, identity thieves may commit various types of government fraud such as: immigration fraud; obtaining a driver?s license or identi?cation card in the victim?s name but with another?s picture; using the victim?s information to obtain government bene?ts; or ?ling a fraudulent tax return using the victim?s information to obtain a ?'audulent refund. 70. Analysis of a 2016 survey of 5,028 consumers found ?The quicker a ?nancial institution, credit card issuer, wireless carrier or other service provider is noti?ed that fraud has occurred on an account, the sooner these organizations can act to limit the damage. Early noti?cation can also help limit the liability of a victim in some cases, as well as allow more time for law enforcement to catch the fraudsters in the act.?39 71. As a result of Capital One?s delay in detecting and notifying consumers of the Data Breach, the risk of ?aud for Plaintiff and Class members has been driven even higher. 37 Id. 38 Federal Trade Commission, Warning Sigm of Identity The?, available at: 35' Identity Fraud Hits Record I?gh with 15.4 Militias U.S. Wetims' in 2016, Up 16 Percent According to New Javelin Strateg cf: Research Study, coin/43353- rel 3g -1 February I, 2017. Case Document 1 Filed 07/30/19 Page 20 of 49 PagelD# 20 72. Javelin Strategy and Research reports that identity thieves have stolen $112 billion in the six years preceding 2016.40 73. Moreover, reimbursing a consumer for a ?nancial loss due to hand does not make that individual Whole again. On the contrary, identity theft victims must spend numerous hours and their own money repairing the impact to their credit. After conducting a study, the Department of Justice?s Bureau of Justice Statistics found that identity theft victims ?reported spending an average of about 7 hours clearing up the issues? and resolving the consequences of fraud in 2014.41 74. An independent ?nancial services industry research study conducted for BillGuard?a private enterprise that automates the consumer task of ?nding unauthorized transactions that might otherwise go undetected?calculated the average per-consumer cost of all unauthorized transactions at roughly US $215 per cardholder incurring these charges,42 some portion of which could go undetected and thus must be paid entirely out-of-pocket by consumer victims of account or identity misuse. 75. As a direct and proximate result of Defendants? wrongful actions and inaction, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and fraud. The US. Department of Justice?s Bureau of Justice Statistics found that ?among victims who had personal information used for fraudulent 4" See 41 Victims of Identity Theft, 2014 (Sept. 2015) available at: 42 Hadley Maldom, Consumers Rack Up $14.3 Billion in Gray Charges, Research Study Commissioned For Biilguard By Aite Research, Use Today (July 25, 2013), available at: 1'11 i 1 aszf?wlkusatodaa .com/stolj; Imoneg/i >ersonal?nance/201 Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 21 of 49 Page D# 21 purposes, 29% spent a month or more resolving problems? and that ?Tesolving the problems caused by identity theft [could] take more than a year for some victims?? 76. The victims here?Plaintiff and the Class?are no di??erent, as they are faced with an arduous path to secure their P11 in response to Capital One?s negligence. Plaintiff and the Class must take at least the following steps to attempt to prevent further misuse of their PH: a. Review and monitor credit card statements for any unusual or unknown charges; b. Contact their ?nancial institution (which is not necessarily Capital One) to determine if there is any suspicious activity on their accounts; c. Change their account information; d. Place a ?aud alert on their credit bureau reports; e. Place a security freeze on their credit bureau reports; and f. Periodically monitor their credit bureau reports for any unusual activity and check for accuracy. 77. Additionally, there is commonly lag time between when harm occurs and when it is discovered and also between when P11 is stolen and when it is used. According to the U.S. Government Accountability Of?ce, which conducted a study regarding data breaches: [L]aw enforcement of?cials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm. 43 U.S. Department of Justice, Of?ce of Justice Programs Bureau of Justice Statistics, Victims of Identity Ihe?, 2012, December 2013 available at (last visited April 19,2019). Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 22 of 49 PagelD# 22 78. There is a very strong probability that those impacted by Capital One?s failure to secure their PH could be at risk of hand and identity theft for extended periods of time. 79. Thus, Plaintiff and Class members now face years of constant surveillance of their ?nancial and personal records, monitoring, and loss of rights. Plaintiff and the Class are incurring and will continue to incur such damages in addition to any fraudulent credit and debit card charges incurred by them and the resulting loss of use of their credit and access to funds, regardless of Whether such charges are ultimately reimbursed by banks and credit card companies. H. Plaintiff and Class Members Suffered Damages 80. The PII of Plaintiff and Class members are private and sensitive in nature and was left inadequately protected by Capital One. Capital One did not obtain Plaintiffs and Class members? consent to disclose their to any other person as required by applicable law and industry standards. 81. The Data Breach was a direct and proximate result of Capital One?s failure to properly safeguard and protect Plaintiffs and Class members? PII from unauthorized access, use, and disclosure, as required by various state and federal regulations, industry practices, and the law, including Capital One?s failure to establish and implement appropriate administrative, technical, and physical safeguards to ensure the security and con?dentiality of Plaintiffs and Class members? PH to protect against reasonably foreseeable threats to the security or integrity of such information. 82. Capital One had the resources to prevent a breach, but instead chose to put pro?t before consumers? privacy and protection of consumers? PH. 83. Had Capital One remedied the de?ciencies in its computer systems, followed federal and state guidelines, and adopted security measures recommended by experts in the ?eld, Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 23 of 49 Page D# 23 Capital One would have prevented intrusion into its computer systems and, ultimately, the theft of its consumers? con?dential PH. 84. As a result of Capital One?s wrongful actions, inaction, negligent security practices, and the resulting Data Breach, Plaintiff and Class members have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and family in an effort to mitigate the actual and potential impact of the Data Breach on their lives including, inter alia, by placing ?freezes? and ?alerts? with credit reporting agencies, contacting their ?nancial institutions, closing or modifying ?nancial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized activity, and ?ling police reports. This time has been lost forever and cannot be recaptured. 85. Capital One?s wrong?il actions and inaction directly and proximately caused the theft and dissemination into the public domain of Plaintiffs and Class members? PII, causing them to suffer, and continue to suffer, economic damages and other actual harm for which they are entitled to compensation, including: a. theft of their personal and ?nancial information; b. unauthorized charges on their debit and credit card accounts; c. the imminent and certainly impending injury ?owing from potential fraud and identity theft posed by their personal information being placed in the hands of criminals and misused via the sale of Plaintiffs and Class members? information on the Internet?s black market; (1. the untimely and inadequate noti?cation of the Data Breach; e. the improper disclosure of their Case Document 1 Filed 07/30/19 Page 24 of 49 Page D# 24 f. loss of privacy; g. money paid to, and purchasing products Capital One?s business during the Data Breach paying interest on credit cards, paying minimum balance fees, and other banking fees), expenditures which Plaintiff and Class members would not have made with Capital One had Capital One disclosed that it lacked computer systems and data security practices adequate to safeguard consumers? PII from theft; h. ascertainable losses in the form of out?of?pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach; i. ascertainable losses in the form of deprivation of the value of their PII, for which there is a well-established national and international market; j. loss of use of, and access to, their account ?uids and costs associated with the inability to obtain money from their accounts or being limited in the amount of money they were permitted to obtain ?om their accounts, including missed payments on bills and loans, late charges and fees, and adverse effects on their credit including adverse credit notations; and, k. the loss of productivity and value of their time spent to address, attempt to ameliorate, mitigate, and deal with the actual and ?lters consequences of the Data Breach, including ?nding ?'audulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft protection services, imposition of withdrawal and purchase limits on compromised accounts, and the inconvenience, nuisance and annoyance of dealing with all such issues resulting from the Data Breach. Case Document 1 Filed 07/30/19 Page 25 of 49 PagelD# 25 86. While Plaintiffs and Class members? PII have been stolen, Capital One continues to hold PII of consumers, including Plaintiffs and Class members? PII. Particularly because Capital One has demonstrated an inability to prevent a breach, Plaintiff and Class members have an undeniable interest in ensuring that their P11 is secure, remains secure, is properly and destroyed, and is not subject to further the?. ACTION ALLEGATIONS 87. Plaintiff brings this action on behalf of themselves and as a class action under Federal Rules of Civil Procedure 23(a), and seeking damages and equitable relief on behalf of the following nationwide Class for which Plaintiff seeks certi?cation: All persons residing in the United States who applied for Capital One credit card products from 2005 through 2019 and whose PII was disclosed to unauthorized third parties (the ?Nationwide Class?). 88. Additionally, Plaintiff brings this action on behalf of a state sub class action seeking damages and equitable relief on behalf of the following All persons residing in the State of Ohio who applied for Capital One credit card products from 2005 through 2019 and whose PII was disclosed to unauthorized third parties (the ?Ohio Sub Class?). 89. Excluded from the Classes are Capital One; any parent, af?liate, or subsidiary of Capital One; any entity in which Capital One has a controlling interest; any of Capital One?s of?cers or directors; or any successor or assign of Capital One. Also excluded are any Judge or court personnel assigned to this case and members of their immediate families. 90. Plaintiff hereby reserves the right to amend or modify the class de?nitions with greater speci?city or division after having had an opportunity to conduct discovery. Case Document 1 Filed 07/30/19 Page 26 of 49 PagelD# 26 91. Numerosity. Fed. R. Civ. P. Consistent with Rule the Classes are so numerous that joinder of all members is impracticable. While Plaintiff does not know the exact number of the members of the Classes, Plaintiff believes the Nationwide Class contains approximately 100 million people. Class members may be identi?ed through objective means. Class members may be noti?ed of the pendency of this action by recognized, Court-approved notice dissemination methods, which may include US. mail, electronic mail, intet'net postings, social media, and/or published notice. 92. Communality. Fed. R. Civ. P. 23(a)(2) and Consistent with Rule 23(a)(2) and with predominance requirements, this action involves common questions of law and fact exist as to all members of the Classes, and predominate over any questions affecting individual members of the Classes. Such questions of law and fact common to the Classes include, but are not limited to: a. Whether Capital One had a legal duty to implement and maintain reasonable and adequate security procedures and practices for the protection of information it collected and stored from consumers who applied for Capital One credit card products; b. Whether Capital One had a duty to adequately protect c. Whether and when Capital One knew or should have known of the susceptibility of its computer systems to a data breach; d. Whether Capital One?s security measures to protect its computer systems were reasonable in light of the FTC data security recommendations and best practices recommended by data security experts; 6. Whether Capital One engaged in the wrongful conduct alleged herein; Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 27 of 49 PagelD# 27 93. Whether Capital One was negligent in failing to implement reasonable and adequate security procedures and practices to protect the information it collected and stored from consumers who applied for Capital One credit card products; Whether Capital One?s failure to implement adequate data security measures resulted in or was the proximate cause of the Data Breach; Whether Capital One?s conduct, practices, actions, and/or omissions constituted unfair or deceptive trade practices; Whether Capital One?s conduct, including its failure to act, resulted in or was the proximate cause of the breach of its computer systems, resulting in the loss of the PH belonging to Plaintiff and Class members; Whether Plaintiff and Class members were injured and suffered damages or other losses because of Capital One?s failure to reasonably protect its computer systems and data network; and Whether Plaintiff and Class members are entitled to relief, including equitable relief. Typicality. Fed. R. Civ. P. Consistent with rule Plaintiff?s claims are typical of the claims of the members of the Classes. Plaintiff is a consumer who provided PII to in order to apply for Capital One credit card products and had their PII compromised as a result of the Data Breach. Plaintiff?s damages and injuries are akin to other Class members, and Plaintiff seeks relief consistent with the relief of the Class members. 94. Adequacy. Fed. R. Civ. P. Consistent with Rule Plaintiff is an adequate representative of the Classes because Plaintiff is a member of the respective Classes and is committed to pursuing this matter against Capital One to obtain relief for the Classes. Plaintiff Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 28 of 49 PagelD# 28 has no con?icts of interest with ei?ier Class members. Plaintiff?s Counsel are competent and experienced in litigating class actions, including privacy litigation. Plaintiff intends to vigorously prosecute this case and will fairly and adequately protect the Classes? interests. Plaintiff?s claims arise out of the same common course of conduct giving rise to the claims of the other members of the Classes. Plaintiff?s interests are coincident with, and not antagonistic to, those of the other members of the Classes. 95. Superiority. Fed. R. Civ. P. Consistent with Rule 23 a class action is superior to any other available means for the fair and ef?cient adjudication of this controversy, and no unusual dif?culties are likely to be encountered in the management of this class action. The quintessential purpose of the class action mechanism is to permit litigation against wrongdoers even when damages to individual plaintiff may not be suf?cient to justify individual litigation. Here, the damages suffered by Plaintiff and the Classes are relatively small compared to the burden and expense required to individually litigate their claims against Capital One, and thus, individual litigation to redress Capital One?s wrongful conduct would be impracticable. Individual litigation by each Class member would also strain the court system. Individual litigation creates the potential for inconsistent or contradictory judgments and increases the delay and expense to all parties and the court system. By contrast, the class action device presents far fewer management dif?culties and provides the bene?ts of a single adjudication, economies of scale, and comprehensive supervision by a single court. 96. Injunctive and Declaratory Relief. Class certi?cation is also appropriate under Rule 23 and Capital One, through its uniform conduct, acted or refused to act on grounds generally applicable to the Classes as a whole, making injunctive and declaratory relief appropriate to the Classes as a whole. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 29 of 49 PagelD# 29 97. Likewise, particular issues under Rule 23(c)(4) are appropriate for certi?cation because such claims present only particular, common issues, the resolution of which would advance the disposition of this matter and the parties? interests therein. Such particular issues are set forth in Paragraphs above. 98. Finally, all members of the proposed Classes are readily ascertainable. Capital One has access to information regarding the applications from consumers for the span of time from 2005 through 2019 and the consumers a?ected by the Data Breach. Using this information, Class members can be identi?ed and their contact information ascertained for the purpose of providing notice to the Classes. FIRST, CLAINI FOR RELIEF Breach of Implied Contract (On behalf of all Classes) 99. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. 100. Capital One solicited and invited Plaintiff and Class members to apply for credit card products by providing their P11. Plaintiff and Class members accepted Capital One?s o?'ers and provided their PH to Capital One to apply for Capital One credit card products. 101. When Plaintiff and Class members applied Capital One credit card products, they provided their PII to Capital One. In so doing, Plaintiff and Class members on the one hand, and Capital One on the other, entered into mutually agreed-upon implied contracts pursuant to which Plaintiff and Class members agreed that their PII was valid, while Capital One agreed that it would use Plaintiffs and Class members? P11 in its possession for only the agreed-upon purpose of processing the credit card product application, and no other purpose. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 30 of 49 PagelD# 30 102. Implicit in the agreement to use the P11 in its possession for only the agreed?upon application and no other purpose was the obligation that Capital One would use reasonable measures to safeguard and protect the PH of Plaintiff and Class members in its possession. 103. By accepting PII for credit card product applications, Capital One assented to and con?rmed its agreement to reasonably safeguard and protect Plaintiffs and Class members? PII from unauthorized disclosure or uses and to timely and accurately notify Plaintiff and Class members if their data had been breached and/or compromised. 104. Plaintiff and Class members would not have provided and entrusted their P11 to Capital One to apply for the Capital One credit card products in the absence of the implied contract between them and Capital One. 105. Plaintiff and Class members fully performed their obligations under the implied contracts with Capital One. 106. Capital One breached the implied contracts it made with Plaintiff and Class members by failing to safeguard and protect Plaintiffs and Class members? PII, and by failing to provide timely and accurate notice to them that their PII was compromised as a result of the Data Breach. 107. Capital One breached the implied contracts it made with Plaintiff and Class members by failing to ensure that Plaintiff?s and Class members? P11 in its possession was used only for the agreed-upon application veri?cation and no o?ier purpose. 108. Plaintiff and Class members conferred a monetary bene?t on Capital One which has accepted or retained that bene?t. Speci?cally, the credit card products typically carry annual fees and other charges interest) for use. In exchange, Plaintiff and Class members should Case 1:19?cv?00979 Document 1 Filed 07/30/19 Page 31 of 49 PagelD# 31 have received the services that were the subject of the transaction and should have been entitled to have Capital One protect their PII with adequate data security measures. 109. Capital One failed to secure Plaintiffs and Class members? PII and, therefore, did not provide full compensation for the bene?t Plaintiff and Class members provided. 110. Capital One acquired the PI1 through inequitable means when it failed to disclose the inadequate security practices previously alleged. 111. If Plaintiff and Class members had known that Capital One would employ inadequate security measures to safeguard PII, they would not have applied for the Capital One credit card products. 1 12. As a direct and proximate result of Capital One?s breaches of the implied contracts between Capital One on the one hand, and Plaintiff and Class members on the other, Plaintiff and Class members sustained actual losses and damages as described in detail above. 113. Plaintiff and Class members were harmed as the result of Capital One?s breach of the implied contracts because their PII was compromised, placing them at a greater risk of identity theft and subjecting them to identity theft, and their PII was disclosed to third parties without their consent. Plaintiff and Class members also suffered diminution in value of their P11 in that it is now easily available to hackers on the dark web. Plaintiff and the Class have also suffered consequential out-of-pocket losses for procuring credit freeze or protection services, identity theft monitoring, late fees, bank fees, and other expenses relating to identity ?ieft losses or protective measures. The Class members are ?irther damaged as their PH remains in the hands of those who obtained it without their consent. 114. This breach of implied contracts was a direct and legal cause of the injuries and damages to Plaintiff and Class members as described above. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 32 of 49 PagelD# 32 SECOND CLAIM FOR RELIEF Negligence (On behalf of all Clases) 115. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. 1 16. Capital One solicited and took possession ofPlaintifPs and the Class members? PII, and Capital One had a duty to exercise reasonable care in securing that information ?rom unauthorized access or disclosure. Capital One further had a duty to destroy Plaintiff?s and Class members? PII within an appropriate amount of time after it was no longer required by Capital One, in order to mitigate the risk of such non-essential P11 being compromised in a data breach. 117. Upon accepting and storing Plaintiffs and Class members? P11 in its computer systems and on its networks, Capital One undertook and owed a duty of care to Plaintiff and Class members to exercise reasonable care to secure and safeguard Plaintiff?s and Class members? PII and to use commercially-reasonable methods to do so. Capital One knew that the P11 was private and con?dential, and should be protected as private and con?dential. 118. Capital One owed a duty of care not to subject Plaintiff and Class members, along with their PH, to an unreasonable risk of harm because they were foreseeable and probable victims of any inadequate security practices. 119. Capital One owed a duty of care to Plaintiff and Class members to quickly detect a data breach and to timely act on warnings about data breaches. 120. Capital One?s duties arose ?'om its relationship to Plaintiff and Class members and from industry custom. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 33 of 49 Page D# 33 121. Capital One, through its actions and/or failures to act, unlawfully breached duties to Plaintiff and Class members by failing to implement standard industry protocols and to exercise reasonable care to secure and keep private the P11 entrusted to it. 122. Capital One, through its actions and/or failures to act, allowed unmonitored and unrestricted access to unsecured P11. 123. Capital One, through its actions and/or failures to act, failed to provide adequate supervision and oversight of the PH with which it was entrusted, despite knowing the risk and foreseeable likelihood of a breach and misuse, which permitted unknown third parties to gather Plaintiff?s and Class members? PII, misuse that PII, and intentionally disclose it to unauthorized third parties without consent. 124. Capital One knew, or should have known, the risks inherent in collecting and storing PII, the importance of adequate security and the well-publicized data breaches within the ?nancial services industry. 125. Capital One knew, or should have known, that its data systems and networks did not adequately safeguard Plaintiffs and Class members? P11. 126. Due to Capital One?s knowledge that a breach of its systems would damage millions of its customers, including Plaintiff and Class members, Capital One had a duty to adequately protect its data systems and the P11 contained thereon. 127. Capital One had a special relationship with Plaintiff and Class members. Plaintiffs and Class members? willingness to entrust Capital One with their was predicated on the understanding that Capital One would take adequate security precautions to safeguard that information. Moreover, only Capital One had the ability to protect its systems and the PH stored on those systems ?om attack. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 34 of 49 PageID# 34 128. Capital One?s own conduct also created a foreseeable risk of harm to Plaintiff and Class members and their PII. Capital One?s misconduct included failing to: (1) secure its computer systems, despite knowing their vulnerabilities; (2) comply with industry standard security practices; (3) implement adequate system and event monitoring; and (4) implement the systems, policies, and procedures necessary to prevent this type of data breach. 129. Capital One also had independent duties under federal laws that required Capital One to reasonably safeguard Plaintiffs and Class members? PII, and notify them about the Data Breach. 130. Capital One breached its duties to Plaintiff and Class members in numerous ways, including: a. by failing to provide fair, reasonable, or adequate computer systems and data security practices to safeguard Plaintiffs and Class members? Customer Data; b. by creating a foreseeable risk of harm through the misconduct previously described; c. by failing to implement adequate security systems, protocols, and practices suf?cient to protect Plaintiffs and Class members? PII before and after learning of the Data Breach; d. by failing to comply with industry standard data security standards during the period of the Data Breach; and e. by failing to timely and accurately disclose that Plaintiffs and Class members? PII had been improperly acquired or accessed. 131. Through Capital One?s acts and omissions described in this Complaint, including Capital One?s failure to provide adequate security and its failure to protect Plaintiffs and Class members? PII ?om being foreseeably captured, accessed, disseminated, stolen, and misused, Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 35 of 49 PagelD# 35 Capital One breached its duty to use reasonable care to adequately protect and secure Plaintiffs and Class members? PII while it was within Capital One?s possession or control. 132. The law further imposes an af?rmative duty on Capital One to timely disclose the unauthorized access and theft of Plaintiffs and Class members? PII, so that Plaintiff and Class members can take appropriate measures to mitigate damages, protect against adverse consequences, and thwart future misuse of their PH. 133. Capital One breached its duty to notify Plaintiff and Class Members of the unauthorized access to their PH by waiting to notify Plaintiff and Class mbers, and then by failing to provide Plaintiff and Class members suf?cient information regarding the breach. 134. Through Capital One?s acts and omissions described in this Complaint, including Capital One?s failure to provide adequate security and its failure to protect Plaintiffs and Class members? PII ?'om being foreseeany captured, accessed, disseminated, stolen, and misused, Capital One unlawfully breached its duty to use reasonable care to adequately protect and secure Plaintiff?s and Class members? PII while it was within Capital Ono?s possession or control. 135. Further, through its failure to provide timely and clear noti?cation of the Data Breach to consumers, Capital One prevented Plaintiff and Class members ?'om taking meaningful, proactive steps to secure their ?nancial data and bank accounts. 136. Upon information and belief, Capital One improperly and inadequately safeguarded Plaintiff?s and Class members? PH in deviation of standard industry rules, regulations, and practices at the time of the unauthorized access. Capital One?s failure to take proper security measures to protect sensitive P11 as described in this Complaint, created conditions conducive to a foreseeable, intentional criminal act, namely the unauthorized access of Plaintiffs and Class members? PII. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 36 of 49 PageID# 36 137. Capital One?s conduct was grossly negligent and departed from all reasonable standards of care, including, but not limited to: failing to adequately protect the failing to conduct regular security audits; failing to provide adequate and appropriate supervision of persons having access to Plaintiffs and Class members? and failing to provide Plaintiff and Class members with timely and suf?cth notice that their sensitive PII had been compromised. 138. Neither Plaintiff nor the other Class members contributed to the Data Breach and subsequent misuse of their PII as described in this Complaint 139. Capital One?s failure to exercise reasonable care in safeguarding PII by adopting appropriate security measures, including preper storage techniques, was the direct and proximate cause of Plaintiff and Class members? PII being accessed and stolen through the data breach. 140. Capital One breached its duties to Plaintiff and Class members by failing to provide fair, reasonable, and adequate computer systems and data security practices to safeguard Plaintiffs and Class members? PH. 141. As a result of Capital One?s breach of duties, Plaintiff and the Class suffered damages including, but not limited to: damages from lost time and effort to mitigate the actual and potential impact of the Data Breach on their lives including, inter alia, by placing ??eezes? and ?alerts? with credit reporting agencies, contacting their ?nancial institutions, closing or modifying ?nancial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized activity, and ?ling police reports, and damages from identity theft, which may take months if not years to discover and detect, given the far?reaching, adverse and detrimental consequences of identity theft and loss of privacy. The nature of other forms of economic damage Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 37 of 49 Page D# 37 and injury may take years to detect, and the potential scope can only be assessed after a thorough investigation of the facts and events surrounding the theft mentioned above. THIRD CLAIM FOR RELIEF Negligence Per Se (On behalf of all Classes) 142. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. 143. Section 5 of the FTC Act prohibits ?unfair . . . practices in or a??ecting commerce,? including, as interpreted and enforced by the FTC, the unfair act or practice by businesses, such as Capital One, of failing to use reasonable measures to protect PII. The FTC publications and orders described above also form part of the basis of Capital One?s duty in this regard. 144. Capital One violated Section 5 of the FTC Act by failing to use reasonable measures to protect PII, and not complying with applicable industry standards, as described in detail herein. Capital One?s conduct was particularly unreasonable given the nature and amount of PH it obtained and stored, and the foreseeable consequences of a data breach including, speci?cally, the immense damages that would result to Plaintiff and Class members. 145. Capital One?s violation of Section 5 of the FTC Act constitutes negligence per as. 146. Plaintiff and Class members are within the class of persons that the FTC Act was intended to protect. 147. The harm that occurred as a result of the Data Breach is the type of harm the FTC Act was intended to guard against. The FTC has pursued enforcement actions against businesses, which, as a result of their failure to employ reasonable data security measures and avoid unfair and deceptive practices, caused the same harm as that suffered by Plaintiff and the Class. 148. As a direct and proximate result of Capital Ono?s negligence per se, Plaintiff and the Class have suffered, and continue to suffer, injuries and damages arising from identity theft; Case 1:19?cv?00979 Document 1 Filed 07/30/19 Page 38 of 49 Page D# 38 damages ??om lost time and effort to mitigate the actual and potential impact of the Data Breach on their lives, including, inter alia, by placing ??eezes? and ?alerts? with credit reporting agencies, contacting their ?nancial institutions, closing or modifying ?nancial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized activity, and ?ling police reports, and damages from identity theft, which may take months if not years to dis cover and detect, given the far-reaching, adverse and detrimental consequences of identity the? and loss of privacy. 149. Additionally, as a direct and proximate result of Capital One?s negligence per se, Plaintiff and Class members have suffered and will suffer the continued risks of exposure of their PII, which remain in Capital One?s possession and is subject to Mar unauthorized disclosures so long as Capital One fails to undertake appropriate and adequate measures to protect the P11 in its continued possession. FOURTH CLAIM FOR Unjust Enrichment (On behalf of all Classes) 150. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. 15]. Plaintiff and members of the Class conferred a monetary bene?t on Capital One. Speci?cally, they provided and entrusted their PII to Capital One. 152. In exchange, Plaintiff and Class members should have been entitled to have Capital One protect their PII with adequate data security. 153. Capital One appreciated, accepted, and retained the bene?t bestowed upon it under inequitable and unjust circumstances arising from Capital One?s conduct toward Plaintiff and Class Members as described herein; Plaintiff and Class members conferred a bene?t on Capital Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 39 of 49 Page D# 39 One and accepted or retained that bene?t. Capital One used Plaintiffs and Class members? PII for business purposes. 154. Capital One failed to secure Plaintiffs and Class members? PII and, therefore, did not provide full compensation for the bene?t Plaintiff and Class members provided. 155. Capital One acquired the P11 through inequitable means in that it failed to disclose the inadequate security practices previously alleged, as well as failing to destroy or otherwise purge the PH ?om its computer systems after Capital One no longer had a legitimate business purpose to maintain that P11. 156. If Plaintiff and Class members knew that Capital One would not secure their PII using adequate security, they would not have applied for Capital One credit card products. 157. Plaintiff and Class members have no adequate remedy at law. 158. Under the circumstances, it would be unjust for Capital One to be permitted to retain any of the bene?ts that Plaintiff and Class members conferred on it. 159. Under the principles of equity and good conscience, Capital One should not be permitted to retain the P11 belonging to Plaintiff and Class members because Capital One failed to implement the data management and security measures that industry standards mandate. 160. Capital One should be compelled to disgorge into a common fund or constructive trust, for the bene?t of Plaintiff and Class members, proceeds that it unjustly received from them. In the alternative, Capital One should be compelled to re?tnd the amounts that Plaintiff and Class members overpaid for security they did not receive. FIFTH CLAIM FOR RELIEF Breach of Con?dence (On behalf of all Classes) Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 40 of 49 PagelD# 40 16]. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. 162. At all times during Plaintiff?s and Class Members? interactions with Defendants, Capital One was ?Jlly aware of the con?dential and sensitive nature of Plaintiffs and Class Members? PII that was provided to them. 163. As alleged herein and above, Capital One?s relationship with Plaintiff and Class Members was governed by expectations that Plaintiff?s and Class Members? PII would be collected, stored, and protected in con?dence, and would not be disclosed to unauthorized third parties. 164. Plaintiff and Class Members provided their respective PH to Capital One with the explicit and implicit understandings that Capital One would protect and not permit the to be disseminated to any unauthorized parties. 165. Plaintiff and Class Members also provided their respective PII to Capital One with the explicit and implicit understanding that Capital One would take precautions to protect that PII from unauthorized disclosure, such as following basic principles of information security practices. 166. Capital One voluntarily received in con?dence Plaintiffs and Class Members? PII with the understanding that the PH would not be disclosed or disseminated to the public or any unauthorized third parties. 167. Due to Capital One?s failure to prevent, detect, and avoid the Data Breach from occurring by, inter alia, failing to follow best information security practices to secure Plaintiff?s and Class Members? PII, Plaintist and Class Members? was disclosed and misappropriated to Unauthorized third parties in breach of Plaintiffs and Class Members? con?dence, and without their express permission. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 41? of 49 PagelD# 41 168. As a direct and proximate cause of Capital One?s actions and/or omissions, Plaintiff and Class Members have suffered damages. 169. But for Capital One?s disclosure of Plaintiff" and Class Members? PH in violation of the parties? understanding of con?dence, their PII would not have been compromised, stolen, viewed, accessed, and used by unauthorized third parties. Capital One?s Data Breach was the direct and legal cause of the theft of Plaintiffs and Class Members? PII, as well as the resulting damages. 170. The injury and harm Plaintiff and Class Members suffered was the reasonably foreseeable result of Capital One?s unauthorized disclosure of Plaintiffs and Class Members? PII. Capital One knew its computer systems and technologies for accepting and securing Plaintiffs and Class Members? PII had numerous security vulnerabilities because Capital One failed to observe industry standard information security practices. 171. As a direct and proximate result of Capital One?s breaches of con?dence, Plaintiff and the Class have suffered, and continue to suffer, injuries and damages arising fi'om identity the?; damages ?'om lost time and effort to mitigate the actual and potential impact of the Data Breach on their lives, including, inter site, by placing ?freezes? and ?alerts? with credit reporting agencies, contacting their ?nancial institutions, closing or modifying ?nancial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized activity, and ?ling police reports, and damages ?om identity theft, which may take menths if not years to discover and detect, given the far-reaching, adverse and detrimental consequences of identity theft and loss of privacy 172. As a direct and proximate result of Capital One?s breaches of con?dence, Plaintiff and Class Members have suffered and will continue to incur injury and suffer economic and non- economic losses. Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 42 of 49 PagelD# 42 Invasion of Privacy (On behalf of all Classes) 173. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. 174. Plaintiff and Class members had a legitimate expectation of privacy to their PII and were entitled to the protection of this information against disclosure to unauthorized third parties. 175. Capital One owed a duty to its credit product applicant, including Plainti?' and Class members, to keep their PII con?dential. 176. Defendants failed to protect and released to unknown and unauthorized third parties? databases containing the PH of Plainti?' and Class members. 177. Defendants allowed unauthorized and unknown third parties access to and examination of the P11 of Plaintiff and Class members, by way of Defendants? failure to protect the P11 in the databases. 178. The unauthorized release to, custody of, and examination by unauthorized third parties of the P11 of Plaintiff and Class members, especially where the information includes Social Security numbers and dates of birth, is highly o??ensive to a reasonable person. 179. The intrusion was into a place or thing, which was private and is entitled to be private. Plaintiff and Class members disclosed their PII to Defendants as part of their use of Defendants? services, but privately with an intention that the PH would be kept con?dential and would be protected from unauthorized disclosure. Plaintiff and Class members were reasonable in their belief that such information would be kept private and would not be disclosed without their authorization. Case Document 1 Filed 07/30/19 Page 43 of 49 PagelD# 43 180. The Data Breach at the hands of Defendants constitutes an intentional interference with Plaintiff and Class members? interest in solitude or seclusion, either as to their persons or as to their private affairs or concerns, of a kind that would be highly o??ensive to a reasonable person. 181. Capital One acted with a knowing state of mind when it permitted the Data Breach because it had aetual knowledge that its information security practices were inadequate and insuf?cient. 182. As a proximate result of the above acts and omissions of Defendants, the PH of Plaintiff and Class members was disclosed to third parties without authorization, causing Plaintiff and Class members to suffer damages. 183. Unless and until enjoined, and restrained by order of this Court, Defendants? wrong?rl conduct will continue to cause great and irreparable injury to Plaintiff and Class members in that the PH maintained by Defendants can be viewed, distributed, and used by unauthorized persons. Plaintiff and Class members have no adequate remedy at law for the injuries in that a judgment for monetary damages will not end the invasion of privacy for Plaintiff and the Class. SEVENTH CLAIM Ohio Consumer Sales Practices Act Ohio Rev. Code 1345.01, et seq. (On Behalf of the Ohio Subclass) 184. Plaintiff DuWayne Baird for purposes of this Count), individually and on behalf of the other Ohio Subclass Members, restates and reallege paragraphs 1 through 98 as if fully set forth herein Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 44 of 49 PagelD# 44 185. Capital One operating in Ohio engaged in unfair and deceptive acts and practices in connection with a consumer transaction, in violation of Ohio Rev. Code 1345.01 (A) and (B), including but not limited to the following: i. ii. iv. Failing to enact adequate privacy and security measures to protect the Ohio Subclass Members? Personal Information from unauthorized disclosure, release, data breaches, and theft, which was a direct and proximate cause of the Capital One Data Breach; Failing to take proper action following known security risks and prior cybersecurity incidents, which was a direct and proximate cause of the Capital One Data Breach; Knowingly and ?'audulently misrepresenting that it would maintain adequate data privacy and security practices and procedures to safeguard the Ohio Subclass Members? Personal Information ??om unauthorized disclosure, release, data breaches, and theft; Omitting, suppressing, and concealing the material fact of the inadequacy of its privacy and security protections for the Ohio Subclass Members? Personal Information; Knowingly and ?'audulently misrepresenting that it would comply wi?1 the requirements of relevant federal and state laws pertaining to the privacy and security of the Ohio Subclass Members? Personal Information; Failing to maintain the privacy and security of the Ohio Subclass Members? Personal Information, in violation of duties imposed by applicable federal and state laws, including but not limited to those mentioned in the aforementioned paragraph, directly and proximately causing the Capital One Data Breach; and Case Document 1 Filed 07/30/19 Page 45 of 49 PagelD# 45 vii. Failing to disclose the Capital One Data Breach to the Ohio Subclass Members in a timely and accurate manner, in violation of the duties imposed by Ohio Rev. Code 186. As a direct and proximate result of Capital One?s practices, the Ohio Subclass Members suffered injury andfor damages, including but not limited to time and expenses related to monitoring their ?nancial accounts for fraudulent activity, an increased, imminent risk of fraud and identity theft, and loss of value of their Personal Information. 187. The above unfair and deceptive acts and practices by Capital One were immoral, unethical, oppressive, and unscrupulous. These acts caused substantial injury to the Ohio Subclass Members that they could not reasonably avoid; this substantial injury outweighed any bene?ts to consumers or to competition. 188. Capital One knew or should have known that its computer systems and data security practices were inadequate to safeguard the Ohio Subclass Members? Personal Information and that risk of a data breach or theft was high. Capital One?s actions in engaging in the above-named unfair practices and deceptive acts were negligent, knowing and willful. 189. Pursuant to Ohio Rev. Code 1345.09, Plaintiff and the Ohio Subclass Members seek an order enjoining Capital One?s unfair and/or deceptive acts or practices, actual damages trebled (to be proven at the time of trial), attorneys? fees and costs, and any other just and proper relief, to the extent available under the Ohio Consumer Sales Practices Act, Ohio Rev. Code 1345.01, et seq. EIGHT VCLAJM .FORRELIEF. Declaratory Judgment (On behalf of Classes) 190. Plaintiff restates and realleges paragraphs 1 through 98 as if fully set forth herein. Case Document 1 Filed 07/30/19 Page 46 of 49 PagelD# 46 191. As previously alleged, Plaintiff and Class members entered into an implied contract that required Capital One to provide adequate security for the PH it collected from their applicatirms for Capital One credit card products. As previously alleged, Capital One owes duties of care to Plaintiff and Class members that require it to adequately secure P11. 192. Capital One still possesses PII pertaining to Plaintiff and Class members. 193. Capital One has not announced or otherwise noti?ed Plaintiff and Class members that their PII are suf?ciently protected or, more importantly, expunged from Capital One?s servers so as to prevent any further breaches or compromises. 194. Indeed, Capital One has stated that PII from Capital One credit card product applications submitted as far back as 2005 is subject to the Data Breach. 195. Accordingly, Capital One has not satis?ed its contractual obligations and legal duties to Plaintiff and Class members. In fact, now that Capital One?s lax approach towards data security has become public, the P11 in its possession is more vulnerable than before. 196. Actual harm has arisen in the wake of the Data Breach regarding Capital One?s contractual obligations and dutiesof care to provide data security measures to Plaintiff and Class members. 197. Plaintiff, therefore, seeks a declaration that: Capital One?s existing data security measures do not comply with its contractual obligations and duties of care; and in order to comply with its contractual obligations and duties of care, Capital One must implement and maintain reasonable security measures, including, but not limited to: i. engaging third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Capital One?s systems on a periodic basis, and ordering Capital One to Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 47 of 49 PagelD# 47 ii. iv. vii. correct any problems or issues detected by such third-party security auditors; engaging third-party security auditors and intemal personnel to run automated security monitoring; auditing, testing, and training its security personnel regarding any new or modi?ed procedures; segmenting customer data by, among other things, creating ?rewalls and access controls so that if one area of Capital One is compromised, hackers cannot gain access to other portions of Capital One?s systems; purging, deleting, and destroying PII not necessary for its provisions of services in a reasonably secure manner; conducting regular database scans and security checks; routinely and continually conducting intemal training and education to inform internal security personnel how to identify and contain a breach when it occurs and what to do in response to a breach; and educating its customers about the threats they face as a result of the loss of their ?nancial and personal information to third parties, as well as the steps Capital One?s customers should take to protect themselves. PRAYER FOR RELIEF WHEREFORE, Plaintiff, on behalf of himself and the Classes, respectfully seeks ?om the Court the following relief: a. Certi?cation of the Classes as requested herein; Case 1:19-cv-00979 Document 1 Filed 07/30/19 Page 48 of 49 PagelD# 48 b. Appointment of Plaintiff as Class representative and his undersigned counsel as Class counsel; 0. Award Plaintiff and members of the proposed Class damages; d. Award Plaintiff and members of the proposed Class equitable, injunctive and declaratory relief, including the enjoining of Capital One?s insuf?cient data protection practices at issue herein and Capital One?s continuation of its unlaw?il business practices as alleged herein; 6. An order declaring that Capital One?s acts and practices with respect to the safekeeping of PH are negligent; f. Award Plaintiff and members of the proposed Class pie-judgment and post? judgment interest as permitted by law; g. Award Plaintiff and members of the proposed Class reasonable attorney fees and costs of suit, including expert witness fees; and h. Award Plaintiff and members of ?re proposed Class any further relief the Court deems proper. Dated: July 30, 2019 Respectfully submitted, MURPHY, FALCON MURPHY fS/ . .. .7 a John G. (Virginia Bar No. 36878) Attorney for Plainti? One South Street, 23rd Floor Baltimore, MD 21202 Telephone: (410) 951-8744 Fax: (410) 53 9-6599 Case Document 1 Filed 07/30/19 Page 49 of 49 PagelD# 49 Is! MORGAN MORGAN COMPLEX LITIGATION GROUP John A. Yanchunis (Florida Bar No. 324681) Ryan J. McGee (Florida Bar No. 64957) Patrick A. Barthle (Florida Bar No.99286) Attorneys for Plaintiff" *pro hac vice applications pending 201 N. Franklin Street, 7th Floor Tampa, Florida 33602 Telephone: (813) 223-5505 Facsimile: (813) 223-5402 Yanehunis'tiiForThePeopleeom RMcGeel?lForThePeoDleeom PBarthlefcilForTheP?pleeory Plaintiff, on behalf of himself and the Class of all others similarly situated, hereby demands a trial by jury on all issues so triable pursuant to Rule 38 of the Federal Rules of Civil Procedure. John G. Harnishfeger (Virginia Bar No. 368-78)