Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 1 of 22 Page ID #:1
`
`
`
`
`
`
`
`
`
`
`
`
`Deepali A. Brahmbhatt (SBN 255646)
`Email: dbrahmbhatt@devlinlawfirm.com
`DEVLIN LAW FIRM LLC
`3120 Scott Blvd. #13,
`Santa Clara, CA 95054
`Telephone: (650) 254-9805
`
`Timothy Devlin (pro hac vice pending)
`Email: tdevlin@devlinlawfirm.com
`Robert Kiddie (pro hac vice pending)
`Email: rkiddie@devlinlawfirm.com
`Robyn Williams (pro hac vice pending)
`Email: rwilliams@devlinlawfirm.com
`Devlin Law Firm LLC
`1526 Gilpin Avenue
`Wilmington, DE 19806
`Telephone: (302) 449-9010
`
`Attorneys for Plaintiff,
`Catherine Foster, on behalf of herself
`and all others similarly situated
`
`
`UNITED STATES DISTRICT COURT
`
`CENTRAL DISTRICT OF CALIFORNIA
`
`SOUTHERN DIVISION
`
` Case No.
`
`CLASS ACTION COMPLAINT
`FOR DATA BREACH
`
`
`DEMAND FOR JURY TRIAL
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`Catherine Foster, on behalf of herself and
`all others similarly situated,
`
`
`
`
`Plaintiff,
`
`v.
`
`
`Ring, LLC, a Delaware limited liability
`corporation,
`
`
`
`Defendant.
`
`
`
`
`
`
`COMPLAINT
`
`
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 2 of 22 Page ID #:2
`
`
`
`Plaintiff, Catherine Foster (“Plaintiff”), individually and on behalf of all
`
`others similarly situated, brings this class action against Defendant Ring LLC
`
`(“Ring” or “Defendant”), and alleges the following:
`
`I.
`
`INTRODUCTION
`
`1.
`
`This action addresses Ring’s egregious failure to provide the safety and
`
`security it ostensibly promises its customers and to respect the most fundamental of
`
`its customers’ autonomy and privacy rights—the right to privacy in one’s home—and
`
`the very principles upon which the company was purportedly built.
`
`2.
`
`Ring markets and sells home security remote-access cameras and
`
`appurtenant software (collectively, “devices”). Intended for use in and around the
`
`home, Ring’s devices feature motion-activated cameras; a “live view” that allows
`
`users to “check in on” their homes remotely; and a two-way talk feature that allows
`
`users to communicate through the devices. According to Ring, its home security
`
`devices offer “smart security here, there, everywhere.” Ring promises users that it
`
`takes cybersecurity seriously and will safeguard users’ private information.
`
`3.
`
`Despite Ring expressly promising to provide its customers with “peace
`
`of mind” and to put its customers’ “security first,” its devices actually expose the most
`
`intimate areas of customers’ homes—and consequently the most private aspects of
`
`customers’ lives—to unauthorized third parties through its deliberately inadequate
`
`security measures that allows hackers to invade and terrorize their homes. Ring has
`
`failed to protect consumers against ill-meaning hackers despite the fact that it had
`
`been on notice of the inadequacies of its cybersecurity because of previous breach
`
`incidents.
`
`4.
`
`Instead of helping families protect their homes, Ring’s devices—which
`
`were plagued with cyber-security vulnerabilities—have provided hackers a wide-
`
`open back door to enter the very homes the devices were supposed to protect. These
`
`simple vulnerabilities permit vicious criminals to hack into Ring devices and
`
`
`
`1
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 3 of 22 Page ID #:3
`
`
`
`potentially their home networks. Based on the in-built vulnerabilities in the Ring
`
`devices, Plaintiff is at a high risk of injury based on hacking or data breach.
`
`5.
`
`Furthermore, Ring actively shared users’ sensitive personal identifying
`
`information (“PII”) with third parties without first obtaining users’ authorization or
`
`consent. This sensitive data allows third parties to build comprehensive and unique
`
`digital fingerprints to track consumer behavior and engage in surveillance behind the
`
`walls of one’s private home, further enriching both Ring and the third parties.
`
`6.
`
`Ring continues to sell to the public devices that are not secure and are
`
`prone to hacking, while promising consumers “peace of mind” and safety despite
`
`continuing to affirmatively share its customers’ PII with third parties without their
`
`clear, informed consent.
`
`7.
`
`Plaintiff brings this lawsuit to hold Ring responsible for selling defective,
`
`dangerous devices and proliferating misrepresentations, and to prevent the public
`
`from being similarly harmed in the future. Plaintiff requests that the Court order Ring
`
`to take all necessary measures to secure the privacy of user accounts and devices, to
`
`stop sharing customers’ PII with third parties without their clear, informed consent,
`
`and to compensate Plaintiff and the Class members for the damage that Ring’s acts
`
`and omissions have caused.
`
`8.
`
`Plaintiff intends to ask the Court to certify a Class under Rule 23(b)(2)
`
`and 23(b)(3) on behalf of all persons in the United States who purchased Ring’s
`
`defective devices and insecure services and/or created an account for use of such
`
`devices (the “Purchaser/Accountholder Class”) and is at a significant risk of harm
`
`through hacking, data breach and unauthorized sharing of PII.
`
`II. THE PARTIES
`
`9.
`
`Plaintiff Catherine Foster is a resident and citizen of Massachusetts and
`
`is a member of the Purchaser/Accountholder Class.
`
`10.
`
`Defendant Ring LLC is a Delaware is a limited liability company with
`
`its principal lace of business in Santa Monica, California.
`2
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 4 of 22 Page ID #:4
`
`
`
`III. JURISDICTION AND VENUE
`
`11.
`
`This Court has original jurisdiction pursuant to 28 U.S.C. § 1332(d)(2).
`
`The matter in controversy, exclusive of interest and costs, exceeds the sum or value
`
`of $5,000,000, and members of the Class are citizens of different states from Ring.
`
`12.
`
`This Court has personal jurisdiction over Ring because it maintains
`
`headquarters in this District and operates in this District. Through its business
`
`operations in this District, Ring intentionally avails itself of the markets within this
`
`District to render the exercise of jurisdiction by this Court just and proper.
`
`13.
`
`Venue is proper in this District under 28 U.S.C. § 1391 because
`
`significant events giving rise to this case took place in this District, and because Ring
`
`is authorized to conduct business in this District, has intentionally availed itself of the
`
`laws and markets within this District, does substantial business in this District, and is
`
`subject to personal jurisdiction in this District.
`
`IV. BACKGROUND
`
`14.
`
`Several of its user accounts and devices were hacked, putting Ring on
`
`notice that its service and devices had serious security vulnerabilities. The very
`
`purpose of the device and service was to provide security. The existing security
`
`vulnerabilities make a user account or device from Ring more likely at risk to be
`
`hacked or data breached. Such security risks take away from any benefits Ring
`
`products or services provide.
`
`15.
`
`To date, Ring’s tardy updates are still insufficient to protect their
`
`consumers’ privacy and security going forward. There is no indication that Ring has
`
`addressed gaping security holes like Ring’s leaving their devices vulnerable to brute
`
`force attacks and credential stuffing, failure to limit the number of failed login
`
`attempts, or Ring’s failure to conduct basic IP detection to warn a customer that
`
`someone is attempting to login to their account from multiple different geographic
`
`locations at the same time. There is also no indication that Ring plans to require
`
`
`
`3
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 5 of 22 Page ID #:5
`
`
`
`customers to use strong passwords or will prevent them from using passwords that
`
`are known to be exposed from previous data breaches.
`
`16.
`
`Not only did Ring fail to protect Plaintiff’s Ring account in adopting
`
`substandard security and privacy protocols, it also violated their customers’ privacy
`
`by affirmatively sharing PII with third parties without authorization or consent.
`
`17.
`
`After widespread reporting on the Ring hacks, an investigation by the
`
`Electronic Frontier Foundation (“EFF”), a nonprofit organization that educates
`
`consumers on privacy matters, found that the Ring app integrated multiple third-party
`trackers1. This unauthorized release further exposed customers to privacy violations
`
`by sharing their PII with third parties and increasing the risk of unauthorized access.
`
`18.
`
`Among the information shared with these third parties were customers’
`
`names, private IP addresses, mobile network carriers, persistent identifiers, and sensor
`
`data on the devices of Ring’s customers. Ring could remove the personal identifiers
`
`in user data before sending it to third parties, but it does not.
`
`19.
`
`Ring thus allows third parties to track its customers on a granular level,
`
`without meaningful user notification or consent and, in most cases, with no way to
`
`mitigate the damage done. Persistent identifiers and device information are often sent
`
`upon app install, and thus before the user has even had the opportunity to view and
`
`accept the terms and conditions.
`
`20.
`
`The danger in sending even small bits of information, such as device
`
`specifications, and an advertising ID, anonymous ID, or fingerprint ID, is that
`
`analytics and tracking companies are able to combine these bits together to form a
`
`unique picture of the user’s device (mobile phone or computer), and thus create a
`
`fingerprint that follows the user as they interact with other apps and use their device,
`
`in essence providing the ability to spy on what a user is doing in their daily lives, in
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`1 Bill Budington, Ring Doorbell App Packed with Third-Party Trackers, Electronic
`Frontier Foundation (Jan. 27, 2020),
`<https://www.eff.org/deeplinks/2020/01/ringdoorbell-
`app-packed-third-party-trackers>.
`
`4
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 6 of 22 Page ID #:6
`
`
`
`their home, and precisely when they are doing it. This data detailing user behavior is
`
`linked into a profile resulting in broad yet near perfect surveillance of practically all
`
`of someone’s interests, identities, and daily routines. The information Ring’s app and
`
`website sends to third-party servers at a minimum would allow third parties to know
`
`when Ring users are at home or away.
`
`21.
`
`This information is used to build precise and detailed profiles on
`
`individuals, ultimately identifying characteristics such as race, age, sexual orientation,
`
`relationship status, socioeconomic status, parental status, and much more. Social
`
`media sites and operating systems or apps on Mobile devices can exploit this indirect
`
`data collection practices, in particular rely on apps to autonomously collect and send
`
`information about app usage to the social network without telling users about the
`
`arrangement.
`
`22.
`
`Obtaining data on and from a device, including the transmission of data
`
`linked to a unique identifier from an app to third parties, constitutes the processing of
`
`personal data. Data relating to the use of specific apps, including usage logs, from
`
`which an individual is directly or indirectly identifiable is also personal data.
`
`23.
`
`Data harvesting is the fastest growing industry in the U.S. As software,
`
`data mining, and targeting technologies have advanced, the revenue from digital ads
`
`and the consequent value of the data used to target them have risen rapidly. On
`
`information and belief, Ring continues to integrate a sweeping combination of third
`
`party “analytics tools” and trackers that require collection of PII to serve its own
`
`selfish purpose of monetization.
`
`24.
`
`Plaintiff Catherine Foster purchased Ring Camera before September 8,
`
`2019 and started her subscription service on that date. She stopped ring protection
`
`plan on November 24, 2020. By purchasing Ring device and using the service in the
`
`past, she has put herself and her household at a significant risk of hacking, data breach
`
`and unauthorized dissemination of her and her family’s PII.
`
`
`
`5
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 7 of 22 Page ID #:7
`
`
`
`25.
`
`Because Plaintiff Foster has canceled her subscription service, she is no
`
`longer subject to the terms of her subscription service including arbitration. She
`
`continues to use her Ring camera and view live streaming.
`
`26.
`
`Unlike other companies that use online accounts, as of the dates the
`
`Plaintiff purchased their Ring devices, Ring did not require basic, industry-standard
`
`measures to protect the security of users’ accounts. And instead of following any
`
`industry standard practices or providing customers clear channels of remediation,
`
`Ring places the blame for the data breach on their own users.
`
`V. CLASS ALLEGATIONS
`
`27.
`
`Pursuant to Federal Rule of Civil Procedure 23(b)(2) and 23(b)(3),
`
`Purchaser/Accountholder Plaintiff, individually and on behalf of all others similarly
`
`situated, bring this lawsuit on behalf of themselves and as a class action on behalf of
`
`the following Class:
`
`Purchaser/Accountholder Class: All persons who purchased a Ring
`
`security device of any kind from Ring LLC and/or created a Ring account
`
`during the applicable limitations period from the state of Massachusetts
`
`and nationwide.
`
`
`
`28.
`
`Excluded from the Class are any entities, including Ring, and Ring’s
`
`officers, agents, and employees. Also excluded from the Class are counsel for
`
`Plaintiff, any judicial officer presiding over this matter, members of their immediate
`
`family, members of their judicial staff, and any judge sitting in the presiding court
`
`system who may hear an appeal of any judgment entered.
`
`29.
`
`Members of the Class are so numerous that joinder is impracticable.
`
`While the exact number of members of Class is unknown to Plaintiff, it is believed
`
`that each Class is comprised of dozens, if not thousands, of members.
`
`30.
`
`Common questions of law and fact exist as to all members of the Class.
`
`These questions predominate over questions that may affect only individual class
`
`6
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 8 of 22 Page ID #:8
`
`
`
`members because Ring has acted on grounds generally applicable to the Class. Such
`
`common and legal factual questions for the Class include:
`
`a. Whether Ring violated Plaintiff’s and Class Members’ privacy
`
`rights;
`
`b. Whether Ring failed to safeguard adequately Plaintiff’s and Class
`
`Members’ property, including their private and personal
`
`information;
`
`c. Whether Ring’s collection and storage of Plaintiff’s and Class
`
`Members’ private and personal information in the manner alleged
`
`herein violated federal, state, and local laws, or industry standards;
`
`d. Whether Ring’s disclosure of Plaintiff’s and Class Members’ private
`
`and personal information in the manner alleged herein violated
`
`federal, state, and local laws, or industry standards;
`
`e. Whether Ring acted negligently;
`
`f. Whether Plaintiff and the Class Members were harmed;
`
`g. Whether Ring and Plaintiff formed implied contracts;
`
`h. Whether Ring breached implied contracts with Plaintiff and the
`
`Class Members;
`
`i. Whether Ring’s conduct was unfair;
`
`j. Whether Ring’s conduct was fraudulent;
`
`k. Whether Plaintiff and the Class members are entitled to equitable
`
`relief, including, but not limited to, injunctive relief, restitution, and
`
`disgorgement; and
`
`l. Whether Plaintiff and the Class members are entitled to actual,
`
`statutory, punitive or other forms of damages, and other monetary
`
`relief.
`
`31.
`
`Plaintiff’s claims are typical of the members of the Class as all members
`
`of the Class are similarly affected by the Ring’s actionable conduct. Ring’s conduct
`
`7
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 9 of 22 Page ID #:9
`
`
`
`that gave rise to the claims of Plaintiff and members of the Class is the same for all
`
`members of the Class.
`
`32.
`
`Plaintiff will fairly and adequately protect the interests of the Class
`
`because they have no interests antagonistic to, or in conflict with, the Class that
`
`Plaintiff seeks to represent. Furthermore, Plaintiff has retained counsel experienced
`
`and competent in the prosecution of complex class action litigation, including data
`
`privacy litigation.
`
`33.
`
`Class action treatment is a superior method for the fair and efficient
`
`adjudication of this controversy, in that, among other things, such treatment will
`
`permit a large number of similarly situated persons or entities to prosecute their
`
`common claims in a single forum simultaneously, efficiently, and without the
`
`unnecessary duplication of evidence, effort, expense, or the possibility of inconsistent
`
`or contradictory judgments that numerous individual actions would engender. The
`
`benefits of the class mechanism, including providing injured persons or entities with
`
`a method for obtaining redress on claims that might not be practicable to pursue
`
`individually, substantially outweigh any difficulties that may arise in the management
`
`of this class action.
`
`34.
`
`Plaintiff knows of no difficulty to be encountered in the maintenance of
`
`this action that would preclude its maintenance as a class action.
`
`35.
`
`Ring has acted or refused to act on grounds generally applicable to the
`
`Class, thereby making appropriate final injunctive relief or corresponding declaratory
`
`relief with respect to the Class as a whole.
`
`36.
`
`Plaintiff suffers a substantial and imminent risk of repeated injury in the
`
`future.
`
`37.
`
`38.
`
`California law applies to the claims of all members of the Class.
`
`The State of California has sufficient contacts to Ring’s relevant conduct
`
`for California law to be uniformly applied to the claims of the Class. Application of
`
`California law to all relevant Class Member transactions comports with the Due
`
`8
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 10 of 22 Page ID #:10
`
`
`
`Process Clause given the significant aggregation of contacts between Ring’s conduct
`
`and California.
`
`39.
`
`40.
`
`Ring is headquartered and does substantial business in California.
`
`A significant percentage of the Class Members are located in, and Ring
`
`aimed a significant portion of its unlawful conduct at, California.
`
`41.
`
`The conduct that forms the basis for each Class Member’s claims against
`
`Ring emanated from Ring’s headquarters in Santa Monica, California, including
`
`Ring’s misrepresentations and omissions regarding security and decisions to
`
`implement substandard security practices as alleged herein.
`
`42.
`
`California has a greater interest than any other state in applying its law
`
`to the claims at issue in this case. California has a very strong interest in preventing
`
`its resident corporations from engaging in unfair and deceptive conduct and in
`
`ensuring that harm inflicted on resident consumers is redressed. California’s interest
`
`in preventing unlawful corporate behavior occurring in California substantially
`
`outweighs any interest of any other state in denying recovery to its residents injured
`
`by an out-of-state defendant or in applying its laws to conduct occurring outside its
`
`borders. If other states’ laws were applied to Class Members’ claims, California’s
`
`interest in deterring resident corporations from committing unfair and deceptive
`
`practices would be impaired.
`
`VI. CLAIMS FOR RELIEF
`
`
`
`43.
`
`COUNT I
`NEGLIGENCE
`(On behalf of Plaintiff and the Class Members)
`Plaintiff re-alleges and incorporates the allegations in Paragraphs 1
`
`through set forth above as if fully written herein.
`
`44.
`
`Ring owed Plaintiff and the members of the Class a duty to exercise
`
`reasonable care in safeguarding and protecting access to their Ring accounts and
`
`
`
`9
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 11 of 22 Page ID #:11
`
`
`
`keeping them from being compromised, lost, stolen, misused, and/or disclosed to
`
`unauthorized parties.
`
`45.
`
`This duty included, among other things, designing, maintaining, and
`
`testing security systems to ensure that users’ account information is adequately
`
`secured and protected. Ring’s duty to Plaintiff and the members of Class arose from
`
`the sensitivity of the information and privacy rights that Ring’s devices were designed
`
`to secure and protect. This duty further arose because Ring affirmatively designed,
`
`developed, maintained, and provided the Ring products and services to its customers,
`
`who were the foreseeable victims of negligence in the design, development, and
`
`maintenance of Ring’s products and services.
`
`46.
`
`Ring’s duties to use reasonable data security measures also arose under
`
`Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45, which
`
`prohibits “unfair . . . practices in or affecting commerce,” including, as interpreted
`
`and enforced by the FTC, the unfair practice of failing to use reasonable data security
`
`measures to protect consumers. Various FTC publications and data security breach
`
`orders further form the basis of Luxottica’s duties. In addition, individual states have
`
`enacted statutes based upon the FTC Act that also created a duty. The harm that has
`
`occurred is the type of harm the FTC Act (and similar state statutes) were intended to
`
`guard against.
`
`47.
`
`Ring breached its duty to Plaintiff and the members of Class when it
`
`allowed unauthorized users to access their accounts, when it failed to implement and
`
`maintain reasonable security protections and protocols, and when it knowingly shared
`
`and/or sold customers’ PII to third parties for analytics and marketing purposes
`
`without adequate disclosure to and consent from its customers.
`
`48.
`
`Ring, a sophisticated tech company, knows what the industry-standard
`
`security practices are, but chose not to implement them.
`
`49.
`
`As a result of Ring’s breaches, several of the Class members suffered
`
`serious injuries when unauthorized third parties were able to access their Ring
`
`10
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 12 of 22 Page ID #:12
`
`
`
`accounts. And Plaintiff and other Class members are at a significant risk to suffer
`
`injury due to Ring’s breaches because they incurred expense associated with
`
`purchasing, installing, creating accounts for, and using the insecure devices in and
`
`around their homes.
`
`50.
`
`It was entirely foreseeable to Ring that Plaintiff and the members of
`
`Class would be harmed if it failed to adequately safeguard access to their Ring
`
`accounts and security devices. Failure to protect their Ring accounts and access to
`
`their security devices was likely to result in injury to Plaintiff and members of the
`
`Class because hackers could gain unauthorized access to private information about
`
`their lives, spy on them, harass them, threaten them, endanger them, and commit
`
`financial fraud or theft using information learned through the unauthorized access.
`
`51.
`
`There is a close connection between Ring’s failure to adequately
`
`safeguard access to the Ring accounts of the members of the Class and the injuries
`
`suffered by them.
`
`52.
`
`But for Ring’s acts and omissions in maintaining inadequate security,
`
`and
`
`allowing
`
`hackers
`
`to
`
`gain
`
`access
`
`to
`
`customer
`
`accounts,
`
`the
`
`Accountholder/Purchaser Plaintiff and Class Members’ devices would not be put at a
`
`significant risk of getting hacked, their homes spied on, and loved ones harassed. This
`
`close connection is further reinforced by the broader general evidence of hacks of
`
`others’ Ring devices occurring around the same time period.
`
`53.
`
`Further, but for Ring’s disclosure and/or sale of PII to third parties for
`
`analytics and marketing purposes without disclosure and consent,
`
`the
`
`Accountholder/Purchaser Plaintiff’s and
`
`the Accountholder/Purchaser Class
`
`Members’ PII and privacy rights would not have been compromised.
`
`54.
`
`Aware of the vulnerability of its customers, and the sensitive nature of
`
`the information available to anyone who watches an indoor camera security feed, Ring
`
`has not taken sufficient actions to prevent hackers from gaining unauthorized access.
`
`Ring was aware of the problems with its security systems and that they were
`
`11
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 13 of 22 Page ID #:13
`
`
`
`vulnerable to intrusion by hackers, because these issues were widely covered in the
`
`media. There was even a podcast dedicated to entertaining subscribers by hacking and
`
`harassing Ring customers through their devices. But even though Ring was aware of
`
`the vulnerability of its customers to being hacked through its accounts and devices,
`
`Ring failed to cure those vulnerabilities or protect its customers’ accounts.
`
`55.
`
`Plaintiff and members of the Class enjoy a special relationship with
`
`Ring. Ring provided services to Plaintiff and members of the Class, including the
`
`ability to monitor their indoor security devices via their Ring accounts. The
`
`transactions between Ring and the members of the Class are intended to benefit the
`
`Plaintiff and members of the Class by providing them the ability to use the indoor
`
`devices for all of the purposes they expected and Ring intended.
`
`56.
`
`Plaintiff and members of the Class were harmed by Ring’s failure to
`
`exercise reasonable care in safeguarding their account information, and that harm was
`
`reasonably foreseeable.
`
`COUNT II
`VIOLATION OF CALIFORNIA UNFAIR COMPETITION LAW (“UCL”)
`(Or its equivalent in states nationwide and on behalf of Plaintiff and
`Class Members)
`Plaintiff re-alleges and incorporates the allegations in Paragraphs 1
`
`57.
`
`through set forth above as if fully written herein.
`
`58.
`
`Plaintiff has standing to pursue this cause of action because Plaintiff was
`
`placed at and is at a significant risk of suffering injury in fact and lost money as a
`
`result of Ring’s misconduct described herein.
`
`59.
`
`As described herein, Ring advertised their products and services as
`
`enhancing security and safety, but in fact provided products and services that were
`
`highly vulnerable to hacking and that worsened the safety and security of Plaintiff and
`
`the members of the Class.
`
`
`
`12
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 14 of 22 Page ID #:14
`
`
`
`60.
`
`Plaintiff would continue using her Ring products and services if they
`
`could be assured that Ring would take adequate security measures to protect the
`
`security of their accounts and devices going forward.
`
`61.
`
`The UCL defines unfair business competition to include any “unlawful,
`
`unfair or fraudulent” act or practice, as well as any “unfair, deceptive, untrue or
`
`misleading” advertising. Cal. Bus. & Prof. Code § 17200. Ring has engaged in
`
`business acts and practices that, as alleged above, constitute unfair competition in
`
`violation of Business and Professions Code section 17200.
`
`Unlawful
`
`62.
`
`Ring’s business practices, as alleged herein, violate the “unlawful” prong
`
`because Ring violates Plaintiff’s and Class Members’ rights to privacy and state laws,
`
`including Article 1, Section 1 of the California Constitution, and the California
`
`Consumers Legal Remedies Act.
`
`Unfair
`
`63.
`
`Ring’s business practices, as alleged herein, violate the “unfair” prong
`
`of the UCL because they offend an established public policy and are immoral,
`
`unethical, and unscrupulous or substantially injurious to consumers.
`
`64.
`
`Plaintiff and members of the Class have a well-established right to
`
`privacy and well-established privacy interests in their homes and in their sensitive
`
`personal information. Ring’s failure to implement and maintain adequate security
`
`protocols, and its disclosure and/or sale of customers PII to third parties without their
`
`permission or consent, violated those interests and substantially injured them.
`
`65.
`
`The reasons, justifications, or motives that Ring may offer for the acts
`
`and omissions described herein are outweighed by the gravity of harm to the victims.
`
`The injuries suffered by Plaintiff and members of the Class are substantial and are not
`
`outweighed by any countervailing benefits to consumers or competition.
`
`Fraudulent
`
`
`
`13
`CLASS ACTION COMPLAINT
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 15 of 22 Page ID #:15
`
`
`
`66.
`
`Ring’s acts, as described herein, are “fraudulent” because they are likely
`
`to deceive the general public.
`
`67.
`
`Ring’s business practices described herein also violate the UCL because
`
`Ring falsely represented that goods or services have characteristics they do not have,
`
`namely, good security; falsely represented that its goods or services are of a particular
`
`standard when they are of another; advertised its goods and services with intent not
`
`to sell them as advertised; represented that the subject of a transaction was supplied
`
`in accordance with a previous representation when it was not; and/or made material
`
`omissions regarding the security of Ring’s devices.
`
`68.
`
`As a result of Ring’s unlawful, unfair, and fraudulent business practices,
`
`Plaintiff and members of the Class have a significant risk of suffering injury.
`
`69.
`
`If Ring is permitted to continue to engage in the unfair and fraudulent
`
`business practices described above, its conduct will engender further injury,
`
`expanding the number of injured members of the public beyond its already large size,
`
`and will tend to render any judgment at law, by itself, ineffectual. Under such
`
`circumstances, Plaintiff and members of the Class have no adequate remedy at law in
`
`that Ring will continue to engage in the wrongful conduct alleged herein, thus
`
`engendering a multiplicity of judicial proceedings. Plaintiff and members of the Class
`
`request and are entitled to injunctive relief, enjoining Ring from engaging in the unfair
`
`and fraudulent acts described herein.
`
`70.
`
`The basis for Plaintiff’s claims emanated from California, where the
`
`primary decisions regarding what security measures to implement (or not) into Ring’s
`
`devices occurred. Ring affirmatively instructs its users to contact Ring at an address
`
`in Santa Monica, California, with questions about “data protection.”
`
`COUNT III
`
`BREACH OF IMPLIED CONTRACT
`
`71.
`
`Plaintiff re-alleges and incorporates the allegations in Paragraphs 1
`
`through set forth above as if fully written herein.
`14
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

`

`Case 2:21-cv-02175-CBM-PLA Document 1 Filed 03/10/21 Page 16 of 22 Page ID #:16
`
`
`
`72.
`
`Ring sold devices to Plaintiff and members of the Class. In exchange,
`
`Ring received benefits in the form of monetary payments. Plaintiff and members of
`
`the Class also created Ring accounts, providing Ring with their v