Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 1 of 13 Page ID #:1
`
`
`Todd M. Friedman (SBN 216752)
`Adrian R. Bacon (SBN 280332)
`Meghan E. George (SBN 274525)
`Thomas E. Wheeler (SBN 308789)
`LAW OFFICES OF TODD M. FRIEDMAN, P.C.
`21550 Oxnard St. Suite 780,
`Woodland Hills, CA 91367
`Phone: 323-306-4234
`Fax: 866-633-0228
`tfriedman@toddflaw.com
`abacon@toddflaw.com
`mgeorge@toddflaw.com
`twheeler@toddflaw.com
`Attorneys for Plaintiff Lauren Schaubach
`
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE CENTRAL DISTRICT OF CALIFORNIA
`
`Plaintiff,
`
`
`Lauren Schaubach, individually and
`on behalf of all others similarly
`situated,
`
`
`
`
`
`vs.
`
`HOTELS.COM, L.P., EXPEDIA
`GROUP, INC., AMAZON WEB
`SERVICES, INC., and DOES 1-10
`Inclusive,
`
`
`
`
`Defendant.
`
` Case No.
`
`CLASS ACTION COMPLAINT
`
`(1) Violation of the California
`Consumer Privacy Act § 1798.150;
`(2) Violation of California’s Unfair
`Competition Law, Cal. Bus. & Prof.
`C. § 17200, et. seq.
`(3) Negligence;
`(4) Declaratory and Injunctive Relief
`
`
`Jury Trial Demanded
`
`
`
`
`
`
`
`CLASS ACTION COMPLAINT
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 2 of 13 Page ID #:2
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`Plaintiff Lauren Schaubach (“Plaintiff”), individually and on behalf of all
`others similarly situated, alleges as follows:
`NATURE OF THE ACTION
`This action arises out of a violation of the California Consumer
`1.
`Privacy Act of 2018 (“CCPA”), Cal. Civ. C. § 1798 et. seq., arising out of a data
`breach and the exposure of millions of Californians’ personal identifying
`information collected by Defendant Hotels.com, L.P. (“HLP”) and Defendant
`Expedia Group, Inc. (“Expedia”) and stored with Defendant Amazon Web
`Services, Inc. (“AWS”), in violation of Cal. Civ. C. § 1798.150 and Cal. Bus. &
`Prof. C. § 17200 et. seq..
`JURISDICTION AND VENUE
`This class action is brought pursuant to Federal Rule of Civil
`2.
`Procedure 23.
`This matter is properly venued in the United States District Court for
`3.
`the Central District of California, in that Defendants do business in the Central
`District of California. A substantial portion of the events giving rise to Defendants’
`liability took place in this district.
`There is original federal subject matter jurisdiction over this matter
`4.
`pursuant to the Class Action Fairness Act of 2005, Pub. L. 109-2, 119 Stat. 4 (Feb.
`18, 2005), by virtue of 28 U.S.C. §1332(d)(2), which explicitly provides for the
`original jurisdiction of federal courts in any class action in which at least 100
`members are in the proposed plaintiff class, any member of the plaintiff class is a
`citizen of a State different from the State of citizenship of any defendant, and the
`matter in controversy exceeds the sum of $5,000,000.00, exclusive of interests and
`costs.
`In the case at bar, there are at least 100 members in the proposed
`5.
`Class, the total claims of the proposed Class members are in excess of
`
`
`
`Page 1
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 3 of 13 Page ID #:3
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`$5,000,000.00 in the aggregate, exclusive of interests and costs, and Plaintiff seeks
`to represent a California class of consumers against non-California companies,
`establishing minimum diversity.
`THE PARTIES
`Plaintiff LAUREN SCHAUBACH is a citizen and resident of the
`6.
`State of California, County of Orange and is a consumer as laid forth in Cal. Civ.
`C. § 1798.150.
`Defendant HOTELS.COM, L.P. is a Texas limited partnership
`7.
`company that does business in California, including in Orange County, that is
`incorporated in Texas and has its headquarters in Washington.
`Defendant EXPEDIA GROUP, INC. is a Delaware corporation that
`8.
`does business in California, including in Orange County, that is incorporated in
`Delaware and has its headquarters in Washington.
`Defendant AMAZON WEB SERVICES INC. is a Delaware
`9.
`corporation that does business in California, including in Orange County, that is
`incorporated in Delaware and has its headquarters in Washington.
`10. Plaintiffs are informed and believe, and thereon alleges, that each and
`all of the acts and omissions alleged herein were performed by, or is attributable
`to, Defendant and/or its employees, agents, and/or third parties acting on its behalf,
`each acting as the agent for the other, with legal authority to act on the other’s
`behalf. The acts of any and all of Defendant’s employees, agents, and/or third
`parties acting on its behalf, were in accordance with, and represent, the official
`policy of Defendant.
`11. Plaintiff is informed and believes, and thereon alleges, that said
`Defendants are in some manner intentionally, negligently, or otherwise
`responsible for the acts, omissions, occurrences, and transactions of each and all
`their employees, agents, and/or third parties acting on their behalf, in proximately
`
`
`
`Page 2
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 4 of 13 Page ID #:4
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`causing the damages herein alleged.
`12. At all relevant times, Defendants ratified each and every act or
`omission complained of herein. At all relevant times, Defendants aided and
`abetted the acts and omissions as alleged herein.
`PLAINTIFF’S FACTS
`13. On or about November 9, 2020, a Cloud Hospitality server hosted by
`Defendant AWS and containing information for customers for Defendant HLP and
`Defendant Expedia was hacked and tens of millions of data records were exposed
`(“the Breach”).
`14. HLP operates Hotels.com, which is an online book service by which
`individuals, such as Plaintiff, can check the availability of hotels and other lodging
`options and make reservations through the Hotels.com platform, including either
`paying in advance or paying at the time of the reservation.
`In order to use HLP’s Hotels.com, a customer must enter in
`15.
`significant personally identifiable information (“PII”) such as a first name, last
`name, email address, password, home address, telephone number, and payment
`card information. Users of Hotels.com trust that their PII will be maintained in a
`secure manner and kept from unauthorized disclosure to third parties as required
`by the law.
`16. Expedia owns HLP and also operates numerous other travel-oriented
`websites, including Expedia.com, which also collect and store PII and which were
`also the subject of the hack that exposed the tens of millions of data records on or
`about November 9, 2020.
`17. Expedia, HLP, and AWS have not issued a disclosure as required by
`Cal. Civ. C. § 1798.82 as of the date of filing and instead the news of such Breach
`was broken by multiple news sources rather than the companies themselves, who
`have been silent.
`
`
`
`Page 3
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 5 of 13 Page ID #:5
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`18. PII including the full names, email addresses, national ID numbers,
`phone numbers, credit card numbers, credit cardholder’s names, CVVs, expiration
`dates, and information regarding the nature and cost of the booked hotel stays were
`revealed and exposed by Defendants Expedia, HLP, and AWS as a result of the
`hack.
`
`19. This PII was not stored in a hashed or otherwise secured format and
`failed to comply with the Payment Card Industry Data Security Standards as
`exemplified by the significant variety and amount of credit card PII that was
`exposed.
`20. The Breach exposed Expedia, HLP, and AWS customer PII which is
`protected by the CCPA. “Personal information” is defined by Cal. Civ. C. §
`1798.81.5 as:
`“an individuals first name or first in initial and the individual’s last name in
`combination with any one or more of the following data elements, when
`either the name or the data elements are not encrypted or redacted: . . .
`(ii) Driver’s license number, California identification card number,
`tax identification number, passport number, military identification
`number, or other unique identification number issued on a
`government document commonly used to verify the identify of a
`specific individual.
`(iii) Account number or debt card number, in combination with any
`required security code, access code, or password that would permit
`access to an individual’s financial account.”
`21. Here, unredacted names were revealed along with both unique
`identification numbers, such as driver’s license or passport numbers, as well as
`credit card and payment information that would permit access to individuals’
`financial and other accounts across the web.
`
`
`
`Page 4
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 6 of 13 Page ID #:6
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`22. When nonencrypted and nonredacted personal information as defined
`in Cal. Civ. C. § 1798.81.5 is subjected to unauthorized access and exfiltration,
`theft, or disclosure by a company that has failed to maintain reasonable security
`measures, the CCPA provides for a private cause of action pursuant to Cal. Civ.
`C. § 1798.150 that authorized litigations to bring individual or class action claims.
`23. This right may not be waived or limited and any such waiver is
`contrary to public policy, void, and unenforceable pursuant to Cal. Civ. C. §
`1798.192.
`24. Defendants HLP, Expedia, and AWS have failed to maintain
`reasonable security controls and systems appropriate for the nature of the PII they
`maintain as required by the CCPA. The information was stored in an unencrypted
`format and, in particular, the payment information was stored in a way contrary to
`the Payment Card Industry Data Security Standards. This failure exposed
`consumers, such as Plaintiff, to unreasonable risk and now harm as a result of such
`failure and the exposure of their PII.
`25. Defendants HLP, Expedia, and AWS also failed to maintain proper
`measures to detect hacking and intrusion. Defendants HLP, Expedia, and AWS
`have still made no public statement or provided any notice regarding the hack and
`instead the public has learned of such hack through public news sources.
`Defendants HLP, Expedia, and AWS should have had breach detection protocols
`in place such that they could have alerted consumers significantly earlier.
`26. Because Defendants HLP, Expedia, and AWS failed to maintain
`reasonable security measures and disclosed their customers’ unencrypted names
`in combination with both identification numbers and payment information, they
`have explicitly violated the CCPA.
`27. Defendants HLP, Expedia, and AWS disregarded the privacy rights
`of Plaintiff and similarly situated consumers over their PII by failing to implement
`
`
`
`Page 5
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 7 of 13 Page ID #:7
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`reasonable security safeguards to prevent or timely detect a Breach, failing to
`detect the Breach when or after it occurred, failing to disclose to customers that it
`did not implement such reasonable security safeguards, and failing ot provide
`sufficiently prompt, thorough, and accurate notice and information about the
`Breach.
`28. As a result of the Breach, Plaintiff and Class Members have been
`injured in several ways because they face an imminent and ongoing risk of identity
`theft and similar cyber crimes, will expend time and money to protect against such
`cybercrimes, and did not receive the benefit of their bargain with respect to data
`privacy.
`29. Accordingly, Plaintiff and Class Members are entitled to actual and
`statutory damages under the CCPA and other laws and declaratory, injunctive, and
`equitable relief necessary to protect their PII.
`CLASS ACTION ALLEGATIONS
`30. Plaintiff brings this action, individually and on behalf of all others
`similarly situated, and thus, seeks class certification under Federal Rule of Civil
`Procedure 23.
`31. Plaintiff seeks to represent a Class (the “Class”) defined as follows:
`
`All consumers in California whose PII was compromised
`in the Breach.
`
`32. As used herein, the term “Class Members” shall mean and refer to the
`members of the Class described above.
`33. Excluded from the Class is Defendants, their affiliates, employees,
`agents, attorneys, and the Court.
`34. Plaintiff reserves the right to amend the Class, and to add additional
`subclasses, if discovery and further investigation reveals such action is warranted.
`35. Upon information and belief, the proposed Class is composed of
`
`
`
`Page 6
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 8 of 13 Page ID #:8
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`hundreds of thousands of persons. The members of the class are so numerous that
`joinder of all members would be unfeasible and impractical.
`36. No violations alleged in this complaint are contingent on any
`individualized interaction of any kind between Class Members and Defendant.
`37. Rather, all claims in this matter arise from the same exposure of PII
`from the Breach and Defendants’ failure to take reasonable actions to prevent such
`data breach.
`38. There are common questions of law and fact as to the Class Members
`that predominate over questions affecting only individual members, including but
`not limited to:
`(a) Whether Defendants failed to prevent Plaintiff and Class
`Members’ PII from unauthorized access and exfiltration, theft,
`or disclosure as a result of Defendants’ failure to implement
`and maintain reasonable security procedures and practices
`appropriate to the nature of the information;
`(b) Whether Defendants violated Cal. Bus. & Prof. C. § 17200, et
`seq. and Cal. Civ. C. § 1798.150;
`(c) Whether Defendants provided timely notice of the Breach to
`Plaintiff and Class Members;
`(d) Whether Defendants were negligent in the handling of Plaintiff
`and the Class Members’ PII;
`(e) Whether Plaintiff and Class Members are entitled to equitable
`and/or injunctive relief; and
`The method of calculation and extent of damages for Plaintiff
`and Class Members.
`39. Plaintiff is a member of the Class she seeks to represent.
`40. The claims of Plaintiff are not only typical of all Class Members, they
`
`(f)
`
`
`
`Page 7
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 9 of 13 Page ID #:9
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`are identical.
`41. All claims of Plaintiff and the Class are based on the exact same legal
`theories.
`42. Plaintiff has no interest antagonistic to, or in conflict with, the Class.
`43. Plaintiff is qualified to, and will, fairly and adequately protect the
`interests of each Class Member, because Plaintiff suffered the same harm from
`having her PII exposed as the Class. Defendant’s unlawful actions concern the
`same business practices described herein irrespective of where they occurred or
`were experienced. Plaintiff’s claims are typical of all Class Members as
`demonstrated herein.
`44. Plaintiff will thoroughly and adequately protect the interests of the
`Class, having retained qualified and competent legal counsel to represent herself
`and the Class.
`45. Common questions will predominate, and there will be no unusual
`manageability issues.
`
`FIRST CAUSE OF ACTION
`Violation of the CCPA
`(Cal. Civ. C. § 1798.150)
`46. Plaintiff incorporates by reference each allegation set forth above.
`47. As described above, Plaintiff and the Class’s nonencrypted and
`nonredacted PII was subject to an unauthorized access and exfiltration, theft, or
`disclosure as a result of Defendants’ violation of the duty to implement and
`maintain reasonable security procedures and practices appropriate to the nature of
`the information to protect that personal information.
`48. Defendants are each corporations organized or operated for the profit
`or financial benefit of their owners with annual gross revenues over $25 million.
`49. Defendants violated Cal. Civ. C. § 1798.150.
`
`
`
`Page 8
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 10 of 13 Page ID #:10
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`50. On November 10, 2020, Plaintiff provided Defendants with written
`notice identifying the specific provisions of the CCPA the consumer alleges to
`have been violated. Defendants have not provided an express written statement
`that the violation has been cured and no further violation shall occur nor actually
`cured the violation.
`51. Over thirty (30) days have elapsed since Plaintiff served written
`notice pursuant to Cal. Civ. C. § 1798.150 on Defendants and therefore a claim
`for statutory damages under the CCPA may be brought.
`52. Plaintiff and the Class seek all relief possible under Cal. Civ. C. §
`1798.150(a) including, but not limited to, actual damages, damages in amount not
`less than $100 and not greater than $750 per consumer per incident, injunctive or
`declaratory relief, and any other relief the Court deems proper, including
`attorney’s fees and costs pursuant to Cal. C. Civ. Proc. § 1021.5.
`SECOND CAUSE OF ACTION
`Violation of Unfair Business Practices Act
` (Cal. Bus. & Prof. Code §§ 17200 et seq.)
`53. Plaintiff incorporates by reference each allegation set forth above.
`54. Actions for relief under the unfair competition law may be based on
`any business act or practice that is within the broad definition of the UCL. Such
`violations of the UCL occur as a result of unlawful, unfair or fraudulent business
`acts and practices. A plaintiff is required to provide evidence of a causal
`connection between a defendant's business practices and the alleged harm--that is,
`evidence that the defendant's conduct caused or was likely to cause substantial
`injury. It is insufficient for a plaintiff to show merely that the defendant's conduct
`created a risk of harm. Furthermore, the "act or practice" aspect of the statutory
`definition of unfair competition covers any single act of misconduct, as well as
`ongoing misconduct.
`
`
`
`Page 9
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 11 of 13 Page ID #:11
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`UNLAWFUL
`55. California Business and Professions Code Section 17200, et seq.
`prohibits “any unlawful…business act or practice.”
`56. As explained above, Defendants violated Cal. Civ. C. § 1798.150
`with respect to Plaintiff and other Class Members.
`57. Additionally, Defendants violated Cal. Civ. C. § 1798.81.5 for
`failing to implement and maintain reasonable security procedures and practices to
`safeguard PII and Cal. Civ. C. § 1798.82 for failing to provide a notice of data
`breach as required by that section/
`58. These acts by Defendants are therefore an “unlawful” business
`practice or act under Business and Professions Code Section 17200 et seq.
`59. Defendants have thus engaged in unlawful business acts entitling
`Plaintiff and Class Members to judgment and equitable relief against Defendants,
`as set forth in the Prayer for Relief. Additionally, pursuant to Business and
`Professions Code section 17203, Plaintiff and Classes Members seek an order
`requiring Defendant to immediately cease such acts of unlawful, unfair, and
`fraudulent business practices and requiring Defendant to correct its actions.
`THIRD CAUSE OF ACTION
`Negligence
`60. Plaintiff incorporates by reference each allegation set forth above
`herein.
`61. Defendants owed Plaintiff and Class Members a duty to exercise
`reasonable care in protecting their PII from unauthorized disclosure or access.
`62. Defendants breached their duty of care by failing to implement
`reasonable security procedures and practices to protect Plaintiff and Class
`Members’ PII.
`63. Plaintiff and the Class have suffered and continued to suffer harm
`
`
`
`Page 10
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 12 of 13 Page ID #:12
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`from the exposure of their PII by Defendants’ breach of their duty, which is a
`foreseeable harm caused by such breach.
`64. But for Defendants’ breach of their duty of care, the Breach would
`not have occurred, and Plaintiff and Class Members’ PII would not have been
`accessed and exposed.
`
`MISCELLANEOUS
`65. Plaintiffs and Class Members allege that they have fully complied
`with all contractual and other legal obligations and fully complied with all
`conditions precedent to bringing this action or all such obligations or conditions
`are excused.
`
`REQUEST FOR JURY TRIAL
`66. Plaintiff request a trial by jury as to all claims so triable.
`PRAYER FOR RELIEF
`67. Plaintiff, on behalf of herself and the Class, request the following
`relief:
`
`(a) An order certifying the Class and appointing Plaintiff as
`Representative of the Class;
`(b) An order certifying the undersigned counsel as Class Counsel;
`(c) An order requiring Defendants, at their own costs, to notify all
`Class Members of the unlawful conduct herein;
`(d) Actual damages suffered by Plaintiffs and Class Members;
`Punitive damages, as allowable, in an amount determined by
`(e)
`the Court or jury;
`(f) Any and all statutory enhanced damages;
`(g) All reasonable and necessary attorneys’ fees and costs provided
`by statute, common law or the Court’s inherent power;
`Pre- and post-judgment interest; and
`
`(h)
`
`
`
`Page 11
`CLASS ACTION COMPLAINT
`
`

`

`Case 8:20-cv-02370 Document 1 Filed 12/17/20 Page 13 of 13 Page ID #:13
`
`
`(i) All other relief, general or special, legal and equitable, to which
`Plaintiff and Class Members may be justly entitled as deemed
`by the Court.
`
`
`Dated: December 17, 2020
`
`
`
`
`
`Respectfully submitted,
`
`LAW OFFICES OF TODD M. FRIEDMAN , PC
`
`
`By: /s Todd. M. Friedman
`TODD M. FRIEDMAN, ESQ.
`Attorney for Plaintiff Lauren Schaubach
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Page 12
`CLASS ACTION COMPLAINT
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`