`
`
`BURSOR & FISHER, P.A.
`L. Timothy Fisher (State Bar No. 191626)
`Joel D. Smith (State Bar No. 244902)
`1990 North California Blvd., Suite 940
`Walnut Creek, CA 94596
`Telephone: (925) 300-4455
`Facsimile: (925) 407-2700
`E-Mail: ltfisher@bursor.com
`
` jsmith@bursor.com
`
`Counsel for Plaintiff
`
`
`
`UNITED STATES DISTRICT COURT
`EASTERN DISTRICT OF CALIFORNIA
`
`
`
`JOYCE MERCADAL, individually and on behalf Case No.
`
`of all others similarly situated,
`
`
`CLASS ACTION COMPLAINT
` Plaintiff,
`
`
`v.
`
`
`
`GENERAL ELECTRIC COMPANY and
`JURY TRIAL DEMANDED
`
`CANON BUSINESS PROCESS SERVICES,
`INC.,
`
` Defendants.
`
`
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 2 of 16
`
`
`
`Plaintiff Joyce Mercadal (“Plaintiff” or “Ms. Mercadal”), by and through her attorneys,
`makes the following allegations against Defendant General Electric Company (“GE”) and Defendant
`Canon Business Process Services, Inc. (“Canon”) (collectively, “Defendants”) pursuant to the
`investigations of her counsel and upon information and belief, except as to the allegations
`specifically pertaining to herself or her counsel, which are based on personal knowledge.
`INTRODUCTION
`1.
`Plaintiff brings this class action against Defendants for their failure to secure and
`safeguard her personal identifying information (“Personal Information”), and the Personal
`Information of hundreds of thousands of other current and former GE employees, as well as the GE
`employees’ beneficiaries.
`2.
`General Electric is a global high-tech industrial company primarily engaged in
`energy, healthcare, and transportation. General Electric utilizes Canon Business Process Services
`in connection with the administration of employee benefits.
`3.
`Unfortunately for current and former GE employees entitled to benefits, between
`approximately February 3, 2020 and February 14, 2020, Canon experienced a data breach in which
`hackers accessed the Personal Information of numerous current and former GE employees entitled
`to benefits, including their beneficiaries (hereinafter, the “Data Breach”).1
`4.
`According to GE, hackers gained access to, at minimum, the below categories of
`information:2
`
`direct deposit forms, driver’s licenses, passports, birth certificates,
`marriage certificates, death certificates, medical child support orders, tax
`withholding forms, beneficiary designation forms and applications for benefits
`such as retirement, severance and death benefits with related forms and
`documents, may have included names, addresses, Social Security numbers,
`driver’s license numbers, bank account numbers, passport numbers, dates of
`birth, and other information contained in the relevant forms.
`
`
`1 https://www.documentcloud.org/documents/6817907-GE-Canon-Notice-of-Data-Breach.html
`2 https://www.bleepingcomputer.com/news/security/tech-giant-ge-discloses-data-breach-after-
`service-provider-hack/
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`1
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 3 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`5.
`As set forth herein, the Data Breach was the inevitable result of Defendants’
`inadequate approach to data security and their failure to protect Class Members’ Personal
`Information that they collected, maintained, and disseminated during the course of their business.
`6.
`Defendants’ actions and omissions violate well-established legal and statutory duties
`they owed to Plaintiff and Class Members.
`7.
`Plaintiff brings this action on behalf of herself and all others similarly situated for
`actual damages, as well as punitive damages and equitable and injunctive relief to fully redress the
`widespread harm Defendants’ wrongful acts and omissions have unleashed.
`PARTIES
`8.
`Plaintiff Joyce Mercadal is, and at all times mentioned herein was, a resident of Citrus
`Heights, California and a citizen of the State of California. Ms. Mercadal was a GE employee for 17
`years. Accordingly, Ms. Mercadal’s Personal Information was stored by GE and Canon, and later
`stolen and put at risk during the Data Breach. The Data Breach and disclosure of the Personal
`Information has immediately, directly and substantially increased Ms. Mercadal’s risk of identity
`theft. Indeed, information such as data breach victims’ names, birth dates, social security numbers,
`bank account numbers, passport numbers, tax withholding numbers, and other identifying
`information creates a material risk of identity theft. As a result of the Data Breach, Ms. Mercadal
`also has suffered a loss of privacy, nuisance and diminished value of Personal Information, and must
`now expend additional time and money mitigating the threat of identity theft that would not be
`necessary but for the Data Breach.
`9.
`Defendant General Electric Company is a New York corporation with its principal
`place of business at 5 Necco Street, Boston, Massachusetts, 02210.
`10.
`Defendant Canon Business Process Services, Inc. is a Delaware corporation with its
`principal place of business at 261 Madison Ave., New York, New York, 10016.
`JURISDICTION AND VENUE
`11.
`This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. §§
`1331 and 1337, as well as jurisdiction over the state law claims pursuant to 28 U.S.C. §§ 1332(d) and
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`2
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 4 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`1367 because this is a class action in which the matter or controversy exceeds the sum of $5,000,000,
`exclusive of interest and costs, and in which some members of the proposed Classes are citizens of a
`state different from the Defendant.
`12.
`Venue is proper in this District pursuant to 28 U.S.C. §§ 1391 (b), (c), and (d),
`because a substantial part of the events giving rise to Plaintiff’s claims occurred in this District.
`13.
`This Court has personal jurisdiction because Defendant does business in this District
`and a substantial part of the events and injury giving rise to Plaintiff’s claims occurred in this
`District.
`
`FACTS COMMON TO ALL CLAIMS
`14.
`GE is a for-profit Fortune 500 technology giant that conducts business in over 180
`countries and, according to GE’s 2018 annual report, has over 280,000 employees.3 As mentioned
`above, GE utilizes Canon as a service provider in connection with administering the benefits of
`current employees, former employees, and the beneficiaries of current and former employees.
`15.
`On March 20, 2020, GE filed a Notice of Data Breach with the State of California
`that stated: “Recently GE was informed that one of our service providers, Canon Business Process
`Services, Inc. (‘Canon’), experienced a data security incident. GE contracts with Canon to process
`documents of GE employees, former employees, and beneficiaries entitled to benefits.”
`16.
`The Notice of Data Breach also states that “affected documents” include “personal
`information[] which was contained in documents such as direct deposit forms, driver’s licenses,
`passports, birth certificates, marriage certificates, death certificates, medical child support orders,
`tax withholding forms, beneficiary designation forms and application for benefits such as
`retirement, severance and death benefits with related forms and documents, may have included
`names, addresses, Social Security numbers, driver’s license numbers, bank account numbers,
`passport numbers, dates of birth, and other information contained in the relevant forms.”
`17.
`As discussed above, Defendants acknowledges that they have failed to meet their
`
`
`3 http://www.annualreports.com/HostedData/AnnualReports/PDF/NYSE_GE_2018. pdf
`
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`3
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 5 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`responsibility to protect the Personal Information of Plaintiff and Class Members. Indeed,
`recognizing the imminent and direct threat of injury caused by the Data Breach, GE recommended
`that those affected by the Data Breach “take steps to protect [themselves],” including credit
`monitoring and identity protection.
`18.
`Unfortunately for Plaintiff and Class Members, the ramifications of Defendants’
`failure to keep Plaintiff’s and Class Members’ data secure are severe. The FTC defines identity
`theft as “a fraud committed or attempted using the identifying information of another person
`without authority.” 17 C.F.R § 248.201. The FTC describes “identifying information” as “any
`name or number that may be used, alone or in conjunction with any other information, to identify a
`specific person.” Id.
`19.
`Personal identifying information is a valuable commodity to identity thieves once
`the information has been compromised. As the FTC recognizes, once identity thieves have
`personal information, “they can drain your bank account, run up your credit cards, open new utility
`accounts, or get medical treatment on your health insurance.”4
`20.
`Identity thieves can use personal information, such as that of Plaintiff and Class
`Members, which Defendants failed to keep secure, to perpetrate a variety of crimes that harm
`victims. For instance, identity thieves may commit various types of government fraud such as:
`immigration fraud; obtaining a driver’s license or identification card in the victim’s name but with
`another’s picture; using the victim’s information to obtain government benefits; or filing a
`fraudulent tax return using the victim’s information to obtain a fraudulent refund.
`21.
`Annual monetary losses from identity theft are in the billions of dollars. According
`to a Presidential Report on identity theft produced in 2007:
`
`In addition to the losses that result when identity thieves fraudulently open accounts
`. . . individual victims often suffer indirect financial costs, including the costs incurred
`in both civil litigation initiated by creditors and in overcoming the many obstacles
`they face in obtaining or retaining credit. Victims of non-financial identity theft, for
`
`
`4 Federal Trade Commission, Warning Signs of Identity Theft (May 2015), available at
`https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft (last visited June 18,
`2019).
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`4
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 6 of 16
`
`
`
`example, health-related or criminal record fraud, face other types of harm and
`frustration. In addition to out-of-pocket expenses that can reach thousands of dollars
`for the victims of new account identity theft, and the emotional toll identity theft can
`take, some victims have to spend what can be a considerable amount of time to repair
`the damage caused by the identity thieves. Victims of new account identity theft, for
`example, must correct fraudulent information in their credit reports and monitor their
`reports for future inaccuracies, close existing bank accounts and open new ones, and
`dispute charges with individual creditors.5
`22.
`The unauthorized disclosure of Social Security Numbers can be particularly
`damaging because Social Security Numbers cannot easily be replaced. To obtain a new number, a
`person must prove, among other things, he or she continues to be disadvantaged by the misuse.
`Thus, under current rules, no new number can be obtained until the damage has been done.
`Furthermore, as the Social Security Administration warns:
`
`A new number probably will not solve all your problems. This is because other
`governmental agencies (such as the Internal Revenue Service and state motor vehicle
`agencies) and private businesses (such as banks and credit reporting companies) likely
`will have records under your old number. Also, because credit reporting companies
`use the number, along with other Personal Information, to identify your credit record,
`using a new number will not guarantee you a fresh start. This is especially true if
`your other Personal Information, such as your name and address, remains the same.
`If you receive a new Social Security Number, you will not be able to use the old
`number anymore. For some victims of identity theft, a new number actually creates
`new problems. If the old credit card information is not associated with the new
`number, the absence of any credit history under the new number may make it more
`difficult for you to get credit.6
`
`23.
`Personal Information such as that stolen in the Data Breach is highly coveted by,
`and a frequent target of, hackers because thieves can use the credit card information to create fake
`credit cards that can be swiped and used to make purchases as if they were the real credit cards;
`thieves can reproduce stolen debit cards and use them to withdraw cash from ATMs; use the
`victim’s Personal Information to commit immigration fraud, obtain a driver’s license or
`identification card in the victim’s name but with another’s picture, use the victim’s information to
`
`
`5 Federal Trade Commission, Combating Identity Theft A Strategic Plan (April 2007), available at
`https://www.ftc.gov/sites/default/files/documents/reports/combating-identity-theft-
`strategicplan/strategicplan.pdf (last visited June 18, 2019).
` Social Security Administration, Identity Theft and Your Social Security Number (June 2017),
`available at http://www.ssa.gov/pubs/10064.html (last visited June 18, 2019).
`
` 6
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`5
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 7 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`obtain government benefits, file a fraudulent tax return using the victim’s information to obtain a
`fraudulent refund; get medical services using consumers’ stolen information or commit any number
`of other frauds, such as obtaining a job, procuring housing, or even giving false information to
`police during an arrest.
`24.
`Further, without detailed, prompt disclosure by Defendants to Plaintiff and Class
`Members who have been impacted, affected individuals, including Plaintiff and Class Members,
`will be left exposed, unknowingly and unwittingly, for potentially months to continued misuse and
`ongoing risk of misuse of their Personal Information without being able to take necessary
`precautions to prevent imminent harm.
`25.
`And even those individuals who are reimbursed for a financial loss due to fraud are
`not made whole again. On the contrary, identity theft victims must spend numerous hours and their
`own money repairing the impact to their credit. After conducting a study, the Department of
`Justice’s Bureau of Justice Statistics found that identity theft victims “reported spending an average
`of about 7 hours clearing up the issues” and resolving the consequences of fraud in 2014.7
`26.
`There may also be a time lag between when harm occurs versus when it is
`discovered, and also between when Personal Information is stolen and when it is used. According
`to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data
`breaches:
`
`[L]aw enforcement officials told us that in some cases, stolen data may be held for up
`to a year or more before being used to commit identity theft. Further, once stolen data
`have been sold or posted on the Web, fraudulent use of that information may continue
`for years. As a result, studies that attempt to measure the harm resulting from data
`breaches cannot necessarily rule out all future harm.8
`
`27.
`Thus, Plaintiff and Class Members now face years of constant surveillance of their
`financial and personal records and will continue to spend time, effort, and money attempting to
`protect themselves from ongoing identity theft and fraud. To address these increased risks, they
`
`
`7 U.S. Department of Justice, Victims of Identity Theft, 2014 (Sept. 2015) available at
`http://www.bjs.gov/content/pub/pdf/vit14.pdf (last visited June 18, 2019).
`8 U.S. Government Accountability Office, Report to Congressional Requesters (June 2007),
`available at http://www.gao.gov/new.items/d07737.pdf (last visited June 18, 2019).
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`6
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 8 of 16
`
`
`
`must incur, and will continue to incur on an indefinite basis, out-of-pocket costs for obtaining
`credit reports, credit freezes, credit monitoring services, and other protective measures to deter or
`detect identity theft.
`28.
`The Personal Information of Plaintiff and Class Members is private and sensitive in
`nature and was left inadequately protected by Defendants.
`29.
`The Data Breach was a direct and proximate result of GE’s failure to adequately
`monitor and audit the data security systems of its service providers, including Canon, and its failure
`to properly safeguard and protect Plaintiff’s and Class Members’ Personal Information from
`unauthorized access, use, and disclosure, as required by various state and federal regulations,
`industry practices, and the common law, including its failure to establish, implement, and ensure
`appropriate administrative, technical, and physical safeguards to ensure the security and
`confidentiality of Plaintiff’s and Class Members’ Personal Information to protect against
`reasonably foreseeable threats to the security or integrity of such information.
`30.
`As a direct and proximate result of Defendants’ wrongful actions and inaction and
`the resulting Data Breach, Plaintiff and Class Members have been placed at an imminent,
`immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring
`them to take the time which they otherwise would have dedicated to other life demands such as
`work and effort to mitigate the actual and potential impact of the Data Breach.
`31.
`Further, as discussed above, GE itself recommended that impacted individuals take
`precautionary measures, such as credit monitoring and identity protection.
`32.
`Defendants’ wrongful actions and inaction directly and proximately caused the theft
`and dissemination into the public domain of Plaintiff’s and Class Members’ Personal Information,
`causing them to suffer, and continue to suffer, economic damages and other actual harm for which
`they are entitled to compensation.
`33.
`Defendants continue to hold Personal Information, including the Plaintiff’s and
`Class Members’ Personal Information, and, therefore, Plaintiff and the Class have an undeniable
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`7
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 9 of 16
`
`
`
`interest in ensuring that their Personal Information is secure, remains secure, is properly and
`promptly destroyed and is not subject to further theft.
`CLASS ACTION ALLEGATIONS
`
`34.
`Plaintiff seeks relief in her individual capacity and as a representative of all others
`who are similarly situated. In accordance with Fed. R. Civ. P. 23(a) and (b)(2) and/or (b)(3),
`Plaintiff seeks certification of a Nationwide Class and a California subclass.
`35.
`The Nationwide Class is defined as all persons residing in the United States whose
`personal information was disclosed in the data breach affecting GE and Canon in 2020 (the
`“Class”).
`36.
`The California Class is defined as all persons residing in California whose personal
`information was disclosed in the data breach affecting GE and Canon in 2020 (the “California
`Class”).
`37.
`Excluded from the Classes are Defendants; any of their corporate affiliates; any of
`their directors, officers, or employees; any persons who timely elects to be excluded from any of
`the Classes; any government entities; and any judge to whom this case is assigned and their
`immediate family and court staff.
`38.
`The members of each Class are so numerous that the joinder of all members is
`impractical. Based on Defendant GE’s statements about the scope of the Data Breach, the Class
`likely includes hundreds of thousands, of not millions of people.
`39.
`There are questions of law and fact common to the Classes, which predominate over
`any questions affecting only individual Class Members. These common questions of law and fact
`include, without limitation:
`
`a. Whether Defendants had a legal duty to use reasonable security measures to
`protect Personal Information;
`
`b. Whether Defendants were negligent in failing to protect the Personal
`Information of Plaintiff and the Class Members;
`
`c. Whether Defendants were unjustly enriched by their failure to protect the
`Personal Information of Plaintiff and the Class Members;
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`8
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 10 of 16
`
`
`
`d. Whether Defendants violated California Business and Professions Code §
`17200, et seq.;
`
`e. Whether Defendants violated the Federal Trade Commission Act, 15 U.S.C. §
`45; and
`
`f. The nature of the relief, including equitable relief and damages, to which
`Plaintiff and the Class Members are entitled.
`
`40.
` Plaintiff’s claims are typical of the claims of the members of the Classes, and
`Plaintiff will fairly and adequately protect the interests of the Classes. Plaintiff and all members of
`the Classes are similarly affected by Defendants’ wrongful conduct in that their Personal
`Information has been exposed without their authorization.
`41.
`Plaintiff’s claims arise out of the same common course of conduct giving rise to the
`claims of the other members of the Classes.
`42.
`Plaintiff’s interests are coincident with, and not antagonistic to, those of the other
`members of the Classes.
`43.
`Plaintiff is represented by counsel competent and experienced in the prosecution of
`consumer protection and tort litigation.
`44.
`The questions of law and fact common to the members of the Classes predominate
`over any questions affecting only individual members, including legal and factual issues relating to
`liability and damages.
`45.
`Class action treatment is a superior method for the fair and efficient adjudication of
`the controversy. Among other things, such treatment will permit a large number of similarly
`situated persons to prosecute their common claims in a single forum simultaneously, efficiently and
`without the unnecessary duplication of evidence, effort and expense if numerous individual actions.
`The benefits of proceeding as a class, including providing injured persons or entities
`with a method for obtaining redress for claims that might not be practicable to pursue individually,
`substantially outweigh any potential difficulties in managing this class action.
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`9
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 11 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`COUNT I
`Negligence
`46.
`Plaintiff incorporates by reference the allegations in the preceding paragraphs as if
`fully set forth herein. Plaintiff brings this count on behalf of herself and the Class.
`47.
`Defendants owed a duty to Plaintiff and Class Members, who were required to
`provide their Personal Information to Defendants in connection with the administration of benefits.
`Defendants created a duty through their voluntary actions in collecting and storing the Personal
`Information for their own benefit, as well as by their assurances that they would safeguard that
`information.
`48.
`Defendants’ duty required them, among other things, to design and employ
`cybersecurity systems, anti-hacking technologies, and intrusion detection and reporting systems
`sufficient to protect Personal Information from unauthorized access and to promptly alert their
`users of data breaches.
`49.
`Defendants breached their duties by, among other things: failing to maintain
`appropriate technological and other systems to prevent unauthorized access; failing to minimize the
`Personal Information that any intrusion could compromise; failing to detect the Data Breach in a
`timely manner; failing to promptly notify Plaintiff and Class Members of the Data Breach.
`50.
` Defendants’ breaches of their duties provided the means for third parties to access,
`obtain, and misuse the Personal Information of Plaintiff and the Class without authorization. It was
`reasonably foreseeable that such breaches would expose the Personal Information to criminals and
`other unauthorized access.
`51.
`But for Defendants’ breach of their duties, Class Members’ Personal Information
`would not have been compromised in the Data Breach.
`52.
`As a result of Defendants’ negligence, Plaintiff and the Class suffered injury, which
`includes but is not limited to exposure to a heightened, imminent risk of fraud, identity theft, and
`financial harm. Plaintiff and class member must more closely monitor their financial accounts and
`credit histories to guard against identity theft and misuse of their Personal Information. Class
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`10
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 12 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`Members also have incurred, and will continue to incur on an indefinite basis, out-of-pocket costs
`for obtaining credit reports, credit freezes, credit monitoring services, and other protective
`measures to deter or detect identity theft. The unauthorized release of Plaintiff’s and Class
`Members’ Personal Information also diminished the value of that Personal Information.
`53.
`The damages to Plaintiff and other Class Members were a proximate, reasonably
`foreseeable result of Defendants’ breaches of their duties. Plaintiff and class member are entitled
`to damages in an amount to be proven at trial.
`COUNT II
`Unjust Enrichment
`54.
`Plaintiff incorporates by reference the allegations in the preceding paragraphs as if
`fully set forth herein. Plaintiff brings this count on behalf of herself and the Class.
`55.
`Defendants knowingly and deliberately enriched themselves by saving the costs
`they reasonably should have expended on data security measures to secure Plaintiff’s and Class
`Members’ Personal Information. Instead of providing a reasonable level of security that would
`have prevented the Data Breach, Defendants instead calculated to increase their own profits at the
`expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.
`Plaintiff and Class Members, on the other hand, suffered as a direct and proximate result of
`Defendant’s decision to prioritize their own profits over the requisite security.
`56.
`Plaintiff and Class Members suffered and will continue to suffer injuries in the form
`of identity theft, attempted identity theft, the expense in mitigating harms, diminished value of
`Personal Information, loss of privacy, and nuisance.
`57.
`Plaintiff, on behalf of herself and the Class Members, therefore seek relief in the
`form of restitution.
`
`COUNT III
`Violation of California’s Unfair Competition Law, Bus. & Prof. Code § 17200 et seq.
`58.
`Plaintiff incorporates by reference the allegations in the preceding paragraphs as if
`fully set forth herein. Plaintiff brings this count on behalf of herself and the California Class.
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`11
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 13 of 16
`
`
`
`59.
`Defendants engaged in unfair, fraudulent and unlawful business practices in
`violation of the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq. (“UCL”).
`60.
`Plaintiff and California Class Members suffered an injury in fact because of
`Defendants’ alleged violations of the UCL.
`61.
`The acts, omissions, and conduct of Defendants as alleged constitute a “business
`practice” within the meaning of the UCL.
`62.
`Defendants violated the unlawful prong of the UCL by violating the Federal Trade
`Commission Act, 15 U.S.C. § 45, as alleged below.
`63.
`Defendants’ acts, omissions, and conduct also violate the unfair prong of the UCL
`because they offended public policy and constitute immoral, unethical, oppressive, and
`unscrupulous activities that caused substantial injury, including to Plaintiff and other California
`Class Members. The harm cause by Defendants’ conduct outweighs any potential benefits
`attributable to such conduct and there were reasonably available alternatives to further Defendants’
`legitimate business interests, other than Defendants’ conduct described herein.
`64.
`Defendants engaged in a fraudulent business practice that is likely to deceive a
`reasonable consumer by not having adequate measures to prevent data theft. A reasonable person
`would find Defendants’ omissions material.
`65.
`As a result of Defendants’ violations of the UCL, Plaintiff and the other California
`Class Members are entitled to injunctive relief and restitution of all funds Defendant acquired as a
`result of their unfair competition.
`
`Count IV
`
`Negligence Per Se For Violation of the Federal Trade Commission Act,
`15 U.S.C. § 45
`66.
`Plaintiff incorporates by reference the allegations in the preceding paragraphs as if
`fully set forth herein.
`67.
`Plaintiff brings this claim on behalf of herself and all members of the proposed
`Classes against Defendants.
`
`CLASS ACTION COMPLAINT – JURY TRIAL DEMANDED
`
`12
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 2:20-cv-00695-MCE-DB Document 1 Filed 04/02/20 Page 14 of 16
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`68.
`Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45,
`prohibits “unfair . . . practices in or affecting commerce.” The FTC has held that the failure to
`employ reasonable measures to protect against unauthorized access to confidential consumer data
`constitutes an unfair act or practice prohibited by Section 5.
`69.
`The FTC has provided guidance on how businesses should protect against data
`breaches, including: protect the personal customer information they acquire; properly dispose of
`personal information that is not necessary to maintain; encrypt information stored on computer
`networks; understand their network’s vulnerabilities; and install vendor-approved updates to
`address those vulnerabilities. FTC guidance also recommends that businesses use an intrusion
`detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity
`indicating that someone may be trying to penetrate the system; and watch for large amounts of data
`being transmitted from the system.
`70.
`Plaintiff and members of the Classes are within the Classes of persons Section 5 of
`the FTCA was intended to protect.
`71.
`The harm that has occurred is the type of harm the FTCA was intended to guard
`against. Indeed, the FTC has pursued over fifty enforcement actions against businesses that, as a
`result of their failure to employ reasonable data security measures and avoid unfair and deceptive
`practices, caused the same harm suffered by Plaintiff and members of the Classes
`72.
`Defendants owed a duty to Plaintiff and members of the Classes under the Section 5
`of the FTCA.
`73.
`Defendants breached their duty under Section 5 of the FTCA by, among other
`things, failing to maintain appropriate technological and other systems to prevent unauthorized
`access to C