Case 3:20-cv-01572-SK Document 1 Filed 03/03/20 Page 1 of 30
`
`
`
`
`
`RACHELE R. BYRD (190634)
`byrd@whafh.com
`BRITTANY N. DEJONG (258766)
`dejong@whafh.com
`WOLF HALDENSTEIN ADLER
` FREEMAN & HERZ LLP
`750 B Street, Suite 1820
`San Diego, CA 92101
`Telephone: 619/239-4599
`Facsimile: 619/234-4599
`
`MATTHEW M. GUINEY (pro hac vice forthcoming)
`guiney@whafh.com
`WOLF HALDENSTEIN ADLER
` FREEMAN & HERZ LLP
`270 Madison Avenue
`New York, NY 10016
`Telephone: 212/545-4600
`Facsimile: 212/545-4677
`
`Attorneys for Plaintiffs
`
`[Additional counsel appear on signature page]
`
`
`
`UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN FRANCISCO DIVISION
`
`
`
`
`KRISTA GILL and DOUG SUMERFIELD,
`individually and on behalf of all others similarly
`situated,
`
`Plaintiffs,
`
` v.
`
`HANNA ANDERSSON, LLC and
`SALESFORCE.COM, INC.
`
`Defendants.
`
`Case No.
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`Plaintiffs Krista Gill (“Gill”) and Doug Sumerfield (“Sumerfield”) (collectively,
`“Plaintiffs”), individually and on behalf of all other similarly situated individuals, hereby allege
`upon personal knowledge of the facts respectively pertaining to their own actions, and upon
`information and belief as to all other matters, by and through their undersigned counsel, and
`bring this Class Action Complaint against defendants Hanna Andersson, LLC (“Hanna
`Andersson”) and Salesforce.com, Inc. (“Salesforce” and, collectively, “Defendants”).
`NATURE OF ACTION
`1.
`Plaintiffs assert this class action against Defendants for their failure to exercise
`reasonable care in securing and safeguarding their customers’ sensitive personal information
`(“SPI”), including customer names, payment card numbers, payment card expiration dates, and
`payment card security codes.
`2.
`On January 15, 2020, Hanna Andersson sent letters to customers and state
`attorneys general stating that it “had obtained evidence that an unauthorized third party had
`accessed information entered on Hanna Andersson’s website concerning purchases made
`between September 16 and November 11, 2019” (the “Data Breach”).1 Attempting to avoid the
`spotlight, Hanna Andersson sent this letter directly to customers and state law enforcement
`without making a public press release. News soon got out, however.
`3.
`This type of customer payment data breach, called a Magecart attack, was simply
`the most recent in a long line of similar attacks on e-commerce platforms. The Hanna Andersson
`attack was no less than the second successful recent Magecart attack upon a platform that was
`part of Salesforce’s Commerce Cloud Unit, its commercial hosting service.2
`4.
`More broadly, Magecart attacks on online platforms have become very popular in
`the past few years. For example, Salesforce customer Macy’s faced a similar Magecart attack
`last October where hackers successfully stole payment card information from its website for a
`week.3
`
`1
`https://www.documentcloud.org/documents/6662592-Hanna-Andersson-Notice-of-Data-Breach-to-Consumers.html (last visited Mar. 2, 2020).
`2
`See US Retailer Hanna Andersson Hacked to Steal Credit Cards, BLEEPING COMPUTER,
`https://www.bleepingcomputer.com/news/security/us-retailer-hanna-andersson-hacked-to-steal-credit-cards/ (last visited Mar. 2, 2020).
`
`5.
`Defendants could have prevented this Data Breach. Magecart attacks on
`e-commerce platforms are among the most popular types of attacks by hackers today. While
`many retailers, restaurant chains, and other companies have responded to data breaches by
`adopting technology that helps make transactions more secure, Defendants did not.
`6.
`The Data Breach was the result of Defendants’ inadequate approach to data
`security and protection of SPI that it collected during the course of its business. The deficiencies
`in Defendants’ data security were so significant that the malware installed by hackers remained
`undetected and intact in Defendants’ systems for approximately two months.
`7.
`Defendants disregarded the rights of Plaintiffs and the Class by intentionally,
`willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its
`data systems were protected, failing to disclose to its customers the material fact that it did not
`have adequate computer systems and security practices to safeguard SPI, failing to take available
`steps to prevent the Data Breach, failing to monitor and timely detect the Data Breach, and
`failing to provide Plaintiffs and the Class prompt and accurate notice of the Data Breach.
`8.
`As a result of Defendants’ Data Breach, Plaintiffs’ and Class members’ SPI has
`been exposed to criminals for misuse and has, in fact, been misused. The injuries Plaintiffs and
`the Class suffered as a direct result of the Data Breach include:
`a.
`unauthorized charges on debit and credit card accounts;
`b.
`theft of personal and financial information;
`c.
`costs associated with the detection and prevention of identity theft and
`unauthorized use of financial accounts;
`d.
`damages arising from the inability to use debit or credit card accounts because
`accounts were suspended or otherwise rendered unusable as a result of fraudulent
`charges stemming from the Data Breach, including but not limited to foregoing
`cash back rewards;
`e.
`damages arising from the inability to withdraw or otherwise access funds because
`accounts were suspended, restricted, or otherwise rendered unusable as a result of
`the Data Breach, including, but not limited to, missed bill and loan payments,
`late-payment charges, and lowered credit scores and other adverse impacts on
`credit;
`f.
`costs associated with spending time to address and mitigate the actual and future
`consequences of the Data Breach such as finding fraudulent charges, cancelling
`and reissuing payment cards, purchasing credit monitoring and identity theft
`protection services, imposition of withdrawal and purchase limits on
`compromised accounts, lost productivity and opportunity(ies), time taken from
`the enjoyment of one’s life, and the inconvenience, nuisance and annoyance of
`dealing with all issues resulting from the Data Breach;
`g.
`the imminent and certainly impending injury resulting from the potential fraud
`and identity theft posed by SPI being exposed for theft and sale on the dark web;
`h.
`costs of products purchased at Defendants’ website during the period of the Data
`Breach because Plaintiffs and the Class would not have purchased products from
`Defendants’ website had Defendants disclosed that they lacked adequate systems
`and procedures to reasonably safeguard SPI;
`i.
`damages to and diminution in value of SPI entrusted to Defendants for the sole
`purpose of purchasing products and services from Defendants; and
`j.
`the loss of Plaintiffs’ and Class members’ privacy.
`9.
`The injuries Plaintiffs and the Class suffered were directly and proximately
`caused by Defendants’ failure to implement or maintain adequate data security measures for SPI.
`
`3
`Macy’s Hit by Magecart Card-Skimming Attack, CISO MAG (Nov. 20, 2019),
`https://www.cisomag.com/macys-hit-by-magecart-card-skimming-attack/;
`see also Macy’s moves its mission-critical commerce app to Heroku, SALESFORCE,
`https://www.salesforce.com/products/platform/app-gallery/macys/ (last visited Mar. 3, 2020).
`
`10.
`Plaintiffs and the Class retain a significant interest in ensuring that their SPI,
`which remains in Defendants’ possession, is protected from further breaches, and seek to remedy
`the harms suffered as a result of the Data Breach for themselves and on behalf of similarly
`situated consumers whose SPI was stolen.
`11.
`Plaintiffs, individually and on behalf of similarly situated consumers, seek to
`recover damages, equitable relief, including injunctive relief designed to prevent a reoccurrence
`of the Data Breach and resulting injuries, restitution, disgorgement, reasonable costs and
`attorneys’ fees, and all other remedies this Court deems proper.
`PARTIES
`12.
`Plaintiffs Krista Gill and Doug Sumerfield are natural persons and a married
`couple residing in Alexandria, Virginia.
`13.
`Defendant Hanna Andersson, LLC is a Delaware corporation with its principal
`place of business at 608 NE 19th Ave., Portland, Oregon 97232. It is wholly-owned by L
`Catterton, a private equity company.
`14.
`Defendant Salesforce.com, Inc. is a Delaware corporation with its principal place
`of business at 415 Mission St., San Francisco, California 94105.
`JURISDICTION AND VENUE
`15.
`This Court has jurisdiction pursuant to 28 U.S.C. § 1332(d)(2) (“The Class Action
`Fairness Act”) because sufficient diversity of citizenship exists between the parties to this action,
`the aggregate amount in controversy exceeds $5,000,000, exclusive of interests and costs, and
`there are 100 or more members of the Class.4
`16.
`This Court has personal jurisdiction over Defendant Salesforce because its
`principal place of business is in the Northern District of California and Salesforce is authorized
`to and regularly conducts business in the Northern District of California.
`
`
`4
`A letter sent to the North Dakota Attorney General by counsel for Hanna Andersson
`noted that there were 374 residents of North Dakota alone affected by the Data Breach.
`
`17.
`This Court has personal jurisdiction over Defendant Hanna Andersson because it
`is authorized to do business and regularly conducts business in the Northern District of
`California. Hanna Andersson has no fewer than five physical stores in the Northern District of
`California and, on information and belief, Class members who were affected by the Data Breach
`placed orders from locations within the Northern District of California.
`18.
`Venue is proper in this District pursuant to 28 U.S.C. § 1391(b)(1) & (2) because
`Defendants are corporations, Salesforce’s principal place of business is within this District, and a
`substantial part of the events and omissions giving rise to this action occurred in this District.
`FACTUAL ALLEGATIONS
`
`A.
`Plaintiffs’ Transactions
`19.
`On or around September 26, 2019, Plaintiffs made an online purchase from
`hannaandersson.com.
`20.
`On or around December 13, 2019, Plaintiffs were alerted by their bank to
`fraudulent activity on their credit card account, and their account was suspended until new cards
`could be issued to them, approximately five days later. For those five days, Plaintiffs were
`without the ability to use their joint credit card.
`21.
`Plaintiffs’ joint credit card that was compromised in the Data Breach is connected
`to a rewards program. While awaiting a replacement card following the Data Breach and
`fraudulent charges, Plaintiffs had to use alternative methods of payment and, thus, lost the
`opportunity to accrue rewards during that time.
`22.
`After this occurred, Plaintiffs received notice on or about January 20, 2020 by
`mail from Hanna Andersson regarding the Data Breach.
`23.
`Additionally, Plaintiff Krista Gill previously received data monitoring as part of a
`class action settlement from the Office of Personnel Management from MyIDCare services. This
`is the same data monitoring vendor whose services are offered by Hanna Andersson following
`the Data Breach. MyIDCare’s monitoring was inadequate to prevent the Hanna Andersson Data
`Breach from causing damage to Plaintiffs, and is inadequate to address the Data Breach at the
`heart of this complaint.
`
`24.
`Consequently, Plaintiffs lost time dealing with the issues related to the Data
`Breach in cancelling their credit card and in communicating with their financial institution.
`25.
`Plaintiffs are not aware of any other relevant data breaches that could have
`resulted in the theft of their credit card information.
`26.
`Plaintiffs suffered actual injury and damages in paying money to, and purchasing
`products from, Defendants’ website during the Data Breach, expenditures which they would not
`have made had Defendants disclosed that they lacked computer systems and data security
`practices adequate to safeguard customers’ SPI from theft.
`27.
`Plaintiffs suffered actual injury in the form of damages to and diminution in the
`value of their SPI—a form of intangible property that Plaintiffs entrusted to Defendants for the
`purpose of purchasing Defendants’ products and which was compromised in and as a result of
`the Data Breach.
`28.
`Plaintiffs suffered lost time, annoyance, interference, and inconvenience as a
`result of the Data Breach and have concerns for the loss of their privacy.
`29.
`Plaintiffs have suffered imminent and impending injury arising from the
`substantially increased risk of fraud, identity theft, and misuse resulting from their SPI being
`placed in the hands of criminals.
`30.
`Plaintiffs have a continuing interest in ensuring their SPI, which remains in the
`possession of Defendants, is protected and safeguarded from future breaches.
`B.
`Hanna Andersson’s Online Platform
`31.
`Hanna Andersson is a retail corporation wholly owned by private equity company
`L Catterton. Hanna Andersson has at least 60 retail locations in the United States and a highly
`successful online retail presence.
`32.
`Hanna Andersson produces and sells clothing and related products, mostly for
`children and infants, that are marketed as high-end. Hanna Andersson sells these products both
`in retail stores and online at hannaandersson.com.
`33.
`Hanna Andersson’s website states:
`
`The security of your personal information is very important to Hanna, and we
`have implemented measures to protect your information. Our website is PCI DSS
`compliant and uses SSL/TLS (Secure Sockets Layer) technology to encrypt your
`order information, such as your name, address, and credit card number, during
`data transmission. We use a third-party payment processor, which is also PCI
`DSS compliant.
`
`Our customer service center and stores also operate over a private, secure
`network.
`
`We follow generally accepted industry standards to protect the personal
`information submitted to us, both during transmission and once we receive it.5
`34.
`Salesforce is a cloud-based software company that offers customer relationship
`management services to corporations, such as Hanna Andersson, that allow its clients to interact
`with customers, such as through online sales platforms, such as hannaandersson.com.
`35.
`These online platforms, including hannaandersson.com, allow (among other
`things) for customers to make purchases of their clients’ products through the use of payment
`cards. As part of the sales transactions, these platforms must collect highly sensitive SPI and
`personally identifiable information (“PII”), including payment card numbers, expiration dates,
`CVV codes, names, and billing and shipping addresses, as well as (potentially) email addresses
`and telephone numbers.
`36.
`Platforms that allow this are marketed by Salesforce as the “Platform as a
`Service” (“PaaS”) model.6
`37.
`Salesforce says of its PaaS products, “(PaaS) is a proven model for running
`applications without the hassle of maintaining on-premises hardware and software infrastructure
`at your company. Enterprises of all sizes have adopted PaaS solutions like Salesforce for
`simplicity, scalability, and reliability. PaaS applications also have the latest features without the
`pain of constant upgrades.”7
`
`5
`Privacy Statement, HANNA ANDERSSON, https://www.hannaandersson.com/security-and-privacy.html (last visited Mar. 2, 2020).
`6
`See What is PaaS?, SALESFORCE, https://www.salesforce.com/paas/overview/# (last
`visited Mar. 2, 2020).
`7
`Id.
`
`38.
`Further, Salesforce prominently markets its PaaS products as “Secure —
`Information is not vulnerable to a flood, fire, natural disaster, or hardware failure in one location.
`Security protocols and infrastructure are constantly analyzed and updated to address new
`threats.”8
`C. The Data Breach
`39.
`A letter sent by Perkins Coie to the North Dakota Attorney General stated that
`Hanna Andersson was informed of the Data Breach on December 5, 2019 by “law enforcement”
`and that “credit cards used on its website were available for purchase on a dark web site.”9
`40.
`The letter further noted:
`The investigation has confirmed that Hanna Andersson’s third-party ecommerce
`platform, Salesforce Commerce Cloud, was infected with malware that may have
`scraped information entered by customers into the platform during the purchase
`process. The earliest potential date of compromise identified by forensic
`investigators is September 16, 2019, and the malware was removed on November
`11, 2019.
`41.
`The letter further noted that physical letters were being mailed to customers
`believed to be affected by the breach and would be sent out beginning January 15, 2020.
`42.
`The type of attack faced by Hanna Andersson and Salesforce is known as a
`“Magecart” attack, which has become very prevalent in recent years.10
`43.
`“Magecart” is a consortium of hacker groups known for placing malware into
`online shopping cart systems in order to steal payment card information. As CSO Online stated,
`“Almost all ecommerce sites that use shopping carts don’t properly vet the code that is used with
`these third-party pieces — a recipe for a ready-made hack.”11
`
`8
`What is Cloud Computing?, SALESFORCE,
`https://www.salesforce.com/products/platform/best-practices/cloud-computing/?d=70130000000i88b (last visited Mar. 1, 2020).
`9
`https://attorneygeneral.nd.gov/sites/ag/files/documents/DataBreach/2020-01-15-HannaAndersson.pdf (last visited Mar. 2, 2020).
`10
`See Magecart Hits 80 Major eCommerce Sites in Card-Skimming Bonanza,
`THREATPOST, https://threatpost.com/magecart-ecommerce-card-skimming-bonanza/147765/ (last
`visited Mar. 2, 2020).
`
`44.
`At all relevant times, Defendants were well-aware, or reasonably should have
`been aware, that the SPI collected, maintained, and stored in the system’s servers is highly
`sensitive, susceptible to attack, and could be used for wrongful purposes by third parties, such as
`identity theft and fraud.
`45.
`Such malware can go undetected for a long period of time, especially if industry
`best practices are not routinely used.
`46.
`SPI is a valuable commodity because it contains not only payment card numbers,
`but also PII. A “cyber black market” exists in which criminals openly post stolen payment card
`numbers, social security numbers, and other personal, private information on multiple
`underground Internet websites. SPI is valuable to identity thieves because they can use it—including
`PII—to open new financial accounts and take out loans in another person’s name, incur charges
`on existing accounts, or clone ATM, debit, and credit cards.
`47.
`Legitimate organizations and the criminal underground alike recognize the value
`of SPI and PII contained in a merchant’s data systems, otherwise the latter would not
`aggressively seek or pay for it. For example, in “one of 2013’s largest breaches . . . [n]ot only did
`hackers compromise the [card holder data] of three million customers, they also took registration
`data [containing SPI and PII] from 38 million users.”12
`48.
`Professionals tasked with trying to stop fraud and other misuse know that SPI and
`PII have real monetary value in part because criminals continue their efforts to obtain this data.13
`In other words, if any additional breach of sensitive data did not have incremental value to
`criminals, one would expect to see a reduction in criminal efforts to obtain such additional data
`over time. However, just the opposite has occurred. For example, the Identity Theft Resource
`Center reported 1,579 data breaches in 2017, which represents a 44.7 percent increase over the
`record high figures reported for 2016.14
`
`11
`What is Magecart? How this hacker group steals payment card data, CSO ONLINE,
`https://www.csoonline.com/article/3400381/what-is-magecart-how-this-hacker-group-steals-payment-card-data.html (last visited Mar. 2, 2020).
`12
`Verizon 2014 PCI Compliance Report at 54,
`https://www.cisco.com/c/dam/en_us/solutions/industries/docs/retail/verizon_pci2014.pdf.
`13
`Data Breaches Rise as Cybercriminals Continue to Outwit IT, CIO MAGAZINE (Sept. 28,
`2014),
`http://www.cio.com/article/2686167/data-breach/data-breaches-rise-as-cybercriminals-continue-to-outwit-it.html.
`
`49.
`Consumers’ SPI and PII remain valuable to identity criminals, as evidenced by
`the prices they will pay through black-market sources, or what is often called the dark web.
`Numerous sources cite dark web pricing for stolen identity credentials. For example, a complete
`set of bank account credentials can fetch a thousand dollars or more (depending on the associated
`credit score or balance available to criminals).15 Experian reports that a stolen credit or debit card
`number can sell for $5–110 on the dark web.16
`50.
`At all relevant times, Defendants knew, or reasonably should have known, of the
`importance of safeguarding SPI and PII, and of the foreseeable consequences that would occur if
`its data security system was breached, including, specifically, the significant costs that would be
`imposed on its customers as a result of a breach.
`51.
`Defendants were, or should have been, fully aware of the significant volume of
`daily credit and debit card transactions on hannaandersson.com and, thus, the significant number
`of individuals who would be harmed by a breach of Defendants’ systems.
`52.
`Unfortunately, and as alleged below, despite all of this publicly available
`knowledge of the continued compromises of SPI and PII in the hands of other third parties, such
`as retailers and restaurant chains, Defendants’ approach to maintaining the privacy and security
`of Plaintiffs’ and Class members’ SPI and PII was lackadaisical, cavalier, reckless, or, at the very
`least, negligent.
`
`14
`2017 Annual Data Breach Year-End Review, IDENTITY THEFT RESOURCE CENTER,
`https://www.idtheftcenter.org/2017-data-breaches (last visited Mar. 2, 2020).
`15
`Here’s how much thieves make by selling your personal data online, BUSINESS INSIDER
`(May 27, 2015), http://www.businessinsider.com/heres-how-much-your-personal-data-costs-on-the-dark-web-2015-5.
`16
`Here’s How Much Your Personal Information Is Selling for on the Dark Web, EXPERIAN
`(Dec. 6, 2017), https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/.
`
`D.
`The Data Breach Caused Harm and Will Result in Additional Fraud
`53. Without detailed disclosures to Defendants’ customers, Plaintiffs and Class
`members were unknowingly and unwittingly left exposed to continued misuse and ongoing risk
`of misuse of their SPI and PII without being able to take necessary precautions to prevent
`imminent harm.
`54.
`Plaintiffs have already experienced fraud and loss of use of their payment card as
`a result of the breach.
`55.
`Prior to the Data Breach, Plaintiffs routinely reviewed their credit report for
`unusual activity and had not received any indication that their credit card had been breached or
`otherwise compromised.
`56.
`Plaintiffs never transmit unencrypted SPI or PII over the internet or any other
`unsecured source.
`57.
`Plaintiffs store any and all documents containing their SPI and PII in a safe and
`secure location, and destroy/shred any documents they receive in the mail that contain any of
`their SPI or PII, or that may contain any information that could otherwise be used to compromise
`their credit cards, financial accounts, or steal their identities.
`58.
`Thus, given that before the Data Breach, Plaintiffs’ credit card had not
`experienced any prior form of breach or compromise and Plaintiffs undertook substantial efforts
`to protect their financial information—including SPI and PII—Defendants’ Data Breach is the
`source of Plaintiffs’ damages and injuries described in this Complaint.
`59.
`But for the Data Breach, Plaintiffs’ credit card would not have been breached or
`compromised and their damages would not have occurred.
`60.
`The ramifications of Defendants’ failure to keep Plaintiffs’ and Class members’
`data secure are severe and far reaching.
`
`61.
`Additionally, Hanna Andersson has offered a one-year subscription to MyIDCare
`identity protection services, offered by ID Experts.17 However, MyIDCare is the same service
`used by the Office of Personnel Management as a result of that data breach.18 MyIDCare did
`not stop Plaintiffs’ data from being stolen as part of this Data Breach, and will not be sufficient
`to protect Defendants’ consumers’ identities going forward.
`62.
`Consumer victims of data breaches are more likely to become victims of identity
`fraud. This conclusion is based on an analysis of four years of data that correlated each year’s
`data breach victims with those who also reported being victims of identity fraud.19
`63.
`The Electronic Code of Federal Regulations defines identity theft as “a fraud
`committed or attempted using the identifying information of another person without authority.”20
`The FTC describes “identifying information” as “any name or number that may be used, alone or
`in conjunction with any other information, to identify a specific person.”21
`64.
`SPI and PII are valuable commodities to identity thieves once the information has
`been compromised. As the FTC recognizes, once identity thieves have SPI and PII, “they can
`drain your bank account, run up charges on your credit cards, open new utility accounts, or get
`medical treatment on your health insurance.”22
`
`
`17
`See https://ago.vermont.gov/wp-content/uploads/2020/01/2020-01-14-Hanna-Andersson-Notice-of-Data-Breach-to-Consumers.pdf (last visited Mar. 2, 2020).
`18
`See Victims enrolled in OPM’s identity protection service are covered through June,
`agency says, FEDERAL NEWS NETWORK,
`https://federalnewsnetwork.com/opm-cyber-breach/2018/11/victims-enrolled-in-opms-identity-protection-service-are-covered-through-june-agency-says/ (last visited Mar. 2, 2020).
`19
`2014 LexisNexis True Cost of Fraud Study (Aug. 2014),
`https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf.
`20
`17 C.F.R § 248.201 (2013).
`21
`Id.
`22
`Warning Signs of Identity Theft, FEDERAL TRADE COMMISSION,
`https://www.consumer.ftc.gov/articles/0271-warning-signs-identity-theft (last visited Mar. 2,
`2020).
`
`65.
`Identity thieves can use SPI and PII, such as that of Plaintiffs and Class members,
`which Defendants failed to keep secure, to perpetrate a variety of crimes that harm victims. For
`instance, identity thieves may commit various types of government fraud such as: immigration
`fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s
`picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax
`return using the victim’s information to obtain a fraudulent refund.
`66.
`Analysis of a 2016 survey of 5,028 consumers found, “The quicker a financial
`institution, credit card issuer, wireless carrier or other service provider is notified that fraud has
`occurred on an account, the sooner these organizations can act to limit the damage. Early
`notification can also help limit the liability of a victim in some cases, as well as allow more time
`for law enforcement to catch the fraudsters in the act.”23
`67.
`As a result of Defendants’ delay in notifying consumers of the Data Breach, the
`risk of fraud for Plaintiffs and Class members has been driven even higher.
`68.
`Javelin Strategy and Research reports that identity thieves have stolen $112
`billion in the six years preceding 2016.24
`69.
`Reimbursing a consumer for a financial loss due to fraud does not make that
`individual whole again. On the contrary, identity theft victims must spend numerous hours and
`their own money repairing the impact to their credit. After conducting a study, the Department of
`Justice’s Bureau of Justice Statistics (“BJS”) found that identity theft victims “reported spending
`an average of about 7 hours clearing up the issues” and resolving the consequences of fraud in
`2014.25
`
`
`23
`Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent
`According to New Javelin Strategy & Research Study, JAVELIN (Feb. 1, 2017),
`https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new.
`24
`See 2016 Identity Fraud: Fraud Hits an Inflection Point, JAVELIN (Feb. 2, 2016),
`https://www.javelinstrategy.com/coverage-area/2016-identity-fraud-fraud-hits-inflection-point.
`25
`Erika Harrell, Victims of Identity Theft, 2014, U.S. DEP’T OF JUSTICE (Sept. 2015),
`http://www.bjs.gov/content/pub/pdf/vit14.pdf.
`
`70.
`An independent financial services industry research study conducted for
`BillGuard—a private enterprise that automates the consumer task of finding unauthorized
`transactions that might otherwise go undetected—calculated the average per-consumer cost of all
`unauthorized transactions at roughly US $215 per cardholder incurring these charges,26 some
`portion of which could go undetected and thus must be paid entirely out-of-pocket by consumer
`victims of account or identity misuse.
`71.
`Plaintiffs and the Class now face a real, immediate, and continuing risk of identity
`theft and fraudulent payment card charges resulting from Defendants’ a
