Julian Hammond (SBN 268489)
jhammond@hammondlawpc.com
Polina Brandler (SBN 269086)
pbrandler@hammondlawpc.com
Ari Cherniak (SBN 290071)
acherniak@hammondlawpc.com
Steven Resnick (pro hac vice pending)
sresnick@hammondlawpc.com
HAMMONDLAW, PC
11780 W. Sample Road, Suite 1103
Coral Springs, FL 33065
Tel: (310) 601-6766
Fax: (310) 295-2385

Attorneys for Plaintiff and the Putative Class

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

MADALYN BROWN, individually and on behalf of all others similarly situated,

Plaintiff,

vs.

ACCELLION, INC., a Delaware Corporation,

Defendant.

Case No.: 5:21-1155

CLASS ACTION COMPLAINT FOR:

1. Negligence;
2. Violation of Washington State Consumer Protection Act, RCW 19.86.010;

DEMAND FOR JURY TRIAL

Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 2 of 14

Plaintiff Madalyn Brown (“Plaintiff”), on behalf of herself and all others similarly situated (hereinafter “Class Members”), complains and alleges as follows:

OVERVIEW OF CLAIMS

1. This is a class action, under Federal Rule of Civil Procedure 23, brought on behalf of individuals whose private information, including names, dates of birth, Social Security numbers, driver’s license numbers and/or state identification numbers, bank account information, and employment information (collectively “Personally Identifiable Information” or “PII”) was exposed because of the failure of Accellion, Inc. (“Accellion” or “Defendant”) to safeguard and protect the sensitive information of Plaintiff and the Class Members.

2. In January 2021, Accellion, a software company providing services to the Washington State Auditor’s Office (the “SAO”), announced that unauthorized individuals gained access to SAO files by exploiting a vulnerability in Accellion’s file transfer service. This unauthorized access began in December 2020 and continued into January 2021 (the “Data Breach”). The SAO files contained the PII of Washington residents who filed unemployment insurance claims in 2020. In addition, the compromised files may have included the PII of other Washington residents whose information was contained in state agency and/or local government files.

3. On February 1, 2021, the Washington State Auditor’s Office confirmed that PII belonging to approximately 1.6 million people in Washington was compromised as a result of the Data Breach.

4. Accellion is a cloud computing company focused on file sharing and collaboration solutions.¹ Accellion developed, marketed, and sold a file sharing transfer product called “File Transfer Appliance” (“FTA”) for use in overcoming limits imposed on the size of email attachments.² Rather than transferring documents by email, the intended recipient would receive a link to files hosted on Accellion’s FTA, which could then be viewed or downloaded. Id.

5. At the time of the Data Breach, the SAO was using Accellion’s FTA product to transfer and/or receive files and Accellion knew that SAO was using the FTA product to transfer and/or receive files containing PII.

1 https://en.wikipedia.org/wiki/Accellion
2 https://www.bankinfosecurity.com/blogs/accellion-mess-what-went-wrong-p-2989

6. As of 2020, however, FTA was an outdated product “nearing end-of-life.”³ Nevertheless, Accellion continued to market and sell the FTA product to SAO and other entities for use in transferring files containing PII.

7. In December 2020 and continuing into January 2021, unknown threat actors exploited vulnerabilities in the FTA software and gained access to SAO files. The SAO files contained the records of approximately 1.6 million Washington residents who filed claims for unemployment insurance in 2020.

8. Accellion’s failure to ensure that the FTA product provided adequate security protocols exposed the PII of more than one million Washington residents, including Plaintiff and the Class Members. As a result of Defendant’s conduct, the PII of Plaintiff and the Class was compromised and their PII was disclosed to unknown and unauthorized third parties without their consent.

9. Armed with the PII acquired in this type of cyberattack, threat actors can commit a variety of crimes including, e.g., opening new financial accounts in class members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, and obtaining driver’s licenses in Class Members’ names but with another person’s photograph.

10. As a result of the Data Breach, Plaintiff and the Class Members have and will continue to incur out of pocket costs and expenses for, among other things, purchasing credit monitoring services, credit freezes, credit reports, and/or other protective measures to deter and detect identity theft. Plaintiff and the Class Members have and will continue to spend time, resources, and money in order to mitigate their damages from the Data Breach.

11. As a result of the Data Breach, Plaintiff and the Class Members are at a heightened and imminent risk of fraud and identity theft. Plaintiff and the Class Members must now and in the future closely monitor their bank accounts and credit card accounts to guard against the risk of identity theft.

12. Plaintiff brings this class action lawsuit on behalf of herself and all those similarly situated to address Accellion’s inadequate safeguarding of Class Members’ PII.

3 https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident

JURISDICTION AND VENUE

13. This Court has subject matter jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million exclusive of interest and costs. At least one Plaintiff and one Defendant are citizens of different states. There are more than 100 putative Class Members.

14. This Court has personal jurisdiction over Defendant because its principal place of business is in California and has sufficient contacts in this District.

15. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because Defendant conducts substantial business in this District and California is the principal place of business for Defendant.

PARTIES

16. Plaintiff Madalyn Brown is an adult individual who resides, and at all relevant times, has resided in Eatonville, Washington. Plaintiff Madalyn Brown filed an unemployment claim with the State of Washington in 2020 and her PII was exposed in the Data Breach. She is referred to in this Complaint as “Plaintiff.”

17. Accellion, Inc. is a Delaware Corporation with headquarters in Palo Alto, California.

FACTUAL ALLEGATIONS

18. Accellion is a Palo Alto, California-based private cloud solutions company focused on secure file sharing and collaboration.⁴ Users of Accellion’s file transfer products can access, edit, and share enterprise content from any device while maintaining compliance and security. Id.

19. Accellion markets its products as a way to safely transfer sensitive information via file sharing. With regard to file sharing, Accellion’s website states in relevant part:

Shared Files and Folders | Secure File Sharing

• Give users a simple, secure, private way to share confidential information
• Provide the same ease of use found in consumer cloud file sharing apps
• Designated business users give external parties access privileges to folders and individual files, such as watermarked view-only, download, and upload/edit
• Designated business users request files from external partners so they can upload sensitive content in compliance
• Ensure productivity with tight integration to email, mobile, office and enterprise apps⁵

20. According to its website, the Accellion enterprise content firewall “prevents data breaches and compliance violations from third party cyber risk. CIOs and CISOs rely on the Accellion platform for complete visibility, security and control over the communication of IP, PII, PHI, and other sensitive content across email, file sharing, mobile, enterprise apps, web portals, SFTP, and automated inter-business workflow…When employees click the Accellion button, they know it’s the safe, secure way to share sensitive information with the outside world.”⁶

4 https://en.wikipedia.org/wiki/Accellion
5 https://www.accellion.com/platform/simple/secure-file-sharing/

21. Accellion developed, marketed, and sold a file transfer product called Accellion FTA. According to its website, “Accellion FTA helps worldwide enterprises… transfer large and sensitive files securely using a 100% private cloud, on-premises or hosted.”⁷

22. Accellion was aware that its FTA program was inadequate to keep file transfer secure. With regard to the FTA product, Accellion’s website states that “in today’s breach-filled, over-regulated world, you need even broader protection and control. Protect all your external file sharing – no matter what the source, device or location – with the industry-leading governance and security of Accellion’s new platform.” Id.

23. By the end of 2020, Accellion’s product was nearing “end of life.”⁸ In fact, in a recent interview, Joel York, Accellion’s chief marketing officer, said the data breach involved the company’s 20-year-old “legacy product,” known as FTA, which the company has been encouraging customers to stop using. With regard to the FTA product, Mr. York stated, “It just wasn’t designed for these types of threats.”⁹

24. In mid-December 2020, Accellion was made aware of a “zero-day vulnerability” in its legacy FTA software.¹⁰ A zero-day vulnerability is a software security flaw that is known to the software vendor but does not have a patch in place to fix the flaw. It has the potential to be exploited by cybercriminals.

25. Accellion attempted to patch the vulnerability; however, the company identified additional exploits in the ensuing weeks and attempted to release patches to close each vulnerability. Id. The Data Breach began in December 2020 and continued into January 2021, as cyber attackers repeatedly exploited vulnerabilities in the FTA product.

6 https://www.accellion.com/company/
7 https://www.accellion.com/products/fta/
8 https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident
9 https://www.seattletimes.com/seattle-news/politics/personal-data-of-1-6-million-washington-unemployment-claimants-exposed-in-hack-of-state-auditor/
10 https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/

26. During the Data Breach, threat actors were able to exploit a software vulnerability in Accellion’s FTA product and gain access to files that were being transferred using Accellion’s service. SAO was one of Accellion’s customers targeted in the attack along with approximately 50 others.

27. At the time of the Data Breach, the SAO was using Accellion’s FTA product to transfer and/or receive files and Accellion knew that SAO was using the FTA product to transfer and/or receive files containing PII.

28. SAO determined that data files from the Employment Security Department (ESD) were impacted. These ESD data files contained unemployment compensation claim information including the person’s name, social security number and/or driver’s license or state identification number, date of birth, bank account number and bank routing number, and place of employment.¹¹ In addition, the SAO determined that data files from some local governments and other state agencies were also affected. SAO is reviewing all potentially accessed data files to identify which agencies’ and local governments’ files were impacted. Id.

29. Washington State Auditor Pat McCarthy has stated that Washington paid an annual subscription fee for the service for the past 13 years and relied on it to be safe, stating, “We believed that we were getting a secure system and we expected that — and the citizens of Washington state should expect that as well.” Id.

30. Recently, Accellion issued an announcement advising consumers of the “end of life for its legacy FTA software effective April 30, 2021”. Accellion has stated that it will continue to “provide support and honor its FTA contracts for the duration of its existing License Terms.”¹²

31. Plaintiff Madalyn Brown applied for unemployment benefits from the State of Washington in 2020. As part of her application, Plaintiff Brown was required to provide sensitive personal information, including her social security number and banking information. Given the highly sensitive nature of the information stolen in the Data Breach, Plaintiff Madalyn Brown suffered damages including but not limited to out-of-pocket losses, time and effort spent mitigating her damages and dealing with the fall-out from the Data Breach, damage to her credit score, and the loss of the value of her PII.

32. Specifically, with respect to damages, Plaintiff Madalyn Brown had to close her primary bank account and reopen a new account. While waiting for her funds to become available, Plaintiff Madalyn Brown was compelled to borrow money from family members in order to pay for certain necessities. Unauthorized activity was detected on her credit card account, resulting in a reduction in her credit score. Plaintiff Madalyn Brown spent time and resources sending correspondence to three major credit bureaus explaining what occurred. In addition, Plaintiff Madalyn Brown placed freezes on her credit so that no one could open new accounts in her name. She spent time updating automatic bill pay with her new bank account number. Lastly, the launch of a new business was placed on hold.

11 https://sao.wa.gov/breach2021
12 https://www.accellion.com/sites/default/files/resources/fta-eol.pdf

Plaintiff and the Class Members Suffered Damages

33. Plaintiff and the Class members’ PII is private and sensitive in nature and was left inadequately protected by Defendant. Defendant did not obtain Plaintiff and the Class Members’ consent to disclose their PII to any other person or entity, as required by applicable law and industry standards.

34. The Data Breach was a direct and proximate result of Defendant’s failure to properly safeguard and protect Plaintiff and the Class Members’ PII from unauthorized access, use, and disclosure, as required by various state and federal regulations, industry practices, and the common law, including Defendant’s failure to establish and implement appropriate technical safeguards to ensure the security and confidentiality of Plaintiff and the Class members’ PII to protect against reasonably foreseeable threats to the security or integrity of such information.

35. As a direct and proximate result of Defendant’s wrongful actions and inaction and the resulting Data Breach, Plaintiff and the Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives including, inter alia, by placing “freezes” and “alerts” with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized activity, changing the information used to verify their identity to information not subject to this Data Breach, and filing police reports. This time has been lost forever and cannot be recaptured. In all manners of life in this country, time has constantly been recognized as compensable.

36. Defendant’s wrongful actions and inaction directly and proximately caused the theft and dissemination to an unknown third party of Plaintiffs’ PII, causing them to suffer, and continue to suffer, economic damages and other actual harm for which they are entitled to compensation, including:

(a) theft of their PII;

(b) costs for credit monitoring services;

(c) unauthorized charges on their debit and credit card accounts; the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their credit/debit card and PII being placed in the hands of criminals and already misused via the sale of Plaintiff and Class members’ PII on the internet black market;

(d) the improper disclosure of their data;

(e) loss of privacy;

(f) ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach;

(g) ascertainable losses in the form of deprivation of the value of their PII, for which there is a well-established national and international market; ascertainable losses in the form of the loss of cash back or other benefits as a result of their inability to use certain accounts and cards affected by the Data Breach;

(h) loss of use of, and access to, their account funds and costs associated with the inability to obtain money from their accounts or being limited in the amount of money they were permitted to obtain from their accounts, including missed payments on bills and loans, late charges and fees, and adverse effects on their credit including adverse credit notations; and

(i) the loss of productivity and value of their time spent to address, attempt to ameliorate, mitigate, and deal with the actual and future consequences of the Data Breach, including finding fraudulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft protection services, imposition of withdrawal and purchase limits on compromised accounts, changing the information used to verify their identity to information not subject to this data breach, and the stress, nuisance and annoyance of dealing with all such issues resulting from the data breach.

CLASS ACTION ALLEGATIONS

37. Plaintiff brings this action, on behalf of herself and all others similarly situated, as a class action pursuant to Federal Rules of Civil Procedure, Rule 23.

38. Plaintiff proposes the following Class definitions, subject to amendment as appropriate:

    All residents of the United States whose Personally Identifiable Information was compromised as a result of the Data Breach disclosed by the Washington State Auditor in January 2021.

39. This action has been brought and may properly be maintained as a class action under Federal Rules of Civil Procedure, Rule 23, because there is a well-defined community of interest in the litigation, the proposed class is easily ascertainable, and Plaintiff is a proper representative of the Class.

40. Excluded from the above Class is Defendant and its parents or subsidiaries, any entities in which it has a controlling interest, as well as its officers, directors, affiliates, legal representatives, heirs, predecessors, successors, and assigns. Also excluded is any Judge to whom this case is assigned, as well as his or her judicial staff and immediate family members.

41. The proposed Class meets the criteria for certification under Fed. R. Civ. P. 23(a), (b)(2), and (b)(3).

42. Numerosity. The members of the Class are so numerous that joinder of all of them is impracticable. While the exact number of Class Members is unknown to Plaintiff at this time, based on information and belief, the Class consists of approximately 1,600,000 individuals whose PII was compromised in the Data Breach.

43. Commonality. There are questions of law and fact common to the Class, which predominate over any questions affecting only individual Class Members. These common questions of law and fact include, without limitation:

a. Whether Defendant engaged in the conduct alleged herein;

b. Whether Defendant’s conduct constituted an unfair trade practice (as defined below) actionable under the applicable consumer protection laws;

c. Whether Defendant had a legal duty to adequately protect Plaintiff’s and Class Members’ personal information;

d. Whether Defendant breached its legal duty by failing to adequately protect Plaintiff’s and Class Members’ personal information;

e. Whether and when Defendant knew or should have known that Plaintiff’s and Class Members’ personal information was vulnerable to attack;

f. Whether Plaintiff and Class Members are entitled to recover actual damages and/or statutory damages; and

g. Whether Plaintiff and Class Members are entitled to equitable relief, including injunctive relief, restitution, disgorgement, and/or the establishment of a constructive trust.

44. Typicality. Plaintiff’s claims are typical of those of other Class Members because Plaintiff’s PII, like that of every other Class Member, was compromised in the Data Breach.

45. Adequacy of Representation. Plaintiff will fairly and adequately represent and protect the interests of the Members of the Class. Plaintiff’s Counsel are competent and experienced in litigating class actions, including data breach class actions.

46. Predominance. Defendant has engaged in a common course of conduct toward Plaintiff and Class Members, in that all the Plaintiff’s and Class Members’ PII was exposed via Defendant’s FTA product and unlawfully accessed in the same way. The common issues arising from Defendant’s conduct affecting Class Members set out above predominate over any individualized issues. Adjudication of these common issues in a single action has important and desirable advantages of judicial economy.

47. Superiority. A class action is superior to other available methods for the fair and efficient adjudication of the controversy. Class treatment of common questions of law and fact is superior to multiple individual actions or piecemeal litigation. Absent a class action, most Class Members would likely find that the cost of litigating their individual claims is prohibitively high and would therefore have no effective remedy. The prosecution of separate actions by individual Class Members would create a risk of inconsistent or varying adjudications with respect to individual Class Members, which would establish incompatible standards of conduct for Defendant. In contrast, the conduct of this action as a class action presents far fewer management difficulties, conserves judicial resources and the parties’ resources, and protects the rights of each Class Member.

48. Class certification also is appropriate under Fed. R. Civ. P. 23(b)(2). Defendant has acted or has refused to act on grounds generally applicable to the Class, so that final injunctive relief or corresponding declaratory relief is appropriate as to the Class as a whole.

49. Finally, all Members of the proposed Class are readily ascertainable. Defendant and/or the SAO has access to addresses and other contact information for the members of the Class, which can be used to identify Class Members.

50. Plaintiff reserves the right to add Class representatives, provided Defendant is afforded an opportunity to conduct discovery as to those representatives.

FIRST CAUSE OF ACTION

Negligence

51. Plaintiff re-alleges and incorporates by reference each and every allegation set forth in the preceding paragraphs.

52. Plaintiff alleges this claim individually and on behalf of the Class.

53. Defendant owed a duty to Plaintiff and the Class to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting and protecting the PII in their possession from being compromised, stolen, lost, accessed, misused and/or disclosed to unauthorized recipients.

54. Defendant also had the duty to implement processes that would detect a breach of its security in a timely manner and to timely act upon warnings and alerts.

55. Defendant owed Plaintiff and the Class a duty to exercise reasonable care in the acquisition, maintenance, and storage of their PII. Such duty includes the implementation of adequate security infrastructure and protocols to protect that PII.

56. Defendant owed a duty to timely disclose the material fact that their data security practices were inadequate to safeguard individuals’ PII.

57. Defendant breached these duties by the conduct alleged in the Complaint, including without limitation: (a) failing to protect the PII; (b) failing to maintain adequate data security practices to safeguard the PII; and (c) failing to disclose the material fact that Defendant’s data security practices were inadequate to safeguard the PII.

58. The conduct alleged herein caused Plaintiff and Class Members to be exposed to fraud and be harmed as detailed herein. Plaintiff and Class Members were foreseeable victims of Defendant’s inadequate data security practices and in fact suffered damages caused by Defendant’s breaches of their duties.

59. Defendant knew of the serious harms that could result through the wrongful disclosure of the PII of Plaintiff and the Class.

60. Defendant’s failure to comply with industry standards further demonstrates their negligence in failing to exercise reasonable care in safeguarding and protecting the PII of Plaintiff and the Class.

61. But for Defendant’s wrongful and negligent breach of its duties owed to Plaintiff and the Class, their PII would not have been compromised. Defendant’s negligence was a direct and legal cause of the exposure of Plaintiff’s and the Class’s PII and all resulting damages.

62. The injury and harm suffered by Plaintiff and the Class were a reasonably foreseeable result of Defendant’s failure to cure those numerous vulnerabilities or, at a minimum, exercise reasonable care in safeguarding and protecting the PII of Plaintiff and the other Class Members.

63. As a result of Defendant’s misconduct, the PII of Plaintiff and the Class was compromised and their PII was disclosed to third parties without their consent, placing them at a greater risk of identity theft. Plaintiff and the Class have also suffered out of pocket losses related to identity theft losses or protective measures.

64. Defendant’s misconduct alleged herein was carried out with a willful and conscious disregard of the rights or safety of Plaintiff and the Class and subjected Plaintiff and the Class to unjust hardship in conscious disregard of their rights.

65. Plaintiff, on behalf of herself and all other Class Members, requests relief as described below.

SECOND CAUSE OF ACTION

Violation of the Washington State Consumer Protection Act, RCW 19.86.010, et seq.

66. Plaintiff re-alleges and incorporates by reference each and every allegation set forth in the preceding paragraphs.

67. The Washington State Consumer Protection Act, RCW 19.86.020 (the “CPA”) prohibits any “unfair or deceptive acts or practices” in the conduct of any trade or commerce as those terms are described by the CPA and relevant case law.

68. Defendant is a “person” as described in RCW 19.86.010(1).

69. Defendant engages in “trade” and “commerce” as described in RCW 19.86.010(2) in that it engages in the sale of services and commerce directly and indirectly affecting the people of the State of Washington.

70. By virtue of the above-described wrongful actions, inaction, omissions, and want of ordinary care that directly and proximately caused the Data Breach, Defendant engaged in unlawful, unfair and fraudulent practices within the meaning, and in violation of, the CPA, in that Defendant’s practices were injurious to the public interest because they injured other persons, had the capacity to injure other persons, and have the capacity to injure other persons.

71. In the course of conducting their business, Defendant committed “unfair or deceptive acts or practices” by, inter alia, knowingly failing to design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security processes, controls, policies, procedures, protocols, and software and hardware systems to safeguard and protect Plaintiff’s and Class Members’ Private Information, and violating the common law alleged herein in the process. Plaintiff and Class Members reserve the right to allege other violations of law by Defendant constituting other unlawful business acts or practices. Defendant’s above-described wrongful actions, inaction, omissions, and want of ordinary care are ongoing and continue to this date.

72. Defendant’s above-described wrongful actions, inaction, omissions, want of ordinary care, misrepresentations, practices, and non-disclosures also constitute “unfair or deceptive acts or practices” in violation of the CPA in that Defendant’s wrongful conduct is substantially injurious to other persons, had the capacity to injure other persons, and has the capacity to injure other persons.

73. The gravity of Defendant’s wrongful conduct outweighs any alleged benefits attributable to such conduct. There were reasonably available alternatives to further Defendant’s legitimate business interests other than engaging in the above-described wrongful conduct.

74. As a direct and proximate result of Defendant’s above-described wrongful actions, inaction, omissions, and want of ordinary care that directly and proximately caused the Cyber-Attack and its violations of the CPA, Plaintiff and Class Members have suffered, and will continue to suffer, economic damages and other injury and actual harm in the form of, inter alia, (1) an imminent, immediate and the continuing increased risk of identity theft, identity fraud—risks justifying expenditures for