throbber
Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 1 of 14
`
`
`
`
`Julian Hammond (SBN 268489)
`jhammond@hammondlawpc.com
`Polina Brandler (SBN 269086)
`pbrandler@hammondlawpc.com
`Ari Cherniak (SBN 290071)
`acherniak@hammondlawpc.com
`Steven Resnick (pro hac vice pending)
`sresnick@hammondlawpc.com
`HAMMONDLAW, PC
`11780 W. Sample Road, Suite 1103
`Coral Springs, FL 33065
`Tel: (310) 601-6766
`Fax: (310) 295-2385
`
`Attorneys for Plaintiff and the Putative Class
`
`
`UNITED STATES DISTRICT COURT
`
`NORTHERN DISTRICT OF CALIFORNIA
`
`SAN JOSE DIVISION
`
`
`
`Case No.: 5:21-1155
`
`CLASS ACTION COMPLAINT FOR:
`
`1. Negligence;
`2. Violation of Washington State Consumer
`Protection Act, RCW 19.86.010;
`
`
`
`
`
`DEMAND FOR JURY TRIAL
`
`Plaintiff,
`
`
`
`
`
`MADALYN BROWN, individually and on behalf
`of all others similarly situated,
`
`
`vs.
`
`ACCELLION, INC., a Delaware Corporation,
`
`
`
`
`
`
`
`
`
`
`
`
`Defendant.
`
`
`
`
`
`
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`1
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 2 of 14
`
`
`
`Plaintiff Madalyn Brown (“Plaintiff”), on behalf of herself and all others similarly situated
`
`(hereinafter “Class Members”), complains and alleges as follows:
`
`OVERVIEW OF CLAIMS
`
`1.
`
`This is a class action, under Federal Rule of Civil Procedure 23, brought on behalf of
`
`individuals whose private information, including names, dates of birth, Social Security numbers, driver’s
`
`license numbers and/or state identification numbers, bank account information, and employment
`
`information (collectively “Personally Identifiable Information” or “PII”) was exposed because of the
`
`failure of Accellion, Inc. (“Accellion” or “Defendant”) to safeguard and protect the sensitive information
`
`of Plaintiff and the Class Members.
`
`2.
`
`In January 2021, Accellion, a software company, providing services to the Washington
`
`State Auditor’s Office (the “SAO”), announced that unauthorized individuals gained access to SAO files
`
`by exploiting a vulnerability in Accellion’s file transfer service. This unauthorized access began in
`
`December 2020 and continued into January 2021 (the “Data Breach”). The SAO files contained the PII
`
`of Washington residents who filed unemployment insurance claims in 2020. In addition, the
`
`compromised files may have included the PII of other Washington residents whose information was
`
`contained in state agency and/or local government files.
`
`3.
`
`On February 1, 2021, the Washington State Auditor’s Office confirmed that PII belonging
`
`to approximately 1.6 million people in Washington was compromised as a result of the Data Breach.
`
`4.
`Accellion is a cloud computing company focused on file sharing and collaboration
`solutions.1 Accellion developed, marketed, and sold a file sharing transfer product called “File Transfer
`Appliance” (“FTA”) for use in overcoming limits imposed on the size of email attachments.2 Rather
`
`than transferring documents by email, the intended recipient would receive a link to files hosted on
`
`Accellion’s FTA, which could then be viewed or downloaded. Id.
`
`5.
`
`At the time of the Data Breach, the SAO was using Accellion’s FTA product to transfer
`
`and/or receive files and Accellion knew that SAO was using the FTA product to transfer and/or receive
`
`files containing PII.
`
`
`1 https://en.wikipedia.org/wiki/Accellion
`
` https://www.bankinfosecurity.com/blogs/accellion-mess-what-went-wrong-p-2989
`
` 2
`
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`2
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 3 of 14
`
`
`
`6.
`
`As of 2020, however, FTA was an outdated product “nearing end-of-life.”3 Nevertheless,
`
`Accellion continued to market and sell the FTA product to SAO and other entities for use in transferring
`
`files containing PII.
`
`7.
`
`In December 2020 and continuing into January 2021, unknown threat actors exploited
`
`vulnerabilities in the FTA software and gained access to SAO files. The SAO files contained the records
`
`of approximately 1.6 million Washington residents who filed claims for unemployment insurance in
`
`2020.
`
`8.
`
` Accellion’s failure to ensure that the FTA product provided adequate security protocols
`
`exposed the PII of more than one million Washington residents, including Plaintiff and the Class
`
`Members. As a result of Defendant’s conduct, the PII of Plaintiff and the Class was compromised and
`
`their PII was disclosed to unknown and unauthorized third parties without their consent.
`
`9.
`
`Armed with the PII acquired in this type of cyberattack, threat actors can commit a variety
`
`of crimes including, e.g., opening new financial accounts in class members’ names, taking out loans in
`
`Class Members’ names, using Class Members’ information to obtain government benefits, filing
`
`fraudulent tax returns using Class Members’ information, and obtaining driver’s licenses in Class
`
`Members’ names but with another person’s photograph.
`
`10.
`
`As a result of the Data Breach, Plaintiff and the Class Members have and will continue
`
`to incur out of pocket costs and expenses for, among other things, purchasing credit monitoring services,
`
`credit freezes, credit reports, and/or other protective measures to deter and detect identity theft. Plaintiff
`
`and the Class Members have and will continue to spend time, resources, and money in order to mitigate
`
`their damages from the Data Breach.
`
`11.
`
`As a result of the Data Breach, Plaintiff and the Class Members are at a heightened and
`
`imminent risk of fraud and identity theft. Plaintiff and the Class Members must now and in the future
`
`closely monitor their bank accounts and credit card accounts to guard against the risk of identity theft.
`
`12.
`
`Plaintiff brings this class action lawsuit on behalf of herself and all those similarly situated
`
`to address Accellion’s inadequate safeguarding of Class Members’ PII.
`
`JURISDICTION AND VENUE
`
`13.
`
`This Court has subject matter jurisdiction over this action under the Class Action Fairness
`
`Act, 28 U.S.C. § 1332(d)(2). The amount in controversy exceeds $5 million exclusive of interest and
`
`
`3 https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-
`incident
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`3
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 4 of 14
`
`
`
`costs. At least one Plaintiff and one Defendant are citizens of different states. There are more than 100
`
`putative Class Members.
`
`14.
`
`This Court has personal jurisdiction over Defendant because its principal place of
`
`business is in California and has sufficient contacts in this District.
`
`15.
`
`Venue is proper in this Court pursuant to 28 U.S.C. § 1391(a)(1) because Defendant
`
`conducts substantial business in this District and California is the principal place of business for
`
`Defendant.
`
`PARTIES
`
`16.
`
`Plaintiff Madalyn Brown is an adult individual who resides, and at all relevant times, has
`
`resided in Eatonville Washington. Plaintiff Madalyn Brown filed an unemployment claim with the State
`
`of Washington in 2020 and her PII was exposed in the Data Breach. She is referred to in this Complaint
`
`as “Plaintiff.”
`
`17.
`
`Accellion, Inc. is a Delaware Corporation with headquarters in Palo Alto, California.
`
`FACTUAL ALLEGATIONS
`
`18.
`Accellion is a Palo Alto, California-based private cloud solutions company focused on
`secure file sharing and collaboration.4 Users of Accellion’s file transfer products can access, edit, and
`
`share enterprise content from any device while maintaining compliance and security. Id.
`
`19.
`
`Accellion markets its products as way to safely transfer sensitive information via file
`
`sharing. With regard to file sharing, Accellion’s website states in relevant part:
`
`Shared Files and Folders | Secure File Sharing
`
` Give users a simple, secure, private way to share confidential information
` Provide the same ease of use found in consumer cloud file sharing apps
` Designated business users give external parties access privileges to folders and individual
`files, such as watermarked view-only, download, and upload/edit
` Designated business users request files from external partners so they can upload sensitive
`content in compliance
` Ensure productivity with tight integration to email, mobile, office and enterprise apps5
`
`20.
`
`According to its website, the Accellion enterprise content firewall “prevents data
`
`breaches and compliance violations from third party cyber risk. CIOs and CISOs rely on the Accellion
`
`platform for complete visibility, security and control over the communication of IP, PII, PHI, and other
`
`
`4 https://en.wikipedia.org/wiki/Accellion
`5 https://www.accellion.com/platform/simple/secure-file-sharing/
`4
`CLASS ACTION COMPLAINT
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 5 of 14
`
`
`
`sensitive content across email, file sharing, mobile, enterprise apps, web portals, SFTP, and automated
`
`inter-business workflow…When employees click the Accellion button, they know it’s the safe, secure
`way to share sensitive information with the outside world.” 6
`
`21.
`
`Accellion developed, marketed, and sold a file transfer product called Accellion FTA.
`
`According to its website, “Accellion FTA helps worldwide enterprises… transfer large and sensitive
`files securely using a 100% private cloud, on-premises or hosted.”7
`
`22.
`
`Accellion was aware that its FTA program was inadequate to keep file transfer secure.
`
`With regard to the FTA product, Acccellion’s website states that “in today’s breach-filled, over-regulated
`
`world, you need even broader protection and control. Protect all your external file sharing – no matter
`
`what the source, device or location – with the industry-leading governance and security of Accellion’s
`
`new platform.” Id.
`By the end of 2020, Accellion’s product was nearing “end of life.”8 In fact, in a recent
`
`23.
`
`interview, Joel York, Accellion’s chief marketing officer, said the data breach involved the company’s
`
`20-year-old “legacy product,” known as FTA, which the company has been encouraging customers to
`
`stop using. With regard to the FTA product, Mr. York stated, “It just wasn’t designed for these types of
`threats.”9
`
`24.
`In mid-December 2020, Accellion was made aware of a “zero-day vulnerability” in its
`legacy FTA software.10 A zero-day vulnerability is a software security flaw that is known to the software
`
`vendor but does not have a patch in place to fix the flaw. It has the potential to be exploited by
`
`cybercriminals.
`
`25.
`
`Accellion attempted to patch the vulnerability, however, the company identified
`
`additional exploits in the ensuing weeks and attempted to release patches to close each vulnerability. Id.
`
`The Data Breach began in December 2020 and continued into January 2021, as cyber attackers
`
`repeatedly exploited vulnerabilities in the FTA product.
`
`
`6 https://www.accellion.com/company/
`7 https://www.accellion.com/products/fta/
`8 https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-
`incident
`9 https://www.seattletimes.com/seattle-news/politics/personal-data-of-1-6-million-washington-
`unemployment-claimants-exposed-in-hack-of-state-auditor/
`10 https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-
`incident/
`
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`5
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 6 of 14
`
`
`
`26.
`
`During the Data Breach, threat actors were able to exploit a software vulnerability in
`
`Accellion’s FTA product and gain access to files that were being transferred using Accellion’s service.
`
`SAO was one of Accellion’s customers targeted in the attack along with approximately 50 others.
`
`27.
`
`At the time of the Data Breach, the SAO was using Accellion’s FTA product to transfer
`
`and/or receive files and Accellion knew that SAO was using the FTA product to transfer and/or receive
`
`files containing PII.
`
`28.
`
`SAO determined that data files from the Employment Security Department (ESD) were
`
`impacted. These ESD data files contained unemployment compensation claim information including the
`
`person’s name, social security number and/or driver’s license or state identification number, date of birth,
`bank account number and bank routing number, and place of employment.11 In addition, the SAO
`
`determined that data files from some local governments and other state agencies were also affected.
`
`SAO is reviewing all potentially accessed data files to identify which agencies’ and local governments’
`
`files were impacted. Id.
`
`29. Washington State Auditor Pat McCarthy has stated that Washington paid an annual
`
`subscription fee for the service for the past 13 years and relied on it to be safe, stating, “We believed that
`
`we were getting a secure system and we expected that — and the citizens of Washington state should
`
`expect that as well.” Id.
`
`30.
`
`Recently, Accellion issued and announcement advising consumers of the “end of life for
`
`its legacy FTA software effective April 30, 2021”. Accellion has stated that it will continue to “provide
`support and honor its FTA contracts for the duration of its existing License Terms.”12
`
`31.
`
`Plaintiff Madalyn Brown applied for unemployment benefits from the State of
`
`Washington in 2020. As part of her application, Plaintiff Brown was required to provide sensitive
`
`personal information, including her social security number and banking information. Given the highly
`
`sensitive nature of the information stolen in the Data Breach, Plaintiff Madalyn Brown suffered damages
`
`including but not limited to out-of-pocket losses, time and effort spent mitigating her damages and
`
`dealing with the fall-out from the Data Breach, damage to her credit score, and the loss of the value of
`
`her PII.
`
`32.
`
`Specifically, with respect to damages, Plaintiff Madalyn Brown had to close her primary
`
`bank account and reopen a new account. While waiting for her funds to become available, Plaintiff
`
`
`11 https://sao.wa.gov/breach2021
`12 https://www.accellion.com/sites/default/files/resources/fta-eol.pdf
`6
`CLASS ACTION COMPLAINT
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 7 of 14
`
`
`
`Madalyn Brown was compelled to borrow money from family members in order to pay for certain
`
`necessities. Unauthorized activity was detected on her credit card account, resulting in a reduction in her
`
`credit score. Plaintiff Madalyn Brown spent time and resources sending correspondence to three major
`
`credit bureaus explaining what occurred. In addition, Plaintiff Madalyn Brown placed freezes on her
`
`credit so that no one could open new accounts in her name. She spent time updating automatic bill pay
`
`with her new bank account number. Lastly, the launch of a new business was placed on hold.
`
`Plaintiff and the Class Members Suffered Damages
`
`33.
`
`Plaintiff and the Class members’ PII is private and sensitive in nature and was left
`
`inadequately protected by Defendant. Defendant did not obtain Plaintiff and the Class Members’ consent
`
`to disclose their PII to any other person or entity, as required by applicable law and industry standards.
`
`34.
`
`The Data Breach was a direct and proximate result of Defendant’s failure to properly
`
`safeguard and protect Plaintiff and the Class Members’ PII from unauthorized access, use, and
`
`disclosure, as required by various state and federal regulations, industry practices, and the common law,
`
`including Defendant’s failure to establish and implement appropriate technical safeguards to ensure the
`
`security and confidentiality of Plaintiff and the Class members’ PII to protect against reasonably
`
`foreseeable threats to the security or integrity of such information.
`
`35.
`
`As a direct and proximate result of Defendant’s wrongful actions and inaction and the
`
`resulting Data Breach, Plaintiff and the Class Members have been placed at an imminent, immediate,
`
`and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the
`
`time which they otherwise would have dedicated to other life demands such as work and effort to mitigate
`
`the actual and potential impact of the Data Breach on their lives including, inter alia, by placing “freezes”
`
`and “alerts” with credit reporting agencies, contacting their financial institutions, closing or modifying
`
`financial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized
`
`activity, changing the information used to verify their identity to information not subject to this Data
`
`Breach, and filing police reports. This time has been lost forever and cannot be recaptured. In all manners
`
`of life in this country, time has constantly been recognized as compensable.
`
`36.
`
`Defendant’s wrongful actions and inaction directly and proximately caused the theft and
`
`dissemination to an unknown third party of Plaintiffs’ PII, causing them to suffer, and continue to suffer,
`
`economic damages and other actual harm for which they are entitled to compensation, including:
`(a) theft of their PII;
`
`
`
`
`
`(b) costs for credit monitoring services;
`
`(c) unauthorized charges on their debit and credit card accounts; the imminent and
`certainly impending injury flowing from potential fraud and identity theft posed by
`7
`CLASS ACTION COMPLAINT
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 8 of 14
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`their credit/debit card and PII being placed in the hands of criminals and already
`misused via the sale of Plaintiff and Class members’ PII on the internet black
`market;
`
`(d) the improper disclosure of their data;
`
`(e) loss of privacy;
`
`(f) ascertainable losses in the form of out-of-pocket expenses and the value of their
`time reasonably incurred to remedy or mitigate the effects of the Data Breach;
`
`(g) ascertainable losses in the form of deprivation of the value of their PII, for which
`there is a well-established national and international market; ascertainable losses in
`the form of the loss of cash back or other benefits as a result of their inability to use
`certain accounts and cards affected by the Data Breach;
`
`(h) loss of use of, and access to, their account funds and costs associated with the
`inability to obtain money from their accounts or being limited in the amount of
`money they were permitted to obtain from their accounts, including missed
`payments on bills and loans, late charges and fees, and adverse effects on their
`credit including adverse credit notations; and
`
`(i) the loss of productivity and value of their time spent to address, attempt to
`ameliorate, mitigate, and deal with the actual and future consequences of the Data
`Breach, including finding fraudulent charges, cancelling and reissuing cards,
`purchasing credit monitoring and identity theft protection services, imposition of
`withdrawal and purchase limits on compromised accounts, changing the information
`used to verify their identity to information not subject to this data breach, and the
`stress, nuisance and annoyance of dealing with all such issues resulting from the
`data breach.
`
`CLASS ACTION ALLEGATIONS
`
`37.
`
`Plaintiff brings this action, on behalf of herself and all others similarly situated, as a class
`
`action pursuant to Federal Rules of Civil Procedure, Rule 23.
`
`38.
`
`Plaintiff proposes the following Class definitions, subject to amendment as appropriate:
`
`All residents of the United States whose Personally Identifiable Information
`was compromised as a result of the Data Breach disclosed by the Washington
`State Auditor in January 2021.
`This action has been brought and may properly be maintained as a class action under
`
`39.
`
`Federal Rules of Civil Procedure, Rule 23, because there is a well-defined community of interest in the
`
`litigation, the proposed class is easily ascertainable, and Plaintiff is a proper representative of the Class.
`
`40.
`
`Excluded from the above Class is Defendant and its parents or subsidiaries, any entities
`
`in which it has a controlling interest, as well as its officers, directors, affiliates, legal representatives,
`
`heirs, predecessors, successors, and assigns. Also excluded is any Judge to whom this case is assigned,
`
`as well as his or her judicial staff and immediate family members.
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`8
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 9 of 14
`
`
`
`41.
`
`The proposed Class meet the criteria for certification under Fed. R. Civ. P. 23(a), (b)(2),
`
`and (b)(3).
`
`42.
`
`Numerosity. The members of the Class are so numerous that joinder of all of them is
`
`impracticable. While the exact number of Class Members is unknown to Plaintiff at this time, based on
`
`information and belief, the Class consists of approximately 1,600,000 individuals whose PII was
`
`compromised in the Data Breach.
`
`43.
`
`Commonality. There are questions of law and fact common to the Class, which
`
`predominate over any questions affecting only individual Class Members. These common questions of
`
`law and fact include, without limitation:
`
`a.
`
`Whether Defendant engaged in the conduct alleged herein;
`
`b. Whether Defendant’s conduct constituted un unfair trade practice (as defined
`
`below) actionable under the applicable consumer protection laws;
`
`c. Whether Defendant had a legal duty to adequately protect Plaintiff’s and Class
`
`Members’ personal information;
`
`d. Whether Defendant breached its legal duty by failing to adequately protect
`
`Plaintiff’s and Class Members’ personal information;
`
`e. Whether and when Defendant knew or should have known that Plaintiff’s and
`
`Class Members’ personal information was vulnerable to attack;
`
`f.
`
`Whether Plaintiff and Class Members are entitled to recover actual damages
`
`and/or statutory damages; and
`
`g. Whether Plaintiff and Class Members are entitled to equitable relief, including
`
`injunctive relief, restitution, disgorgement, and/or the establishment of a constructive trust.
`
`44.
`
`Typicality. Plaintiff’s claims are typical of those of other Class Members because
`
`Plaintiff’s PII, like that of every other Class Member, was compromised in the Data Breach.
`
`45.
`
`Adequacy of Representation. Plaintiff will fairly and adequately represent and protect the
`
`interests of the Members of the Class. Plaintiff’s Counsel are competent and experienced in litigating
`
`class actions, including data breach class actions.
`
`46.
`
`Predominance. Defendant has engaged in a common course of conduct toward Plaintiff
`
`and Class Members, in that all the Plaintiff’s and Class Members’ PII was exposed via Defendant’s FTA
`
`product and unlawfully accessed in the same way. The common issues arising from Defendant’s conduct
`
`affecting Class Members set out above predominate over any individualized issues. Adjudication of
`
`these common issues in a single action has important and desirable advantages of judicial economy.
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`9
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 10 of 14
`
`
`
`47.
`
`Superiority. A class action is superior to other available methods for the fair and efficient
`
`adjudication of the controversy. Class treatment of common questions of law and fact is superior to
`
`multiple individual actions or piecemeal litigation. Absent a class action, most Class Members would
`
`likely find that the cost of litigating their individual claims is prohibitively high and would therefore
`
`have no effective remedy. The prosecution of separate actions by individual Class Members would create
`
`a risk of inconsistent or varying adjudications with respect to individual Class Members, which would
`
`establish incompatible standards of conduct for Defendant. In contrast, the conduct of this action as a
`
`class action presents far fewer management difficulties, conserves judicial resources and the parties’
`
`resources, and protects the rights of each Class Member.
`
`48.
`
`Class certification also is appropriate under Fed. R. Civ. P. 23(b)(2). Defendant has acted
`
`or have refused to act on grounds generally applicable to the Class, so that final injunctive relief or
`
`corresponding declaratory relief is appropriate as to the Class as a whole.
`
`49.
`
`Finally, all Members of the purposed Class is readily ascertainable. Defendant and/or the
`
`SAO has access to addresses and other contact information for the members of the Class, which can be
`
`used to identify Class Members.
`
`50.
`
`Plaintiff reserves the right to add Class representatives, provided Defendant is afforded
`
`an opportunity to conduct discovery as to those representatives.
`
`FIRST CAUSE OF ACTION
`
`Negligence
`
`51.
`
`Plaintiff re-alleges and incorporates by reference each and every allegation set forth in
`
`the preceding paragraphs.
`
`52.
`
`53.
`
`Plaintiff alleges this claim individually and on behalf of the Class.
`
`Defendant owed a duty to Plaintiff and the Class to exercise reasonable care in obtaining,
`
`retaining, securing, safeguarding, deleting and protecting the PII in their possession from being
`
`compromised, stolen, lost, accessed, misused and/or disclosed to unauthorized recipients.
`
`54.
`
`Defendant also had the duty to implement processes that would detect a breach of its
`
`security in a timely manner and to timely act upon warnings and alerts.
`
`55.
`
`Defendant owed Plaintiff and the Class a duty to exercise reasonable care in the
`
`acquisition, maintenance, and storage of their PII. Such duty includes the implementation of adequate
`
`security infrastructure and protocols to protect that PII.
`
`56.
`
`Defendant owed a duty to timely disclose the material fact that their data security
`
`practices were inadequate to safeguard individuals’ PII.
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`10
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 11 of 14
`
`
`
`57.
`
`Defendant breached these duties by the conduct alleged in the Complaint, including
`
`without limitation: (a) failing to protect the PII; (b) failing to maintain adequate data security practices
`
`to safeguard the PII; and (c) failing to disclose the material fact that Defendant’s’ data security practices
`
`were inadequate to safeguard the PII.
`
`58.
`
`The conduct alleged herein caused Plaintiff and Class Members to be exposed to fraud
`
`and be harmed as detailed herein. Plaintiff and Class Members were foreseeable victims of Defendant’s
`
`inadequate data security practices and in fact suffered damages caused by Defendant’s breaches of their
`
`duties.
`
`59.
`
`Defendant knew of the serious harms that could result through the wrongful disclosure of
`
`the PII of Plaintiff and the Class.
`
`60.
`
`Defendant’s failure to comply with industry standards further demonstrates their
`
`negligence in failing to exercise reasonable care in safeguarding and protecting the PII of Plaintiff and
`
`the Class.
`
`61.
`
`But for Defendant’s wrongful and negligent breach of its duties owed to Plaintiff and the
`
`Class, their PII would not have been compromised. Defendant’s negligence was a direct and legal cause
`
`of the exposure of Plaintiff’s and the Class’s PII and all resulting damages.
`
`62.
`
`The injury and harm suffered by Plaintiff and the Class were a reasonably foreseeable
`
`result of Defendant’s failure to cure those numerous vulnerabilities or, at a minimum, exercise reasonable
`
`care in safeguarding and protecting the PII of Plaintiff and the other Class Members.
`
`63.
`
`As a result of Defendant’s misconduct, the PII of Plaintiff and the Class was compromised
`
`and their PII was disclosed to third parties without their consent, placing them at a greater risk of identity
`
`theft. Plaintiff and the Class have also suffered out of pocket losses related to identity theft losses or
`
`protective measures.
`
`64.
`
`Defendant’s misconduct alleged herein was carried out with a willful and conscious
`
`disregard of the rights or safety of Plaintiff and the Class and subjected Plaintiff and the Class to unjust
`
`hardship in conscious disregard of their rights.
`
`65.
`
`Plaintiff, on behalf of himself and all other Class Members, requests relief as described
`
`below.
`
`SECOND CAUSE OF ACTION
`
`Violation of the Washington State Consumer Protection Act, RCW 19.86.010, et seq.
`
`66.
`
`Plaintiff re-alleges and incorporates by reference each and every allegation set forth in
`
`the preceding paragraphs.
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`
`
`11
`CLASS ACTION COMPLAINT
`
`

`

`Case 5:21-cv-01155-SVK Document 1 Filed 02/17/21 Page 12 of 14
`
`
`
`67.
`
`The Washington State Consumer Protection Act, RCW 19.86.020 (the “CPA”) prohibits
`
`any “unfair or deceptive acts or practices” in the conduct of any trade or commerce as those terms are
`
`described by the CPA and relevant case law.
`
`68.
`
`69.
`
`Defendant is a “person” as described in RCW 19.86.010(1).
`
`Defendant engages in “trade” and “commerce” as described in RCW 19.86.010(2) in that
`
`it engages in the sale of services and commerce directly and indirectly affecting the people of the State
`
`of Washington.
`
`70.
`
`By virtue of the above-described wrongful actions, inaction, omissions, and want of
`
`ordinary care that directly and proximately caused the Data Breach, Defendant engaged in unlawful,
`
`unfair and fraudulent practices within the meaning, and in violation of, the CPA, in that Defendant’s
`
`practices were injurious to the public interest because they injured other persons, had the capacity to
`
`injure other persons, and have the capacity to injure other persons.
`
`71.
`
`In the course of conducting their business, Defendant committed “unfair or deceptive acts
`
`or practices” by, inter alia, knowingly failing to design, adopt, implement, control, direct, oversee,
`
`manage, monitor and audit appropriate data security processes, controls, policies, procedures, protocols,
`
`and software and hardware systems to safeguard and protect Plaintiff’s and Class Members’ Private
`
`Information, and violating the common law alleged herein in the process. Plaintiff and Class Members
`
`reserve the right to allege other violations of law by Defendant constituting other unlawful business acts
`
`or practices. Defendant’s above-described wrongful actions, inaction, omissions, and want of ordinary
`
`care are ongoing and continue to this date.
`
`72.
`
`Defendant’s above-described wrongful actions, inaction, omissions, want of ordinary
`
`care, misrepresentations, practices, and non-disclosures also constitute “unfair or deceptive acts or
`
`practices” in violation of the CPA in that Defendant’s wrongful conduct is substantially injurious to other
`
`persons, had the capacity to injure other persons, and has the capacity to injure other persons.
`
`73.
`
`The gravity of Defendant’s wrongful conduct outweighs any alleged benefits attributable
`
`to such conduct. There were reasonably available alternatives to further Defendant’s legitimate business
`
`interests other than engaging in the above-described wrongful conduct.
`
`74.
`
`As a direct and proximate result of Defendant’s above-described wrongful actions,
`
`inaction, omissions, and want of ordinary care that directly and proximately caused the Cyber-Attack
`
`and its violations of the CPA, Plaintiff and Class Members have suffered, and will continue to suffer,
`
`economic damages and other injury and actual harm in the form of, inter alia, (1) an imminent, immediate
`
`and the continuing increased risk of identity theft, identity fraud—risks justifying expenditures for
`
`1 2 3 4 5 6 7 8 9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket