Case 2:20-cv-14319-DMM Document 1 Entered on FLSD Docket 09/11/2020

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF FLORIDA

PAM ARTHUR and DOROTHY KAMM on behalf of themselves and all others similarly situated,

Plaintiffs,

v.

BLACKBAUD, INC.,

Defendant.

CLASS ACTION COMPLAINT

CIVIL ACTION NO.:

1. Plaintiffs, Pam Arthur and Dorothy Kamm, individually and on behalf of all others similarly situated, bring this action against Defendant Blackbaud, Inc. (“Blackbaud” or “Defendant”) to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record.

NATURE OF THE ACTION

2. This class action arises out of the May of 2020 ransomware attack and data breach (“Data Breach”) of several schools, healthcare, non-profit companies, and other organizations (collectively “Clients”) whose data and servers were managed, maintained, and secured by Blackbaud. The Clients’ data and servers contained identifying, sensitive, and personal data from students, patients, donors, and other individual users, including Plaintiffs’. As a result of the Data Breach, Plaintiffs and thousands of other Class Member users suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack. Additionally, Plaintiffs and Class Members’ sensitive personal information—which was entrusted to Defendant, its officials and agents—was compromised and unlawfully accessed due to the Data Breach. Information compromised in the Data Breach included a copy of a subset of information retained by Blackbaud, including name(s), addresses, phone numbers, and other personal information. True and accurate copies of the notices of data breach mailed to Plaintiffs (“Notice”) are attached hereto, and Defendant’s exemplar Notice is available on its website.1 Contrary to the representations in the Notice regarding the type of accessed information, it is believed, based on statements by Defendant’s Clients directing Class Members to monitor suspicious activity of their credit and accounts, that Social Security Numbers, credit card numbers, bank account numbers, and additional personally identifiable information (collectively “Private Information”) may also have been compromised.

3. Plaintiffs bring this class action lawsuit on behalf of themselves and those similarly situated, in order to, (1) address Defendant’s inadequate safeguarding of Class Members’ Private Information, which Defendant managed, maintained, and secured; (2) for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information had been subject to the unauthorized access of an unknown third-party; (3) for failing to identify all information that was accessed; and (4) for failing to provide Plaintiffs and Class Members with any redress for the Data Breach.

4. Defendant maintained and secured the Private Information in a reckless manner, including, inter alia, failing to safeguard against ransomware attacks. In particular, the Private Information was maintained on Defendant’s computer network in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiffs and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.

1 https://www.blackbaud.com/securityincident (Last Accessed August 12, 2020).

5. In addition, Defendant and their employees failed to properly monitor the computer network and systems that housed the Private Information; failed to implement appropriate policies to ensure secure communications; and failed to properly train employees regarding ransomware attacks. Had Defendant properly monitored their network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether. In fact, Blackbaud has announced it has “already implemented changes to prevent this specific issue from happening again.”2 In other words, had these changes been in place previously, this incident would not have happened and Plaintiffs and Class Members’ Private Information would not have been accessed.

6. Plaintiffs and Class Members’ identities and Private Information are now at risk because of Defendant’s negligent conduct as the Private Information that Defendant collected and maintained was in the hands of data thieves. Defendant cannot reasonably maintain that the data thieves destroyed the subset copy simply because Defendant paid the ransom and the data thieves confirmed the copy was destroyed. In fact, the notices advise the affected individuals to monitor their own credit, suspicious account activity, and notify the school or non-profit of suspicious activity related to his or her credit. Despite this, Defendant has not offered any manner of redress, including, inter alia, credit monitoring.

2 https://www.blackbaud.com/securityincident (Last Accessed August 12, 2020).

7. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in class members’ names, taking out loans in class members’ names, using Plaintiffs and Class Members’ names to obtain medical services, using class members’ information to obtain government benefits, filing fraudulent tax returns using class members’ information, obtaining driver’s licenses in class members’ names, but with another person’s photograph, and giving false information to police during an arrest.

8. As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members, at their own cost, must now and in the future closely monitor their financial accounts to guard against identity theft.

9. Consequently, Plaintiffs and Class Members will also incur out of pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

10. By their Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly-situated individuals, whose Private Information was accessed during the Data Breach.

11. Plaintiffs seek remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

12. Accordingly, Plaintiffs bring this action against Defendant seeking redress for their unlawful conduct, and asserting claims for: (i) negligence, (ii) violation of privacy, (iii) negligence per se, (iv) breach of express contract, and (v) breach of implied contract.

PARTIES

13. Plaintiff Pam Arthur is a resident and citizen of Stuart, Martin County, Florida.

14. Plaintiff Dorothy Kamm is a resident and citizen of Port St. Lucie, St. Lucie County, Florida.

15. Defendant Blackbaud is a Delaware corporation with its principal place of business located on Daniel Island, Charleston County, South Carolina.

16. Defendant manages, maintains, and provides cybersecurity for the data obtained by its clients who are, inter alia, schools and non-profit companies, including Bread for the World and Planned Parenthood, which maintained Plaintiffs’ Private Information.

JURISDICTION AND VENUE

17. This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1332(d)(2)(A), as modified by the Class Action Fairness Act of 2005, because at least one member of the Class, as defined below, is a citizen of a different state than Defendant, there are more than 100 members of the Class, and the aggregate amount in controversy exceeds $5,000,000 exclusive of interest and costs.

18. This Court has personal jurisdiction over this action because Defendant holds its principal place of business in this District, has sufficient minimum contacts with this District, and has purposefully availed itself of the privilege of doing business in this District such that it could reasonably foresee litigation being brought in this District.

19. Venue is proper in this District under 28 U.S.C. § 1391(b)(2) because a substantial part of the events or omissions giving rise to the claim occurred in this District.

DEFENDANT’S BUSINESS

20. Since originally incorporating in New York in 1982,3 Blackbaud has become “the world’s leading cloud software company powering social good.” This includes providing its clients with “cloud software, services, expertise, and data intelligence…” It is a publicly traded company with clients that include “nonprofits, foundations, corporations, education institutions, healthcare institutions, and the individual change agents who support them.”4

21. In 2019, Blackbaud reported that it had “45,000 customers located in over 100 countries,” with a “total addressable market (TAM)… greater than $10 billion.”5

22. In the ordinary course of doing business with Defendant’s clients, individuals are regularly required to provide Defendant’s clients with sensitive, personal and private information that is then stored, maintained, and secured by Defendant. This information includes or may include:

• Name, address, phone number and email address;

• Date of birth;

• Demographic information;

• Social Security numbers;

• Credit card account numbers;

• Bank account numbers;

• Educational history;

• Healthcare information;

• Insurance information and coverage;

• Photo identification;

• Employer information;

• Donor contribution information; and

• Other information that may be deemed necessary to provide care.

3 https://investor.blackbaud.com/static-files/9cd70119-4e13-4d47-b068-3c228c580417 (Last Accessed August 12, 2020).
4 https://www.blackbaud.com/company (Last Accessed August 12, 2020).
5 https://investor.blackbaud.com/static-files/9cd70119-4e13-4d47-b068-3c228c580417 (Last Accessed August 12, 2020).

23. In its 2019 Annual Report, Blackbaud specifically addressed its known susceptibility to cyberattacks. Specifically the report states,

If the security of our software is breached, we fail to securely collect, store and transmit customer information, or we fail to safeguard confidential donor data, we could be exposed to liability, litigation, penalties and remedial costs and our reputation and business could suffer.

Fundamental to the use of our solutions is the secure collection, storage and transmission of confidential donor and end user data and transaction data, including in our payment services. Despite the network and application security, internal control measures, and physical security procedures we employ to safeguard our systems, we may still be vulnerable to a security breach, intrusion, loss or theft of confidential donor data and transaction data, which may harm our business, reputation and future financial results. [Emphasis Added].

Like many major businesses, we are, from time to time, a target of cyber-attacks and phishing schemes, and we expect these threats to continue. Because of the numerous and evolving cybersecurity threats, including advanced and persistent cyber-attacks, phishing and social engineering schemes, used to obtain unauthorized access, disable or degrade systems have become increasingly more complex and sophisticated and may be difficult to detect for periods of time, we may not anticipate these acts or respond adequately or timely... [Emphasis Added]…

Further, the existence of vulnerabilities, even if they do not result in a security breach, may harm client confidence and require substantial resources to address, and we may not be able to discover or remedy such security vulnerabilities before they are exploited, which may harm our business, reputation and future financial results.6

24. Because of the highly sensitive and personal nature of the information Defendant maintains, manages, and secures with respect to its clients and their users, Defendant has acknowledged to their clients and users that this information will be comprehensively secured.

25. Blackbaud’s Privacy Policy North America (“Privacy Policy”) expressly applies as follows:

At Blackbaud, we are committed to protecting your privacy. This Policy applies to Blackbaud’s collection and use of personal data in connection with our marketing and provision of the Blackbaud Solutions, customer support and other services (collectively, the “Services”), for example if you are a customer, visit the website, interact with us at industry conferences, or work for a current or prospective customer of the Services.

If you’re a constituent, supporter, patient or student of one of our customers, to which we provide the Services, your data will be used in accordance with that customer’s privacy policy. In providing the Services, Blackbaud acts as a service provider and thus, this Policy will not apply to constituents of our customers.7

26. With regard to securing its constituents, supporters, patients or students of one of Defendant’s customers, Defendant further represents with regard to the security of personal information:

We restrict access to personal information collected about you at our website to our employees, our affiliates’ employees, those who are otherwise specified in this Policy or others who need to know that information to provide the Services to you or in the course of conducting our business operations or activities. While no website can guarantee exhaustive security, we maintain appropriate physical, electronic and procedural safeguards to protect your personal information collected via the website. We protect our databases with various physical, technical and procedural measures and we restrict access to your information by unauthorized persons.

We also advise all Blackbaud employees about their responsibility to protect customer data and we provide them with appropriate guidelines for adhering to our company’s business ethics standards and confidentiality policies. Inside Blackbaud, data is stored in password-controlled servers with limited access.8

6 https://investor.blackbaud.com/static-files/9cd70119-4e13-4d47-b068-3c228c580417 (Last Accessed August 10, 2020).
7 https://www.blackbaud.com/company/privacy-policy/north-america (Last Accessed August 12, 2020).

27. Blackbaud has made additional commitments to the maintenance of students’ private information. In April of 2015 with regard to its K-12 school providers, Defendant signed a pledge to respect student data privacy to safeguard student information. The Student Privacy Pledge, developed by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA), was created to “safeguard student privacy in the collection, maintenance and use of personal information.”9

28. In signing the Student Privacy Pledge, Blackbaud specifically represented to students and parents of its K-12 school providers that it would, inter alia, (1) “[m]aintain a comprehensive security program:” and (2) “[b]e transparent about collection and use of student data.”10

29. In further support of this representation and promise to student and parent users, Travis Warrant, president of Blackbaud’s K-12 Private Schools Group, stated:

“Blackbaud is committed to protecting sensitive student data and security… The Pledge will better inform our customers, service providers and the general public of our dedication to protecting student privacy.” The Pledge details ongoing industry practices that meet (and in some cases, exceed) all federal requirements, and encourages service providers to more clearly articulate their data privacy practices.11

8 Id.
9 https://www.blackbaud.com/home/2015/04/22/blackbaud-signs-pledge-to-respect-student-data-privacy (Last Accessed August 12, 2020).
10 Id.
11 Id.

30. Despite such representations and promises, Defendant failed to adequately secure and protect numerous K-12 providers and thousands of students’ Private Information, by allowing the Private Information to be copied and potentially used or sold at a later date.

31. Further, due to the Health Information Portability and Accountability Act (HIPAA), Defendant had additional obligations to secure patient users’ information for healthcare Clients.

32. Defendant has further failed Plaintiffs and Class Members by failing to adequately secure and protect their Private Information, by allowing the Private Information to be copied and potentially used or sold at a later date.

33. Defendant further failed Plaintiffs and Class Members by failing to adequately notify them of the ransomware attack or provide any remedy other than late notice.

THE CYBERATTACK AND DATA BREACH

34. Prior to the ransomware attack, clients, constituents, supporters, patients, and students provided sensitive and identifying Private Information to Blackbaud as part of, inter alia, seeking education from K-12 school providers and universities; seeking healthcare from healthcare providers; making donations to non-profit companies; and in other ways seeking services through Blackbaud’s clients. When providing such information, these individuals had the expectation that Defendant, as the manager and securer of this Private Information, would maintain security against hackers and cyberattacks.

35. Defendant maintained Plaintiffs and Class Members’ Private Information on a shared network, server, and/or software. Despite its own awareness of steady increases of cyberattacks on health care, schools, and other facilities over the course of recent years, Defendant did not maintain adequate security of Plaintiffs and Class Members’ data, to protect against hackers and cyberattacks.

36. According to its own statements, in May of 2020, Defendant discovered a ransomware attack that attempted to “disrupt business by locking companies out of their own data and servers.”12 According to Defendant’s statements:

After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly… The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.13

37. Upon information and belief, the ransomware attack began in February of 2020 and continued for approximately three months until it was stopped in May of 2020.

38. Although Defendant claims that social security numbers, credit card information, or bank account information was not accessed, the Notice advises individuals whose Private Information was accessed to, inter alia, “be on alert for any suspicious activity or attempts at identity theft…” Exhibit A.

12 https://www.blackbaud.com/securityincident (Last Accessed August 12, 2020).
13 Id.

39. Defendant did not have a sufficient process or policies in place to prevent such cyberattack, which is evident by its own statements that it has “already implemented changes to prevent this specific issue from happening again.”14

40. The acknowledged types of data which “may” have been exposed included “name, postal address, email address, phone number, and demographic data…” Exhibit A.

41. Defendant cannot reasonably rely on the word of data thieves or “certificate of destruction” issued by those same thieves, that the copied subset of any Private Information was destroyed. Further, upon information and belief, Defendant cannot be assured that Social Security numbers, Bank Account numbers, and Credit Card numbers were not also accessed and retained by the data thieves, or else it would not have advised its clients to advise affected individuals to monitor accounts for suspicious activity. Despite such advice, Defendant has failed to offer its clients or their users any remedy, including credit monitoring.

42. Despite having knowledge of the attack since at least May of 2020, Defendant did not notify its affected clients until July or August of 2020 of the potentially compromised data. See Exhibit B (“Blackbaud discovered and contained this attack in May of this year. Unfortunately, the company did not notify its clients - including Planned Parenthood - until mid-July. To say the least, we find this delay unacceptable, and we are extremely dissatisfied with Blackbaud's lack of transparency around this incident”).

43. Defendant had obligations created by federal law, contracts, industry standards, common law, and privacy representations made to Plaintiffs and Class Members, to keep their Private Information confidential and to protect it from unauthorized access and disclosure.

44. As noted by Planned Parenthood in its Notice:

Planned Parenthood's service agreements with Blackbaud require them to employ stringent security measures to protect the data of our supporters, and this breach has violated those agreements. We are conducting a close investigation to fully understand what measures Blackbaud is taking to remediate this situation and prevent further incidents. Exhibit B.

14 https://www.blackbaud.com/securityincident (Last Accessed August 12, 2020).

45. Plaintiffs and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with their obligations to keep such information confidential and secure from unauthorized access.

46. Defendant’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in its clients’ various industries preceding the date of the breach.

47. Indeed, cyberattacks have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack.15

48. The increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including by Defendant’s own admissions in its 2019 Annual Report.

49. Defendant breached its obligations to Plaintiffs and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard Defendant’s computer systems and data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. Failing to adequately protect patients’ Private Information;

c. Failing to properly monitor their own data security systems for existing intrusions;

d. Failing to timely notify its Clients, Plaintiffs, and Class Members of the data breach; and

e. In other such ways to be discovered.

50. As the result of Defendant’s failure to take certain measures to prevent the attack until after the attack occurred, Defendant negligently and unlawfully failed to safeguard Plaintiffs and Class Members’ Private Information.

51. Accordingly, as outlined below, Plaintiffs and Class Members’ daily lives were severely disrupted. Now Plaintiffs and Class Members face an increased risk of fraud and identity theft.

15 https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware (emphasis added) (Last Accessed August 12, 2020).

CYBERATTACKS AND DATA BREACHES CAUSE DISRUPTION AND PUT CONSUMERS AT AN INCREASED RISK OF FRAUD AND IDENTITY THEFT

52. Cyberattacks and data breaches of medical facilities, schools, and non-profit entities are especially problematic because of the disruption they cause to the overall daily lives of patients, students, donors, and other individuals affected by the attack.

53. The United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) finding that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”16

54. The FTC recommends that identity theft victims take several steps to protect their personal and financial information after a data breach, including contacting one of the credit bureaus to place a fraud alert (consider an extended fraud alert that lasts for seven years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit, and correcting their credit reports.17

16 See “Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown,” p. 2, U.S. Government Accountability Office, June 2007, https://www.gao.gov/new.items/d07737.pdf (last visited Apr. 12, 2019) (“GAO Report”).

55. Identity thieves use stolen Private Information such as Social Security numbers for a variety of crimes, including credit card fraud, phone or utilities fraud, and bank/finance fraud.

56. Identity thieves can also use Social Security numbers to obtain a driver’s license or official identification card in the victim’s name, but with the thief’s picture; use the victim’s name and Social Security number to obtain government benefits; or file a fraudulent tax return using the victim’s information. In addition, identity thieves may obtain a job using the victim’s Social Security number, rent a house or receive medical services in the victim’s name, and may even give the victim’s personal information to police during an arrest resulting in an arrest warrant being issued in the victim’s name. A study by Identity Theft Resource Center shows the multitude of harms caused by fraudulent use of personal and financial information:18

[GRAPHIC ON FOLLOWING PAGE]

17 See https://www.identitytheft.gov/Steps (last visited April 12, 2019).
18 “Credit Card and ID Theft Statistics” by Jason Steele, 10/24/2017, at: https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php (last visited August 12, 2020).

57. Private Information is a valuable property right.19 Its value is axiomatic, considering the value of Big Data in corporate America and that the consequences of cyber thefts include heavy prison sentences. This obvious risk to reward analysis illustrates that Private Information has considerable market value.

58. It must also be noted there may be a substantial time lag -- measured in years -- between when harm occurs versus when it is discovered, and also between when Private Information and/or financial information is stolen and when it is used. According to the U.S. Government Accountability Office, which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

See GAO Report, at p. 29.

19 See, e.g., John T. Soma, et al, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value" of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4 (2009) (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”) (citations omitted).

59. Private Information and financial information are such valuable commodities to identity thieves that once the information has been compromised, criminals often trade the information on the “cyber black-market” for years.

60. There is a strong probability that entire batches of stolen information have been dumped on the black market and are yet to be dumped on the black market, meaning Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future. Thus, as the Notice advises, Plaintiffs and Class Members must vigilantly monitor their financial and medical accounts for many years to come. See Exhibit A.

PLAINTIFFS AND CLASS MEMBERS’ DAMAGE