Case: 1:22-cv-05325 Document #: 1 Filed: 09/29/22 Page 1 of 30 PageID #:1

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS

JORGE NEWBERY and HOLLY RINGLING, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

SAMSUNG ELECTRONICS AMERICA, INC.,

Defendant.

Case No. 1:22-cv-5325

DEMAND FOR JURY TRIAL

CLASS ACTION COMPLAINT

Plaintiffs JORGE NEWBERY and HOLLY RINGLING (“Plaintiffs”), individually and on behalf of all others similarly situated, through their attorneys, bring this action against Defendant SAMSUNG ELECTRONICS AMERICA, INC (“Defendant” or “Samsung”), and allege upon personal knowledge as to their own actions and experiences, and upon investigation, information, and belief as to all other matters, as follows:

INTRODUCTION

1. This consumer data breach lawsuit arises out of Defendant’s failure to implement and maintain adequate security and safeguards with respect to its collection and maintenance of highly sensitive and confidential personal information of its customers, including name, contact and demographic information, date of birth, and product registration information. Defendant’s insufficient and unreasonable data security practices caused, facilitated, and exacerbated the data breach and its impact on Plaintiffs and Class members.

2. Samsung is a leader in the global market for high-tech computers and electronics manufacturing and digital media.

3. By Defendant’s own admission, in late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems (the “Data Breach”). According to Defendant, on or around August 4, 2022, Defendant determined through its ongoing investigation that personal information of its customers was affected. Although Defendant identified the incident as early as August 4, 2022, Defendant did not warn those most at risk––Plaintiffs and Class members, until September 2, 2022.

4. The Data Breach exposed Plaintiffs’ and Class members’ personally identifiable information to criminals, including, but not limited to, name, contact and demographic information, date of birth, and product registration information (“PII”).

5. The PII that unauthorized persons accessed on Defendant’s systems can be used by criminals alone, and in conjunction with other pieces of information, to perpetrate crimes against Plaintiffs and Class members that can result in significant liability and damage to their money, property, creditworthiness, reputation, and their ability to pay current loans, improve their credit, and/or obtain loans on favorable terms in the future.

6. Plaintiffs and Class members entrusted Defendant with their sensitive PII. Defendant understands the importance of protecting such information. For example, on its website, Defendant states “How We Protect Personal Information” and explains “We maintain safeguards designed to protect personal information we obtain through the Services.”1

1 See https://www.samsung.com/us/account/privacy-policy/ (last visited Sept. 21, 2022).

7. Defendant’s representations concerning privacy practices and data security were false. Defendant does not state the date that it began investigating the incident, only that on or around August 4, 2022, Defendant determined that its customers’ information was acquired in the Data Breach that occurred in late July 2022. Criminals breached Defendant’s inadequately defended systems, and accessed and acquired electronic files containing the PII of Plaintiffs and Class members. The criminals gained unauthorized access by thwarting, circumventing, and defeating Defendant’s unreasonably deficient data security measures and protocols. Defendant did not start notifying Plaintiffs and other Class members of the Data Breach until on or around September 2, 2022.

8. Plaintiffs, individually, and on behalf of all persons similarly situated, seek to be made whole for the losses incurred by Plaintiffs and other victims of the Data Breach, and the losses that will be incurred in the future. Plaintiffs also seek injunctive relief in the form of compliant data security practices, full disclosure regarding the disposition of the information in Defendant’s systems, and monitoring and audits of Defendant’s security practices going forward because Defendant continues to collect, maintain, and store Plaintiffs’ and Class members’ PII.

PARTIES, JURISDICTION, AND VENUE

9. Plaintiff Jorge Newbery resides in Barrington, Illinois and is a citizen of Illinois.

10. Plaintiff Holly Ringling resides in San Antonio, Texas and is a citizen of Texas.

11. Defendant is a New York corporation with its principal place of business in Ridgefield Park, New Jersey.

12. The Court has original jurisdiction under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d)(2), because this is a Class action involving 100 or more Class members and the amount in controversy exceeds $5,000,000, exclusive of interest and costs. Many members of the Class, including Plaintiffs, are citizens of different states from Defendant.

13. Venue is proper in this District under 28 U.S.C. §§ 1391(a)(2), 1391(b)(2), and 1391(c)(2), as a substantial part of the events giving rise to the claims emanated from activities within this District, and Defendant conducts substantial business in this District.

GENERAL ALLEGATIONS

The Data Breach

14. On or about September 2, 2022, Defendant provided notice to Plaintiffs and Class members (“Data Breach Notice”) via email and posted an “Important Notice Regarding Customer Information” on its website.2 In the Data Breach Notice, Defendant states that in late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems that contain the personal information of Plaintiffs and Class members. A true and correct copy of the Data Breach Notice sent to each Plaintiff is attached as Exhibit 1.

2 See https://www.samsung.com/us/support/securityresponsecenter/ (last visited Sept. 21, 2022).

15. The Data Breach Notice states that personal information pertaining to Plaintiffs and Class members was acquired by an unauthorized person in the Data Breach.

16. Defendant states that Plaintiffs’ and Class members’ information acquired in the Data Breach includes customer name, contact and demographic information, date of birth, and product registration information. See Exhibit 1.

17. Since discovering the Data Breach, Defendant states that “We have taken actions to secure the affected systems” and that “By working with industry - leading experts, we will further enhance the security of our systems - and your personal information.” See Exhibit 1. These are actions that should have been employed in the first place and they would have prevented or limited the impact of the Data Breach.

18. Defendant does not state when the Data Breach was first detected. See Exhibit 1. Defendant states that on or around August 4, 2022, Defendant determined through its “ongoing investigation that personal information of certain customers was affected.” Id. Defendant did not publicly announce the Data Breach or notify those whose PII was accessed by criminals in the Data Breach at that time.

19. On or around September 2, 2022—almost a month after learning that its customers’ information was acquired by criminals in the Data Breach—Defendant sent Data Breach Notices to Plaintiffs and other persons whose PII was accessed by the criminals.

20. In the Data Breach Notice, Defendant provided information to Plaintiffs and Class members about additional steps they can take to help protect themselves. Defendant provided the contact information of the three credit bureaus that Plaintiffs and Class members could contact to obtain a credit report to help them detect possible misuse of PII. See Exhibit 1.

21. Additionally, Defendant provides FAQs on its website and recommends that Plaintiffs and Class members (a) remain cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information; (b) avoid clicking on links or downloading attachments from suspicious emails; and (c) review your accounts for suspicious activity.3

3 See https://www.samsung.com/us/support/securityresponsecenter/ (last visited Sept. 21, 2022).

22. As a result of the Data Breach, Plaintiffs and Class members have been and must continue to be vigilant and review their credit reports for incidents of identity theft or fraud, and educate themselves about security freezes, fraud alerts, and other steps to protect themselves against identity theft.

Industry Standards for Data Security

23. Defendant is aware of the importance of safeguarding Plaintiffs’ and Class members’ PII, that by virtue of its business it places Plaintiffs’ and Class members’ PII at risk of being targeted by hackers.

24. Defendant is aware that the PII that it collects, organizes, and stores, can be used by criminals to engage in crimes such as identity fraud and theft using Plaintiffs’ and Class members’ PII.

25. Because of Defendant’s failure to implement, maintain, and comply with necessary cybersecurity requirements, Defendant was unable to protect Plaintiffs’ and Class members’ information and confidentiality, and protect against obvious and readily foreseeable threats to information security and confidentiality. As a proximate result of such failures, criminals gained unauthorized access to Defendant’s U.S. systems, and acquired Plaintiffs’ and Class members’ PII in the Data Breach without being stopped.

26. Only after the attack was completed did Defendant begin to undertake basic steps recognized in the industry to protect Plaintiffs’ and Class members’ PII.

27. Defendant was unable to prevent the Data Breach, and was unable to detect the unauthorized access to vast quantities of sensitive and protected files containing protected information of Plaintiffs and Class members. Discovery on Defendant, law enforcement investigators, and private investigators, will reveal more specific facts about Defendant’s deficient and unreasonable security procedures.

28. Security standards commonly accepted among businesses that store personal information using the Internet include, without limitation:

a) Maintaining a secure firewall configuration;

b) Monitoring for suspicious or irregular traffic to servers;

c) Monitoring for suspicious credentials used to access servers;

d) Monitoring for suspicious or irregular activity by known users;

e) Monitoring for suspicious or unknown users;

f) Monitoring for suspicious or irregular server requests;

g) Monitoring for server requests for personal information;

h) Monitoring for server requests from VPNs; and

i) Monitoring for server requests from Tor exit nodes.

29. The U.S. Federal Trade Commission (“FTC”) publishes guides for businesses for cybersecurity4 and protection of personal information5 which includes basic security standards applicable to all types of businesses.

4 See F.T.C., Start with Security: A Guide for Business, (June 2015), https://www.ftc.gov/business-guidance/resources/start-security-guide-business (last accessed Sept. 20, 2022).

5 See F.T.C., Protecting Personal Information: A Guide for Business, (Oct. 2016), https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last accessed Sept. 20, 2022).

30. The FTC recommends that businesses:

a) Identify all connections to the computers where you store sensitive information;

b) Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;

c) Do not store sensitive consumer data on any computer with an internet connection unless it is essential for conducting their business;

d) Scan computers on their network to identify and profile the operating system and open network services. If services are not needed, they should be disabled to prevent hacks or other potential security problems. For example, if email service or an internet connection is not necessary on a certain computer, a business should consider closing the ports to those services on that computer to prevent unauthorized access to that machine;

e) Pay particular attention to the security of their web applications—the software used to give information to visitors to their websites and to retrieve information from them. Web applications may be particularly vulnerable to a variety of hack attacks;

f) Use a firewall to protect their computers from hacker attacks while it is connected to a network, especially the internet;

g) Determine whether a border firewall should be installed where the business’s network connects to the internet. A border firewall separates the network from the internet and may prevent an attacker from gaining access to a computer on the network where sensitive information is stored. Set access controls—settings that determine which devices and traffic get through the firewall—to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, they should be reviewed periodically;

h) Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day; and

i) Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from their system to an unknown user. If large amounts of information are being transmitted from a business’ network, the transmission should be investigated to make sure it is authorized.

31. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer information, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.6

6 F.T.C., Privacy and Security Enforcement: Press Releases, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement (last accessed Sept. 20, 2022).

32. Because Defendant was entrusted with consumers’ PII, it had and has a duty to keep the PII secure.

33. Plaintiffs and Class members reasonably expect that when they provide their PII to a company, the company will safeguard their PII.

34. Despite Defendant’s obligations, Defendant failed to upgrade and maintain its data security systems in a meaningful way so as to prevent the Data Breach.

35. Specifically, in breach of its duties, Defendant failed to:

a) Replace email filtering tools, malware software, and Internet monitoring tools with more robust solutions that utilize artificial intelligence (“AI”) to detect and block known and newly introduced malware;

b) Block all inbound and outbound Internet, email, and network traffic to foreign countries;

c) Maintain a secure firewall configuration;

d) Monitor for suspicious or irregular traffic to servers;

e) Monitor for suspicious credentials used to access servers;

f) Monitor for suspicious or irregular activity by known users;

g) Monitor for suspicious or unknown users;

h) Monitor for suspicious or irregular server requests;

i) Monitor for server requests for personal information;

j) Monitor for server requests from VPNs;

k) Monitor for server requests from Tor exit nodes;

l) Identify all connections to the computers where Defendant stores sensitive information;

m) Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks;

n) Scan computers on Defendant’s network to identify and profile the operating system and open network services, and disable services that are not needed to prevent hacks or other potential security problems;

o) Pay particular attention to the security of Defendant’s web applications—the software used to give information to visitors to its websites and to retrieve information from them;

p) Use a firewall to protect Defendant’s computers from hacker attacks while they are connected to a network, especially the Internet;

q) Not store sensitive consumer data on any computer with an internet connection unless it is essential for conducting its business;

r) Determine whether a border firewall should be installed where the business’s network connects to the internet. A border firewall separates the network from the internet and may prevent an attacker from gaining access to a computer on the network where sensitive information is stored. Set access controls—settings that determine which devices and traffic get through the firewall—to allow only trusted devices with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, they should be reviewed periodically;

s) Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day; and

t) Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from their system to an unknown user. If large amounts of information are being transmitted from a business’ network, the transmission should be investigated to make sure it is authorized.

36. Had Defendant properly maintained its systems and adequately protected them, Defendant could have prevented the Data Breach.

Defendant Owed Duties to Plaintiffs and Class Members to Adequately Secure and Safeguard Their PII

37. Defendant is aware of the importance of security in maintaining personal information (particularly sensitive personal information), and the value consumers place on keeping their PII secure.

38. Defendant owes duties to Plaintiffs and the Class members to maintain adequate security and safeguards to protect the confidentiality of their PII.

39. Defendant owes a further duty to its customers to immediately and accurately notify them of a breach of its systems to protect them from identity theft and other misuse of their personal data and to take adequate measures to prevent further breaches.

The Categories of PII at Issue Here Are Valuable to Criminals

40. Businesses that solicit, aggregate, and store sensitive PII are likely to be targeted by cyber criminals.

41. The FTC has released its updated publication on protecting PII for businesses, which includes instructions on protecting PII, properly disposing of PII, understanding network vulnerabilities, implementing policies to correct security problems, using intrusion detection programs, monitoring data traffic, and having in place a response plan.

42. The FTC has, upon information and belief, brought enforcement actions against businesses for failing to protect PII. The FTC has done this by treating a failure to employ reasonable measures to protect against unauthorized access to PII as a violation of the FTC Act, 15 U.S.C. § 45.

43. General policy reasons support such an approach. A person whose personal information has been compromised may not see any signs of identity theft for years. According to a U.S. Government Accountability Office report:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.7

7 See https://www.gao.gov/assets/gao-07-737.pdf at 29 (last visited Sept. 20, 2022).

44. Companies recognize that PII is a valuable asset. Indeed, PII is a valuable commodity. A “cyber black-market” exists in which criminals openly post PII on a number of Internet websites. Plaintiffs’ and Class members’ personal data that was stolen has a high value on both legitimate and black markets.

45. At an FTC public workshop in 2001, then-Commissioner Orson Swindle described the value of a consumer’s personal information as follows:

The use of third party information from public records, information aggregators and even competitors for marketing has become a major facilitator of our retail economy. Even [Federal Reserve] Chairman [Alan] Greenspan suggested here some time ago that it’s something on the order of the life blood, the free flow of information.8

46. Individuals rightfully place a high value not only on their PII, but also on the privacy of that data. Researchers have already begun to shed light on how much individuals value their data privacy—and the amount is considerable.

47. Notably, one study on website privacy determined that U.S. consumers valued the restriction of improper access to their personal information—the very injury at issue here—between $11.33 and $16.58 per website.9 The study also determined that “[a]mong U.S. subjects, protection against errors, improper access, and secondary use of personal information is worth US$30.49 – 44.62.”10 This study was done in 2002. The sea-change in how pervasive the Internet is in everyday lives since then indicates that these values—when associated with the loss of PII to bad actors—would be exponentially higher today.

8 FEDERAL TRADE COMMISSION, The Information Marketplace: Merging and Exchanging Consumer Data, transcript, p. 8, available at http://www.ftc.gov/news-events/events-calendar/2001/03/information-marketplace-merging-exchanging-consumer-data (last visited Sept. 20, 2022).

9 Hann, Hui, et al, The Value of Online Information Privacy: Evidence from the USA and Singapore, at p. 17. Oct. 2002, available at https://www.comp.nus.edu.sg/~ipng/research/privacy.pdf (last visited Sept. 20, 2022).

10 Id.

48. Identity thieves may commit various types of crimes such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, and/or using the victim’s information to obtain a fraudulent tax refund or fraudulent unemployment benefits. The United States government and privacy experts acknowledge that it may take years for identity theft to come to light and be detected.

49. To date, Defendant has not offered Plaintiffs and Class members any compensation or relief as a result of the Data Breach.

50. The information Defendant allowed to be compromised and taken is of such that the harms to Plaintiffs and the Class will continue to grow, and Plaintiffs and Class members will continue to be at substantial risk for further imminent and future harm.

Damages from Data Breaches

51. According to Javelin Strategy & Research, in 2017 alone over 16.7 million individuals were affected by identity theft, causing $16.8 billion to be stolen.

52. Consumers place a high value not only on their personal information, but also on the privacy of that data. This is because identity theft causes “significant negative financial impact on victims” as well as severe distress and other strong emotions and physical reactions.

53. The United States Government Accountability Office explains that “[t]he term ‘identity theft’ is broad and encompasses many types of criminal activities, including fraud on existing accounts—such as unauthorized use of a stolen credit card number—or fraudulent creation of new accounts—such as using stolen data to open a credit card account in someone else’s name.” See In re Zappos.com, Inc., 888 F.3d 1020, 1024 (9th Cir. 2018). The GAO Report notes that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”

54. The FTC recommends that identity theft victims take several steps to protect their personal information after a data breach, including contacting one of the credit bureaus to place a fraud alert (consider an extended fraud alert that lasts for 7 years if someone steals their identity), reviewing their credit reports often, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit, and correcting their credit reports.

55. Identity thieves use stolen personal information for “various types of criminal activities, such as when personal and financial is used to commit fraud or other crimes,” including “credit card fraud, phone or utilities fraud, bank fraud and government fraud.” In re Zappos.com, Inc., 888 F.3d at 1024. The information exfiltrated in the Data Breach can also be used to commit identity theft by placing Plaintiffs and Class members at a higher risk of “phishing,” “vishing,” “smishing,” and “pharming,” which are ways for hackers to exploit information they already have to get even more personally identifying information through unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.

56. There may be a time lag between when harm occurs versus when it is discovered, and also between when personal information is stolen and when it is used. According to the U.S. Government Accountability Office, which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

See GAO Report, at p. 29.

57. Personal information is such a valuable commodity to identity thieves that once the information has been compromised, criminals often trade the information on the “cyber blackmarket” for years.

58. Thus, there is a strong probability that entire batches of stolen information have been dumped on the black market, or are yet to be dumped on the black market, meaning Plaintiffs and Class members are at an increased risk of fraud and identity theft for many years into the future.

59. Data breaches are preventable. As Lucy Thompson wrote in the DATA BREACH AND ENCRYPTION HANDBOOK, “In almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security solutions.” She added that “[o]rganizations that collect, use, store, and share sensitive personal data must accept responsibility for protecting the information and ensuring that it is not compromised . . . .”

60. “Most of the reported data breaches are a result of lax security and the failure to create or enforce appropriate security policies, rules, and procedures. . . . Appropriate information security controls, including encryption, must be implemented and enforced in a rigorous and disciplined manner so that a data breach never occurs.”

61. Indeed, here Defendant took actions to secure the affected systems after the Data Breach, but should have implemented those actions previously to prevent the Data Breach.

62. The types of information Defendant acknowledges were stolen by the criminals are sufficiently sensitive and valuable to identity thieves and criminals in perpetrating identity crimes. This information can be used to perpetrate scams, victimize the persons who own the information, and commit identity theft and fraud. With a person’s name, address and birth date in hand, scammers may be able to buy the person’s Social Security number on websites that normally sell them to businesses conducting background checks.11 If they cannot, just by knowing your birth date and hometown, scammers can often guess most, if not all, the digits of your Social Security number.12

11 See https://www.aarp.org/money/scams-fraud/info-2014/protect-these-numbers-from-scammers.html (last visited Sept. 21, 2022).

12 Id.

63. Criminals can use PII to devise and employ phishing and social engineering schemes capitalizing on the genuine information stolen from Defendant to send fraudulent mail and other communications to Plaintiffs and Class members that look authentic, but which are designed to lure them into paying money or providing other information that the criminals can use to steal money.

Plaintiffs Received Defendant’s Data Breach Notification Letter

64. In or about April 2019, Plaintiff Ringling purchased two Samsung mobile phones from a Boost Mobile store. Her phones were registered with Samsung by Boost Mobile using her personal information.

65. On September 2, 2022, Plaintiff Ringling received an email from Samsung notifying her of the Data Breach. See Exhibit 1. Plaintiff Ringling has Experian credit monitoring. Due to the Data Breach, Plaintiff Ringling plans to renew her Experian credit monitoring.

66. On or about December 2016, Plaintiff Newbery purchased a Samsung mobile phone from a Verizon store. His phone was registered with Samsung by Verizon using his personal information.

67. On September 2, 2022, Plaintiff Newbery received an email from Samsung notifying him of the Data Breach. See Exhibit 1. Prior to receiving the Data Breach Notice, Plaintiff Newbery subscribed to a Silver membership with DebtCleanse on a month-to-month basis. After receiving the Data Breach Notice, Plaintiff Newbery upgraded his DebtCleanse monthly membership to a Gold membership to add Identity Theft Protection and Dark Web Monitoring. Plaintiff Newbery plans on renewing his DebtCleanse Gold membership due to the Data Breach.

68. Plaintiffs and Class members provided Defendant with significant personal info
