`
`IN THE UNITED STATES DISTRICT COURT
`FOR DISTRICT OF MARYLAND
`SOUTHERN DIVISION
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`HADONA DIEP
`18013 Foxworth Court
`Gaithersburg, MD 20874
`
`
`
`Individually, and on behalf of
` similarly-situated persons,
`as Plaintiff,
`
`v.
`
`APPLE, INC.,
`One Apple Park Way
`Cupertino, CA 95014
`
`Case No. 21-2359
`
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
` )
`
`
`Defendant.
`
`
`
` )
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`CLASS ACTION COMPLAINT
`
`Plaintiff Hadona Diep, by and through undersigned counsel, and on her own
`
`behalf and on behalf of those similarly situation, for her Class Action Complaint against
`
`Apple, Inc., seeking damages, hereby alleges as follows:
`
`NATURE OF THE CASE
`
`1.
`
`This action is a class-action suit for damages under the federal and state
`
`laws of the United States, seeking legal remedy for the Defendant's breaches of those
`
`same laws, in participating in and or allowing “hacking” and “breach” of financial
`
`account information and actual theft of personal financial assets, by authorizing a
`
`malicious application in the “App Store” and maintaining the same, despite knowledge of
`
`the criminal activity, and the Defendant's further failures to notify Plaintiff and the Class
`
`Members that their financial information had been compromised.
`
`PARTIES
`
`1
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 2 of 24
`
`2.
`
`3.
`
`4.
`
`Plaintiff Hadona Diep is a resident of the State of Maryland.
`
`Defendant Apple, Inc. is a corporation of the State of California.
`
`JURISDICTION AND VENUE
`
`Jurisdiction is proper in the Court as the Plaintiff brings Federal causes of
`
`action pursuant to 18 U.S.C. § 1030(g) and 47 U.S.C. § 230(e)(4). This Court has
`
`supplemental jurisdiction over the State law claims pursuant to 28 U.S.C. § 1367.
`
`5.
`
`Jurisdiction is further proper under the Class Action Fairness Act of 2005,
`
`28 U.S.C. § 1332(d), because, on information and belief, the proposed Class(es) consists
`
`of 100 or more members; the amount in controversy exceeds $5,000,000, exclusive of
`
`costs and interest; and minimal diversity exists.
`
`6.
`
`This Court may exercise personal jurisdiction over the Defendant, who
`
`has availed itself of the jurisdiction of this Court through acts and omissions, including
`
`but not limited to, advertising its services in this District, selling products and services to
`
`consumers in this District, and by otherwise conducting business in this District.
`
`7.
`
`Venue is proper in this forum pursuant to 28 U.S.C. § 1391(b), as the
`
`Plaintiff resides in this judicial district and/or a substantial part of the acts or omissions
`
`giving rise to the claims herein occurred in the same.
`
`GENERAL ALLEGATIONS
`
`Plaintiff uses a computer in interstate commerce.
`
`Plaintiff makes her living as a full-time cyber-security IT professional.
`
`8.
`
`9.
`
`10.
`
`Apple, Inc. (“Apple”) is the largest, or at least one of the largest, mobile
`
`and tablet application providers in the world, through its universally-known “App Store.”
`
`11.
`
`Apple itself describes the App Store to consumers as, for over a decade,
`
`having
`
`2
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 3 of 24
`
`proved to be a safe and trusted place to discover and download
`
`apps. But the App Store is more than just a storefront — it’s an
`
`innovative destination focused on bringing you amazing
`
`experiences. And a big part of those experiences is ensuring that
`
`the apps we offer are held to the highest standards for privacy,
`
`security, and content. Because we offer nearly two million apps —
`
`and we want you to feel good about using every single one of
`
`them.1
`
`12.
`
`Apple controls what applications may be sold or provided to consumers
`
`through the App Store by a rigorous vetting process that involves provision of the
`
`proposed application's purpose and a copy of the application itself and any relevant
`
`source code, users' guides, and software documentation.2
`
`13.
`
`Apple customers in fact have no other practical or convenient manner in
`
`which to download applications for their iPhones or iPads, as Apple maintains rigorous
`
`control over applications that can be placed on their devices.3
`
`14.
`
`The monopolistic App Store therefore generates tens of billions in dollars
`
`of revenue per year for Apple, through Apple's charging of a 70/30 percent split on all
`
`revenue generated through applications downloaded through the App Store, whether
`
`through fees for downloads, subscriptions, in-app purchases, or service fees.4
`
`1 https://www.apple.com/app-store/ (last accessed September 3, 2021 at 5:31PM).
`2 See, e.g., https://developer.apple.com/app-store/review/guidelines/#business (last accessed September 3,
`2021, at 1:27PM EST).
`3 See, e.g., https://www.lifewire.com/get-apps-not-in-app-store-1999916 (last accessed September 3, 2021,
`at 5:31PM).
`4 See, e.g., https://www.cnbc.com/2021/01/08/apples-app-store-had-gross-sales-around-64-billion-in-
`2020.html (last accessed September 3, 2021, at 5:34PM); https://www.marketwatch.com/story/how-
`profitable-is-apples-app-store-even-a-landmark-antitrust-trial-couldnt-tell-us-11622224506; (last accessed
`September 3, 2021, at 5:35PM); https://www.theverge.com/2019/3/20/18273179/apple-icloud-itunes-app-
`store-music-services-businesses (last accessed September 3, 2021, at 5:33PM).
`
`3
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 4 of 24
`
`15.
`
`Furthermore, even when Apple does not directly profit from an
`
`application downloaded from the App Store, drawing consumers to its selling forum, as
`
`opposed to other fora, has considerable business advantage to Apple, as it dissuades
`
`consumers from using other devices.
`
`16.
`
`Because Plaintiff knew, or at least thought she knew, that Apple
`
`thoroughly vets applications before it allowed them on the App Store, Plaintiff
`
`downloaded the application known as Toast Plus from the Apple App Store on or about
`
`March of 2020 onto her iPhone.
`
`17.
`
`Plaintiff believed that Toast Plus was a version of Toast Wallet, a well-
`
`known cryptocurrency wallet, as the names were similar and the logo used for the
`
`application in the App Store was the same or nearly identical.
`
`18.
`
`On or about January 2, 2018, Plaintiff caused approximately 474 Ripple
`
`(“XRP”) cryptocurrency coins to be transferred from the Bittrex cryptocurrency
`
`exchange to a secure cryptocurrency wallet, called Rippex.
`
`19.
`
`Rippex shut down February 2nd, 2018; however, Plaintiff could still
`
`access her coins from any secure wallet. Plaintiff thereafter linked her private XRP key,
`
`or a seed phrase, into Toast Plus in March of 2021.
`
`20.
`
`As Plaintiff intended to hold the XRP as an investment and not to actively
`
`trade it, she did not check the Toast Wallet Plus application after entering her seed phrase
`
`into it.
`
`21.
`
`In August of 2021, Plaintiff checked her account on Toast Plus, and
`
`discovered that not only did she have no XRP in the Wallet, her account was "deleted" on
`
`March 3, 2021.
`
`4
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 5 of 24
`
`22.
`
`Plaintiff thereupon began investigating the matter, and discovered that
`
`Toast Plus was not in fact a version of the legitimate Toast Wallet application, but was
`
`instead a “spoofing” or “phishing” program created for the sole purpose of stealing
`
`cryptocurrency, by obtaining consumers' cryptocurrency account information and
`
`thereafter routing the same to the hackers' personal accounts.
`
`23.
`
`Plaintiff took the following steps to investigate the theft of her property:
`
`contacting or attempting to contact Toast Plus; investigating Toast Plus through online
`
`resources; contacting Apple; contacting the Federal Trade Commission and the Federal
`
`Bureau of Investigations; and identifying co-conspirators involved in the fraudulent acts
`
`through online research.
`
`24.
`
`While the App Store does have terms and conditions, including limitations
`
`on liability, those terms and conditions are the product of adhesion, in that consumers
`
`have no other practical ability to access applications for the iPhones and iPads if they do
`
`not use the App Store; those terms and conditions are therefore not applicable to this
`
`case.
`
`25.
`
`Plaintiff has no power to negotiate any terms whatsoever and no other
`
`source from which to get applications for her Apple products, and or many of the terms
`
`of which are unenforceable as being in violation of public policy.
`
`26.
`
`Furthermore, those contractual terms are expressly exempted when there
`
`are State laws that either forbid such contractual terms or legislation that otherwise
`
`controls the subject matter.
`
`27.
`
`Furthermore, the fact that Toast Plus was not an actual application, but
`
`instead a medium for the commission of fraud, makes any existing contract using it as
`
`5
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 6 of 24
`
`subject matter void, as there was a failure of consideration and or mistake of the same, as
`
`what was requested by Plaintiff and Class Members was not provided by Defendant.
`
`CLASS ACTION ALLEGATIONS
`
`28.
`
`Plaintiff brings this action on behalf of herself and as a class action,
`
`pursuant to the provisions of Federal Rules of Civil Procedure Rules 23(a), (b)(2), and
`
`(b)(3), on behalf of the classes identified herein:
`
`The National Class
`
`All United States persons who downloaded or otherwise used
`
`Toast Plus from the Apple Store within the relevant statutory
`
`period and suffered actual loss of cryptocurrency as a result,
`
`regardless of the amount of lost cryptocurrency.
`
`The Maryland Class
`
`All Maryland residents who downloaded or otherwise used Toast
`
`Plus from the Apple Store within the relevant statutory period and
`
`suffered actual loss of cryptocurrency as a result, regardless of the
`
`amount of lost cryptocurrency.
`
`29.
`
`Excluded from the Class are Defendant and its subsidiaries and related
`
`entities; all persons who make a timely election to be excluded from the Class;
`
`governmental entities; and any judge to whom this case is assigned and his/her
`
`immediate family. Plaintiff reserves the right to revise the Class definition based upon
`
`information learned through discovery.
`
`30.
`
`Certification of Plaintiff’s claims for class-wide treatment is appropriate
`
`because Plaintiff can prove the elements of her claims on a class-wide basis using the
`
`6
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 7 of 24
`
`same evidence as would be used to prove those elements in individual actions alleging
`
`the same claim.
`
`31.
`
`This action has been brought and may be properly maintained on behalf of
`
`the Class proposed herein under Federal Rule of Civil Procedure 23 for the following
`
`reasons:
`
`Numerosity
`
`32.
`
`Pursuant to Federal Rule of Civil Procedure 23(a)(1), the members of the
`
`Classes are so numerous and geographically dispersed that individual joinder of all Class
`
`members is impracticable. While Plaintiff is informed and believes that there are at least
`
`hundreds or thousands of members of the Class, the precise number of Class members in
`
`Maryland and Nationwide is unknown to Plaintiff, but may be ascertained from
`
`Defendant's books and records. Class members may effectively and efficiently be
`
`notified of the pendency of this action by recognized, Court-approved dissemination
`
`methods, which may include U.S. mail, electronic mail, Internet postings, and/or
`
`publication.
`
`Commonality and Predominance
`
`33.
`
`Pursuant to Federal Rule of Civil Procedure 23(a)(2) and 23(b)(3), this
`
`action involves common questions of law and fact, which predominate over any
`
`questions affecting individual Class members, including, without limitation:
`
`a. Whether Defendant engaged in the conduct alleged herein;
`
`b. Whether Defendant's conduct constituted violations of federal and state
`
`computer fraud, wiretap, data privacy, consumer protection, contract, and tort law;
`
`7
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 8 of 24
`
`c. Whether Plaintiff and the other Class members are entitled to damages and
`
`other monetary relief and, if so, in what amount.
`
`Typicality
`
`34.
`
`Plaintiff’s claims are typical of the other Class members’ claims because,
`
`among other things, all Class members were comparably injured through Defendants’
`
`wrongful conduct as described above.
`
`Adequacy
`
`35.
`
`Plaintiff is an adequate Class representative because her interests do not
`
`conflict with the interests of the other members of the Classes she seeks to represent;
`
`Plaintiff has retained experienced counsel competent in complex multi-party and class
`
`action litigation, and Plaintiff intends to prosecute this action vigorously. The Classes’
`
`interests will be fairly and adequately protected by Plaintiff and her counsel.
`
`Superiority
`
`36.
`
`It is well-recognized that class action litigation is superior to any other
`
`available means for the fair and efficient adjudication of this controversy, and no unusual
`
`difficulties are likely to be encountered in the management of this action as a class action.
`
`The damages suffered by Plaintiff and the other Class members are relatively small
`
`compared to the burden and expense that would be required to individually litigate their
`
`claims against Defendant, so it would be impracticable for members of the proposed
`
`Maryland and National Classes to individually seek redress from the courts. Even if the
`
`individual Class members could afford to undertake individual litigation, such individual
`
`claims would overwhelm the court system should they do so. Furthermore, individual
`
`litigation creates potential for inconsistent or contradictory judgments, and increases
`
`8
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 9 of 24
`
`delay and expense to the parties and to the court system. A class action in this matter
`
`would present fewer administrative difficulties, would be more efficient, and would
`
`enhance the interests of consistent and fair justice in this matter.
`
`COUNT I
`Violations of the Computer Fraud and Abuse Act,
`18 U.S.C § 1030, et seq.
`(on behalf of Plaintiff and the all Classes)
`
`37.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`38.
`
`Plaintiff’s (and each Class Members') computer is a “protected
`
`computer . . . which is used in interstate commerce and/or communication” within the
`
`meaning of 18 U.S.C. § 1030(e)(2)(B).
`
`39.
`
`The application Toast Plus's sole purpose is to entice consumers to divulge
`
`their cryptocurrency account information, by mimicking an established cryptocurrency
`
`wallet in name, mark, and design, thereby allowing hackers to steal that cryptocurrency.
`
`40.
`
`The Defendant, having examined the application Toast Plus prior to
`
`authorizing it for distribution on the App Store, knew its purpose.
`
`41.
`
`To the extent that Defendant did not know the true purpose of Toast Plus
`
`prior to its authorization for distribution on the App Store, Defendant came to know its
`
`true purpose prior to the Plaintiff and the Class Members downloading Toast Plus.
`
`42.
`
`By allowing the application Toast Plus to be distributed on the App Store,
`
`Defendant violated the Computer Fraud and Abuse Act, in that Defendant
`
`● intentionally accessed or caused Plaintiff's and Class Members computer(s) to be
`
`accessed without authorization or exceeded authorized access, through that Toast
`
`9
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 10 of 24
`
`Plus application, and thereby obtained information from those protected
`
`computer(s); and or
`
`● knowingly and with intent to defraud, accessed or caused Plaintiff's and Class
`
`Members computer(s), a protected computer, to be accessed, without
`
`authorization, and or exceeded authorized access, through the Toast Plus
`
`application, and by means of such conduct furthers the intended fraud and
`
`obtained something of value, to wit, Plaintiff's cryptocurrency, and or
`
`● intentionally accessed or caused Plaintiff's and Class Members computer(s), a
`
`protected computer, to be accessed, without authorization, and as a result of such
`
`conduct, caused damage and loss, and or
`
`● conspired with others to commit or attempt to commit those acts.
`
`43.
`
`These acts and omissions occurred within two years of the date of this
`
`filing, or two years of the date of Plaintiff's discovery of the same.
`
`44.
`
`Plaintiff personally has suffered more than $5,000 in direct consequential
`
`economic damages as a result of Defendant's acts and omissions, in that she lost
`
`cryptocurrency of value, and has spent her time investigating the source and method of
`
`the fraud, determining who was responsible, contacting law enforcement agencies, and
`
`communicating with Defendant to attempt to investigate and remediate the fraud, to no
`
`avail, and conferring with legal counsel on the fraud and any remedies.
`
`45.
`
`Therefore, Plaintiff requests entry of judgment in her and the Classes'
`
`favor against Defendant for violations of the CFAA, in the amount of $5,000, or actual
`
`damages, to be demonstrated at trial.
`
`10
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 11 of 24
`
`COUNT II
`Violations of the Electronic Communications Privacy Act,
`18 U.S.C. § 2510, et seq.
`(on behalf of Plaintiff and all Classes)
`
`46.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`47.
`
`The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510
`
`(“ECPA”), regulates wire and electronic communications interception and interception of
`
`oral communications, and makes it unlawful for a person to “willfully intercept [],
`
`endeavor [] to intercept, or procure . . . any other person to intercept or endeavor to
`
`intercept any wire, oral, or electronic communication,” within the meaning of 18 U.S.C.
`
`§ 2511(1).
`
`48.
`
`By intentionally allowing the application Toast Plus distributed through
`
`the App Store, Defendant violated 18 U.S.C. § 2511 by intentionally acquiring and/or
`
`intercepting, by device or otherwise, Plaintiff and Class members’ electronic
`
`communications, without knowledge, consent, or authorization.
`
`49.
`
`The contents of data transmissions from and to Plaintiff and Class
`
`Members’ personal computers constitute “electronic communications” within the
`
`meaning of 18 U.S.C. § 2510.
`
`50.
`
`Plaintiff and Class Members each individually qualify as a “person
`
`whose . . . electronic communication is intercepted . . . or intentionally used in violation
`
`of this chapter” under 18 U.S.C. § 2520.
`
`51.
`
`Through the Toast Plus application, Defendant violated 18 U.S.C. §
`
`2511(1)(a) by intentionally intercepting, endeavoring to intercept, or procuring any other
`
`11
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 12 of 24
`
`person to intercept or endeavor to intercept Plaintiff’s and Class Members' electronic
`
`communications.
`
`52.
`
`Defendant further violated 18 U.S.C. 2511(1)(c) by intentionally
`
`disclosing, or endeavoring to disclose, to any other person, the contents of Plaintiff’s
`
`electronic communications, knowing or having reason to know that the information was
`
`obtained through the interception of Plaintiff’s electronic communications.
`
`53.
`
`Defendant further violated 18 U.S.C. § 2511(1)(d) by intentionally using
`
`or endeavoring to use, the contents of Plaintiff’s electronic communications, knowing of
`
`having reason to know that the information obtained through the interception of
`
`Plaintiff’s electronic communications.
`
`54.
`
`Defendant’s intentional interception of these electronic communications
`
`was without Plaintiff's or the Class Members’ knowledge, consent, or authorization.
`
`55.
`
`Defendant's actions further have no legal justification exempting it from
`
`liability.
`
`56.
`
`Defendant intentionally used such electronic communications, with
`
`knowledge, or having reason to know, that the electronic communications were obtained
`
`through interception, for an unlawful purpose.
`
`57.
`
`Defendant unlawfully accessed and used, and voluntarily disclosed, the
`
`contents of the intercepted communications to enhance their profitability and revenue.
`
`58.
`
`59.
`
`Defendant is liable directly and/or vicariously for this cause of action.
`
`Plaintiff therefore seeks full legal and equitable remedy under the EPCA,
`
`including such preliminary and other equitable or declaratory relief as may be
`
`appropriate, for damages consistent with subsection (c) of that section to be proven at
`
`12
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 13 of 24
`
`trial, punitive damages to be proven at trial, reasonable attorney’s fees, and other
`
`litigation costs incurred.
`
`60.
`
`Plaintiff and Class Members have suffered direct loss by reason of these
`
`violations, including, without limitation, loss of present day value of cryptocurrency, loss
`
`of investment value of the same, loss of time in investigating the conduct, and violations
`
`of the right of privacy.
`
`61.
`
`Plaintiff and the Class Members are entitled to statutory damages of the
`
`greater of $10,000 or $100 per day for each day of violation, actual and punitive
`
`damages, reasonable attorneys’ fees, and Defendant’s profits obtained from the above
`
`described violations.
`
`62.
`
`Furthermore, unless restrained and enjoined, Defendant will continue to
`
`commit such acts. Plaintiff’s remedy at law is not adequate to compensate it for these
`
`inflicted and threatened injuries, entitling Plaintiff to remedies including injunctive relief
`
`as provided by 18 U.S.C. 2510. Plaintiff therefore requests that Defendant be enjoined
`
`and restrained from distributing such “phishing” or “spoofing” applications in the App
`
`Store, and that this Court retain jurisdiction over this matter to monitor compliance with
`
`such an order.
`
`COUNT III
`Interception of Electronic Communications in
`Violation of Md. Code Ann., Wiretap & Electronic Surveillance Act § 10-402(a)(1)
`(on behalf of Plaintiff and the Maryland Class)
`
`63.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`13
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 14 of 24
`
`64.
`
`In relevant part, Maryland Code Wiretap and Electronic Surveillance Act
`
`§ 10-402(a) (2006) provides that it is unlawful for any person to:
`
`● (1) Wilfully intercept, endeavor to intercept, or procure any other person to
`intercept or endeavor to intercept, any wire, oral, or electronic communication;
`
`● (2) Wilfully disclose, or endeavor to disclose, to any other person the contents of
`any wire, oral, or electronic communication, knowing or having reason to know
`that the information was obtained through the interception of a wire, oral, or
`electronic communication in violation of this subtitle. . . .
`
`65.
`
`Maryland Code § 10-401(3) (2006) provides that “intercept” means “the
`
`aural or other acquisition of the contents of any wire, electronic, or oral communication
`
`through the use of any electronic, mechanical, or other device.”
`
`66.
`
`Maryland Code § 10-401(7) (2006) provides that “Contents”, when used
`
`with respect to any wire, oral, or electronic communication, includes any information
`
`concerning the identity of the parties to the communication or the existence, substance,
`
`purport, or meaning of that communication.”
`
`67.
`
`68.
`
`Defendant is a “person” with the meaning of Maryland Code § 10-402.
`
`On information and belief, Defendant willfully intercepted, and or
`
`endeavored to intercept, and or procured others to intercept or endeavor to intercept the
`
`“contents” of Plaintiffs’ and Maryland Class Members' internet communications, related
`
`records, subscriber identity, or other information, without authorization, in clear violation
`
`of Maryland Code, § 10-402(a)(1), by causing the “phishing” application Toast Plus to be
`
`published and distributed to Plaintiff and the Maryland Class Members.
`
`69.
`
`Plaintiffs and the Maryland Class members have been and are aggrieved
`
`by Defendant’s above-described willful activity, including loss of present day value of
`
`14
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 15 of 24
`
`cryptocurrency, loss of investment value of the same, loss of time in investigating the
`
`conduct, and violations of the right of privacy.
`
`70.
`
`Pursuant to Md. Code Ann. § 10-410, which provides a civil action for
`
`Defendant’s above-described willful activity, Plaintiff demands monetary damages of
`
`$100 a day for each violation or $1,000, whichever is higher, for Plaintiff and each
`
`Maryland Class member; punitive damages as the Court considers just; and reasonable
`
`attorneys’ fees and other litigation costs reasonably incurred.
`
`71.
`
`Furthermore, unless restrained and enjoined, Defendant will continue to
`
`commit such acts. Plaintiff’s remedy at law is not adequate to compensate it for these
`
`inflicted and threatened injuries, entitling Plaintiff to remedies including injunctive relief
`
`as provided Maryland Code § 10-410. Plaintiff therefore requests that Defendant be
`
`enjoined and restrained from distributing such “phishing” or “spoofing” applications in
`
`the App Store, and that this Court retain jurisdiction over this matter to monitor
`
`compliance with such an order.
`
`COUNT IV
`Disclosure of Electronic Communications in
`Violation of Md. Code Ann., Wiretap & Electronic Surveillance Act § 10-402(a)(2)(on
`behalf of Plaintiff and the Maryland Class)
`
`72.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`73.
`
`74.
`
`Defendant is a “person” with the meaning of Md. Code Ann. § 10-402.
`
`On information and belief, Defendant willfully disclosed, and or
`
`endeavored to disclose, and or procured others to disclose or endeavor to disclose the
`
`“contents” of Plaintiffs’ and Statewide class members’ telephone and or internet
`
`communications, related records, subscriber identity, or other information, without
`
`15
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 16 of 24
`
`authorization, in clear violation of Md. Code Ann., § 10-402(a)(2), by causing the
`
`“phishing” or “spoofing” application Toast Plus to be published and distributed to
`
`Plaintiff and the Class Members.
`
`75.
`
`On information and belief, there is a strong likelihood that Defendant is
`
`now engaging in and will continue to engage in the above-described willful activity in
`
`clear violation of Md. Code Ann. § 10-402(a)(2), and that likelihood represents a credible
`
`threat of immediate future harm.
`
`76.
`
`Plaintiffs and Maryland Class members have been and are aggrieved by
`
`Defendant’s above-described willful activity.
`
`77.
`
`Pursuant to Md. Code Ann. § 10-410, which provides a civil action for
`
`Defendant’s above-described willful activity, Plaintiff demands monetary damages of
`
`$100 a day for each violation or $1,000, whichever is higher, for Plaintiff and each
`
`Maryland Class member; punitive damages as the Court considers just; and reasonable
`
`attorneys’ fees and other litigation costs reasonably incurred.
`
`78.
`
`Furthermore, unless restrained and enjoined, Defendant will continue to
`
`commit such acts. Plaintiff’s remedy at law is not adequate to compensate it for these
`
`inflicted and threatened injuries, entitling Plaintiff to remedies including injunctive relief
`
`as provided Maryland Code § 10-410. Plaintiff therefore requests that Defendant be
`
`enjoined and restrained from distributing such “phishing” or “spoofing” applications in
`
`the App Store, and that this Court retain jurisdiction over this matter to monitor
`
`compliance with such an order.
`
`16
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 17 of 24
`
`COUNT V
`Violation(s) of the Maryland Personal Information Protection Act
`Md. Ann. Code, Commercial Law, § 14-3501, et seq.
`(on behalf of Plaintiff and the Maryland Class)
`
`79.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`80.
`
`81.
`
`Plaintiff resides in Maryland.
`
`Defendant is a business that owns Personal Information of the Plaintiff
`
`and the Class Members residing in the State.
`
`82.
`
`The application Toast Plus is a “phishing” or “spoofing” application, one
`
`whose only purpose is to intercept financial information that was intended for another,
`
`legitimate recipient.
`
`83.
`
`Defendant came to know of this illegitimate nature of the Toast Plus
`
`application some time before Plaintiff became aware of her loss of private data.
`
`84.
`
`This security breach included information that is considered Personal
`
`Information under the “Maryland Personal Information Protection Act,” Maryland Code,
`
`Commercial Law, § 14-3501, et seq. (“PIPA”), in that it included “Financial
`
`Information” and or “Personal Information,” as defined therein and or by reference.
`
`85.
`
`On information and belief, Plaintiff's and Class Member's Personal
`
`Information was taken as a result of the distribution of the Toast Plus application.
`
`86.
`
`The servers and network connections in which the data breach occurred
`
`was controlled by Defendant.
`
`87.
`
`Defendant failed to “implement and maintain reasonable security
`
`procedures and practices that are appropriate to the nature of the personal information
`
`17
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 18 of 24
`
`owned or licensed and the nature and size of the business and its operations,” which was
`
`the direct cause of the data breach.
`
`88.
`
`89.
`
`This failure constitutes a violation of PIPA.
`
`The Defendant further failed to properly notify Plaintiff and the Class
`
`Members of the unauthorized access of their Personal Information, as required by PIPA,
`
`in that no notice was given whatsoever.
`
`90.
`
`91.
`
`That notification failure constitutes a violation of PIPA
`
`Each of the Defendant's failures under PIPA constitute violations of
`
`Maryland Code Annotated, Commercial Law, Title 13, the “Consumer Protection Act”
`
`(“MCPA”).
`
`92.
`
`Plaintiff therefore claims statutory damages for herself and the Maryland
`
`Class Members, pursuant to Maryland Code Annotated, Commercial Law, Title 13, for
`
`each and every violation of the same.
`
`93.
`
`Plaintiff further claims attorney’s fees and costs of suit, as authorized
`
`under the MCPA.
`
`COUNT VI
`Violation(s) of Each State's Personal Information Protection Acts
`(on behalf of all Classes)
`
`94.
`
`Plaintiff repeats and incorporates herein by reference the allegations in the
`
`preceding paragraphs of this Complaint, as if set forth fully herein.
`
`95.
`
`Each and every State of the United States has a personal data and or
`
`privacy breach statute.
`
`18
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 19 of 24
`
`96.
`
`Defendant is a business that owns Personal Information of the Class
`
`Members residing in each State.
`
`97.
`
`The application Toast Plus is a “phishing” or “spoofing” application, one
`
`whose only purpose is to intercept financial information that was intended for another,
`
`legitimate recipient.
`
`98.
`
`Defendant came to know of this illegitimate nature of the Toast Plus
`
`application some time before the Class Members became aware of their loss of private
`
`data.
`
`99.
`
`This security breach included information that is considered Personal
`
`Information under each of the State's data breach protection laws, in that it included
`
`“Financial Information” and or “Personal Information,” as defined therein and or by
`
`reference.
`
`100.
`
`On information and belief, Plaintiff's and Class Member's Personal
`
`Information was taken as a result of the distribution of the Toast Plus application.
`
`101.
`
`The servers and network connections in which the data breach occurred
`
`was controlled by Defendant.
`
`102.
`
`Defendant failed to implement and maintain reasonable security
`
`procedures and practices that are appropriate to the nature of the personal information
`
`owned or licensed and the nature and size of the business and its operations, which was
`
`the direct cause of the data breach.
`
`103.
`
`This failure constitutes a violation of each State's data breach protection
`
`laws.
`
`19
`
`
`
`Case 8:21-cv-02359-CBD Document 1 Filed 09/16/21 Page 20 of 24
`
`104.
`
`The Defendant further failed to properly notify Plaintiff and the Class
`
`Members of the unauthorized access of their Personal Information,